Polymorphic code

From Wikipedia, the free encyclopedia
Self-modifying program code designed to defeat anti-virus programs or reverse engineering
Not to be confused with Polymorphism (computer science).

In computing, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact - that is, the code changes itself every time it runs, but the function of the code (its semantics) stays the same. For example, the simple math expressions 3+1 and 6-2 both achieve the same result, yet run with different machine code in a CPU. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.[1]

Encryption is the most common method to hide code. With encryption, the main body of the code (also called its payload) is encrypted and will appear meaningless. For the code to function as before, a decryption function is added to the code. When the code is executed, this function reads the payload and decrypts it before executing it in turn.

Encryption alone is not polymorphism. To gain polymorphic behavior, the encryptor/decryptor pair is mutated with each copy of the code. This yields different copies of the code that all function the same.[2]

Malicious code

Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognize the offending code because it constantly mutates.

Malicious programmers have sought to protect their encrypted code from this virus-scanning strategy by rewriting the unencrypted decryption engine (and the resulting encrypted payload) each time the virus or worm is propagated. Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such malware.

Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a sandbox. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remain constant from infection to infection.
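The two points above (a mutated decryptor hides a constant payload from byte-signature scanning, but an emulator that runs the decryptor first still finds it) as an added Python illustration that is not part of the article or its sources. The payload, the signature, the toy decryptor header format `DEC:<op>:<operand>;` and the three stub forms are all constructed for this example.

```python
import hashlib

# Constructed stand-in for the code body ("payload") a scanner wants to recognise,
# and the byte signature a scanner would hold for that plaintext body.
PAYLOAD = b"ORIGINAL-ALGORITHM-BODY"
SIGNATURE = b"ALGORITHM"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def add_bytes(data: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in data)

# Toy decryptor stubs. XOR k is its own inverse; SUB k and ADD (256 - k) both undo
# ADD k, so they are different wordings of the same operation (like 3+1 and 6-2).
DECRYPTORS = {
    b"XOR": lambda data, k: xor_bytes(data, k),
    b"SUB": lambda data, k: add_bytes(data, (256 - k) & 0xFF),
    b"ADD": lambda data, k: add_bytes(data, k),
}

def build_variant(key: int, stub: bytes) -> bytes:
    """One copy of the code: a constructed header 'DEC:<op>:<operand>;' (the
    decryptor) followed by the encrypted payload. Varying key/stub varies the bytes."""
    if stub == b"XOR":
        body, operand = xor_bytes(PAYLOAD, key), key
    elif stub == b"SUB":
        body, operand = add_bytes(PAYLOAD, key), key
    else:  # ADD stub: store the additive inverse so ADD operand undoes ADD key
        body, operand = add_bytes(PAYLOAD, key), (256 - key) & 0xFF
    return b"DEC:" + stub + b":" + str(operand).encode() + b";" + body

def static_scan(sample: bytes) -> bool:
    """Plain signature scan over the bytes as stored: defeated by the encryption."""
    return SIGNATURE in sample

def emulate_and_scan(sample: bytes) -> bool:
    """Sandbox-style scan: execute the stub's operation, then match the decrypted body."""
    header, body = sample.split(b";", 1)
    _, op, operand = header.split(b":")
    return SIGNATURE in DECRYPTORS[op](body, int(operand))

def fingerprint(sample: bytes) -> str:
    """Hash of a whole copy, to show that each variant differs byte-for-byte."""
    return hashlib.sha256(sample).hexdigest()
```

Two variants built with the SUB and ADD stubs from the same key carry identical encrypted bodies behind differently worded decryptors, which is exactly the pattern the article says emulation exploits.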

The first known polymorphic virus was written by Mark Washburn. The virus, called 1260, was written in 1990.[3] A better-known polymorphic virus was created in 1992 by the hacker Dark Avenger as a means of avoiding pattern recognition from antivirus software. A common and very virulent polymorphic virus is the file infector Virut.

References

  1. Raghunathan, Srinivasan (2007). Protecting anti-virus software under viral attacks (M.Sc.). Arizona State University. CiteSeerX 10.1.1.93.796.
  2. Wong, Wing; Stamp, M. (2006). "Hunting for Metamorphic Engines". Journal in Computer Virology. 2 (3): 211–229. CiteSeerX 10.1.1.108.3878. doi:10.1007/s11416-006-0028-7. S2CID 8116065.
  3. "An Example Decryptor of 1260". userpages.umbc.edu. Retrieved 2025-03-21.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Polymorphic_code&oldid=1284464653"