Striking Similarities: Win32/Simile and Metamorphic Virus Code

by Frédéric Perriot, Senior Software Engineer; Péter Ször, Architect; Peter Ferrie, Principal Software Engineer

WHITE PAPER, Symantec Security Response

Inside: Replication Routine; EPO Mechanism; Polymorphic Decryptor; Metamorphism; Replication; Payload; W32/Simile
Symantec STRIKING SIMILARITIES: WIN32/SIMILE AND METAMORPHIC VIRUS CODE

Contents

Introduction ..... 3
Replication Routine ..... 4
EPO Mechanism ..... 4
Polymorphic Decryptor ..... 4
Metamorphism ..... 5
Replication ..... 5
Payload ..... 6
Conclusion ..... 7
W32/Simile ..... 7
About the Authors ..... 8
Introduction

Win32/Simile is the latest "product" of the developments in metamorphic virus code. The virus was released in the most recent issue of 29A (#6) in early March 2002. It was written by a virus writer who calls himself "The Mental Driller." Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved challenging to detect. Win32/Simile moves yet another step up the scale of complexity.

The source code of the virus is approximately 14,000 lines of assembly code. The metamorphic engine itself, which is extremely powerful, takes up approximately 90% of the virus code. The author named the virus "MetaPHOR," which stands for Metamorphic Permutating High-Obfuscating Reassembler. The first-generation virus code is approximately 32KB, and there are three known variants of the virus in circulation. Certain antivirus (AV) companies from some major corporations in Spain received samples of the original variant, which was released in issue 29A, indicating a minor outbreak.

Win32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging, and emulation techniques, as well as the standard evaluation-based techniques for virus analysis. As with many other complex viruses, Simile uses EPO (entry-point obscuring) techniques.
Replication Routine

Simile contains a basic, direct-action replication mechanism that attacks PE files on the local machine and on the network. The emphasis is clearly on the metamorphic engine, which is unusually complex.

EPO Mechanism

The virus searches for all of the possible patterns of certain call instructions (those that reference the ExitProcess() API) and replaces them so that they point to the beginning of the virus code. Thus, the main entry point of the file is not altered. Sometimes the metamorphic virus body is placed together with a polymorphic decryptor at the same location within the file. In other cases, the polymorphic decryptor is placed at the end of the code section, while the virus body is placed in another section. This further confuses the location of the virus body.
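The EPO pattern described above (a call that should reach the ExitProcess() import is redirected into the virus body, while the PE entry point stays untouched) can be checked for from the defender's side by resolving every call in a code region and asking where it actually lands. The following is an added example, not code from the paper or from Symantec: the section layout, the IAT slot address, the "expected end of legitimate code" boundary and the sample bytes are all constructed assumptions, and it assumes the redirected call takes the form of a direct E8 rel32 call, which the paper does not specify.

```python
"""Heuristic scan for redirected ExitProcess() calls (added example, not from the paper).

Assumptions (all constructed for illustration):
  * one code section (.text) and one data section (.data) at fixed virtual addresses;
  * the loader fills IAT slot 0x403010 with the address of kernel32!ExitProcess;
  * the caller knows where legitimate code is expected to end (code_end), e.g. from a
    known-good baseline of the binary.
"""
import struct

# Constructed image layout: section name -> [start, end) virtual address range.
IMAGE_SECTIONS = {
    ".text": (0x401000, 0x401400),
    ".data": (0x403000, 0x404000),
}
# Constructed: IAT slot the loader fills with the address of ExitProcess.
EXITPROCESS_IAT_SLOT = 0x403010


def find_calls(code, base_va):
    """Yield (offset, kind, target_va) for the two common x86 call encodings:
    E8 rel32 (direct, relative to the next instruction) and FF 15 disp32
    (indirect through a memory slot, the normal form of an import call).
    This is a linear byte scan, not a disassembler, so bytes that merely look
    like a call opcode (e.g. inside data) can produce false positives."""
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            yield i, "direct", (base_va + i + 5 + rel) & 0xFFFFFFFF
            i += 5
        elif op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            yield i, "indirect", slot
            i += 6
        else:
            i += 1


def section_of(va):
    """Return the name of the section containing va, or None if outside the image."""
    for name, (start, end) in IMAGE_SECTIONS.items():
        if start <= va < end:
            return name
    return None


def classify(kind, target, code_start, code_end):
    """Defender-side verdict for one call.
    An indirect call through the ExitProcess IAT slot is the normal API call.
    A direct call that leaves the expected code range, whether it lands in another
    section or at the end of the code section, matches the EPO redirection pattern."""
    if kind == "indirect":
        return "api-call" if target == EXITPROCESS_IAT_SLOT else "indirect-other"
    if code_start <= target < code_end:
        return "intra-code"
    if section_of(target) is None:
        return "out-of-image"
    return "suspicious-epo"


def scan(code, base_va, code_end):
    """Return [(call_va, kind, target_va, verdict), ...] for every call found."""
    return [
        (base_va + off, kind, target, classify(kind, target, base_va, code_end))
        for off, kind, target in find_calls(code, base_va)
    ]


def suspicious_calls(code, base_va, code_end):
    """Return the virtual addresses of calls flagged as possible EPO redirections."""
    return [va for va, _, _, verdict in scan(code, base_va, code_end)
            if verdict == "suspicious-epo"]


# Constructed samples. CLEAN: push 0 / call [0x403010] (ExitProcess) / ret.
CLEAN = bytes.fromhex("6a00" "ff1510304000" "c3")
# INFECTED: the same code with the import call rewritten (assumed form) as a
# direct call to 0x403100 in .data plus a NOP to keep the length at 6 bytes.
INFECTED = bytes.fromhex("6a00" "e8f9200000" "90" "c3")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        for va, kind, target, verdict in scan(sample, 0x401000, 0x401400):
            print(f"{label}: call at {va:#x} ({kind}) -> {target:#x}: {verdict}")
```

On the constructed samples the clean program yields one "api-call" verdict and the infected one yields a "suspicious-epo" verdict at the same call site, which is the point of the heuristic: the file's entry point is identical in both cases, so only following the calls themselves reveals the redirection. A real scanner would take the section table and IAT from the PE headers instead of constants, and would use a proper disassembler rather than a byte scan.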