Metamorphic code

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Metamorphic code is code that when run outputs a logical equivalent version of its own code under some interpretation. This is similar to a quine, except that the quine's source code is exactly equivalent to its own output. Metamorphic code also usually output machine code and not its own source code.

This is used by computer viruses to avoid the pattern recognition of anti-virus software. Metamorphic viruses often translate their own binary code into a temporary representation, editing the temporary representation of themselves and then translate the edited form back to machine code again.[1] This procedure is done with the virus itself, and thus also the metamorphic engine itself undergoes changes, which means that no part of the virus stays the same. This differs from polymorphic code, where the polymorphic engine can not rewrite its own code.

Metamorphic code is used by some viruses when they are about to infect new files, and the result is that the next generation will never look like current generation. The mutated code will do exactly the same thing (under the interpretation used), but the children's binary representation will typically be completely different from the parent's. Mutation can be achieved using techniques like inserting NOP instructions (brute force), changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

Metamorphism does not protect a virus against heuristic analysis.

Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures. Often, the virus does this by carrying several viruses within itself. The beginning of the virus is then coded so that it translates to correct machine-code for all of the platforms that it is supposed to execute in.[2] This is used primarily in remote exploit injection code where the target platform is unknown.

Metamorphic viruses[edit]

See also[edit]

References[edit]

External links[edit]

  • [3] Hunting for Metamorphic