U-M EECS 588 - Understanding and Managing Polymorphic Viruses


The Symantec Enterprise Papers, Volume XXX
Understanding and Managing Polymorphic Viruses

Table of Contents
Introduction
The Evolution of Polymorphic Viruses
Simple Viruses
Encrypted Viruses
Polymorphic Viruses
The Scale of the Problem
Polymorphic Detection
Generic Decryption
Heuristic-Based Generic Decryption
The Striker System
Striker's Strategic Advantages
Outlook
Additional Anti-virus Information
Contacts for Media
About the Author
Further Reading
About Symantec

Introduction

Polymorphic computer viruses are the most complex and difficult viruses to detect, often requiring anti-virus companies to spend days or months creating the detection routines needed to catch a single polymorphic.

This white paper provides an overview of polymorphics and existing methods of detection, and introduces Symantec's Striker(TM) technology, a new, patent-pending method for detecting polymorphics. Norton AntiVirus 2.0 for Windows 95 is the first Symantec anti-virus product to include Striker; Symantec will integrate Striker into other Norton anti-virus products as it introduces new editions.

The Evolution of Polymorphic Viruses

A computer virus is a self-replicating computer program that operates without the consent of the user. It spreads by attaching a copy of itself to some part of a program file, such as a spreadsheet or word processor. Viruses also attack boot records and master boot records, which contain the information a computer uses to start up. Macro viruses attack such files as word processing documents or spreadsheets.

Most viruses simply replicate. Some display messages. Some, however, deliver a payload, a portion of the virus program that is designed to corrupt programs, delete files, reformat a hard disk, or crash a corporate-wide network, potentially wiping out years of data and destroying critical information.

Simple Viruses

A simple virus that merely replicates itself is the easiest to detect. If a user launches an infected program, the virus gains control of the computer and attaches a copy of itself to another program file. After it spreads, the virus transfers control back to the host program, which functions normally.

Yet no matter how many times a simple virus infects a new file or floppy disk, the infection always makes an exact copy of itself. Anti-virus software need only search, or scan, for a tell-tale sequence of bytes, known as a signature, found in the virus.

Encrypted Viruses

In response, virus authors began encrypting viruses. The idea was to hide the fixed signature by scrambling the virus, making it unrecognizable to a virus scanner.

Figure 1. An encrypting virus always propagates using the same decryption routine. However, the key value within the decryption routine changes from infection to infection. Consequently, the encrypted body of the virus also varies, depending on the key value. (Layout of the infected image: Decryptor | Key | Body.)

Figure 2. This is what an encrypted virus looks like before execution:

    Virus Decryption Routine
    1. Count = #VirusBytes
    2. Temp = Fetch NextByte
    3. Temp = Decrypt(Temp)
    4. Store NextByte(Temp)
    5. Decrement Count
    6. If Count > 0, GOTO 2
    Encrypted Virus Body
    7. #$^#@^#^#!^!#^!#^!^
    8. !#@%$!@%!@%!@#
    9. $#&!&%!#&#!%^!!#
    ...

Figure 3. At this point, the virus has executed its first five instructions and has decrypted the first byte of the encrypted virus body: line 7 now begins with the first decrypted byte ("S"), while the rest of lines 7 to 9 is still scrambled.

An encrypted virus consists of a virus decryption routine and an encrypted virus body. If a user launches an infected program, the virus decryption routine first gains control of the computer, then decrypts the virus body. Next, the decryption routine transfers control of the computer to the decrypted virus.

An encrypted virus infects programs and files as any simple virus does. Each time it infects a new program, the virus makes a copy of both the decrypted virus body and its related decryption routine, encrypts the copy, and attaches both to a target.

To encrypt the copy of the virus body, an encrypted virus uses an encryption key that the virus is programmed to change from infection to infection. As this key changes, the scrambling of the virus body changes, making the virus appear different from infection to infection. This makes it extremely difficult for anti-virus software to search for a virus signature extracted from a consistent virus body.

However, the decryption routines remain constant from generation to generation, a weakness that anti-virus software quickly evolved to exploit. Instead of scanning just for virus signatures, virus scanners were modified to also search for the tell-tale sequence of bytes that identified a specific decryption routine (treating the byte positions that hold the key as wildcards, since the key differs between infections).

Polymorphic Viruses

In retaliation, virus authors developed the polymorphic virus. Like an encrypted virus, a polymorphic virus includes a scrambled virus body and a decryption routine that first gains control of the computer, then decrypts the virus body. However, a polymorphic virus adds to these two components a third: a mutation engine that generates randomized decryption routines that change each time a virus infects a new program.

In a polymorphic virus, the mutation engine and virus body are both encrypted. When a user runs a program infected with a polymorphic virus, the decryption routine first gains control of the computer, then decrypts both the virus body and the mutation engine. Next, the decryption routine transfers control of the computer to the virus, which locates a new program to infect.

At this point, the virus makes a copy of both itself and the mutation engine in random access memory (RAM). The virus then invokes the mutation engine, which randomly generates a new decryption routine that is capable of decrypting the virus, yet bears little or no resemblance to any prior decryption routine. Next, the virus encrypts this new copy of the virus body and mutation engine. Finally, the virus appends this new decryption routine, along with the newly encrypted virus and mutation engine, onto a new program.

Once the decryption routine has run to completion, the virus body sits in memory in plaintext and the routine hands it control:

    Virus Decryption Routine
    1. Count = #VirusBytes
    2. Temp = Fetch NextByte
    3. Temp = Decrypt(Temp)
    4. Store NextByte(Temp)
    5. Decrement Count
    6. If Count > 0, GOTO 2
    Decrypted Virus
    7. Search for an EXE file
    8. Change the attributes...
    9. Open the file...
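A toy model of the two structures described above (the encrypted virus of figures 1 to 3, whose decryptor is fixed and only the key changes, and the polymorphic virus, whose mutation engine emits a fresh decryptor for every infection), added here as a worked example; it is not code from the paper or from Symantec. Everything in it is constructed for the illustration: the tiny 8086-flavoured decryptor "assembly" (mov, xor, inc, add, dec, sub, jnz, loop, push, pop over a handful of registers), the one-byte XOR standing in for Encrypt/Decrypt, the body text, and the handful of substitutions the stand-in mutation engine draws from (a real engine has a far larger vocabulary). The interpreter executes each generated decryptor over the encrypted body to prove it still recovers the plaintext, and the "scanner" keeps the fixed decryptor's opcode/register skeleton with the key and count immediates wildcarded, which is what a signature for a decryption routine amounts to.

```python
import random
import re

# Constructed stand-in for the plaintext virus body (the paper's listing
# begins "Search for an EXE file ...").
VIRUS_BODY = b"search for an EXE file; change the attributes; open the file"


def encrypt_body(body, key):
    """Scramble the body with a one-byte XOR key; the decryptor undoes it."""
    return bytes(b ^ key for b in body)


def fixed_decryptor(key, length):
    """Encrypted virus: identical decryptor every generation, only the key differs."""
    return [f"mov cx, {length}", "mov si, body", "top:",
            f"xor [si], {key}", "inc si", "dec cx", "jnz top"]


def mutation_engine(key, length, rng):
    """Polymorphic virus (toy engine): same job, different shape each time."""
    ptr = rng.choice(["si", "di", "bx"])                 # pointer register
    cnt = rng.choice(["cx", "dx"])                       # counter register
    setup = [f"mov {cnt}, {length}", f"mov {ptr}, body"]
    rng.shuffle(setup)                                   # setup order varies
    if rng.random() < 0.5:                               # key as an immediate ...
        xor = [f"xor [{ptr}], {key}"]
    else:                                                # ... or staged in al
        setup.append(f"mov al, {key}")
        xor = [f"xor [{ptr}], al"]
    step = rng.choice([[f"inc {ptr}"], [f"add {ptr}, 1"], [f"sub {ptr}, -1"]])
    if cnt == "cx" and rng.random() < 0.5:
        back = ["loop top"]                              # dec cx + jnz in one
    else:
        back = [rng.choice([f"dec {cnt}", f"sub {cnt}, 1"]), "jnz top"]
    instrs = setup + ["top:"] + xor + step + back
    for _ in range(rng.randint(0, 3)):                   # do-nothing filler
        pos = rng.randint(0, len(instrs))
        instrs[pos:pos] = rng.choice([["nop"], ["push ax", "pop ax"]])
    return instrs


def execute(decryptor, encrypted):
    """Interpret a decryptor over the encrypted body; return what it leaves in memory."""
    mem = bytearray(encrypted)
    regs = {r: 0 for r in ("ax", "al", "bx", "cx", "dx", "si", "di")}
    labels = {i[:-1]: n for n, i in enumerate(decryptor) if i.endswith(":")}
    zf, stack, pc, steps = False, [], 0, 0

    def val(a):                                          # register or immediate
        return regs[a] if a in regs else (0 if a == "body" else int(a))

    while pc < len(decryptor):
        ins, pc, steps = decryptor[pc], pc + 1, steps + 1
        if steps > 10_000:
            raise RuntimeError("runaway decryptor")
        if ins.endswith(":") or ins == "nop":
            continue
        op, _, rest = ins.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if op == "mov":
            regs[args[0]] = val(args[1])
        elif op in ("inc", "add"):
            regs[args[0]] = (regs[args[0]] + (1 if op == "inc" else val(args[1]))) & 0xFFFF
        elif op in ("dec", "sub"):
            regs[args[0]] = (regs[args[0]] - (1 if op == "dec" else val(args[1]))) & 0xFFFF
            zf = regs[args[0]] == 0
        elif op == "xor":                                # xor [ptr], imm|reg
            mem[regs[args[0].strip("[]")]] ^= val(args[1]) & 0xFF
        elif op == "jnz":
            pc = pc if zf else labels[args[0]]
        elif op == "loop":
            regs["cx"] = (regs["cx"] - 1) & 0xFFFF
            pc = labels[args[0]] if regs["cx"] else pc
        elif op == "push":
            stack.append(regs[args[0]])
        elif op == "pop":
            regs[args[0]] = stack.pop()
        else:
            raise ValueError(f"unknown instruction: {ins}")
    return bytes(mem)


def signature(decryptor):
    """Scanner's view of a decryptor: opcode/register skeleton, immediates wildcarded."""
    return tuple(re.sub(r"-?\b\d+\b", "??", i) for i in decryptor if not i.endswith(":"))


def compare(samples=50, seed=1):
    """Infect `samples` times each way, scan with the fixed decryptor's signature,
    and verify along the way that every generated decryptor really decrypts."""
    rng, length = random.Random(seed), len(VIRUS_BODY)
    fixed_sig = signature(fixed_decryptor(0, length))
    enc_hits, poly_hits, poly_sigs = 0, 0, set()
    for _ in range(samples):
        key = rng.randint(1, 255)
        body = encrypt_body(VIRUS_BODY, key)
        fixed, poly = fixed_decryptor(key, length), mutation_engine(key, length, rng)
        if execute(fixed, body) != VIRUS_BODY or execute(poly, body) != VIRUS_BODY:
            raise RuntimeError("a generated decryptor failed to recover the body")
        enc_hits += signature(fixed) == fixed_sig
        poly_hits += signature(poly) == fixed_sig
        poly_sigs.add(signature(poly))
    return {"encrypted_caught": enc_hits, "polymorphic_caught": poly_hits,
            "distinct_polymorphic_decryptors": len(poly_sigs)}
```

Calling compare() reports how many of the 50 infections the decryptor signature catches in each case: every encrypted-virus sample, because its decryptor skeleton never changes, but only the rare polymorphic sample for which the engine happened to pick the default register and instruction choices, while the count of distinct polymorphic decryptors shows why one signature per decryptor shape does not scale and why the paper moves on to generic decryption, which runs the decryptor instead of pattern-matching it.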