Warning: this document is still a draft.

DRAFT - Malware typology

Introduction: Why Do Polymorphic and Metamorphic Malware Exist?

In the beginning, some hacker created malware to “attack” computers.

Malware can be disseminated to other computers through different techniques (email attachments or other channels).

The first approach to detect whether a program is malware or not is a blacklist:

The blacklist is a list of program hashes. You get a file, you hash it, and you check whether the hash belongs to the blacklist. If the hash is in the list, you are 100% confident it is malware, and you delete the file.

END OF THE STORY

Polymorphic Malware and Mutation

Nevertheless, the hacker wants to circumvent the filter. One property of a cryptographic hash is that if a single bit of the program is modified, the hash is totally different. This is where polymorphic malware comes in.

Polymorphic malware is malware that can transform itself into an equivalent malware thanks to encryption. The malware code is in two parts:

  • a visible part with a key and a decoder
  • an encrypted part that can be decoded thanks to the key and the decoder.

When the malware replicates, it decrypts the encrypted part, generates a new key, and encrypts the decoded part again with it. Thanks to that, the hashes of the malware's children are different from the parent's hash.

Detection is less easy in this case. Nevertheless, the decoder is the same for all variants, and we can detect that one part of the file is encrypted (it looks like random data). Therefore, we can still detect it.
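The following toy model, written for this post and not taken from any real sample, puts the two previous sections side by side: a hash blacklist, a "polymorphic" layout (constant decoder stub + key + XOR-scrambled body, all constructed for the example; the payload is a harmless text string), and the two detector ideas from the paragraph above. Every generation gets a different SHA-256, so the blacklist misses the children, but a signature on the constant decoder stub plus a Shannon-entropy check on the scrambled body catches all of them. The names DECODER_STUB, KEY_LEN, PAYLOAD and the helper functions are assumptions of this example.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed constants for the model (not real malware artifacts).
DECODER_STUB = b"DECODER-STUB-v1:"          # the "visible part": identical in every variant
KEY_LEN = 8                                  # the per-variant key that follows the stub
PAYLOAD = b"print('hello from the toy payload')\n" * 4   # stands in for the encrypted part


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes, key: bytes) -> bytes:
    """Lay out one variant: stub + key + scrambled payload."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be KEY_LEN bytes")
    return DECODER_STUB + key + xor_bytes(payload, key)


def decode(sample: bytes) -> bytes:
    """Do what the decoder stub would do: read the key and unscramble the body."""
    if not sample.startswith(DECODER_STUB):
        raise ValueError("not a sample produced by this model")
    key = sample[len(DECODER_STUB):len(DECODER_STUB) + KEY_LEN]
    body = sample[len(DECODER_STUB) + KEY_LEN:]
    return xor_bytes(body, key)


def replicate(sample: bytes, new_key: Optional[bytes] = None) -> bytes:
    """Model replication: decode, pick a fresh key, re-scramble. Same behaviour, new bytes."""
    if new_key is None:
        new_key = os.urandom(KEY_LEN)
    return make_variant(decode(sample), new_key)


# ---- detector side ---------------------------------------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blacklisted(sample: bytes, blacklist: Set[str]) -> bool:
    """First-generation detection: exact hash match against a blacklist."""
    return sha256_hex(sample) in blacklist


def stub_signature_hit(sample: bytes) -> bool:
    """Second-generation detection: match the constant decoder stub."""
    return DECODER_STUB in sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means the bytes look random (encrypted/compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect(sample: bytes, blacklist: Set[str]) -> Dict[str, object]:
    """Run all three checks on one sample and report the results."""
    body = sample[len(DECODER_STUB) + KEY_LEN:] if stub_signature_hit(sample) else sample
    return {
        "sha256": sha256_hex(sample),
        "hash_blacklisted": hash_blacklisted(sample, blacklist),
        "stub_signature": stub_signature_hit(sample),
        "body_entropy": round(shannon_entropy(body), 2),
    }


def demo(generations: int = 3) -> List[Dict[str, object]]:
    """Blacklist only the parent, then replicate it and inspect every generation."""
    parent = make_variant(PAYLOAD, bytes(range(KEY_LEN)))   # fixed constructed key
    blacklist = {sha256_hex(parent)}
    samples = [parent]
    for _ in range(generations):
        samples.append(replicate(samples[-1]))
    return [inspect(s, blacklist) for s in samples]


if __name__ == "__main__":
    for generation, report in enumerate(demo()):
        print(generation, report)
```

Only the parent is caught by the hash blacklist; every child still decodes to the same PAYLOAD, still carries the same DECODER_STUB, and its body entropy is well above that of plain text, which is exactly the pair of signals the paragraph above relies on.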

END OF THE STORY

Metamorphic Malware

These are the complex ones. They rely on code rewriting to produce an equivalent program. Different techniques are available:

  • Change function/variable naming
  • Change function order
  • Add dummy functions / Dead code insertion

This makes the comparison between the parent malware and a child difficult, as they do not have the same size and do not correspond byte for byte.

Here, the analysis can be done in a sandbox: you execute the code in a limited environment and observe how it behaves. The problem is that it is difficult to create a limited environment which mimics a typical host; otherwise, the malware activity will not show up. Next, the analysis takes time, so this can only be done by specialists and not on an individual computer.

Quoted from https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware/ :

“Code Obfuscation – By using encryption, compression, or other obfuscation methods, polymorphic malware can conceal its true nature from security software.
Dynamic Encryption Keys – Polymorphic malware can use different encryption keys for each new instance, making it challenging for signature-based detection tools to identify the malware based on a fixed pattern.
Variable Code Structure – By changing its code structure, polymorphic malware can confuse security tools that rely on static signatures for detection.
Behavioral Adaptation – Polymorphic malware can alter its behavior or execution patterns to blend in with normal system processes, making it harder for behavioral-based detection methods to identify the threat.”

Subroutine Permutation – Register Swapping – Instruction Substitution

  • Dead-code insertion, which randomly injects dead code throughout a program.
  • Subroutine reordering, in which the order of the code's subroutines is changed in a randomized way so that it is harder for antivirus programs to detect it.
  • Register reassignment, which changes the registers used while retaining the program code and behavior.
  • Instruction substitution, which changes code by replacing some instructions with equivalent ones.
  • Code transposition, in which routines and branches in the code are reordered without having a visible effect on its behavior.
  • Code integration, in which the malware integrates itself into the target program and produces a new version of the target program.
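To show why byte-level comparison fails against these rewrites and what an analyst can do instead, here is an added example (written for this post, not from any real tool) on a constructed toy assembly dialect. PROGRAM_B is PROGRAM_A after register reassignment, dead-code insertion, instruction substitution and subroutine reordering. The normalizer undoes each of those transformations (drops no-op instructions, rewrites `xor r, r` to `mov r, 0`, renames registers by order of first use inside each routine, sorts routines by label) so that the two variants get the same fingerprint even though their raw hashes differ. The dialect, the register pattern `r<n>`, the no-op list and the function names are all assumptions of this example; label names are kept as-is, so renamed functions would need an extra canonicalization step.

```python
import hashlib
import re
from typing import Dict, List

# Constructed toy programs. B is A after metamorphic rewrites:
#   r1->r7, r2->r3 (register reassignment), nop / "add x, 0" (dead code),
#   "mov r1, 0" -> "xor r7, r7" (instruction substitution), routines swapped.
PROGRAM_A = """
main:
    mov r1, 0
    mov r2, 10
    call helper
    ret
helper:
    add r1, r2
    cmp r1, 20
    ret
"""

PROGRAM_B = """
helper:
    nop
    add r7, r3
    add r7, 0
    cmp r7, 20
    nop
    ret
main:
    xor r7, r7
    nop
    mov r3, 10
    call helper
    ret
"""

REG = re.compile(r"\br\d+\b")                      # registers look like r1, r7, ...
DEAD_CODE = [                                      # instructions with no effect
    re.compile(r"^nop$"),
    re.compile(r"^add r\d+, 0$"),
    re.compile(r"^sub r\d+, 0$"),
]


def split_routines(program: str) -> Dict[str, List[str]]:
    """Group instruction lines under their label (lines ending with ':')."""
    routines: Dict[str, List[str]] = {}
    current = None
    for raw in program.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            routines[current] = []
        elif current is not None:
            routines[current].append(line)
    return routines


def substitute(instr: str) -> str:
    """Map known equivalent forms onto one canonical spelling."""
    m = re.match(r"^xor (r\d+), (r\d+)$", instr)
    if m and m.group(1) == m.group(2):
        return f"mov {m.group(1)}, 0"
    return instr


def is_dead(instr: str) -> bool:
    return any(p.match(instr) for p in DEAD_CODE)


def normalize_routine(body: List[str]) -> List[str]:
    """Canonical instruction list: substitutions applied, dead code removed,
    registers renamed v0, v1, ... in order of first appearance."""
    mapping: Dict[str, str] = {}

    def canon(m: re.Match) -> str:
        reg = m.group(0)
        if reg not in mapping:
            mapping[reg] = f"v{len(mapping)}"
        return mapping[reg]

    out = []
    for instr in body:
        instr = substitute(instr)
        if is_dead(instr):
            continue
        out.append(REG.sub(canon, instr))
    return out


def normalize_program(program: str) -> str:
    """Routines sorted by label so reordering has no effect on the result."""
    parts = sorted((name, normalize_routine(body))
                   for name, body in split_routines(program).items())
    return "\n".join(f"{name}:\n" + "\n".join("    " + i for i in body)
                     for name, body in parts)


def fingerprint(program: str) -> str:
    """Hash of the normalized form instead of the raw bytes."""
    return hashlib.sha256(normalize_program(program).encode()).hexdigest()


def similarity(a: str, b: str) -> float:
    """Jaccard similarity over the sets of canonical instructions (partial matches)."""
    sa = {i for body in split_routines(a).values() for i in normalize_routine(body)}
    sb = {i for body in split_routines(b).values() for i in normalize_routine(body)}
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


if __name__ == "__main__":
    print("raw hashes equal:", hashlib.sha256(PROGRAM_A.encode()).hexdigest()
          == hashlib.sha256(PROGRAM_B.encode()).hexdigest())
    print("fingerprints equal:", fingerprint(PROGRAM_A) == fingerprint(PROGRAM_B))
    print("similarity:", similarity(PROGRAM_A, PROGRAM_B))
```

The raw SHA-256 of the two texts differs, the normalized fingerprint is identical, and the similarity score degrades gracefully when a child really does gain new instructions, which is the behaviour a static classifier needs in place of exact hash matching.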

Polymorphic vs Metamorphic

  • First generation: the malware does not evolve => single signature / hash
  • Second generation: Polymorphic => constant part + variable part. One part is encrypted.
  • Third generation: Metamorphic. When the malware replicates, code pieces are rearranged and “non-coding” parts are inserted here and there to confuse recognition models.


>> You can subscribe to my mailing list here for a monthly update. <<