7.4. Oligomorphic Viruses
Virus writers quickly realized that detection of an encrypted virus remains simple for the antivirus software as long as the code of the decryptor itself is long enough and unique enough. To challenge the antivirus products further, they decided to implement techniques to create mutated decryptors.
Unlike encrypted viruses, oligomorphic viruses do change their decryptors in new generations. The simplest technique to change the decryptors is to use a set of decryptors instead of a single one. The first known virus to use this technique was Whale. Whale carried a few dozen different decryptors, and the virus picked one randomly.
W95/Memorial had the ability to build 96 different decryptor patterns. Thus the detection of the virus based on the decryptor's code was an impractical solution, though a possible one. Most products tried to deal with the virus by dynamic decryption of the encrypted code. The detection is still based on the constant code of the decrypted virus body.
Consider the example of Memorial shown in Listing 7.3, a particular instance of 96 different cases.
Listing 7.3. An Example Decryptor of the W95/Memorial Virus
mov ebp,00405000h ; select base mov ecx,0550h ; this many bytes lea esi,[ebp+0000002E] ; offset of "Start" add ecx,[ebp+00000029] ; plus this many bytes mov al,[ebp+0000002D] ; pick the first key Decrypt: nop ; junk nop ; junk xor [esi],al ; decrypt a byte inc esi ; next byte nop ; junk inc al ; slide the key dec ecx ; are there any more bytes to decrypt? jnz Decrypt ; until all bytes are decrypted jmp Start ; decryption done, execute body ; Data area Start: ; encrypted/decrypted virus body
Compare this example with another instance, shown in Listing 7.4.
Listing 7.4. A Slightly Different Decryptor of W95/Memorial
mov ecx,0550h ; this many bytes mov ebp,013BC000h ; select base lea esi,[ebp+0000002E] ; offset of "Start" add ecx,[ebp+00000029] ; plus this many bytes mov al,[ebp+0000002D] ; pick the first key Decrypt: nop ; junk nop ; junk xor [esi],al ; decrypt a byte inc esi ; next byte nop ; junk inc al ; slide the key loop Decrypt ; until all bytes are decrypted jmp Start ; Decryption done, execute body ; Data area Start: ; Encrypted/decrypted virus body
Notice the appearance of a "loop" instruction in this instance, as well as the swapped instructions in the front of the decryptor. A virus is said to be oligomorphic if it is capable of mutating its decryptor only slightly.
Interestingly, some products that we tested could not detect all instances of Memorial. This is because such viruses must be examined to their smallest details to find and understand the oligomorphic decryptor generator. Without such careful manual analysis, the slow oligomorphic virus techniques are impossible to detect with any reliability. For example, the decryptor of the Badboy virus15 changes in one instructionand only very rarely. Obviously, they are a great challenge for automated virus analysis centers.