Thursday, September 07, 2006

PolyMorphism...

September 2006, Security Focus — Latest polymorphism hides viruses better. A virus that infects AMD64-based Windows systems uses some tricky techniques to make defensive reverse engineering more difficult, security firm Symantec said this week. The virus, dubbed W64.Bounds, is not spreading in the wild, but was submitted as a proof of concept to antivirus researchers. The program is not easy to detect because it encrypts itself using a new algorithm and exploits a Windows feature available only on AMD64 systems to control execution, Peter Ferrie, senior antivirus researcher for Symantec, said in a post on the company's research blog.

"The AMD64 virus is both polymorphic and entrypoint obscuring," Ferrie stated in a second blog post. "The result is that it is not a simple matter to find the true start of the decryptor and to emulate from the wrong place can result in incorrect decryption."

Ferrie's blog postings:
http://www.symantec.com/enterprise/security_response/weblog/2006/08/virus_qa_w3264bounds.html

http://www.symantec.com/enterprise/security_response/weblog/2006/08/polymorphism_comes_to_the_amd6.html

Source: http://www.securityfocus.com/brief/292
