by terangdom 5124 days ago
I know for a fact that the average bad guy does this. Google "fud crypter": they are programs that take malware and make it Fully UnDetectable by encrypting it, similar to how upx does it. Even skiddies use them.

Heh, I went back and forth between highlighting the "can" in my post. I think you can make a great case that they do not do all the things they could be doing, and there's been rather more focus on the sort of things that have produced bloatware rather than better virus scanning.

But it should be pointed out that in the arms race it should generally be expected that the mid-level underground is always pretty much exactly one step ahead of Symantec etc. It's the nature of the arms race that they are in that the attackers have the temporal advantage. The question is less about whether a given technique works today and more about how long it works. The big advantage an intelligence agency and a large attacker have that doesn't apply to the mid-level underground is that their malware won't (or shouldn't) be detected by the various early-detection techniques that the anti-virus companies have, because they aren't necessarily just going to release their stuff into any place the antivirus company will see. Ideally, they'll simply never see it, which is why it's interesting when these "escape".