Ú¿ ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´ ÃÅÅÅÅÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÅÅÅÅ´ ÃÅÅÅ´ Some ideaz about future worm ÃÅÅÅ´ ÃÅÅÅ´ by Benny/29A ÃÅÅÅ´ ÃÅÅÅÅÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÅÅÅÅ´ ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´ ÀÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÙ One day, when I was thinking about my future projectz I sudenly remembered some idea I heard somewhere, some yearz ago... I advanced it and even when I haven't finished the worm using these ideaz (anyway, I have the main part already finished), I want to share them with you... the real reason why I don't have any worm is becoz the spreading mechanism dependz on some buffer-overflow bug of new versionz of IIS and/or Outlook that will allow to execute arbitrary code on remote machine. And becoz there's no such bug found, I have to wait for that (then I will finish it)...:-P Construction of unremovable worm .................................. My idea soundz for the first sight very weirdly. The problem of all wormz is (suprisely) their PRESENCE at the computer. If some worm is stored somewhere on the disk, in the memory, operating system, ... it can be alwayz found by scanner just becoz the worm is there... and the other side of the coin, it can be also removed when it is found. how to avoid the detection and remove capabilitiez of AV scannerz? Simply - avoid the presence of the worm at the computer ;-) How? There exist two areaz where the worm can be stored - disk and memory. And AV scannerz know that and their functionality dependz on these conditionz. So, the worm (1) should not be stored at any file on the disk. (2) should be stored in some process'es memory (e.g. the shell, explorer.exe), but not longer than necessary - spread_and_quit algorithm. it is very important to clean the memory when the worm quitz, so the worm will be really vanished. (3) should be able to spread without any help of user, using exploitz of some Internet service that will allow to remotely execute the worm-code. (4) should be fast-spreading - it should be able to (very fast) find all buggy Internet servicez and infiltrate them in a very short time. (5) should be morphed on every generation, using some external metamorphic engine (my BME32 or MDriller's MetaPHOR, for instance). (6) XXX (described below) Removement of the unremovable worm .................................... Well, the biggest benefit followz - in fact, the only place where the worm will be stored is CABLE that connectz computerz in network. Becoz of fast spreading capabilitiez and code metamorphism, it won't be able to catch and stop it with some ordinal AV. Worm would spread on until ALL buggy Internet servicez at ALL to-Internet-connected serverz would be patched. But can you imagine that EVERY server on Internet will be correctly patched, in a short time? It's impossible! So, if the only place where the worm is stored are CABLES (microwave connectorz, satelite recieverz, telephone linez etc...) the only way how to stop such worm without patching ALL systemz would be then DISCONNECT *ALL* BUGGY COMPUTERZ FROM THE INTERNET !!! You can see that both of those 2 only wayz are unrealisable. And I have to mention that if the worm would use some very spreaded-out bug, it would cause the collapse of the world-wide network (the wanted side effect of the worm)! I'm sure, that if the spreading algorithm would be advanced later, this worm could cause a REAL harm. XXX bonus ........... Perhaps, the alternative way how to STOP such virus would be paradoxly to create a new virus, with one addition (but I doubt AVerz would be allowed to do it ;-); one module that will - after successful infection - patch buggy system and so close the opened door. Is it science fiction? You decide... .................................................... . Benny / 29A . benny@post.cz . http://coderz.net/benny . ... perfectionist, maximalist, idealist, dreamer ...