Defeating polymorphism: beyond emulation
Adrian E. Stepan, Microsoft
The most widely used method of detecting malware relies on signatures extracted from the malware body. To defeat this method and evade detection, malware writers have resorted to code obfuscation techniques, creating polymorphic viruses.
There are several well-known methods of decrypting polymorphic viruses, such as emulation, cryptanalysis (X-Ray) and dedicated decryption routines. Each of these methods has limitations: X-Ray can only handle simple decryptions, dedicated routines require significant development effort, and neither scales well with the number of detected viruses. Emulation doesn't have these weaknesses, but emulated code runs significantly slower than code executed on a real CPU, so a very complex polymorphic virus would take an unreasonably long time to emulate until it is decrypted.
This paper proposes a new method of dealing with polymorphic malware. The method relies on dynamically disassembling the analysed code and performing just-in-time compilation targeted at the host CPU. The resulting code can be safely executed on the host CPU with little degradation in execution speed compared to the original code. This provides the same flexibility as emulation, but with dramatically better speed. Additionally, the method could be used for other purposes, such as generic unpacking of packed executables and behaviour-based analysis of complex code.
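As an added illustration of the emulation-versus-translation trade-off described above (not the paper's code, and a Python stand-in for the host-CPU machine code a real implementation would emit): a toy decryptor loop in a made-up instruction set is decrypted once by an instruction-by-instruction emulator and once by a translator that disassembles it into basic blocks and compiles each block a single time into a host function, so the loop body is decoded once rather than on every iteration. The instruction set, the key and the encrypted body are constructed for this example.

```python
# Added toy model (not the paper's code): a decryptor loop in a made-up ISA, run
# by an emulator and by a translator that compiles basic blocks to host code.
KEY, PLAIN = 0x5A, b"hello, world"            # constructed sample key and body
BODY = bytes(b ^ KEY for b in PLAIN)          # "encrypted" body as it sits in memory
DECRYPTOR = [                                 # toy ISA: registers r0/r1, byte memory
    ("movi", "r0", 0),                        # r0 = pointer to start of body
    ("ldb", "r1", "r0"),                      # r1 = mem[r0]
    ("xori", "r1", KEY),                      # r1 ^= key
    ("stb", "r0", "r1"),                      # mem[r0] = r1
    ("addi", "r0", 1),                        # r0 += 1
    ("jlt", "r0", len(BODY), 1),              # if r0 < len(BODY): goto 1
    ("halt",),
]
HOST = {"movi": "r['{0}'] = {1}", "ldb": "r['{0}'] = mem[r['{1}']]", "xori": "r['{0}'] ^= {1}",
        "stb": "mem[r['{0}']] = r['{1}']", "addi": "r['{0}'] += {1}"}  # host statement per toy op

def emulate(code, mem):  # emulation: decode and dispatch every instruction each time it executes
    r, pc, steps = {"r0": 0, "r1": 0}, 0, 0
    while True:
        ins, op, steps = code[pc], code[pc][0], steps + 1
        if op == "halt": return steps         # dispatches spent until the body is decrypted
        if op == "movi": r[ins[1]] = ins[2]
        elif op == "ldb": r[ins[1]] = mem[r[ins[2]]]
        elif op == "xori": r[ins[1]] ^= ins[2]
        elif op == "stb": mem[r[ins[1]]] = r[ins[2]]
        elif op == "addi": r[ins[1]] += ins[2]
        pc = ins[3] if op == "jlt" and r[ins[1]] < ins[2] else pc + 1

def translate(code):  # disassemble into basic blocks, compile each block ONCE to a host function
    leaders = {0} | {t for pc, i in enumerate(code) if i[0] == "jlt" for t in (i[3], pc + 1)}
    blocks = {}
    for start in sorted(leaders):
        body, pc = [], start
        while True:                           # straight-line code up to a branch or next leader
            ins = code[pc]
            if ins[0] == "halt": body.append("return -1"); break
            if ins[0] == "jlt": body.append(f"return {ins[3]} if r['{ins[1]}'] < {ins[2]} else {pc + 1}"); break
            body.append(HOST[ins[0]].format(*ins[1:])); pc += 1
            if pc in leaders: body.append(f"return {pc}"); break
        ns = {}; exec("def blk(r, mem):\n" + "".join(f"    {s}\n" for s in body), ns)
        blocks[start] = ns["blk"]             # cached compiled block, reused on every loop iteration
    return blocks
def run_translated(blocks, mem):  # each call runs a whole block as host code; returns block calls
    r, pc, calls = {"r0": 0, "r1": 0}, 0, 0
    while pc >= 0: pc, calls = blocks[pc](r, mem), calls + 1
    return calls
def compare():  # -> (emulator dispatches, block calls, plaintext via emulator, plaintext via JIT)
    m1, m2 = bytearray(BODY), bytearray(BODY)
    return emulate(DECRYPTOR, m1), run_translated(translate(DECRYPTOR), m2), bytes(m1), bytes(m2)
```

Both paths recover the same plaintext, but the emulator decodes 62 instructions while the translated version makes 14 block calls, each running already-compiled code; the gap grows with the number of loop iterations.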