MLUG: [MLUG] New Virus Technology and Zombies?

I was wondering if any of you knew anything about this.

Currently there is a new virus technology out that is said to be some of the
most complex virus writing seen to date. I got this info out of Symantec's
SARC newsletter on Saturday. I looked it up and couldn't find much on it.
Currently the Zmist file they refer to is just based on what is called the
Mist Engine. Symantec doesn't have much listed for this at all. Looks kind of
scary. Below is the text from the bulletin. Couldn't find anywhere online
that had much for links. I'm downloading the zine now. Either they are
hosting on a 486 box on a dial-up modem or their site's getting hammered now.
I've been downloading for a while now on campus and I only have 8% of a 737K
file that contains the zine put out by this virus creator named Zombie. The
zine is called "Total Zombification". If anyone gets it before I do, could I
look at it? Nothing on Kaspersky right now about this either. Also checked
NAI, none there.

Also, did you guys hear about the PHP virus that's out too? Weird stuff man.

<Insert Witty Quote or email tag here>

Ryan

**********************************************************************
                     Gorillas in the Mist

During VB 2000 Dave Chess and Steve White demonstrated their research result
on Undetectable Viruses. Early this year the Russian virus writer
Zombie released his "Total Zombification" magazine with a set of articles
and viruses of his own. One of the articles in the magazine was titled
"Undetectable Virus Technology". Zombie has already demonstrated his set of
polymorphic and metamorphic virus-writing skills. His viruses have been
distributed for years in source format and other virus writers have modified
them to create new variants. Certainly this will be the case with Zombie's
latest creation W95.Zmist. 

Many of us have not seen a virus approaching this complexity for a few
years. We could easily call Zmist one of the most complex binary
viruses ever written. W95.SK, One_Half, ACG, and a few other virus
names popped into our minds for comparison. Zmist is a little bit of
everything: it is an entry point obscuring virus that is metamorphic.
Moreover the virus randomly uses an additional polymorphic decryptor.
The virus supports a unique new technique: code integration. The Mistfall
engine contained in the virus is capable of decompiling Portable
Executable files into their smallest elements, requiring 32MB! of memory.
Zmist will insert itself into the code: it moves code blocks out of the
way, inserts itself, regenerates code and data references, including
relocation information, and rebuilds the executable. This is something which
was never seen in any previous viruses.

Zmist occasionally inserts jump instructions after every single instruction
of the code section, each of which will point to the next instruction.
Amazingly these horribly modified applications will still run as before,
just like the infected executables do, from generation to generation. In
fact we have not seen a single crash during the test replications. Nobody
expected this to work, not even its author, Zombie. Although it is not
foolproof, it seems to be good enough for a virus. It takes some time for a
human to find the virus in infected files. Because of this extreme
camouflage Zmist is easily the perfect anti-heuristics virus.

A few years ago several anti-virus researchers claimed that algorithmic
detection has no future. We would like to turn that around, claiming that
virus scanners will have no future if they do not support algorithmic
detection at the database level. It is amazing to see how polymorphic
viruses become more and more advanced over the years. Such
metamorphic creations will come very close to the concept of an
undetectable virus. 

The computing environment did change. Modern viruses completely
support this new environment. In the next couple of years we will see how
complex DOS viruses would be today if the environment had not changed
during the last few years.

[Editor's Note: The complete article includes a detailed technical description
of W95.Zmist and will be published in the March Edition of
Virus Bulletin, and the SARC web site at http://www.sarc.com/].

                     By Peter Ferrie and Peter Szor
                     SARC, APAC & USA.
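
The code-integration behaviour the bulletin describes (move code aside, insert a jump after every instruction, regenerate the code references, and note that the result still runs) as a worked toy model. This is an example added to the archived post; it is not Ryan's code, not the SARC authors' code, and not Zmist's Mistfall engine. It assumes an invented byte-length instruction set with relative branches; `LEN`, `SAMPLE`, and every function name are assumptions made for illustration. `integrate_jumps` performs the jump-after-every-instruction transform with the reference fix-up, `integrate_jumps(..., fixup=False)` shows the crash a naive splice produces, and `normalize` sketches the transformation-aware (algorithmic) detection step the authors argue scanners will need.

```python
"""Toy model of the per-instruction jump insertion the bulletin describes and
of the reference fix-up it forces. Constructed for this list post; it is not
Zmist's Mistfall engine or Symantec code, and the ISA is invented. Branches
hold relative offsets (target minus the address of the following instruction),
so every inserted byte shifts them: references must be regenerated, not spliced."""
import hashlib

# Instruction lengths in bytes; jmp/jz carry a signed relative offset, jz tests a.
LEN = {"nop": 1, "ret": 1, "mov": 3, "add": 3, "dec": 2, "jmp": 2, "jz": 2}
BRANCH = {"jmp", "jz"}

# Constructed sample program: a countdown loop that leaves b == 6.
SAMPLE = [
    ("mov", "a", 3),  # addr 0
    ("mov", "b", 0),  # addr 3
    ("add", "b", 2),  # addr 6, loop head
    ("dec", "a"),     # addr 9
    ("jz", 2),        # addr 11: next is 13, 13 + 2 = 15 -> ret
    ("jmp", -9),      # addr 13: next is 15, 15 - 9 = 6 -> loop head
    ("ret",),         # addr 15
]

def addresses(prog):
    """Byte address of each instruction, followed by the end-of-code address."""
    addrs, pc = [], 0
    for ins in prog:
        addrs.append(pc)
        pc += LEN[ins[0]]
    return addrs + [pc]

def decode_targets(prog):
    """Resolve each branch to the index of the instruction it lands on
    (ValueError if an offset points inside an instruction)."""
    addrs = addresses(prog)
    return [addrs.index(addrs[i] + LEN[ins[0]] + ins[1]) if ins[0] in BRANCH else None
            for i, ins in enumerate(prog)]

def encode_targets(prog, targets):
    """The fix-up: recompute relative offsets from instruction-index targets."""
    addrs = addresses(prog)
    return [ins if t is None else (ins[0], addrs[t] - (addrs[i] + LEN[ins[0]]))
            for i, (ins, t) in enumerate(zip(prog, targets))]

def integrate_jumps(prog, fixup=True):
    """Insert 'jmp <next>' after every instruction. fixup=False keeps the old
    offsets, the naive splice that breaks the program."""
    old_targets = decode_targets(prog)
    new_prog, pending, new_index = [], [], {}
    for i, ins in enumerate(prog):
        new_index[i] = len(new_prog)
        new_prog.append(ins)
        pending.append(old_targets[i])     # still expressed as an old index
        if i + 1 < len(prog):              # nothing follows the last instruction
            new_prog.append(("jmp", 0))    # +0 already means "next instruction"
            pending.append(i + 1)
    if not fixup:
        return new_prog
    return encode_targets(new_prog, [None if t is None else new_index[t] for t in pending])

def normalize(prog):
    """Detection-side inverse: drop every jmp whose target is the instruction
    right after it, then regenerate the offsets of the branches that remain."""
    targets = decode_targets(prog)
    keep = [i for i, ins in enumerate(prog) if not (ins[0] == "jmp" and targets[i] == i + 1)]
    new_index = {old: new for new, old in enumerate(keep)}

    def resolve(t):  # a target that was itself a removed jmp falls through to t + 1
        while t < len(prog) and t not in new_index:
            t += 1
        return new_index.get(t, len(keep))  # past the end -> end-of-code

    return encode_targets([prog[i] for i in keep],
                          [None if targets[i] is None else resolve(targets[i]) for i in keep])

def fingerprint(prog):
    """Stable hash of the instruction list, standing in for a scanner signature."""
    return hashlib.sha256(repr(prog).encode()).hexdigest()

def run(prog, max_steps=1000):
    """Execute on a tiny machine. Landing inside an instruction is the crash
    the bulletin's authors expected from this transformation and did not see."""
    addrs = addresses(prog)
    regs, pc = {"a": 0, "b": 0}, 0
    for _ in range(max_steps):
        if pc == addrs[-1]:
            return regs
        if pc not in addrs:
            raise RuntimeError(f"pc {pc} is inside an instruction")
        ins = prog[addrs.index(pc)]
        op, nxt = ins[0], pc + LEN[ins[0]]
        if op == "ret":
            return regs
        if op == "mov":
            regs[ins[1]] = ins[2]
        elif op == "add":
            regs[ins[1]] += ins[2]
        elif op == "dec":
            regs[ins[1]] -= 1
        elif op == "jmp" or (op == "jz" and regs["a"] == 0):
            nxt += ins[1]
        pc = nxt
    raise RuntimeError("step limit hit")
```

Running `integrate_jumps(SAMPLE)` grows the 7-instruction loop to 13 instructions whose plain byte fingerprint no longer matches the original, yet `run` still ends with `b == 6`; the same insertion without the fix-up sends the backward `jmp` into the middle of `dec a` and the machine faults. `normalize` recovers the original instruction list and therefore the original fingerprint, which is the sense in which a scanner needs transformation-aware logic rather than a fixed byte pattern to see through this kind of mutation.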
--

Archives are available at http://mlug.missouri.edu/list-archives/