Vulnerability Development mailing list archives
Re: Another new worm??? (technical)
From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Fri, 23 Jun 2000 21:40:47 +0200
On Fri, 23 Jun 2000 12:24:35 -0700 (PDT), Max Vision wrote:
On Fri, 23 Jun 2000 15:08:16 +0200, Bluefish wrote:
Change random bytes in a worm like Love Letter, it will keep working in 90% of the cases. Change random bytes in a virus written in assembly language, it crashes in 99.9% of the cases.
disclaimer: the following is just speculation
I realize this is terribly inefficient, however, these percentages can probably be greatly reduced by adding nop instructions every other instruction.
1) you can't add them randomly because they would split multi byte/word instructions and lead to a crash anyway.
8Bh 44h 24h 4h    mov eax, [esp+4]
has three wrong places for the nop for example
2) there are many techniques to achieve polymorphism in assembler, such as modifying nibbles, inserting streams of meaningless instructions (push pop pairs, do nothing logical operators, shifts of unused registers etc...) but these require complex coding (which was the point: it is not easy to do).
Pierre
---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !
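Added example, not part of the original post: a minimal 32-bit x86 length decoder that shows why the four bytes quoted above have three interior offsets, and how a linear-sweep disassembler re-reads the stream when an extra byte lands on one of them. The opcode subset, the trailing `ret` in the sample and all function names are assumptions made for this illustration.

```python
# Added illustration; decodes only the opcodes listed here, 32-bit addressing.
ONE_BYTE = {0x90, 0xC3} | set(range(0x50, 0x60))  # nop, ret, push/pop r32
MODRM_OPS = {0x89, 0x8B}                          # mov r/m32,r32 ; mov r32,r/m32
SAMPLE = bytes([0x8B, 0x44, 0x24, 0x04, 0xC3])    # constructed: post's bytes + ret

def insn_length(code, i):
    """Length in bytes of the instruction that starts at code[i]."""
    op = code[i]
    if op in ONE_BYTE:
        return 1
    if op not in MODRM_OPS:
        raise ValueError(f"opcode {op:#04x} is outside this example's subset")
    if i + 1 >= len(code):
        raise ValueError("truncated instruction")
    mod, rm = code[i + 1] >> 6, code[i + 1] & 7
    length = 2                                    # opcode + ModRM
    if mod != 3 and rm == 4:                      # rm=100b: a SIB byte follows
        if i + 2 >= len(code):
            raise ValueError("truncated instruction")
        length += 1
        if mod == 0 and (code[i + 2] & 7) == 5:   # SIB base=101b: disp32
            length += 4
    if mod == 1:
        length += 1                               # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        length += 4                               # disp32
    if i + length > len(code):
        raise ValueError("truncated instruction")
    return length

def boundaries(code):
    """Offsets where an instruction starts, found by linear sweep from 0."""
    starts, i = [], 0
    while i < len(code):
        starts.append(i)
        i += insn_length(code, i)
    return starts

def interior_offsets(code):
    """Offsets that fall inside an instruction rather than at its start."""
    starts = set(boundaries(code))
    return [o for o in range(len(code)) if o not in starts]

def with_byte_at(code, offset, value=0x90):
    """Copy of code with one extra byte placed before the given offset."""
    return code[:offset] + bytes([value]) + code[offset:]

if __name__ == "__main__":
    print(boundaries(SAMPLE), interior_offsets(SAMPLE), boundaries(with_byte_at(SAMPLE, 1)))
```

With the extra byte at offset 1, `90h` is read as the ModRM byte (mod=10b, disp32), so the decoder sees a single 6-byte `mov` that swallows the following `ret` as part of its displacement.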