Striking Similarities: Win32/Simile and Metamorphic Virus Code

White Paper, Symantec Security Response

by Frédéric Perriot, Senior Software Engineer; Péter Ször, Architect; Peter Ferrie, Principal Software Engineer

Inside: Replication Routine, EPO Mechanism, Polymorphic Decryptor, Metamorphism, Replication, Payload, W32/Simile
Contents

Introduction ........................ 3
Replication Routine ................. 4
EPO Mechanism ....................... 4
Polymorphic Decryptor ............... 4
Metamorphism ........................ 5
Replication ......................... 5
Payload ............................. 6
Conclusion .......................... 7
W32/Simile .......................... 7
About the Authors ................... 8
Introduction

Win32/Simile is the latest "product" of the developments in metamorphic virus code. The virus was released in the most recent issue of 29A, #6, in early March 2002. Its author calls himself "The Mental Driller." Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved challenging to detect. Win32/Simile moves yet another step up the scale of complexity.

The source code of the virus is approximately 14,000 lines of assembly code. The metamorphic engine itself, which is extremely powerful, takes up approximately 90% of the virus code. The author named the virus "MetaPHOR," which stands for Metamorphic Permutating High-Obfuscating Reassembler. The first-generation virus code is approximately 32KB, and there are three known variants of the virus in circulation. Certain antivirus (AV) companies received samples of the original variant, the one released in 29A, from major corporations in Spain, indicating a minor outbreak.

Win32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging, and emulation techniques, as well as the standard evaluation-based techniques for virus analysis. As with many other complex viruses, Simile uses entry-point obscuring (EPO) techniques.