Are there any polymorphic macro viruses at all? (...and what to do with them)

Gabor Szappanos Virus Buster

This presentation will investigate how the currently known polymorphic macro viruses fit into the usual terms used for binary polymorphic viruses and what special detection procedures have been implemented and should be developed to fight them.

The first question to answer is whether there are any of them that can be qualified as polymorphic. Most of them are very simple, variable-name changers, that would not be polymorphic if VBA were a compiled language. There are several, more complicated, encrypted viruses, some of them even with polymorphic encryptors. We will investigate how different the replicated specimen of a particular virus are. Obviously it is dependent on the representation (source code vs. opcode vs. execode), but several code normalization techniques - most of which have been used in virus scanners for several years - exist, that transform the code into more or less identical form. However, these methods lose information that could be important especially in the case of encrypted macro viruses. There are even more complicated viruses where these simple procedures are not sufficient. In these cases the development of advanced techniques is required, which include intelligent code parsing and analysis, leading the AV products very close to actual macro code emulation.



twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.