Let me explain a little bit: yesterday I had a dream. There was some new worm that spread everywhere via some 0-day exploit.
When it was spreading it made a new copy of itself and executed the copy on the target PC.
While making a new copy it also hex-edited itself every time, so every time a new copy was made it was hex-edited, making it impossible for AVs to detect it?
I'm not a programmer or anything so I have little to no info about this, but can a virus like this be made? If so, can AVs find a way to detect it every time it makes a new copy?
Don't call me crazy or anything, it was just a dream I had yesterday :)
- Or you could just deploy multiple forms of the same virus at the same time. This way not all could be detected at once. Also you could make it update every so often with a new version. Also I wouldn't really see why it would be "impossible" to have a self-hexing worm/virus, only that you would never know what part the AVs would choose in the defs. You might also just have to have a "package" of the virus and the hex editor. Alternately you could put them together some way and make the virus copy itself, then edit only the virus part of the prog. I have no idea if any of this makes sense. Just thinking. Peace ;)
One day I was thinking about something similar. In fact, when you delete the bot, it copies itself 2 times in another place, with another name etc., some kind of mythological hydra: when you cut off its head, 2 are created ^^
My First Post....
I'm so happy.. I'm finally a member of GSO :P
Regarding the hex editing of the .exe, it is possible and it works.
I played with it in the past while studying viruses (as a hobby). It is called mutation; basically it works by replacing instructions like mov ax, 0 with xor ax, ax.
Well, at least a few years ago it worked like this with some viruses I disassembled.
Hmmm, so the hex editing can be done (in the context of what we are talking about)...... interesting
and
Quote
Unfortunately, that's possible.
The file injects itself into another process, runs there, and edits&saves the original file, so it will work...
I presume you are talking about when someone tries to delete it... why do you find this unfortunate... because it's a complete pain in the @s$ or what? Because if I were able to do that I think it would be fascinating... but yeah, I have been hit with a virus that duplicates itself on delete and is moved and renamed, and it drives me nuts!
THIS IS POSSIBLE, but not with just coding. It's pretty simple: it won't be like hex editing, it must be like a compressor. I use it on my bots too; they all got updated compressions (private though). I use an old rxbot, I think it's 2 years old now, and it's not detected. It's simply a packed rbot exe, a compressor exe (like UPX, but that would be bad because AVs will detect it), a decompressor exe and an update.exe, all packed in 1 exe that extracts in systemdir. Every time the bots come online they will autorun the update.exe, which will check my site for updated stuff; if it got updated stuff it will automatically run the decompressor first and then update to the new compressor :) Simple method though, I got like 100 bots in 30 sec if I spread :) People think wrong about spreaders. Sub7 spreader doesn't work? That's the only spreader I use :/ I got 60k again after I lost 45k because of an account ban of my DNS ^^
I think that this could be very possible! If you were to create a polymorphic generator that added random buffers to totally random locations in the code, it could be achieved by making the junk buffers with JMPs over the junk to the original code.
This would look like this.
original
start of VRi
find files
infect files
spread over I-Net
(filtered) the user a bit
laugh in his pwned face
end
start of VRi
JMP dsafasdfasdf
asdfasdfds
find files
infect JMP dskjfkdsjflsdjsad
dsffadffdssa
files
spre JMP sdfjksdfjdsfsa
asdfsdafsadf
ad over I-Net
(filtered) the user a bit
laugh in his pwned face
end
By adding junk to totally random places, the sig of the virus will eventually be split by the junking mechanism, and the junk buffers would never harm it, because the CPU would always see a JMP before the junk and skip over it.
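The two mutation tricks raised in this thread (swapping mov r,0 for xor r,r, and splitting the code with JMPs over junk) defeat a byte-exact signature but not a scanner that normalizes the instruction stream first. The following is an added example from the detection side, not code from anyone in the thread; it uses a toy decoder for a handful of x86-32 opcodes and constructed sample bytes.

```python
# Added example (not from the thread): normalize a code stream before matching so
# the mutations discussed above (xor r,r for mov r,0; JMP over junk) don't break
# the signature. Toy decoder for a handful of x86-32 opcodes; constructed bytes.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def normalize(code: bytes) -> tuple:
    """Decode, following short JMPs (EB rel8) instead of emitting them and
    rewriting `xor r,r` as `mov r,0`; `seen` guards against JMP loops."""
    out, pc, seen = [], 0, set()
    while 0 <= pc < len(code) and pc not in seen:
        seen.add(pc)
        op = code[pc]
        if 0xB8 <= op <= 0xBF and pc + 5 <= len(code):      # mov r32, imm32
            imm = int.from_bytes(code[pc + 1:pc + 5], "little")
            out.append(("mov", REGS[op - 0xB8], imm))
            pc += 5
        elif op == 0x31 and pc + 1 < len(code) and code[pc + 1] >= 0xC0:
            modrm = code[pc + 1]                             # xor r32, r32
            dst, src = REGS[modrm & 7], REGS[(modrm >> 3) & 7]
            out.append(("mov", dst, 0) if dst == src else ("xor", dst, src))
            pc += 2
        elif op == 0xEB and pc + 1 < len(code):              # jmp rel8: follow
            rel = code[pc + 1]
            pc += 2 + (rel - 256 if rel > 127 else rel)
        elif 0x50 <= op <= 0x57:                             # push r32
            out.append(("push", REGS[op - 0x50]))
            pc += 1
        elif op == 0xC3:                                     # ret: stop here
            out.append(("ret",))
            break
        else:                                                # opaque byte
            out.append(("db", op))
            pc += 1
    return tuple(out)

def byte_sig_hit(code: bytes, sig: bytes) -> bool:
    return sig in code                       # classic contiguous byte signature

def norm_sig_hit(code: bytes, sig: tuple) -> bool:
    n = normalize(code)                      # signature over normalized stream
    return any(n[i:i + len(sig)] == sig for i in range(len(n) - len(sig) + 1))

# Constructed samples: the routine (mov eax,0; mov ebx,1; push eax; ret) plainly
# encoded, with xor substitution, and with JMP-over-junk inserted.
CLEAN = bytes.fromhex("B800000000 BB01000000 50 C3")
XOR_VARIANT = bytes.fromhex("31C0 BB01000000 50 C3")
JUNK_VARIANT = bytes.fromhex("EB03 AABBCC B800000000 EB02 DEAD BB01000000 50 C3")
BYTE_SIG = bytes.fromhex("B800000000 BB01000000")
NORM_SIG = (("mov", "eax", 0), ("mov", "ebx", 1), ("push", "eax"))
```

The byte signature hits only CLEAN, while the normalized signature hits all three samples; real engines go much further (emulation, behavioural rules), but this is the core idea behind why the "split the sig with junk" trick has a ceiling.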
Yeah... the more I read this thread the more I think we should stop talking about it, because I know the only point to make something like this would be either to hack a hell of a lot of computers or to piss the heck out of people you know... either way I don't think it's a good idea... I'm sure other people agree, but making this topic knowledgeable to users could be a bad idea....
You could do that by injecting the virus into another process and hooking the delete-file API, then catching when your own file gets deleted and making new ones.
Isn't it also possible to make an exe with 10 different viruses in it?
When you execute that exe it makes 10 different exes (viruses)
in different paths.
Those 10 will again make the 10 different viruses; this will make that PC already have 100 viruses (10 different) on it. If those 100 again make 10 exe files you already have 1000 viruses, and so it never stops.