PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,231/DS-SIM {DCPO}

SUBJ: POLYMORPHIC VIRUSES {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-38}

1. BACKGROUND: THIS IS A PRIORITY ALERT THAT INTERRUPTS THE SEQUENCE OF THE BASELINE PACKAGE OF MESSAGES CURRENTLY BEING ISSUED BY ASSIST. COMPUTER VIRUSES CAN BE DETECTED BY SOFTWARE THAT RECOGNIZES EITHER THE UNUSUAL BEHAVIOR OR THE STATIC PRESENCE OF THE MALICIOUS CODE. VIRUS BEHAVIOR ANALYZERS ARE RESIDENT OPERATING SYSTEM EXTENSIONS THAT ATTEMPT TO DETECT SOFTWARE THAT ACTS IN A VIRUS-LIKE MANNER (E.G. MODIFYING EXECUTABLES). SOME OF TODAY'S "SMARTER" VIRUSES HAVE ALREADY DEVELOPED METHODS FOR AVOIDING THIS TYPE OF DETECTION. STATIC PRESENCE SCANNERS SEARCH THE ENTIRE SYSTEM FOR "FINGERPRINTS" OF KNOWN VIRUSES. SCANNERS ARE ONLY ABLE TO IDENTIFY VIRUSES THAT HAVE AN ENTRY IN THE SCANNER'S "FINGERPRINT" FILE.

2. DISCUSSION: A NEW TYPE OF SELF-MODIFYING ULTRA-STEALTH VIRUS, CALLED THE POLYMORPHIC VIRUS, HAS BEGUN TO PROPAGATE THROUGH THE WORLD'S COMPUTER COMMUNITY. THE POLYMORPHIC VIRUS SCRAMBLES ITSELF USING A RANDOM NUMBER GENERATED FROM THE SYSTEM CLOCK. BY ALTERING EVERY BYTE OF ITSELF, BASED ON THAT RANDOM NUMBER, EACH TIME IT ENTERS A NEW ENVIRONMENT, THE NEWLY PROPAGATED VIRUS IS ABLE TO ESCAPE DETECTION BY MOST VIRUS SCANNING PROGRAMS. THE SMALL KERNEL OF CODE USED TO UNSCRAMBLE THE BODY OF THE VIRUS AVOIDS BEING "FINGERPRINTED" BY INTERSPERSING DO-NOTHING STATEMENTS AMONG THOSE THAT DO THE UNSCRAMBLING (E.G. MOVE A TO A). AS THE VIRUS COPIES ITSELF TO A NEW DESTINATION, IT RANDOMLY SELECTS DO-NOTHING STATEMENTS FROM A SELF-CONTAINED LIST AND DISTRIBUTES THEM THROUGH ITS OWN CODE.

3. THE "DARK AVENGER" BULLETIN BOARD SYSTEM, WHICH DISSEMINATES VIRUS CODE, HAS RECENTLY PUBLISHED THE COMPLETE SOURCE CODE FOR THE DARK AVENGER MUTATION ENGINE. THE MUTATION ENGINE IS A CODE KERNEL THAT CAN BE ATTACHED TO AN EXISTING OR FUTURE VIRUS AND TURN IT INTO A SELF-ENCRYPTING POLYMORPHIC VIRUS. THE MUTATION ENGINE USES A META-LANGUAGE-DRIVEN ALGORITHM GENERATOR THAT ALLOWS IT TO CREATE COMPLETELY ORIGINAL ENCRYPTION ALGORITHMS. A VARYING NUMBER OF NEEDLESS INSTRUCTIONS IS THEN INSERTED INTO THE UNIQUE ALGORITHM, RESULTING IN DECRYPTION ALGORITHMS THAT RANGE FROM 5 TO 200 BYTES IN LENGTH.

4. RECOMMENDATIONS: THE NEXT GENERATION OF VIRUSES WILL BE MORE DIFFICULT TO DETECT, SO IT WILL BE EVEN MORE IMPORTANT TO MAINTAIN TIGHT CONTROL OVER ADP SYSTEMS AND SECURITY. INTRODUCTION OF SOFTWARE, HARDWARE AND BOOT-UPS (AVOID BOOT-UPS FROM FLOPPY DISK) MUST BE CAREFULLY MONITORED TO PREVENT INTRODUCTION OF MALICIOUS CODE INTO ADP SYSTEMS. VIRUS DETECTION METHODS ARE CHANGING AS A RESULT OF THE INTRODUCTION OF POLYMORPHIC VIRUSES AND THE MUTATION ENGINE, SO IT IS VERY IMPORTANT TO ACQUIRE UPDATES TO THE ANTI-VIRUS SOFTWARE BEING USED AT YOUR SITE AS SOON AS THE UPDATES ARE ISSUED. A PATTERN MATCHING VIRUS SCANNER IS STILL AN EFFICIENT AND USEFUL TOOL FOR DETECTING THE SEVERAL THOUSAND WELL-KNOWN VIRUSES, BUT IT IS LIMITED TO THE VIRUSES IT RECOGNIZES, AND ANY VIRUS IT DETECTS HAS ALREADY INFECTED THE SYSTEM. IF FEASIBLE, USE OF A VIRUS BEHAVIOR ANALYZER IN CONJUNCTION WITH A SCANNING PROGRAM IS RECOMMENDED TO ENSURE THE HIGHEST LEVEL OF ANTI-VIRUS PROTECTION.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."
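The following is an added illustration of the detection problem described in paragraphs 2 and 3; it is not part of the ASSIST bulletin and is not code from the Mutation Engine or any real virus. It uses an invented toy instruction set (not x86) and constructed sample programs to show why a scanner that looks for a fixed run of instructions misses a copy whose unscrambling loop has a different key and do-nothing statements interspersed, and how a scanner that first strips the do-nothing statements and treats the key as a wildcard recovers the match.

```python
"""Toy scanner: fixed signature vs. junk-stripped, wildcarded signature.

The instruction set here is invented for illustration (it is not x86) and all
sample programs are constructed; nothing below is real virus code.
"""
from typing import List, Sequence, Tuple

Instr = Tuple[str, ...]   # (mnemonic, operand, operand, ...)
WILDCARD = "*"            # signature operand that matches anything (the per-copy key)


def is_junk(ins: Instr) -> bool:
    """Do-nothing instructions of the kind the bulletin describes (e.g. MOVE A TO A)."""
    op = ins[0]
    if op == "nop":
        return True
    if op == "mov" and len(ins) == 3 and ins[1] == ins[2]:      # mov a, a
        return True
    if op in ("add", "sub", "or", "xor") and len(ins) == 3 and ins[2] == "0":
        return True                                               # add a, 0 etc.
    return False


def normalize(program: Sequence[Instr]) -> List[Instr]:
    """Keep only the instructions that actually do something."""
    return [ins for ins in program if not is_junk(ins)]


def instr_matches(actual: Instr, pattern: Instr) -> bool:
    return len(actual) == len(pattern) and all(
        p == WILDCARD or a == p for a, p in zip(actual, pattern))


def contains(program: Sequence[Instr], signature: Sequence[Instr]) -> bool:
    """Sliding-window search for the signature as one contiguous run."""
    n = len(signature)
    return any(
        all(instr_matches(program[i + k], signature[k]) for k in range(n))
        for i in range(len(program) - n + 1))


def scan_exact(program: Sequence[Instr], signature: Sequence[Instr]) -> bool:
    """The scanner of paragraph 1: the fingerprint must appear byte-for-byte."""
    return contains(program, signature)


def scan_normalized(program: Sequence[Instr], signature: Sequence[Instr]) -> bool:
    """Strip padding from both sides first, then match with the key wildcarded."""
    return contains(normalize(program), normalize(signature))


# Constructed signature for one known unscrambling loop in the toy ISA.
DECRYPTOR_SIG: List[Instr] = [
    ("mov", "cnt", "len"),
    ("xor", "[ptr]", WILDCARD),   # the key differs in every copy
    ("inc", "ptr"),
    ("dec", "cnt"),
    ("jnz", "top"),
]

# Constructed sample: the copy that was originally fingerprinted.
ORIGINAL: List[Instr] = [
    ("mov", "cnt", "len"),
    ("xor", "[ptr]", "0x5a"),
    ("inc", "ptr"),
    ("dec", "cnt"),
    ("jnz", "top"),
]

# Constructed sample: a later copy with a new key and do-nothing padding.
VARIANT: List[Instr] = [
    ("nop",),
    ("mov", "cnt", "len"),
    ("mov", "ax", "ax"),
    ("xor", "[ptr]", "0x3c"),
    ("add", "bx", "0"),
    ("inc", "ptr"),
    ("nop",),
    ("dec", "cnt"),
    ("sub", "cx", "0"),
    ("jnz", "top"),
]

# Constructed sample: an innocent loop that shares most of the instructions.
CLEAN: List[Instr] = [
    ("mov", "cnt", "len"),
    ("inc", "ptr"),
    ("dec", "cnt"),
    ("jnz", "top"),
]

if __name__ == "__main__":
    for name, prog in (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{name:8s} exact={scan_exact(prog, DECRYPTOR_SIG)!s:5s} "
              f"normalized={scan_normalized(prog, DECRYPTOR_SIG)}")
```

Stripping padding is only the first step a scanner of the period had to take: an engine that generates a different decryption algorithm for every copy, as paragraph 3 describes, also substitutes and reorders the active instructions, so the contiguous-run match above will still miss many copies. That is why scanners moved toward running the unscrambling loop under emulation and fingerprinting the decrypted body, and why the bulletin stresses taking anti-virus updates as soon as they are issued.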
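Paragraph 4 recommends pairing the pattern-matching scanner with a method that does not depend on recognizing the virus. The added example below (not from the bulletin or from any ASSIST tool) shows one such signature-independent check: an integrity baseline of executable files that flags the "modifying executables" behaviour cited in paragraph 1, regardless of which strain, polymorphic or not, did the modifying. The set of executable suffixes and the directory contents are assumptions constructed for the demonstration.

```python
"""Executable integrity baseline: flag modified, new and missing executables
by comparing current file digests with a previously recorded baseline.

Added example; the executable suffixes and the files in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

EXEC_SUFFIXES = {".exe", ".com", ".sys"}   # assumption: DOS-era executable types


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Record relative path -> digest for every executable under root."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def check_against(root: Path, baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, finding) for each executable that changed, appeared or vanished."""
    current = build_baseline(root)
    findings: List[Tuple[str, str]] = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: baseline a directory, then change it the way an
    infection would (one executable grows, one appears, one disappears)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "COMMAND.COM").write_bytes(b"\x90" * 64)        # constructed contents
        (root / "EDIT.EXE").write_bytes(b"MZ" + b"\x00" * 62)
        (root / "OLD.EXE").write_bytes(b"MZ" + b"\x01" * 30)
        (root / "README.TXT").write_bytes(b"not an executable")
        baseline = build_baseline(root)

        with (root / "EDIT.EXE").open("ab") as f:               # executable modified
            f.write(b"\xaa" * 100)
        (root / "NEW.COM").write_bytes(b"\x90" * 8)             # executable appeared
        (root / "OLD.EXE").unlink()                             # executable vanished
        (root / "README.TXT").write_bytes(b"edited text")       # text change: ignored
        return check_against(root, baseline)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:9s} {path}")
```

The baseline is only as trustworthy as the system it was taken on and the place it is kept: record it on a machine known to be clean and store it on write-protected media, consistent with the bulletin's warning about controlling what is introduced to the system, since a baseline the virus can rewrite proves nothing. Like the scanner, this check reports an infection after it has happened; unlike the scanner, it needs no fingerprint of the virus.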