Vulnerability Development mailing list archives
Re: Another new worm??? (technical)
From: vision () WHITEHATS COM (Max Vision)
Date: Fri, 23 Jun 2000 12:24:35 -0700
On Fri, 23 Jun 2000 15:08:16 +0200, Bluefish wrote: Change random bytes in a worm like Love Letter, it will keep to work in 90% of the cases. Change random bytes in a virus written in assembly language, it crashes in 99.9% of the cases.
disclaimer: the following is just speculation I realize this is terribly inefficient, however, these percentages can probably be greatly reduced by adding nop instructions every other instruction. In machine code, many instructions are going to function as NOPs provided they don't involve flow control (jmp, call, etc) and don't interfere with variables/registers/etc that the actual intended code uses. I haven't spent the research time to say for sure, but I would speculate you could, by adding significant bloat, reduce the risk of a single byte change affecting your code to perhaps 1%? I wonder if this has a useful implementation: instructions a, b, and c written as a b c or a nop b bop c nop or a nop nop nop nop nop b nop nop nop nop nop c nop nop nop nop nop etc If you are in some situation where you have a finite amount of corruption, say an attack on your code versus something proportionate like a bad network connection, then you could actually increase code survivability by adding NOP-like bloat. (I can't think of any examples of naturally occuring disproportionate finite corruption - feedback welcome) For example if only one byte is going to be altered, you have something closer to 50% chance of your code crashing because it might now be one of the "nops" that is altered instead of your code, maybe a little higher because of things I mentioned, like jmp or call instructions, or other instructions that change how the program works or just invalid instructions altogether - but I am guessing that is probably only half, most instructions are harmless. I suppose if it didn't protect the code from attack (decreasing the effects of alteration of a few bytes) then it would certain help with obfuscation. But I've talked about that part before in public forums... This probably doesn't apply to scripting languages though, as the odds of a single byte causing an "invalid command" are far higher.. Years ago, Mark Ludwig (virus researcher, author of TLBBOCV) demonstrated how a single-byte alteration to a "format.com" type program would turn it into a self-replicating boot sector virus. The reference was to evolution of artificial life.. anyway, the speculation is fun :) Max
Current thread:
- Re: Another new worm???, (continued)
- Re: Another new worm??? Bennett Todd (Jun 20)
- Re: Another new worm??? ~jim (Jun 20)
- Re: Another new worm??? Justin Randall (Jun 20)
- Re: Another new worm??? (long) Pierre Vandevenne (Jun 21)
- Re: Another new worm??? Joe Gee (Jun 20)
- Re: Another new worm??? Dan Schrader (Jun 21)
- Re: Another new worm??? Bennett Todd (Jun 21)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 22)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? (technical) Max Vision (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? (technical) Max Vision (Jun 23)
- Re: Another new worm??? (technical) Pierre Vandevenne (Jun 23)
- Re: Another new worm??? Bennett Todd (Jun 21)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Re: Another new worm??? (technical) Bluefish (Jun 23)
- Capturing System Calls Green Charles Contr AFRL/IFGB (Jun 22)
- Re: Capturing System Calls Christofer C. Bell (Jun 22)
- Re: Capturing System Calls Steve Mosher (Jun 22)
- Re: Capturing System Calls Chon-Chon Tang (Jun 22)
- Re: Capturing System Calls Jonathan Leto (Jun 22)