Vulnerability Development mailing list archives
Re: Why not a changeling?
From: sebastion () IRELANDMAIL COM (Jeff Bachtel)
Date: Tue, 23 May 2000 11:06:39 -0500
On Mon, May 22, 2000 at 08:58:29AM -0300, sigipp () WELLA COM BR wrote:
> Hi, just one question (maybe I did not understand the whole thing): If a virus is built of two parts, a "payload" and a scrambler/descrambler with a proprietary algorithm, the virus scanners do not depend on detecting the "payload", they simply depend on detecting the scrambler. Well, you could scramble the scrambler, but you see...
Actually, many viruses do scramble (obfuscate) their decoder with NOPs (both real NOPs and logical ones) and code rearrangement; that was one of the big breakthroughs when polymorphic virii came about.
> The only thing I can imagine is using a standard scrambler (like md5), which is installed at the user and is not part of the virus. The result of the scrambler should depend on a key (unlike simple compacting, zip and the like), and this key should be part of the virus, and on reduplicating itself, it should randomly generate a new key.
Er, as far as I know, md5 is a message digest algo; you'd need a true decryption library on the machine the virus jumps to. However, that makes it even more trivial for AV software to detect suspicious activity (woohoo, this code is requesting this bit of data be decrypted. Let's make a note of that, and if it tries to jump there later, we know we probably have a virus. Or a game.), and is not much of a win.
> A really amazing idea would be to create a scrambled virus which, when descrambled with one key, results in one virus, and when descrambled with another key, results in another virus. Well, but that's utopia.
The above paragraph assumes either a custom obfuscation/encryption algorithm (detectable [maybe] by AV software) or a solved DES/md5/whatever set (fairly intractable). An interesting idea, put forth in Graham Watkin's (sp) book _Virus_ (definitely a piece of fiction ;) is a piece of code that is self-evolving, that is, that starts off as a relatively small seed but grows into larger, more sophisticated code. This is an even more difficult idea to implement by hand, as it would (probably) involve the determination of a base system and the chaotic controls that should be applied to it in order to effect a set of data at the chaotic system's end of run.

jeff

(except for the problem being mathematically non-trivial, it would make for an interesting compression algorithm, too)
> If I missed anything, let me know.
>
> Greetings
> Siegfried Gipp
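The "note the decrypt, then flag the jump" heuristic Jeff sketches above can be shown as a toy trace analyser. This is an added example, not code from the thread or from any AV product: it walks a constructed, simplified execution trace (event kinds, addresses and sizes are all invented here) and reports any control transfer into a byte range that the same program wrote, or asked a library to decrypt, earlier in the trace. As the "Or a game" aside notes, write-then-execute is also what JIT compilers and self-decompressing loaders do, so the output is a signal to correlate, not a verdict; real implementations get the same signal from page permissions (W^X) rather than from a trace.

```python
# Added example: a toy write/decrypt-then-execute detector modelling the
# heuristic described in the thread. Trace format, addresses and sizes are
# constructed for illustration and are not from any real program.

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str          # "write", "decrypt" or "jump"
    addr: int          # start address touched by the event
    size: int = 1      # bytes written/decrypted (ignored for jumps)


@dataclass
class Finding:
    jump_addr: int
    tainted_by: Tuple[int, int]   # (start, end_exclusive) of the range jumped into
    producer: str                 # "write" or "decrypt": what produced those bytes


class WriteThenExecDetector:
    """Remember freshly produced byte ranges; flag any jump that lands inside one."""

    def __init__(self) -> None:
        self.tainted: List[Tuple[int, int, str]] = []   # (start, end_exclusive, producer)
        self.findings: List[Finding] = []

    def observe(self, ev: Event) -> None:
        if ev.kind in ("write", "decrypt"):
            # Bytes the program just materialised: data until proven otherwise.
            self.tainted.append((ev.addr, ev.addr + ev.size, ev.kind))
        elif ev.kind == "jump":
            # Control transfer into bytes this program produced itself.
            for start, end, producer in self.tainted:
                if start <= ev.addr < end:
                    self.findings.append(Finding(ev.addr, (start, end), producer))
                    break
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")


def scan(trace: List[Event]) -> List[Finding]:
    """Run the detector over a whole trace and return its findings."""
    det = WriteThenExecDetector()
    for ev in trace:
        det.observe(ev)
    return det.findings


# Constructed trace 1: the pattern from the thread. Code asks a library to
# decrypt a blob into a buffer, then transfers control into that buffer.
SUSPICIOUS_TRACE = [
    Event("jump", 0x1000),             # ordinary control flow in existing code
    Event("decrypt", 0x4000, 0x200),   # 512 bytes decrypted into a buffer at 0x4000
    Event("jump", 0x4010),             # then executed: flagged
]

# Constructed trace 2: a program writes data and only ever treats it as data
# (e.g. a game loading a level file); no jump into the written range.
BENIGN_TRACE = [
    Event("write", 0x8000, 0x100),
    Event("jump", 0x1200),
    Event("jump", 0x1300),
]


if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        hits = scan(trace)
        print(name, "->", [(hex(h.jump_addr), h.producer) for h in hits])
```

The detector keeps every produced range for the life of the trace; a production version would also drop ranges once they are freed or re-written as data, and would attach the finding to the module that issued the jump so an analyst can tell a packed game from something worth a closer look.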
Current thread:
- Re: Why not a changeling? sigipp () WELLA COM BR (May 22)
- Re: Why not a changeling? Daniel Petzen (May 22)
- fdmount 0.8 exploit Paulo Ribeiro (May 22)
- Conserver Overflow James Snow (May 23)
- Re: Why not a changeling? Jeff Bachtel (May 23)
- Re: Why not a changeling? Michael H. Warfield (May 24)
- <Possible follow-ups>
- Re: Why not a changeling? Michael Wojcik (May 22)
- Re: Why not a changeling? White Vampire (May 23)
- Re: Why not a changeling? Dick St.Peters (May 25)
- Re: Why not a changeling? White Vampire (May 25)
- Re: Why not a changeling? White Vampire (May 23)
- Re: Why not a changeling? sigipp () WELLA COM BR (May 22)
- Re: Why not a changeling? Michael Wojcik (May 22)
- Re: Why not a changeling? Maxime Rousseau (May 23)
- Re: Why not a changeling? Michael Wojcik (May 23)
- Re: Why not a changeling? White Vampire (May 25)