Comparison between Metamorphic Viruses & Polymorphic Viruses (once the most deadly threat)
The most deadly malware for now! (:AGY)
Metamorphic viruses can reprogram themselves. Often this is done by translating the virus's own code into a temporary representation, editing that representation, and then writing it back out as normal code again. Because this procedure is applied to the virus as a whole, the metamorphic engine itself undergoes changes too. Some viruses do this when they are about to infect new files, with the result that the "children" never look like their parents. The computer viruses that use this technique do so in order to avoid the pattern recognition of anti-virus software: the actual algorithm does not change, but everything else might.
Metamorphic code is more effective than polymorphic code. This is because most anti-virus software will try to search for known virus code even during execution of the code. Whether heuristics, proactive defense and behavioral analysis can effectively stop this next generation of malware remains to be seen.
There may be a chance that even HIPS cannot stop metamorphic viruses. To avoid being detected by emulation, some viruses rewrite themselves completely each time they are about to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed, and a metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly language code, 90% of which is part of the metamorphic engine.
A metamorphic virus thwarts detection by signature-based (static) AV technologies by morphing its code as it propagates. The virus can also thwart detection by emulation-based (dynamic) technologies.
A polymorphic virus is a virus that changes its signature (i.e., its binary pattern) every time it replicates and infects a new file, in order to keep from being detected by an antivirus program.
What is a polymorphic virus?
A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key.
More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with “noise” instructions (e.g., a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.
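To make the two points above concrete (a scan-string detector keyed on one variant misses the others, while a scanner that normalizes away the noise and equivalent instructions still recognizes them), here is an added Python example. It is not code from the original post or from any AV product or virus; the three instruction listings are constructed toy variants of one 16-byte XOR-decoding loop, written to differ only in the ways described above: a NOP, a dead load into an unused register, "sub eax, eax" in place of "xor eax, eax", and swapped independent instructions. The sorting of independent instructions inside a basic block is a deliberate simplification of what a real engine would do with a dependency graph.

```python
import hashlib
import re

# Constructed toy listings (not real malware): three variants of the same
# decoding loop, as a polymorphic engine of the kind described above might
# emit them.  Variant A is the "reference" copy a signature was taken from.
VARIANT_A = """
mov ecx, 16
mov esi, buf
xor eax, eax
loop:
xor byte [esi], 0x5a
inc esi
dec ecx
jnz loop
"""

VARIANT_B = """
mov esi, buf
nop                     ; noise instruction
mov ecx, 16
sub eax, eax            ; same net effect as 'xor eax, eax'
mov edx, 0x1234         ; noise: edx is never read anywhere
loop:
xor byte [esi], 0x5a
nop
inc esi
dec ecx
jnz loop
"""

VARIANT_C = """
xor eax, eax
mov ecx, 16
mov esi, buf
loop:
nop
xor byte [esi], 0x5a
dec ecx                 ; independent of 'inc esi', so the order was swapped
inc esi
jnz loop
"""

# An unrelated constructed loop, to check the normaliser does not match everything.
OTHER = """
mov ecx, 16
mov esi, buf
loop:
add byte [esi], 1
inc esi
dec ecx
jnz loop
"""

NOISE = {"nop"}
IMM_LOAD = re.compile(r"^mov (\w+), (0x[0-9a-fA-F]+|\d+)$")   # mov reg, immediate
ZERO_REG = re.compile(r"^(xor|sub) (\w+), \2$")               # xor/sub reg, reg
MOV_ZERO = re.compile(r"^mov (\w+), 0$")                       # mov reg, 0
REGISTER = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")


def parse(listing):
    """Strip comments and blank lines and collapse whitespace, one line per instruction."""
    out = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            out.append(re.sub(r"\s+", " ", line))
    return out


def registers_used(lines):
    """Registers referenced anywhere other than as the target of a plain immediate load."""
    used = set()
    for line in lines:
        if not IMM_LOAD.match(line):
            used.update(REGISTER.findall(line))
    return used


def canonicalize(listing):
    """Normalise a listing: drop noise, unify equivalent instructions,
    and sort independent instructions within each basic block."""
    lines = parse(listing)
    used = registers_used(lines)
    canon = []
    for line in lines:
        if line in NOISE:
            continue
        m = IMM_LOAD.match(line)
        if m and m.group(1) not in used:
            continue                      # dead register load: noise
        m = ZERO_REG.match(line)
        if m:
            line = f"zero {m.group(2)}"   # xor r,r / sub r,r  ->  zero r
        m = MOV_ZERO.match(line)
        if m:
            line = f"zero {m.group(1)}"   # mov r,0  ->  zero r
        canon.append(line)
    # A label or a jump ends a basic block; the block body is sorted so that
    # interchanged independent instructions compare equal (coarse approximation).
    blocks, cur = [], []
    for line in canon:
        if line.endswith(":") or line.startswith("j"):
            blocks.extend(sorted(cur))
            blocks.append(line)
            cur = []
        else:
            cur.append(line)
    blocks.extend(sorted(cur))
    return blocks


def canonical_hash(listing):
    return hashlib.sha256("\n".join(canonicalize(listing)).encode()).hexdigest()


def scan_string_match(listing, signature):
    """What a simple scan-string scanner does: look for a fixed sequence in the raw listing."""
    return "\n".join(parse(signature)) in "\n".join(parse(listing))


def detect(listing, known_hashes):
    """Signature check on the canonical form instead of the raw bytes."""
    return canonical_hash(listing) in known_hashes


SIGNATURE_FROM_A = "xor eax, eax\nloop:\nxor byte [esi], 0x5a\ninc esi"

if __name__ == "__main__":
    known = {canonical_hash(VARIANT_A)}
    for name, v in [("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C), ("other", OTHER)]:
        print(f"{name}: scan-string={scan_string_match(v, SIGNATURE_FROM_A)} canonical={detect(v, known)}")
```

Running it prints that the raw scan string taken from variant A matches only A, while the canonical hash matches A, B and C and rejects the unrelated loop. This is the gap the post points at: every new trick in the mutation engine needs a matching rule in the normaliser, which is why a "sophisticated scanning engine has to be constructed after thorough research into the particular virus".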
One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE), which comes in the form of an object module. With the Mutation Engine, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.
The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
It is known that polymorphic viruses were once the most difficult viruses to detect; the best AV app can detect at most 30% of unknown polymorphic viruses!!!
AV-Comparatives used only 12 known polymorphic viruses and many AVs already had problems with them.
How about METAMORPHIC VIRUSES, which are even more powerful??? (:SHY)
Note: I accidentally encountered one of these viruses; it crippled my previous NOD32 v2.7 and destroyed it!!! Heuristics & self-defense or proactive defense can do little against it. I had to reformat my hard disk. Good thing I have a DVD backup of my files…