Welcome to the SecAware blog

I spy with my beady eye ...

8 Mar 2007

Polymorphism gone bonkers

Over the past few months, the "Storm" worm has taken the idea of polymorphism to new extremes. To understand the context, here's a little history.

Once upon a time long long ago, cunning virus authors discovered they could fool the early antivirus programs simply by making insignificant changes in their code. Adding the odd "null command", pointless loops or whatever was enough to make 'variants' that escaped detection, for a while anyway, until the equally cunning antivirus analysts caught on, figuring out how to unravel the variations and find the common factors to make reliable virus signatures. Virus variants emerged every few months or weeks.

Next, even more cunning authors of automated virus generating engines added the ability to create variant or "polymorphic" viruses at will. A whole industry of polymorphic cunningness developed, adding tricks such as self-modifying code, obfuscation and encryption to the pot and spewing out variants by the bucket-load. The antivirus whizz-kids spent their days searching through the layers of obfuscation for invariant code sequences such as the decryption routines, and toyed with the idea of "heuristic scanning" for "virus-like activity". Variants emerged every few weeks or days.
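To make the "invariant decryption routine" point concrete, here is an added Python illustration (not code from the original post, and nothing in it is real malware: the decryptor stub, the body and the XOR "encryption" are constructed stand-ins). It shows why a signature on the encrypted body fails as soon as the key changes, why a signature on the decryptor catches every variant, and how a scanner can go one step further by emulating the stub's decryption to confirm what sits underneath.

```python
"""Why antivirus analysts hunt for the invariant decryptor rather than the
variable encrypted body. Added illustration; every byte string below is
constructed for the example and stands in for no real sample."""

from typing import Optional

# Constructed stand-in for a decryptor loop. Real variants carry machine code
# here; this fixed pattern simply plays the role of "the part that cannot change".
DECRYPTOR_STUB = b"\xde\xc0\xde\x10\x0b\x00\x7e\x5c"   # constructed marker bytes
# Constructed stand-in for the worm body that the author encrypts per variant.
PLAINTEXT_BODY = b"CONSTRUCTED-WORM-BODY"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used both by the toy 'encryption' and by the scanner."""
    return bytes(b ^ key for b in data)


def make_variant(key: int, junk: bytes = b"") -> bytes:
    """Build a constructed sample: optional junk prefix, the fixed stub, the
    one-byte key the stub would read, then the body XOR'd with that key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    return junk + DECRYPTOR_STUB + bytes([key]) + xor_bytes(PLAINTEXT_BODY, key)


def body_signature_hits(sample: bytes) -> bool:
    """First-generation approach: look for the plaintext body itself.
    Works only when the body is not encrypted (key 0 in this toy)."""
    return PLAINTEXT_BODY in sample


def stub_signature_hits(sample: bytes) -> bool:
    """The analyst's answer: match the decryptor, which every variant must carry."""
    return DECRYPTOR_STUB in sample


def recover_body(sample: bytes) -> Optional[bytes]:
    """Go one step further than matching the stub: emulate what the stub does
    (read its key byte, decrypt what follows) and confirm the real body is
    underneath. Returns the decrypted body on a match, else None."""
    idx = sample.find(DECRYPTOR_STUB)
    if idx < 0:
        return None
    key_pos = idx + len(DECRYPTOR_STUB)
    if key_pos >= len(sample):          # stub at end of file: nothing to decrypt
        return None
    key = sample[key_pos]
    decrypted = xor_bytes(sample[key_pos + 1:], key)
    return decrypted if PLAINTEXT_BODY in decrypted else None


def classify(sample: bytes) -> str:
    """Summarise which detection layer catches a sample, if any."""
    if body_signature_hits(sample):
        return "detected: plaintext body signature"
    if recover_body(sample) is not None:
        return "detected: decryptor stub + emulated decryption"
    if stub_signature_hits(sample):
        return "suspicious: decryptor stub present, body not confirmed"
    return "clean"


if __name__ == "__main__":
    samples = {
        "variant-key-0x00": make_variant(0x00),
        "variant-key-0x5a": make_variant(0x5A),
        "variant-key-0x13-with-junk": make_variant(0x13, junk=b"\x90" * 7),
        "benign-file": b"constructed benign file contents, nothing to see",
    }
    for name, data in samples.items():
        print(f"{name:28s} {classify(data)}")
```

The three layers in `classify` mirror the escalation the post describes: a body signature catches only the unencrypted sample, the stub signature catches every variant regardless of key or junk prefix, and emulating the decryption turns "this looks like a decryptor" into a confirmed match while keeping a plain file clean. Real engines do the same with far more elaborate decryptors and emulators, but the principle of keying on what the author cannot vary is unchanged.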

The author of "Storm" took the game to a new level. He/she released a few hundred worm variants simply to test the waters, then an absolute avalanche of thousands or tens of thousands of variants all at once, seeded from tens or hundreds of thousands of compromised 'bot' machines all over the net. The worms use highly variable subject lines and code, and through sheer numbers alone threaten to overload even the most assiduous antivirus team.

The next chapter in this thrilling story is likely to be rather unpleasant.
