After serious thinking RayLopez99 wrote:
> The LA Times reports that the same family of virus/malware/badware that
> infected Target a couple of years ago is making the rounds again this year,
> targeting retailers. The interesting thing to me was that the badware uses
> encryption to change its signature.
>
> My question is whether any 'common' badware such as detectable by today's
> commercial engines have this capability. Names would be nice or just an
> acknowledgement that such badware exists. I'm curious as to how the
> commercial anti-virus companies even detect this type of badware, maybe they
> know of an initial signature that's always present before the badware morphs,
> and they detect this signature?
>
> RL
This is the essence of what separates viruses from most other malware.
Most of today's malware uses server side polymorphism to change its
signature, but the polymorphic viruses accomplished this all by
themselves.
Basically, they encrypt themselves as they reproduce and make a
decryptor to decrypt it when the offspring itself executes. Then AV
(not so much AM) detects the decryption algorithm which itself has
polymorphism.
AV often has to emulate an execution environment to sandbox the
decryptor to allow the beast to decrypt itself enough for not only
detection, but for identification. This is one major reason why some of
us like to emphasize that "virus" and "malware" are different despite
what the average Joe thinks.
Actually, this technology is fairly old now, and it will be found in
worms and viruses (self-replicating malware) which are less common than
they used to be, and why one needs both AV *and* AM instead of just AM
software.
You might like reading this:
https://www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
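As an added illustration of the emulate-then-match step described in the reply above (this is not code from the post nor from any real AV engine), the following toy decryptor bytecode, the two sample "offspring", and the signature database are all constructed:

```python
# Constructed toy model: an AV-style emulator runs a polymorphic sample's
# decryptor stub in a sandboxed interpreter, then matches signatures on the
# body as it exists when control would reach it. Nothing here is real malware.

SIGNATURES = {"Toy.Poly.A": b"TOY_MALWARE_MARKER"}   # constructed signature DB
PLAINTEXT_BODY = b"...TOY_MALWARE_MARKER..."         # what both variants decrypt to

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Two constructed offspring of the same toy virus: identical plaintext body
# under different keys, and a different decryptor stub for each (variant B
# derives its key with ADD and pads with NOP), so the raw bytes never match.
VARIANT_A = {"stub": [("key", 0x5A), ("nop",), ("xor_body",), ("exec",)],
             "body": xor_bytes(PLAINTEXT_BODY, 0x5A)}
VARIANT_B = {"stub": [("key", 0x10), ("add", 0x23), ("nop",), ("xor_body",), ("exec",)],
             "body": xor_bytes(PLAINTEXT_BODY, 0x33)}

def emulate(sample: dict, max_steps: int = 64):
    """Interpret the stub in a sandbox. Returns the body at the moment control
    would transfer into it, or None if the step budget is exhausted first."""
    key, body, pc, steps = 0, bytes(sample["body"]), 0, 0
    stub = sample["stub"]
    while pc < len(stub) and steps < max_steps:
        op, *args = stub[pc]
        steps += 1
        if op == "key":
            key = args[0] & 0xFF
        elif op == "add":                 # key derived at run time
            key = (key + args[0]) & 0xFF
        elif op == "xor_body":            # the stub decrypts its own body
            body = xor_bytes(body, key)
        elif op == "exec":                # control reaches the decrypted body
            return body
        pc += 1                           # "nop" and unknown ops fall through
    return None

def static_scan(sample: dict, sigs: dict):
    """Plain byte matching against the sample as stored on disk."""
    raw = repr(sample["stub"]).encode() + sample["body"]
    return next((n for n, sig in sigs.items() if sig in raw), None)

def emulated_scan(sample: dict, sigs: dict):
    """Emulate first, then match the decrypted body."""
    decrypted = emulate(sample)
    if decrypted is None:
        return None
    return next((n for n, sig in sigs.items() if sig in decrypted), None)
```

The step budget is the part a practitioner should not skip: a decryptor that never reaches its body (or loops) must make the emulator give up, not hang the scanner.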