ZMist: next generation viruses coming up

Discussion in 'malware problems & news' started by Paul Wilders, Mar 5, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    During VB 2000 Dave Chess and Steve White demonstrated their research result on Undetectable Viruses. Early this year the Russian virus writer Zombie released his "Total Zombification" magazine with a set of articles and viruses of his own. One of the articles in the magazine was titled "Undetectable Virus Technology".

    Zombie has demonstrated already his set of polymorphic and metamorphic virus writing skills. His viruses have been distributed for years in source format and other virus writers have modified them to create new variants. Certainly this will be the case with Zombie's latest creation W95.Zmist.

    Many of us have not seen for a few years a virus approaching this complexity. We could easily call Zmist one of the most complex binary viruses ever written. W95.SK, One_Half, ACG, and a few other virus names popped to our mind for comparison. Zmist is a little bit of everything: it is an entry point obscuring virus that is metamorphic. Moreover the virus randomly uses an additional polymorphic decryptor.

    The virus supports a unique new technique: code integration. The Mistfall engine contained in the virus is capable of decompiling Portable Executable files to its smallest elements, requiring 32MB! of memory. Zmist will insert itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. This is something which was never seen in any previous viruses.

    Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which will point to the next instruction. Amazingly these horribly modified applications will still run as before, just like the infected executables do, from generation to generation. In fact we have not seen a single crash during the test replications. Nobody expected this to work, not even its author Zombie. Although it is not foolproof it seems to be good enough for a virus. It takes some time for a human to find the virus in infected files. Because of this extreme camouflage Zmist is easily the perfect anti-heuristics virus.

    A few years ago several anti virus researchers claimed that algorithmic detection has no future. We would like to turn that around, claiming that virus scanners will have no future if they do not support algorithmic detection at the database level. It is amazing to see how polymorphic viruses become more and more advanced over the years. Such metamorphic creations will come very close to the concept of an undetectable virus.

    The computing environment did change. Modern viruses completely support this new environment. In the next couple of years we will see how complex DOS viruses would be today if the environment had not changed during the last few years.

    Note: The complete article includes a detailed technical description of W95.Zmist and will be published in the March Edition of Virus Bulletin, and the SARC web site at www.sarc.com/ .

    regards.

    paul
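The post above describes Zmist relinking code with jumps and argues that scanners need algorithmic detection rather than plain byte signatures. As an added illustration (not part of the original post or of the Virus Bulletin article), the following Python toy decodes a handful of x86 opcodes, follows unconditional short jumps instead of emitting them, and hashes the instructions in execution order. Both byte samples are constructed by hand for this example: the second contains the same four instructions as the first, with the blocks scattered and chained by `jmp`, so a signature taken from the linear form never matches it while the normalised digests agree.

```python
"""Toy 'algorithmic' normaliser (added example, not code from the page).

Decodes only the subset of x86 used by the constructed samples, follows
unconditional short jumps instead of emitting them, and hashes the
instructions actually executed. A program whose blocks were scattered and
re-linked with jumps then normalises to the same digest as its linear
original, although its raw bytes share no signature with it.
"""
import hashlib

# Opcodes with no operand bytes: opcode -> (mnemonic, total length)
_SIMPLE = {
    0x90: ("nop", 1),
    0x40: ("inc eax", 1),
    0xC3: ("ret", 1),
}

def decode(code: bytes, off: int):
    """Return (mnemonic, operand_bytes, length) for the instruction at off."""
    op = code[off]
    if op == 0xEB:                      # jmp rel8
        return "jmp", code[off + 1:off + 2], 2
    if op == 0xB8:                      # mov eax, imm32
        return "mov eax, imm32", code[off + 1:off + 5], 5
    if op == 0x31:                      # xor r/m32, r32 (ModRM byte kept as operand)
        return "xor", code[off + 1:off + 2], 2
    if op in _SIMPLE:
        mnem, ln = _SIMPLE[op]
        return mnem, b"", ln
    raise ValueError(f"unsupported opcode {op:#04x} at {off:#x}")

def normalize(code: bytes, entry: int = 0, max_insns: int = 10_000):
    """Follow control flow from entry, dropping unconditional jumps.
    Returns the list of (mnemonic, operand bytes) executed, in order."""
    out, off, seen = [], entry, set()
    for _ in range(max_insns):
        if off in seen:                 # loop: a real engine would handle it; stop here
            break
        seen.add(off)
        mnem, operand, ln = decode(code, off)
        if mnem == "jmp":
            rel = int.from_bytes(operand, "little", signed=True)
            off = off + ln + rel        # target is relative to the end of the jmp
            continue
        out.append((mnem, operand))
        if mnem == "ret":
            break
        off += ln
    return out

def digest(insns) -> str:
    """Stable hash over the normalised instruction sequence."""
    h = hashlib.sha256()
    for mnem, operand in insns:
        h.update(mnem.encode()); h.update(b"\0"); h.update(operand); h.update(b"\0")
    return h.hexdigest()

# Constructed sample A: linear code  xor eax,eax ; mov eax,1 ; inc eax ; ret
LINEAR = bytes.fromhex("31C0" "B801000000" "40" "C3")

# Constructed sample B: the same instructions, blocks scattered and chained with
# jmps (layout chosen by hand for this example; the nops are unreached filler)
SCATTERED = bytes.fromhex(
    "EB06"          # 0x00: jmp 0x08
    "40"            # 0x02: inc eax
    "EB0C"          # 0x03: jmp 0x11 (ret)
    "909090"        # 0x05: filler, never executed
    "31C0"          # 0x08: xor eax,eax
    "B801000000"    # 0x0A: mov eax,1
    "EBF1"          # 0x0F: jmp 0x02
    "C3"            # 0x11: ret
)

def raw_signature_hit(sample: bytes, signature: bytes) -> bool:
    """The naive check: is the byte signature present verbatim?"""
    return signature in sample

if __name__ == "__main__":
    sig = LINEAR                        # a signature taken from the linear form
    print("raw signature hits scattered form:", raw_signature_hit(SCATTERED, sig))
    print("normalised digests equal:",
          digest(normalize(LINEAR)) == digest(normalize(SCATTERED)))
```

The decoder covers only the opcodes the samples use and stops at the first revisited offset, so it is a sketch of the idea rather than a scanner: the point is that matching on what the code does, rather than on the bytes it happens to be stored as, survives the block shuffling the post describes.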
     
  2. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    What next?  Transcendental virii?
     
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Soon virus writers will just pull up in front of your house, kick the door in, throw you out of your computer chair, take your hard drive out, put a sledgehammer through your screen and leave.

    The mean ones will light your house on fire as they leave.
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Zombie is one of the world's best virus coders at the moment. From a technical point of view his 'work' is very impressive and a big problem for anti-virus companies. It seems there is no program which detects ZMist 100% correctly. Kaspersky reworked their signatures last week and caused some false positives. That's why this virus came back to media interest again. As far as I know the ZMist virus never made it 'in the wild'. Maybe because it was never released in a binary format. Only as (assembler) source code.

    And the article from Peter Szor of SARC is a really good (but very technical) read.

    wizard
     
  5. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Then it's about time someone paid him enormous sums to change the colour of his hat, wouldn't you say?
     
  6. Liquid_Fish

    Liquid_Fish Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    81
    This is very impressive from a technical standpoint. I can't even imagine how damaging this could be in the wild. I can see the next generation that spreads itself around to different DLLs on your system; imagine how hard that would be to detect.
     
  7. FanJ

    FanJ Guest

    Use NISFileCheck, make a database with it containing all the DLL files on your system, run NISFileCheck every day for changes, and at least you will see whether any DLL file was changed, deleted, or new.

    For guidelines see this thread:
    http://www.security-pro.co.uk/yabb/YaBB.pl?board=osif;action=display;num=1013708171
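The workflow in the post above (baseline the DLLs once, re-scan daily, report changed, deleted and new files) is a file-integrity check. Below is an added Python example of that check; it is not NISFileCheck's code and makes no claim about how that tool works internally. The `demo()` function builds a constructed scenario in a temporary directory rather than touching a real system folder; `build_baseline` would be pointed at a real directory in use.

```python
"""Minimal file-integrity baseline (added example, not NISFileCheck's code).

Records a SHA-256 and size for every matching file under a root, stores the
result as JSON, and on a later run reports which files changed, vanished or
appeared.
"""
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, pattern: str = "*.dll") -> dict:
    """Map relative path -> {sha256, size} for every file matching pattern under root."""
    baseline = {}
    for p in sorted(root.rglob(pattern)):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline

def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())

def compare(old: dict, new: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    common = old.keys() & new.keys()
    return {
        "changed": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
        "deleted": sorted(old.keys() - new.keys()),
        "new": sorted(new.keys() - old.keys()),
    }

def demo() -> dict:
    """Constructed scenario: a throwaway directory with a few fake 'DLLs'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.dll").write_bytes(b"original a")
        (root / "b.dll").write_bytes(b"original b")
        (root / "readme.txt").write_bytes(b"not a dll, ignored by the pattern")
        db = root / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulate what a later daily run would find
        (root / "a.dll").write_bytes(b"original a" + b"\x90")   # modified in place
        (root / "b.dll").unlink()                               # deleted
        (root / "c.dll").write_bytes(b"brand new")              # newly appeared
        return compare(load_baseline(db), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical notes: the baseline file must be kept where the code being checked cannot rewrite it (read-only media or a separate host), otherwise an infector that also edits the JSON leaves the check blind; and a hash comparison tells you that a file changed, not whether the change was a legitimate update, so the report still needs a person or a patch record to interpret it.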
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    My question is, what AV solution provides the best protection against something like this?

    Also, will NOD32 and NAV 2002 co-exist peacefully? (From my experience NAV 2002 and McAfee AV will NOT - but that's probably the fault of the incredibly crash-prone McAfee.)

    TIA
     
  9. FanJ

    FanJ Guest

    Hi javacool,

    I guess so, yes; that means:
    At least on my machine NOD32 and NAV2000 do (I will hopefully upgrade to NAV2003 when it arrives later this year; I guess somewhere in the beginning of the second half of the year); together with some other AVs.
     
  10. Liquid_Fish

    Liquid_Fish Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    81
    Thanks!! Never heard of it before, and I love the price!
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    javacool,

    According to the virus author, Dr.Web AV performs best in detecting this specific one (it's not ITW, so I presume he tested this himself). The man is a genius, but nevertheless: for what it's worth.

    regards.

    paul
     
  12. Liquid_Fish

    Liquid_Fish Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    81
    FanJ,  

    I have created a new thread in "Other Security Issues" that I would like your input on. The thread is "NIS File Check Settings".

    Thanks.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    As for NOD32: here's a copy and paste from Eset/NOD32 regarding ZMist we received some hours ago (relevant part):

    Nice message for all NOD32 users   ;)

    regards.

    paul
     
  14. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    THE OTHER ONE BETTER BE NAV 2002 ERRRRRRRRRR
     
  15. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    I'm sorry, but that guy's too smart for his own good. Although I admire and envy him, he must be put to death and burned at the stake, lol.

    I know it sounds harsh, but that level of intelligence, and then he writes it and sends it out.

    It's straight-up terrorism, but find where he lives and take him out.

    See, every century there's that one guy that's ahead of his time. If we'd whacked Thomas Edison we'd have no electricity; same here, if we had whacked this guy we would not have a virus as dangerous as that. This man is way too smart, and that warrants assassination, lol.

    Now I'm all paranoid. I would have been happy with my illusion of grandeur that I was safe, lol. Ignorance is bliss, lol, it really is, lol.
     
  16. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Mr.Blaze, don't worry too much; it doesn't seem like this guy actually sends them out, he just makes them.

    Besides, computers are not the only things in the world you know. Go outside and play beach ball in your back yard with your family one weekend, and leave your computers off. It is very refreshing to get away from the stress of computers for a while.
     
  17. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol, you're right. I just hate to think a 3000 dollar computer with all the latest security software can be put out and rendered useless; that's what I was feeling, lol.

    You know, this guy is so talented and awesome he should make an all-in-one security system tool with a cool interface. It would be simple to use, like Trojan Check, except in English and compatible with all OSes.

    With his talent he can make an anti-worm/trojan/malware/virus all-in-one simple-to-use utility, and with his know-how he can write it for all the viruses he makes and even ones that don't exist yet, lol.

    What I mean is he'd be well respected by hackers and at the same time by security web sites.

    a. All hackers would buy his software because he is the big bad of cyberspace, so he knows what he's doing and what to look for.

    b. We'd all buy it because he writes the stuff and sees things with a new twisted perspective, meaning he can easily say, well, if I wanted to do this I'd do it this way, then he would say, now to defeat what I just did I do this, and voila.

    Truly a waste of awesome talent.

    Someone buy this guy: NOD, NAV, TDS, if you're reading this, act fast, offer him whatever he wants, women, cars, he's like a cyber rap star, bling bling baby, lol.

    Too bad you guys at Wilders can't hook up. Can you imagine a Wilders all-in-one security utility? Blaze drools.

    I mean, you guys are always playing with all these great toys and finding ways to beat it just for fun. Wouldn't it be nice to get paid big for a love of a hobby?
     