[Dshield] F-Secure: So who is Diabl0?

Stephane Grobety security at admin.fulgan.com
Tue Aug 30 17:04:08 GMT 2005


j> I disagree. It's not as easy as you think to just pop open a binary and
j> start changing stuff.

Actually, it is most of the time.

j> What about lengths of data and instructions in 
j> memory?

What about it? What these people do is replace data with data of
equivalent length. Some strings get padded with 0's and that's about
it.

j> You run into a big problem when what you want to change doesn't 
j> fit into the hardcoded structure of the binary you already have, so this 
j> doesn't work. Give it a try.

I've done it more than enough (although not for modifying viruses or
worms, mind you: not my kind of "game"). It depends on what you want
to change but many things are no problem at all. Most strings are
null-terminated anyway and structures are often nicely padded within
the binary file.

Of course, you can't change a program's behavior altogether. But
changing the target botnet, the name of the payload files or things
like that is probably easy to play with.

Good luck,
Stephane
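As an added illustration of the point argued above (this is example code, not part of the original post or any real sample): an analyst who receives a same-size variant of a known binary can locate the NUL-terminated string slots and their zero padding, and report which slots were edited in place and whether each replacement still fits and terminates inside its slot. The ORIGINAL and VARIANT blobs are constructed, made-up bytes; the hostnames and file names are placeholders.

```python
"""Triage same-size binary variants by diffing their NUL-terminated string slots."""
import hashlib
import re
from typing import List, NamedTuple


class Slot(NamedTuple):
    offset: int    # where the string starts in the file
    text: bytes    # the string itself, without the terminator
    capacity: int  # bytes available: string + terminator + zero padding


# Constructed sample "binaries" (made-up bytes, not a real sample): an opaque
# header, a hostname, a few code-looking bytes, a payload file name, more code.
ORIGINAL = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"irc.example-one.invalid\x00\x00\x00\x00\x00"  # 23 chars + 5 NULs = 28 bytes
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"payload.exe\x00\x00\x00\x00\x00"              # 11 chars + 5 NULs = 16 bytes
    + b"\xc3\x90\x90\x90"
)

# Same layout and size; both strings replaced in place, the shorter one padded with NULs.
VARIANT = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"irc.example-two.invalid\x00\x00\x00\x00\x00"
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"update.exe\x00\x00\x00\x00\x00\x00"
    + b"\xc3\x90\x90\x90"
)

# A run of at least 4 printable ASCII bytes followed by one or more NULs.
_SLOT_RE = re.compile(rb"[\x20-\x7e]{4,}\x00+")


def find_string_slots(blob: bytes) -> List[Slot]:
    """Locate printable, NUL-terminated strings and the zero padding after them."""
    slots = []
    for m in _SLOT_RE.finditer(blob):
        text = m.group().rstrip(b"\x00")
        slots.append(Slot(m.start(), text, m.end() - m.start()))
    return slots


def fits_in_slot(slot: Slot, replacement: bytes) -> bool:
    """An in-place edit only works if the new string plus its NUL fit the slot."""
    return len(replacement) + 1 <= slot.capacity


def diff_string_slots(original: bytes, variant: bytes) -> List[dict]:
    """Report which string slots of `original` hold different text in `variant`.

    Only meaningful when both files have the same size and layout, which is
    exactly what an in-place string edit leaves behind.
    """
    if len(original) != len(variant):
        raise ValueError("layout differs: not a same-size in-place edit")
    changes = []
    for slot in find_string_slots(original):
        end = slot.offset + slot.capacity
        region = variant[slot.offset:end]
        if region == original[slot.offset:end]:
            continue
        new_text, sep, _ = region.partition(b"\x00")
        changes.append({
            "offset": slot.offset,
            "old": slot.text,
            "new": new_text,
            "capacity": slot.capacity,
            "terminated": sep == b"\x00",  # False means the edit overran the slot
        })
    return changes


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    print("original", sha256(ORIGINAL)[:16], "variant", sha256(VARIANT)[:16])
    for c in diff_string_slots(ORIGINAL, VARIANT):
        print(f"offset {c['offset']:>4}: {c['old']!r} -> {c['new']!r} "
              f"(slot {c['capacity']} bytes, terminated={c['terminated']})")
```

The file hashes differ, so signature-by-hash misses the variant, but the slot diff shows that only the two string slots changed and that each replacement still terminates inside its original capacity; `fits_in_slot` is the length check that decides whether such an edit is possible at all.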


