Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Another new worm??? (technical)

From: 11a () GMX NET (Bluefish)
Date: Sat, 24 Jun 2000 03:51:02 +0200


I wonder if this has a useful implementation:
instructions a, b, and c written as

a b c
 or
a nop b bop c nop


I have my doubt. Assume some code to be moderatly advanced, then it's
likely to be using all or almost all registers. If a nop suddenly becomes
a none-nop, it most likely will cause a failure. And chaning one nop into
another nop (like going from XCHG AH,AH to MOV AH,AH) should, if the
scanner is decently coded, make no difference.

Besides, in lowlevel (assembly) viruses, you typically use polymorphic
encryption which seems a lot more intelligent/scientific than randomly
changing one instruction of the machine code.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
Previous By Date Next
Previous By Thread Next

Current thread: