Polymorphic Software Viruses
In just a year production of polymorphic viruses became a “trade”, followed by their “avalanche” in 1993. The authors of viruses were competing not in creating the toughest virus but the toughest polymorphic mechanism instead.
These viruses require special methods of detection, including emulation of the viruses’ executable code, mathematical algorithms of restoring parts of the code and data in virus etc.
Ten more new viruses may be considered non-100 percent polymorphic (that is they do encrypt themselves but in the decryption routine there always exist some no-changing bytes).
However to detect them and to restore the infected objects’ code, decrypting is still required – because the length of no changing code in the decryption routine of those viruses is too small.
Polymorphic generators were also developed together with polymorphic viruses. Several new ones appeared utilizing more complex methods of generating polymorphic code.
They became widely spread as archives containing object modules, documentation and examples of use. By the end of 1993 there were seven known generators of polymorphic code. Since then every year brought several new polymorphic generators.
Automating Production and Viral Construction Sets
Only in the middle of 1992 progress in the form of automating production touched the world of viruses. In July 1992 the first viral code construction set for IBM PC compatibles called VCL (Virus Creation Laboratory) is declared for production.
This set allowed generating well commented source texts of viruses in the form of assembly language texts, object modules and infected files themselves. VCL uses standard windowed interface.
With the help of a menu system one can choose virus type, objects to infect (COM or/and EXE), presence or absence of self encryption, measures of protection from debugging, inside text strings, optional 10 additional effects etc.
Viruses can use standard method of infecting a file by adding their body to the end of file, or replace files with their body destroying the original content of a file, or become companion viruses.
And then it became much easier to do wrong: if you want somebody to have some computer trouble just run VCL and within 10 to 15 minutes you have 30-40 different viruses you may then run on computers of your enemies.
The further the better. In July the first version of PS-MPC (Phalcon/Skism Mass-Produced Code Generator) appeared. This set does not have windowed interface, it uses a configuration file to generate viral source code.
This file contains description of the virus: the type of infected files (COM or EXE); resident capabilities (unlike VCL, PS-MPC can also produce resident viruses); method of installing the resident copy of the virus; self encryption capabilities; the ability to infect COMMAND.COM and lots of other useful information.
Another construction set G2 (Phalcon/Skism’s G2 0.70 beta) has been created. It supported PS-MPC configuration files, however allowing much more options when coding the same functions.
So in what way did the virus construction sets influence software life?
We now had another tendency in development of computer viruses: the increasing number of “construction set” viruses; more lazy people join the ranks of virus makers, downgrading a respectable and creative profession of creating viruses to a mundane rough trade.