Vulnerability Development mailing list archives
Re: Why not a changeling?
From: zuul () LLS SE (Daniel Petzen)
Date: Tue, 23 May 2000 00:31:36 +0200
On Mon, 22 May 2000 sigipp () WELLA COM BR wrote:
> Hi, Just one question (maybe I did not understand the whole thing): If a virus is built of two parts, a "payload" and a scrambler/descrambler with proprietary algorithm, the virus scanners do not depend on detecting the "payload", they simply depend on detecting the scrambler.
Agreed.
> Well, you could scramble the scrambler, but you see...
Jupps. That was the idea. I did get pointed out (in a friendly and constructive way) that I was ages behind on morphing code. With the feeling of ignorance somewhat dampened by my previous disclaimer (with the notion that I'm a happy newbie at this) I found an excellent article which very briefly mentioned the basics of polymorphing code (http://www.bocklabs.wisc.edu/~janda/polymorf.html). If I haven't gone too soft in the head this is about the modification of the actual operation codes and in some cases disrupting the sequence of execution. But it also describes decryptors that are composed of precalculated code segments which would probably be very close to what I thought I came up with. Stubborn as I am, I still think there is some interesting stuff to be discovered here though. In combination with polymorphing code it could be quite a bother to detect. The easiest detection would probably be to let the descrambler code do its stuff in a virtual environment and then do the pattern matching on the resulting descrambled payload. That would however use up some CPU.
> The only thing I can imagine is, using a standard scrambler (like md5), which is installed at the user and is not part of the virus. The result of the scrambler should depend on a key (unlike simple compacting, zip and the like), and this key should be part of the virus, and on reduplicating itself, it should randomly generate a new key.
I see your point. Where would a better hiding place for the scrambler be but in the OS? But are there OSes which support reversible key-based encryption? Aren't methods such as MD5 irreversible hash algorithms?
> A real amazing idea would be, create a scrambled virus, which, when descrambled with one key, results in one virus, and when descrambled with another key, should result in another virus. Well, but that's utopia.
I'll have to get back to you on that one :-)
> If I missed anything, let me know.
Nah, I think that would probably be me as usual... // Zuulie
> Greetings Siegfried Gipp
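To make the detection approach in Daniel's reply concrete (let the descrambler run in a virtual environment, then pattern-match the descrambled payload), here is an added Python illustration that is not from either poster. It assumes a constructed toy XOR scrambler with a per-copy one-byte key stored in front of the body, and a harmless marker string standing in for the "payload"; the constructed names `scramble`, `emulate_descrambler`, `static_match` and `emulated_match` are mine, not anything from the thread.

```python
import os

# Constructed sample: the "payload" is a harmless marker string, and the
# scanner's signature is that same marker. Nothing here is from the thread.
SIGNATURE = b"SAMPLE-PAYLOAD-MARKER"
PAYLOAD = b"harmless bytes around a " + SIGNATURE + b" for the demo"

def scramble(payload: bytes, key: int) -> bytes:
    """Toy scrambler: one-byte XOR key stored in front of the scrambled body.
    Each copy carries its own key, so the scrambled bodies differ per copy."""
    assert 1 <= key <= 255          # key 0 would leave the payload in the clear
    return bytes([key]) + bytes(b ^ key for b in payload)

def emulate_descrambler(sample: bytes) -> bytes:
    """Stand-in for letting the descrambler run in a virtual environment:
    perform the sample's own decode step with the key it carries."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])

def static_match(sample: bytes) -> bool:
    """Plain pattern matching on the bytes as stored: fails on every copy,
    because every payload byte has been XORed with a non-zero key."""
    return SIGNATURE in sample

def emulated_match(sample: bytes) -> bool:
    """Pattern matching on the descrambled result instead."""
    return SIGNATURE in emulate_descrambler(sample)

def scrambled_bodies_differ(a: bytes, b: bytes) -> bool:
    """True when two copies share no byte at any position of the scrambled
    body, i.e. a signature taken from one copy's body cannot hit the other."""
    return all(x != y for x, y in zip(a[1:], b[1:]))

def make_copies(n: int = 3) -> list[bytes]:
    """Reduplicate with a fresh random key per copy, as the post describes."""
    return [scramble(PAYLOAD, 1 + os.urandom(1)[0] % 255) for _ in range(n)]

if __name__ == "__main__":
    for c in make_copies():
        print(f"key={c[0]:#04x} static={static_match(c)} emulated={emulated_match(c)}")
```

The CPU cost Daniel mentions is the price of the second path: every sample must be decoded (or emulated) before the signature can be applied, whereas the static scan is a single substring search.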