This is where metamorphism enters into the picture. Metamorphism is the next logical step after polymorphism. Instead of encrypting the program's body and making slight alterations in the decryption engine, it is possible to alter the entire program each time it is replicated. The benefit of metamorphism (from a malware writer's perspective) is that each version of the malware can look radically different from any other version. This makes it very difficult (if not impossible) for antivirus writers to use any kind of signature-matching technique for identifying the malicious program.
Metamorphism requires a powerful code analysis engine that actually needs to be embedded into the malicious program. This engine scans the program code and regenerates a different version of it on the fly every time the program is duplicated. The clever part here is the type of changes made to the program. A metamorphic engine can perform a wide variety of alterations on the malicious program (needless to say, the alterations are performed on the entire malicious program, including the metamorphic engine itself). Let's take a look at some of the alterations that can be automatically applied to a program by a metamorphic engine.
Instruction and Register Selection: Metamorphic engines can actually analyze the malicious program in its entirety and regenerate the code for the entire program. While re-emitting the code, the metamorphic engine can randomize a variety of parameters regarding the code, including the specific selection of instructions (there is usually more than one instruction that can be used for performing any single operation) and the selection of registers.
Instruction Ordering: Metamorphic engines can sometimes randomly alter the order of instructions within a function, as long as the instructions in question are independent of one another.
Reversing Conditions: In order to seriously alter the malware code, a metamorphic engine can actually reverse some of the conditional statements used in the program. Reversing a condition means (for example) that instead of using a statement that checks whether two operands are equal, you check whether they are unequal (this is routinely done by compilers in the compilation process; see Appendix A). This results in a significant rearrangement of the program's code because it forces the metamorphic engine to relocate conditional blocks within a single function. The idea is that even if the antivirus program employs some kind of high-level scanning of the program in anticipation of a metamorphic engine, it would still have a hard time identifying the program.
Garbage Insertion: It is possible to randomly insert garbage instructions that manipulate irrelevant data throughout the program in order to further confuse antivirus scanners. This also adds a certain amount of
284 Chapter 8
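The alterations listed above are exactly what a scanner has to undo before any signature can match. The following is an added example, not code from the book or from any antivirus product: a toy "semantic normalizer" in Python that takes two listings in a constructed Intel-style subset, strips garbage instructions, collapses alternative instruction selections to one spelling, puts independent register-only instructions into a deterministic order, and numbers registers by first use, so that two metamorphic variants of the same routine produce the same fingerprint. The instruction subset, the register model (flags ignored, memory and control-flow instructions treated as reordering barriers), and the sample listings are all assumptions made for the illustration; condition reversal, the third transformation the text describes, is not handled here.

```python
import hashlib
import re

# General-purpose registers a metamorphic engine may freely reassign.  esp/ebp
# are deliberately excluded: stack and frame pointers are not interchangeable.
REG = re.compile(r"\b(e[abcd]x|e[sd]i)\b")


def parse(listing):
    """Turn a toy Intel-syntax listing into (mnemonic, [operands]) tuples."""
    insns = []
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((mnem, ops))
    return insns


def is_garbage(mnem, ops):
    """Semantic no-ops typical of garbage insertion (flag side effects are ignored)."""
    if mnem == "nop":
        return True
    if mnem in ("mov", "xchg") and len(ops) == 2 and ops[0] == ops[1]:
        return True
    return mnem in ("add", "sub", "or", "xor") and len(ops) == 2 and ops[1] == "0"


def canonical_instruction(mnem, ops):
    """Collapse alternative instruction selections to a single spelling."""
    if mnem in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
        return "mov", [ops[0], "0"]                # xor r,r and sub r,r zero r
    if mnem == "inc":
        return "add", [ops[0], "1"]
    if mnem == "dec":
        return "sub", [ops[0], "1"]
    return mnem, ops


def fmt(insn):
    mnem, ops = insn
    return (mnem + " " + ", ".join(ops)).strip()


def _defs_uses(mnem, ops):
    """Registers written and read by one instruction (rough register-only model)."""
    def regs(s):
        return set(REG.findall(s))
    if not ops:
        return set(), set()
    dst = set() if "[" in ops[0] else regs(ops[0])
    src = set().union(*[regs(o) for o in ops[1:]]) if len(ops) > 1 else set()
    if mnem != "mov" or "[" in ops[0]:             # read-modify-write, or address regs
        src |= regs(ops[0])
    return dst, src


def canonical_order(insns):
    """Undo instruction reordering: topological order over register dependencies,
    ties broken by register-masked text.  Memory and control-flow instructions are
    barriers, so only independent register-only code is ever moved."""
    n = len(insns)
    du = [_defs_uses(m, o) for m, o in insns]
    barrier = [m.startswith("j") or m in ("call", "ret", "push", "pop")
               or any("[" in x for x in o) for m, o in insns]
    deps = [set() for _ in range(n)]
    for j in range(n):
        for i in range(j):
            (di, ui), (dj, uj) = du[i], du[j]
            if barrier[i] or barrier[j] or di & uj or ui & dj or di & dj:
                deps[j].add(i)
    done, out = set(), []
    while len(out) < n:
        ready = [k for k in range(n) if k not in done and deps[k] <= done]
        k = min(ready, key=lambda k: (REG.sub("R", fmt(insns[k])), k))
        done.add(k)
        out.append(insns[k])
    return out


def rename_registers(insns):
    """Undo register selection: number registers by first use (r0, r1, ...)."""
    names = {}

    def canon(m):
        return names.setdefault(m.group(0), f"r{len(names)}")
    return [(m, [REG.sub(canon, o) for o in ops]) for m, ops in insns]


def normalize(listing):
    insns = [canonical_instruction(m, o) for m, o in parse(listing) if not is_garbage(m, o)]
    return "\n".join(fmt(i) for i in rename_registers(canonical_order(insns)))


def fingerprint(listing):
    """Hash of the normalized form; a signature would be computed over this, not the raw bytes."""
    return hashlib.sha256(normalize(listing).encode()).hexdigest()


# Constructed sample listings: two metamorphic variants of one routine and an
# unrelated routine.  Illustrative only, not code from any real program.
VARIANT_A = """
    mov eax, [ebp+8]
    xor ecx, ecx
    mov edx, 10
    add eax, edx
    add ecx, 1
    ret
"""
VARIANT_B = """
    mov ebx, [ebp+8]
    nop                 ; garbage
    mov esi, 10
    sub edi, edi        ; alternative selection for xor/mov r,0
    add ebx, esi
    mov esi, esi        ; garbage
    inc edi             ; alternative selection for add r,1
    add ebx, 0          ; garbage
    ret
"""
UNRELATED = """
    mov eax, [ebp+8]
    mov edx, 11
    add eax, edx
    ret
"""

if __name__ == "__main__":
    for name, src in (("A", VARIANT_A), ("B", VARIANT_B), ("unrelated", UNRELATED)):
        print(name, fingerprint(src)[:16])
        print(normalize(src))
```

Run as a script, the two variants print the same normalized text and fingerprint while the unrelated routine does not. The design point is that each normalization pass is the inverse of one transformation in the list above, and the passes must run in a fixed order: garbage removal and canonical spelling first (so that junk does not create false dependencies), ordering before renaming (so that register numbering does not depend on the order the engine chose). A real scanner needs a proper disassembler and flag-liveness tracking where this toy simply ignores flags.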