Attackers disguise malicious content using a variety of techniques that range from the ultra-simple (yet effective) base64 encoding to the more advanced polymorphic and most advanced – metamorphic. Techniques like base64 encoding simply use a thin veil to hide from defensive technologies looking for tell-tale constants like common commands used in PowerShell or other scripts.
Polymorphic and metamorphic malware are both techniques to evade signature-based detection by sending the same core functionality in many copies but via a unique package of bytes each time.
What’s the difference between polymorphic and metamorphic? Here are some animal-based similes. When applied to malware, polymorphism reminds of an octopus or chameleon changing its outward appearance; while both remain the same animal on the inside. On the other hand, think about a caterpillar’s metamorphosis into a butterfly. The caterpillar basically dissolves into fundamental biologic components and then reassembles into a different animal.
Polymorphic has different meanings according to the context. Ironically, within software coding the word has 2 meanings that are kind of the opposite. Within legitimate, traditional coding, polymorphism means that different classes of objects may share the same interface but have completely different internal implementations. So, you can tell any object with the IUpdate interface to .update() itself and one object may do that by storing its value in the registry while another updates its row in a database. So different classes may have the same external appearance but very different internals.
But in the context of malware, polymorphism is almost the opposite. Each copy of a polymorphic malware looks different but they all do the same thing. Polymorphism in malware is usually implemented via encryption. The bulk, core functionality of the malware is encrypted while in transit. And a different encryption key is used with each copy. In this case the encryption is not used for secrecy but to simply give the contents a different “appearance” in terms of its bytes. A small decryption routine, usually with the key embedded, decrypts the content once deployed on a new system. If the malware replicates and spreads it reencrypts itself with a new key. Thus, each copy looks different. Polymorphic malware has its limitations though since it looks the same once it’s decrypted so memory scanning can have some success against it – especially block-based scanning.
Metamorphic malware is much more sophisticated. In this case, for each copy, the core logic is completely re-coded. So, each copy of the malware accomplishes the same nefarious tasks drawn by the attacker, but the actual code is very different – basically along the lines of “multiple ways to skin the cat”. Fortunately for the malicious coder, they do not necessarily have to write the code in such a way it can re-code itself, which would be a gargantuan task and prone to bugs without any way to test each copy. Instead, they write the malware and compile it as normal and then pass it through a morphing engine which not only re-writes their code but can also embed the morphing engine so that when the malware replicates it produces a unique re-morphed copy.
In this real training for free event, we will dive into polymorphic and metamorphic malware in depth and look at real world examples. Some of the things you learn is how a morphing engine comprises:
- Disassembler
- Code analyzer
- Transformer
- Assembler
And some of the techniques used by the transformer incorporate:
- Instruction substitution
- Register swapping
- Garbage code insertion
- Code reordering
- Structure resequencing
- Control flow obfuscation
Our sponsor for this session is KnowBe4. Their team has done a lot of research on morphic malware.
They will briefly show you a demonstration of how Cloud Email Security can help identify and guard against data breaches due to malicious email attacks.
Please join us for this real training for free session.