Polymorphic decryption/encryption


vect0r
August 12th, 2008, 15:00
Hi,

I have a question regarding polymorphism in malware. It seems like a simple question so I've posted in this section. I have read a lot of material, over 25 separate papers and a range of articles on VX Heavens, not to mention a number of posts here also, and I have found conflicting information and nothing concrete enough to answer my question.

The question - In polymorphic malware, the focus is on obfuscating the decryptors. This decryptor is prepended to the encrypted malware body. What I want to clarify is how the encryption is carried out. What is not made clear is whether the decryptors are generated first and then the corresponding encryptor is generated, or whether an encryptor is created and then the decryptor follows?

Any clarification would be welcome

evaluator
August 14th, 2008, 14:17
I think, mostly there are simple inversible algorithms..

vect0r
August 14th, 2008, 14:44
Hey Eval,

thanks for the reply, yes it seems this is mostly the case. Some malware such as W32/Gobi creates the decryptor and stores the steps in a table; once it is created, the corresponding encryptor is created. In others it varies. Took a while to get there, but it's clear to me now.
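As an added illustration of the point the thread arrives at (this is example code written for this page, not code from the thread, and not modelled on W32/Gobi or any real sample): a "decryptor" is drawn as a random table of invertible byte operations, and the matching "encryptor" is derived mechanically by inverting each step and reversing the order. The op names, the (op, operand) table format and the seeded RNG are assumptions of the example. For an analyst the same property cuts the other way: once the decryptor's step table has been recovered from a sample, rebuilding the encryptor is a purely mechanical inversion, which is why the decryptor is the part worth obfuscating and the part worth detecting.

```python
import random

# A transform is a list of (op, operand) steps applied to every byte, in order.
# Every op used here is a bijection on 0..255, so each step has an exact
# inverse and a whole step table can be inverted mechanically.

def rol8(b, n):
    """Rotate an 8-bit value left by n bits (1 <= n <= 7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b, n):
    """Rotate an 8-bit value right by n bits (1 <= n <= 7)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF

def apply_step(b, step):
    """Apply a single (op, operand) step to one byte."""
    op, k = step
    if op == "xor":
        return b ^ k
    if op == "add":
        return (b + k) & 0xFF
    if op == "sub":
        return (b - k) & 0xFF
    if op == "rol":
        return rol8(b, k)
    if op == "ror":
        return ror8(b, k)
    if op == "not":
        return (~b) & 0xFF
    raise ValueError(f"unknown op {op!r}")

# Inverse of each op; xor and not are their own inverses.
INVERSE_OP = {"xor": "xor", "add": "sub", "sub": "add",
              "rol": "ror", "ror": "rol", "not": "not"}

def invert_step(step):
    """Inverse of one step: same operand, inverse op."""
    op, k = step
    return (INVERSE_OP[op], k)

def generate_decryptor(seed, n_steps=6):
    """Draw a random step table (the 'decryptor') from a seeded RNG.

    The seed is only there so runs are reproducible; it stands in for
    whatever per-generation randomness a real engine would use (assumption).
    """
    rng = random.Random(seed)
    table = []
    for _ in range(n_steps):
        op = rng.choice(list(INVERSE_OP))
        if op in ("rol", "ror"):
            k = rng.randint(1, 7)      # rotation amount must be 1..7
        elif op == "not":
            k = 0                      # operand unused
        else:
            k = rng.randint(1, 255)
        table.append((op, k))
    return table

def derive_encryptor(decryptor):
    """The encryptor is the inverse of each decryptor step, in reverse order."""
    return [invert_step(s) for s in reversed(decryptor)]

def transform(data, table):
    """Run every byte of data through the step table."""
    out = bytearray()
    for b in data:
        for step in table:
            b = apply_step(b, step)
        out.append(b)
    return bytes(out)

def roundtrip_ok(data, decryptor):
    """True if encrypting with the derived encryptor and then decrypting restores data."""
    encryptor = derive_encryptor(decryptor)
    return transform(transform(data, encryptor), decryptor) == data

if __name__ == "__main__":
    sample = b"constructed sample payload bytes"   # constructed input
    dec = generate_decryptor(2008)
    print("decryptor steps:       ", dec)
    print("derived encryptor steps:", derive_encryptor(dec))
    print("round-trip ok:", roundtrip_ok(sample, dec))
```

Because the decryptor is generated first and the encryptor is only ever its mirror image, changing the decryptor (a different seed here) automatically yields a different encryptor and a different ciphertext for the same body; nothing about the body itself has to change for the two halves to stay consistent.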