funsec mailing list archives

Re: Re: Question about Viruses


From: Peter Kosinar <goober () nuf ksp sk>
Date: Sat, 8 Jul 2006 01:19:44 +0200 (CEST)

Anybody observed a case where Vir2 went looking for a call site to hijack,
and it found a call inside Vir1 rather than the original code?  Or do most
of these things target a known fixed call inside the original rather than
scanning the binary looking for a suitable opcode (similar to 'hydan' scanning
for suitable opcodes for encoding a stego imprint on a binary?)

I don't recall seeing such a case, but there are many techniques that can be used for EPO-like infection, so it's just improbable, not impossible. However, the most common ones use just searching for some specific API call (possibly replacing all occurrences of this call, thus eliminating the risk of double-infection) or searching for a particular [class of] opcodes in the code section. Others can modify SEH handler addresses or global constructors/destructors lists.

On the other hand, the bodies of the viruses are usually heavily encrypted (otherwise it'd be much simpler to look for the body itself, instead of devising some anti-EPO trick), so if Vir2 really proceeded up to the body of Vir1, it'd probably just damage it (so that neither of them would work), instead of really infecting the file.

That being said, I think it'd be pretty easy to construct a file which would improve chances of such spectacular chained infection happening :-)

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
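The call-site searching the reply describes is what an anti-EPO heuristic has to work backwards from: since the virus body itself is usually encrypted, a scanner looks at where the code section's calls go instead. The following is an added example, not code from this thread or from Peter Kosinar. The 32-bit image layout, the section names (`.vir` is a hypothetical appended section), the IAT range and the sample bytes are all constructed. It pattern-scans a code buffer for the `E8 rel32` and `FF 15 disp32` call encodings, flags direct calls that leave `.text` and indirect calls whose slot lies outside the IAT, and groups flagged sites by target so that the "replace every occurrence of one API call" pattern mentioned above shows up as several sites sharing a single out-of-section target.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    va: int    # virtual address after rebasing (image base + section RVA)
    size: int

    def contains(self, addr: int) -> bool:
        return self.va <= addr < self.va + self.size


@dataclass(frozen=True)
class Finding:
    offset: int          # byte offset of the call inside the code section
    kind: str            # "direct" (E8 rel32) or "indirect" (FF 15 disp32)
    target: int          # call target (direct) or IAT slot address (indirect)
    home: Optional[str]  # section the target falls into, None if outside the image
    suspicious: bool


# Constructed 32-bit image layout (hypothetical, not taken from any real file):
# a .text section, an IAT living inside .rdata, and an extra section appended
# at the end of the image of the kind a file infector typically adds.
IMAGE_BASE = 0x00400000
TEXT = Section(".text", IMAGE_BASE + 0x1000, 0x1000)
RDATA = Section(".rdata", IMAGE_BASE + 0x2000, 0x1000)
APPENDED = Section(".vir", IMAGE_BASE + 0x5000, 0x1000)   # hypothetical name
SECTIONS = [TEXT, RDATA, APPENDED]
IAT_RANGE = (RDATA.va + 0x100, RDATA.va + 0x140)          # 16 import slots


def section_of(addr: int, sections: List[Section]) -> Optional[str]:
    for s in sections:
        if s.contains(addr):
            return s.name
    return None


def scan_calls(code: bytes, code_va: int, sections: List[Section],
               iat: Tuple[int, int]) -> List[Finding]:
    """Linear byte-pattern scan of a code section for two x86 call encodings:

        E8 rel32        call rel32                 (direct call)
        FF 15 disp32    call dword ptr [disp32]    (indirect call through an IAT slot)

    A direct call whose target leaves .text, or an indirect call whose slot is
    not inside the IAT, is flagged. This is a heuristic, not a disassembler:
    0xE8 can also occur inside other instructions or data, so a real scanner
    disassembles from the entry point instead of matching raw byte patterns.
    """
    findings: List[Finding] = []
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0xE8 and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF
            home = section_of(target, sections)
            findings.append(Finding(i, "direct", target, home, home != ".text"))
            i += 5
        elif code[i] == 0xFF and i + 6 <= n and code[i + 1] == 0x15:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            home = section_of(slot, sections)
            in_iat = iat[0] <= slot < iat[1]
            findings.append(Finding(i, "indirect", slot, home, not in_iat))
            i += 6
        else:
            i += 1
    return findings


def hijack_targets(findings: List[Finding]) -> Dict[int, List[int]]:
    """Group flagged call sites by target. Several sites sharing one
    out-of-section target is the trace left by an infector that patched every
    occurrence of a chosen API call."""
    out: Dict[int, List[int]] = {}
    for f in findings:
        if f.suspicious:
            out.setdefault(f.target, []).append(f.offset)
    return out


def _rel32(call_offset: int, target: int) -> bytes:
    """rel32 operand for an E8 call located at call_offset inside TEXT."""
    next_ip = TEXT.va + call_offset + 5
    return struct.pack("<i", target - next_ip)


# Constructed sample: a tiny function with two IAT calls, one in-section direct
# call and one direct call diverted into the appended section.
SAMPLE_CODE = (
    b"\x55"                                               # 0:  push ebp
    + b"\x8b\xec"                                         # 1:  mov ebp, esp
    + b"\xff\x15" + struct.pack("<I", IAT_RANGE[0])       # 3:  call [IAT slot 0]
    + b"\xe8" + _rel32(9, TEXT.va + 0x200)                # 9:  call .text+0x200
    + b"\x90"                                             # 14: nop
    + b"\xff\x15" + struct.pack("<I", IAT_RANGE[0] + 4)   # 15: call [IAT slot 1]
    + b"\xe8" + _rel32(21, APPENDED.va + 0x10)            # 21: call .vir+0x10 (diverted)
    + b"\xc3"                                             # 26: ret
)

if __name__ == "__main__":
    results = scan_calls(SAMPLE_CODE, TEXT.va, SECTIONS, IAT_RANGE)
    for f in results:
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"+{f.offset:02x} {f.kind:8} -> {f.target:08x} ({f.home}) {flag}")
    print(hijack_targets(results))
```

On a real PE the section table, image base and IAT bounds would come from the headers rather than constants, and the scan would follow the disassembly from the entry point; the byte-pattern approach here is only meant to show what the heuristic checks, and a byte 0xE8 inside an unrelated instruction or in inline data will produce a false positive.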

