funsec mailing list archives
Re: Re: Question about Viruses
From: Peter Kosinar <goober () nuf ksp sk>
Date: Sat, 8 Jul 2006 01:19:44 +0200 (CEST)
> Anybody observed a case where Vir2 went looking for a call site to hijack, and it found a call inside Vir1 rather than the original code? Or do most of these things target a known fixed call inside the original rather than scanning the binary looking for a suitable opcode (similar to 'hydan' scanning for suitable opcodes for encoding a stego imprint on a binary?)
I don't recall seeing such a case, but there are many techniques that can be used for EPO-like infection, so it's just improbable, not impossible. However, the most common ones use just searching for some specific API call (possibly replacing all occurrences of this call, thus eliminating the risk of double-infection) or searching for a particular [class of] opcodes in the code section. Others can modify SEH handler addresses or global constructors/destructors lists.
On the other hand, the bodies of the viruses are usually heavily encrypted (otherwise it'd be much simpler to look for the body itself, instead of devising some anti-EPO trick), so if Vir2 really proceeded up to the body of Vir1, it'd probably just damage it (so that neither of them would work), instead of really infecting the file.
That being said, I think it'd be pretty easy to construct a file which would improve chances of such spectacular chained infection happening :-)
Peter

--
[Name] Peter Kosinar
[Quote] 2B | ~2B = exp(i*PI)
[ICQ] 134813278

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
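As an added example, not code from the thread or its authors: a defender's-side heuristic for the call-site hijacking discussed above. It walks a code section for CALL rel32 opcodes, flags calls whose target leaves the code section but stays inside the image (the shape an EPO redirect into an appended body leaves behind), and groups sites that share one redirected target, which is what "replacing all occurrences of this call" looks like. The section address, image bounds and the byte sample are constructed assumptions.

```python
import struct
from collections import namedtuple

# offset within the section, VA of the CALL, computed target, heuristic verdict
CallSite = namedtuple("CallSite", "offset site_va target_va verdict")

def rel32_call_target(site_va, rel):
    # x86 CALL rel32: target = address of the next instruction + signed displacement
    return (site_va + 5 + rel) & 0xFFFFFFFF

def scan_calls(code, code_va, image_va, image_size):
    """Linear scan for E8 xx xx xx xx. Not a disassembler, so verdicts are heuristic."""
    sites, i = [], 0
    while i + 5 <= len(code):
        if code[i] != 0xE8:
            i += 1
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        site_va = code_va + i
        target = rel32_call_target(site_va, rel)
        if code_va <= target < code_va + len(code):
            verdict = "in-code"        # ordinary intra-section call
        elif image_va <= target < image_va + image_size:
            verdict = "outside-code"   # leaves the code section: candidate hijack
        else:
            verdict = "not-a-call"     # not even inside the image: E8 byte in data
        sites.append(CallSite(i, site_va, target, verdict))
        i += 5
    return sites

def hijacked_targets(sites):
    """Group out-of-section call sites by target; several sites sharing one target
    is the 'replace every occurrence of the call' pattern from the discussion."""
    by_target = {}
    for s in sites:
        if s.verdict == "outside-code":
            by_target.setdefault(s.target_va, []).append(s.offset)
    return by_target

def _call(site_va, target_va):  # encode CALL rel32 for the constructed sample
    return b"\xE8" + struct.pack("<i", target_va - (site_va + 5))

# Constructed sample: a 64-byte code section at CODE_VA inside a 0x6000-byte image.
CODE_VA, IMAGE_VA, IMAGE_SIZE = 0x401000, 0x400000, 0x6000
SAMPLE = (b"\x55\x89\xE5"                         # push ebp; mov ebp, esp
          + _call(CODE_VA + 3, 0x401020)          # legitimate call inside the section
          + _call(CODE_VA + 8, 0x405000)          # redirected into an appended section
          + b"\x90\x90\x90"                       # nop; nop; nop
          + _call(CODE_VA + 16, 0x405000)         # second occurrence, same redirect
          + b"\xC3" + b"\xE8\xFF\xFF\xFF\x7F")    # ret, then a stray E8 in data bytes
SAMPLE += b"\xCC" * (0x40 - len(SAMPLE))
```

On the sample, `hijacked_targets(scan_calls(SAMPLE, CODE_VA, IMAGE_VA, IMAGE_SIZE))` reports both redirected sites under 0x405000, while the E8 byte sitting in data is discarded because its "target" falls outside the image.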