Vulnerability Development mailing list archives

Re: Why not a changeling?


From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Tue, 23 May 2000 10:00:38 -0400


I think the idea is to split up the descrambler into many parts that
would not be detectable by themselves. If you mess up the line order of
the operations the AV will not be able to detect a long sequence of
'maliciously' tagged operations. If you get it well, the only kind of
lines the AV will have to work with will be stuff like "if (true) then"
or other standard looking mathematical operations that might happen in
any script. Say you encrypt your virus prior to spreading with a key that
is the infected hard disk's serial num (that would be a bad idea but,
anyway), if you have your key in a variable that has a randomly long
name and use a ROT13 variant in regards to that key... There is nothing
that is very virus specific besides the payload, and that's scrambled.

That looks very nice in theory but I'm not sure if it's all that easy to
code :)

Another cute solution:
Can an anti-virus read into a .vbe file? (Microsoft obfuscated
VBScript).

!  From: sigipp () WELLA COM BR
!
!  Just one question (maybe I did not understand the whole
!  thing): If a virus is
!  built of two parts, a "payload" and a scrambler/descrambler
!  with proprietary
!  algorithm, the virus scanners do not depend on detecting the
!  "payload", they
!  simply depend on detecting the scrambler.
!
!  Well, you could scramble the scrambler, but you see...
!
!  The only thing I can imagine is, using a standard scrambler
!  (like md5), which is
!  installed at the user and is not part of the virus. The
!  result of the scrambler
!  should depend on a key (unlike simple compacting, zip and
!  the like), and this
!  key should be part of the virus, and on reduplicating
!  itself, it should randomly
!  generate a new key.

