Vulnerability Development mailing list archives
Re: Why not a changeling?
From: mrousseau () LABCAL COM (Maxime Rousseau)
Date: Tue, 23 May 2000 10:00:38 -0400
I think the idea is to split up the descrambler into many parts that would not be detectable by themselves. If you mess up the line order of the operations, the AV will not be able to detect a long sequence of 'maliciously' tagged operations. If you get it well, the only kind of lines the AV will have to work with will be stuff like "if (true) then" or other standard-looking mathematical operations that might happen in any script.

Say you encrypt your virus prior to spreading with a key that is the infected hard disk's serial number (that would be a bad idea, but anyway); if you have your key in a variable that has a randomly long name and use a ROT13 variant in regards to that key... There is nothing that is very virus-specific besides the payload, and that's scrambled. That looks very nice in theory, but I'm not sure if it's all that easy to code :)

Another cute solution: can an anti-virus read into a .vbe file? (Microsoft obfuscated VBScript.)

! From: sigipp () WELLA COM BR
!
! Just one question (maybe I did not understand the whole thing): If a virus is
! built of two parts, a "payload" and a scrambler/descrambler with proprietary
! algorithm, the virus scanners do not depend on detecting the "payload", they
! simply depend on detecting the scrambler.
!
! Well, you could scramble the scrambler, but you see...
!
! The only thing I can imagine is using a standard scrambler (like md5), which is
! installed at the user and is not part of the virus. The result of the scrambler
! should depend on a key (unlike simple compacting, zip and the like), and this
! key should be part of the virus, and on reduplicating itself, it should randomly
! generate a new key.
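The following is an added illustration of the payload/scrambler split argued over in this message and the quoted one; it is example code written for this archive page, not code from either poster or from any real virus. It assumes a harmless string as the "payload", a repeating-key XOR as the "proprietary" scrambler, a byte-exact substring search as the scanner, and it goes one step past the thread by adding the counter-check a scanner author would add against the random-variable-name trick (collapsing identifiers before matching). The names PAYLOAD, STUB_TEMPLATE, make_copy, descramble, signature_hit and normalized_signature_hit are all constructed for this example.

```python
"""Toy model of the payload/scrambler split discussed in the thread.

Constructed illustration: the "payload" is a harmless string, the
"proprietary scrambler" is a repeating-key XOR, and the "scanner" is a
byte-exact substring search, which is what a signature scanner does.
"""
import os
import re

# Constructed, harmless stand-in for the payload: the only part that is
# actually specific to the "virus", so the obvious thing to sign on.
PAYLOAD = b"print('this string stands in for the payload')"

# The descrambler stub every copy carries. KEYVAR is a placeholder so the
# "randomly long variable name" trick from the message can be modelled.
STUB_TEMPLATE = (
    b"KEYVAR = key\n"
    b"for i in range(len(data)):\n"
    b"    data[i] ^= KEYVAR[i % len(KEYVAR)]\n"
)


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call scrambles and descrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(key: bytes = b"", varname: bytes = b"") -> bytes:
    """Produce one replicated copy: stub, key line, scrambled payload.

    A fresh random key per copy is the quoted message's "randomly generate
    a new key"; a random variable name is this message's renaming idea.
    """
    key = key or os.urandom(8)
    varname = varname or b"v" + os.urandom(6).hex().encode()
    stub = STUB_TEMPLATE.replace(b"KEYVAR", varname)
    return stub + b"key=" + key.hex().encode() + b"\n" + xor_scramble(PAYLOAD, key)


def descramble(copy: bytes) -> bytes:
    """What the stub does at run time: read the key line, undo the XOR."""
    _stub, _, rest = copy.partition(b"key=")
    keyhex, _, ciphertext = rest.partition(b"\n")
    return xor_scramble(ciphertext, bytes.fromhex(keyhex.decode()))


def signature_hit(copy: bytes, signature: bytes) -> bool:
    """Byte-exact signature scan, the scanner model the thread argues about."""
    return signature in copy


def normalized_signature_hit(copy: bytes, signature: bytes) -> bool:
    """Same scan after collapsing every identifier to a fixed token.

    This is the check a scanner author adds once variable names are
    randomized: the stub's shape, not its spelling, becomes the signature.
    """
    def canon(text: bytes) -> bytes:
        return re.sub(rb"\b[A-Za-z_]\w*\b", b"ID", text)
    return canon(signature) in canon(copy)


def demo(key: bytes = bytes.fromhex("1337c0def00dbabe"),
         varname: bytes = b"v9f3a1c2d4e") -> dict:
    """Fixed key and name so the results are reproducible."""
    copy = make_copy(key, varname)
    return {
        # Scrambled payload: a signature on the plaintext never matches.
        "payload_sig_hits": signature_hit(copy, PAYLOAD[:16]),
        # Renamed key variable: the byte-exact stub signature misses too.
        "stub_sig_hits": signature_hit(copy, STUB_TEMPLATE),
        # ...until identifiers are normalized, then the stub is found again.
        "normalized_stub_sig_hits": normalized_signature_hit(copy, STUB_TEMPLATE),
        # The copy is still functional: the payload comes back intact.
        "payload_recovered": descramble(copy) == PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    # Two copies with different keys share the stub but differ elsewhere.
    a, b = make_copy(varname=b"KEYVAR"), make_copy(varname=b"KEYVAR")
    print("stub found in both:", signature_hit(a, STUB_TEMPLATE) and signature_hit(b, STUB_TEMPLATE))
    print("copies identical:", a == b)
```

Running it shows the two sides of the argument in one place: with the key regenerated per copy, no byte sequence of the payload survives to be signed on, exactly as the quoted message says, but the unchanged stub is found in every copy, which is sigipp's point about scanners keying on the scrambler. Renaming the key variable defeats the byte-exact stub signature, and identifier normalization gets it back, which is why splitting and reordering the stub (this message's first suggestion) is the harder part to counter, not the renaming.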
Current thread:
- fdmount 0.8 exploit, (continued)
- fdmount 0.8 exploit Paulo Ribeiro (May 22)
- Conserver Overflow James Snow (May 23)
- Re: Why not a changeling? Jeff Bachtel (May 23)
- Re: Why not a changeling? Michael H. Warfield (May 24)
- Re: Why not a changeling? Michael Wojcik (May 22)
- Re: Why not a changeling? White Vampire (May 23)
- Re: Why not a changeling? Dick St.Peters (May 25)
- Re: Why not a changeling? White Vampire (May 25)
- Re: Why not a changeling? White Vampire (May 23)
- Re: Why not a changeling? sigipp () WELLA COM BR (May 22)
- Re: Why not a changeling? Michael Wojcik (May 22)
- Re: Why not a changeling? Maxime Rousseau (May 23)
- Re: Why not a changeling? Michael Wojcik (May 23)
- Re: Why not a changeling? White Vampire (May 25)
- Re: Why not a changeling? rain forest puppy (May 23)
- Re: Why not a changeling? Michael Wojcik (May 25)
- Re: Why not a changeling? prole (May 25)
- Re: Why not a changeling? Maxime Rousseau (May 25)
- Re: Why not a changeling? sigipp () WELLA COM BR (May 29)