Vulnerability Development mailing list archives
Re: Why not a changeling?
From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Wed, 24 May 2000 14:45:13 -0400
On Mon, May 22, 2000 at 08:58:29AM -0300, sigipp () WELLA COM BR wrote:
Hi,
Just one question (maybe I did not understand the whole thing): If a virus is built of two parts, a "payload" and a scrambler/descrambler with a proprietary algorithm, the virus scanners do not depend on detecting the "payload", they simply depend on detecting the scrambler.
Well, you could scramble the scrambler, but you see...
The only thing I can imagine is using a standard scrambler (like md5), which is installed at the user and is not part of the virus. The result of the scrambler should depend on a key (unlike simple compacting, zip and the like), and this key should be part of the virus, and on reduplicating itself, it should randomly generate a new key.
A really amazing idea would be to create a scrambled virus which, when descrambled with one key, results in one virus, and when descrambled with another key, results in another virus. Well, but that's utopia.
If I missed anything, let me know.

Greetings Siegfried Gipp

How about this for an idea... This is primarily for the script type viruses and worms... Actual compiled code could be made to do the same thing, only much, much uglier... Two parts. Not a scrambler, but a descrambler that's the head. Then you have the payload. Within the payload is a special scrambler (actually several scramblers and reference descramblers) that does several things.

1) It rehashes all the comments. The comments could be random noise, or deliberately deceptive code fragments.

2) It randomizes the variable names. This isn't as difficult as it might sound. All you need is a table of variable names to translate (which can include the variable names in the scrambler/translator) and run them (including the table) through a randomizer. What comes out is an identical program with all the variable names hashed to new variable names and a new variable name translation table for the next iteration.

3) Randomize all neutral white space. Basically take all the free form white space separators and turn them into variable amounts of tabs, spaces, line feeds, carriage returns, and form feeds. Different lengths and composition.

4) Randomize the order of certain blocks of order independent code (like variable initialization - just reorder the blocks or lines). If you have functions, you might try reordering the functions, but I don't think that will buy you much.

5) Selects a new scrambler (encoder) and descrambler (decoder) from a set of selections and introduces a new key at random.

6) Encodes the new payload with the new key using the new scrambler algorithm and tacks it behind the new descrambler, which includes new comments, new variable names, and new varying amounts of white space.

Keep your fixed strings to a minimum length (assemble them in those order independent blocks that get randomized) and you have a mutation engine that will play hell with signature based detectors.
I agree with others... The solution is not in detecting patterns or signatures. The solution is in prohibiting active content, whether it's live scripts in E-Mail or documents with virulent macros. The problem is being attacked at the wrong point with the detectors (but, if that's all we got, we use what we can).

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
(The Mad Wizard)    | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9     | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
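As an added example, not from the thread, here is the detector's side of items 1) to 3) above: a canonicalizer that discards comments and white space and alpha-renames identifiers before hashing, so two variants that differ only in those respects produce the same signature. The token grammar and the two benign sample scripts are constructed for this example; block reordering and re-encoding (items 4) to 6)) are not normalized by it.

```python
import hashlib
import re

# Added example, not from the thread: canonicalize a script before hashing so
# that steps 1-3 above (new comments, renamed variables, reshuffled white space)
# no longer change the signature; steps 4-6 (reordering, re-encoding) are not undone.
TOKEN_RE = re.compile(r"""
      (?P<comment>\#[^\n]*)              # comments: dropped
    | (?P<string>"[^"\n]*"|'[^'\n]*')    # string literals: kept verbatim
    | (?P<number>\d+)
    | (?P<ident>[A-Za-z_]\w*)
    | (?P<op>[^\s\w])                    # one punctuation char per token
    | (?P<ws>\s+)                        # whitespace: dropped
""", re.VERBOSE)
KEYWORDS = {"if", "else", "while", "for", "in", "return", "def", "print"}

def canonicalize(src):
    """Drop comments/whitespace; rename non-keyword identifiers v0, v1, ... by first use."""
    names, out = {}, []
    for m in TOKEN_RE.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "ident" and text not in KEYWORDS:
            text = names.setdefault(text, "v%d" % len(names))
        out.append(text)
    return " ".join(out)

def canonical_hash(src):
    """Signature computed over the canonical form instead of the raw bytes."""
    return hashlib.sha256(canonicalize(src).encode()).hexdigest()

def same_family(a, b):
    return canonical_hash(a) == canonical_hash(b)

# Constructed benign snippets: VARIANT_B is VARIANT_A after steps 1-3.
VARIANT_A = '''
# harmless sample: count to three
count = 0
while count < 3:
    print("tick")   # emit one line per iteration
    count = count + 1
'''
VARIANT_B = '''
# decoy fragment, deliberately noisy: for i in range(99): pass
qz9   =   0
while   qz9 < 3 :
        print( "tick" )
        qz9 = qz9   +   1
'''
```

A raw-byte signature of VARIANT_A would miss VARIANT_B; the canonical hash matches both while still distinguishing a script whose tokens actually differ.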