Are there any polymorphic macro viruses at all? (...and what to do with them)
Gabor Szappanos Virus Buster
This presentation will investigate how the currently known polymorphic macro viruses
fit into the usual terms used for binary polymorphic viruses and what special detection
procedures have been implemented and should be developed to fight them.
The first question to answer is whether there are any of them that can be qualified as
polymorphic. Most of them are very simple, variable-name changers, that would not be
polymorphic if VBA were a compiled language. There are several, more complicated, encrypted
viruses, some of them even with polymorphic encryptors.
We will investigate how different the replicated specimen of a particular virus are.
Obviously it is dependent on the representation (source code vs. opcode vs. execode),
but several code normalization techniques - most of which have been used in virus scanners
for several years - exist, that transform the code into more or less identical form.
However, these methods lose information that could be important especially in the case of
encrypted macro viruses.
There are even more complicated viruses where these simple procedures are not sufficient.
In these cases the development of advanced techniques is required, which include intelligent
code parsing and analysis, leading the AV products very close to actual macro code emulation.
del.icio.us 
digg this
This month's VB100 test saw some major changes and a radical overhaul of the VB100 test methodology - for the first time allowing products to use their 'cloud' look-up systems. John Hawes has all the details.