Polymorphic engine

From Wikipedia, the free encyclopedia

A polymorphic engine (sometimes called mutation engine or mutating engine) is a computer program that can be used to transform a program into a subsequent version that consists of different code yet operates with the same functionality. For example, 3+1 and 6-2 both achieve the same result, yet use completely different code.

Polymorphic engines typically work either by encrypting code or obfuscating code, the latter of which may not involve any encryption at all.

Polymorphic engines are used almost exclusively by computer viruses, shellcodes and other malware. Their main purpose is to make it hard for virus scanners and other security software to detect and identify the body of the malware: because every generated variant has a different byte pattern, a traditional "fixed signature" cannot usually match it.
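The following is an added illustration, not part of the Wikipedia article, of why a fixed signature fails against semantically equivalent code and how normalising code before matching recovers the detection. It uses the article's own "3+1" versus "6-2" example with constructed sample inputs: the "programs" are arithmetic expressions stored as text, the fixed signature is a literal substring, and the normaliser is a small constant-folder over `+`, `-` and `*` (all names here are the example's own).

```python
"""Fixed-signature matching versus normalised matching (added example).

The 'programs' are the article's arithmetic example written as text; the
scanner's signature was written against the original form "3+1".
"""
import ast
import operator

# Constructed sample: the signature a scanner was written against ...
FIXED_SIGNATURE = "3+1"
# ... and variants that compute the same value with different text.
VARIANTS = ["3+1", "6-2", "2*2", "(10-6)*1"]

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def fold_constants(node: ast.AST) -> int:
    """Constant-fold an expression tree made of integer literals and + - *."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](fold_constants(node.left),
                                   fold_constants(node.right))
    raise ValueError(f"unsupported expression: {ast.dump(node)}")


def normalise(code: str) -> str:
    """Canonical form of an expression: its folded value rendered as text."""
    tree = ast.parse(code, mode="eval")
    return str(fold_constants(tree.body))


def signature_matches(code: str, signature: str = FIXED_SIGNATURE) -> bool:
    """Traditional fixed-signature check: literal substring match."""
    return signature in code


def normalised_matches(code: str, signature: str = FIXED_SIGNATURE) -> bool:
    """Same signature, applied after both sides are reduced to canonical form."""
    return normalise(code) == normalise(signature)


def scan(variants=VARIANTS) -> dict:
    """Map each variant to (fixed-signature hit, normalised hit)."""
    return {v: (signature_matches(v), normalised_matches(v)) for v in variants}


if __name__ == "__main__":
    for code, (fixed, norm) in scan().items():
        print(f"{code:10} fixed-signature={str(fixed):5} normalised={norm}")
```

Only the original text matches the fixed signature; every rewritten variant is missed until the scanner normalises the code first, which is the same reason real scanners decrypt or emulate a polymorphic sample before matching.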

The first polymorphic engine was called MtE (short for Mutation Engine). It was written in 1992 by a virus author who called himself 'Dark Avenger'. A disassembly of it has since been published,[1] which shows how the variety of possible encryption routines is implemented.

Most polymorphic engines are written in low-level assembly code, like the SPE32 (short for Simple Polymorphic Engine 32bit) engine,[2] but tutorials also exist on writing a polymorphic engine in a high-level language such as C++.[3]

A polymorphic packer is a type of polymorphic engine. It is a software tool that rolls up several kinds of malware into a single package, such as an e-mail attachment, and has the ability to make the package's "signature" mutate over time, so that it is more difficult to detect and remove.
