Read the original article here.

---

Okay, here is the detailed educational resource on Metamorphic Code, reframed within the context of "The Forbidden Code: Underground Programming Techniques They Won’t Teach You in School."

---

Metamorphic Code: The Evolving Threat They Don't Teach You In School

In the cat-and-mouse game between attackers and security professionals, simply changing the payload of malicious code isn't enough. The method used to deliver or execute that payload can become a signature itself. This is where techniques like metamorphic code come into play – code that doesn't just hide its data, but constantly reinvents its own structure and appearance to avoid detection. This is sophisticated stuff, operating in the dark corners where signature-based security measures fall short.

What is Metamorphic Code?

Let's start with the core concept. It's about code that transforms itself.

Metamorphic code: A type of computer program that, when executed (or when preparing to replicate), generates a logically equivalent version of its own code. This new version performs the exact same functions as the original, but its underlying binary representation is significantly different.

Think of it this way: it's like a shapeshifter. The creature always does the same thing (attacks, infects), but its physical form is never the same twice. This contrasts with something like a Quine, which simply outputs an exact copy of its own source code. Metamorphic code outputs a different binary representation of itself, which, when interpreted, results in the same logical operations. Crucially, this output is usually in machine code, not a high-level source code representation.

The Primary Purpose: Evading Signature-Based Detection

The main reason anyone would employ metamorphic techniques is simple: invisibility.

Signature-based antivirus and intrusion detection systems work by scanning files or network traffic for known patterns (signatures) associated with malicious code. If the code always looks the same, or even if just a small part of it (like a decryptor stub in polymorphic code) remains constant, security software can create a signature for that specific pattern.

Metamorphic code directly attacks this principle. By generating a unique version of itself each time it propagates or executes, it ensures that a simple byte-for-byte or small pattern signature based on a previous encounter will fail to identify the new instance.

The Engine of Transformation: How Metamorphism Works

So, how does code change itself so fundamentally while keeping its functionality? Metamorphic code typically employs a complex process:

1. Self-Representation: The malicious code contains within itself the ability to understand and process its own structure. This might involve translating its own machine code into a temporary, intermediate representation (like an abstract syntax tree, a custom instruction set, or even a simple sequence of logical operations).
2. Modification: The code then operates on this intermediate representation. This is where the mutation happens. It applies various transformations and obfuscation techniques to the code logic or structure at this intermediate level.
3. Regeneration: After modification, the code translates the altered intermediate representation back into executable machine code. This new machine code is the 'next generation' of the metamorphic program.

The crucial, and most sophisticated, aspect of true metamorphic code is that the engine performing this transformation process also undergoes changes during the mutation. In simpler polymorphic code, the part responsible for decryption might stay largely the same, making it a potential weak point for signature detection. In metamorphic code, the entire structure, including the transformation logic itself, is subject to change. This makes it significantly harder to create reliable signatures for any part of the code.

The Art of Mutation: Techniques Under the Hood

Achieving logical equivalence while radically altering the binary structure requires a bag of tricks. Here are some common techniques used in metamorphic engines:

• NOP Instruction Insertion (Padding):

  NOP (No OPeration): A machine instruction that does nothing except take up execution cycles and space in the code. By inserting random NOP instructions throughout the code, the overall binary pattern changes drastically without affecting the program's logic. This is a basic, but effective, padding technique. Imagine adding random blank spaces and comments throughout source code – it changes the file size and appearance but not the execution.

• Register Substitution: Many operations can use different general-purpose registers. A metamorphic engine can analyze the code and replace instances where one register is used with another, inserting necessary MOV instructions to transfer values between registers. For example, instead of ADD EAX, EBX, the engine might rewrite it as MOV ECX, EAX; ADD ECX, EBX; MOV EAX, ECX. This changes the instructions and register usage without altering the final result stored in EAX.
• Instruction Substitution (Equivalent Instructions): Many processor instructions have equivalents or can be replaced by a sequence of other instructions that achieve the same outcome. For example:
  • INC EAX (increment EAX by 1) can be replaced by ADD EAX, 1.
  • XOR EAX, EAX (set EAX to zero) can be replaced by MOV EAX, 0 or SUB EAX, EAX.
  • A simple jump (JMP) might be replaced by a combination of conditional jumps and a NOP sled. Metamorphic engines can identify these patterns and substitute them randomly.
• Code Reordering: If a sequence of instructions doesn't have direct data dependencies (i.e., the output of one instruction isn't needed as input for the very next one), their order can often be shuffled without changing the program's outcome. A metamorphic engine can analyze these dependencies and reorder blocks of independent instructions.
• Control Flow Obfuscation: The sequence of execution can be altered by inserting redundant jumps or modifying the structure of loops and conditional statements while preserving the original logic. For instance, replacing a direct jump to a label with a jump to a different location that then jumps to the original label.

By combining these techniques and applying them randomly or based on complex rules, a metamorphic engine can produce vastly different binary outputs for the exact same malicious functionality.

Metamorphism vs. Polymorphism: The Key Difference

This is a crucial distinction often confused in discussions of malware.

Polymorphic Code: Code that encrypts its malicious payload and attaches a small, varying decryptor stub. When executed, the decryptor decrypts the payload and then executes it. The payload is constantly changing (encrypted differently each time), but the decryptor stub, which is the executable part initially, changes less dramatically and can sometimes be detected by signatures.

The fundamental difference lies in what changes.

• Polymorphic: The encrypted payload changes, but the decryption mechanism (the engine) is largely static, making the decryptor stub a signature target.
• Metamorphic: The entire code, including the transformation engine itself, changes. There is no static part that reliably serves as a signature.

Think of polymorphism as using different keys to unlock the same type of box containing different contents. You can detect the box type or the mechanism for using the key. Metamorphism is like building a new type of box and lock each time, and even changing the tools used to build the box and lock.

The Limits: Heuristic Analysis

While metamorphic code is powerful against signature-based detection, it doesn't offer complete immunity.

Heuristic Analysis: Security analysis that attempts to detect malicious code not by matching known signatures (patterns) but by observing its behavior, characteristics, and potential actions. This can include looking for suspicious API calls (like file writing, process injection, network connections), file modifications, network activity patterns, or analyzing the code's structure for suspicious complexity or obfuscation traits.

Even if the code looks different each time, it still does the same thing. If it's a virus, it will still try to infect files or spread. If it's ransomware, it will still try to encrypt data. Heuristic analysis focuses on these actions and behaviors, which the metamorphic process is designed not to change. A piece of metamorphic malware might evade a signature check, but it could still be flagged if it attempts to open system files for writing or make unusual network connections.

Furthermore, the metamorphic engine itself can sometimes exhibit characteristics that heuristics can detect, such as large size (due to the embedded transformation logic) or complex, heavily obfuscated code structures.

Beyond Evasion: Metamorphism and Multi-Platform Code

There's a less common, secondary meaning of "metamorphic code" mentioned in some contexts. This refers to a single piece of code capable of executing correctly on multiple different operating systems or even different computer architectures.

This is often achieved by embedding several different versions of the malicious payload within the single code package – one compiled for Windows, one for Linux, one for a specific CPU architecture, etc. The initial part of the code then contains logic to detect the target environment it finds itself in and direct execution to the appropriate embedded payload.

This technique is particularly useful in scenarios like remote exploit injection where an attacker gains a foothold on a system but doesn't initially know its exact OS or architecture. The injected code can "metamorph" in the sense that it adapts to the detected environment by selecting the correct path, rather than completely transforming its own instructions. While technically different from the code-transformation-for-evasion meaning, it shares the idea of a single code entity adapting or changing based on its environment.

Notorious Examples in the Wild

Metamorphic viruses are relatively rare compared to polymorphic ones, primarily because the complexity of writing a robust metamorphic engine is significantly higher. However, some notable examples have demonstrated the capabilities:

• Simile (W32/Simile): An early and complex metamorphic virus known for its highly sophisticated mutation engine, capable of generating drastically different versions of itself.
• ZMist (W32/ZMist): Another highly complex virus that used advanced techniques to achieve a high degree of polymorphism and attempted metamorphic behavior.
• Lacrimae: A more recent example exhibiting metamorphic characteristics, demonstrating the continued use of this concept.

These examples represent milestones in the evolution of malware sophistication, pushing the boundaries of code obfuscation and evasion.

Related Concepts

Exploring metamorphic code naturally touches upon other fascinating areas:

• Self-Modifying Code: Code that alters its own instructions while it is running. While metamorphic code generates a new version of itself (often before infecting a new target or before the core malicious payload runs), the metamorphic engine itself might use self-modification techniques during its execution to make analysis harder or to perform the transformation.
• Strange Loop: A concept from Gödel, Escher, Bach referring to hierarchical systems where traversing levels up or down eventually leads back to the starting point. Code that processes and reinvents itself is a practical (and often malicious) manifestation of a strange loop in programming.

Conclusion

Metamorphic code represents one of the pinnacle techniques in malware design aimed at evading traditional signature-based defenses. By constantly transforming its own binary structure, including the very engine that performs the transformation, it presents a moving target that is incredibly difficult to pin down with static patterns. While not invincible against advanced behavioral and heuristic analysis, understanding metamorphic techniques is crucial for anyone delving into the deeper, more complex aspects of cybersecurity, both for defense and for understanding the sophisticated threats that exist in the wild. It's a stark reminder that security isn't just about finding known patterns, but about understanding behavior and anticipating change.