Editing Metamorphic code

{{Short description|Type of code used by computer viruses}}'''Metamorphic code''' is code that when run outputs a [[logical equivalence|logically equivalent]] version of its own code under some [[Interpretation (logic)|interpretation]]. This is similar to a [[Quine (computing)|quine]], except that a quine's [[source code]] is exactly equivalent to its own output. Metamorphic code also usually outputs [[machine code]] and not its own source code.

==Overview==
Metamorphic code is used by [[computer virus]]es to avoid the [[pattern recognition]] of [[anti-virus software]]. Metamorphic viruses often translate their own binary code into a temporary representation, editing the temporary representation of themselves and then translate the edited form back to machine code again.<ref>{{cite web |url=http://vx.netlux.org/lib/vmd01.html |title=Metamorphism in practice or "How I made MetaPHOR and what I've learnt" |website=VX Heavens |date=February 2002 |archive-url=https://web.archive.org/web/20070602061547/http://vx.netlux.org/lib/vmd01.html |archive-date=June 2, 2007 |url-status=dead}}</ref> This procedure is done with the virus itself, and thus also the metamorphic engine itself undergoes changes, which means that no part of the virus stays the same. This differs from [[polymorphic code]], where the polymorphic engine can not rewrite its own code. 

Metamorphic code is used by some viruses when they are about to infect new files, and the result is that the next generation will never look like current generation. The mutated code will do exactly the same thing (under the [[Interpretation (logic)|interpretation]] used), but the child's binary representation will typically be completely different from the parent's. Mutation can be achieved using techniques like inserting [[NOP (code)|NOP]] instructions ([[brute-force attack|brute force]]), changing what [[Processor register|register]]s to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

Metamorphism does not protect a virus against [[heuristic analysis]].{{fact|date=February 2015}}

Metamorphic code can also mean that a virus is capable of infecting executables from two or more different [[operating system]]s (such as [[Microsoft Windows|Windows]] and [[Linux]]) or even different [[computer architecture]]s. Often, the virus does this by carrying several viruses within itself. The beginning of the virus is then coded so that it translates to correct machine-code for all of the platforms that it is supposed to execute in.<ref>{{cite magazine|url=http://phrack.org/issues/57/14.html#article|magazine=Phrack Magazine|title=Architecture Spanning Shellcode|date=August 11, 2001|volume=11|issue=57|archive-url=https://web.archive.org/web/20231204045816/http://phrack.org/issues/57/14.html#article|archive-date=December 4, 2023|url-status=live}}</ref> This is used primarily in [[Shellcode|remote exploit injection code]] where the target platform is unknown.

==Metamorphic viruses==
* [[Simile (computer virus)|Simile]]
* [[ZMist (computer virus)|ZMist]]
* Lacrimae<ref>Peter Ferrie [https://www.virusbulletin.com/virusbulletin/2008/02/crimea-river "Crimea River"], VB, 2008</ref>

==See also==
* [[Self-modifying code]]
* [[Strange loop]]
* [[Polymorphic code]]
* [[Timeline of notable computer viruses and worms]]

==References==
{{reflist}}

==External links==
* [https://www.cs.umd.edu/~mmazurek/414-papers/hunting-for-metamorphic.pdf Hunting for Metamorphic]

{{DEFAULTSORT:Metamorphic Code}}
[[Category:Computer viruses]]