Thursday, May 11, 2006

Malicious cryptography: armored virus


When a new piece of malware is detected, it is treated as unknown code to be analyzed.
Once the analysis is complete, signatures and heuristics are written so that
anti-virus software can block it.

To avoid this "problem," a malware writer has to delay, or even prevent,
the analysis of his malignant creature. A virus built to do that is what's called an _armored virus_.

Whale, a DOS virus from 1990 and the classic example, combined several techniques:

Polymorphism:
both the copy on disk and the image in memory were encrypted, so that successive
copies of the virus do not share a fixed byte sequence for a scanner to match

Stealth:
several interrupts, including the debugging ones (single-step INT 1 and breakpoint INT 3),
are hooked by Whale; it also installs itself in high memory and then lowers the
top-of-memory limit known to DOS, so the memory it occupies is no longer visible
to the system. DOS was the dominant platform at the time.

Armoring:
the code behaves differently depending on the processor it runs on (8088 or 8086),
and the virus carries what is known as anti-debug code:
if a debugger is detected, the keyboard is blocked and Whale terminates itself.
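Two of the techniques above translate into a short worked example, added here as an illustration and not taken from Whale or from the original post: a body encrypted under a per-generation key, so that a byte signature taken from one generation's file image does not match the next generation but does match the body once it is decrypted (which is why scanners later moved to emulating the decryptor before matching), and a debugger check in the spirit of the INT 1/INT 3 hooks, implemented as a read of the Linux TracerPid field in /proc/self/status. The body text, the XOR key schedule and all function names are assumptions made for the example; Whale's actual reaction (blocking the keyboard and self-terminating) is not reproduced, the check only reports.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the virus body. Plain text is used so the effect
 * of the encryption is visible; a real body would be machine code. */
static const uint8_t BODY[] = "WHALE-BODY: infect(); hook_int21(); hide_high_mem();";
#define BODY_LEN (sizeof BODY - 1)

/* One generation of the virus: the body encrypted under a per-generation
 * key, plus the key that the (constant-logic) decryptor stub would carry. */
typedef struct {
    uint8_t key;
    uint8_t enc[BODY_LEN];
} generation_t;

/* XOR stream with a tiny key schedule (a full-period LCG mod 256). The same
 * routine encrypts and decrypts, which is exactly what a decryptor stub relies on. */
static void xor_stream(const uint8_t *in, uint8_t *out, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ key;
        key = (uint8_t)(key * 5 + 1);
    }
}

/* Build a new generation. Key 0 is remapped so the first byte is never in clear. */
generation_t make_generation(uint8_t key)
{
    generation_t g;
    g.key = key ? key : 1;
    xor_stream(BODY, g.enc, BODY_LEN, g.key);
    return g;
}

/* What the decryptor stub does at run time: recover the body in memory. */
void decrypt_generation(const generation_t *g, uint8_t out[BODY_LEN])
{
    xor_stream(g->enc, out, BODY_LEN, g->key);
}

/* Naive byte-signature scan, as a scanner of the period would run over the file image. */
int has_signature(const uint8_t *buf, size_t n, const char *sig)
{
    size_t m = strlen(sig);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, sig, m) == 0) return 1;
    return 0;
}

/* Modern stand-in for Whale's INT 1/INT 3 hooks: on Linux the kernel reports an
 * attached tracer's PID in /proc/self/status. The parser is kept separate from
 * the file read so it can be exercised on constructed input. Returns the PID,
 * 0 when untraced, -1 when the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

int debugger_present(void)
{
#ifdef __linux__
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
#else
    return 0; /* no equivalent check implemented for other platforms here */
#endif
}

int main(void)
{
    generation_t a = make_generation(0x37), b = make_generation(0xA1);
    uint8_t plain[BODY_LEN];
    const char *sig = "hook_int21";

    printf("gen A enc[0..3]: %02x %02x %02x %02x\n", a.enc[0], a.enc[1], a.enc[2], a.enc[3]);
    printf("gen B enc[0..3]: %02x %02x %02x %02x\n", b.enc[0], b.enc[1], b.enc[2], b.enc[3]);
    printf("signature on file image: A=%d B=%d\n",
           has_signature(a.enc, BODY_LEN, sig), has_signature(b.enc, BODY_LEN, sig));
    decrypt_generation(&a, plain);
    printf("signature after decryption: %d\n", has_signature(plain, BODY_LEN, sig));
    printf("debugger present: %d\n", debugger_present());
    return 0;
}
```

Run it once normally and once under gdb or strace to see `debugger_present` flip; the signature lines show why matching on the stored image fails while matching on the decrypted body (what an emulator gives the scanner) succeeds.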
