
Assembly Viruses: How They Work & Protection

TL;DR

Yes, some viruses *do* write assembly code instead of directly creating machine code. These viruses typically store their malicious instructions as human-readable assembly language and then use an assembler (either built-in or external) to convert it into executable machine code at runtime or during infection. This makes them harder to detect because static analysis focuses on finding pre-existing machine code patterns, not the source code.

How Assembly Viruses Work

  1. Assembly Code as Payload: Instead of embedding binary (machine code) directly into the virus file, these viruses store their core logic in assembly language. This looks like instructions such as MOV AX, 10 or ADD BX, CX.
  2. Assembler Requirement: To execute this code, an assembler is needed. There are a few ways this happens:
    • Built-in Assembler: Some viruses include a small assembler routine within themselves. This means the virus can convert its assembly instructions into machine code on the infected system without needing external tools.
    • External Assembler: The virus relies on an assembler already being present on the target system (e.g., NASM, MASM). It might try to locate one or require it as a prerequisite for execution.
  3. Runtime Assembly: The assembly code is assembled *during* the virus’s operation. This could be:
    • At Infection Time: When infecting files, the virus might assemble its payload before writing it into the target file.
    • Just Before Execution: The virus assembles the necessary code right before attempting to run a malicious function.
  4. Obfuscation: Assembly language is more easily obfuscated than machine code. This means viruses can change the appearance of their assembly instructions without altering their functionality, making detection harder.
    ; Example of simple obfuscation - inserting junk that does not change program state
    MOV AX, 10   ; Original instruction
    NOP          ; Padding instruction: alters no register or flag
    MOV AX, 10   ; Re-storing the same value leaves AX unchanged

Why Use Assembly?

  • Evasion: Static signature detection is less effective. Antivirus software often looks for specific sequences of machine code bytes. Assembly viruses change these byte patterns frequently through assembly and obfuscation.
  • Polymorphism & Metamorphism: Assembly allows for easier creation of polymorphic (changing code appearance) and metamorphic (rewriting itself entirely) viruses.
  • Complexity: It can be harder to reverse engineer assembly code compared to directly analysing machine code, especially if the virus uses complex techniques.
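The defensive counterpart to the junk-instruction padding shown above and the evasion point it enables, as an added example that is not from the original article: a small Python normalizer that strips semantic no-ops (NOP, a register moved or exchanged with itself, an immediately repeated identical MOV reg, imm) from an assembly listing before signature comparison, so the padded and clean versions of the same logic compare equal. The listings, the is_junk rules and contains_signature are constructed for this illustration; note that the article's original XOR EAX, EAX padding is deliberately not treated as junk, because it zeroes EAX.

```python
from typing import List, Optional, Tuple
Instr = Tuple[str, Tuple[str, ...]]

# Constructed listings: the article's MOV AX, 10 / ADD BX, CX logic, clean and
# padded with junk that leaves every register and flag exactly as it was.
CLEAN = "MOV AX, 10\nADD BX, CX"
PADDED = """
    MOV AX, 10     ; original
    NOP            ; junk
    XCHG BX, BX    ; junk: a register swapped with itself
    MOV AX, 10     ; junk: re-storing the immediate already in AX
    ADD BX, CX
"""
# The article's own padding. XOR EAX, EAX is NOT junk: it zeroes EAX.
XOR_VARIANT = "MOV AX, 10\nXOR EAX, EAX\nMOV AX, 10\nADD BX, CX"

def parse(listing: str) -> List[Instr]:
    """Strip ';' comments and split each line into (MNEMONIC, operands)."""
    out: List[Instr] = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        mnem, _, rest = line.partition(" ")
        ops = tuple(o.strip().upper() for o in rest.split(",") if o.strip())
        out.append((mnem.upper(), ops))
    return out

def is_junk(ins: Instr, prev: Optional[Instr]) -> bool:
    """Padding that does not alter architectural state (deliberately narrow)."""
    mnem, ops = ins
    if mnem == "NOP":
        return True
    if mnem in ("MOV", "XCHG") and len(ops) == 2 and ops[0] == ops[1]:
        return True
    # An identical MOV reg, imm immediately after itself changes nothing.
    return mnem == "MOV" and len(ops) == 2 and ops[1].isdigit() and prev == ins

def normalize(listing: str) -> List[Instr]:
    """Canonical instruction sequence with junk removed, for signature matching."""
    out: List[Instr] = []
    for ins in parse(listing):
        if not is_junk(ins, out[-1] if out else None):
            out.append(ins)
    return out

def contains_signature(listing: str, signature: str) -> bool:
    """True when the normalized signature occurs contiguously in the listing."""
    hay, needle = normalize(listing), normalize(signature)
    return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))
```

A real engine would apply the same idea to disassembled bytes rather than source text, but the matching step is identical: canonicalize first, then compare.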

How to Protect Yourself

  1. Keep Your Antivirus Updated: Modern antivirus software is getting better at detecting assembly viruses through behavioural analysis and heuristics.
  2. Regular Scans: Perform full system scans regularly, not just quick scans.
  3. Be Careful with Downloads: Avoid downloading files from untrusted sources. This is the most common infection vector.
  4. Software Restriction Policies/AppLocker (Windows): These tools can prevent execution of unsigned or unknown code.
    # Example PowerShell: turn the program's path into an AppLocker rule, flip it to Deny, merge it in
    $xml = Get-AppLockerFileInformation -Path "C:\Program Files\SuspiciousProgram.exe" |
        New-AppLockerPolicy -RuleType Path -User Everyone -Xml   # the cmdlet emits an Allow rule
    $xml -replace 'Action="Allow"', 'Action="Deny"' | Out-File .\deny-policy.xml
    Set-AppLockerPolicy -XmlPolicy .\deny-policy.xml -Merge    # keep the default rules; enforce the Exe collection separately
  5. Sandboxing: Run suspicious programs in a sandbox environment to isolate them from your main system. Virtual machines (VMs) are excellent for sandboxing.
  6. Disable Macros: If you receive documents with macros, disable them unless you trust the source.

Detecting Assembly Viruses

  • Behavioural Analysis: Look for unusual processes or file modifications.
  • Disassembly Tools: Use tools like IDA Pro, Ghidra, or x64dbg to disassemble the code and examine its instructions. These tools convert machine code back into assembly language.
  • Monitoring System Calls: Assembly viruses often make specific system calls. Monitoring these can reveal malicious activity.