funsec mailing list archives
Re: Re: Question about Viruses
From: Peter Kosinar <goober () nuf ksp sk>
Date: Sat, 8 Jul 2006 18:15:36 +0200 (CEST)
Nope, unless you inserted the newline into some kind of string, you've only doubled the number of source codes... Though, you could have also tried space<->tab and CRLF<->LF conversion (and combination thereof), thus quadrupling the number of sources! :-)

> Forgive the ignorance, but is that all a polymorphic virus is? Someone adding useless code to the app to change its signature?
Depending on what you mean by "adding useless code". First, polymorphism is a property of the virus, not of the author; so it's rather "something adding useless code to itself to avoid detection". Basically, it ranges from simple things like generating the decryption routine from a pre-defined set of instructions, through padding the space between instructions by some equivalents of no-ops, up to generating the code which generates the actual body of the virus (yes, code generating code), and finishing with something like re-building the whole code (akin to de-compilation of itself, mutation and re-compilation).
As you can guess, the higher you go on the scale, the more difficult it is to achieve true functionality (a non-trivial fraction of incredibly difficult-to-detect complicated polymorphic viruses doesn't work for more than one or two generations).
Peter

--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
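The whitespace trick in the reply above (space<->tab and CRLF<->LF, "quadrupling the number of sources") is the bottom rung of the polymorphism scale Peter describes, and it is also the rung that is easiest to neutralise on the detection side. The following Python is an added example, not code from the thread: it hashes a constructed sample source in all four whitespace variants, shows that whole-file hashes see four different samples, and then canonicalises whitespace before hashing so the four collapse to one fingerprint.

```python
import hashlib
import re

# Constructed sample source: one tiny C program, plus the whitespace-only
# rewrites the post mentions (space<->tab, CRLF<->LF and their combination).
BASE_SOURCE = "int main(void)\n{\n    return 0;\n}\n"


def whitespace_variants(src: str) -> dict:
    """Return the four whitespace-only rewrites of src (same program, four files)."""
    lf_tab = src.replace("    ", "\t")
    return {
        "lf_space": src,
        "lf_tab": lf_tab,
        "crlf_space": src.replace("\n", "\r\n"),
        "crlf_tab": lf_tab.replace("\n", "\r\n"),
    }


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def canonicalize(src: str) -> str:
    """Fold the whitespace choices that do not change the program:
    CRLF/CR -> LF, any run of blanks or tabs -> one space, no edge blanks.
    Caveat raised in the thread: whitespace inside a string literal *is*
    meaningful, so this also merges some genuinely different programs; for
    signature matching that over-approximation is usually acceptable."""
    text = src.replace("\r\n", "\n").replace("\r", "\n")
    lines = [re.sub(r"[ \t]+", " ", line).strip() for line in text.split("\n")]
    return "\n".join(lines)


def exact_fingerprints(src: str) -> dict:
    """Whole-file hashes: every whitespace variant looks like a new sample."""
    return {name: sha256_hex(v) for name, v in whitespace_variants(src).items()}


def canonical_fingerprints(src: str) -> dict:
    """Hashes taken after canonicalization: the variants collapse to one."""
    return {name: sha256_hex(canonicalize(v)) for name, v in whitespace_variants(src).items()}


if __name__ == "__main__":
    print("distinct exact hashes:    ", len(set(exact_fingerprints(BASE_SOURCE).values())))
    print("distinct canonical hashes:", len(set(canonical_fingerprints(BASE_SOURCE).values())))
```

The same idea (normalise, then match) is what a scanner has to do for the higher rungs as well, only there the normaliser has to understand instruction equivalences rather than whitespace.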