<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I have to disagree with you (I tried to get out of this one since I
used to work for an AV company) but I agree with Dave completly.<br>
<br>
If sophos is correct why aren't they detecting 100% of the project
mimic from 29a which is over 5 years old? metamorphic was designed and
used on malware, also covert channels ARE used in malware and I have
seen malware use 0hday on java to inject itself.<br>
<br>
Obviously that takes a little more skill than what you are writting
here, since most of antivirus just hook into functions and try to
analize what you are doing and scan if you look like a virus based on
next instructions (That is why antivirus didn't really like Vista's
antihook protection, they just couldn't hook themselves, a no no since
they have their own API!)<br>
<br>
I saw someone that is a Genius (gotta say it), Oded Horowitz (did I get
the last name right) 3 years ago with a code that blowed my mind, a
binary analizer and detected not changes but other stuff (I promised
not to disclose the complete stuff) but I think it would be a good time
to have him on this conversation.<br>
<br>
BTW didn't @stake have a binary decompiler/detection tool? did THAT
ever work?<br>
<br>
BTW I could say the same thing on AVs and analisis:<br>
<br>
- Registry Hook - 100 lines of code<br>
- mail*() hook - 150 lines of code<br>
- _write(), _read(), _open() hooks - 500 lines of code<br>
- Heristics engine - Bought from F-Prot<br>
- Getting owned by a 1024 uppercase zip file name - PRICELESS<br>
<br>
That is why most AVs have to blacklist, and why then you have signature
variations, Kaspersky has smaller sigs because the way they use the
engine, but still, everything can be tricked.<br>
<br>
my $0.02<br>
<br>
//Nahual<br>
<br>
<br>
No Body wrote:
<blockquote
cite="mid4945bec00706121433j7fa76056k7df09115fb089cc3@mail.gmail.com"
type="cite">
<p>I'm curious: what exactly makes writing malware difficult?
Consider a sophisticated modern mass-mailer with a backdoor. In my
experience, it consists of:</p>
<p>A) Code to inject a thread into explorer.exe; that thread then
contains:<br>
B) Code to report to a central server via HTTP;<br>
C) A SOCKS proxy thread and/or remote file system viewer;<br>
D) A routine to scour the disk for email addresses;
<br>
E) An SMTP client;<br>
F) Code to ensure that the worm starts every time the system boots
(almost always via the registry), and maybe<br>
G) Code to make sure its registry key / executable are not deleted.</p>
<div>Each component is no more than 1,000 lines of code, and each is
easily testable. For good measure, the binaries is are usually packed
with either FSG or UPX. </div>
<div> </div>
<div>Your standard IRC trojan is even less sophisticated. Trojan
downloaders are literally less than ten lines of C code to write.
BHOs, as well, are much easier to write than they are to analyze (if
you don't believe me, try it). SymbianOS malware is excruciatingly
difficult to analyze, while the malware authors have an emulator and an
SDK with a rich collection of examples to work with.
</div>
<p>I just don't see the "incredibly hard" part in writing malware:
are you referring to some other class of malware than the ones I've
described? I agree with Sophos (while at the same time thinking AV is
snake-oil): statically analyzing malware is substantially harder than
writing it.
</p>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Dailydave mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com</a>
<a class="moz-txt-link-freetext" href="http://lists.immunitysec.com/mailman/listinfo/dailydave">http://lists.immunitysec.com/mailman/listinfo/dailydave</a>
</pre>
</blockquote>
<br>
</body>
</html>