malware
//this is about malware in general
// this section is from https://www.thesslstore.com/blog/polymorphic-malware-and-metamorphic-malware-what-you-need-to-know/
// and https://digitalguardian.com/blog/what-polymorphic-malware-definition-and-best-practices-defending-against-polymorphic-malware
//polymorphic malware:
- first of all, polymorphism means changing appearance while keeping the same functionality, like 1+1 or 10-8 or -1000+1002
- it is a type of malware that is able to change its code/signature to avoid detection by AV engines; in general, it modifies
parts of its code.
//metamorphic malware:
- this type is known to modify its entire code base in every version of itself, and it's the most dangerous.
- some "simple" techniques include, but are not limited to: adding nop instructions, adding useless loops...
- other "advanced" ones include: function reordering, program flow modification, static data structure modification...
//ip obfuscation:
- it's possible to write an IP address in bases other than base 10,
for example the IP address [10.1.10.1] could be written in base 16 (hex) like [0xa.0x1.0xa.0x1]
or in base 2 (binary) like [$((2#1010)).$((2#1)).$((2#1010)).$((2#1))]
or in a mix of the two bases [$((16#a)).$((2#0001)).$((16#a)).$((2#0001))]
or [0xa.$((2#1)).0xa.$((2#1))]
in the form of $((base#numberinbase)) for every entry ($((...)) is bash arithmetic expansion, so the shell evaluates each entry to decimal before the command ever sees it). Note that entries could be in any base.
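As an added example (not part of these notes or their sources), a Python normalizer that turns every notation listed above back into plain dotted decimal and flags that it was rewritten, so a log review or URL filter is not fooled by the trick; it also covers the leading-zero octal form that inet_aton accepts, which the notes do not mention. The function names and the sample log line are chosen here.

```python
import re

# One bash arithmetic token of the form $((base#digits)), the notation used in the notes.
SHELL_TOKEN = re.compile(r"^\$\(\((\d+)#([0-9A-Za-z]+)\)\)$")

def octet_value(field: str) -> int:
    """Value of one dotted-quad field in any notation the notes describe:
    plain decimal, 0x-prefixed hex, leading-zero octal (also accepted by
    inet_aton), or a bash $((base#digits)) expansion."""
    m = SHELL_TOKEN.match(field)
    if m:
        base, digits = int(m.group(1)), m.group(2)
        if not 2 <= base <= 36:  # bash allows up to 64; int() stops at 36
            raise ValueError(f"unsupported base in {field!r}")
        return int(digits, base)
    if field[:2].lower() == "0x":
        return int(field[2:], 16)
    if field.isdigit():
        return int(field, 8) if len(field) > 1 and field[0] == "0" else int(field)
    raise ValueError(f"unrecognised octet {field!r}")

def normalize_ipv4(text: str) -> tuple[str, bool]:
    """Canonicalize to dotted decimal; the flag is True if any field
    was written in something other than plain decimal."""
    fields = text.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dotted fields")
    values = [octet_value(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("octet out of range")
    plain = all(f.isdigit() and (f == "0" or f[0] != "0") for f in fields)
    return ".".join(map(str, values)), not plain

def find_obfuscated_ips(line: str) -> list[tuple[str, str]]:
    """Return (as_written, canonical) for each whitespace-separated field of a
    log line that is an IPv4 address in a non-decimal notation."""
    hits = []
    for word in line.split():
        try:
            canonical, obfuscated = normalize_ipv4(word)
        except ValueError:
            continue
        if obfuscated:
            hits.append((word, canonical))
    return hits

# Constructed sample log line (not real traffic) mixing the notations from the notes.
SAMPLE_LOG = "cmd=ping 0xa.0x1.0xa.0x1 cmd=ping 10.1.10.1 cmd=ping $((16#a)).$((2#0001)).$((16#a)).$((2#0001))"
```

Running `find_obfuscated_ips(SAMPLE_LOG)` reports the hex and mixed-base entries, both resolving to 10.1.10.1, and leaves the plain decimal one alone.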