Used in Computer Viruses
Part 1
Copyright (C) 05/1995 by Howard Fuhs
According to popular wisdom, technical progress cannot be held back. In the case of computer viruses you certainly have to agree with this statement. In the first years of computer viruses it was sufficient for the anti-virus researcher to analyse the virus code thoroughly and choose a sequence of bytes that could be used to uniquely identify the virus at hand. This virus signature was simply added to the database of a string scanner. Well-maintained string scanners had a very high detection rate and the anti-virus industry thought the problem was under control.
An obvious way to defeat string scanners was to write a computer virus which modified each new copy of its code so much that a scanner looking for a particular byte sequence would no longer be able to detect the virus. Viruses with the ability to modify themselves in this way are called mutating or polymorphic viruses.
Polymorphic viruses use code modification or code encryption techniques to avoid detection by anti-virus scanners. The virus encrypts most of its code using a new encryption key for each new instance of the virus. Only the decryption routine necessary to recreate the virus code is left unencrypted. To protect the decryption code from detection by string scanners, it is changed sufficiently in each copy of the virus (infection) not to be identifiable by means of a fixed byte sequence, while at the same time maintaining its functionality.
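The following is an added illustration, not code from the article or from any engine it describes, of the detection problem just stated: a fixed signature stops matching as soon as the body is re-encrypted with a fresh key, and a scanner must instead undo the encryption (here by trying every single-byte XOR key, the "X-raying" approach) before matching. All byte values, the body, the signature and the placeholder decryptor header are constructed sample data.

```python
from typing import Optional

# Constructed stand-in for a plaintext body. In a real polymorphic virus this
# would be the virus code that is re-encrypted with a new key per infection.
PLAIN_BODY = bytes.fromhex("b409ba0001cd21b44ccd21") + b"constructed-sample-body"

# Constructed signature: the fixed byte sequence a string scanner would store
# after analysing PLAIN_BODY (the first seven bytes of the plaintext).
SIGNATURE = bytes.fromhex("b409ba0001cd21")


def xor_encode(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt data with a single-byte XOR key (XOR is symmetric)."""
    return bytes(b ^ key for b in data)


def make_instance(key: int) -> bytes:
    """Build one encrypted instance: a schematic, non-executable placeholder
    for the (mutated) decryptor carrying the key, followed by the body
    encrypted under that key."""
    header = b"DEC" + bytes([key])  # constructed placeholder, not a real decryptor
    return header + xor_encode(PLAIN_BODY, key)


def string_scan(sample: bytes) -> bool:
    """Classic string scanner: look for the fixed signature as-is."""
    return SIGNATURE in sample


def xray_scan(sample: bytes) -> Optional[int]:
    """Try every single-byte XOR key on the whole sample and look for the
    signature in the result. Returns the key that revealed it, else None."""
    for key in range(256):
        if SIGNATURE in xor_encode(sample, key):
            return key
    return None


if __name__ == "__main__":
    for key in (0x00, 0x5A, 0xC3):
        instance = make_instance(key)
        print(f"key {key:#04x}: string scanner matches = {string_scan(instance)}, "
              f"x-ray scanner recovered key = {xray_scan(instance)}")
```

Only the key-0 instance (body left in the clear) is caught by the string scanner; the X-ray scanner recovers the key and the signature for every instance, which is why scanners had to move beyond fixed byte strings.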
This technical progress was not to be limited to the first polymorphic viruses. As with the Virus Construction Kits, the first object files containing encryption routines soon emerged, needing only to be linked into existing viruses to make them polymorphic. That made the work easier for the clueless virus writers who did not themselves have the ability to create an encryption routine. Through the international networks these ready-made polymorphic routines were soon spread all over the world and made available to a wide audience. The first polymorphic generator came from Sofia, Bulgaria. It was designed by a programmer calling himself the "Dark Avenger".
A polymorphic routine obviously functions in the same fashion no matter which type of program it is used to encrypt. In some of the documentation enclosed with polymorphic engines it is thus often stated that the writer only releases the software for use in data security programs, and that insertion into viruses is forbidden. Nevertheless, most polymorphic routines are designed for inclusion into viruses and are only of limited usefulness for other purposes.
The MuTation Engine was the first polymorphic encryption routine that was specially designed for inclusion in viruses.
In the enclosed documentation file the following sequence is included:
"MuTation Engine <tm>
Version 0.90ß (17-08-91) (C) 1991 CrazySoft, Inc. written by Mad Maniac
You are free to include this Engine in viruses. Using it in another way is prohibited. You are free to give it to people that will only use it in this way. MuTation Engine is free."
As mentioned above, the different polymorphic engines might be used in other programs. In this case that is expressly prohibited. It is, however, highly unlikely that anyone using the engine for different purposes would be prosecuted by the virus writer...
The MtE version 0.90ß is programmed in assembler and assembled using Borland Turbo Assembler 2.5. The file containing the MtE, MTE.OBJ, has a size of 2 kB. The source code of a demo virus enabling you to test the encryption engine immediately was included in the original MtE distribution archive. A short while after the publication of MtE, a disassembly script was published. It enabled you to study exactly how the MtE was designed and how it worked.
Later a version 1.00ß was published. It contained a modification of the built-in random number generator. It is now assumed that version 1.00ß was not written by the original programmer.
The MtE is the most widespread polymorphic engine. It is currently used in approximately 36 different viruses. It is safe to assume that the MtE is detected by all good anti-virus systems and thus no longer poses any significant threat.
The TridenT Polymorphic Engine was published in 1992 by a Dutch virus writer using the pseudonym Masud Khafir. This individual had already appeared earlier as a member of a group of virus writers named Trident Virus Research Group.
The author of TPE, who was already known as a writer of very advanced viruses, was inspired by the advent of the MtE to try to write an equally advanced polymorphic routine to encrypt viruses. In the final notes of the enclosed documentation Masud Khafir writes:
"First, I want to thank Dark Avenger from Bulgaria for his nice "Mutation Engine" program. This fine program has been a great source of inspiration for the TPE!"
Masud Khafir has so far published four versions of TPE. The file TPE.OBJ has a size of 1.6 kB and is used in at least nine viruses. In each new version of TPE, errors in earlier versions are corrected. For example, the decryption routine in version 1.1 did not function reliably on all processor types. This was corrected in versions 1.2 and 1.3. Version 1.2 could only be used in viruses that always occupied the same memory space. This was changed in version 1.3. Finally, version 1.4 featured a considerably more complex encryption engine.
All versions of the TPE should certainly be reliably detected by all good anti-virus programs. However, recent scanner tests surprisingly show this not to be the case.
The Darwinian Genetic Mutation Engine is a variant of the TPE. The DGME was published as source code in the book "Computer Viruses, Artificial Life and Evolution" by Mark Ludwig. According to the author, he published DGME in order to provide a tool to research "evolutionary conditions". Using the DGME it is supposedly possible to design a virus of which 99.9% of the instances are detected by a given anti-virus program in the first mutation stage of the virus. As the virus develops further by undergoing several mutation stages, it becomes more and more difficult to detect by the same anti-virus product. The basic idea is to develop computer viruses which, by going through several evolutionary generations, gradually develop into forms that cannot be detected by anti-virus systems. In the same book an example virus, SCAN-Slip, is published. The DGME can be embedded in this virus and tested. No virus is known which actually incorporates the DGME.
The NuKe Encryption Device was published in October 1992. It was written by Nowhere Man, who had already previously published the Virus Creation Lab. According to information in the source code to version 0.90ß, the program was not supposed to be given to anybody outside the virus programmer group NuKe. Nevertheless a fully commented program source was published, making it easy for programmers to introduce modifications.
All good anti-virus systems reliably detect NED, which consequently no longer poses a real danger.
In 1993 Dark Angel's Multiple Encryptor was published as source code in the 40HEX underground magazine. Dark Angel is a member of the Canadian-American virus writer group Phalcon/SKISM. He has also designed the virus construction kits PS-MPC and G2. Together with the commented source for DAME, Dark Angel published a treatise titled Advanced Polymorphic Primer in 40HEX. In a later issue of the magazine the commented source code for DAME version 0.91 was published. In this version a number of errors had been corrected and some technical improvements introduced. The original DAME 0.90 has a size of 1.5 kB. For version 0.91 this has increased to 1.9 kB. DAME is detected by all good anti-virus systems.
In the last few years it has become noticeable that Taiwanese programmers occupy a stronger and stronger position, particularly in the field of polymorphic generators. The Dark Slayer Mutation Engine was the first polymorphic generator from this part of the world. It was published September 28, 1993, in Taiwan, programmed by a 17-year-old high school student calling himself Dark Slayer. The DSME was programmed with Microsoft's MASM package. Documentation in Chinese and English as well as an assembler source listing for a test virus is enclosed. This virus writer, too, refers in his documentation to the MtE by Dark Avenger. The DSME is not as advanced as MtE or TPE. It is one of the simpler polymorphic engines.
The Dark Slayer Confusion Engine was published in April 1994 by the same programmer who had programmed the DSME. The DSCE is a thoroughly reworked version of the DSME containing much more complex encryption. In this case, too, a test virus as well as Chinese and English documentation are supplied. The size of the file DSCE.OBJ is 3.4 kB. We know of no virus using this engine.
The Guns'n'Roses Polymorphic Engine was written by the Taiwanese virus writer Slash Wu. It was published in 1994. Only documentation in Chinese is supplied, and very little is known in the West regarding this engine. For example, it is not known whether it is integrated into any virus. The name of the engine indicates that the writer is a fan of heavy metal music. The file GPE.OBJ was produced with Turbo Assembler 1.0 and takes up 2.8 kB.
The Golden Cicada Abnormal Engine from Taiwan was published in January 1995.
In this case, too, only Chinese documentation is provided, and little is known about this engine. It is quite similar to DSME and DSCE in several respects. The size of GCAE.OBJ is 3.5 kB. It is not yet known whether this engine is used in any viruses.
No less than nine different versions of MutaGEN were published between January and July 1994, the most recent being version 2.0. Thus, this is one of the best known polymorphic encryption routines. The American virus writer MnemoniX has corrected bugs with each new version as well as expanded the technical functionality of the routine.
This is an excerpt from the version list enclosed with the engine:
"1/94 personal release
.90ß 2/94 first official beta test version released. Sometimes scanned as TpE, contained minor bugs.
.95ß 2/94 fixed bugs & made less scannable
1.00 3/94 first official version. Functionality perfect, as far as I can see.
1.10 4/94 Added more variability in code and optimised existing code. Also added another demonstration virus.
1.1b 4/94 Fixed protected mode bug, I think. (Thanks Memory Lapse)
1.2 5/94 Improved code yet more, added more power and polymorphism. (Also, the first demo virus no longer scans as Ash.)
1.3 6/94 Optimized some code and added more weird twists and turns in code.
2.0 7/94 The definitive version. I fixed bugs with the IN and REP instructions that would occasionally cause problems. Added many calls and jumps to make detection much more difficult. If there is a next version, it will simply be smaller."
The size of the file MUTAGEN.OBJ (version 2.0) is 2.4 kB. Two test viruses are included as assembler listings.
The Simulated Metamorphic Encryption Generator raised some eyebrows when it appeared in 1994, because it was included in some very difficult and dangerous viruses. SMEG was produced by the English virus writer who called himself the Black Baron, and who is currently awaiting sentencing for violations of the Computer Misuse Act after being convicted some months ago. SMEG version 0.1 was introduced in the Pathogen virus. SMEG version 0.2 encrypted the QUEGG virus from the same programmer, and SMEG 0.3 was delivered as an OBJ file for inclusion in other viruses. According to the writer, SMEG uses exclusively 8086/88 instructions, and is thus able to run on all PCs ranging from the first PCs to the latest Pentium computers. The size of the enclosed documentation is over 25 kB.
The particularity of SMEG is the comprehensive and very well written junk code generator, which serves to inject random code sequences, unimportant from the point of view of functionality, into a virus in order to change and encode it. In general, badly written junk code generators produce code which is faulty or cannot execute in the given environment. This leads to viruses which fail to run or crash the computer in certain instances of their mutations. In both cases the chance of the virus being detected quickly is high. Not so with SMEG. In version 0.3 the junk code generator is improved compared to versions 0.1 and 0.2.
SMEG.OBJ is produced with TASM 2.15 and has a size of 2.3 kB. SMEG is used in several viruses, and far from all anti-virus systems detect this engine reliably.
The underground magazine Crypt Newsletter published ULTIMUTE as commented source code in December 1993. According to the writer, who calls himself Black Wolf, ULTIMUTE is "written for security-type applications and other areas where mutation of executable code is necessary". Indeed, ULTIMUTE was used in Black Wolf's File Protection Utilities. These utilities allow the user to implement password encryption in .COM and .EXE files. The encryption algorithm is extremely simple. No virus is known which uses ULTIMUTE, in line with the programmer's express request. The file ULTIMUTE.OBJ has a size of 1.7 kB.
One of the most recent polymorphic engines is Virogen's Irregular Code Engine. Version 0.2a was published on 11.02.1995. Virogen is probably a member of the American virus writer group NUKE.
Three test viruses are supplied with VICE. The engine contains a junk code generator which is designed to foil one particular anti-virus product by using certain interrupt calls. VICE.OBJ was coded in TASM 2.0, and the size is 2 kB.
Version 0.11b of the Compact Polymorphic Engine was published as a COM file in 1994. The encryption engine is only 1.3 kB in size. No documentation was published with this engine, and research shows it to be a fairly simple generator with a number of important bugs. No viruses using it are known.
The commented source code for the Visible Mutation Engine was published in the Spring 1993 issue of the trade journal of virus programming, Computer Virus Developments Quarterly. The encryption is quite simple, and according to the publication it is intended for research and educational purposes only. The file VME.OBJ was produced with TASM 3.2, and the size is 2 kB. It is not known whether the routine is used in any viruses.
The Phantasie Mutation Engine was published as a UU-encoded file on the German FIDO-Net in January 1995. PME was written by Burglar, who presumably comes from Taiwan. Only version 1.0 is known. The size is 1.7 kB. No virus using this engine is known. PME is a relatively badly written mutation engine which is not very complex.
When I started to research this subject in my own archives I was very surprised to find how many polymorphic engines showed up. When I asked other anti-virus researchers for more information, they provided even more different engines. If someone had asked me beforehand how many of these engines existed, only the five or so most common would have sprung to mind.
It is a matter of concern that so many new engines have been published in Taiwan lately. A veritable quest for leadership in this field seems to have arisen, so where the leadership in virus production was earlier to be found in Eastern Europe, it may have to be sought in the Far East in the future. There are many signs of this, e.g. the fact that five new polymorphic engines have been published in this part of the world within the last two years.
There is still a great gap between the capabilities of existing polymorphic engines and those theoretically possible, so there is ample room for the creation of new and serious problems for the computer-using community within the area of polymorphic engines. It does not help that people such as Mark Ludwig distribute CD-ROMs containing thousands of viruses as well as virus creation software and fully commented polymorphic engine source code.