Small Is Still Beautiful

Saturday, February 09, 2008

One big problem of delay-trigger computer viruses nowadays is that the longer it stays in the victim system, the bigger then chance the antivirus program will successfully random hash scan the virus out. Another problem, though somewhat smaller, is that file-per-file antivirus scanners often detect virus signatures of file-attaching variants easily, thanks to AV engineers who look at caught strains from infected files and analyze signatures for the virus.

Chimera project aims to prove that by using collaborative multistrain nanoviruses, the antiviruses that work on signature detection can be bypassed repeatedly by the same strain even after a signature has been established. The main idea is to release multiple substrains of a single virus in the wild which, when complete, can be activated by a trigger fragment containing Memory Access Trigger instructions, can be accessed through relative memory hops in the VM cache on any RISC based system.

There will be three components in this concept. The substrains which should be at the minimum of three types will contain cryptoinformation of the base secondary memory relative location for the two other substrains containing the exec codes before and after the exec codes the substrain hosts. These cryptoinformation are encrypted using a common key of the releasing party and will vary per release. That way, no single signature will ever be derived and the fragment locations will be untraceable outside actual execution time.

A special substrain can be included for status check and it will be without any exec code fragment. It will, instead, contain the head substrain cryptoinformation of the first exec code segment and will be responsible for checking completeness of the multiple required substrains.

The trigger fragment substrain will likewise be lacking any exec code and will only contain the key for the cryptoinformation and the memory access trigger. Memory access triggers are so common, so small, AV engineers usually overlook them when searching for signatures to avoid any false triggering when scanning for the virus.

The special statuscheck stubstrain will prevent any unknown fragments to mutate the code and maintain good CRC, it can be invoked by hte trigger fragment before execution to prevent any incomplete runs. Upon execution, the trigger fragment will pass the instruction pointer from one fragment of code to anther, hosted in different files that are only "partially" infected, which AVs will only identify as "possibly corrupt".

This project will contain a proof-of-concept assembling a 96kb program across six substrains, contained in three mp3 files, 2 jpeg files and one executable binary.

(source: Project Chimera - ubiquity through collaborative computing whitepaper dated 2003, theoretical study introduction)

No comments:


Search This Blog

Most Reading