own3dripy
Let me explain a little bit. Yesterday I had a dream. There was some new worm that spread everywhere via some 0-day exploit.

When it was spreading it made a new copy of itself and executed the copy on the target PC.

While making a new copy it also hex-edited itself every time, so every time a new copy was made it was hex-edited, making it impossible for AVs to detect it?

I'm not a programmer or anything, so I have little to no info about this, but can a virus like this be made? If so, can AVs find a way to detect it every time it makes a new copy?

Don't call me crazy or anything, it was just a dream I had yesterday :)
Insanity
To randomly hex-edit the internal code of the program would be impossible; that is like trying to make 1=2 with no formula, it doesn't work, it is simply impossible, or at least so I presume. I had an idea a lot like yours once though, where I was thinking: say you have a program called hack.exe and it's on your desktop, and say you try to move hack.exe from your desktop to, like, Program Files; on that move it would execute... because I was thinking, imagine uploading onto FTPs etc., you could just automatically have access to them just by a simple move of a button, but then I realized how impossible that would be. Although a great idea, still impossible.
own3dripy
Oh damn.

It would be great if it were possible :)
rageinc
- Or you could just deploy multiple forms of the same virus at the same time. This way not all could be detected at once. Also you could make it update every so often with a new version. Also I wouldn't really see why it would be "impossible" to have a self-hexing worm/virus, only that you would never know what part the AVs would choose in the defs. You might also just have to have a "package" of the virus and the hex editor. Alternately you could put them together some way and make the virus copy itself, then edit only the virus part of the prog. I have no idea if any of this makes sense. Just thinking. Peace ;)
Booster2ooo
One day I was thinking about something similar. In fact, when you delete the bot, it copies itself 2 times in another place, with another name etc., some kind of mythological hydra: when you cut its head, 2 are created ^^
belgther
Unfortunately, that's possible.
The file injects itself into another process, runs there, and edits & saves the original file, so it will work...
shell6
It could make modifications. It is like morphism. The hard part would be *correctly* editing the virus code so that it could do new things.
pedropalmeiro
My first post....
I'm so happy... I'm finally a member of GSO :P

Regarding the hex editing of the .exe, it is possible and it works.
I played with it in the past while studying virii (as a hobby). It is called mutation; basically it works by replacing instructions like mov ax, 0 with xor ax, ax.

Well, at least a few years ago it worked like this with some virii I disassembled.

syslevel2
Make it polymorphic or have it mutate like pedropalmeiro said.
Insanity
Hmmm, so the hex editing can be done (in the context of what we are talking about)...... interesting

and

QUOTE
Unfortunately, that's possible.
The file injects itself into another process, runs there, and edits & saves the original file, so it will work...

I presume you are talking about when someone tries to delete it... Why do you find this unfortunate? Because it's a complete pain in the @s$ or what? Because if I were able to do that I think it would be fascinating... but yeah, I have been hit with a virus that duplicates itself on delete and is moved and renamed, and it drives me nuts!
sp00k
QUOTE(own3dripy @ Jun 26 2005, 07:49 AM)
Let me explain a little bit. Yesterday I had a dream. There was some new worm that spread everywhere via some 0-day exploit.

When it was spreading it made a new copy of itself and executed the copy on the target PC.

While making a new copy it also hex-edited itself every time, so every time a new copy was made it was hex-edited, making it impossible for AVs to detect it?

I'm not a programmer or anything, so I have little to no info about this, but can a virus like this be made? If so, can AVs find a way to detect it every time it makes a new copy?

Don't call me crazy or anything, it was just a dream I had yesterday :)
*

THIS IS POSSIBLE, but not with just coding. It's pretty simple: it won't be like hex editing, it must be like a compressor. I use it on my bots too; they all got updated compressions (private though). I use an old rxbot, I think it's 2 years old now, and it's not detected. It's simply a packed rbot exe, a compressor exe (like UPX, but that would be bad because AVs will detect it), a decompressor exe and an update.exe, all packed in 1 exe that extracts in systemdir. Every time the bots come online they will autorun the update.exe, which will check my site for updated stuff; if it got updated stuff it will automatically run the decompressor first and then update to the new compressor :) Simple method though. I got like 100 bots in 30 sec if I spread :) People think wrong about spreaders. Sub7 spreader doesn't work? That's the only spreader I use :/ I got 60k again after I lost 45k because of account ban of my DNS ^^
cool_one
I think that this could be very possible! If you were to create a polymorphic generator that added random buffers to totally random locations in the code, it could be achieved by making the junk buffers with JMPs over the junk to the original code.

This would look like this.

original

start of VRi
find files
infect files
spread over I-Net
(filtered) the user a bit
laugh in his pwned face
end

start of VRi
JMP dsafasdfasdf
asdfasdfds
find files
infect JMP dskjfkdsjflsdjsad
dsffadffdssa
files
spre JMP sdfjksdfjdsfsa
asdfsdafsadf
ad over I-Net
(filtered) the user a bit
laugh in his pwned face
end

By adding junk to totally random places, the sig of the virii will eventually be split by the junking mechanism, and the junk buffers would never harm it, because the CPU would always see a JMP before the junk and skip over it.
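The detection side of own3dripy's question is answered by what pedropalmeiro and cool_one describe above: the two mutations are instruction substitution (mov ax, 0 vs. xor ax, ax) and junk parked behind JMPs. The following is an added example, not code from this thread or from any AV product, showing how a scanner can undo both before matching: it walks a constructed 16-bit listing the way the CPU would, never enters the junk behind an unconditional JMP, rewrites equivalent zeroing idioms to one spelling, and hashes the result. The listings, labels and idiom table are assumptions made up for the demonstration.

```python
import hashlib
import re

# Constructed 16-bit x86 listings (made up for this example); "infect"
# and "done" are labels outside the listing.
ORIGINAL = "mov ax, 0\nmov ah, 4eh\nint 21h\ncall infect\njmp done"
# Same program after the two mutations discussed above: "mov ax, 0"
# became "xor ax, ax", and junk bytes sit behind short JMPs.
MUTATED = ("jmp l1\ndb 0c3h, 90h, 0ffh\nl1:\nxor ax, ax\nmov ah, 4eh\n"
           "jmp l2\ndb 0deh, 0adh\nl2:\nint 21h\ncall infect\njmp done")

ZERO_IDIOM = re.compile(r"^(xor|sub)\s+(\w+),\s*\2$")  # xor ax, ax etc.
JMP = re.compile(r"^jmp\s+(?:short\s+)?(\w+)$")

def parse(listing):
    """One lowercase instruction per entry; labels map to the next index."""
    instrs, labels = [], {}
    for raw in listing.splitlines():
        line = raw.split(";")[0].strip().lower()
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
        elif line:
            instrs.append(line)
    return instrs, labels

def canonical(line):
    """Map equivalent register-zeroing encodings onto one spelling."""
    m = ZERO_IDIOM.match(line)
    return f"mov {m.group(2)}, 0" if m else line

def trace(listing):
    """Walk the listing as the CPU would: follow JMPs to local labels (so
    junk behind them is never seen); stop at a JMP out of it or a loop."""
    instrs, labels = parse(listing)
    path, seen, pc = [], set(), 0
    while pc < len(instrs) and pc not in seen:
        seen.add(pc)
        m = JMP.match(instrs[pc])
        if m and m.group(1) in labels:
            pc = labels[m.group(1)]
            continue
        path.append(canonical(instrs[pc]))
        if m:
            break
        pc += 1
    return path

def trace_signature(listing):
    """Normalised signature: hash of the executed, canonicalised path."""
    return hashlib.sha256("\n".join(trace(listing)).encode()).hexdigest()
```

The raw texts of ORIGINAL and MUTATED differ, so a signature over the bytes on disk misses the mutated copy, while trace_signature() is identical for both.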

Insanity
Yeah... the more I read this thread the more I think we should stop talking about it, because I know the only point to making something like this would be either to hack a hell of a lot of computers or to piss the heck out of people you know... Either way I don't think it's a good idea... I'm sure other people agree, but making this topic knowledgeable to users could be a bad idea....
aapje
QUOTE(Booster2ooo @ Jun 26 2005, 08:01 AM)
One day I was thinking about something similar. In fact, when you delete the bot, it copies itself 2 times in another place, with another name etc., some kind of mythological hydra: when you cut its head, 2 are created ^^
*

You could do that by injecting the virus into another process and hooking the delete-file API, then catching if your own file gets deleted and making new ones.
Mikke8
Isn't it also possible to make an exe with 10 different viruses in it?
When you execute that exe it makes 10 different exes (viruses)
in different paths.
Those 10 will again make the 10 different viruses; this will mean that PC already has 100 viruses (10 different) on it. If those 100 again make 10 exe files you already have 1000 viruses, and so it never stops.
manaox2
While we are being absolutely insane, why not incorporate a free cmdline antivirus scanner that picks up the viruses already infecting the system, then hex-edit them in one of its different ways and incorporate them into itself as it spreads, so as to make newly infected machines attract other crackers and steal their tools. Maybe it can return variations to the maker. I'm sure we could all go on. I don't want to ever see this virus. Some of these ideas are pure evil. Why doesn't someone make the first virus to clean the system of other viruses and spyware, and do some optimizations, all while at a low process state, and then remove itself? I can't be the first person to think of that. It's one of the main reasons that I think many people have less than benign intentions w/e they create a virus.
nolimit
I had a really nice and long reply devised, then my (filtered) DSL cut out again and it was lost. So all I'll say is polymorphic code is common in viruses today, and it's not that difficult to implement. All you need is a simple disassembler to match up commands, and then look for certain opcodes and code blocks that can be duplicated in functionality but are different. Then replace them at random intervals throughout the code.

Changing the exes on each new spread is the standard idea, and is easily done programmatically.
WeeDMoNKeY
Speaking of multiplying... I was cleaning a computer of viruses at work, and the one Windows folder (C:\windows\ and c:\windows\system32) had an INFINITE (or well, a lot) amount of viruses. I can't even remember the name, but the virus seemed to malfunction and kept making dupes of itself, because the virus was only supposed to be a lame ass backdoor or something. Anyhow, after 3 days of continuous scanning in safe mode (P3 2.8GHz with 512 RAM on the machine) it wasn't even close to the end. It went like this:

aasdfasdagasd.exe
absasdf.exe
abbasdfasdfasdf.exe
abbbbasdfasdf.exe
asdfasdfasdf.exe

After 3 days of scanning it was at

casdfasdfasd.exe
ccccasdfasdf.exe
ccccccasdfasdfasdfasdf.exe

I've cleaned off probably thousands of computers now, and I had seen nothing that crazy before. I see like 10 bots a day, and 10 rootkits a day (hence me visiting this site :)). It was intense... but it didn't change, unfortunately. But as someone previously said, WORSE than having 1 close and 2 open, it just kept making dupes. format C: saved the day.
twistedps
QUOTE(cool_one @ Jun 28 2005, 05:33 AM)
I think that this could be very possible! If you were to create a polymorphic generator that added random buffers to totally random locations in the code, it could be achieved by making the junk buffers with JMPs over the junk to the original code.

This would look like this.

original

start of VRi
find files
infect files
spread over I-Net
(filtered) the user a bit
laugh in his pwned face
end

start of VRi
JMP dsafasdfasdf
asdfasdfds
find files
infect JMP dskjfkdsjflsdjsad
dsffadffdssa
files
spre JMP sdfjksdfjdsfsa
asdfsdafsadf
ad over I-Net
(filtered) the user a bit
laugh in his pwned face
end

By adding junk to totally random places, the sig of the virii will eventually be split by the junking mechanism, and the junk buffers would never harm it, because the CPU would always see a JMP before the junk and skip over it.
*

Haha, I love the jump between assembly and back over to English, pseudocode at its finest.
gman24
QUOTE(Booster2ooo @ Jun 26 2005, 01:01 AM)
One day I was thinking about something similar. In fact, when you delete the bot, it copies itself 2 times in another place, with another name etc., some kind of mythological hydra: when you cut its head, 2 are created ^^
*

I have seen something similar on some new virii I hunted down and removed from a customer's machine a long time ago. I think it may be detectable now; I haven't come across it lately.

Basically it starts the shell with "explorer.exe virus.exe", making the virus process show up as explorer.exe. It also will still start up in safe mode because it puts itself in the shell locations in the registry. As long as explorer is running it rewrites itself if virus.exe ever gets deleted, and also spawns other processes with random file names and puts them in startup locations, whose job it is to check on the other processes and files and make sure that stuff that gets deleted or killed gets put back.

It does a lot of other stuff, but that is the interesting part, I thought.