Polymorphic viruses escape detection but get our attention
Last week, we faced the implications of the next-generation
ultrastealth viruses that are now reproducing themselves among us.
Because a few of these viruses have already been found to be
employing this new scanner-beating self-modifying technology and
because their is nothing particularly difficult about writing such
a polymorphic virus, I feel there is more good than harm in a
public discussion of this nasty new breed.
(I know that many readers are wondering what happened to my
promised solution to the spread of these viruses; it will come next
week after I illustrate the danger of these new germs.)
viruses can be detested by recognizing either their dynamic
actions or their static presence. Dynamic-action recognition
provides the potential benefit of stopping unknown viruses.
Nevertheless, today's smarter viruses can circumvent such
interception easily. If the virus wishes to have a higher level of
software access to the system, several techniques are known for
getting underneath DOS and BIOS interception, so resident blockers
are all but useless.
Static-presence recognition scans the entire system for the
"fingerprints" of known viruses. Today's deliberately elusive
polymorphic viruses can evade this detection entirely.
The simple idea behind the polymorphic virus is that the bulk of
the virus can be scrambled by a random number. Every IBM-compatible
PC has a counter/timer chip that can be used as the source for a
completely nondeterministic 16-bit random number. When the virus
clones itself into a new environment, it can use the instantaneous
value of the counter/timer as a scrambling starting point. By
algorithmically altering every byte of itself based upon this
initial number, the newly propagated virus will be immune to
fingerprint detection.
There's one flaw in this approach: The small kernel of code used
to unscramble the body of the virus must be left in an unscrambled
state so the computer can execute it and unscramble the balance of
the virus. This means the unscrambling portion could still be
fingerprinted and identified.
This problem could be easily solved: By deliberately interlacing
irrelevant "do nothing" instructions among those that perform the
unscrambling work, every stored instance of the unscrambling kernel
could be completely different from all the others. As the virus
copies itself to a new destination, it randomly draws from a
repertory of superfluous instructions, peppering them liberally
throughout the new copy of itself.
As you can see, these techniques can be teamed up with activity
interception avoidance to create a new breed of viruses that would
be virtually impossible to detect.
It is quite annoying that we must expend our resources in the
prevention of this software terrorism. But there may be some value
in experiencing this terrorism now. Most viruses have been the work
of amateurs and are far from devastating.
Being told on Friday the 13th that your computer is "stoned" is
annoying as hell, and having to type "Happy Birthday to Joshi"
early in January makes you wonder who's in charge. But it sure
beats being informed that your company's customer list and the
archived source code for your next unreleased product have just
been transmitted by modem to your competition. When your network's
database and modem servers receive remote procedure calls (RPCs)
from remote workstations, are you sure they should answer that
call?
We need to begin tightening up our systems and taking security
very seriously. Personal computing is not just a diversion from the
tedium of sharpening pencils; it is a serious endeavor that is
extremely prone to organized and deliberate attack. If a bored,
pimply faced highschool kid is capable of penetrating your
corporation's security with his annoying but benign virus, you had
better hope he never wants to hurt you.
Steve Gibson is the developer and publisher of SpinRite and
president of Gibson Research Corp., based in Irvine California.
From April 20,1992 issue of InfoWorld\