Vulnerability Development mailing list archives
Re: Why not a changeling?
From: sigipp () WELLA COM BR (sigipp () WELLA COM BR)
Date: Mon, 22 May 2000 15:32:53 -0300
Hi, OK, you are right. MD5 is one-way. But it may be some (even very simple) symmetric encryption, too. It is only to hide the code. Maybe simply XOR-ing with a key, where the key should be different in every virus (at a known location to enable the virus to find the key).

But the whole thing was not intended to discuss ideas on how to write stealth viruses; I am not a virus coder. It was a response to a message about an undetected virus, which was not detected by the virus scanners because it was compacted (zipped or something like that). And I doubt it would be that simple. Compacting an archive always results in the same compact archive, regardless of the algorithm. So to hide it from any pattern matching, you have to alter not the compacting (scrambling) algorithm, but the result, i.e. make the result dependent not on the algorithm, but on some key. But even like this, the initial routine would still be detectable by virus scanners. Even if the descrambling algorithm is not part of the virus, the routine to call the standard installed descrambling function is still the same and is detectable.

To create a truly stealth virus, you have to encrypt it without any decrypting code, and some day later send a worm through the internet which decrypts any of those viruses out there. For example, consider hiding viruses in images (steganos) and placing them on often-visited websites. Nobody would ever see any difference; they are too minimal to be noticeable. Then, after a few months, place a worm which checks the local browser cache directory, tries to extract those viruses, and if they are there, starts them. These viruses would be undetectable; in fact, as long as they are hidden in the image, they are no viruses. They could spread over the whole world, bypassing all firewalls and all virus detection programs, and simply sit there and wait for doomsday. Then a new worm will activate them.

Well, only some silly ideas...

Greetings
Siegfried Gipp