Saturday, May 03, 2008

what is a variant?

a malware variant is a modified version of a previously existing piece of malware where the modification was performed by something other than the malware itself...

any modification that results in something that isn't a byte-for-byte match with the original is enough to classify the result as a new variant so long as the modification wasn't made entirely by the malware itself... that means flipping a single bit by hand creates a new variant while traditional polymorphism does not...

the reason traditional polymorphism isn't considered to produce new variants is that every possible form the malware can take as a result of the polymorphism is knowable by analyzing the code of that malware... the transformation is known and fixed, while modifications performed by forces beyond the malware itself are unknown and unpredictable...

perhaps confusingly, server-side polymorphism can arguably be considered to produce new variants... this is because the modification is not performed by the malware itself but by a server-side component that the malware analysts may not have access to and as a result cannot predict all possible forms a given malware may take when transformed by it... if the server-side component becomes known (and assuming it's entirely algorithmic) then it becomes possible to detect all possible instances of a piece of server-side polymorphic malware, but it's difficult in general to justify saying that they magically stop being different variants once the transformation function becomes known...
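the distinction above as a toy model, added here and not part of the original post: a one-byte xor encoding stands in for traditional (in-sample) polymorphism, whose whole family of forms can be enumerated from the code, and a key held only on a hypothetical server stands in for server-side polymorphism, whose forms can only be enumerated once the analyst has the server component...

```python
from collections.abc import Callable, Iterable

# Constructed stand-in for the body of the original sample (not real malware).
ORIGINAL = b"original-sample-body"


def xor_encode(body: bytes, key: int) -> bytes:
    """Toy in-sample polymorphic transform: one-byte XOR, key stored up front
    for the decoder. The output is fully determined by (body, key)."""
    return bytes([key]) + bytes(b ^ key for b in body)


def self_forms(body: bytes) -> set[bytes]:
    """Every form reachable by the sample's own fixed transform: 256 keys,
    256 forms, all knowable from the code alone, so none is a new variant."""
    return {xor_encode(body, k) for k in range(256)}


def server_repack(body: bytes, server_key: bytes) -> bytes:
    """Hypothetical server-side transform: a repeating-key XOR whose key never
    ships inside the sample, so the analyst cannot enumerate its outputs
    without obtaining the server component."""
    return bytes(b ^ server_key[i % len(server_key)] for i, b in enumerate(body))


def classify(sample: bytes, original: bytes,
             known_forms: Iterable[Callable[[bytes], set[bytes]]]) -> str:
    """Apply the post's rule: byte-for-byte match -> same; inside a known,
    fixed transform's reachable set -> a form, not a variant; else variant."""
    if sample == original:
        return "same"
    if any(sample in gen(original) for gen in known_forms):
        return "known form"
    return "variant"


def flip_bit(data: bytes, index: int) -> bytes:
    """A by-hand modification: flip one bit, which the rule counts as a variant."""
    out = bytearray(data)
    out[index] ^= 1
    return bytes(out)


if __name__ == "__main__":
    server_key = b"\x13\x37"  # constructed, lives only on the "server"
    poly = xor_encode(ORIGINAL, 0x5A)
    print(classify(poly, ORIGINAL, [self_forms]))                 # known form
    print(classify(flip_bit(poly, 5), ORIGINAL, [self_forms]))    # variant
    remote = server_repack(ORIGINAL, server_key)
    print(classify(remote, ORIGINAL, [self_forms]))               # variant
    now_known = [self_forms, lambda b: {server_repack(b, server_key)}]
    print(classify(remote, ORIGINAL, now_known))                  # known form
```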


(thanks to vesselin for the previous discussions on the objective definition of variant)
