Vulnerability Development mailing list archives

Re: Why not a changeling?


From: sigipp () WELLA COM BR (sigipp () WELLA COM BR)
Date: Mon, 22 May 2000 15:32:53 -0300


Hi,

OK, you are right. MD5 is one-way. But it may be some (even very simple) symmetric
encryption, too. It is only to hide the code. Maybe simply XOR-ing with a key,
where the key should be different in every virus (at a known location to enable the
virus to find the key).

But the whole thing was not intended to discuss ideas on how to write stealth
viruses; I am not a virus coder. It was a response to a message about an
undetected virus, which was not detected by the virus scanners because it was
compacted (zipped or something like that). And I doubt it would be that simple.
Compacting an archive always results in the same compact archive, regardless of
the algorithm. So to hide it from any pattern matching, you have to alter not
the compacting (scrambling) algorithm, but the result, i.e. make the result not
dependent on the algorithm, but on some key.

But even like this, the initial routine would still be detectable by virus
scanners. Even if the descrambling algorithm is not part of the virus, the
routine to call the standard installed descrambling function is still the same
and is detectable. To create a truly stealth virus, you have to encrypt it
without any decrypting code, and on some day later send a worm through the
internet which decrypts any of those viruses out there. For example, consider
hiding viruses in images (steganos) and placing them on often-visited websites.
Nobody would ever see any difference; they are too minimal to be noticeable.
Then after a few months place a worm which checks the local browser cache
directory, tries to extract those viruses, and if they are there, starts them. These
viruses would be undetectable; in fact, as long as they are hidden in the image,
they are not viruses. They could spread over the whole world, bypassing all
firewalls and all virus detection programs, and simply sit there and wait for
doomsday. Then a new worm will activate them.

Well, only some silly ideas...

Greetings
Siegfried Gipp
