Metamorphic malware sets new standard in antivirus evasion

One of the most innovative and insidious creations of malware propagators has undoubtedly been the advent of metamorphic malware. To understand the concept -- and its cousin, polymorphic malware -- requires a basic understanding of underlying malware encryption techniques. In the simplest of models, an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Execution of an infected application enables the VDR to decrypt the EVB, which in turn causes the virus to perform its intended function. In the propagation phase, the virus is re-encrypted and appended onto another host application. A new key is randomly generated with each copy, thus altering the appearance of the code. However, the VDR remains constant and this is its inherent weakness, resulting in detection via signature recognition.

Listen to Noah Schiffman's tip Download Noah's metamorphic virus strategies to your PC or favorite MP3 player.

Polymorphism, which literally means "changing that of appearance," adds an additional component to the encrypted code -- a mutation engine (ME). The ME essentially can change the code of another program without changing its functionality. For example, an ME can alter the code of a VDR with each replication, while maintaining its ability to decrypt the EVB. The continuous alteration of the VDR is achieved using obfuscation techniques such as junk code insertion, instruction reordering and mathematical contrapositives. However, the preservation of the decrypted virus body is its Achilles' heel, as it provides a form of complex signature. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis and the use of emulation and virtualization technologies have proven to be successful polymorphic detection methods.

Evolving from the deficiencies of polymorphism, metamorphic malware brought virus mutation to the next level. Instead of mutating the EVB and reapplying a cryptographic cover, metamorphism employs the ME to transform the virus itself. Using a disassembly phase, the code is represented as a meta-language that characterizes its end function, disregarding how the code achieves this function. Thus, after analysis, code morphing and reassembling, the end result is new code that bears no resemblance to its original syntax, yet it's functionally the same.

For more information Ed Skoudis reviews polymorphic virus defenses. Learn about Warezov and its many variations. SearchSecurity.com's Messaging Security School provides lessons on how to defend your mobile devices from viruses and malware.

Metamorphic malware's ability to completely re-alter its code -- and change its signature pattern -- with each cycle is evidence to its disturbingly significant power to evade AV techniques. One prototypical model can be observed with the Win32.Metaphor virus (aka Win32.Etap, Win32/Simile). Acronymically named for metaphoric permutating high-obfuscating reassembler, this virus first surfaced in 2002, with numerous variants following. Despite its non-destructive payload (various messages were displayed depending on the date), its incorporation of several innovative and advanced metamorphic techniques provided successful propagation and antivirus evasion. The powerful combination of entry point obscuring (EPO), pseudo-code permutation, size shrinking and expansion (the "accordion model" technique), anti-emulation time stamp analysis, advanced infection routines and cross-platform compatibility with Linux, created a new class of malware -- a threat level surpassing non-metamorphic code. This changed the enterprise security model, requiring different strategic perspective for central, perimeter and endpoint security.

While no definitive all-encompassing detection methodologies exist for this continually evolving class of malware, identification is possible. Metamorphism reveals its inherent weakness in its need for self-analysis. As an entity, it can analyze its own code, thus theoretically it can be analyzed by other programs. Effective methods have been developed using emulation techniques to heuristically examine the post-morphed function of the code. Furthermore, research in methods such as automated replication systems, similarity indices, geometric analysis, and tracing emulators continue to grow. Despite the advancements in detection and prevention, virus writers are creating more sophisticated and efficient mutation engines and new obfuscation techniques. Until a method for definitive identification is developed, new forms of metamorphic code will continue to propagate and pose a challenge for the security community.

Protection from any type of metamorphic malware is best addressed by blended threat management platforms using a multi-layered approach. Antivirus software, updated frequently, remote access restrictions and compliance monitoring should be employed at the server and end-user levels. Network and personal firewalls should have any unused service ports shut down. Email servers should employ content filters and file scanning. Finally, any corporate setting should develop, maintain and enforce a well-defined and effective set of security policies. In extreme situations, when dealing with highly sensitive data, extra security measures such as real-time emulation analysis and specialized network segmentation may be considered.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Server Message Block Version 2 security in question: Disable or patch? Preparing for future security threats, evolving malware Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.