Vulnerability Development mailing list archives

Re: Why not a changeling?


From: zuul () LLS SE (Daniel Petzen)
Date: Tue, 23 May 2000 00:31:36 +0200


On Mon, 22 May 2000 sigipp () WELLA COM BR wrote:

Hi,

Just one question (maybe I did not understand the whole thing): If a virus is
built of two parts, a "payload" and a scrambler/descrambler with a proprietary
algorithm, the virus scanners do not depend on detecting the "payload", they
simply depend on detecting the scrambler.

  Agreed.


Well, you could scramble the scrambler, but you see...

  Jupps. That was the idea. It was pointed out to me (in a friendly and
constructive way) that I was ages behind on morphing code. With the
feeling of ignorance somewhat dampened by my previous disclaimer (with the
notion that I'm a happy newbie at this) I found an excellent article which
very briefly mentions the basics of polymorphic code
(http://www.bocklabs.wisc.edu/~janda/polymorf.html).

  If I haven't gone too soft in the head, this is about the modification of
the actual operation codes and in some cases disrupting the sequence of
execution. But it also describes decryptors that are composed of
precalculated code segments, which would probably be very close to what I
thought I came up with. Stubborn as I am, I still think there is some
interesting stuff to be discovered here though. In combination with
polymorphic code it could be quite a bother to detect.

  The easiest detection would probably be to let the descrambler code do
its stuff in a virtual environment and then do the pattern matching on the
resulting descrambled payload. That would however use up some CPU.


The only thing I can imagine is using a standard scrambler (like MD5), which is
installed on the user's machine and is not part of the virus. The result of the
scrambler should depend on a key (unlike simple compacting, zip and the like), and
this key should be part of the virus, and on reduplicating itself, it should
randomly generate a new key.

  I see your point. Where would a better hiding place for the scrambler be
but in the OS? But are there OSes which support reversible key-based
encryption? Aren't methods such as MD5 irreversible hash algorithms?


A really amazing idea would be to create a scrambled virus which, when descrambled
with one key, results in one virus, and when descrambled with another key,
results in another virus. Well, but that's utopia.

  I'll have to get back to you on that one :-)


If i missed anything, let me know.

  Nah, I think that would probably be me as usual...

  // Zuulie


Greetings
Siegfried Gipp
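The three points argued in the thread above (a scanner that only needs to match the fixed descrambler, a key that is regenerated on every copy so that signatures on the scrambled payload fail, and detection by letting the descrambler run in a "virtual environment" and matching on the result) in a small Python model. This is an added example, not code from the thread or from either poster; the layout (stub marker, 16-byte key, scrambled payload), the keystream built from SHA-256 in counter mode, and the text standing in for the payload are all constructed here for illustration and are not real malware.

```python
"""Toy model of keyed scrambling versus static and emulation-style scanning."""
import hashlib
import secrets

# Constructed sample data: harmless text stands in for the "payload".
PAYLOAD = b"HELLO FROM THE TOY PAYLOAD: this text is what a scanner wants to find"
SIG_PAYLOAD = b"TOY PAYLOAD"    # signature taken from the cleartext payload
STUB = b"XORSTUB1"              # fixed marker standing in for the descrambler code
SIG_STUB = STUB                 # signature taken from the descrambler itself
KEY_LEN = 16


def keystream(key: bytes, length: int) -> bytes:
    """Hypothetical keyed scrambler: expand a short key into a keystream with
    SHA-256 in counter mode. The hash itself is one-way, as the reply notes,
    but XOR with a hash-derived keystream is trivially undone by whoever has
    the key, which is exactly why the key travelling with the copy gives it away."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def scramble(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call descrambles."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_sample(key: bytes, payload: bytes) -> bytes:
    """Assumed layout: STUB | key | scrambled payload (key is part of the copy)."""
    assert len(key) == KEY_LEN
    return STUB + key + scramble(key, payload)


def split_sample(sample: bytes):
    """Parse the assumed layout back into (key, scrambled_payload)."""
    if not sample.startswith(STUB):
        raise ValueError("not a sample in the assumed layout")
    return sample[len(STUB):len(STUB) + KEY_LEN], sample[len(STUB) + KEY_LEN:]


def replicate(sample: bytes) -> bytes:
    """Produce a new copy under a fresh random key: descramble with the key the
    copy carries, then re-scramble the same payload under a new one."""
    key, body = split_sample(sample)
    payload = scramble(key, body)
    return build_sample(secrets.token_bytes(KEY_LEN), payload)


def static_scan(sample: bytes, signature: bytes) -> bool:
    """Plain pattern matching on the bytes as they sit on disk."""
    return signature in sample


def emulated_scan(sample: bytes, signature: bytes) -> bool:
    """'Virtual environment' detection: do what the sample's own descrambler
    would do (here, read its key and undo the XOR), then match on the result."""
    try:
        key, body = split_sample(sample)
    except ValueError:
        return False
    return signature in scramble(key, body)


if __name__ == "__main__":
    first = build_sample(secrets.token_bytes(KEY_LEN), PAYLOAD)
    second = replicate(first)
    print("copies differ:", first != second)
    print("stub signature hits both copies:",
          static_scan(first, SIG_STUB), static_scan(second, SIG_STUB))
    print("payload signature on the raw bytes:",
          static_scan(first, SIG_PAYLOAD), static_scan(second, SIG_PAYLOAD))
    print("payload signature after emulated descrambling:",
          emulated_scan(first, SIG_PAYLOAD), emulated_scan(second, SIG_PAYLOAD))
```

Running it shows the asymmetry the thread is circling: every copy carries a different scrambled body, so a signature on the payload never matches statically, but the unchanging descrambler does, and a scanner that is willing to spend the CPU to descramble first (it has the key, because the copy has to carry it) recovers the payload signature on every copy.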


