DEFGEN9.CVP 930819

Polymorphism and self encryption

Scanning software is, for all of its limitations, still the most widely used of antiviral software. The idea is to find a "signature string" for the virus: a piece of code that appears in the virus and in no other program, thus giving a unique identification. There is an art to the choice of a signature string, as with anything else. You want a piece of code more than you want text, which is easy to change. You want a piece of code integral to the operation of the virus. You want a string which may identify new "mutations" of this virus, as well as the current infection. However, once you have a suitable signature, you can identify the virus. Unless the virus changes.

This is the idea behind polymorphism. There are a number of ways to change the "shape" of a virus. One way is to get a simple "random" number, such as the value of the "seconds" field of the system time when the infection occurs, and to perform a simple encryption on the value of each byte in the viral code. Only a short chunk is left at the beginning to decrypt the rest of the virus when the time comes to activate it. Encryption could be used in other ways: encrypting a regular but arbitrary number of bytes, or encrypting the code as a whole rather than on a bytewise basis.

A second means is the fact that, in programming, there are always at least half a dozen means to the same end, and that many programming functions are commutative; it doesn't matter in what order certain operations are performed. This means that very small chunks of code, pieces too small to be of use as signatures, can be rearranged in different orders each time the virus infects a new file. This, as you can imagine, requires a more "intelligent" program than a simple encryption routine.

A distinction tends to be made between the early, and limited, "self-encrypting" viral programs, and the later, more sophisticated, polymorphs.
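An added illustration (mine, not from this column) of the "seconds field" scheme above from the scanner's side: with a one-byte key there are only sixty possible forms, a signature taken from the encrypted body matches almost none of them, and the short plaintext decryptor that must stay in the clear is a constant string the scanner can match instead. The stub, body and signatures are constructed placeholders, not real code.

```python
# Constructed stand-ins: a short plaintext "decryptor" prefix and the body
# it would decode. Neither is executable code; they only model the layout.
STUB = b"DECRYPT-STUB:"
SAMPLE_BODY = b"constructed sample body: copy self into host, then run host"


def encode_body(body: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key, as a 'seconds' value (0-59) would give.
    XOR is its own inverse, so the same call decodes. Note that key 0 leaves
    the body completely unchanged."""
    key &= 0xFF
    return bytes(b ^ key for b in body)


def make_form(key: int) -> bytes:
    """One 'infection': constant stub, the key byte, then the encoded body."""
    return STUB + bytes([key & 0xFF]) + encode_body(SAMPLE_BODY, key)


def scan(data: bytes, signature: bytes) -> bool:
    """A plain signature scanner: exact substring match."""
    return signature in data


def distinct_forms(keys) -> int:
    """How many different byte images the key space can produce."""
    return len({make_form(k) for k in keys})


def signature_hits(signature: bytes, keys) -> int:
    """How many of the forms a given signature would detect."""
    return sum(scan(make_form(k), signature) for k in keys)


if __name__ == "__main__":
    seconds = range(60)
    print("distinct forms:", distinct_forms(seconds))
    print("body signature hits:", signature_hits(b"copy self into host", seconds))
    print("stub signature hits:", signature_hits(STUB, seconds))
```

The body signature matches only the key-0 form, where the "encryption" is a no-op; a signature on the stub matches every form, which is why these early self-encryptors gave scanners so little trouble.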
Earlier self-encrypting viruses had limited numbers of "variants": even the enormous Whale virus had fewer than forty distinct forms. (Some of the earliest were the V2Px family written by Mark Washburn. He stated that he wrote them to prove that scanners were unworkable, and wrote his own activity monitoring program. He is one of the very few people to have written, and released, a virus, and to have written antiviral software. His release of "live" code in the wild tends to deny him the status of an antivirus researcher. Lest some say this is arbitrary bias, please note that his thesis was rather ineffectual: all his variants are fairly easily detectable.) More recent polymorphs are more prolific: Tremor is calculated to have almost six billion forms.

copyright Robert M. Slade, 1993