funsec mailing list archives

Re: Re: Question about Viruses


From: Peter Kosinar <goober () nuf ksp sk>
Date: Sat, 8 Jul 2006 18:15:36 +0200 (CEST)

Nope, unless you inserted the newline into some kind of string, you've
only doubled the number of source codes... Though, you could have
also tried space<->tab and CRLF<->LF conversion (and combination thereof),
thus quadrupling the number of sources! :-)

Forgive the ignorance, but is that all a polymorphic virus is? Someone
adding useless code to the app to change its signature?

Depending on what you mean by "adding useless code". First, polymorphism is a property of the virus, not of the author; so it's rather "something adding useless code to itself to avoid detection". Basically, it ranges from simple things like generating the decryption routine from a pre-defined set of instructions, through padding the space between instructions by some equivalents of no-ops, up to generating the code which generates the actual body of the virus (yes, code generating code), and finishing with something like re-building the whole code (akin to de-compilation of itself, mutation and re-compilation).

As you can guess, the higher you go on the scale, the more difficult it is to achieve true functionality (a non-trivial fraction of incredibly difficult-to-detect complicated polymorphic viruses doesn't work for more than one or two generations).

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
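An added illustration, not part of Peter's message or the funsec archive, of two points in the thread: the remark that whitespace changes only multiply the number of "source codes", and the description of padding between instructions with equivalents of no-ops. From the detection side, the toy normalizer below strips both kinds of variation before hashing, so differently padded listings of the same body collapse to one signature; the mnemonic no-op set and both sample listings are constructed for this example.

```python
import hashlib
import re

# Constructed toy model over mnemonics, not machine code.  Each of these
# changes no register or memory, so it can be swapped in between real
# instructions; a byte signature over the raw stream sees every padding
# choice as a different pattern.
SEMANTIC_NOPS = {"nop", "xchg eax, eax", "mov eax, eax", "lea eax, [eax+0]"}
PUSH = re.compile(r"^push (\w+)$")

def _canon(insn):
    """Lower-case, collapse spaces/tabs, normalise comma spacing."""
    insn = re.sub(r"\s+", " ", insn.strip().lower())
    return re.sub(r"\s*,\s*", ", ", insn)

def normalize(listing):
    """Return the listing with no-op padding removed, in original order.
    Drops single semantic no-ops and push/pop pairs on the same register."""
    insns = [_canon(x) for x in listing]
    out, i = [], 0
    while i < len(insns):
        cur = insns[i]
        if cur in SEMANTIC_NOPS:
            i += 1
            continue
        m = PUSH.match(cur)
        if m and i + 1 < len(insns) and insns[i + 1] == f"pop {m.group(1)}":
            i += 2
            continue
        out.append(cur)
        i += 1
    return out

def raw_signature(listing):
    """Hash of the listing as written; any padding or whitespace change breaks it."""
    return hashlib.sha256("\n".join(listing).encode()).hexdigest()

def normalized_signature(listing):
    """Hash of the normalized listing; stable across padding and whitespace."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()

# Constructed samples: one small decryption loop, two paddings plus tab/space
# variation.  raw_signature differs between them; normalized_signature matches.
VARIANT_A = ["mov ecx, 8", "top:", "xor byte [esi], 0x5a", "nop",
             "inc esi", "push ebx", "pop ebx", "dec ecx", "jnz top"]
VARIANT_B = ["mov\tecx,8", "top:", "lea eax, [eax+0]", "xor byte [esi], 0x5a",
             "inc esi", "MOV EAX, EAX", "dec ecx", "xchg eax,eax", "jnz top"]
```

A real scanner works on bytes or on an emulated execution trace rather than on mnemonics, but the principle is the same: canonicalize before matching, or the attacker picks the signature.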