by lol-lol 2952 days ago
I would argue that this one was more sophisticated: http://pferrie.tripod.com/papers/zmist.pdf

What I am seeing lately with malware is an increasing decline in sophistication; today's malware is lame compared to the malware created around 2000. I would think that level of low-level knowledge is rapidly dropping. When there were still real file infectors, there were some seriously nasty technologies involved (btw, today's ransomware is a very old concept (http://virus.wikidot.com/onehalf), but it was used to prevent virus removal instead of making money).


I agree. Mistfall (and z0mbie himself) was years ahead of its time.

For those not aware of Mistfall: typical viruses simply append their code to the target. To avoid detection, polymorphism was introduced: viruses generate permutations of decryption logic for the actual static but encrypted virus body. The next step was metamorphism: the virus body itself got permuted. Mistfall was one step further: it disassembled the host, merged in its own permuted body and rebuilt the host. Here is an article by the author himself [1]. This was in 2000.

In general, before hacking and cybercrime became a commercial activity, there was a lively virus writing scene, where highly skilled people played the cat and mouse game with anti virus producers, created magazines with the sources of their creations and wrote articles.

Too bad that z0mbie disappeared. Sometimes when news about elite Russian hackers hits the news I wonder if it's him.

[1]: http://z0mbie.daemonlab.org/autorev.txt

Maybe another link for those who love malware history, this site also just vanished...

https://web.archive.org/web/20110205151357/http://www.rootki...

> "merged in its own permuted body and rebuilt the host."

Actually it was even more sophisticated: it not only merged its permuted body into the host, but rather rearranged the host in a way that merged chunks of its body between the chunks of the host's original code, using jmp instructions to keep the code flow, where the entry point was inserted at random. If he had further armored it with additional polymorphism layers for each chunk, this would have made it algorithmically impossible to detect (on the other side, even now, no one can claim to detect all the permutations, while the disinfection is limited to "delete infected files"). This was a work of art (I was a malware analyst); today's malware is a joke compared to what z0mbie was doing (even if I could argue that there is a lot to do on Windows, infecting the MBR and owning Windows by serving them the calls to yourself is still (maybe I am outdated?) something to be seen). I would really love to shake his hand even if we were on opposite sides :)

People are still keeping mirrors of 29a :)

http://dsr.segfault.es/stuff/website-mirrors/29A/

And a mirror of z0mbie's (Mistfall author) site: http://z0mbie.daemonlab.org/

I am really interested what happened with z0mbie... he just vanished at some point...

Maybe it is the other way around: today's malware (or a portion of it) is written so well that you don't know about it. Maybe someday another whistleblower will let us know.

Other than permuting itself, what did it do that was sophisticated? Code morphing viruses have been around for a very long time, much longer than 2000. Simple replication does not constitute sophistication. Even my brother-in-law does that.

Read the whole article :)

Sometimes how you do it is far more interesting than what you do (but it might be a tad more complex to understand).