Malware Theory - Oligomorphic, Polymorphic and Metamorphic Viruses

  • Published 22 Oct 2024

Comments • 42

  • @pcsecuritychannel 6 years ago +6

    Also, sometimes encrypted files can be detected by AVs once they are unpacked in memory. Nice video, Karsten!

  • @lucasguzman5560 3 years ago +4

    A FANTASTIC breakdown 👌👏🏽. Thanks for simplifying this topic, you actually answered questions that I didn't even know I had

  • @OALABS 6 years ago +7

    Nice explanation! Thanks for the book recommendation too, definitely going to check that out!

  • @yungdawwg7081 2 months ago

    Hello, I know this vid is pretty old but I hope you can provide some context for me; what did you mean by decrypted body shape when talking about the difference between oligo/poly/meta-morphic viruses? Is it referring to the dynamic behavior of the malware?

    • @MalwareAnalysisForHedgehogs 2 months ago +2

      Hi. It refers to the main code of the malware that is hidden by encryption.
      It shall illustrate that metamorphic viruses change their own instructions with every new generation of the virus, whereas the main polymorphic virus code usually looks the same after unpacking.

  • @DarkDreamsAndMoonlitNights 1 year ago

    Holy crap! I didn't know anything about Metamorphic types!
    Thanks for the awesome breakdown and explanation.

  • @omardanscastro4041 5 months ago

    Good video, simple and fast, how I like it

  • @restfulcube-notyet 2 years ago +1

    This is really off topic but, when I watched this I realized you were wearing the same shirt as me. Is that shirt from Express by any chance?

    • @MalwareAnalysisForHedgehogs 2 years ago

      Haha, that's indeed off topic. I don't have this shirt anymore and don't remember where it was from. But most of my shirts were from Superdry.

  • @jullyanolino 2 years ago

    Thanks for the concise and clear explanation about this thrilling topic.
    By the way, which software do you use to draw such fancy notes?

  • @dassumpfhuhn7225 6 years ago +1

    As always, a great video!
    When do most viruses start a new generation and decompile themselves? Every new start?
    Could you maybe go a little bit deeper into the metamorphism stuff in a separate video? Maybe reverse engineering a virus that uses this technique, so you can show us what types of opcode patterns are replaced (examples)?

    • @MalwareAnalysisForHedgehogs 6 years ago +1

      Thank you. :)
      When a virus starts a new generation depends on the virus family. The simplest ones do it every time the host file is executed. More advanced viruses reside in memory, may hook interrupt handlers and start the infection routine if a certain interrupt happens. Some make it dependent on a date, some may infect only 1 out of 10 times randomly. Usually the polymorphic and metamorphic viruses will create a new generation (a differently looking virus body or decrypter) with each infection.
      I am not sure yet what videos I will do. I cannot promise anything.

    • @dassumpfhuhn7225 6 years ago

      MalwareAnalysisForHedgehogs Thanks for making it clear! :)

  • @andreiadmrs 5 years ago +1

    Brilliant and well explained video, mate. It helped me so much xx

  • @playmaker1011 5 years ago +1

    Thanks mate, keep going 🖐️

  • @prakashyadav008 6 years ago

    Hello, I am new to this channel. Can you give advice to someone who wants to pursue a career in malware analysis?
    What books to read?
    How to learn, and what skills to get a job, since most companies ask for certificates?
    I am a graduate and have worked in the machine learning field and know programming

    • @cseaayush7542 5 years ago

      Read Practical Malware Analysis and do your own reversing at home in a virtual machine

  • @sashap.6633 6 years ago

    Can you recommend any AVs for Linux and Windows?

    • @MalwareAnalysisForHedgehogs 6 years ago +1

      I would love to, but I work for an AV company. So I am biased. :P

    • @sashap.6633 6 years ago

      MalwareAnalysisForHedgehogs I would trust whatever you work on :)

    • @MarKac9090 6 years ago

      Windows Defender is the best now

    • @sashap.6633 6 years ago

      MarKac got hit by a custom virus which turned it off yesterday ¯\_(ツ)_/¯

    • @MarKac9090 6 years ago

      Sasha P. I recommend using Sandboxie too and not running unknown files with admin rights; if unsure, submit the file to virustotal.com

  • @shoveverof1786 3 years ago +1

    Do computer viruses use AI to increase their efficiency?

    • @MalwareAnalysisForHedgehogs 3 years ago +1

      There are none that I know of.

    • @abysmal7000 1 month ago

      @MalwareAnalysisForHedgehogs Now with the advent of generative AI and how much machine learning has progressed, do you think it's possible for attackers to leverage this technology to make even stronger polymorphic malware?

    • @MalwareAnalysisForHedgehogs 29 days ago +1

      @abysmal7000 It is more interesting for metamorphic malware than for polymorphic malware. It might even trigger a comeback of metamorphism.

    • @abysmal7000 29 days ago

      @MalwareAnalysisForHedgehogs Could you please elaborate on this? It is very interesting and I know very little about malware

    • @MalwareAnalysisForHedgehogs 29 days ago

      @abysmal7000 The advantage of polymorphically packed malware (from the viewpoint of the threat actor) is that you have only a small piece of code, the stub, that you need to tweak and change in order to evade pattern scanning on files. However, polymorphic malware can still be detected in-memory, since the body of the malware did not change; it gets unpacked in-memory.
      Now, with AI, it is relatively easy to just tell the AI to rewrite the whole malware code while keeping the same functionality and so evade pattern scanning not only on disk but also in-memory. If everything is changed, there is no pattern that can match anywhere.
      Plus, if done right, this can be done every time the malware executes, thus creating a malware that constantly evolves just like old viruses did.
      One of the reasons metamorphic viruses are not prevalent is because they are so difficult to implement.
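
A constructed toy, added here as an illustration and not code from the video or the channel, of the point made in this reply and in the earlier one about the decrypted body: with a fresh key per generation no two files on disk share a pattern, yet a signature taken from the body matches every generation once the stub's decryption is replayed the way an in-memory scanner would. The body, the signature, the XOR stub and the key length are all assumed.

```python
import hashlib
import os

# Constructed stand-in for the malware's main code, the "decrypted body" the
# video refers to. Real code would be instructions; a byte string is enough here.
BODY = b"constructed sample body (stands in for the real instructions)"
# A pattern an AV might extract from that body (constructed, like the body).
BODY_SIGNATURE = b"stands in for"
KEY_LEN = 8  # assumed key length of the toy stub


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def polymorphic_generation(body: bytes, key: bytes = b"") -> bytes:
    """One on-disk generation: the stub's variable part (here just the key)
    followed by the XOR-encrypted body. A fresh random key per generation
    changes every byte on disk while the hidden body stays identical."""
    key = key or os.urandom(KEY_LEN)
    return key + xor_bytes(body, key)


def unpack(image: bytes) -> bytes:
    """Replay the stub: what a memory scanner sees once the body is decrypted."""
    key, encrypted = image[:KEY_LEN], image[KEY_LEN:]
    return xor_bytes(encrypted, key)


def static_scan(image: bytes, signature: bytes) -> bool:
    """Pattern scan on the file as stored on disk."""
    return signature in image


def memory_scan(image: bytes, signature: bytes) -> bool:
    """Pattern scan on the unpacked body, as an in-memory scanner would do."""
    return signature in unpack(image)


def detection_rates(n: int = 100) -> tuple:
    """Return (distinct on-disk hashes, static hits, in-memory hits) over n generations."""
    gens = [polymorphic_generation(BODY) for _ in range(n)]
    distinct = len({hashlib.sha256(g).hexdigest() for g in gens})
    static_hits = sum(static_scan(g, BODY_SIGNATURE) for g in gens)
    memory_hits = sum(memory_scan(g, BODY_SIGNATURE) for g in gens)
    return distinct, static_hits, memory_hits


if __name__ == "__main__":
    distinct, static_hits, memory_hits = detection_rates()
    print(f"{distinct} distinct files on disk; static scan hit {static_hits}, "
          f"in-memory scan hit {memory_hits}")
```

A metamorphic engine, which rewrites the body itself, would leave the second scan empty-handed as well, which is the contrast this reply draws.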

  • @alimangri9343 4 years ago

    Thanks. Well explained, from Algeria.

  • @jiaqint961 5 years ago

    Thanks

  • @andyandrw 6 years ago

    Nice video as always!! :)

  • @MarKac9090 6 years ago

    The topic of Win32 file infectors is old; IMHO the world has moved on and this topic is irrelevant nowadays... or maybe I'm wrong, but I haven't heard about a file infector in more than 5 years

    • @MalwareAnalysisForHedgehogs 6 years ago +2

      Do you think it is irrelevant just because the media doesn't cover it? I have gotten more in-the-wild virus samples to analyse in the past 3 years than I can count.
      And no, this video is not about "Win32 file infectors".

    • @MarKac9090 6 years ago

      MalwareAnalysisForHedgehogs Are you talking about new file infectors? Or Sality, Virut, Xpaj?