Ant brought next idea :
> "FromTheRafters" wrote:
>
>> Ant presented the following explanation :
>>> WRT R Lopez's OP; it is very easy to create an executable that has a
>>> unique signature on every download. There is no need for any special
>>> encryption techniques. One way would be to build an executable with a
>>> section that is never used and fill it with random data. A script on
>>> the server then generates a random section and puts the thing together
>>> when the file is requested.
>>
>> Yes, I believe that I mentioned server side polymorphism.
>
> So you did.
>
>> Ray asked
>> about malware which encrypts its own signature as opposed to malware
>> which has its encryption or other polymorphism applied from without.
>
> I'm not sure what he means by "the badware uses encryption to change
> its signature". That would imply a virus. However, "badware" could
> mean the controlling software that generates the usual type of malware
> (real viruses are rare these days) - in which case my example applies.

Indeed. I considered the idea of exploit kits as well. He didn't say
virus so there was no need to go into the is it a virus or not debate
and he should be commended for using the term malware. Going by the
post's subject line it seemed to me that he was asking about malware
whose signature is determined and yet then changed by that very same
malware, such as the 'polymorphic slow' virus as mentioned in this
article.

http://repo.hackerzvoice.net/depot_madchat/vxdevl/vdat/polyevol.htm

"'Slow polymorphic' viruses are one such method. They are polymorphic,
but all samples generated on the same machine will seem to have the
same decryptor. This may mislead an anti-virus producer into attempting
to detect the virus with a single search string, as if it was just a
simple encrypted but not polymorphic virus."
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
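
Added example, not part of the original thread: a defender's view of the server-side polymorphism discussed above, showing that a whole-file hash differs between two downloads while a per-section hash of the unchanged part still matches. The container layout, section names and sample bytes are assumptions constructed for illustration, not a real executable format.

```python
import hashlib
import struct

# Toy container (an assumption for this example, not a real PE layout):
# each section is an 8-byte NUL-padded name, a 4-byte big-endian length, then data.
def pack_sections(sections):
    out = b""
    for name, data in sections:
        out += name.encode().ljust(8, b"\0") + struct.pack(">I", len(data)) + data
    return out

def parse_sections(blob):
    sections, pos = {}, 0
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated section header")
        name = blob[pos:pos + 8].rstrip(b"\0").decode()
        (length,) = struct.unpack(">I", blob[pos + 8:pos + 12])
        data = blob[pos + 12:pos + 12 + length]
        if len(data) != length:
            raise ValueError("truncated section data")
        sections[name] = data
        pos += 12 + length
    return sections

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def stable_sections(samples):
    """Names of sections whose hash is identical in every sample."""
    per_sample = [{n: sha256(d) for n, d in parse_sections(s).items()} for s in samples]
    common = set.intersection(*(set(p) for p in per_sample))
    return {n for n in common if len({p[n] for p in per_sample}) == 1}

# Constructed samples: same ".text" bytes, different filler in an unused ".pad" section.
CODE = b"constructed stand-in for program code"
SAMPLES = [
    pack_sections([(".text", CODE), (".pad", bytes(range(32)))]),
    pack_sections([(".text", CODE), (".pad", bytes(reversed(range(32))))]),
]

if __name__ == "__main__":
    print("whole-file hashes:", [sha256(s)[:16] for s in SAMPLES])
    print("stable sections:  ", stable_sections(SAMPLES))
```
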