Jump to content

Metamorphic code

From Wikipedia, the free encyclopedia

Metamorphic code is code that when run outputs a logically equivalent version of its own code under some interpretation. This is similar to a quine, except that a quine's source code is exactly equivalent to its own output. Metamorphic code also usually outputs machine code and not its own source code.

Overview

[edit]

Metamorphic code is used by computer viruses to avoid the pattern recognition of anti-virus software. Metamorphic viruses often translate their own binary code into a temporary representation, editing the temporary representation of themselves and then translate the edited form back to machine code again.[1] This procedure is done with the virus itself, and thus also the metamorphic engine itself undergoes changes, which means that no part of the virus stays the same. This differs from polymorphic code, where the polymorphic engine can not rewrite its own code.

Metamorphic code is used by some viruses when they are about to infect new files, and the result is that the next generation will never look like current generation. The mutated code will do exactly the same thing (under the interpretation used), but the child's binary representation will typically be completely different from the parent's. Mutation can be achieved using techniques like inserting NOP instructions (brute force), changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

Metamorphism does not protect a virus against heuristic analysis.[citation needed]

Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and Linux) or even different computer architectures. Often, the virus does this by carrying several viruses within itself. The beginning of the virus is then coded so that it translates to correct machine-code for all of the platforms that it is supposed to execute in.[2] This is used primarily in remote exploit injection code where the target platform is unknown.

Metamorphic viruses

[edit]

See also

[edit]

References

[edit]
  1. ^ "Metamorphism in practice or "How I made MetaPHOR and what I've learnt"". VX Heavens. February 2002. Archived from the original on June 2, 2007.
  2. ^ "Architecture Spanning Shellcode". Phrack Magazine. Vol. 11, no. 57. August 11, 2001. Archived from the original on December 4, 2023.
  3. ^ Peter Ferrie "Crimea River", VB, 2008
[edit]