kaze
EOF#2
July 2008
The main thing I really enjoy in virus writing is neither spreading nor infecting weird target platforms; it's just evading AV detection. And when I say stealth, I don't mean "kill any AV running on the victim's OS", I mean: not detected. But to be honest, writing a virus that stays undetected long enough is becoming a real challenge. Nowadays, even the most advanced poly engines get detected in a few days. A few years ago, some little tricks like including big loops in decryptors, generating a lot of junk or using uncommon opcodes could fool some of the weakest emulators. But newer techniques like code normalization can easily detect such tricky polymorphic decryptors.
I'll try to present here a new approach to evading AV detection. Instead of increasing the complexity of the decryptor, as most current poly engines tend to, we will try to build a decryptor that looks as common as possible, hoping that the AV will cancel emulation. In other words, we will try to increase the risk of false positives during virus detection. This approach has been implemented in my last virus, win32.leon, which can be found in the virus section of this emag.