###############################################################
####### Why generating trash-code, when we can steal it #######
############################################ by R3s1stanc3 ####
###############################################################

#########
# index #
#########
1. Intro
2. The idea
3. Example
4. Conclusion



1. Intro

Many  viruses  use  trash-code  as a polymorphic technique to change the
body  in  every generation. They add code to the body, that does nothing
e.g.  defining  variables,  moving  some  registers  around or sometimes
adding  some  comments  in scripting languages to change the filehashes.
I thought a bit about this technique and had an idea:


2. The Idea

The  technique  I thought of can only be used in scripting languages but 
I think it is better than adding comments that actually changes nothing.
My  idea  is  to  look  for  programms  written  in the same programming 
language  as  the  virus  and  scan  them  for  functions. If we found a 
function,  we  extract  it  and  simply  add it at a random place in the
virus.


3. Example

I  didn't write actual code but I will explain it for the language perl.
First,  we  look  for a perl file in the current directory, then we look
for  a  subroutine in that file ("sub [funcName] {") with a RegEx. After 
that,  we  will extract the whole subroutine simply by setting a counter
variable to 1 and count every "{" == +1 and "}" == -1 and if the counter
equals 0 we are at the end of the routine. Now we copy that routine at a
random  place  in our virus. That code will never be executed, but it is 
in  our  virus  and  it  is  really  random (and should theoretically be
functional)


4. Conclusion

I  think  this  technique is better than generating more or less obvious
trash-code  and  harder  to detect. Also it should be possible in almost
every scripting language to implement my technique.


R3s1stanc3 [vxnetw0rk]				March, 2013
r3s1stanc3@tormail.org - r3s1stanc3.virii.lu