The propagation of malicious code dates back to the early days of sneakernet-style transmission of boot-sector viruses via floppy disks. Once the spread of infectious code reached critical levels, the security community counteracted
One of the most innovative and insidious creations of malware propagators has undoubtedly been the advent of metamorphic malware. To understand the concept -- and its cousin, polymorphic malware -- requires a basic understanding of underlying malware encryption techniques. In the simplest of models, an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Execution of an infected application enables the VDR to decrypt the EVB, which in turn causes the virus to perform its intended function. In the propagation phase, the virus is re-encrypted and appended onto another host application. A new key is randomly generated with each copy, thus altering the appearance of the code. However, the VDR remains constant and this is its inherent weakness, resulting in detection via signature recognition.
Polymorphism, which literally means "changing that of appearance," adds an additional component to the encrypted code -- a mutation engine (ME). The ME essentially can change the code of another program without changing its functionality. For example, an ME can alter the code of a VDR with each replication, while maintaining its ability to decrypt the EVB. The continuous alteration of the VDR is achieved using obfuscation techniques such as junk code insertion, instruction reordering and mathematical contrapositives. However, the preservation of the decrypted virus body is its Achilles' heel, as it provides a form of complex signature. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis and the use of emulation and virtualization technologies have proven to be successful polymorphic detection methods.
Evolving from the deficiencies of polymorphism, metamorphic malware brought virus mutation to the next level. Instead of mutating the EVB and reapplying a cryptographic cover, metamorphism employs the ME to transform the virus itself. Using a disassembly phase, the code is represented as a meta-language that characterizes its end function, disregarding how the code achieves this function. Thus, after analysis, code morphing and reassembling, the end result is new code that bears no resemblance to its original syntax, yet it's functionally the same.
Metamorphic malware's ability to completely re-alter its code -- and change its signature pattern -- with each cycle is evidence to its disturbingly significant power to evade AV techniques. One prototypical model can be observed with the Win32.Metaphor virus (aka Win32.Etap, Win32/Simile). Acronymically named for metaphoric permutating high-obfuscating reassembler, this virus first surfaced in 2002, with numerous variants following. Despite its non-destructive payload (various messages were displayed depending on the date), its incorporation of several innovative and advanced metamorphic techniques provided successful propagation and antivirus evasion. The powerful combination of entry point obscuring (EPO), pseudo-code permutation, size shrinking and expansion (the "accordion model" technique), anti-emulation time stamp analysis, advanced infection routines and cross-platform compatibility with Linux, created a new class of malware -- a threat level surpassing non-metamorphic code. This changed the enterprise security model, requiring different strategic perspective for central, perimeter and endpoint security.
While no definitive all-encompassing detection methodologies exist for this continually evolving class of malware, identification is possible. Metamorphism reveals its inherent weakness in its need for self-analysis. As an entity, it can analyze its own code, thus theoretically it can be analyzed by other programs. Effective methods have been developed using emulation techniques to heuristically examine the post-morphed function of the code. Furthermore, research in methods such as automated replication systems, similarity indices, geometric analysis, and tracing emulators continue to grow. Despite the advancements in detection and prevention, virus writers are creating more sophisticated and efficient mutation engines and new obfuscation techniques. Until a method for definitive identification is developed, new forms of metamorphic code will continue to propagate and pose a challenge for the security community.
Protection from any type of metamorphic malware is best addressed by blended threat management platforms using a multi-layered approach. Antivirus software, updated frequently, remote access restrictions and compliance monitoring should be employed at the server and end-user levels. Network and personal firewalls should have any unused service ports shut down. Email servers should employ content filters and file scanning. Finally, any corporate setting should develop, maintain and enforce a well-defined and effective set of security policies. In extreme situations, when dealing with highly sensitive data, extra security measures such as real-time emulation analysis and specialized network segmentation may be considered.
About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.
This was first published in August 2007