Differences between version 5 and previous revision of PolyMorphicVirusses.
Newer page: version 5 | Last edited on Thursday, June 3, 2004 6:48:07 pm | by PerryLorier
Older page: version 4 | Last edited on Thursday, June 3, 2004 8:12:44 am | by RuudSchramp
@@ -3,14 +3,14 @@
Virusses clearly are programs. they can have a significant size that make them easy to scan for.
Step one to make a virus polymorphic is to encrypt the most of the program using some form of encryption. However the decrypter would probably still be the same, making a virus scanner scan for that.
However for a certain decryption e.g. a fix XOR of all bytes of the code, several different implementations are possible e.g. by:
-1)
permutation of registers
-2)
replacing register moves by Push Pop operations
-3)
using jmp instructions to alter the order of instructions
-4)
inserting NOP operations
-5)
inserting dummy operations that have no effect on the normal flow
+#
permutation of registers
+#
replacing register moves by Push Pop operations
+#
using jmp instructions to alter the order of instructions
+#
inserting NOP operations
+#
inserting dummy operations that have no effect on the normal flow
etc. etc.
polymorphic virusses include a mutation engine that can create millions of different implementations of the same algorithm. this makes these virusses very difficult to detect by antivirus programs [ClamAV].
[http://en.wikipedia.org/wiki/Computer_virus]
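Review bot: switching the list prefixes from the literal `1)` … `5)` to `#` is the right fix, since the wiki renders `#` as a numbered list and the hand-typed numbers did not, but the unchanged context lines of this hunk still carry spelling and grammar slips that belong in the same edit: `Virusses` and `virusses` for `viruses`, `a fix XOR of all bytes` for `a fixed XOR of all bytes`, `encrypt the most of the program` for `encrypt most of the program`, and the lower-case sentence starts `they can have` and `this makes these virusses` (and `polymorphic virusses include`) which need capitals. The closing `etc. etc.` after the list and the trailing bare `[http://en.wikipedia.org/wiki/Computer_virus]` link would also read better folded into a sentence, e.g. `See also: [http://en.wikipedia.org/wiki/Computer_virus]`, so the page ends with a labelled reference rather than a loose URL.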