Polymorphic computer programs are computer programs whose object code varies between instances of the program. For example, polymorphic viruses are computer viruses whose object code varies between instances of the virus. Polymorphic viruses or computer programs may also be referred to as metamorphic or permuting. Several permutation methods are well known, and some polymorphs, for example Win95/Bistro, may combine several types of permutation. Alternatively, some polymorphic replicators may be encrypted and decrypted using varying keys, so that the object code of the virus differs from instance to instance until it is decrypted.
Polymorphs such as Zperm may create varying copies of their own opcodes that perform the same tasks as the original opcodes. Other polymorphs, such as Lexotan and W95/Puron, may execute the same opcodes in the same order but insert filler (or garbage) instructions and/or jumps between the executed instructions. Other computer viruses may reorder their own subroutines (e.g., the Win32/Ghost virus), and/or recompile themselves into a polymorphic form with inserted filler (or junk) code on an infected machine that has a compiler (e.g., Win32/Apparition).
Existing flow-graph-based commercial polymorph detectors may use, for example, reverse engineering and/or flow graphs including lines of assembly code. In one example, control flow graphs for functions may be mapped while ignoring instruction reordering and changes in register functions. A computer program may be reverse engineered and organized into a function call graph, with each function internally represented as a control flow graph.
In another example, a control flow graph whose nodes are lines of assembly code may be created. In this example, matching may be automated, including, for example, recognition of opcodes that perform the same operation under a different name. However, in this example, a human must still recognize shuffled opcodes within the remaining unmatched code.
In yet another example, polymorphs may be detected using both static and dynamic analysis. For example, a virtual computer may be created within a computer system for executing potentially infected files. A static analysis may use a byte sequence signature string analysis with wildcards at the positions where the opcodes vary. Byte sequence signature strings may be referred to as behavior signatures. A dynamic analysis may run the object code within an emulator (virtual computer) and track the system requests (i.e., interrupt calls) it makes.
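As an added illustration of the static wildcard-signature analysis just described (this is example code, not from the original document), the following Python matcher compiles a hex signature with "??" wildcards into a bytes regex and scans constructed buffers. The signature, the instance bytes and the name "demo-polymorph" are all constructed for the example and are not real malware signatures.

```python
import re
from typing import Dict, List, Tuple

def compile_signature(sig: str) -> "re.Pattern":
    """Turn a hex signature such as "55 8B EC ?? ?? ?? ?? 83 EC 10" into a
    bytes regex. Fixed tokens must match exactly; each "??" matches exactly one
    arbitrary byte, i.e. a position where the polymorph is expected to vary
    (a substituted opcode, a changed decryption key, an immediate operand)."""
    parts: List[bytes] = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            parts.append(b"\\x%02x" % int(tok, 16))   # literal byte escape
        else:
            raise ValueError(f"bad signature token {tok!r}")
    # DOTALL so that "??" also matches 0x0A; without it a newline byte in the
    # varying region would silently break the match.
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, signatures: Dict[str, str]) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature hit in buf."""
    hits: List[Tuple[str, int]] = []
    for name, sig in signatures.items():
        for m in compile_signature(sig).finditer(buf):
            hits.append((name, m.start()))
    return hits

# Constructed signature: fixed x86 prologue (push ebp / mov ebp,esp), four
# bytes that the hypothetical polymorph changes per instance, then a fixed
# stack-frame setup (sub esp,0x10). Not a real malware signature.
SIGNATURES = {"demo-polymorph": "55 8B EC ?? ?? ?? ?? 83 EC 10"}

# Two constructed instances of the same hypothetical stub: identical except for
# the four varying bytes, and preceded by different amounts of padding.
INSTANCE_A = b"\x00" * 3 + bytes.fromhex("558BEC") + b"\xAA\xBB\xCC\xDD" + bytes.fromhex("83EC10")
INSTANCE_B = b"\x90" * 7 + bytes.fromhex("558BEC") + b"\x0A\x0D\x00\xFF" + bytes.fromhex("83EC10")
# Constructed benign buffer: same prologue but add esp,0x10 instead of sub.
CLEAN = bytes.fromhex("558BEC") + b"\x11\x22\x33\x44" + bytes.fromhex("83C410")

if __name__ == "__main__":
    for label, buf in (("A", INSTANCE_A), ("B", INSTANCE_B), ("clean", CLEAN)):
        print(label, scan(buf, SIGNATURES))
```

Instance B deliberately places 0x0A, 0x00 and 0xFF in the wildcard positions to show that the matcher treats the buffer as raw bytes rather than text.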
In another example, autoimmune systems may profile a computer or network to identify a normal state of self, for example in terms of typical network connections and/or system calls. The current state may then be checked regularly against the stored profile. Unusual activity due to a virus, including a polymorphic virus, may be detected using these autoimmune systems.