by rollulus 2956 days ago
I agree. Mistfall (and z0mbie himself) was years ahead of its time.

For those not aware of Mistfall: typical viruses simply append their code to the target. To avoid detection, polymorphism was introduced: viruses generate permutations of decryption logic for the actual static but encrypted virus body. The next step was metamorphism: the virus body itself got permuted. Mistfall was one step further: it disassembled the host, merged in its own permuted body and rebuilt the host. Here is an article by the author himself [1]. This was in 2000.

In general, before hacking and cybercrime became a commercial activity, there was a lively virus writing scene, where highly skilled people played the cat-and-mouse game with anti-virus producers, created magazines with the sources of their creations and wrote articles.

Too bad that z0mbie disappeared. Sometimes when news about elite Russian hackers hits the news I wonder if it's him.

[1]: http://z0mbie.daemonlab.org/autorev.txt


Maybe another link for those who love malware history, this site also just vanished...

https://web.archive.org/web/20110205151357/http://www.rootki...

> "merged in its own permuted body and rebuilt the host."

Actually it was even more sophisticated: it not only merged its permuted body into the host, but rather rearranged the host in a way to merge chunks of its body between the chunks of the host's original code, using jmp instructions to keep the code flow, where the entry point was inserted at random. If he had further armored it with additional polymorphism layers for each chunk, this would have made it even algorithmically impossible to detect (on the other side, even now, no one can claim to detect all the permutations, while the disinfection is limited to "delete infected files"). This was a work of art (I was a malware analyst); today's malware is a joke compared to what z0mbie was doing (even if I could argue that there is a lot to do on Windows, infecting the MBR and owning Windows by serving the calls to yourself is still (maybe I am outdated?) something to be seen). I would really love to shake his hand even if we were on opposite sides :)

People are still keeping mirrors of 29a :)

http://dsr.segfault.es/stuff/website-mirrors/29A/

And mirror of z0mbie (mistfall author) site http://z0mbie.daemonlab.org/

I am really interested what happened with z0mbie... he just vanished at some point...