RealNews

An Analysis of Simile

Virus writers have always tried to develop new methods to make malware detection more difficult. For instance, encryption was a natural step in virus evolution when scanners started to use databases of scan strings for detection. When scanners started to handle encryption patterns generically, first oligomorphism (a limited form of polymorphism, in which the polymorphic decryptor can take only a strictly limited, relatively small number of shapes) and then polymorphism were introduced. Then, as emulation was used more and more by antivirus programs, it became clear that new methods had to be developed to hide the viral code. For example, Ply was a simple DOS virus that used an interesting technique based on the fact that Intel opcodes are variable in size. It padded every instruction that was not 3 bytes long with no-operation instructions. These 3-byte pieces would be randomly linked with jumps, and, inside each piece that contained an opcode that was not 3 bytes long, the padded instruction(s) could be shifted. In 1998, another virus appeared that showed something new. Lexotran was a polymorphic DOS virus, but its polymorphism was unusual: there were no constant parts of the code, even after decryption. Another DOS virus, ACG, which was developed even earlier, was one of the first viruses that had no constant parts in its body.

OODA Analyst

OODA is composed of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.