Msg : 3986 / 4681
1999-08-21 10:52:44

To  : All

Subj: In the light of recent events 9


Hi All!

from DP: 

=== Cut === 
and one more thing: I found an article by Vesselin Bontchev in which he describes a similar kind of mutation, only applied to virus construction kits :)
(just don't take this as an accusation of plagiarism - you know I couldn't care less about such notions - but it looks a lot like walking down a path already paved by the antivirus people)

=== Cut === 
2.3. Virus Mutators. 

This threat is connected with the "glut", the "virus authoring 
packages", and the "polymorphism" problems, mentioned elsewhere in 
this paper. 

The idea is to create a program that takes an existing program (e.g., 
a known virus) and modifies it in such a way as to create an 
equivalent program. For instance, adjacent instructions that are not 
position-dependent could be swapped, one instruction could be replaced 
by a sequence of instructions that do the same thing, or with a call 
to a subroutine that does the same thing, and so on. Essentially, the 
MtE routine does exactly that to the decryptors it generates. The 
trick is to apply this method to a whole program, e.g. a virus. 

It is extremely difficult to create such a "mutating" program, but it 
is a far from impossible task. Therefore, in a worst-case scenario we 
should assume that sooner or later somebody will do it. 

Once such a program is created, a virus writer could take it and 
"apply" it to a whole collection of known viruses. The result will be 
that hundreds of new viruses will be generated. They will be very 
similar to the original ones, and many of them will probably be detected 
as variants by the existing scanners, but nevertheless there will be 
hundreds, if not thousands, of new viruses. And applying the program 
many times will result in many more thousands of new viruses being 
generated. The viruses themselves will not be polymorphic - they will 
be just new, and it will be very easy to generate them. 

Such a program (we shall call it a "virus mutator") will quickly make 
obsolete any known-virus scanners, virus classification schemes, or 
even virus authoring packages. It will be the ultimate virus 
authoring package. With it, everybody will be able to generate a 
practically unlimited number of new viruses, even without knowing what 
a virus is. And there will be no way a scanner could cope with the 
output of such a program, because the problem of equivalent program 
transformation is known to be NP-complete. 

What could be done about it? Firstly, no such program exists yet, 
and it is extremely difficult to write one, so this is not an imminent 
danger. Besides, most virus writers do not demonstrate any 
significant knowledge of the theory of algorithms. Secondly, one could 
use a known-virus scanner to detect at least those of the viruses 
generated by a virus mutator that have been found in the wild. 
Third, some algorithms for automatic scan string capturing could be 
implemented, like the ones used in the anti-virus product Victor 
Charlie. They work quite well for non-polymorphic viruses. Finally, 
the users should be educated not to rely on known-virus scanning 
techniques alone. 
=== Cut === 


With best regards, Kostya Volkov aka Reminder 

--- 
* Origin: 2B OR (NOT 2B) = FF (2:4631/17) 
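As an added illustration of the scanning point in the quoted section (example code written for this page, not part of the original message or of Bontchev's paper): a toy scan-string matcher over a made-up assembly syntax, beside a normaliser that folds a few well-known equivalent instruction forms (register-zeroing idioms, add/sub by one) and orders adjacent register-independent instructions deterministically before matching. The known sample, the hand-written variant, the scan string and the idiom table are all constructed for the example; the model ignores flags and memory, never reorders control flow, and is a heuristic normaliser, not a decision procedure for program equivalence (which the quoted text calls hard in general).

```python
"""Toy demo: a fixed scan string misses an 'equivalent' variant of a known
program, while matching on a normalised instruction stream recovers it.
Constructed example; the syntax, idioms and samples are not real samples."""

import re

# Constructed samples in a simplified "mnemonic op1, op2" syntax.
KNOWN = """
    mov ax, 0
    mov cx, 10
    mov dx, 80h
    int 21h
"""
# Hand-written variant: zeroing idiom substituted and two independent
# instructions swapped, exactly the two transformations the text describes.
VARIANT = """
    mov cx, 10        ; swapped with the zeroing instruction
    xor ax, ax        ; same effect as mov ax, 0 (flags ignored here)
    mov dx, 80h
    int 21h
"""
# An unrelated program that must not match.
OTHER = """
    mov ax, 4c00h
    int 21h
"""
# Scan string captured from the known sample (three instructions).
SIGNATURE = """
    mov ax, 0
    mov cx, 10
    mov dx, 80h
"""

ZERO_IDIOMS = {"xor", "sub"}                 # xor r,r / sub r,r  ->  mov r,0
NO_REORDER = ("j", "call", "ret", "int", "push", "pop", "loop")
REG_RE = re.compile(r"\b[a-z]{2,3}\b")      # crude register-token matcher


def parse(text):
    """Split assembly text into (mnemonic, [operands]) tuples, dropping comments."""
    prog = []
    for line in text.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip().lower() for o in parts[1].split(",")] if len(parts) > 1 else []
        prog.append((mnem, ops))
    return prog


def fmt(insn):
    return insn[0] + (" " + ", ".join(insn[1]) if insn[1] else "")


def canon_insn(insn):
    """Rewrite known-equivalent forms to one canonical spelling."""
    mnem, ops = insn
    if mnem in ZERO_IDIOMS and len(ops) == 2 and ops[0] == ops[1]:
        return ("mov", [ops[0], "0"])
    if mnem == "add" and len(ops) == 2 and ops[1] == "1":
        return ("inc", [ops[0]])
    if mnem == "sub" and len(ops) == 2 and ops[1] == "1":
        return ("dec", [ops[0]])
    return (mnem, ops)


def independent(a, b):
    """True if two adjacent instructions may be reordered in this toy model:
    neither touches memory or control flow, and they share no register."""
    for insn in (a, b):
        if insn[0].startswith(NO_REORDER) or any("[" in op for op in insn[1]):
            return False
    regs_a = {r for op in a[1] for r in REG_RE.findall(op)}
    regs_b = {r for op in b[1] for r in REG_RE.findall(op)}
    return not (regs_a & regs_b)


def canonicalize(prog):
    """Fold idioms, then bubble adjacent independent instructions into
    lexicographic order so swapped pairs end up in the same sequence."""
    prog = [canon_insn(i) for i in prog]
    changed = True
    while changed:                        # terminates: each swap removes one inversion
        changed = False
        for k in range(len(prog) - 1):
            a, b = prog[k], prog[k + 1]
            if independent(a, b) and fmt(b) < fmt(a):
                prog[k], prog[k + 1] = b, a
                changed = True
    return prog


def contains(haystack, needle):
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def raw_match(sample, signature):
    """Plain scan-string matching on the instruction text as written."""
    return contains([fmt(i) for i in parse(sample)], [fmt(i) for i in parse(signature)])


def canon_match(sample, signature):
    """Scan-string matching after both sides are normalised."""
    return contains([fmt(i) for i in canonicalize(parse(sample))],
                    [fmt(i) for i in canonicalize(parse(signature))])


if __name__ == "__main__":
    for name, prog in (("known", KNOWN), ("variant", VARIANT), ("other", OTHER)):
        print(f"{name:8s} raw={raw_match(prog, SIGNATURE)!s:5s} canonical={canon_match(prog, SIGNATURE)}")
```

The raw matcher finds the known sample and misses the variant; the normalising matcher finds both and still rejects the unrelated program. The same caveat applies to the scan string itself: it has to be captured from the normalised stream, and a string cut through a pair of independent instructions can be reordered differently in the sample than in the signature, so capture points should sit at dependency boundaries.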
VX Heavens - a collection of viruses, source code and articles.