ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Heuristic Technology ³ Billy Belceb£/DDT ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ By seeing the title, you can think that this article will talk about the way for defeat heuristic scanners and such like. No, my intention is to share my ideas. This article wasn't dessigned for the ppl that doesn't have imagi- nation. I think that the imagination is our weapon, and this little document is only about my ideas in a determinated moment of my life, so if you think i'm wrong, just demonstrate it, and i'll very pleased. Anyway, here you have % What is heuristic? % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Is the analysis and the extrapolation of the data based in the experiences that happened in the past, and its consequences. Yeah, the experience is the mother of the science. This theory seems simple: too little lines... but the concept is very important. Imagine you crash your car just after ignore a stop... i'm sure that you won't do it anymore :) It seems that we (the hu- mans) act basing our knowledge in the experience of the errors we made in the past. In another kind of language, we can say that the heuristic is the way for le arn by basing our theories in the empiric knowledge. So now you can unders- tand what the hell the heuristic AV do: they search basing its criterions in the "experience" of what the viruses use to do. But this isn't a 100% heur- istic software: the "experience" was previuosly coded, so the word heuristic is misused when we are talking about an AV. % A better approach to heuristic in AV % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ What do they search for? It's very simple, they search for the code of the things that the viruses ussually do, as code for intercept functions, load the boot sector, a decryption loop... So, don't believe the things the AV companies ussually say (shit like "We detect the 100% of the known viruses and the unknown too"), because that are fucking lies. The heuristic is easi- ly foolable: just do something strange for perform an ussual action, and voila! your virus is anti-heuristics. Programs like TBAV have the huge fail that they don't look the content of the registers so... what if we move in the register we want a xored value, and later re-xor it? Hey! The AV will be mad ;) I've explained more of this shit in the article "Harder to Detect", in this same magazine :) % Interest for VX? % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Mmmm... i find this interesting. Just imagine if we code something that can learn the way that a file is executed, using only a complex routine that saves each step of the execution, and the weak points of the executed file, and with enough criterion to decide if the file is infectable or not. It can sound like sci-fi, but i think that the computer viruses will grow in this way, in a future. The objective is create something following moreless this shit: ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Preparation for execution ÃÄÄ¿ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ Program loaded in memory ÃÄÄ´ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÃÄ´ Virus following execution ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ Execution ÃÄÄ´ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ³ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ ³ Return control to OS ÃÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ The description is a little vague, i know, but it can (i hope) guide your steps to the rite way. But i don't mean that the virus will be able to iden- tify and infect new kinds of executables and such like. Remember that the heuristic is based in the experience, so a good choice will be build tables for each file executed, and when a determinated number of files of a deter- minated kind are executed, compare each table and look what things are equal and what doesn't, in order to catch all the usual things that the executable files do. So, we will need as the basical "toolkit", for do something alike what i am trying to describe, a good code emulator, and a lot of good ideas, because this matter wasn't discussed in the past (at least i think it), and it needs an overdose of good ideas. The emulator, must emulate ALL the program execution, and look for the most used things (interrupts and such like). % Sci-fi? % ÄÄÄÄÄÄÄÄÄÄÄ People, when reading this will think that i wrote it when i was drunk (well, it was :) , but i think that this could be made, but in the future... When? I don't know. But it could be made. The only problem could be the size: a good emulator + a good code generator + the virus body = huge virus. But... who cares about a virus of 30k? In the HDs of the computers of this time there's a lot of space... And if you optimize your code a lot (hi Super!), the size of the thingy will decrease a lot. Anyway, nowadays there isn't something like i'm trying to describe... But there is a lot of interesting ideas about this same matter, and the ones i like most are the StarZer0 ones (hi T00FIC! ;). The nearest approach of what i'm trying to describe are the metamorphic viruses. But the project of heuristic applied to viruses is more complex (and cool i think :P). % Last Update % ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Coincidence? Bad luck? Fuck! I realized that Rajaat made an article about the same matter as i do... but... the problem is that i wrote this little article in late October/early November of 1998, and 29A#3 wasn't released yet! Anyway i think that this is a very different article, and the only they have common is the label "Heuristic". Anyway, i hate my life. Btw, i really recommend you to read Rajaat's document, because it's good to see always more than a viewpoint in all the things of the life. (Rajaat: CoF rulez!!!!) Billy Belceb£, mass killer and ass kicker