Vulnerability Development mailing list archives

Re: Why not a changeling?


From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Wed, 24 May 2000 14:45:13 -0400


On Mon, May 22, 2000 at 08:58:29AM -0300, sigipp () WELLA COM BR wrote:
> Hi,
>
> Just one question (maybe I did not understand the whole thing): If a virus is
> built of two parts, a "payload" and a scrambler/descrambler with a proprietary
> algorithm, the virus scanners do not depend on detecting the "payload", they
> simply depend on detecting the scrambler.

> Well, you could scramble the scrambler, but you see...

> The only thing I can imagine is using a standard scrambler (like md5), which is
> installed on the user's side and is not part of the virus. The result of the
> scrambler should depend on a key (unlike simple compacting, zip and the like),
> and this key should be part of the virus, and on reduplicating itself, it
> should randomly generate a new key.

> A really amazing idea would be to create a scrambled virus which, when
> descrambled with one key, results in one virus, and when descrambled with
> another key, results in another virus. Well, but that's utopia.

> If I missed anything, let me know.

        How about this for an idea...  This is primarily for the script
type viruses and worms...  Actual compiled code could be made to do the
same thing only much much uglier...

        Two parts.  Not a scrambler, but a descrambler that's the head.
Then you have the payload.  Within the payload is a special scrambler
(actually several scramblers and reference descramblers) that does
several things.

        1) It rehashes all the comments.  The comments could be random
noise, or deliberately deceptive code fragments.

        2) It randomizes the variable names.  This isn't as difficult as
it might sound.  All you need is a table of variable names to translate
(which can include the variable names in the scrambler/translator) and
run them (including the table) through a randomizer.  What comes out
is an identical program with all the variable names hashed to new
variable names and a new variable name translation table for the next
iteration.

        3) Randomize all neutral white space.  Basically take all the free
form white space separators and turn them into variable amounts of tabs,
spaces, line feeds, carriage returns, and form feeds.  Different lengths
and composition.

        4) Randomize the order of certain blocks of order independent code
(like variable initialization - just reorder the blocks or lines).

        If you have functions, you might try reordering the functions,
but I don't think that will buy you much.

        5) Selects a new scrambler (encoder) and descrambler (decoder) from
a set of selections and introduces a new key at random.

        6) Encodes the new payload with the new key using the new scrambler
algorithm and tacks it behind the new descrambler, which includes new
comments, new variable names, and new varying amounts of white space.

        Keep your fixed strings to a minimum length (assemble them in those
order independent blocks that get randomized) and you have a mutation
engine that will play hell with signature based detectors.

> Greetings
> Siegfried Gipp

        I agree with others...  The solution is not in detecting patterns
or signatures.  The solution is in prohibiting active content, whether
it's live scripts in E-Mail or documents with virulent macros.  The
problem is being attacked at the wrong point with the detectors (but,
if that's all we got, we use what we can).

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
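As an added defensive illustration (not code from this thread or its authors), the following normalizer shows why a byte-exact signature breaks under the comment, identifier and white-space rewrites of steps 1 to 3, and how hashing a canonical token stream instead survives them. The three sample scripts are constructed, benign Python fragments standing in for the "script type" payloads the post talks about.

```python
import builtins
import hashlib
import io
import keyword
import tokenize

# Constructed samples (not from the thread): A and B are one benign program
# before/after the comment, name and white-space rewrites of steps 1-3; C differs.
VARIANT_A = '''
# greet the user
def greet(name):
    msg = "hi " + name   # build the message
    return msg
print(greet("bob"))
'''
VARIANT_B = '''
#   nothing to see here, just random noise
def   xq7(  zz  ):
\tw9   =   "hi "  +  zz
\treturn   w9

print(  xq7(  "bob"  )  )
'''
VARIANT_C = '''
def greet(name):
    return "bye " + name
print(greet("bob"))
'''

def canonical_tokens(src):
    """Tokenize and drop everything the rewrites are allowed to change."""
    names = {}                    # original identifier -> canonical name
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type in (tokenize.COMMENT, tokenize.NL, tokenize.ENDMARKER):
            continue              # comments and blank lines carry no code
        if tok.type in (tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT):
            out.append(tokenize.tok_name[tok.type])   # block structure only
        elif (tok.type == tokenize.NAME and not keyword.iskeyword(tok.string)
              and tok.string not in dir(builtins)):
            # user-chosen identifiers become v0, v1, ... by first appearance
            out.append(names.setdefault(tok.string, f"v{len(names)}"))
        else:
            out.append(tok.string)  # keywords, builtins, operators, literals
    return out

def raw_hash(src):               # byte-exact signature: breaks on any rewrite
    return hashlib.sha256(src.encode()).hexdigest()
def canonical_hash(src):         # signature over the canonical token stream
    return hashlib.sha256(" ".join(canonical_tokens(src)).encode()).hexdigest()
```

The raw hashes of A and B differ while their canonical hashes match, and C keeps a distinct canonical hash. Reordering of independent blocks (step 4) and re-encoding of the payload (steps 5 and 6) are not undone by this normalization, which is why the post expects layered mutation to defeat signature matching.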
