Malicious Cryptography
June 7, 2006. Posted by dhar in Security, Technology.
Security Focus is running an interesting article on Malicious Cryptography: how crypto is being used to produce sophisticated viruses. From the article:
A virus employing techniques to avoid or delay the analysis becomes what is called an armored virus. The first public armored virus fulfilling this goal was called Whale and first spread sometime in September 1990. It combined several techniques:
- Polymorphism: both the binary and the process were ciphered (there were 30 hardcoded versions).
- Stealth: several interruptions, including debugging ones, are hooked by Whale, and it also hides in high memory before decreasing the max limit of memory known by DOS, which was prominent at the time.
- Armoring: the code changes depended on the architecture (8088 or 8086), had intense use of obfuscation (useless code, identical conditions, redundant code, and so on) and had what is known as anti-debug (if a debugger is detected, the keyboard is blocked and Whale kills itself).