A metamorphic virus is a type of virus that can change the structure of its code in each iteration. These viruses are considered a major threat to the digital world. Compared with other kinds of viruses and malware, metamorphic viruses are said to be more advanced.
Now let’s discuss why metamorphic viruses are considered a major threat to the digital world and why they are considered more advanced than other virus types.
As mentioned before, metamorphic viruses are capable of changing their internal code structure in each iteration. The main problem this creates for defenders is that it lets the virus evade the pattern recognition of anti-virus software. Most anti-virus software uses malware signatures to detect viruses: the software stores a unique signature for each identified or known malware in its database, and that stored signature is matched against the signature computed for each scanned file. This is how a typical antivirus works. Signature-based virus scanners have a drawback: if even a small change is made to the virus code, the signature will be different. Metamorphic viruses exploit this drawback to avoid detection by signature-based scanners, and because they evade signature-based antivirus software, they are said to be more advanced than any other virus type.
How does a metamorphic virus work?
Virus writers wanted a virus that would not be detected by signature-based virus scanners, and the outcome was the metamorphic virus. The question is how a metamorphic virus changes its code structure. To change the code structure, metamorphic viruses use obfuscation techniques. One of the key features of a metamorphic virus is that, although the structure of the virus changes, its functionality remains the same.
Some of the most common obfuscation techniques used by virus writers are as below:
· Junk code insertion
· Register/Variable substitution
· Instruction replacement
· Instruction permutation
Junk code insertion: This is one of the most common obfuscation techniques available, and it can be done with little effort. It simply means adding junk instructions to the virus code. The junk instructions must be inserted in a way that does not affect the functionality of the metamorphic virus.
Instruction replacement: Instruction replacement replaces an instruction with another instruction that performs the same task. For any particular activity, task or function there are usually multiple ways to code it.
Instruction permutation: In instruction permutation, instructions are reordered. Instructions change their place in the code without affecting the functionality.
All metamorphic viruses follow a common procedure to do the required work, described by the anatomy of the metamorphic engine, or mutation engine. There are some essential components that every mutation engine should contain: a Disassembler, a Code Analyser, a Code Transformer and an Assembler. The Disassembler turns the virus code into a set of assembly instructions. The Code Analyser provides the information the Code Transformer needs to do its work, such as code variables, subroutines and process flow. Then comes the Code Transformer, considered the heart of the mutation engine. This is the component that does the actual work: it is where the virus code gets mutated using the obfuscation techniques. After the virus code has been changed, the Assembler converts the mutated code back into binary code.
How to detect a metamorphic virus
Given the advanced capabilities of metamorphic viruses, signature-based virus scanners have become useless against them. It is important to keep in mind that although metamorphic viruses are hard to detect, it is not impossible to detect them.
Ways to detect a metamorphic virus:
· Control Flow Graph
· API Call
· Hybrid Approach
Control Flow Graph: This is an old mechanism, and it can be used to detect viruses as well. As the name suggests, it is a flow graph that represents the flow of the code. As I mentioned before, one of the key features of a metamorphic virus is that although the structure of the code changes, the functionality remains the same, and this method relies on that key feature: the control flow graph of a metamorphic virus will not change from one generation to the next. One advantage of using a Control Flow Graph is that the CFG covers every possible path that program execution can follow.
API Call: This uses a graph as well, namely the Call Graph. A call graph is built for the executable code, so the method is a combination of API calls and the call graph. The API call graph is built from call sequences, and from this call graph a code graph is created. The code graph is then compared with the code graphs generated for other programs/files.
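The following Python script is an added example and not part of the original article; it ties together the signature drawback described earlier, the obfuscation techniques listed above, and the two graph-based detection methods just described. GEN_A and GEN_B are constructed listings in a toy assembly-like notation (not real malware): GEN_B was written by hand to mirror the obfuscations the article lists, with junk nop insertion, register substitution plus instruction replacement, and a permuted block reached through an extra jmp. The hash-based signature() differs between the two generations, while canonical_cfg(), which rebuilds the control flow graph and annotates each basic block with its API call sequence, produces the same result for both and a different one for an unrelated BENIGN listing. All function names, the notation and the sample programs are my own assumptions for illustration.

```python
import hashlib

# Constructed toy samples in a simplified assembly-like notation (not real malware).
# GEN_B is GEN_A after the obfuscations the article lists: junk "nop" insertion,
# register substitution with instruction replacement ("mov eax, 1" becomes
# "mov ebx, 1" + "xchg eax, ebx"), and permutation of the read/close block, which
# is now reached through an extra "jmp". The behaviour of both listings is the same.
GEN_A = """start:
    mov eax, 1
    call OpenFile
    cmp eax, 0
    jz fail
    call ReadFile
    call CloseFile
    jmp done
fail:
    call ShowError
done:
    ret"""
GEN_B = """start:
    nop
    mov ebx, 1
    xchg eax, ebx
    call OpenFile
    cmp eax, 0
    jz fail
    jmp body
fail:
    call ShowError
    jmp done
body:
    call ReadFile
    nop
    call CloseFile
done:
    ret"""
# An unrelated constructed program, to show the structural check is selective.
BENIGN = """start:
    call OpenFile
    call CloseFile
    ret"""
COND_JUMPS = {"jz", "jnz", "je", "jne"}

def signature(text):  # what a signature scanner keys on: the exact instruction bytes
    stream = "\n".join(ln.strip() for ln in text.splitlines() if ln.strip())
    return hashlib.sha256(stream.encode()).hexdigest()

def parse_blocks(text):  # split a listing into basic blocks with successor names
    blocks = [{"name": ".b0", "ins": []}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # a label names the current empty block or opens a new one
            if blocks[-1]["ins"]:
                blocks.append({"name": line[:-1], "ins": []})
            else:
                blocks[-1]["name"] = line[:-1]
            continue
        mnem, _, ops = line.partition(" ")
        blocks[-1]["ins"].append((mnem, ops.strip()))
        if mnem in COND_JUMPS or mnem in ("jmp", "ret"):  # a branch ends the block
            blocks.append({"name": ".b%d" % len(blocks), "ins": []})
    blocks = [b for b in blocks if b["ins"]]  # drop the empty trailing block
    for i, b in enumerate(blocks):
        mnem, ops = b["ins"][-1]
        nxt = [blocks[i + 1]["name"]] if i + 1 < len(blocks) else []
        if mnem == "jmp":
            b["succ"] = [ops]
        elif mnem in COND_JUMPS:
            b["succ"] = nxt + [ops]  # fall-through edge first, taken edge second
        else:
            b["succ"] = [] if mnem == "ret" else nxt
    return blocks

def canonical_cfg(text):  # CFG + per-block API call sequence, independent of block names
    by_name = {b["name"]: b for b in parse_blocks(text)}
    def resolve(name):  # skip jump-only trampoline blocks left behind by permutation
        while len(by_name[name]["ins"]) == 1 and by_name[name]["ins"][0][0] == "jmp":
            name = by_name[name]["ins"][0][1]
        return name
    ids, nodes = {}, []
    def visit(name):  # depth-first numbering gives every generation the same node ids
        name = resolve(name)
        if name in ids:
            return ids[name]
        ids[name] = node = len(ids)
        calls = tuple(ops for m, ops in by_name[name]["ins"] if m == "call")
        succ = tuple(visit(s) for s in by_name[name]["succ"])
        nodes.append((node, calls, succ))
        return node
    visit(next(iter(by_name)))  # the first block is the entry point
    return tuple(sorted(nodes))

def scan(sample, known_signatures, known_cfgs):  # (signature hit, structural hit)
    return signature(sample) in known_signatures, canonical_cfg(sample) in known_cfgs
```

Calling scan(GEN_B, {signature(GEN_A)}, {canonical_cfg(GEN_A)}) returns (False, True): the signature "database" built from the first generation misses the second, while the normalised control flow graph with its API call sequences still matches. The same scan of BENIGN returns (False, False). The normalisation is deliberately narrow (it ignores non-call instructions and collapses jump-only blocks), which is why a real implementation would need a more robust disassembler and a graph comparison that tolerates further reordering.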
Although mechanisms to detect metamorphic viruses have been introduced, most companies and organizations use signature-based virus scanners or typical antivirus software. Most organizations rely on these tools, which cannot detect advanced viruses like metamorphic viruses. Because of this, the metamorphic virus family has become one of the most challenging threats to the digital world. A metamorphic virus can cause severe damage to a system, and it can also infect multiple hosts without being detected. If the required controls are not in place, metamorphic viruses can become even more sophisticated and more harmful. Like other viruses, most metamorphic viruses reach systems via email attachments or through compromised websites. With well-defined security policies and by making users aware of these kinds of viruses, it is possible to protect systems from metamorphic viruses to a certain extent. In addition, commonly used controls like firewalls, remote access restrictions and email filtering can also help protect our systems from metamorphic viruses.
Written by Chamodi Hapuarachchi — 3rd Year 2nd Semester, Cyber Security Student, SLIIT