- Perl2Exe [26], which can convert a Perl script to exe format.
- "Quick Batch File compiler" [27], which can convert batch (.bat) files to exe format.
- "VB.Net to C# Converter" [28], which can convert existing VB.Net code to C#.
This concludes our overview of a small set of "source code playing" tools; there are many other similar programs that deal with various technologies and could also be used for the purpose discussed here.
All these nice and sometimes useful technologies for converting, obfuscating and transforming source code can become a dangerous weapon in the hands of a malware writer.
A malware writer can turn these tools against us and create an Offline Metamorphic Engine.
2.12.5 The Offline Metamorphic Engine.
After learning so many simple ways to "morph" malware code, the malware writer can use them "effectively". By "effectively" I mean using them in a way that defeats, or causes serious problems for, defending software such as antivirus. To see how, let's recall the core design of signature-based protection software:
- To stop malware, antivirus vendors must analyze the new threat, create a signature and distribute it to their clients.
  o This gives attackers a time window of at least 3-6 hours until their malware is recognized on the client computer.
- The most powerful (known to me) automated signature-creation engine can analyze and create definitions for about 100,000 files in 24 hours (Symantec Digital Immune System).
Here are some more interesting and important facts:
- There is much existing malware that utilizes various forms of poly- and metamorphism, but it has the encryption/decryption engine built into its own code. Because such engines are built into the malware code, antivirus companies and virus researchers can decompile and analyze them.
- To create a good and effective signature definition for a particular malware, antivirus researchers prefer to analyze, or be able to extract, the "germ" - the first-generation malware (the pure malicious