VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Pervert world wide

29a [#8
March 2004

[Back to index] [Comments]

Almost all trojans and viruses are detected using simple signatures. Which means that simple crc is calculated on the entire file, or on some parts of the code being checked.

There are thousands of simple signatures already stored in the antiviral databases. Each signature is equivalent to hours of an aver's work.

Using simple length disassembler and some simple rules, it is possible to analyze an arbitrary executable file and change some instructions in it, so that it will run the same as before, but file's checksum will be changed.

This means that antivirus will no longer be able to identify these files by using the previous checksums.

A tool called "Code Pervertor" was written some years ago. It can analyze a PE file and swap a few equivalent instructions, such as "test eax, eax" with "or eax, eax" and vice versa.

Another similar process is "diversification", which means the random changing of some data offsets within all system DLLs and services. Diversification complicates exploitation based on fixed address usage and will probably soon be implemented as a security measure.

Now imagine that some worm "perverted" and "diversified" all executable files it found on a machines over the net. It is likely that the same vulnerable machines will also contain trojans. So when all these trojans become unique, what avers will do?

There are two methods of detecting such a modified files.

First method is to modify files before analyzing, the same as "code pervertors" do, but without the randomization. For example, if some instructions can be interchanged with each other, perform one-way changes only, for example replace all "or eax, eax" with "test eax, eax", but not vice versa.

This method has tons of negative aspects: there can be many different methods of file modification, but some of them can be irreversible.

The second method consists of re-writing all checksum algorithms and recalculating all the signatures. The new checksum algorithm should become invariant to simple modifications such as swapping equal or interchangable instructions with each other.

This method is something like image recognition, where the new algorithm can return an equal result for many different data inputs.

This method also has a serious disadvantage. If someone introduced a new file modification method, the checksum algorithm will have to be once again changed and all the antiviral signatures recalculated.

A few hundred infected machines with automatic "pervertors" will catch all the new just-released worms and viruses and modify 'em "on the fly", automatically spawning new variants.

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka