Are there any polymorphic macro viruses at all? (...and what to do with them) presented at Virus Bulletin 2002

by Gabor Szappanos (Virus buster),

Tags: Security


Summary : This presentation will investigate how the currently known polymorphic macro viruses
fit into the usual terms used for binary polymorphic viruses and what special detection
procedures have been implemented and should be developed to fight them.

The first question to answer is whether there are any of them that can be qualified as
polymorphic. Most of them are very simple, variable-name changers, that would not be
polymorphic if VBA were a compiled language. There are several, more complicated, encrypted
viruses, some of them even with polymorphic encryptors.
We will investigate how different the replicated specimen of a particular virus are.
Obviously it is dependent on the representation (source code vs. opcode vs. execode),
but several code normalization techniques - most of which have been used in virus scanners
for several years - exist, that transform the code into more or less identical form.
However, these methods lose information that could be important especially in the case of
encrypted macro viruses.
There are even more complicated viruses where these simple procedures are not sufficient.
In these cases the development of advanced techniques is required, which include intelligent
code parsing and analysis, leading the AV products very close to actual macro code emulation.