Dear James, WJK> You are effectively altering existing viruses to the point that WJK> AV scanners do not detect them. No, he is changing a few bytes only.
WJK> If your altered virus sample WJK> still executes correctly, you have simply created a new virus WJK> variant. No, there is no variant, the virus executes EXACTLY as before. A variant acts differenlty then a precedent version, else it would be no variant. To your AV engine it is a variant, yes, but only because it is flawed. WJK> Consequently, the issue that you describe is *not* a WJK> vulnerability issue, but rather just an example of a new variant WJK> that has not yet been added to an AV vendor's database of "known WJK> viruses". Thank you James, this _to my knowledge_ (perhaps the guy from vmyths knows better) is the first time the complete failure of todays AV solutions is shown naked publicaly directly by a representant of an AV company. This statement coming from a AV vendor is simply exposing what is known in the sec. community since many years. Instead of beahviour analysis, most AV vendors choose uterly stupid PE section fingerprints, defeated by adding a few bytes. Go figure. of course this is no vulnerability, it's a feature! My theory on this is simple : - ALL files can't be analysed the same way by AV engines (due to speed issues) (In other words not all analysis/fingerpritns is applied to every file) The solution was to make the engines a bit "smarter", i.e analyse the header to determine the type and then ONLY apply the signatures/heuristics which apply to the type of the file (i am not speaking about the extension of the file here) thus speeding up the process. Changing the header just makes the smart engines look...well... a bit dumb in my regards. -- Regards, Thierry Zoller http://thierry.sniff-em.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/