Polymorphic Code

Polymorphic code was the first technique that posed a serious threat to virus scanners: the virus body is encrypted and the decryption module is modified on each infection, so no byte sequence stays constant for a signature to match. Antivirus software can still detect polymorphic viruses by running the decryptor in an emulator or by statistical analysis of the encrypted body. Polymorphic viruses carry a mutation engine that generates the random variations; some constrain their mutation rate, or refrain from mutating on a computer that is already infected, so that analysts cannot easily collect representative samples. The undetectable virus proposed by Yongge Wang is a polymorphic virus with no static signature whose dynamic signatures are hard to determine unless a cryptographic assumption fails.

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures.[43][44]

Antivirus software can detect such viruses by decrypting them in an emulator, or by statistical pattern analysis of the encrypted virus body. To produce polymorphic code, the virus has to carry a polymorphic engine (also called a mutating engine or mutation engine) somewhere in its encrypted body. See the article on polymorphic code for technical detail on how such engines operate.[45]
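The mechanism described above, as an added example that is not part of the original text: a toy polymorphic generator in Python with a harmless constructed "body", a made-up three-opcode decryptor bytecode, and the two detection approaches the paragraph names. Static signature matching on the stored bytes fails for every generation; running the stub in a sandboxed emulator recovers the invariant body, after which the same signature matches again; and Shannon entropy over the encrypted body stands in for statistical analysis. The instruction set, the mutation engine's choice of layers and the entropy heuristic are all assumptions made for illustration, not the workings of any real virus or scanner.

```python
import math
import random
from collections import Counter

# Constructed stand-in for the invariant virus body (a harmless string). Every
# "infection" below carries this same plaintext under a fresh encryption layer.
BODY = b"BENIGN TEST BODY: stands in for the invariant code a scanner wants to match"
BODY_SIGNATURE = BODY[:16]  # the byte signature a scanner would take over the body

# Toy decryptor bytecode: an assumed instruction set invented for this example.
OP_NOP = 0x00        # junk padding, no effect
OP_XORSTREAM = 0x01  # XORSTREAM key delta: body[i] ^= (key + i*delta) & 0xFF (self-inverse)
OP_ADD = 0x02        # ADD c: body[i] = (body[i] + c) & 0xFF
OP_END = 0xFF        # end of stub; the encrypted body follows

def xorstream(data: bytes, key: int, delta: int) -> bytes:
    return bytes(b ^ ((key + i * delta) & 0xFF) for i, b in enumerate(data))

def add_const(data: bytes, c: int) -> bytes:
    return bytes((b + c) & 0xFF for b in data)

def apply_layers(data: bytes, layers) -> bytes:
    for kind, *args in layers:
        data = xorstream(data, *args) if kind == "xorstream" else add_const(data, *args)
    return data

def mutation_engine(rng: random.Random):
    """Pick random encryption layers and emit the decryptor stub that undoes them.

    Keys, constants, layer order and NOP padding are drawn fresh each time, so no
    byte run of the stub is stable between generations. Exactly one XORSTREAM
    layer with an odd delta is used: its keystream has full period, which is
    what flattens the ciphertext histogram (ADD alone only permutes it).
    """
    layers = [("add", rng.randrange(1, 256)) for _ in range(rng.randrange(0, 3))]
    layers.insert(rng.randrange(len(layers) + 1),
                  ("xorstream", rng.randrange(256), rng.randrange(1, 256, 2)))
    stub = bytearray()
    for kind, *args in reversed(layers):            # decrypt in reverse order
        stub.extend([OP_NOP] * rng.randrange(0, 4))
        if kind == "xorstream":
            stub.extend([OP_XORSTREAM, args[0], args[1]])
        else:
            stub.extend([OP_ADD, (256 - args[0]) & 0xFF])   # inverse of ADD c
    stub.extend([OP_NOP] * rng.randrange(0, 4))
    stub.append(OP_END)
    return layers, bytes(stub)

def generate_sample(rng: random.Random) -> bytes:
    """One 'infection': a fresh decryptor stub followed by the encrypted body."""
    layers, stub = mutation_engine(rng)
    return stub + apply_layers(BODY, layers)

def parse_stub(sample: bytes):
    """Decode the stub into (decryption ops, offset of the encrypted body)."""
    ops, pc = [], 0
    while True:
        op = sample[pc]
        if op == OP_END:
            return ops, pc + 1
        if op == OP_NOP:
            pc += 1
        elif op == OP_XORSTREAM:
            ops.append(("xorstream", sample[pc + 1], sample[pc + 2]))
            pc += 3
        elif op == OP_ADD:
            ops.append(("add", sample[pc + 1]))
            pc += 2
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pc}")

def static_scan(sample: bytes) -> bool:
    """Signature matching on the bytes as stored: defeated by the encryption."""
    return BODY_SIGNATURE in sample

def emulate(sample: bytes) -> bytes:
    """Run the stub in a sandbox instead of on the host, recovering the body."""
    ops, offset = parse_stub(sample)
    return apply_layers(sample[offset:], ops)

def emulation_scan(sample: bytes) -> bool:
    return BODY_SIGNATURE in emulate(sample)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; a simple statistical tell for an encrypted body."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_body(sample: bytes) -> bytes:
    return sample[parse_stub(sample)[1]:]

if __name__ == "__main__":
    rng = random.Random(7)
    for s in (generate_sample(rng) for _ in range(4)):
        print(f"stub={parse_stub(s)[1]:2d}B  static={static_scan(s)!s:5}  "
              f"emulated={emulation_scan(s)!s:5}  H(body)={entropy(encrypted_body(s)):.2f}")
    print(f"H(plaintext)={entropy(BODY):.2f}")
```

Real engines mutate native decryptor code (register renaming, instruction substitution, junk insertion) rather than a bytecode stub, and a real emulator has to bound how long it lets the decryptor run; the toy keeps the same shape so that the contrast between the two scanners stays visible. Two details matter for the statistical side: a single XOR or ADD with a constant only permutes the byte histogram and leaves the entropy unchanged, so the engine always includes a full-period keystream layer, and the plaintext body is English text with a low entropy, which is what makes the high-entropy region stand out.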
Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of such slow polymorphic code is that it makes it more difficult for antivirus professionals to obtain representative samples of the virus, because bait files infected in one run will typically contain identical or similar copies of the virus. A signature derived from those samples is then less reliable, and some instances of the virus may escape detection.
A so-called undetectable virus has also been proposed (Yongge Wang [46]). An undetectable virus is a kind of polymorphic virus that has no static signature and whose dynamic signatures are hard to determine unless some cryptographic assumption fails.
