Anti Heuristic Techniques
BLACK JACK
Introduction
------------
In the early days of computer virii it was sufficient for AV programs to
search for a set of virus patterns (scan strings). But the number of virii
grew faster and faster, and so the AV people invented something called
heuristics to make our job harder. A heuristic scanner emulates the code of
every program it scans in a so-called "virtual machine" and watches for
virus-like actions (for example, code that opens and writes to other
executables or hooks interrupts). So it should be *theoretically* possible
to find every new virus. Theoretically, because of course these code
analysers can't emulate the "real" CPU to 100%: every corner of the
processor that the emulator handles differently from real silicon (for
instance the prefetch queue, undocumented instructions or timing) is a
place where the emulated run and the real run diverge, and so not every
virus actually gets caught. So in my humble opinion, it is the damn duty of
us, the VX community, to search for the flaws in these heuristic engines
and exploit them for our own goals. What I'm talking about are tricks to
fool these engines, to make our newest creations invisible to those evil
programs which want to find&kill our babies too. This is in my opinion one
of the most interesting fields in virus programming (it's always a great
feeling to outsmart your enemies ;-) ). Here are the results of the
research I've done on this topic recently.
Know your enemies!
------------------
If you want to make your virii anti-heuristic, the first thing you need is
a set of heuristic scanners to test your creations with. I recommend that
you get as many of them as possible, because every one has different strong
points and flaws. I'll give you a short list of the scanners I use/test and
where to get them:
-> Thunderbyte Antivirus (http://www.thunderbyte.com): In the earlier days
this was considered one of the best scanners, but nowadays most VXers
consider it quite weak, at least its "heuristics" (it is actually based on
little scan strings). On the other hand it comes with a lot of other AV
utilities besides the scanner (checksummer, cleaner, memory resident
utilities...). A lot of stuff to work around for those of you who are
interested in retro (anti-AV) structures, but that is a different story...
By the way, I would recommend that you get version 7.xx in addition to the
current one, because that version allows you to define your own scan
strings. This can be quite important if you accidentally infect yourself...
-> F-prot (http://www.datafellows.com): Isn't too bad, although there are
a lot of better ones. The interesting thing about it is that the older
versions had much better heuristics than the current ones. So I recommend
that you get yourself a copy of v2.28 or thereabouts from somewhere (I use
v2.27), and test your virus with both versions. Another interesting feature
of this scanner is its /PARANOID command line parameter. If you use it, the
scanner goes into a highly sensitive mode (with a lot of false positives).
For that reason it isn't really necessary to beat even f-prot /PARANOID,
but if you do so, you know that your anti-heuristic tricks are *really*
good.
-> AVP (http://www.avp.ch): In my opinion the best heuristic scanner, really
hard to fool. I used version 3.0 build 128.
-> NOD (http://www.eset.sk): Nearly as good as AVP.
-> Dr. Web (http://www.dials.ru): Also a very good one. Those Russians know
how to make good AVs...
-> Dr Solomon's (http://www.drsolomon.com): A mid-quality scanner from our
friends at NAI, but still better than McAfee (*duh*).
-> Ikarus Antivirus (http://www.ikarus.at): A product of middle quality; I
just use it for patriotic reasons.
This trick fooled AVP, Dr. Web and f-prot v3.04 (even with the /PARANOID
flag), but not f-prot v2.27, NOD, Ikarus or Dr. Solomon's. f-prot v2.27 and
Ikarus, on the other hand, were fooled by the "normal" PIQ trick (which
doesn't work on modern processors, as you remember).