How Viruses Hide: Metamorphic Code

Metamorphic viruses represent the end of the road in present-day virus detection avoidance. Think of a metamorphic virus as a polymorphic virus on steroids. Instead of changing parts of itself for each new infection or under certain defined criteria, a metamorphic virus COMPLETELY rewrites itself each time it infects a new target.

This requires a metamorphic engine. The difference between polymorphic and metamorphic code is one of scale and code base. Because it completely rewrites itself, a metamorphic virus is usually quite large in file size – often too large to be practical as a consumer-targeted virus. One such metamorphic virus, known as W32/Simile, contained more than 14,000 lines of code – the vast majority of which was the engine.

But faster processors and larger disk drives are quickly making metamorphic viruses more feasible and applicable in more situations. The only way anti-virus software can try to identify metamorphic viruses is through some sort of emulator designed to model and mimic known metamorphic virus behaviors, or through what’s known as statistical pattern analysis of the encrypted virus body. Neither technique offers the same confidence level as signature matching, which, as we know, has its own issues.
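To show why a plain byte signature cannot keep up with an engine that rewrites the whole body, and how a scanner can match on a canonical form instead, here is an added example that is not from the original post: a small instruction normalizer (the rewrite rules, register names and the two "generations" are constructed for illustration) that strips junk instructions and folds common equivalent substitutions, so that two differently written generations of the same routine hash to the same signature. This is normalization-based matching, a cousin of the emulation and statistical approaches the post mentions.

```python
import hashlib

# Constructed sample: two generations of one routine, as a metamorphic engine
# might emit them. Same behaviour, different instruction text.
GEN_A = """
mov eax, 0
add eax, 5
mov ebx, eax
"""
GEN_B = """
xor eax, eax      ; zeroing idiom instead of mov eax, 0
nop               ; junk
push ecx          ; junk pair: push/pop of the same register
pop ecx
add eax, 5
sub ebx, ebx      ; another zeroing idiom
add ebx, 0        ; junk
add ebx, eax      ; "mov ebx, eax" spelled as zero-then-add
"""

def parse(listing):
    """Turn an assembly listing into (mnemonic, [operands]) tuples."""
    out = []
    for line in listing.lower().splitlines():
        line = line.split(";")[0].strip()          # drop comments
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        out.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return out

def normalize(listing):
    """Reduce a listing to a canonical form that survives the engine's rewrites."""
    ins, out, i = parse(listing), [], 0
    while i < len(ins):
        m, ops = ins[i]
        nxt = ins[i + 1] if i + 1 < len(ins) else None
        # Rule 1: drop semantic no-ops (nop, mov r,r, add/sub r,0, push r; pop r).
        if m == "nop" or (m == "mov" and ops[0] == ops[1]) \
                or (m in ("add", "sub") and ops[1] == "0"):
            i += 1
            continue
        if m == "push" and nxt and nxt[0] == "pop" and nxt[1] == ops:
            i += 2
            continue
        # Rule 2: zeroing idioms (xor r,r / sub r,r) become mov r,0.
        if m in ("xor", "sub") and ops[0] == ops[1]:
            m, ops = "mov", [ops[0], "0"]
        # Rule 3: fold "mov r,0 ; add r,X" into "mov r,X".
        if m == "add" and out and out[-1] == ("mov", [ops[0], "0"]):
            out[-1] = ("mov", [ops[0], ops[1]])
        else:
            out.append((m, ops))
        i += 1
    return [f"{m} {', '.join(o)}" for m, o in out]

def signature(listing):
    """Hash of the canonical form; this is what the scanner would match on."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()
```

A real normalizer needs many more rules and must reason about register liveness and flags, which is why the post's point stands: the engine only has to find one substitution the scanner does not fold.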

It’s a brave new world. 🙁
