 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 --------------- Great Debate : Metamorphism )=-
 -=( ---------------------------------------------------------------------- )=-

 -=( 0 : Contents --------------------------------------------------------- )=-

 0 : Contents
 1 : Introduction
 2 : Questions
 3 : Conclusion

 -=( 1 : Introduction ----------------------------------------------------- )=-

 Ever since the days of the first metamorphic viruses like ACG and TMC, the
 idea of mutating a virus to eliminate any possible scan strings has captured
 the imagination of virus writers worldwide.  Suddenly, it was shown that some
 of the same ideas used in polymorphic decryptors could be applied to the
 entire virus body.

 Time passed, into a new century in fact, and several excellent examples of
 metamorphic viruses have appeared (like Zmist).  But the question still
 remains: what does the virus scene think of metamorphism?  Does metamorphism
 deliver the goods, or is polymorphism here to stay?

 We would like  to thank all  those who took part in this Great Debate.  Thanks
 go to the following people for participating:   CyberYoda,  a_guy_in_the_wind,
 CyberWarrior, mandragore, Rezial, Knowdeth, DoxtorL, and anonymous.

 -=( 2 : Questions -------------------------------------------------------- )=-

 How do you see the application of metamorphic technology?  Is it the best
 thing to come out of the virus scene, or unstable dead weight?

 CyberYoda>  Metamorphic technology  is  an evolutionary  step forward in virus
             writing technology.  Done properly it is a powerful technique in a
             virus writer's tool box.

 a_guy_in_the_wind>  The answer is hard.  If metamorphism seems to be the top
             of the top technology, to me it seems that there's no "good"
             metamorphism; well, some are very efficient, but I'm very
             sceptical about it.  For the implementation to be done according
             to the rules of the art, it needs deep algorithm studies and
             mathematical proof to be sure it can't be completely
             reversed/cryptanalysed, as you would do in the professional
             world.  Added to this, you have to design strong and complex code
             to manage it.  Well, I think such work is much better suited to a
             team, but as most coders work alone, you won't see a lot of meta.

 CyberWarrior>  Metamorphism is a great way to hide viruses, and it says a lot
             about the coder who did it (as long as it isn't ripped or from
             other coders ;)

 mandragore>  Let's put the virus scene aside.  The application of such
             technologies is obvious: to evolve like a biological virus.  This
             similarity is a good short- and long-term adaptation for viruses:
             some kind of poly nowadays, it could become the elegant way to
             cross-invade systems and evade detectors.  As long as it's not
             50k of 'did you see my code'.

 Rezial>     TMC crashed a lot.  I haven't heard any antivirus companies say
             "Sorry, we don't detect that virus, it is too metamorphic".  I
             think it is well established that metamorphism doesn't work very
             well yet :)

 Knowdeth>   Could be a good thing for ASM coders, dead weight for HLL.  Last
             thing I want to see is a 1MB meta Visual Basic virus.

 DoxtorL>    Interesting theoretical technology.

 anonymous>  It's not the best thing to come out of the virus scene; that's
             the virus itself.  But it's certainly not unstable dead weight
             either.  We've seen plenty of proof of that.


 What do you think the basic purpose of metamorphic technology is, and how do
 you compare that with the capability of polymorphic technology?  For example,
 how efficient are they in making a virus undetectable?

 CyberYoda>  The sole purpose of metamorphic technology is to delay as long as
             possible the understanding and reliable detection of the virus.
             Given the same level of complexity, a metamorphic virus should be
             a little more difficult to understand and detect than a
             polymorphic one.

 a_guy_in_the_wind>  Well, good polymorphism has fooled antivirus, as do good
             metamorphic ones.  Well, I find meta way more boring to do than a
             polymorphic engine, but I don't like polymorphic engines that
             much either.  Metamorphism is in principle a good idea; many
             people wrote about it, but application seems quite a lot harder
             and needs a lot of motivation.

 CyberWarrior>  I think it's a nice way to code multi-file-type infectors.
             Making a virus undetectable is not a question of encryption or
             plain code.  As long as AV is able to trace the code, they will
             detect it.  Polymorphism and metamorphism are as good as normal
             encryption if they are well done, but they don't offer as many
             scan strings as encrypted or unencrypted viruses do.

 mandragore>  For me, metamorphism is a kind of polymorphism.  But if you
             consider the second one as a Random Decrypting Algo, then
             metamorphism goes one step further.  It allows control over the
             whole body, theoretically, and practically if the engine is well
             done.  Changing shapes is the best way to avoid all kinds of algo
             scanners, but one must still care about heuristics, integrity
             checkers, and so on...

 Rezial>     It started off as a replacement for polymorphism, as decryptors
             were too easily detected with statistical instruction analysis
             and code emulation.  But when they emulate your metamorphed code,
             whenever you call an API you are open to the same code emulation
             problem as before, and this is why current metamorphism is almost
             useless.  I don't think the solution to a detection technique is
             to throw more code at the problem.  It requires a different
             thinking strategy.

 Knowdeth>   To give the asm coders something to have a fit with :-) Well,
             poly and og is possible for what I deal with, so I don't see a
             change coming any time soon as far as morphic virii go, at least
             from how I see it.  Then again there is that you-never-know
             factor, and tomorrow someone could pull some strange Batch I-Worm
             with full meta.  I've seen stranger.

 DoxtorL>    Metamorphic technology brings the fusion between the host code
             and the virus code closer.
             But it's usually a lot of work for nothing.  (See Mental Driller's
             virus, "etapux", now easily detected.)
             The power of microprocessors makes the job of antiviruses easier.

 anonymous>  The purpose of metamorphism is exactly the same as polymorphism:
             to make the virus harder to detect.  The less constant code/data,
             the harder it is to detect the virus, and since a polymorphic
             virus has to have constant code/data (even though it's encrypted)
             and a metamorphic virus doesn't have to have constant code/data,
             I'd say a metamorphic virus has to be more successful.  Though
             everything can be detected.


 Would you feel comfortable writing a metamorphic engine right now?  Have you
 ever done so, or tried to?  How did it go?

 CyberYoda>  While it is  within  my abilities  to write  a simple  metamorphic
             engine, I've never attempted the feat in assembly.

 a_guy_in_the_wind>  At the moment?  Nope, I don't have time for it, and also,
             I'm rudely working on other topics.  I have started a library
             about assembly/disassembly, designed to be callable, with easy &
             flexible APIs.  Then I started writing a little engine which was
             supposed to disassemble and mutate into other couples of
             instructions; the algorithm was badly thought out.  Well, to be
             honest, it started to bore me a lot.

 CyberWarrior>  Very comfortable to write one to infect different kinds of
             files.  It's not as easy as "just" changing the entry point to
             the code, but it works fine and it doesn't offer AV that many
             scan strings  =]

 mandragore>  Yup, I already tried; it went rather fine actually.  I thought
             it would be harder, but it only involved things I already knew.
             What I tried for my last creation is some metamorphism embedded
             in a tunneler using contexts.

 Rezial>     No.

 Knowdeth>   For what I code I don't even know if it would be applicable,  much
             less possible.

 DoxtorL>    It's a hard job.  To tell the truth, I have never written that
             sort of virus, nor polymorphic viruses either.

 anonymous>  Yes, I'd feel comfortable writing a metamorphic engine.  I've
             done so.  There are just as many ways to do metamorphism as there
             are ways to do polymorphism.  The better metamorphism you want,
             the more complex your code gets, a lot more complex.


 What do you think are the key parts to writing a good metamorphic engine,  and
 what are the most difficult aspects?

 CyberYoda>  A strong understanding of machine language and creativity are
             necessary, but having enough patience is the most difficult
             requirement to fulfil.

 a_guy_in_the_wind>  Well, I think you need very good bases in disassembly and
             assembly first.  Second, you need to have very good management of
             instruction couples and their results.  The last part, and this
             is a very interesting part to develop, I think, is the analyst
             part of meta: the right shortcut to take to retrieve what the
             designer of the virus initially really wanted to do, and choose
             another permutation.  A good idea seems to be to get down to the
             binary and start a study of the result of a couple of
             instructions, so multiple instructions will be recognized
             perfectly; instructions can lie in their appearance, they won't
             lie in their result :)

 CyberWarrior>  The most difficult one is that you need some opcode knowledge,
             but I guess every asm reference can fix that  ;]

 mandragore>  Getting the idea is pretty simple; what's harder is taking all
             cases into consideration, and forgetting a bug somewhere in the
             opcode interpreter..  The one which happens 3% of the time but
             takes you forever to find )

 Rezial>     Considering the only factor to gain from in metamorphism is
             obscuring the intent of your code, the "key part" to metamorphism
             is more == better, and hiding easter egg code swapping / mutation
             / dropping routines within the garbage.  The most difficult
             aspect is how to deal with wasted months of work when AV detects
             your virus anyway.  That, and debugging :)

 Knowdeth>   Never made one so I couldn't tell you.

 DoxtorL>    For me, these kinds of viruses are a bit mysterious.  I suppose
             to write this kind of virus you have to think a long time to plan
             how the virus will change/mutate.
             Maybe the main problem is to make the virus have no fixed bytes
             or patterns.  It's more difficult than writing a polymorphic
             virus; a decent metamorphic virus has no encrypted bytes or only
             a few.  In a polymorphic virus, usually the main part is
             encrypted with a different key/encrypting algorithm.

 anonymous>  The key parts of writing a good metamorphic engine must be to
             swap code and data around, change the order of execution, modify
             code and add new code.  The most difficult aspect is separating
             code from data.


 In  the future,  do you  think we'll  see a  larger or  smaller percentage  of
 viruses written with metamorphic engines, and why?

 CyberYoda>  I believe there will be a smaller percentage of viruses written
             with a metamorphic engine, as the number of coders capable of
             creating a stable metamorphic virus is decreasing, while the
             cheap knock-offs of viruses always seem to increase.

 a_guy_in_the_wind>  I have no idea on the question.  I think it will go with
             the scene, sleeping and sleeping more :)

 CyberWarrior>  A smaller percentage.  These days new viruses are written in
             Visual Basic or Delphi, packed with UPX or other file packers.
             Newbies don't mess with asm any more.  They start with .bat these
             days, which is completely useless in my eyes since WinME+ doesn't
             really support .bat any more.  And metamorphic engines written in
             Visual Basic, Delphi or C/C++/C# are difficult to do since there
             is no real wanted access to the file opcodes.  I guess the main
             problem is that most zines release tutorials about how to code
             viruses with batch or BASIC.  Hope this will change soon  =]

 mandragore>  I don't think so.  Visual Basic doesn't support it )
             It's an in-depth conception which can be done in assembly and
             barely in other languages.  And there are fewer and fewer asm
             coders.  Today's goals are fast spreading, fast infecting.  Retro
             and hiding technologies aren't part of it.  This position is
             understandable because AVs are losing for now on this field.  But
             soon they'll be able to correctly filter mails and so on, and
             Microsoft could secure its stuff one day (not today, ok).  Let's
             hope coders will grow and be at the rendez-vous, and ready to
             evolve.  The solution is already there..

 Rezial>     Less.  There are fewer assembly language coders, and although
             you can do it in macro viruses, I think these will eventually die
             out.  It is hard to get people to legitimately open macro'd
             documents as it is, let alone randomly emailed ones :)

 Knowdeth>   Honestly without, I see more and more HLL; it's rare to see
             poly, much less meta.  I see things getting bigger, but then
             again I said that when someone told me my 45k was huge; now you
             find 150k+ virii all over the place.

 DoxtorL>    I doubt we will see a larger percentage of viruses using that
             technology.  Too much work, and the need to have good skill in
             asm.

 anonymous>  A larger percentage of viruses written will be metamorphic,
             because that is the development of viruses.  Just look how fast
             virus coders began adding polymorphism to their viruses.

 -=( 3 : Conclusion ------------------------------------------------------- )=-

 As expected, there is a wide range of views on metamorphism.  The only two
 common answers seem to be that metamorphic engines are difficult to write,
 and that most people are rather cynical about expecting to see more of them.
 But then, perhaps the rarity and difficulty of metamorphism is exactly what
 makes people so interested in it.

 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
 -=( ---------------------------------------------------------------------- )=-
