Video Screencast Help

Polymorphism comes to the AMD64

Created: 25 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:32 GMT
Peter Ferrie's picture
0 0 Votes
Login to vote

We recently saw the first polymorphic virus for the AMD64. It was released by the same virus writer responsible for the development of the first virus for the Intel Itanium platform; I suppose it was only a matter of time before this author began to do some serious research on the AMD64 platform, too.

The AMD64 virus is both polymorphic and entrypoint obscuring. The entrypoint obscuring is achieved in two ways: one is by making an unusual use of the Bound Import Table, the other is by creating a polymorphic decryptor that contains no explicit register initialization (e.g. MOV instructions). The result is that it is not a simple matter to find the true start of the decryptor and to emulate from the wrong place can result in incorrect decryption.

Interestingly, the virus author also created a 32-bit version of the same virus, using exactly the same techniques. This could be the start of a disturbing trend—simultaneous release of 32-bit and 64-bit viruses to cover all of the possibilities. The only thing worse than that would be to release a single virus that contains both of them, but we’ve already seen that in an earlier virus that is a member of the W32.Chiton family.