40Hex Number 7 Volume 2 Issue 3 File 005

Well, by far the most incredible creation in the virus community that has surfaced is the MtE. We aren't going to go into details about it, but we are definitely going to give you as much news as we have collected.

In this file:

Article 1: A note from Vesselin Bontchev
Article 2: Steve Gibson tells us how to avoid polymorphic viruses
Article 3: An article from Newsday about McAfee
Article 4: NIST Expert Warns Feds to Find Better Ways to Head Off Viruses
Article 5: Some messages posted on Smartnet about MtE

<<<<<<<<<< Article 1: <<<<<<<<<<

====From the Virus-L Digest via NIST=====

Date: 10 Feb 92 20:40:23 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DAV/Sourcer/Rape (PC)

RUTSTEIN@HWS.BITNET writes:

> First, has anyone heard about Dark Avenger's latest? I got a report
> secondhand last week that he'd come up with a new gem...I believe the
> report came from a researcher in the UK. Fridrik/Vesselin/others, can
> you confirm/deny this report?

Yeah, I can confirm it... :-( And it is first-hand information, since I have it. The long-rumored Mutating Engine is real and is circulated to several virus exchange BBSes... :-((

The bad news is that the damn thing really mutates, no kidding! It comes as an OBJ file, which is supposed to be linked to any virus, with a detailed do-it-yourself guide, and with a demo virus. The demo virus is in source, but the source of the Mutating Engine (called MtE) is not provided. According to the docs, what we have is version 0.90-beta of the MtE, but version 0.91 is also known to exist... I'm wondering what will be implemented more in version 1.00... :-(((

The damn thing is really difficult to crack! I mean, it contains no encryption or anti-debugging and anti-disassembling techniques, but it mutates too well...
I have observed changing of encryption algorithms, random bytes padding, usage of different ways to express one and the same algorithm (yeah, that's right - different ways, not just modifying the opcodes and inserting do-nothing instructions)... The currently most mutating virus (V2P6Z) is a toy compared to it...

The worst of all is that just anybody can sit and use it to create a virus. Well, some experience in assembly language programming is needed, so the kids from RABID, NukE, and the other punk virus writing groups that usually write overwriting viruses in high-level languages will have a little bit of trouble learning how to use it... But a very little bit!

Currently there are only two viruses which use the MtE. The first is the demo virus in the package (a silly, non-resident, COM file infector, infects only the files in the current directory), and a virus, called Pogue, which has been available on some VX BBSes in the USA. McAfee's SCAN 86-B claims to be able to detect the Pogue virus. Unfortunately, I haven't had the time to verify this (I received the virus just two days ago). There are reports that in fact not all possible variants of the virus are detected. SCAN 86-B DOES NOT detect the MtE for sure - I tested it on the demo virus supplied with the package.

As a conclusion, don't panic. Currently there are only two viruses using the MtE and both are too silly to pose a serious threat. Copies of the MtE have been provided to several anti-virus researchers (no, don't write me to ask for a copy, you won't get one), including McAfee Associates, Fridrik Skulason, Dr. Solomon, etc., so there are a lot of people working right now on the problem. The good news is that once we learn to recognize the MtE, we'll be able to detect -any- new viruses that are using it.

Oh, yes, just out of interest. The whole package comes in a neat ZIP archive, with -AV code for "CrazySoft, Inc.".
The Bulgarian hackers have demonstrated again that the -AV authenticity verification in PKZIP is just crap, so PLEASE DO NOT RELY ON IT!

<<<<<<<<<< Article 2: <<<<<<<<<<

From InfoWorld Magazine
Tech Talk by Steve Gibson

AT LAST, HOW TO PROTECT YOURSELF FROM POLYMORPHIC VIRUSES

My past two columns concerning the threat presented by polymorphic viruses triggered an informative conversation with the industry's chief virus researcher, John McAfee. During that conversation I learned that things are even worse than I'd supposed.

It turns out that the "Dark Avenger" bulletin board system, which disseminates virus code, has recently published source code for the Dark Avenger Mutation Engine. The Mutation Engine is nothing less than a first-class code kernel that can be tacked onto any existing or future virus to turn it into a nearly impossible to detect self-encrypting virus.

My examination of a sample virus encrypted by the Mutation Engine provided by McAfee revealed alarming capabilities. Not only do the Dark Avenger Mutation Engine viruses employ all of the capabilities I outlined in last week's column, but they also use a sophisticated reversible encryption algorithm generator. The Mutation Engine uses a meta-language-driven algorithm generator that allows it to create an infinite variety of completely original encryption algorithms. The resulting unique algorithms are then salted with superfluous instructions, resulting in decryption algorithms varying from 5 to 200 bytes long.

Because McAfee has already received many otherwise known viruses that are now encapsulated with the Mutation Engine's polymorphic encryption, it's clear that viruses of this new breed are now traveling among us. It is clear that the game is forever changed; the sophistication of the Mutation Engine is amazing and staggering.
Simple pattern-matching virus scanners will still reliably detect the several thousand well-known viruses; however, these scanners are completely incapable of detecting any of the growing number of viruses now being cloaked by the Dark Avenger Mutation Engine.

So what can we ultimately do to thwart current and future software viruses? After brainstorming through the problem with some of our industry's brightest developers and systems architects, I've reached several conclusions.

First, scanning for known viruses within executable program code is fundamentally a dead end. It's the only solution we have for the moment, but the detectors can only find the viruses they are aware of, and new developments such as the Mutation Engine render even these measures obsolete.

Second, detecting the reproductive proclivities of viruses on the prowl is prone to frequent false alarms and ultimately complete avoidance. With time the viruses will simply circumvent the detectors, at which time the detectors will only misfire for self-modifying benign programs.

Third, the Achilles' heel of our current DOS-based PC is its entirely unprotected nature. As long as executable programs (such as benign and helpful system utilities) are able to freely and directly access and alter the operating system and its file system, our machines will be vulnerable to deliberate attack.

So here's my recommendation. Only a next-generation protected-mode operating system can enforce the levels of security required to provide complete viral immunity. By marking files and code overlays as "read and execute only" and by prohibiting the sorts of direct file system tampering performed by our current crop of system utilities, such operating systems will be able to provide their client programs with complete viral immunity.

The final Achilles' heel of a protected-mode operating system is the system boot process, before and during which it is still potentially vulnerable.
By changing the system ROM BIOS' boot priority to favor hard disk over floppy, this last viral path can be closed and blocked as well.

(Steve Gibson is the developer and publisher of SpinRite and president of Gibson Research Corp., based in Irvine California...)

<<<<<<<<<< Article 3: <<<<<<<<<<

Date: Mon, 06 Apr 92 14:18:09 -0400
From: Joseph Halloran
Subject: NY Newsday Article on McAfee & Viruses

(NOTE: The following article was published as a whole in the April 5, 1992 edition of New York Newsday, page 68. It is reprinted below without the express consent of Joshua Quittner, New York Newsday, or the Times-Mirror Company)

SOFTWARE HARD SELL
------------------

"Are computer viruses running rampant, or is John McAfee's antivirus campaign running amok?"

-By Joshua Quittner, staff writer

John McAfee is doing one of the things he does best: warning a reporter about the perils of a new computer virus.

"We're into the next major nightmare -- the Dark Avenger Mutating Engine," McAfee says, ever calm in the face of calamity. "It can attach to any virus and make it mutate." The ability to "mutate" makes it virtually undetectable to antivirus software, he explains. "It's turning the virus world upside down."

But wait. This is John David McAfee, the man who once ran a service that revolved around the curious premise that, if you paid him a membership fee and tested HIV-negative, you could have AIDS-free sex with other members for six months. This is the man who jumped from biological viruses to computer viruses and quickly became a flamboyant expert on the new demi-plague, showing up at the scene of infected PCs in his Winnebago "antivirus paramedic unit." And this is the same man who started something called the Computer Virus Industry Association, and, as chairman, made national headlines last month by saying that as many as _five million_ computers might be infected with a virus named Michelangelo.
The virus turned out to be a dud, in the opinion of many industry experts. But not before McAfee became a media magnet: In the weeks before March 6, when Michelangelo was supposed to erase the hard disks of infected IBM and compatible PCs, he was featured by Reuters, the Associated Press, USA Today, the Wall Street Journal, "MacNeil/Lehrer News Hour," CNN, "Nightline," National Public Radio and "Today."

What some news reports failed to point out, however, is that McAfee is also the man who runs Santa Clara, Calif.-based McAfee Associates, a leading manufacturer of antivirus software, and that he stood to benefit from publicity about Michelangelo. McAfee won't reveal sales, but it seems clear they shot up during the two-week frenzy.

"People kept saying I hyped this, I hyped this," said McAfee, who still defends the notion that Michelangelo was widespread. "I never contacted the press -- they called me."

McAfee's detractors say the Michelangelo scare was mainly hype and media manipulation, a parade in which most of the floats were built by McAfee. They say McAfee helped drive the rush to buy antivirus software -- with his products poised to sell the most -- while boosting the profile of McAfee Associates, a company that recently received $10 million from venture capitalists McAfee says are waiting to sell stock publicly.

And, critics say, while McAfee touts a recent evaluation that rated his software alone as 100 percent effective in finding virtually every known virus, he funded the evaluation and picked his competitors.

"He does know the issue of viruses, no doubt about it," said Ken Wasch, executive director of the 900-member Software Publishers Association. "But his tactics are designed to sell _his_ software."

McAfee says the media consistently misquoted him about how widespread Michelangelo was. And his company didn't profit from the virus, he says, but actually suffered due to the free advice his staff was dispensing.
"It does not benefit me in any way or shape or form to exaggerate the virus problem."

Even McAfee's detractors admit his programs do what they're supposed to do: track down coding that's maliciously placed in software to make it do anything from whistle "Yankee Doodle" to erase valuable data.

His strongest distribution channel is shareware, a kind of software honor system common on electronic bulletin boards. PC users can download the programs over phone lines and pay later if they find them useful.

McAfee's programs are "probably the most popular shareware programs of all time, second only to PKZIP," which compresses data, said George Pulido, technical editor of Shareware Magazine. He said McAfee's programs have been copied by millions of people, although only about 10 percent of shareware users actually pay.

A more reliable money-maker is corporate site licenses, where McAfee is one of the three biggest players. Michael Schirf, sales manager of Jetic Inc., a Vienna, Va., company that is McAfee's sales agent for the Mid-Atlantic region, claimed more than 300 of the Fortune 500 companies have licensed his software, paying $3,250 to $20,000, depending on the number of PCs. During the Michelangelo scare, "you couldn't get through to us at one point because of people asking about it and trying to get it," Schirf said.

Certainly, McAfee's software wasn't the only antivirus software selling. Fueled by giveaways of "special edition" programs that scanned exclusively for the Michelangelo virus, sales of general antivirus packages were a bonanza for everyone in the business, including Norton/Symantec and Central Point Software, two other leading sellers.

"Our sales of antivirus software were up 3,000 percent," said Tamese Gribble, a spokesman for Egghead Software, the largest discount software retailer in the country. "We were absolutely swamped."

Rod Turner, a Norton executive vice president, said antivirus sales increased fivefold.
"We didn't make any product in advance," he said, "so we were caught with our pants down."

Companies like Norton that sell factory-shipped software couldn't ramp up quickly enough to take full advantage of the situation. But McAfee's software comes mostly through electronic bulletin boards and sales agents, giving him a nearly limitless capability to meet demand. "I can supply as many copies of the software as I have blank diskettes to put it on," Schirf said.

The Michelangelo scare was also good for pay-by-the-hour on-line information services such as Compuserve, which saw a huge increase in the time users logged on looking for advice on Michelangelo. Indeed, a virus forum on Compuserve was hugely popular, with users downloading antivirus programs, including McAfee's, 49,000 times that week, Compuserve spokesman Dave Kishler said. Compuserve made more than $100,000 from the online time.

McAfee makes an attractive industry spokesman. Tall and lean, with a mellifluous voice, he speaks in perfect sound bites -- an antidote to the unquotably bland men who otherwise dominate the antivirus business.

A mathematician who got into programming when he graduated from Roanoke College, McAfee, 47, said he has held a dozen jobs, ranging from work on a voice-recognition board for PCs to consulting for the Brazilian national phone company in Rio de Janeiro.

His first mention in the media was in connection with the American Association for Safe Sex Practices, a Santa Clara club formed so that its members could engage in AIDS-free sex. For a $22 fee, members whose blood tested HIV-negative were given cards certifying them AIDS-free, buttons saying "Play it Safe," and were entered on McAfee's on-line data base. Updates, every six months, cost $7.

Anyone who knows anything about AIDS knows a certificate that someone is AIDS-free is good only until the person has sex with or shares an intravenous needle with an infected person.
When asked now about the safe-sex group, McAfee at first denied anything but a passing affiliation: "I worked for those people as a contractor," he said, adding, "It was not my company."

But later, when he was reminded that both the San Diego Tribune and the San Francisco Chronicle described him in feature stories as the entrepreneur who started the organization ("I believe I am providing an environment where people who are sexually active can feel more safe and secure," he told the Tribune in a March 9, 1987, story), McAfee sidestepped the ownership question.

He said the group performed a valuable function, maintaining a data base on AIDS and information about the disease. "I thought they were pretty well ahead of their time," he said, quickly locating a 1987 newsletter put out by the group, which featured articles such as "Kissing and AIDS" and "The Apparent Racial Bias of the AIDS Virus."

The association no longer exists. "They came and went pretty fast," McAfee said, chuckling.

McAfee got his first taste of computer viruses at around that time. "It was an accident, like anything else in life," he recalled. "I got a copy of the Pakistani Brain. I think I got it from one of the local colleges. It was the program of the year." The program, reportedly written by two Pakistani students trying to foil software pirates, destroyed some PC data.

By 1989, McAfee was a virus expert, selling the first antivirus software and offering to make house calls with his Winnebago cum computer lab.

"John's antivirus unit is the first specially customized unit to wage effective, on-the-spot counterattacks in the virus war," McAfee and a co-author reported in "Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System," their 1989 book. "Eventually, there will be many such mobile search, capture and destroy antivirus paramedic units deployed around the world."

He had also founded the Computer Virus Industry Association, with himself as chairman.
"The CVIA is nothing more than McAfee," said Wasch, of the Software Publishers Association. "I had a run-in with him three years ago about that."

Wasch said he had been asked by other antivirus businesses to look into McAfee's group after claims surfaced that he was railroading companies into joining -- something McAfee vigorously denies. Wasch said he believes the association was a self-serving group that did little more than support McAfee's business.

"It would be like Microsoft creating the Windows Support Association as a front to promote its Windows software," Wasch said.

McAfee denies the CVIA is a front and said Wasch's group was threatened by the creation of the virus association. "They wanted to take us over," he said. In any event, he said, the association is now managed by others and his involvement is minimal, adding, "It's more of a nuisance to me." But he does say the association is dependent on his private business for much of its virus data. "McAfee Associates has all the numbers," he said.

Detractors say McAfee now uses another association to hype his programs. The National Computer Security Association released one of the few ratings of antivirus software, with McAfee's program on top -- a comparison he's quick to cite. But that may be because he influenced which software would be compared with his and how the tests were run, said David Stang, who founded the for-profit association in Washington, D.C., two years ago. Stang recently left the association and started a new one after a falling-out with McAfee over testing procedures.

Stang said one of the association's functions was to "certify" antivirus software -- to test and rate competing programs. "It was his [McAfee's] idea that we certify products," Stang said. And when no company rushed forward to pay $500 to have its software rated, McAfee "sent me the products and the check and said 'go certify.'"

McAfee says he spent thousands of dollars to evaluate some of his competitors' programs.
In February, 1992, in fact, he paid for his own and the other five programs to be certified. His was ranked 100 percent effective. The others ranged from 44 percent to 88 percent effective.

"If your product competes with mine, I'd like for those customers of mine to know that your product isn't as good as mine," he said.

But in the February certification, notably absent were McAfee's biggest competitors: Dr. Solomon's ToolKit and Skulason's F-Prot. "I've got 75 competitors. I pick the ones who are going to give me the most trouble that month," McAfee explained.

The February evaluation was actually a second, and more favorable test, that Stang says he performed at McAfee's request. Stang said McAfee was dissatisfied with the association's methods -- it tested the software against a "library" of viruses that McAfee thought wasn't comprehensive enough. So Stang said he agreed to use a new library that he claims was built on viruses McAfee found and supplied. Scores for McAfee's program rose while some others dropped sharply.

McAfee said Stang's virus library was incomplete and his testing methods "wishy-washy," and he defended the new library's independence. "This is not something that anybody, let alone me, could mess with," said McAfee. "You can't jimmy these scores. You can't say that McAfee buys more certifications, therefore he'll get a better score, because other vendors would complain."

"They wouldn't let me get away with it." [John McAfee]

<<<<<<<<<< Article 4: <<<<<<<<<<

From: Government Computer News
March 30, 1992
By: Kevin Power, GCN staff

"NIST Expert Warns Feds to Find Better Ways to Head Off Viruses"

BALTIMORE - In the wake of the Michelangelo scare, a top security expert with the National Institute of Standards and Technology has warned agencies against relying too heavily on virus scanning software.
Anti-virus software is a useful detection tool, but it often takes too long to use and does not solve fundamental problems, said Dennis Steinhauer, manager of the computer security evaluation group at NIST's Computer Systems Laboratory. He spoke at the March meeting of the National Computer System Security and Privacy Advisory Board.

Steinhauer said the fallout from Michelangelo was minimal, thanks to early detection, plenty of publicity and governmentwide [sic] warnings. But he also stressed that vendors and agencies need more effective methods of protecting against viruses in newly acquired hardware and software.

"What were believed to be reliable channels may no longer be," he said. "There's a lot that needs to be done to make sure that users receive better assurances that products are not contaminated. This incident may have undermined consumer confidence."

Steinhauer said one solution would be to build hardware and operating systems that are less vulnerable. For example, vendors can isolate the boot sector of a hard drive to guard against infection.

But agencies tend to shy away from such serious measures, because they force managers to make hard choices about system functionality and user requirements, Steinhauer said.

"We have the technology to do what is necessary. But we don't know what the price is to the user," he said. "The question is whether I'm willing to have my machine hobbled for protection. It's similar to installing a governor on a car to limit a vehicle's speed to 55 miles per hour."

Agencies still are surveying for possible damage inflicted by Michelangelo, Steinhauer said. But he said the incident showed NIST officials that more agency computer emergency response teams (CERTs) are needed.

CERTs, established in some agencies for just such attacks, worked well, Steinhauer said. The teams coordinate their work through the Forum on Incident Response and Security Teams, or FIRST.
But Steinhauer said it was evident that not enough agencies have established CERTs. Internal agency security teams did their jobs, but the government needs a better way to distribute security advisories and handle less-publicized emergencies, Steinhauer said.

<<<<<<<<<<< Article 5A: <<<<<<<<<<<

Date: 05-29-92 (21:06)              Number: 3019 of 3059 (Echo)
  To: BILL LAMBDIN                  Refer#: NONE
From: CHARLIE MOORE                   Read: NO
Subj: POLYMORPHIC VIRUSES 1/2       Status: PUBLIC MESSAGE
Conf: VIRUS (52)                 Read Type: GENERAL (+)

Note: This message is a repost -- I tied up the first by failing to set the lines per message < 99. My apologies to all.

Bill, regarding how McAfee's Scan detects the DAME you stated:

BL>Trust me. It is still string searches. McAfee finds those three
BL>bytes, and then follows the steps to decrypt the virus to memory. If
BL>it continues long enough to positively identify the DAME, Scan
BL>reports the virus, and looks at the next

Now, being in the security business, and probably a bit paranoid as a result, when I see or hear "Trust me", I get a little queasy. I don't know the source of your information Bill (perhaps you'll let us know) but I don't think it's correct.

On May 11, 1992, McAfee Associates was featured in a news release about the DAME -- Dark Avenger Mutation Engine No Threat to Protected PCs. Below is a quote from this release that does not track with what you're telling me (BTW, it was McAfee Associates who sent me the news release -- did not see it until today though).

The Mutation Engine, however, uses a special algorithm to generate a completely variable decryption routine each time. "The result is that no three bytes remain constant from one sample to the next," said Igor Grebert, senior programmer at McAfee Associates. "This makes detection using conventional string-matching techniques impossible."
Now, in my last message to you I stated that I understood three bytes did remain constant (I got this info from two sources; Hoffman's Vsum204 and tech support at Fifth Generation Systems -- I now suspect Hoffman is wrong and tech support at Fifth Generation Systems was probably just parroting Hoffman's Vsum). As I've stated before, solid technical information about the DAME is limited!

Today, I called Igor Grebert at McAfee Associates to verify that he was properly quoted in the news release -- he was. Igor would not tell me in detail how McAfee's Scan detects the DAME; however, he did assure me that searching for a three-byte string was not the technique used.

BL>CM> I don't think anyone, not even the Dark Avenger himself, can put an
BL>CM> accurate number on the possible virus mutations generated by the

BL>Again trust me. It is mathematics pure and simple.
BL>the DAME randomly picks a 32 bit seed. Each bit will either be a 1 or 0.
BL>... according to my scientific calculator, or 4.3 billion possible
BL>combinations in English.
BL>If the numbers above ring bells, it is binary plain and simple.

Well Bill, I'm certainly not going to argue with your calculator. :-) However, my point was, and remains, that the possible numbers associated with a random seed are not necessarily equal to the possible number of mutations the DAME is capable of generating.

Now, as I stated to you in my original message, solid information on the DAME (in particular, how it works interactively with its various segments of code) is limited. Even the most experienced and best qualified researchers often don't agree on certain aspects and more than a few questions remain about the limits of variability and related issues. Below is the latest and best info I've seen that gives some insight into the complexity here. The message was posted on the Internet's Virus-L Conference; its author, Vesselin Bontchev, is one of the most highly respected virus researchers in the world.
Date: 21 May 92 22:11:43 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Detecting the MtE (PC)

Almost half a year has passed since the Dark Avenger's Mutating Engine (MtE) has been made available to the anti-virus researchers. Currently several scanners claim to detect it with "100 % reliability". Do they really succeed however? We decided to run some tests at the VTC. The tests are preliminary and were performed by Morton Swimmer.

The Fear virus was used (a minor Dedicated patch) to generate 9,471 infected files. The files were generated by the natural infection process - the reason was to also test the randomness of the random number generator supplied with the MtE. Of those 9,471 infected examples 3 turned out to be duplicates, which yielded 9,468 different instances of the virus. It also means that the random number generator is rather good... Those examples filled a 40 Mb disk (which didn't permit us to generate 10,000 different examples, as we wished initially). We wanted to keep them all, in order to be able to reproduce the tests.

The three scanners were run on those virus samples. The scanners were the three that showed the best detection rate on our collection, namely Dr. Solomon's FindVirus (version 4.15 with drivers from May 15, 1992), Fridrik Skulason's F-Prot 2.03a, and McAfee's SCAN 89-B.

All the three scanners failed the test, each in a different way. FindVirus showed the worst results. It did not detect 744 virus samples (7.86 %). F-Prot did not detect 13 examples (0.14 %). SCAN did not detect 4 examples (0.04 %). SCAN shows the best detection rate in the case of MtE, but we also got a report for one false positive.

For the average users the above rates might appear to be high enough. What are 4 undetected infected files when almost 10,000 infected ones have been properly detected? Well, it does matter.
When you are looking for a particular known virus, anything below 100 % detection means that your program fails to detect it reliably. Remember that a single undetected file may re-start the epidemic.

There is another thing to be concerned about. The MtE uses a 128-byte random number generator, which means that theoretically it can exist in 2^512 different variants. And 0.04 % of this is still quite a
CM> [Hmm... yet a different number of possible mutations?]
lot... Suppose that some virus writer runs the same tests (or even more elaborate ones) and determines for which values of the random number generator the virus is not detected. Then he can create a new random number generator (the MtE provides the possibility for user-supplied random number generators to be plugged in), which generates -only- those values... Such a virus will not vary a lot, but it will still mutate and -all- its mutations will escape that particular scanner...

As I mentioned in the beginning, those were only preliminary tests. We intend to modify the random number generator so that it will generate consecutive (instead of random) numbers and to create a few hundred thousand mutations by keeping only those which a particular scanner does NOT detect. We'll then re-run the tests for random ranges of consecutive mutations.

All we can say now is that none of the three scanners mentioned above is able to detect MtE-based viruses with 100 % reliability.

Currently I am aware of the existence of at least three other scanners which claim 100 % detection of the MtE. One comes with the new version of V-Analyst III, the second has been designed by IBM, and the third is a Dutch scanner. As soon as we get them we'll re-run the tests.

Regards,
Vesselin

----------------------End of Vesselin's Message----------------------

Bill, I'll follow up on the subsequent tests Vesselin intends to run and report the results to you.
One thing I've learned in this business is that accurate and solid information is sometimes hard to come by and the experts don't always have all the answers. Although I think Vesselin's above message is pretty solid, I also think he fails to consider something: on the one hand, he states a theoretical 2^512 (in contrast, your number is 2^32) different variants; yet, his empirical data produces 3 duplicate mutations from a run of less than 10 thousand. I think this is rather odd from a statistical perspective.

Regards,
Charlie Moore

<<<<<<<<<<< Article 5B: <<<<<<<<<<<

Date: 05-30-92 (15:08)              Number: 3021 of 3059 (Echo)
  To: BILL LAMBDIN                  Refer#: NONE
From: CHARLIE MOORE                   Read: NO
Subj: POLYMORPHIC VIRUSES           Status: PUBLIC MESSAGE
Conf: VIRUS (52)                 Read Type: GENERAL (+)

Bill, here's a followup post from Vesselin regarding the DAME:

-----------------Extracted from Internet's Virus-L--------------------

Date: 27 May 92 08:44:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Detecting the MtE (PC)

bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:

> MtE. Of those 9,471 infected examples 3 turned out to be duplicates,
> which yielded 9,468 different instances of the virus. It also means

Correction: a fourth duplicate has been found later. Therefore the total number of generated different mutations used during the test is only 9,467.

> Currently I am aware of the existence of at least three other scanners
> which claim 100 % detection of the MtE. One comes with the new version
> of V-Analyst III, the second has been designed by IBM, and the third
> is a Dutch scanner. As soon as we get them we'll re-run the tests.

We tried out the Dutch scanner. Its authors were present during the test. When they saw the results, they decided that the program is not ready to be tested yet and promised to send us a fixed version soon... :-)

We just received the V-Analyst III scanner; we haven't tested it yet.
As soon as the test is performed, I'll post the results.

Meanwhile we received and tested yet another scanner which claims "100% detection of the MtE-based viruses". It is a German product, called AntiVir IV and produced by H+BEDV. The version tested was 4.03 of May 15, 1992, beta version. It missed 584 mutations (6.17 %).

Regards,
Vesselin

- --
Vesselin Vladimirov Bontchev                 Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226       Fachbereich Informatik - AGN
** PGP public key available by finger. **          Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de   D-2000 Hamburg 54, Germany
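The messages above make three technical claims worth seeing in working code: that an MtE-style engine leaves no usable scan string because every sample gets a different decryptor (Article 1 and Grebert's "no three bytes remain constant" in Article 5A), that a scanner therefore has to run the decryptor rather than match bytes (the Lambdin/Moore exchange), and that a coverage test over thousands of generated samples is how you find out what a "100 %" scanner really misses, with the corollary that a writer who knows the missed seeds can feed the engine only those (Bontchev's 21 May message). The example below is added here and is not code from 40Hex, from the MtE or from any scanner named in the articles: it runs a toy polymorphic generator on an invented 8-bit machine whose opcodes are assumptions of the example (nothing is x86), the "virus body" is constructed inert text, and the scanners and the coverage test are modelled after the descriptions, not taken from any product.

```python
# Added example, not code from 40Hex, from the MtE or from any scanner named above:
# toy polymorphic decryptor generator, pattern vs. generic-decryption scanners, and
# a VTC-style coverage test, all on an invented 8-bit machine (not x86).
import random
from collections import Counter

LOAD_KEY = {"A": 0x10, "B": 0x11}                      # reg <- imm8
SET_PTR, SET_CNT = 0x12, 0x13                          # ptr <- imm8 / cnt <- imm8
OPCODE = {"xor": {"A": 0x20, "B": 0x21}, "add": {"A": 0x22, "B": 0x23},
          "sub": {"A": 0x24, "B": 0x25}}               # mem[ptr] op= reg (low bit: B)
INC_PTR, ADD_PTR_1 = 0x30, 0x31                        # two encodings of ptr += 1
DEC_CNT, JNZ, END = 0x40, 0x50, 0xFF                   # cnt -= 1 / jump if cnt / halt
JUNK = (0x90, 0x91, 0x92)                              # do-nothing instructions
ARITH = {"xor": lambda m, r: m ^ r, "add": lambda m, r: m + r, "sub": lambda m, r: m - r}
ENCRYPT = {"xor": lambda b, k: b ^ k, "add": lambda b, k: b - k, "sub": lambda b, k: b + k}
MEM_FN = {OPCODE[op][r]: ARITH[op] for op in OPCODE for r in "AB"}
IMM_OF = {LOAD_KEY["A"]: "A", LOAD_KEY["B"]: "B", SET_PTR: "ptr", SET_CNT: "cnt"}
STEP = {INC_PTR: ("ptr", 1), ADD_PTR_1: ("ptr", 1), DEC_CNT: ("cnt", -1)}
ALL_OPS = frozenset(MEM_FN) | set(IMM_OF) | set(STEP) | {JNZ, END, *JUNK}
VIRUS_BODY = b"TOY-BODY: non-resident COM infector, current directory only"  # constructed, inert
SIGNATURE = b"TOY-BODY: non-resident"                  # a pattern scanner's scan string


def gen_decryptor(rng, body_len):
    """Emit one decryptor for a body_len-byte body; every choice comes from rng."""
    reg, op, key = rng.choice("AB"), rng.choice(tuple(OPCODE)), rng.randrange(1, 256)
    code = bytearray()
    def junk(): code.extend(rng.choice(JUNK) for _ in range(rng.randrange(4)))
    setup = [[LOAD_KEY[reg], key], [SET_CNT, body_len], [SET_PTR, 0]]
    rng.shuffle(setup)                                 # setup order varies per sample
    for ins in setup:
        junk()
        if ins[0] == SET_PTR:
            ptr_pos = len(code) + 1                    # patched once the length is known
        code.extend(ins)
    junk()
    loop = len(code)
    code.append(OPCODE[op][reg]); junk()
    code.append(rng.choice((INC_PTR, ADD_PTR_1))); junk()
    code.append(DEC_CNT); junk()
    code.extend((JNZ, loop, END))
    code[ptr_pos] = len(code)                          # the body starts right after END
    return bytes(code), key, op


def make_sample(seed, body=VIRUS_BODY):
    """One 'infected file': decryptor followed by the body encrypted to match it."""
    dec, key, op = gen_decryptor(random.Random(seed), len(body))
    return dec + bytes(ENCRYPT[op](b, key) & 0xFF for b in body)


def emulate(sample, supported=ALL_OPS, max_steps=5000):
    """Run the decryptor; return the bytes after END, or None on an opcode outside 'supported'."""
    mem, regs, pc = bytearray(sample), {"A": 0, "B": 0, "ptr": 0, "cnt": 0}, 0
    for _ in range(max_steps):
        opc = mem[pc]
        if opc not in supported:                       # emulator lacks this engine form
            return None
        if opc in JUNK:
            pc += 1
        elif opc in IMM_OF:                            # LOAD_KEY / SET_PTR / SET_CNT
            regs[IMM_OF[opc]], pc = mem[pc + 1], pc + 2
        elif opc in MEM_FN:                            # mem[ptr] op= A or B
            mem[regs["ptr"]] = MEM_FN[opc](mem[regs["ptr"]], regs["AB"[opc & 1]]) & 0xFF; pc += 1
        elif opc in STEP:                              # INC_PTR / ADD_PTR_1 / DEC_CNT
            regs[STEP[opc][0]] += STEP[opc][1]; pc += 1
        elif opc == JNZ:
            pc = mem[pc + 1] if regs["cnt"] else pc + 2
        else:                                          # END: the body follows
            return bytes(mem[pc + 1:])
    return None                                        # did not halt within max_steps


def scan_string(sample):
    """Pattern scanner: the scan string must occur verbatim in the file."""
    return SIGNATURE in sample


def scan_generic(sample, supported=ALL_OPS):
    """Generic-decryption scanner: run the decryptor, then match the plaintext."""
    plain = emulate(sample, supported)
    return plain is not None and SIGNATURE in plain


def common_ngram_length(samples):
    """Length of the longest byte string present in every sample."""
    k = 0
    while set.intersection(*({s[i:i + k + 1] for i in range(len(s) - k)} for s in samples)):
        k += 1
    return k


def coverage_test(scanner, n, first_seed=0):
    """VTC-style run over n consecutive seeds: (seeds missed, duplicate samples)."""
    missed, seen = [], Counter()
    for seed in range(first_seed, first_seed + n):
        s = make_sample(seed)
        seen[s] += 1
        if not scanner(s):
            missed.append(seed)
    return missed, sum(c - 1 for c in seen.values())


def evading_generator(missed_seeds):
    """Stands in for the MtE's pluggable RNG: only seeds a scanner is known to miss."""
    return lambda i: make_sample(missed_seeds[i % len(missed_seeds)])
```

Running coverage_test over a few hundred seeds shows the pattern in the articles: scan_string misses every sample (the key is never zero, so the scan string never survives encryption), scan_generic with the full opcode set misses none, and scan_generic given an emulator that was never taught the SUB form (ALL_OPS minus OPCODE["sub"]) misses roughly one third, which is the "claims 100 %, misses a fraction" situation the VTC found. Handing that miss list to evading_generator gives a mutation stream the crippled scanner never catches while the complete one still does, which is exactly the plug-in-RNG attack Bontchev warns about. The longest byte string common to all samples comes out at two bytes (the SET_CNT opcode and the fixed body length), which is why a pattern scanner has nothing usable to search for; a real engine would vary that pair as well.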