WimHamhuis
Found @ website : http://z0mbie.host.sk/pww.txt
PERVERT WORLD WIDE
------------------
Almost all trojans and viruses are detected using simple signatures,
which means that a simple CRC is calculated on the entire file, or on
some parts of the code being checked.
There are thousands of simple signatures already stored in the antiviral
databases. Each signature is equivalent to hours of an aver's work.
Using a simple length disassembler and some simple rules, it is possible
to analyze an arbitrary executable file and change some instructions
in it, so that it will run the same as before, but the file's checksum will
be changed.
This means that the antivirus will no longer be able to identify these files
by using the previous checksums.
A tool called "Code Pervertor" was written some years ago. It can
analyze a PE file and swap a few equivalent instructions, such as "test
eax, eax" with "or eax, eax" and vice versa.
Another similar process is "diversification", which means the random
changing of some data offsets within all system DLLs and services.
Diversification complicates exploitation based on fixed address usage and
will probably soon be implemented as a security measure.
Now imagine that some worm "perverted" and "diversified" all executable
files it found on machines over the net. It is likely that the same
vulnerable machines will also contain trojans. So when all these trojans
become unique, what will avers do?
There are two methods of detecting such modified files.
The first method is to modify files before analyzing them, the same as "code
pervertors" do, but without the randomization. For example, if some
instructions can be interchanged with each other, perform one-way changes
only, for example replace all "or eax, eax" with "test eax, eax", but not
vice versa.
This method has tons of negative aspects: there can be many different
methods of file modification, but some of them can be
irreversible.
The second method consists of re-writing all checksum algorithms
and recalculating all the signatures. The new checksum algorithm should
become invariant to simple modifications such as swapping equal
or interchangeable instructions with each other.
This method is something like image recognition, where the new algorithm can
return an equal result for many different data inputs.
This method also has a serious disadvantage. If someone introduced a new
file modification method, the checksum algorithm will have to be once again
changed and all the antiviral signatures recalculated.
A few hundred infected machines with automatic "pervertors" will catch all
the new just-released worms and viruses and modify 'em "on the fly",
automatically spawning new variants.
2004.03.01
But as all good antivirus programmers know, the checksum of the virus definition
file as a whole would be changed, and the antivirus program could then
automatically be instructed to download the virus definition file as a whole, undoing
the damage, or checking the individual entries in the database for correctness.
Wim Hamhuis
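The first detection method z0mbie describes (one-way canonicalization before hashing, so that "or eax, eax" and "test eax, eax" collapse into one spelling) is easy to see in code. The following is an added example, not code from the post or from the "Code Pervertor" tool: it works on a textual disassembly listing rather than raw PE bytes, its two rewrite rules are a constructed rule table (the test/or pair comes from the post; the xor/sub zeroing pair is an assumption of the same kind), and the two listings are constructed sample input. Because every rule only ever emits the canonical form, normalisation is idempotent, which is what keeps the scheme "one-way" and avoids the irreversibility problem the post mentions.

```python
import hashlib
import re

# Constructed one-way rewrite rules: (pattern, canonical replacement).
# Each pattern matches only the non-canonical spelling of an equivalent pair,
# so applying the rules twice gives the same result as applying them once.
CANONICAL_RULES = [
    # "or REG, REG" sets the same flags as "test REG, REG" (pair named in the post)
    (re.compile(r"^or\s+(\w+),\s*\1$"), r"test \1, \1"),
    # "sub REG, REG" zeroes REG with the same flag result as "xor REG, REG" (assumed pair)
    (re.compile(r"^sub\s+(\w+),\s*\1$"), r"xor \1, \1"),
]


def normalize_instruction(insn: str) -> str:
    """Return the canonical spelling of one disassembled instruction line."""
    text = " ".join(insn.strip().lower().split())   # collapse whitespace
    text = re.sub(r"\s*,\s*", ", ", text)           # one space after each comma
    for pattern, canonical in CANONICAL_RULES:
        if pattern.match(text):
            return pattern.sub(canonical, text)
    return text


def normalize_listing(listing: str) -> list[str]:
    """Normalise every non-empty line of a disassembly listing."""
    return [normalize_instruction(line)
            for line in listing.strip().splitlines() if line.strip()]


def raw_digest(listing: str) -> str:
    """Plain signature over the bytes as given (what a simple CRC-style check does)."""
    return hashlib.sha256(listing.encode()).hexdigest()


def normalized_digest(listing: str) -> str:
    """Signature over the canonicalised listing: invariant to the swaps above."""
    return hashlib.sha256("\n".join(normalize_listing(listing)).encode()).hexdigest()


# Constructed sample: the same routine before and after equivalent-instruction swaps.
ORIGINAL = """
push ebp
mov ebp, esp
xor ecx, ecx
mov eax, [ebp+8]
test eax, eax
jz done
inc ecx
done:
pop ebp
ret
"""

PERVERTED = """
push  ebp
mov   ebp,esp
sub   ecx,ecx
mov   eax,[ebp+8]
or    eax,eax
jz    done
inc   ecx
done:
pop   ebp
ret
"""

if __name__ == "__main__":
    print("raw digests equal:       ", raw_digest(ORIGINAL) == raw_digest(PERVERTED))
    print("normalized digests equal:", normalized_digest(ORIGINAL) == normalized_digest(PERVERTED))
```

Run as a script, the raw digests differ while the normalised digests agree. Hashing the canonical form is also the second method in the post viewed from the other side: a checksum that is invariant to a set of swaps is exactly a checksum computed after those swaps have been undone, and, as the post notes, every new rewrite rule an attacker adds means another rule here and a recomputation of the stored signatures.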