Welcome to my analysis for hedgehogs. Let's talk about viruses, and I mean specifically the malware type virus, the malware that self-replicates by infecting other files on the system. But let's take a look at a simple virus. So a simple virus has the so-called virus body; that's the main code of the virus. It does the infection, searches for files that it wants to infect. And then there are also encrypted viruses. So at some point virus writers discovered that it makes sense to encrypt them, so antivirus products have a harder time detecting them. But still there needs to be some code that decrypts the encrypted virus body, which is the so-called decryptor code. That's a bit smaller usually. So the AV, the antivirus, will usually put a pattern on the virus body if it's not encrypted, right? But for the encrypted virus, the antivirus product can still use a pattern, but put that on the decryptor. We take as a given that the decryptor is long enough and unique enough, so they would usually be able to find some kind of pattern for the decryptor. In that case they can also detect this kind of virus, and the virus writers would have to change the decryptor to make it undetected again.

So that's why at some point virus writers made their decryptors oligomorphic, which means they had several decryptors in the virus body. So if the virus creates a new generation of itself, so if it replicates, it would choose one of the decryptors to apply. And so there are several of them. There could be three, but there could also be a few hundred, but it's not so much. Some of them might also just modify some portions of the decryptor, so it's just slightly different. That's also possible, but in any case the number of possible decryptors is not that high. Antiviruses could still use n signature patterns to detect all of them. It's tedious, but it's possible, and some antiviruses started at this point to apply dynamic decryption, meaning they, for instance, emulate the code to get the decrypted portion of the virus.

So the next, more advanced stage is the polymorphic virus. With the polymorphic virus you also have an encrypted virus body, but the possibilities for the decryptor are so high that you cannot apply pattern signatures anymore. So it would be millions of possible decryptors, and they achieve this by modifying the decryptor. Some viruses will actually look for compilers on the system they infect, and then have the source code carried in the virus body, and then change the source code, then recompile the source code for the decryptor, so it looks very different every time they create a new generation. So in this case no pattern detection is possible, but they can apply dynamic decryption, like by emulation, for instance.

Yeah, and metamorphic viruses are an entirely different breed, so to speak. In any case, with oligomorphic or polymorphic viruses the decrypted virus body just looks the same, in this case visualized by a rectangle with some dots in it, so it's always the same decrypted virus body. The metamorphic virus changes its own body shape all the time, so every time it creates a new generation, and so we have different shapes for this. It achieves that by changing the execution flow, by adding junk instructions and so on, so there are different possibilities to do that. And yeah, you can't apply pattern detection here. The only thing you can do is use algorithmic detections and heuristic detection, so it's quite hard to detect them, but it's also very hard to write those kinds of viruses.

If you want to know more about this topic, I suggest you read the book "The Art of Computer Virus Research and Defense" by Peter Szor. It's pretty old, but it's still valid up to this day, and also the contents of this video are based on the theoretical stuff in the book. So read it, and well, have fun. See you next time.
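As an added example that is not part of the video or of Szor's book, here is a Python toy model of the detection ideas above: a constructed, inert "body" carrying a signature is encrypted under a tiny decryptor mini-VM, which shows why the body signature fails on the raw file, why a handful of decryptor-shape signatures covers an oligomorphic set but not a polymorphic one, and how emulating the decryptor (dynamic decryption) recovers the body for scanning. The mini-VM, the sample format and all names are my own assumptions.

```python
# Constructed stand-in for a virus body: an inert marker string, not real code.
BODY = b"HELLO-HEDGEHOG-BODY" * 2
BODY_SIGNATURE = b"HEDGEHOG-BODY"

# A toy decryptor is a short program for a byte-oriented mini-VM; each op is what
# the decryptor does to every body byte, and its "shape" is the op sequence (keys wildcarded).
DECRYPT_OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "not": lambda b, k: (~b) & 0xFF,
}
ENCRYPT_OPS = {  # inverse of each op, used only to build a constructed sample
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b - k) & 0xFF,
    "not": lambda b, k: (~b) & 0xFF,
}
# The handful of decryptor shapes an oligomorphic sample would choose between.
OLIGOMORPHIC_SHAPES = {("xor",), ("add", "xor"), ("not", "add")}

def make_sample(program, body=BODY):
    """Serialise 'decryptor program + encrypted body' into one constructed file."""
    enc = bytes(body)
    for op, k in reversed(program):  # encrypt = inverse ops in reverse order
        enc = bytes(ENCRYPT_OPS[op](b, k) for b in enc)
    header = ";".join(f"{op}:{k}" for op, k in program).encode()
    return header + b"|" + enc

def parse_decryptor(sample):
    """Split a sample into its decryptor program and the encrypted body."""
    header, enc = sample.split(b"|", 1)
    program = [(op, int(k)) for op, k in (t.split(":") for t in header.decode().split(";"))]
    return program, enc

def emulate(sample):
    """Dynamic decryption: run the decryptor and return the plaintext body."""
    program, data = parse_decryptor(sample)
    for op, k in program:
        data = bytes(DECRYPT_OPS[op](b, k) for b in data)
    return data

def static_scan(sample, known_shapes=OLIGOMORPHIC_SHAPES):
    """Pattern matching on the raw file: body signature, or a known decryptor shape."""
    program, _ = parse_decryptor(sample)
    shape = tuple(op for op, _ in program)
    return BODY_SIGNATURE in sample or shape in known_shapes

def dynamic_scan(sample):
    """Emulate first, then apply the body signature to what the decryptor produced."""
    return BODY_SIGNATURE in emulate(sample)
```

A polymorphic generation that picks a decryptor shape outside the known set slips past `static_scan` but is still caught by `dynamic_scan`, because the decrypted body is the same every time.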