Friday, August 10, 2007

what is polymorphism?

in the malware context, polymorphism refers to a property of self-replicating malware (viruses and worms, *although self-modifying non-replicative programs take on different forms by virtue of modifying themselves so the term polymorphism can technically apply to them also) whereby the offspring (the copies) potentially take on a different form than the parent (the original)...

typically polymorphism works by encrypting the main virus body (which was actually unchanging) using a variable key (in order to make the ciphertext actually be different from one instance to the next a different key is needed each time, otherwise it would simply be considered *encrypted) and using a decryptor (a stub that decrypts the main body of the virus in order for it to execute) that is also variable (otherwise the decryptor itself could be easily used to detect the virus)...

polymorphism is a type of camouflage that was originally developed back when anti-virus products were just using simple scan strings to compare against samples in the process of looking for viruses... a virus that changed it's contents could easily fool such a simple scanner because there would be no single sequence of bytes that would match all instances of the virus... as a result anti-virus companies developed technology that would use the virus' decryptor against it by allowing it to decrypt the main body of the virus so that that could then be used to identify the virus...

the term polymorph, in the malware context, arose out of a long telephone conversation between frisk (fridrik skulason) and alan solomon as a way to describe viruses that mutated or garbled themselves (according to dr. solly's retelling anyways) but over the years it has been narrowed to exclude cases where the decryptor didn't change (variably encrypted), or only changed into relatively few alternate forms (oligomorphs), or cases that didn't use a decryptor at all...

back to index

(*updates/improvements thanks to vesselin's comments)

2 comments:

Vesselin said...

1) Although I can't think of a good example right now, polymorphism doesn't have to be restricted to self-replicating malware. For instance, a Trojan horse could polymorph its body every time it is executed.

2) Encryption with a constant key isn't armouring. Armouring is the use of programming tricks that make disassembling, debugging and understanding of the code difficult. For instance, the Whale virus is heavily armoured, despite that it doesn't use constant encryption. (It uses variable encryption and is, in fact, oligomorphic.)

kurt wismer said...

1) i don't think i've ever heard the label polymorphic applied to self-modifying programs before (though on some level it obviously applies)... thanks for that...

2) i guess i was intending the term armoured in an umbrella-term sort of way, though your description seems equally encompassing - 'programming tricks' could refer to anything and there was a time when simply encrypting code could be considered to have made at least disassembling and understanding the code more difficult (certainly more tedious)... on reading it again, though, i can see how one might interpret my use of 'armoured' to mean something much more specific than what i intended...