An Analysis of Simile

by Adrian Marinescu
Sept. 24, 2017 1 comment Symantec Encryption & Authentication detection viralcode virus

Virus writers have always tried to develop new methods to make malware detection more difficult. For instance, encryption was a natural step in virus evolution when scanners started to use databases with scan strings for detection. When scanners started to handle encryption patterns generically, first oligomorphism (a limited form of polymorphism - the polymorphic decryptor can have a strictly limited, relatively small number of shapes) and then polymorphism were introduced. Then, as emulation was used more and more by antivirus programs, it became clear that new methods must be developed to hide the viral code. For example, Ply was a simple DOS virus that used an interesting technique, based on the fact that Intel opcodes are variable in size. It padded every instruction that was not 3 bytes in length with no-operation instructions.

2flash 8 months, 1 week ago

Simile was a game changer in the security field. Virus creators will always try to come up with 'revolutionary' codes... so we always have to be prepared for them.