Vulnerability Development mailing list archives

Re: Why not a changeling?


From: zuul () LLS SE (Daniel Petzen)
Date: Sun, 21 May 2000 02:18:08 +0200


On Sun, 21 May 2000, Bluefish wrote:

> Hmmmm..
> 1. Morphing script viruses have been discussed in Bugtraq after the
>    Melissa problems IIRC. A semi-working morphing engine for VBA was
>    developed and tested.

  Ok. I'm sorry I missed this. As I said in the disclaimer, I'm new at
this.

> 2. Morphing executables have been known for ages.

  Well, that's a comfort. It was too obvious to have remained undiscovered
by so many competent people for that long.


> In case 2, the code can be written so that it will be somewhat close to
> what some "legal" software does. Therefore, new virus scanners often rely on
> decoding the virus and then checking the contents of the encrypted
> software.

  By this I guess you mean that the virus scanner has the ability to
decode jump tables and chained jumps into sequential code and then do the
final pattern matching?


> Case 1 is less researched as there is no (AFAIK) morphing script virus in
> the wild. But if my memory is correct, an engine has been published on
> Bugtraq. (Don't kill me if I'm wrong; I'm not entirely certain.)

  Once again, please forgive me for missing this. In my defence I
would like to point out that the latest MS virus, AFAIK, wreaked havoc
with a static payload which had the ability to change the subject and MIME
header "randomly". Compared to a totally morphing virus this is child's
play.

  If this is the case, then maybe it's time to revoke some of the old
techniques just to prove that fighting the symptoms of the problem isn't
the right approach, but rather to cure the problems.

  // Zuulie


> ..:::::::::::::::::::::::::::::::::::::::::::::::::..
>      http://www.11a.nu || http://bluefish.11a.nu
>     eleventh alliance development & security team
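An added illustration (not from the thread or either of its authors) of the normalisation step Zuulie asks about: a scanner that follows chained unconditional jumps and drops padding to recover the executed instruction order before matching a static signature. The instruction format and the two sample programs are constructed; a real scanner would also have to emulate conditional control flow, which this toy does not.

```python
"""Toy demo: why a scanner normalises jump chains before pattern matching.

A payload whose instructions are scattered across the image and stitched
together with unconditional jumps no longer contains its signature as a
contiguous run.  Following the jumps to recover the executed order restores
the run, so the static signature matches again.  All data is constructed;
the instruction set is a made-up tuple form, not real machine code.
"""

# Constructed "signature": the instruction run the scanner wants to detect.
SIGNATURE = [("mov", "eax", 1), ("push", "ebx"), ("int", 0x80)]

# Plain layout: the signature appears contiguously in the image.
PLAIN = [("mov", "eax", 1), ("push", "ebx"), ("int", 0x80), ("ret",)]

# Same executed behaviour, but blocks reordered and chained with jumps and
# never-executed padding.  Executed order from index 0: 0,5,6,2,3,8,10,11.
SCATTERED = [
    ("jmp", 5),         # 0
    ("nop",),           # 1  padding, never reached
    ("push", "ebx"),    # 2
    ("jmp", 8),         # 3
    ("nop",),           # 4
    ("mov", "eax", 1),  # 5
    ("jmp", 2),         # 6
    ("nop",),           # 7
    ("jmp", 10),        # 8  a jump to a jump: the "chained jumps" case
    ("nop",),           # 9
    ("int", 0x80),      # 10
    ("ret",),           # 11
]

def contains(seq, pattern):
    """Naive contiguous sub-sequence match, i.e. a plain signature scan."""
    n = len(pattern)
    return any(seq[i:i + n] == pattern for i in range(len(seq) - n + 1))

def linearize(program, start=0):
    """Follow unconditional jumps and skip nops to recover executed order.
    Stops at 'ret', on leaving the image, or on revisiting an index, so a
    hostile jump cycle (jmp 1 / jmp 0) cannot hang the scanner."""
    out, seen, pc = [], set(), start
    while 0 <= pc < len(program) and pc not in seen:
        seen.add(pc)
        ins = program[pc]
        if ins[0] == "jmp":
            pc = ins[1]          # take the jump instead of emitting it
            continue
        if ins[0] != "nop":
            out.append(ins)      # keep only instructions that do work
        if ins[0] == "ret":
            break
        pc += 1
    return out

def scan(program, signature=SIGNATURE):
    """Return (raw_image_match, normalised_match) for one program image."""
    return contains(program, signature), contains(linearize(program), signature)
```

Running `scan(PLAIN)` gives `(True, True)` while `scan(SCATTERED)` gives `(False, True)`: the raw byte-pattern scan misses the reordered image, the normalised trace does not.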
