Virus Companies Friend or Foe

Started by oex, April 18, 2010, 06:32:38 PM


oex

They are the same size and the icon rc bits ran OK; however, there are differences in the files (some indicated below with FC).

In Explorer tile view, the app and company name don't show on mine, and if you right-click and click Properties, only yours shows a Version tab.


00000088: 04 90
00000089: 62 E2
0000008A: D0 B6
0000010C: 38 14
000001D0: 38 14
00000DC4: 90 8A
00000DD6: FD E2
00000DE6: 98 84
00000DF2: FA F2
00000E00: 3D 22
00000E12: B4 AD
00000E2C: B6 AF
00000E38: 57 48
00000E48: 2D 24
00000E54: F5 ED
00000E5C: F4 D9
00000E6E: 40 31
00000E7C: EE D3
00000E88: E9 E1
00000EA4: 34 09
00000EB8: 9B 80
00000EF2: D7 65
00001004: 04 90
00001005: 62 E2
00001006: D0 B6
0000103C: 04 90
0000103D: 62 E2
0000103E: D0 B6
00001054: 04 90
00001055: 62 E2
00001056: D0 B6
00001068: 9C 78
0000107C: 04 90
0000107D: 62 E2
0000107E: D0 B6
00001094: 04 90
00001095: 62 E2
00001096: D0 B6
000010A8: 84 60
000010BC: 04 90
000010BD: 62 E2
000010BE: D0 B6
000010D4: 04 90
000010D5: 62 E2
000010D6: D0 B6
000010E8: B4 90
000010FC: 04 90
000010FD: 62 E2
000010FE: D0 B6
00001104: 01 00
00001106: 00 01
00001108: 78 01
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv
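The FC listing above can be read against the PE header layout. As an added example (it is not code from the thread, and it does not touch the poster's real files), the Python below builds two constructed minimal PE32 images in memory that differ only in the COFF TimeDateStamp, the resource data-directory size and the .rsrc section's VirtualSize, diffs them byte by byte the way FC /B does, and labels each differing offset with the header field or section it falls in. With the constructed e_lfanew of 0x80 and three sections, the labelled offsets come out at 0x88-0x8A, 0x10C, 0x1D0 and 0x1004-0x1006, which is the same pattern as the first entries of the listing above. That the poster's files share this layout is an assumption drawn from the offsets, and the timestamp values used here are hypothetical.

```python
"""Label the offsets FC reports for two PE files with the PE field they hit.

Added example, not from the forum thread. Everything here is constructed:
build_pe() fabricates a minimal PE32 image in memory, and the two timestamps
and resource sizes passed to it are hypothetical values chosen so that the
differing bytes land where the thread's FC listing shows them.

Layout assumptions (standard PE32): e_lfanew at 0x3C, 4-byte "PE\0\0",
20-byte COFF header, optional header with data directories at +0x60,
40-byte section headers.
"""
import struct

COFF_FIELDS = [  # (offset in COFF header, size, name)
    (0, 2, "Machine"), (2, 2, "NumberOfSections"), (4, 4, "TimeDateStamp"),
    (8, 4, "PointerToSymbolTable"), (12, 4, "NumberOfSymbols"),
    (16, 2, "SizeOfOptionalHeader"), (18, 2, "Characteristics"),
]
DATA_DIRS = ["Export", "Import", "Resource", "Exception", "Security",
             "BaseReloc", "Debug", "Architecture", "GlobalPtr", "TLS",
             "LoadConfig", "BoundImport", "IAT", "DelayImport", "CLR", "Reserved"]
SECTION_FIELDS = {8: "VirtualSize", 12: "VirtualAddress",
                  16: "SizeOfRawData", 20: "PointerToRawData"}


def locate(pe: bytes, off: int) -> str:
    """Return a label for file offset `off` within PE image `pe`."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    opt = coff + 20
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec_tbl = opt + opt_size
    if off < e_lfanew:
        return "DOS header/stub"
    if off < coff:
        return "PE signature"
    if off < opt:
        for fo, sz, name in COFF_FIELDS:
            if coff + fo <= off < coff + fo + sz:
                return f"COFF.{name}"
    if off < sec_tbl:
        rel = off - opt
        if rel >= 0x60:                      # data directories, 8 bytes each
            i, r = divmod(rel - 0x60, 8)
            if i < len(DATA_DIRS):
                return f"DataDirectory[{DATA_DIRS[i]}].{'RVA' if r < 4 else 'Size'}"
        return f"OptionalHeader+0x{rel:X}"
    if off < sec_tbl + 40 * nsec:
        i, r = divmod(off - sec_tbl, 40)
        name = pe[sec_tbl + 40 * i: sec_tbl + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
        for fo, fn in SECTION_FIELDS.items():
            if fo <= r < fo + 4:
                return f"SectionHeader[{name}].{fn}"
        return f"SectionHeader[{name}]+0x{r:X}"
    for i in range(nsec):                    # raw section data
        h = sec_tbl + 40 * i
        name = pe[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_sz, raw_ptr = struct.unpack_from("<II", pe, h + 16)
        if raw_ptr <= off < raw_ptr + raw_sz:
            return f"{name} data +0x{off - raw_ptr:X}"
    return "outside any section"


def fc_diff(a: bytes, b: bytes):
    """Yield (offset, byte_a, byte_b) for each differing byte, like FC /B."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            yield i, x, y


def annotate(a: bytes, b: bytes):
    return [(off, x, y, locate(a, off)) for off, x, y in fc_diff(a, b)]


def format_fc(entry) -> str:
    off, x, y = entry[:3]
    return f"{off:08X}: {x:02X} {y:02X}"


def build_pe(timestamp: int, rsrc_size: int) -> bytes:
    """Construct a minimal three-section PE32 image (test data, not a real file)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 2 * 8, 0x3000, rsrc_size)  # Resource dir

    def sec(name, vsize, va, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    secs = (sec(b".text", 0xC00, 0x1000, 0xC00, 0x200) +
            sec(b".data", 0x200, 0x2000, 0x200, 0xE00) +
            sec(b".rsrc", rsrc_size, 0x3000, 0x200, 0x1000))
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    text = b"\x90" * 0xC00                                # NOP-padded code section
    data = b"\0" * 0x200
    # IMAGE_RESOURCE_DIRECTORY carries its own TimeDateStamp at +4.
    rsrc = struct.pack("<IIHHHH", 0, timestamp, 0, 0, 0, 0).ljust(0x200, b"\0")
    return hdr + text + data + rsrc


if __name__ == "__main__":
    old, new = build_pe(0x4BD06204, 0x38), build_pe(0x4BB6E290, 0x14)  # hypothetical stamps
    for entry in annotate(old, new):
        print(format_fc(entry), " ", entry[3])
```

Run it as-is to print the constructed diff; to use it on real files, read both with `open(path, "rb").read()` and pass them to `annotate`. Repeated three-byte differences that match the COFF TimeDateStamp, as in the 0x1000 region of the listing above, are what resource-directory timestamps look like, but confirm that on the actual file rather than from the offsets alone.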

oex

I think the rc.exe supplied with MASM is not capable of version-tab rc? I noticed you built with a later version.

theunknownguy

Quote from: oex on April 18, 2010, 06:32:38 PM

REPEAT 2000
   nop
ENDM

A very dangerous piece of code, it seems.

It is; Lexotan32's metamorphic code does something like this before adding the metamorphed data + junk opcodes.

And also I don't see the big blame on AV companies; it is the heuristic method that can't keep going further. Making the virus is much easier than making the detection.

The solution is in smarter systems of detection. Of course it is easy to say, but from the point of view of a metamorphic virus plus an algorithm based on random numbers, the only thing to detect is the little pieces of code block in the "core" (which is always static).

Example:

Lexotan32's way to prepare the code block before the addition of junk and other things.
And in other viruses that have no imagination....

REPEAT 2000
   nop
ENDM


And I agree that AV companies don't pay attention to "home developers", but should they?

Finally:

"A detection's complexity is determined by the compression of the code plus the common usage of the instructions"

If a virus manages to self-mutate its "core" (which is static) with an algorithm that uses random numbers, then you have just landed the AV companies in hell for a long time.

Lucky for the AV companies, people with this level of knowledge don't care to do it.  :cheekygreen:

oex

I think the point with the example I gave is that this is a very general rule. Just because this is found in a virus doesn't make it remotely dangerous; it is simply padding.... Viruses open .exe files to modify their contents; however, you wouldn't highlight every application that opened a file as being a virus....

This isn't an intended stab at AV companies but is more aimed at this rigorous discussion. It is often easy, as with optimisation, for time to be spent on the unnecessary whilst the blatantly obvious is overlooked.

theunknownguy

Quote from: oex on April 27, 2010, 11:59:48 AM
I think the point with the example I gave is that this is a very general rule. Just because this is found in a virus doesn't make it remotely dangerous; it is simply padding.... Viruses open .exe files to modify their contents; however, you wouldn't highlight every application that opened a file as being a virus....

This isn't an intended stab at AV companies but is more aimed at this rigorous discussion. It is often easy, as with optimisation, for time to be spent on the unnecessary whilst the blatantly obvious is overlooked.

Well, grandma says: "It is easier to prevent than to risk".

Also, with AV companies it isn't like they say: "OK guys, let's f*ck up all the work of home-made software".

The thing is, some viruses, and most new ones, are detected by quite small signatures, and the virus makers try to make their work as compressed and complex as possible.

So if AV had some kind of detection that could decide whether some code block seems dangerous or not (this is actually done by probability, but if they have a full match then it is considered 100% dangerous), then the picture of false detection would change.
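The two positions in the thread, that a run of NOPs is just padding and that the only stable thing to match in a junk-inserting metamorphic virus is its static core, can both be shown with a small scanner. The Python below is an added example, not code from the thread and not Lexotan32 or any real sample: the "core" is a constructed four-instruction sequence, `mutate()` stands in for a metamorphic engine that inserts semantically neutral junk between instructions, and the three scanners only ever see bytes. `naive_scan` is an exact-bytes signature plus a NOP-sled heuristic of the kind that fires on a `REPEAT 2000 nop` pad; `core_scan` strips the junk first and then matches the static core; `core_score` is the probability-style partial match against the full-match case. The junk patterns and the normalisation are deliberately byte-level and are labelled as a toy in the code.

```python
"""Why a NOP run is a bad signature and why the static core is what to match.

Added example, not from the forum thread. CORE_INSNS is a constructed x86
sequence (not any real virus), JUNK is a constructed list of neutral
opcode pairs, and BENIGN_PADDED is a constructed program padded the way
the thread's REPEAT 2000 nop ENDM macro would pad it.
"""
import random

# Constructed static core, one entry per instruction. No relative jumps,
# so inserting junk between entries needs no offset fix-ups.
CORE_INSNS = [
    b"\x8b\x45\x08",          # mov   eax, [ebp+8]
    b"\x66\x81\x38\x4d\x5a",  # cmp   word [eax], 'MZ'
    b"\x0f\x95\xc0",          # setne al
    b"\xc3",                  # ret
]
CORE = b"".join(CORE_INSNS)

# Semantically neutral junk a metamorphic engine might sprinkle in:
# nop; push eax/pop eax; xchg eax,eax; push ebx/pop ebx.
JUNK = [b"\x90", b"\x50\x58", b"\x87\xc0", b"\x53\x5b"]

# push ebp / mov ebp,esp / 2000 x nop / ret: harmless padding, as in the thread.
BENIGN_PADDED = b"\x55\x8b\xec" + b"\x90" * 2000 + b"\xc3"

NOP_SLED_SIG = b"\x90" * 16   # the kind of heuristic that flags the padded file


def mutate(seed: int) -> bytes:
    """Emit a variant of CORE with 1-3 junk fragments between each instruction."""
    rng = random.Random(seed)
    out = bytearray()
    for i, insn in enumerate(CORE_INSNS):
        out += insn
        if i < len(CORE_INSNS) - 1:
            for _ in range(rng.randint(1, 3)):
                out += rng.choice(JUNK)
    return bytes(out)


def naive_scan(data: bytes) -> bool:
    """Exact-bytes core signature plus a NOP-sled heuristic."""
    return CORE in data or NOP_SLED_SIG in data


def normalize(data: bytes) -> bytes:
    """Strip known junk until nothing changes.

    Toy: byte-level stripping can eat bytes that belong to legitimate
    instructions or immediates, so a real engine disassembles first and
    drops junk at instruction granularity.
    """
    prev = None
    while prev != data:
        prev = data
        for j in JUNK:
            data = data.replace(j, b"")
    return data


def core_scan(data: bytes) -> bool:
    """Match the static core after junk removal."""
    return CORE in normalize(data)


def core_score(data: bytes) -> float:
    """Fraction of multi-byte core instructions present after normalization.

    1.0 is the full match treated as certain; anything in between is the
    probability-style partial match.
    """
    n = normalize(data)
    frags = [f for f in CORE_INSNS if len(f) >= 2]
    return sum(f in n for f in frags) / len(frags)


if __name__ == "__main__":
    variant = mutate(42)
    print("benign padded:", naive_scan(BENIGN_PADDED), core_scan(BENIGN_PADDED), core_score(BENIGN_PADDED))
    print("mutated core: ", naive_scan(variant), core_scan(variant), core_score(variant))
```

Running it shows the two failure modes side by side: the padded benign program trips the naive scanner and is clean for the core scanner, while every mutated variant slips past the exact signature and is caught once the junk is stripped. The caveat in `normalize` is the real engineering problem: stripping bytes without disassembling will also mangle legitimate code, which is exactly how benign padding ends up flagged.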