funsec mailing list archives

Re: Re: Question about Viruses


From: Valdis.Kletnieks () vt edu
Date: Fri, 07 Jul 2006 19:05:03 -0400

On Sat, 08 Jul 2006 00:30:52 +0200, Peter Kosinar said:

> Thus, the infections by two different EPOs can actually commute (in the
> sense of the file being infected by Vir1 and Vir2 can result in exactly
> the same file as if the file was infected by Vir2 and Vir1 in that order).
> In fact, the "infection-graph" of a program can no longer be assumed to be
> linear (as it used to be in the good old times with just simple infectors
> around) and it can (theoretically; practical samples of this kind have not
> been observed) be an arbitrarily complex DAG (directed acyclic graph).

Has anybody observed a case where Vir2 went looking for a call site to hijack,
and it found a call inside Vir1 rather than the original code?  Or do most
of these things target a known fixed call inside the original rather than
scanning the binary looking for a suitable opcode (similar to 'hydan' scanning
for suitable opcodes to encode a stego imprint on a binary)?


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.