Dailydave mailing list archives

The Anti-Virus/IDS fantasy world


From: "No Body" <usanonymous () gmail com>
Date: Tue, 12 Jun 2007 15:33:09 -0600

I'm curious:  what exactly makes writing malware difficult?  Consider a
sophisticated modern mass-mailer with a backdoor.  In my experience, it
consists of:

A)  Code to inject a thread into explorer.exe;  that thread then contains:
B)  Code to report to a central server via HTTP;
C)  A SOCKS proxy thread and/or remote file system viewer;
D)  A routine to scour the disk for email addresses;
E)  An SMTP client;
F)  Code to ensure that the worm starts every time the system boots (almost
always via the registry), and maybe
G)  Code to make sure its registry key / executable are not deleted.
Each component is no more than 1,000 lines of code, and each is easily
testable.  For good measure, the binaries are usually packed with either
FSG or UPX.

Your standard IRC trojan is even less sophisticated.  Trojan downloaders are
literally less than ten lines of C code to write.  BHOs, as well, are much
easier to write than they are to analyze (if you don't believe me, try it).
SymbianOS malware is excruciatingly difficult to analyze, while the malware
authors have an emulator and an SDK with a rich collection of examples to
work with.

I just don't see the "incredibly hard" part in writing malware:  are you
referring to some other class of malware than the ones I've described?  I
agree with Sophos (while at the same time thinking AV is snake-oil):
statically analyzing malware is substantially harder than writing it.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
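The post's remark that the binaries are usually packed with FSG or UPX is where the analyst's work starts, since a packed section table is often the first thing a triage script looks at. The following is an added example, not code from the original post or from any vendor or packer it names: a minimal PE section-table walker that flags the two classic packer signs, default packer section names (UPX0/UPX1/.FSG, assumed here to be the stock names) and a high-entropy raw section next to an empty section reserved for unpacking. The PE images it inspects are constructed in-memory fixtures with no entry point or real code; the 7.0 bits-per-byte threshold is an assumed tuning value.

```python
"""Heuristic packer detection (UPX/FSG-style) from a PE section table.

Added example for the thread above; the fixtures are constructed stubs,
not real samples. Assumed: stock packer section names and a 7.0 bit/byte
entropy threshold, both tunable."""
import math
import struct

# Default section names left by UPX and FSG (assumption: unmodified stubs).
# A renamed stub evades this, which is why entropy is checked as well.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".FSG"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the COFF section table and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER follows "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Return human-readable reasons the image looks packed (empty list if none)."""
    reasons = []
    for s in parse_sections(image):
        name = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {name}: packer default name")
        # Packers reserve a large empty virtual region to decompress into.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {name}: no raw data but {s['virtual_size']} bytes virtual")
        if s["raw_size"] > 0 and s["entropy"] > entropy_threshold:
            reasons.append(f"section {name}: entropy {s['entropy']:.2f} > {entropy_threshold}")
    return reasons


def build_pe(sections):
    """Build a minimal, non-executable PE image from (name, virtual_size, raw_bytes).

    Constructed fixture only: zero-length optional header, no entry point."""
    e_lfanew, opt_size = 0x40, 0
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0)
    table, body, raw_ptr = b"", b"", header_len
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0)
        body += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Constructed fixtures. The "compressed" payload is a stand-in with every byte
# value equally frequent (entropy exactly 8.0), not real packed code.
CLEAN_IMAGE = build_pe([(b".text", 0x100, b"\x55\x8b\xec\x90" * 64)])
PACKED_IMAGE = build_pe([
    (b"UPX0", 0x8000, b""),
    (b"UPX1", 0x400, bytes(range(256)) * 4),
])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed", PACKED_IMAGE)):
        print(label, packer_indicators(img) or ["no indicators"])
```

Entropy alone is not proof of packing (a large embedded certificate or resource image scores high too), so the check reports reasons rather than a verdict and leaves the decision to the analyst.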
