Reversing of executable files is the only basis for writing undetectable viruses.

This is based on the following axiom: the complexity C1 of detecting the virus itself, when the virus location is given, and the complexity C2 of finding possible virus locations within infected objects, are different; and the total complexity of detecting virus presence is their product, i.e. C1 * C2. Both complexities are interrelated, and both are limited by the object to be infected. This means that there exists some maximal complexity which, when reached, will divide object and virus into different parts. As such, our task is to build optimal infection methods: ones where the product of these complexities is maximal, but not critically high, so that only iteration-based detection methods will be effective.

For example: writing a poly decryptor is good, but always inserting it into a constant place, such as the end of the last section, is bad. Writing a very big poly decryptor is bad in any case. Putting a plain virus into any place in the program, even a random place, is bad. So the questions are: how polymorphic should the virus be; in how many ways may it be inserted into a file; and, because these two things are interrelated, where is the optimal combination.

To find answers to these questions, the virus must know everything about itself and about the file to be infected. The first part can be easily achieved; this has been shown to us in lots of metamorphic viruses. The second part is much harder, and it is also the subject of this article: how a virus can find out more information about the file it wants to infect.
