Which type of virus has the capability of changing its signature and its form?

Third-party analysis of a “similar” file specimen can be helpful guidance; it should not be considered dispositive in all circumstances.

Anti-virus signatures are typically generated from specific data contents or byte patterns identified in malicious code. Signatures differ from heuristics, which are identifiable malicious behaviors or attributes that are not specific to a particular specimen and are commonly used to detect zero-day threats that have not yet been formally identified with a signature.

Anti-virus signatures for a particular identified threat vary between anti-virus vendors, but in many cases certain nomenclature, such as a malware classification descriptor, is common across the signatures (for example, the words “Trojan,” “Dropper,” and “Backdoor” may appear in many of the vendor signatures). These classification descriptors may be a good starting point or may corroborate your findings, but they should not be considered dispositive; rather, they should be weighed as part of the totality of the file profile.

Conversely, if there are no anti-virus signatures associated with a suspect file, it may simply mean that a signature for the file has not yet been generated by the vendor of the anti-virus product, or that the attacker has successfully (albeit likely temporarily) obfuscated the malware to thwart detection.

Third-party analysis of a similar malware specimen by a reliable source can be an incredibly valuable resource—and may even provide predictors of what will be discovered in your particular specimen. While this correlative information should be considered in the totality of your investigation, it should not replace thorough independent analysis.


URL: https://www.sciencedirect.com/science/article/pii/B978159749470000005X

Analysis of a Malware Specimen

Cameron H. Malin, ... James M. Aquilina, in Malware Forensics Field Guide for Linux Systems, 2014

Introduction

Through the file profiling methodology, tools, and techniques discussed in Chapter 5, substantial insight into the dependencies, strings, anti-virus signatures, and metadata associated with a suspect file can be gained and, in turn, used to shape a predictive assessment of the specimen’s nature and functionality. Building on that information, in this chapter we further explore the nature, purpose, and functionality of Video.exe by conducting a dynamic and static analysis of the binary. Recall that dynamic (behavioral) analysis involves executing the code and monitoring its behavior, interaction, and effect on the host system, whereas static analysis is the process of analyzing executable binary code without actually executing the file. During the course of examining the suspect program, we demonstrate the importance and inextricability of using both dynamic and static analysis techniques to gain a better understanding of a malicious code specimen. As the specimen examined in this chapter is actual malicious code “from the wild,” certain references such as domain names, IP addresses, company names, and other sensitive identifiers are obfuscated for privacy and security purposes.

A computer virus is a program or piece of malicious code that spreads between computers and performs destructive activities on the system. It spreads by attaching a copy of itself to a program file. Some viruses do nothing more than replicate or display messages; others deliver a payload to the infected program that can corrupt programs, delete files, format the hard drive, and destroy valuable information.

Polymorphic Virus: 

‘Poly’ means many and ‘morphic’ means forms. As the name suggests, a polymorphic virus is a sophisticated computer virus that changes its form as it propagates in order to avoid detection by antivirus software. It is a self-encrypting virus that pairs a mutation engine with self-propagating program code.

A Polymorphic Virus Consists of:

  • A decryption routine.
  • An encrypted virus body.
  • A mutation engine that generates randomized decryption routines.

In a polymorphic virus both the virus body and the mutation engine are stored encrypted; only the decryption routine is in the clear. When an infected program is executed, the decryption routine gains control of the computer, decrypts the virus body and the mutation engine, and transfers control to the virus, which locates a new program to infect. Because the body is encrypted under a different key each time and the decryption routine itself is rewritten from infection to infection, a scanner has neither a fixed body signature nor a fixed decryptor to search for, which makes the virus difficult to detect.

Working of Polymorphic Virus:


Infection process in the case of a polymorphic virus

Once antivirus software has identified a virus, a signature for it is added to the blacklist and any file matching that signature is blocked. With a polymorphic virus the function the code performs stays the same from one mutation to the next, but the bytes a scanner sees (the encrypted body and the decryption routine) change, so antivirus software that relies solely on traditional signature-based detection no longer matches the new generation. The infection cycle is as follows: the virus makes a copy of itself and of the mutation engine; the mutation engine is invoked and generates a new decryption routine that bears no resemblance to the previous one; the virus encrypts its body and the mutation engine under a new key; and finally it appends the new decryption routine, the encrypted virus body, and the encrypted mutation engine to the target program.

How Polymorphic Code is Generated

The mutation engine is the component that produces the polymorphism. For every infection it generates a new, randomized decryption routine, and the name of the file carrying the code may also change from infection to infection. The virus then locates new programs to infect and attaches copies of its encrypted body and mutation engine, together with the fresh decryption routine, to each of them. This allows a polymorphic virus to spread and damage the system without being detected and blocked by antivirus products that rely only on the traditional signature-detection approach.

Detection of Polymorphic Virus

Polymorphic viruses can easily fool conventional antivirus software that relies on signature-based detection alone. They can still be caught, however. The classic counter-measure is emulation (also called generic decryption): the scanner runs the suspect file's decryption routine in a sandboxed emulator until the constant virus body appears in memory, then applies an ordinary signature to that decrypted body. More recent products add machine learning and behaviour-based detection to flag anomalous activity on the system regardless of how the code is packaged.

Which of the following viruses change their signature every time?

Polymorphic viruses: These viruses have the ability to change their own signature at the time of infection. They are very complex and difficult to detect, and cannot be reliably detected by signature-based antivirus alone.

Which viruses are capable of changing their appearance by changing their codes *?

Polymorphic viruses.

Which malware type can change code and signature patterns with each?

Polymorphic malware uses a variable encryption key to change its shape and signature. It combines a mutation engine with self-propagating code to change its appearance continuously and rapidly morph its code.

Which type of virus will change its form in order to avoid detection?

A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or "morph," making it difficult to detect with antimalware programs. Evolution of the malicious code can occur in a variety of ways such as filename changes, compression and encryption with variable keys.