-=( ---------------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 --------------- Great Debate : Metamorphism )=-
-=( ---------------------------------------------------------------------- )=-

-=( 0 : Contents --------------------------------------------------------- )=-

0 : Contents
1 : Introduction
2 : Questions
3 : Conclusion

-=( 1 : Introduction ----------------------------------------------------- )=-

Ever since the days of the first metamorphic viruses like ACG and TMC, the idea of mutating a virus to eliminate any possible scan strings has captured the imagination of virus writers worldwide. Suddenly it was shown that some of the same ideas used in polymorphic decryptors could be applied to the entire virus body. Time passed, into a new century in fact, and several excellent examples of metamorphic viruses have appeared (Zmist, for one). But the question still remains: what does the virus scene think of metamorphism? Does metamorphism deliver the goods, or is polymorphism here to stay?

We would like to thank all those who took part in this Great Debate. Thanks go to the following people for participating: CyberYoda, a_guy_in_the_wind, CyberWarrior, mandragore, Rezial, Knowdeth, DoxtorL, and anonymous.

-=( 2 : Questions -------------------------------------------------------- )=-

How do you see the application of metamorphic technology? Is it the best thing to come out of the virus scene, or unstable dead weight?

CyberYoda> Metamorphic technology is an evolutionary step forward in virus writing technology. Done properly, it is a powerful technique in a virus writer's toolbox.

a_guy_in_the_wind> The answer is hard. If metamorphism seems to be the top of the top technology, to me it seems that there's no "good" metamorphism; well, some are very efficient, but I'm very sceptical about it. For the implementation to be done by the rules of the art, it needs deep algorithm studies and mathematical proof to be sure it cannot be completely reversed/cryptanalysed, as you would do in the professional world. Added to this, you have to design strong and complex code to manage it. I think such a work is much more suited to team work, but as most coders work alone, you won't see a lot of meta.

CyberWarrior> Metamorphism is a great way to hide viruses, and they say a lot about the coder who did them (as long as they aren't ripped or from other coders ;)

mandragore> Let's put the virus scene aside. The application of such technologies is obvious: to evolve like a biological virus. This similarity is a good short- and long-term adaptation for viruses: some kind of poly nowadays, it could become the elegant way to cross-invade systems and evade detectors. As long as it's not 50k of "did you see my code".

Rezial> TMC crashed a lot. I haven't heard any antivirus companies say "Sorry, we don't detect that virus, it is too metamorphic". I think it is well established that metamorphism doesn't work very well yet :)

Knowdeth> Could be a good thing for ASM coders, dead weight for HLL. The last thing I want to see is a 1 MB meta Visual Basic virus.

DoxtorL> Interesting theoretical technology.

anonymous> It's not the best thing to come out of the virus scene; that's the virus itself. But it's certainly not unstable dead weight either. We've seen plenty of proof of that.

What do you think the base purpose of metamorphic technology is, and how do you compare that with the capability of polymorphic technology? For example, how efficient are they in making a virus undetectable?

CyberYoda> The sole purpose of metamorphic technology is to delay as long as possible the understanding and reliable detection of the virus. Given the same level of complexity, a metamorphic virus should be a little more difficult to understand and detect than a polymorphic one.

a_guy_in_the_wind> Well, good polymorphism has fooled antivirus, as do good metamorphic ones. I find meta is way more boring to do than a polymorphic engine, but I don't like polymorphic engines that much either. Metamorphism is in principle a good idea; many people wrote about it, but application seems quite a lot harder and needs a lot of motivation.

CyberWarrior> I think it's a nice way to code multi-file-type infectors. Making a virus undetectable is not a question of encryption or plain code: as long as AV is able to trace the code, they will detect it. Polymorphism and metamorphism are as good as normal encryption if they are well done, but they don't offer as many scan strings as encrypted or unencrypted viruses.

mandragore> For me, metamorphism is a kind of polymorphism. But if you consider the latter as a Random Decrypting Algorithm, then metamorphism goes one step further. It gives control over the whole body, theoretically, and practically if the engine is well done. Changing shape is the best way to avoid all kinds of algorithmic scanners, but one must still care about heuristics, integrity checkers, and so on...

Rezial> It started off as a replacement for polymorphism, as decryptors were too easily detected with statistical instruction analysis and code emulation. But when they emulate your metamorphed code, whenever you call an API you are open to the same code emulation problem as before, and this is why current metamorphism is almost useless. I don't think the solution to a detection technique is to throw more code at the problem. It requires a different thinking strategy.

Knowdeth> To give the ASM coders something to have a fit with :-) Well, poly and og is possible for what I deal with, so I don't see a change coming any time soon as far as morphic virii go, at least from how I see it. Then again there is that you-never-know factor, and tomorrow someone could pull some strange Batch I-Worm with full meta. I've seen stranger.

DoxtorL> Metamorphic technology brings the host code and the virus code close to fusing. But it's usually a lot of work for nothing (see Mental Driller's virus, "etapux", now easily detected). The power of microprocessors makes the antiviruses' job easier.

anonymous> The purpose of metamorphism is exactly the same as polymorphism: to make the virus harder to detect. The less constant code/data, the harder it is to detect the virus, and since a polymorphic virus has to have constant code/data (even though it's encrypted) and a metamorphic virus doesn't have to, I'd say a metamorphic virus has to be more successful. Though everything can be detected.

Would you feel comfortable writing a metamorphic engine right now? Have you ever done so, or tried to? How did it go?

CyberYoda> While it is within my abilities to write a simple metamorphic engine, I've never attempted the feat in assembly.

a_guy_in_the_wind> At the moment? Nope, I don't have time for it, and also I'm hard at work on other topics. I have started a library for assembly/disassembly, designed to be callable, with easy and flexible APIs. Then I started writing a little engine which was supposed to disassemble and mutate into other pairs of instructions; the algorithm was badly thought out and, to be honest, it started to bore me a lot.

CyberWarrior> Very comfortable to write one to infect different kinds of files. It's not as easy as "just" changing the entry point to the code, but it works fine and it doesn't offer AV that many scan strings =]

mandragore> Yup, I already tried; it went rather fine actually. I thought it would be harder, but it only involved things I already knew. What I tried for my last creation is some metamorphism embedded in a tunneler using contexts.

Rezial> No.

Knowdeth> For what I code I don't even know if it would be applicable, much less possible.

DoxtorL> It's a hard job. To tell the truth, I have never written that sort of virus, nor polymorphic viruses either.

anonymous> Yes, I'd feel comfortable writing a metamorphic engine. I've done so. There are just as many ways to do metamorphism as there are ways to do polymorphism. The better metamorphism you want, the more complex your code gets; a lot more complex.

What do you think are the key parts to writing a good metamorphic engine, and what are the most difficult aspects?

CyberYoda> A strong understanding of machine language and creativity are necessary, but having enough patience is the most difficult requirement to fulfill.

a_guy_in_the_wind> Well, I think you need a very good grounding in disassembly and assembly first. Second, you need very good handling of instruction pairs and their results. The last part, and this is a very interesting part to develop, I think, is the analyst part of meta: the right shortcut to take to retrieve what the author of the virus initially really wanted to do, and then choose another permutation. A good idea seems to be to get down to the binary and start a study of the result of a pair of instructions, so that multiple instructions will be recognised perfectly; instructions can lie in their appearance, they won't lie in their result :)

CyberWarrior> The most difficult one is that you need some opcode knowledge, but I guess every ASM reference can fix that ;]

mandragore> Getting the idea is pretty simple; what's harder is taking all cases into consideration, and forgetting a bug somewhere in the opcode interpreter... the one which happens 3% of the time but takes you forever to find :)

Rezial> Considering the only factor to gain from in metamorphism is obscuring the intent of your code, the "key part" to metamorphism is more == better, and hiding easter-egg code swapping / mutation / dropping routines within the garbage. The most difficult aspect is how to deal with wasted months of work when AV detect your virus anyway. That, and debugging :)

Knowdeth> Never made one, so I couldn't tell you.

DoxtorL> For me, this kind of virus is a bit mysterious. I suppose to write this kind of virus you have to think for a long time to plan how the virus will change/mutate. Maybe the main problem is to make the virus have no fixed bytes or patterns. It's more difficult than writing a polymorphic virus: a decent metamorphic virus has no encrypted bytes, or only a few. In a polymorphic virus, usually the main part is encrypted with a different key/encryption algorithm.

anonymous> The key parts of writing a good metamorphic engine must be to swap code and data around, change the order of execution, modify code and add new code. The most difficult aspect is separating code from data.

In the future, do you think we'll see a larger or smaller percentage of viruses written with metamorphic engines, and why?

CyberYoda> I believe there will be a smaller percentage of viruses written with a metamorphic engine, as the number of coders capable of creating a stable metamorphic virus is decreasing, while the cheap knock-offs of viruses always seem to increase.

a_guy_in_the_wind> I have no idea on the question. I think it will go with the scene: sleeping, and sleeping more :)

CyberWarrior> A smaller percentage. These days new viruses are written in Visual Basic or Delphi, packed with UPX or other file packers. Newbies don't mess with ASM any more; they start with .bat these days, which is completely useless in my eyes since WinME+ doesn't really support .bat any more. And metamorphic engines written in Visual Basic, Delphi or C/C++/C# are difficult to do since there is no real access to the file's opcodes. I guess the main problem is that most zines release tutorials about coding viruses in batch or BASIC. Hope this will change soon =]

mandragore> I don't think so. Visual Basic doesn't support it :) It's an in-depth conception which can be done in assembly and barely in other languages. And there are fewer and fewer ASM coders. Today's goals are fast spreading, fast infecting. Retro and hiding technologies aren't part of it. This position is understandable because AVs are losing on this field for now. But soon they'll be able to correctly filter mail and so on, and Microsoft could secure its stuff one day (not today, OK). Let's hope coders will grow and be at the rendez-vous, and ready to evolve. The solution is already there...

Rezial> Less. There are fewer assembly language coders, and although you can do it in macro viruses, I think these will eventually die out. It is hard to get people to legitimately open macro'd documents as it is, let alone randomly emailed ones :)

Knowdeth> Honestly, without; I see more and more HLL. It's rare to see poly, much less a meta. I see things getting bigger, but then again I said that when someone told me my 45k was huge; now you find 150k+ virii all over the place.

DoxtorL> I doubt we will see a larger percentage of viruses using that technology. Too much work, and the need to have good skill in ASM.

anonymous> A larger percentage of viruses written will be metamorphic, because that is the development of viruses. Just look how fast virus coders began adding polymorphism to their viruses.

-=( 3 : Conclusion ------------------------------------------------------- )=-

As expected, there is a wide range of views on metamorphism. The only two common answers seem to be that metamorphic engines are difficult to write, and that most participants are rather cynical about expecting more of them. But then, perhaps the rarity and difficulty of metamorphism is what makes people so interested in it.

-=( ---------------------------------------------------------------------- )=-
-=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
-=( ---------------------------------------------------------------------- )=-
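Editor's added example (not part of the Natural Selection text, and not code from any of the participants): a toy metamorphic rewriter over a made-up two-register instruction set, to make concrete the "key parts" the panel lists (substitute equivalent instruction pairs, add dead code, keep the result identical) and the analyst-side counter that a_guy_in_the_wind and Rezial allude to, namely normalising code by its effect rather than its appearance. The instruction set, the byte encoding, the sample program and the substitution table are all constructed for this illustration; nothing here models a real CPU or a real engine.

```python
import random

REGS = ["r0", "r1"]
OPC = {"nop": 0, "mov": 1, "add": 2, "sub": 3, "xor": 4, "push": 5, "pop": 6}

# Constructed sample body: computes r0 = 5 + 7 - 2 and clears r1.
PROG = [("mov", "r0", 5), ("mov", "r1", 7), ("add", "r0", "r1"),
        ("xor", "r1", "r1"), ("sub", "r0", 2)]

# Dead-code fragments with no net effect on registers or stack.
GARBAGE = [[("nop",)], [("push", "r0"), ("pop", "r0")],
           [("push", "r1"), ("pop", "r1")], [("add", "r0", 0)], [("add", "r1", 0)]]


def run(prog):
    """Reference interpreter: the 'result' an instruction cannot lie about."""
    regs, stack = {r: 0 for r in REGS}, []
    val = lambda x: regs[x] if isinstance(x, str) else x
    for ins in prog:
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = val(ins[2])
        elif op == "add":
            regs[ins[1]] += val(ins[2])
        elif op == "sub":
            regs[ins[1]] -= val(ins[2])
        elif op == "xor":
            regs[ins[1]] ^= val(ins[2])
        elif op == "push":
            stack.append(val(ins[1]))
        elif op == "pop":
            regs[ins[1]] = stack.pop()
        elif op != "nop":
            raise ValueError("unknown op %r" % op)
    if stack:
        raise RuntimeError("unbalanced stack")
    return regs


def encode(prog):
    """Toy byte encoding (opcode byte, then one byte per operand), so that two
    generations can be compared the way a scan-string scanner sees them."""
    def operand(x):
        return 0x80 | REGS.index(x) if isinstance(x, str) else x & 0xFF
    return bytes(b for ins in prog for b in [OPC[ins[0]], *map(operand, ins[1:])])


def mutate(prog, rng):
    """One metamorphic generation: every eligible instruction is replaced by an
    equivalent sequence chosen at random, with dead code sprinkled in between."""
    out = []
    for ins in prog:
        if rng.random() < 0.5:
            out.extend(rng.choice(GARBAGE))
        op, args = ins[0], ins[1:]
        if op == "mov" and isinstance(args[1], int):
            r, imm, k = args[0], args[1], rng.randint(1, 9)
            out.extend(rng.choice([[("mov", r, imm - k), ("add", r, k)],
                                   [("push", imm), ("pop", r)],
                                   [("xor", r, r), ("add", r, imm)]]))
        elif op == "xor" and args[0] == args[1]:          # zeroing idiom
            r = args[0]
            out.extend(rng.choice([[("sub", r, r)], [("mov", r, 0)],
                                   [("push", 0), ("pop", r)]]))
        elif op == "add" and isinstance(args[1], int):
            r, imm, k = args[0], args[1], rng.randint(1, 9)
            out.extend(rng.choice([[("sub", r, -imm)],
                                   [("add", r, imm - k), ("add", r, k)]]))
        elif op == "sub" and isinstance(args[1], int):
            out.append(("add", args[0], -args[1]))
        else:
            out.append(ins)                               # reg-to-reg ops kept as-is
    return out


def generation(seed):
    """Deterministic generation for a given seed."""
    return mutate(PROG, random.Random(seed))


def normalize(prog):
    """Analyst-side canonicaliser: rewrite by effect until a fixpoint, so every
    generation collapses back to one canonical listing."""
    prog, changed = list(prog), True
    while changed:
        changed, out, i = False, [], 0
        while i < len(prog):
            ins, op = prog[i], prog[i][0]
            nxt = prog[i + 1] if i + 1 < len(prog) else None
            if op == "nop" or (op == "add" and ins[2] == 0) or (op == "mov" and ins[1] == ins[2]):
                i, changed = i + 1, True                                  # no effect: drop
            elif op in ("xor", "sub") and ins[1] == ins[2]:
                out.append(("mov", ins[1], 0)); i, changed = i + 1, True   # zeroing idiom
            elif op == "sub" and isinstance(ins[2], int):
                out.append(("add", ins[1], -ins[2])); i, changed = i + 1, True
            elif op == "push" and nxt and nxt[0] == "pop":
                out.append(("mov", nxt[1], ins[1])); i, changed = i + 2, True
            elif (op in ("mov", "add") and isinstance(ins[2], int) and nxt
                  and nxt[0] == "add" and nxt[1] == ins[1] and isinstance(nxt[2], int)):
                out.append((op, ins[1], ins[2] + nxt[2])); i, changed = i + 2, True  # fold
            else:
                out.append(ins); i += 1
        prog = out
    return prog


def longest_common_run(a, b):
    """Longest byte string shared by two encodings: an upper bound on the length
    of any scan string that could match both generations."""
    best, prev = 0, [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            if x == y:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


if __name__ == "__main__":
    base = encode(PROG)
    for seed in range(3):
        g = generation(seed)
        print("seed %d: %d bytes, same result %s, same canonical form %s, shared run %d/%d"
              % (seed, len(encode(g)), run(g) == run(PROG), normalize(g) == normalize(PROG),
                 longest_common_run(base, encode(g)), len(base)))
```

Two things are worth noticing when running it. Every generation differs at the byte level and never contains the original body as a contiguous string, which is exactly what defeats a fixed scan string; yet `normalize()` maps each generation back to the same five canonical instructions, because each substitution the rewriter knows is also a rewrite the analyst can undo. That is the asymmetry the panel keeps circling: a substitution table is only as strong as the analyst's ignorance of it, and a semantic check (here `run()`) does not care about appearance at all.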