Threat Research

Metamorphic Code In Ransomware

By Raul Alvarez | January 26, 2016

Ransomware is a category of malware that scrambles your files or lock your computer while asking for ransom.  We have encountered different versions of ransomware, and seen their effects.  We also have seen a different kind of ransomware that not only holds your computer for ransom, but also infects your files for persistency.

Virlock is a ransomware that locks your screen for ransom, while infecting your files with its malicious code. Virlock is an interesting malware not only because it is a ransomware and file infector in one, but due to its code implementation. One of which is its use of metamorphic code in some of its obfuscation technique. This article will delve a little deeper on how Virlock implements its metamorphic algorithm.

Primer

Metamorphic code is a little bit different from polymorphic code.  Metamorphic code is a technique of using different sets of assembly instructions to generate the same result.

For example, if you want to place a zero value (0) to a given register in assembly language such as EAX, several implementations are possible:

  • MOV EAX,0

                where EAX register gets 0 directly.

  • XOR EAX,EAX

                XORing the same register by itself also generates a zero value placed into a given register

  • SUB EAX,EAX

                SUBtracting any register by itself also generates the same result

The main purpose of generating a metamorphic code in a malware is to confuse a static signature detection of a given antimalware program. Using a metamorphic is simply an anti-static-detection technique.

Different Code, Same Malware

Virlock has a built-in metamorphic code generator. It generates a different metamorphic algorithm for each and every copy of Virlock. We will compare two different samples later.

These metamorphic code is the initial code executed by the malware. The main purpose of these codes is to generate a another set of malware code. Though, different copies of the malware run different metamorphic algorithms, they still decode the same set of code, part of which is shown below:

Address

Opcode

Assembly Code

00401000

B8 aabbccdd

MOV EAX, 0xddccbbaa

00401005

90

NOP

00401006

E9 80000000

JMP 0040108B

  • where 0xddccbbaa differs per sample, but the rest of the decoded code is similar.

Decoding  ‘B8 aabbcc’

For sample #1: to decode the first DWORD (B8 aabbcc), part of MOV EAX,0xddccbbaa  instruction, it uses the metamorphic code as shown in Figure 1. The metamorphic code in Figure 1, generates the instruction  MOV [EDI],ECX  where ECX contains B8 aabbcc , while EDI contains the address 0x00401000.

Figure 1

For sample #2, to generate the same bytes (B8 aabbcc), the malware uses a different metamorphic algorithm as shown in Figure 2. And the metamorphic code in Figure 2, generates the instruction  MOV [EAX],ESI  where ESI contains B8 aabbcc , while EAX contains the address 0x00401000.

Figure 2

Side-By-Side

Placing them together, we can see that we have two different sets of metamorphic algorithms, where the final result is to generate the DWORD (B8 aabbcc ) to be stored in the memory location 0x00401000.

Figure 3

Second And Third DWORD

In a similar context, figure 4 and 5 shows the metamorphic algorithm that generates the second and third DWORDs to complete the instructions below:

Address

Opcode

Assembly Code

00401000

B8 aabbccdd

MOV EAX, 0xddccbbaa

00401005

90

NOP

00401006

E9 80000000

JMP 0040108B

 

 

Figure 4

Figure 5

Wrap Up

We can see the sophisticated technique of employing a metamorphic algorithm in a malware. From a simple XOR EAX, EAX instruction to a varying number of bytes of instructions to decode another instruction or value is an interesting trivia question. One of the main reasons that a malware uses a complicated metamorphic code is to avoid detection from a static signature detection.

Don’t worry, we got you covered. 

Join the Discussion