Friday, August 10, 2007

what is metamorphism?

metamorphism can be thought of as a kind of polymorphism that doesn't use decryptors... in fact many of the techniques that polymorphic viruses used to vary their decryptors metamorphic viruses have used to vary their entire bodies...

metamorphism, like polymorphism, was a type of camouflage that was meant to fool anti-virus technology of the day... one of the successful solutions to polymorphism was to use a polymorphic virus' decryptor against it generically... by allowing it to run in an emulated environment so that the decryptor would reverse the obfuscation that had been performed on the main body of the virus, the de-obfuscated static virus body could then easily be matched against signatures...

rather than encrypt the virus' body and decrypt it when needed as a conventional polymorphic virus would, a metamorphic virus would vary it's entire body the way a polymorphic virus varied it's decryptor... since the transformation function used didn't need to be reversed in order for the code to run (otherwise decryptors in polymorphic viruses would have needed additional decryptors of their own), this meant that the virus' main body was generally never returned to an untransformed state during the normal operation of the virus and so would foil the previously mentioned tactic used against conventional polymorphism...

that said, the metamorphic engine (like the polymorphic engine) still must reside within the virus (in order for copies to have a different form the code doing the copying must have access to the transformation function) and that in itself was a weakness as it gave anti-virus vendors knowledge of the transformation function and therefore the ability to know (or at least derive) all forms a metamorphic virus could take...

back to index

2 comments:

Vess said...

The term "metamorphism" was introduced by Peter Szor, I think. Before that, we used the more awkward term "body-polymorphic".

kurt wismer said...

i do recall body polymorphism from somewhere... thanks for the note on the origin of the term - i considered myself lucky to remember where polymorphism came from, i don't think i ever heard where metamorphism came from...