7.4. Oligomorphic Viruses

Virus writers quickly realized that detection of an encrypted virus remains simple for the antivirus software as long as the code of the decryptor itself is long enough and unique enough. To challenge the antivirus products further, they decided to implement techniques to create mutated decryptors.

Unlike encrypted viruses, oligomorphic viruses do change their decryptors in new generations. The simplest technique to change the decryptors is to use a set of decryptors instead of a single one. The first known virus to use this technique was Whale. Whale carried a few dozen different decryptors, and the virus picked one randomly.

W95/Memorial had the ability to build 96 different decryptor patterns. Thus the detection of the virus based on the decryptor's code was an impractical solution, though a possible one. Most products tried to deal with the virus by dynamic decryption of the encrypted code. The detection is still based on the constant code of the decrypted virus body.

Consider the example of Memorial shown in Listing 7.3, a particular instance of 96 different cases.

Listing 7.3. An Example Decryptor of the W95/Memorial Virus
mov     ebp,00405000h       ; select base
mov     ecx,0550h           ; this many bytes
lea     esi,[ebp+0000002E]  ; offset of "Start"
add     ecx,[ebp+00000029]  ; plus this many bytes
mov     al,[ebp+0000002D]   ; pick the first key

Decrypt:
nop                  ; junk
nop                  ; junk
xor     [esi],al     ; decrypt a byte
inc     esi          ; next byte
nop                  ; junk
inc     al           ; slide the key
dec     ecx          ; are there any more bytes to decrypt?
jnz     Decrypt      ; until all bytes are decrypted
jmp     Start        ; decryption done, execute body

; Data area

Start:
;     encrypted/decrypted virus body

Notice the sliding-key feature. The order of the instructions can be slightly changed, and the decryptor can use different instructions for looping.

Compare this example with another instance, shown in Listing 7.4.

Listing 7.4. A Slightly Different Decryptor of W95/Memorial
mov     ecx,0550h           ; this many bytes
mov     ebp,013BC000h       ; select base
lea     esi,[ebp+0000002E]  ; offset of "Start"
add     ecx,[ebp+00000029]  ; plus this many bytes
mov     al,[ebp+0000002D]   ; pick the first key

Decrypt:
nop                         ; junk
nop                         ; junk
xor     [esi],al            ; decrypt a byte
inc     esi                 ; next byte
nop                         ; junk
inc     al                  ; slide the key
loop    Decrypt             ; until all bytes are decrypted
jmp     Start               ; Decryption done, execute body

; Data area

Start:
;     Encrypted/decrypted virus body

Notice the appearance of a "loop" instruction in this instance, as well as the swapped instructions at the front of the decryptor. A virus is said to be oligomorphic if it is capable of mutating its decryptor only slightly.
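The sliding-key loop shared by Listings 7.3 and 7.4, and the dynamic-decryption approach the text describes for detecting the constant body underneath it, can be emulated as below. This is an added example, not code from the book or from the virus: the body bytes, the signature and the first key are constructed sample values, and the real Memorial layout is not reproduced.

```python
# Added example (not from the book): emulate the sliding-key XOR loop of
# Listings 7.3/7.4 on a constructed buffer, then detect the constant body.
# Body bytes, signature and key are all constructed sample values.

def slide_xor(data: bytes, key: int) -> bytes:
    """Emulate the Decrypt loop: xor [esi],al / inc esi / inc al / dec ecx.
    XOR is its own inverse, so the same routine encrypts and decrypts."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + 1) & 0xFF        # 'inc al' is 8-bit: the key wraps at 0xFF
    return bytes(out)

# Constant code a scanner matches on the *decrypted* body, as the text describes.
SIGNATURE = b"CONSTRUCTED-BODY-MARKER"

def matches_after_decrypt(encrypted: bytes, first_key: int) -> bool:
    """Dynamic decryption: run the emulated loop with the key the decryptor
    would load ('mov al,[ebp+2D]'), then match the constant body."""
    return SIGNATURE in slide_xor(encrypted, first_key)

def recover_first_key(encrypted: bytes):
    """If the key byte's location is unknown (a differently mutated decryptor),
    only 256 initial keys exist: try each and return the one exposing the body."""
    for k in range(256):
        if SIGNATURE in slide_xor(encrypted, k):
            return k
    return None

# Constructed sample: a fake body encrypted with first key 0x41. Neither
# decryptor instance (Listing 7.3 vs 7.4) changes this arithmetic; only the
# bytes of the loop itself differ, which is why body-based detection still works.
PLAIN_BODY = b"\x55\x8b\xec" + SIGNATURE + b"\xc3"
ENCRYPTED_BODY = slide_xor(PLAIN_BODY, 0x41)

if __name__ == "__main__":
    print(matches_after_decrypt(ENCRYPTED_BODY, 0x41))   # True
    print(matches_after_decrypt(ENCRYPTED_BODY, 0x42))   # False
    print(recover_first_key(ENCRYPTED_BODY))             # 65 (0x41)
```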

Interestingly, some products that we tested could not detect all instances of Memorial. This is because such viruses must be examined to their smallest details to find and understand the oligomorphic decryptor generator. Without such careful manual analysis, the slow oligomorphic virus techniques are impossible to detect with any reliability. For example, the decryptor of the Badboy virus[15] changes in one instruction, and only very rarely. Obviously, such viruses are a great challenge for automated virus analysis centers.

Another early example of an oligomorphic virus is the Russian virus family called WordSwap.