Vulnerability Development mailing list archives

Re: Another new worm??? (technical)


From: pierre () DATARESCUE COM (Pierre Vandevenne)
Date: Fri, 23 Jun 2000 21:40:47 +0200


On Fri, 23 Jun 2000 12:24:35 -0700 (PDT), Max Vision wrote:

> On Fri, 23 Jun 2000 15:08:16 +0200, Bluefish wrote:
> > Change random bytes in a worm like Love Letter, it will keep working in
> > 90% of the cases.
> >
> > Change random bytes in a virus written in assembly language, it crashes
> > in 99.9% of the cases.
>
> disclaimer: the following is just speculation
>
> I realize this is terribly inefficient, however, these percentages can
> probably be greatly reduced by adding nop instructions every other
> instruction.

1) you can't add them randomly because they would split multi-byte/word
instructions and lead to a crash anyway.

8Bh 44h 24h 04h

mov eax, [esp+4]

has three wrong places for the nop, for example.

2) there are many techniques to achieve polymorphism in assembler, such
as modifying nibbles, inserting streams of meaningless instructions (push/pop
pairs, do-nothing logical operators, shifts of unused registers,
etc.), but these require complex coding (which was the point: it is
not easy to do).

Pierre


---
http://www.datarescue.com/idabase/ida.htm
IDA Pro 4.1 - Yes, we have done it again !


