
virii ... warning:question???


etruscan
July 4th, 2003, 12:40 AM
Can anyone explain to me what an 'encrypted' virus is... I read in many books and txts that at some point virus writers started to encrypt their viruses to avoid AV... but how exactly is that done... I mean, if something is encrypted, how can it be executed...

I also read that they make polymorphic encryption engines... if an encryption key is random, how can the virus decrypt... again...

|The|Specialist
July 4th, 2003, 07:54 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by etruscan
Can anyone explain to me what an 'encrypted' virus is... I read in many books and txts that at some point virus writers started to encrypt their viruses to avoid AV... but how exactly is that done... I mean, if something is encrypted, how can it be executed...

I also read that they make polymorphic encryption engines... if an encryption key is random, how can the virus decrypt... again...

What you're talking about is mostly popular in scripts, i.e. macro worms. In the macro virii like the ones I've seen that have encryption, it all mostly works like this...

First it sets a cipher at the beginning of the code so the rest of the encrypted script will make sense, then it sets itself up to run at startup, after that they'll set up a mailer or just copy itself to FTP sharing directories and wait for people to download it, and sometimes it'll run a payload, i.e. stupid messages, drops & runs other scripts, screws with the boot.ini in a box with like XP, deletes files, and blah... blah... blah... and near the end of the script it runs the encryption.

So basically it ciphers through its own code & runs the rest of it just before re-encrypting itself.

MrLinus
July 4th, 2003, 10:56 AM
**Thread moved from Web Security to Anti Virus Security**

DeadCr0w
July 4th, 2003, 02:53 PM
Very interesting subject!!!

Found this:

At the same time, virus writers developed methods to hide their viral code in plain view by altering its appearance. Polymorphic viruses encrypt their code using a variety of encryption schemes with varying decryption routines. However, the viral code can be readily identified once decrypted, thanks to the unchanging portions of their code, such as a data area filled with string constants. Polymorphic viruses must have a "head" or decryptor that exists to decrypt the encoded virus and allow it to run. Polymorphic viruses may alter their appearance by changing the order of subroutines, and injecting random junk code like NOP (null operation) instructions. Examples of polymorphic viruses include SMEG.Pathogen (whose U.K. writer was caught and sentenced to 18 months) and Elkern, the companion virus to the Klez worm.



from security focus (http://www.securityfocus.com/infocus/1626)

etruscan
July 4th, 2003, 08:28 PM
OK... so if there's a head or decryptor present, then why not just scan for its string instead of looking for the encrypted part of the virus?
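Added illustration of the two points made above (DeadCr0w's SecurityFocus quote and etruscan's follow-up question), written for this page and not taken from the thread, from any malware, or from any AV product. It models the structure the quote describes with a toy single-byte XOR scheme: a "head" carrying the key, followed by the encrypted body. The marker TOYHEAD, the body text, and the function names are constructed placeholders; nothing here is a real sample or a real scanner. It shows why the random key is not a problem for the sample (the key travels in the head), why a signature taken from the encrypted bytes of one copy misses a copy made with a different key, and why a scanner that recognises the head, pulls out the key and decrypts gets back to the unchanging body the quote mentions.

```python
"""Toy model of an encrypted body with a key-carrying head, plus two scanners.
All names, markers and the body text are constructed for this illustration."""
import os

# Constructed, invariant "body": stands in for the part of a sample that is
# the same in every copy (the quote's "data area filled with string constants").
BODY = b"HELLO FROM A CONSTRUCTED SAMPLE BODY; THIS TEXT NEVER CHANGES"

# Constructed marker standing in for the decryptor "head" that sits in front
# of the encrypted body.  In this toy the head is the marker plus one key byte.
HEAD_MARKER = b"TOYHEAD"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def random_key() -> int:
    """A random non-zero key byte (zero would leave the body in the clear)."""
    k = 0
    while k == 0:
        k = os.urandom(1)[0]
    return k


def build_sample(key: int) -> bytes:
    """Head (marker + key byte) followed by the XOR-encrypted body.

    The key is random per copy but is not secret: it is stored in the head,
    which is how each copy can still decrypt itself before running."""
    return HEAD_MARKER + bytes([key]) + xor(BODY, key)


# ---- detection side ---------------------------------------------------------

def encrypted_signature(sample: bytes) -> bytes:
    """Signature taken naively from the *encrypted* bytes of one copy."""
    start = len(HEAD_MARKER) + 1
    return sample[start:start + 16]


# Signature on the invariant plaintext body instead.
PLAINTEXT_SIGNATURE = BODY[:16]


def scan_raw(sample: bytes, sig: bytes) -> bool:
    """Naive scanner: look for the bytes of a known copy as-is."""
    return sig in sample


def scan_with_decrypt(sample: bytes) -> bool:
    """Scanner that recognises the head, reads the key out of it, decrypts
    what follows and matches the unchanging plaintext body."""
    idx = sample.find(HEAD_MARKER)
    if idx < 0:
        return False
    key_pos = idx + len(HEAD_MARKER)
    if key_pos >= len(sample):
        return False
    key = sample[key_pos]
    body = xor(sample[key_pos + 1:], key)
    return PLAINTEXT_SIGNATURE in body


def demo() -> dict:
    """Run both scanners over copies made with different keys."""
    a = build_sample(0x5A)
    b = build_sample(0xC3)
    sig_from_a = encrypted_signature(a)
    return {
        # raw signature from copy A finds copy A ...
        "raw_sig_hits_same_key": scan_raw(a, sig_from_a),
        # ... but not copy B, whose encrypted bytes differ at every position
        "raw_sig_hits_other_key": scan_raw(b, sig_from_a),
        # decrypt-then-match finds both, and a copy with a fresh random key
        "decrypt_scan_hits_a": scan_with_decrypt(a),
        "decrypt_scan_hits_b": scan_with_decrypt(b),
        "decrypt_scan_random_key": scan_with_decrypt(build_sample(random_key())),
        # and stays quiet on unrelated data with no head
        "decrypt_scan_clean": scan_with_decrypt(b"just some benign data"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The toy's head is a fixed string, which is exactly what etruscan's question proposes scanning for. The quoted passage explains why that is not enough on its own: a polymorphic engine also varies the head (reordered subroutines, junk instructions such as NOPs), so its bytes are not constant either. That is why scanners moved towards recognising the decryptor by what it does rather than by what it looks like, letting it run in an emulator and then matching the decrypted body, which is what scan_with_decrypt models in the simplest possible form.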