Evolution of Malwares from Encryption to Metamorphism
What are Malwares?
Malware has always been a serious cause of concern for the antivirus and coding experts. These days the malware has evolved to an exceptionally sophisticated level making their detection quite difficult. This delay in the detection of malware allows it to spread more widely but it can be dealt with if antiviruses can scan the malware in a short duration of time. However, if malware use camouflaging tactics like:
They can make their detection from difficult to seemingly impossible.
Techniques used to detect Malwares
During the early days of programming languages computer specialists used to make viruses for fun then slowly these viruses were being misused for a lot of things like stealing bank account numbers and their passwords along with that these were also used for avenging people. So the creation of viruses no longer remained as a show-off activity but turned into malpractice. To conceal themselves, the malware creators first attempted to use stealth techniques.
These are the techniques that conceal any kind of changes made by the malware to the infected system. Stealth viruses can infect a computer system when the user opens a malicious attachment link from emails or websites. These stealth viruses takedown the performance of the whole system. However, their detection is seemingly difficult because of these two adaptations.
- They conceal the size of the file they infected originally.
- They temporarily move away from the infected file and copy themselves into a file present in another drive, replacing their prior location with a clean file.
The above working of malware is based on two main aspects of stealth camouflaging that are hiding the trails of malware and hiding the main code from humans and antivirus programs. However, the malware creators could not enjoy their upper hand for a very long time as the antiviruses later were able to tackle it which gave way towards the camouflaging evolution of malware.
It was the earliest technique of camouflaging in which malware authors tend to improve their program code from being detected that allowed their viruses to penetrate more deeply into the computer. This technique makes use of a decryption loop in addition to the main body of the code. The main work of the decryption loop is to conceal the working of the main body of the code. Without the decryptor, the main body of code is meaningless as the decryptor is responsible for encrypting and decrypting the code. Some sophisticated ways of encrypting involve usage of a constant value or a sliding variable value generated by a special algorithm.
Virus scanners are sometimes not able to detect the encrypted viruses as they have to first decrypt the code to decode the whole body of code but then the antiviruses have revolutionized and have started detecting the decryption code providing indirect evidence for the detection of viruses.
The next advancement in malware concealment is oligomorphism that uses oligomorphic code to specially launch the computer viruses. Instead of using only one decryptor, oligomorphism makes use of n decryptors. During this process, the main body tends to pick a random decryptor from n decryptors making the detection tedious for the virus scanners. However, as the maximum number of predefined decryptors is not more than a few hundred for a particular code so their detection can be made possible by some advanced antiviruses as they used a wildcard(low probability and high impact) scan approach to detect them. This approach takes a lot of time but still detects the virus.
It is a very complicated form of oligomorphism and encryption. The only difference between oligomorphism and polymorphism is that an unlimited number of decryptors are used in polymorphism. Various polymorphism techniques are based on making the analysis of viruses harder by changing the appearance of the virus. The decryptor constantly mutates its appearance from one copy to another and this process is carried out very skillfully so that the virus scanners cannot exploit any copy for detection purposes. Polymorphism can very easily fool signature-based detection that is carried out commonly by most of the antiviruses so usage of machine learning and behavior-based analytics for their detection is essential. Machine learning focuses on the abnormal behaviour of a file rather than its signatures. Also no matter how well the code is designed but after the code does a sufficient number of emulations the underlying encrypted code will be revealed by simple string matching.
It is a completely different breed of viruses that has no encrypted part but just like polymorphic viruses it has a mutation engine. This engine modifies the whole body of the virus rather than only modifying the decryptor. In metamorphic viruses after their mutation, they may have different code, body size, and structure but their behaviour remains the same. The metamorphic virus has four main components of the mutation engine that are:
- Code Analyzer
- Code Transformer
The working of metamorphic virus takes place as follows:
- Step 1: The virus first locates its code and then converts it into assembly instruction(task done by the internal disassembler).
- Step 2: The code analyzer provides a code transformer with the required information. This information includes:
- Structure and Flow diagram of the program.
- The life period of variables and registers and so on.
- Step 3: A code transformer is the heart of the mutation engine that changes the binary sequence of codes.
- Step 4: Then the assembler converts the assembly code of virus into machine binary code.
A good metamorphic virus is nearly impossible to catch. Only the usage of behaviour-based analytics and machine learning can completely tackle this problem. Although various metamorphic viruses have been tackled till now yet no concrete methodology has been designed to fight with the same.