funsec mailing list archives
Re: Re: Question about Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Sat, 8 Jul 2006 01:13:59 +0100 (BST)
> > What's an "EPO"?
>
> EPO - Entry Point Obfuscator -- is a virus which doesn't directly modify the entrypoint or code at the entrypoint, but rather performs some modification elsewhere in the code (like, replacing a random "call" instruction in the code section by a call to itself). While this decreases its chances of being executed (it might insert itself into a rarely or never used execution path), it's also pretty efficient as an anti-AV measure.
Oh, those. Yes, detection is trickier. I took the view (true at the time) that these were sufficiently rare (and not in-the-wild) that I needn't do the work needed to do a clean, I'd only offer the delete option.
> Thus, the infections by two different EPO's can actually commute (in the sense that the file being infected by Vir1 and Vir2 can result in exactly the same file as if the file was infected by Vir2 and Vir1 in that order). In fact, the "infection-graph" of a program can no longer be assumed to be linear (as it used to be in the good old times with just simple infectors around) and it can (theoretically, practical samples of this kind have not been observed) be an arbitrarily complex DAG (directed acyclic graph).
There's a danger in devising an arbitrarily complex situation, and trying to do something about it - you can wind up with a product that's too complex, without any benefit to the users because the complex situation hasn't actually happened.
> Yes, exactly. That's one of the reasons why the number of "detected viruses" (= the number of different virus names that an AV can report) or the number of used signatures cannot be used as any kind of metric of quality of the AV.
Good grief. You mean, there's people think it can? I know that when I was active in this area, most AV's couldn't actually tell the difference between the variants of a virus, because they weren't doing exact identification. So they actually had no way of knowing how many they detected.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
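The EPO behaviour Peter describes (an existing "call" in the code section redirected to the viral body) suggests the simplest scanner-side heuristic: find near calls whose target lies outside the section's original extent. The following is an added example written for this archive page, not code from either poster; the 0x401000 base, the nop-filled code image and the appended bytes are constructed, and the linear byte sweep for opcode E8 is a heuristic that will misfire on E8 bytes inside data or immediates in real binaries.

```python
import struct

# Constructed toy layout: a flat x86 code section loaded at CODE_BASE whose
# original contents occupy `original_size` bytes; anything appended past that
# boundary is treated as foreign.
CODE_BASE = 0x401000


def decode_calls(code: bytes, base: int):
    """Linear sweep for 5-byte near CALL rel32 (opcode E8).

    Returns (instruction_va, target_va) pairs.  Non-E8 bytes are skipped one
    at a time, so this is a heuristic sweep, not a real disassembler.
    """
    calls = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            va = base + i
            calls.append((va, va + 5 + rel))  # target = next instruction + rel32
            i += 5
        else:
            i += 1
    return calls


def suspicious_calls(code: bytes, base: int, original_size: int):
    """Calls whose target falls outside [base, base + original_size)."""
    lo, hi = base, base + original_size
    return [(va, tgt) for va, tgt in decode_calls(code, base) if not lo <= tgt < hi]


def call_rel32(at_va: int, target_va: int) -> bytes:
    """Encode CALL rel32 placed at at_va and aimed at target_va."""
    return b"\xE8" + struct.pack("<i", target_va - (at_va + 5))


def build_sample():
    """Constructed sample: one in-section call and one call into appended bytes."""
    original_size = 32
    code = bytearray(b"\x90" * original_size)            # nop-filled stub
    code[0:5] = call_rel32(CODE_BASE, CODE_BASE + 16)     # legitimate, in-section
    code[8:13] = call_rel32(CODE_BASE + 8, CODE_BASE + original_size)  # redirected
    code += b"\xC3" * 8                                   # appended foreign bytes
    return bytes(code), original_size


if __name__ == "__main__":
    image, size = build_sample()
    for va, tgt in suspicious_calls(image, CODE_BASE, size):
        print(f"call at {va:#x} targets {tgt:#x}, outside original code")
```

In a real scanner the section bounds would come from the PE section table, and the sweep would be replaced by a proper disassembler to keep the false-positive rate down.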