As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper describes known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). This paper also demonstrates newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, and(More)
ABSTRACT As virus writers developed numerous polymorphic engines, virus scanners became stronger in their defense against them. A virus scanner which used a code emulator to detect viruses looked(More)
W32/Simile is the latest 'product' of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002. The virus was written by the virus writer(More)
One of the things that almost all anti-malware researchers have in common is a copy of Interactive DisAssembler (IDA). It is perhaps the best tool we have for disassembling files, since it is capable of so many important things: it displays the file more or less as it really appears in memory, applying relocations, and resolving imports. IDA can follow all(More)
The release of the long-delayed EOF-rRlf-DoomRiderz virus zine probably marks the last of its kind. While the quality is not terribly high, there are some viruses of interest. A series of analyses in alphabetical order begins with this one: W32/Divino. The virus begins by storing the selector of the local descriptor table in the ImageBase field in the PEB,(More)
It was a Tuesday and it was sunny outside, but I was inside waiting for my email client to finish retrieving messages. It was stuck on one mail that had a huge attachment: a sample of W32/Zellome. W32/Zellome arrives as an email attachment. It seems to exist only to demonstrate its polymorphic engine, since the worm component is messy and(More)
A LOOK AT THAT ESCARGOT In 2003 I wrote 'A recompiling virus like W95/Anxiety, but without needing the source code, combined with an inserting virus like W95/ZMist, but without rebuilding the file manually ... The beast is unleashed' (see VB, April 2003, p.5). Now,(More)