3

Can a polymorphic/metamorphic worm use (the same) mutex? This would solve the problem of grinding the network into the ground and consuming all resources with multiple instances of the worm. Is the problem that something this complex would need to be written in assembly, which doesn't have support for mutexes?

Out of curiosity, all polymorphic/metamorphic code I've seen is file-infecting viruses. Has anyone heard of a polymorphic/metamorphic stand-alone worm? It seems it would be easier to program than a file infector.

Celeritas
  • What kind of entity would a worm (polymorphic or not) use as a mutex over whatever network it infects machines on? Sometimes, multiple processes use directories in a filesystem as a mutex, but that's local to one machine. – Bruce Ediger Jul 03 '12 at 21:16
  • @BruceEdiger what I'm saying is that there would be 1 copy of the worm on each machine (on the network) instead of 100. The 1 worm propagating itself (e.g. mass mailer) would be a lot less resource intensive than 100 worms mass mailing (per machine). Did I understand what you're saying? – Celeritas Jul 03 '12 at 21:32
  • In general, interacting processes (OS processes or threads, worms, servers/clients) have to have some independent entity to use as a mutex. Threads in a Linux process use memory bytes manipulated by special instructions. Processes use directories, whose creation and deletion is guaranteed atomic by the OS. Java threads synchronize on an object known to all threads. What will your worms use as a mutex? – Bruce Ediger Jul 03 '12 at 21:50
  • The point of polymorphic malware is to have no identifiable pattern. If you use a mutex, you need to know the name of the mutex. To know the name of the mutex, there must be a pattern to it. If there's a pattern to it, the AV can use that pattern to detect the malware. – Polynomial Jul 04 '12 at 15:56

2 Answers

2

Short answer: no.

The point of polymorphic malware is to have no identifiable pattern. If you use a named mutex, you need to know the name of the mutex on both processes. To know the name of the mutex, there must be a pattern to it. If there's a pattern to it, the AV can use that pattern to detect the malware.

Polynomial
  • What if a virus has hard-coded into it a name of a file it will use as a mutex, and if that file doesn't exist it assumes it is infecting a new system and rewrites itself using the metamorphic engine and gives itself a new mutex (that it creates before running the new generation of itself)? Are there viruses like that? – Celeritas Jul 30 '12 at 18:00
  • If it was hard coded, the AV engine could detect it. If it changes the name randomly as part of its polymorphism engine, how would a new infection know what the new name is? – Polynomial Jul 30 '12 at 19:34
  • But you still need a known token for *both*, which means that the AV only needs to identify the pattern of mutexes. Also, mutexes aren't filenames, they're named system objects. If you had completely random names, you'd still have generation code that contains a pattern. Or you'd end up with different "generations" infecting the same system. – Polynomial Jul 30 '12 at 19:49
  • I better explained myself why don't we continue this here: http://security.stackexchange.com/questions/17862/would-this-be-plausible-for-a-metamorphic-virus-not-repeatedly-infecting-same-s – Celeritas Jul 30 '12 at 20:07
  • Could the downvoter explain themselves? – Polynomial Jul 31 '12 at 07:29
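The exchange above turns on one mechanical point: a single-instance guard only works if every instance agrees on the same token, and that shared token is exactly what a scanner can look for. The following is an added illustration, not code from the question or the answer, using the directory-as-mutex trick Bruce Ediger mentions in the comments (mkdir is atomic, so whoever creates the directory first holds the lock). It compares a hard-coded lock name against a per-instance random name; the lock root, the token `example-fixed-token` and the function names are assumptions made for the example.

```python
import os
import secrets
import tempfile

# Per-process lock root so repeated runs never collide with stale locks
# (assumption for the example; a real guard would use a fixed location).
LOCK_ROOT = tempfile.mkdtemp(prefix="mutex-demo-")

# Hypothetical hard-coded token, the kind of string an AV signature can key on.
FIXED_NAME = "example-fixed-token"


def lock_path(name: str) -> str:
    return os.path.join(LOCK_ROOT, name + ".lock")


def try_acquire(name: str) -> bool:
    """Atomically create the lock directory; True if this caller now holds it."""
    try:
        os.mkdir(lock_path(name))
        return True
    except FileExistsError:
        return False  # another instance got there first


def release(name: str) -> None:
    try:
        os.rmdir(lock_path(name))
    except FileNotFoundError:
        pass


def is_held(name: str) -> bool:
    """What a defender sees: anyone who knows the token can check for it."""
    return os.path.isdir(lock_path(name))


def random_name() -> str:
    """A 'generation' that picks its own token knows nothing about the others."""
    return "gen-" + secrets.token_hex(4)


def simulate(name_strategy, instances: int) -> int:
    """Start `instances` copies that each use name_strategy() as their mutex.

    Returns how many of them concluded they were the only copy and kept running.
    """
    held = []
    running = 0
    for _ in range(instances):
        name = name_strategy()
        if try_acquire(name):
            running += 1
            held.append(name)
    for name in held:
        release(name)
    return running


if __name__ == "__main__":
    # Shared hard-coded token: only the first copy runs, but the token is a pattern.
    print("fixed name, 5 copies ->", simulate(lambda: FIXED_NAME, 5), "running")
    # Randomised token: no pattern to scan for, but also no coordination.
    print("random names, 5 copies ->", simulate(random_name, 5), "running")
    try_acquire(FIXED_NAME)
    print("defender checks fixed token ->", is_held(FIXED_NAME))
    release(FIXED_NAME)
```

With the fixed token, five copies collapse to one, and `is_held` finds it by the same token; with per-copy random tokens all five keep running, which is the "different generations infecting the same system" outcome the answer describes.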
2

Sure. A polymorphic worm can certainly use a "mutex" if it wants, to coordinate its activity. Nothing prevents it from doing so.

Depending upon what method it uses, this may provide a signature that signature-based A/V can use to recognize presence of the worm. Some of these methods may be easier for signature-based A/V to recognize than others. There are sneaky methods that a worm could use to coordinate between its instances that might not be trivial for A/V to detect.

For instance, one way that a polymorphic worm could coordinate its actions across all of its instances would be to communicate over the network with a command-and-control (C&C) server. The C&C server can track all instances and tell them what to do. Read about botnets for more. The C&C channel is a potential way that A/V can detect such bots, but there are also ways that bot operators can make the C&C channel stealthier, and ultimately this is a cat-and-mouse game.

I think the question you asked is of dubious practical relevance. Large-scale worms these days are passé. Instead of trying to infect millions of machines and get in the news, these days bad guys try to stay under the radar. Usually a much smaller botnet suffices, and it's not that hard to assemble one. Nor do they need sophisticated super-genius-level exploits; given the number of poorly secured machines on the Internet, it's just not that hard for them to assemble a botnet with a few hundred or a few thousand compromised machines.

D.W.