I can't really enjoy articles like this after seeing:
https://z0mbie.dreamhosters.com/ (yes, site looks like crap by today's standards, but author was an evil genius)
"The virus supports a unique new technique: code integration. The Mistfall engine contained in the virus is capable of decompiling Portable Executable files to its smallest elements, requiring 32MB of memory. Zmist will insert itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references (including relocation information), and rebuilds the executable. This is something that has not been seen in any previous virus. Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which will point to the next instruction. Amazingly, these horribly modified applications will still run as before, just like the infected executables do, from generation to generation. In fact we have not seen a single crash during the test replications. Nobody expected this to work, not even its author Zombie. Although it is not foolproof it seems to be good enough for a virus. It takes time for an individual to find the virus in infected files, due to Zmist's extreme camouflage, making it the perfect anti-heuristics virus."
It is interesting how in modern computing, the whole “virus” (arbitrary-code-modifying, self-propagating) model is basically irrelevant. Sure, there is plenty of malware around, but it is all either “trojan” (distributing pre-modified binaries), or “worm” (entirely separate binaries).
The biggest contributing factor is likely internet - I don’t think I ever passed executables from one computer to another. The modern package management (think debsums), multi-user separation, digital signatures, open source and “cattle servers” helped a lot too.
It is still interesting to read about old techniques; they were very ingenious, but it is approximately as relevant as steam train maintenance.
Reference please? I am not talking here about bright ideas... I am talking about something that is really a bitch to implement (quite frankly I would rather take tinycc and mutate the C source (same goes for Go source code) before compiling than going the LDE and Mistfall way, but there might be something that I have missed in all those years) and I would love to see something that is beyond this. And imho, no, various payloads/drivers/rootkits/uefi/..., etc. don't come close in level of complexity. They are just bright ideas, but please, I really would love to be proven wrong.
I would love to give some other example next time instead of 20+ years old piece of code. Please share the knowledge.
Wouldn't those sorts of modifications make the executable fail signature checks? I think most viruses don't use that sort of technique anymore because code signing prevents that sort of attack.
and
https://z0mbie.dreamhosters.com/autorev.txt https://z0mbie.dreamhosters.com/src/mistfall2/index.html
Search here for Zmist (Mistfall is the engine with sources in previous links) description: https://crypto.stanford.edu/cs155old/cs155-spring09/papers/v...
What I am seeing today as malware is a joke compared to those times. The knowledge is just lost.
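Added example, written for this thread and not taken from any of the linked sources or from the paper quoted above: a Python sketch of two defender-side checks that the comments touch on. The first is a byte-density heuristic for the camouflage the quoted description attributes to Zmist (a jump after every instruction that lands on the next instruction, which in the direct x86 encodings is a jump with displacement zero). The second is the integrity point raised later in the thread (package checksums, signatures): a hash manifest in the style of debsums, which any such code insertion necessarily breaks. The byte strings are constructed for the example, and the threshold and function names are assumptions.

```python
import hashlib

# Constructed sample code section (not taken from any real binary): a small
# x86 function prologue/epilogue, standing in for a clean .text section.
CLEAN_CODE = bytes.fromhex(
    "55"        # push ebp
    "89e5"      # mov ebp, esp
    "83ec10"    # sub esp, 0x10
    "31c0"      # xor eax, eax
    "c9"        # leave
    "c3"        # ret
)

# The same instructions with a "jmp short +0" (EB 00) after each one. A jump
# whose displacement is zero lands on the byte right after it, so the code
# still runs; this is the shape the quoted description gives for Zmist.
PADDED_CODE = bytes.fromhex(
    "55eb00" "89e5eb00" "83ec10eb00" "31c0eb00" "c9eb00" "c3eb00"
)

# Direct encodings of "jump to the following instruction".
JUMP_TO_NEXT = (
    b"\xeb\x00",              # jmp short, rel8 = 0
    b"\xe9\x00\x00\x00\x00",  # jmp near, rel32 = 0
)

# Assumed threshold: fraction of section bytes at which such a jump starts.
DENSITY_THRESHOLD = 0.05


def count_jump_to_next(code: bytes) -> int:
    """Count the patterns above over raw bytes (overlapping, no disassembly).

    This is only a density estimate: the same byte pairs can occur inside
    data or inside longer instructions, so one hit means nothing and only an
    unusually high density across a whole section is informative.
    """
    total = 0
    for pattern in JUMP_TO_NEXT:
        start = 0
        while (i := code.find(pattern, start)) >= 0:
            total += 1
            start = i + 1
    return total


def score_section(code: bytes) -> dict:
    """Summarise a code section: hit count, hits per byte, and a verdict."""
    hits = count_jump_to_next(code)
    density = hits / len(code) if code else 0.0
    return {"hits": hits, "density": density, "flagged": density > DENSITY_THRESHOLD}


def build_manifest(sections: dict) -> dict:
    """Record the SHA-256 of each section, like a package manager's file checksums."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sections.items()}


def verify_manifest(sections: dict, manifest: dict) -> list:
    """Return the names of sections whose current hash differs from the manifest."""
    return [name for name, data in sections.items()
            if hashlib.sha256(data).hexdigest() != manifest.get(name)]


if __name__ == "__main__":
    baseline = build_manifest({".text": CLEAN_CODE})
    for label, code in (("clean", CLEAN_CODE), ("padded", PADDED_CODE)):
        print(label, score_section(code), verify_manifest({".text": code}, baseline))
```

On the constructed input the padded section scores 6 hits over 22 bytes and is flagged, while the clean one scores none; the manifest check reports `.text` as modified for the padded copy. The heuristic only catches the literal zero-displacement encodings, so treat it as one signal next to the integrity check, not as a detector on its own.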