DEFGEN9.CVP  930819
 
                 Polymorphism and self encryption
 
Scanning software is, for all of its limitations, still the most
widely used of antiviral software.  The idea is to find a "signature
string" for the virus:  a piece of code that appears in the virus
and in no other program, thus giving a unique identification.  There
is an art to the choice of a signature string, as with anything
else.  You want a piece of code more than you want text, which is
easy to change.  You want a piece of code integral to the operation
of the virus.  You want a string which may identify new "mutations"
of this virus, as well as the current infection.  However, once you
have a suitable signature, you can identify the virus.
 
Unless the virus changes.
 
This is the idea behind polymorphism.  There are a number of ways to
change the "shape" of a virus.  One way is to get a simple "random"
number, such as the value of the "seconds" field of the system time
when the infection occurs, and to perform a simple encryption on the
value of each byte in the viral code.  Only a short chunk is left at
the beginning to decrypt the rest of the virus when the time comes
to activate it.  Encryption could be used in other ways:  encrypting
a regular but arbitrary number of bytes, or encrypting the code as a
whole rather than on a bytewise basis.
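To make the scanner's problem concrete, here is an added toy model in Python (not code from Slade's column, and not a real virus): a constant decryptor stub followed by a body XORed byte by byte with a one-byte key taken from the clock's "seconds" field. The byte values, layout and signature offsets are constructed assumptions; the point is to count how many forms such a scheme can produce and which part of it a signature still catches.

```python
# Added toy model, not code from Slade's column: a constant decryptor
# stub followed by a body XORed with a one-byte key taken from the
# clock's "seconds" field. All byte values here are constructed.

STUB = bytes.fromhex("b91e00be0901")  # constructed stand-in for the decryptor
BODY = b"CONSTRUCTED VIRAL BODY 0123456789"  # constructed plaintext body
BODY_SIG = BODY[12:24]  # a scanner's signature taken from the body
STUB_SIG = STUB[1:6]    # a signature taken from the unencrypted stub


def encrypt_body(body: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in body)


def make_infection(seconds: int) -> bytes:
    """One infection: the key is the seconds field at infection time (0-59),
    stored right after the stub so the stub can undo the XOR later."""
    key = seconds % 60
    return STUB + bytes([key]) + encrypt_body(BODY, key)


def scan(sample: bytes, signature: bytes) -> bool:
    """A plain signature scanner: substring match anywhere in the file."""
    return signature in sample


def hits(signature: bytes) -> int:
    """How many of the 60 possible infections a given signature catches."""
    return sum(scan(make_infection(s), signature) for s in range(60))


def distinct_forms() -> int:
    """The key space bounds the number of forms the virus can take."""
    return len({make_infection(s) for s in range(60)})


def recover_body(sample: bytes) -> bytes:
    """Analyst's counter: the stub is constant, so the key byte sits at a
    known offset and the body can be decrypted before it is scanned."""
    key = sample[len(STUB)]
    return encrypt_body(sample[len(STUB) + 1:], key)
```

A body signature catches only the one infection whose key happens to be zero, while a signature on the unchanging stub catches all sixty forms, which is why early self-encryptors with small key spaces remained detectable.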
 
A second method relies on the fact that, in programming, there are
always at least half a dozen means to the same end, and that many
programming operations are commutative: it doesn't matter in what
order certain operations are performed.  This means that very small chunks of
code, pieces too small to be of use as signatures, can be rearranged
in different orders each time the virus infects a new file.  This,
as you can imagine, requires a more "intelligent" program than a
simple encryption routine.
 
A distinction tends to be made between the early, and limited,
"self-encrypting" viral programs, and the later, more
sophisticated, polymorphs.  Earlier self-encrypting viri had limited
numbers of "variants":  even the enormous Whale virus had fewer than
forty distinct forms.  (Some of the earliest were the V2Px family
written by Mark Washburn.  He stated that he wrote them to prove
that scanners were unworkable, and wrote his own activity monitoring
program.  He is one of the very few people to have written, and
released, a virus, and to have written antiviral software.  His
release of "live" code in the wild tends to deny him the status of
an antivirus researcher.  Lest some say this is arbitrary bias,
please note that his thesis was rather ineffectual: all his variants
are fairly easily detectable.)  More recent polymorphs are more
prolific:  Tremor is calculated to have almost six billion forms.
 
copyright Robert M. Slade, 1993

==============
Vancouver      ROBERTS@decus.ca         | "Is it plugged in?"
Institute for  Robert_Slade@sfu.ca      | "I can't see."
Research into  rslade@cue.bc.ca         | "Why not?"
User           p1@CyberStore.ca         | "The power's off
Security       Canada V7K 2G6           |  here."