I will be coming back soon.:)

John, ty for you the advice. it really made a difference

A point on hypervisor: I don’t think all CPUs have VMX extension, in fact, only high end computers get them. My laptop’s a recent one ( see my previous blogpost on a review on it. ), but it doesn’t have the VMX extension… ( Intel Core Duo CPU ). Furthermore, reading through the section on VMX in the Intel Developer’s Manual for Software Designer, is a pure headache, trapping intterrupt and stuff…

IceSword’s good stuff… sometime I feel that I am a bit over-reliant on it… In fact, it is involved in the process of removal of Spylocked.

Oh, and on social engineering. It’s quite sad that there’s so many IT illiteracy around the place. No wonder Microsoft can secure their market.

Oh, crackmes, I have done two at the moment. the first one’s more difficult then the second. The second can be found in this blog, written in TASM. I bet it won’t be anywhere near challenging to you. I will dig up my first one and send it to you. Sunny cracked it already.

Okay set that aside. I suggest that a future virus should take advantage of “hypervisor” of the new processors. It is extremely hard to detect such a virus, as it host the OS inside fake “nothing is wrong” environment and sit in between the hardware.

As for disabling Task Manager, you dont need to do that at all since your virus is well hidden from sight. DLL injection alone is not enough, but DLL injection + PEB hiding should keep your virus from prying eyes for a very very long time. (unless your virus happens to infect leet users who knows how to use IceSword , but that is none of our concern)

Virtualization is a very nice trick to keep your virus from being reverse engineered. It renders a lot of tricks virtually useless. You can see the virus, but youll never know what it does. An extra dose of creativity can guarentee AV vendors some headache.

————————————————————————————
Possible off-topic warning
————————————————————————————

I like to point out a sad fact is that a lot of people still fall for simple social engineering tricks like i_loev_you.jpg.vbs. People may have learned not to open attachments from email, but it seems they didnt realize not to trust any downloads they get off the net. You can easily snip a keylogger into a DoTA Blue Server installer and release it into the wild. You may be amazed by how easily people can fall for such tricks.

It wasnt the first time people came to me yelling “zomg my pc is full of spyware” and be amazed, they are infected with the same spyware for the 10000000000th … again. It was a simple virus that hid inside a pendrive, activated by autorun.ini. Guess what, AVs like AVG Free and NOD32 doesnt raise any alarm at ALL ! Theres another guy that is infected with that spyware told me “AV is not needed, cause I have ZoneAlarm”. ……………… speechless?

So we came to a conclusion, user lack of awareness about malwares is the problem. It takes only a noob virus to infect noob users.

————————————————————————————

PS. You write crackmes eh? So when can I get my hand on one of those ?

Okay set that aside. I suggest that a future virus should take advantage of “hypervisor” of the new processors. It is extremely hard to detect such a virus, as it host the OS inside “nothing is wrong” fake environment and sit in between the hardware.

As for disabling Task Manager, you dont need to do that at all since your virus is well hidden from sight. DLL injection alone is not enough, but DLL injection + PEB hiding should keep your virus from prying eyes for a very very long time. (unless your virus happens to infect leet users who knows how to use IceSword , but that is none of our concern)

Virtualization is a very nice trick to keep your virus from being reverse engineered. It renders a lot of tricks virtually useless. You can see the virus, but youll never know what it does. An extra dose of creativity can guarentee AV vendors some headache.

————————————————————————————
Possible off-topic warning
————————————————————————————

I like to point out a sad fact is that a lot of people still fall for simple social engineering tricks like i_loev_you.jpg.vbs. People may have learned not to open attachments from email, but it seems they didnt realize not to trust any downloads they get off the net. You can easily snip a keylogger into a DoTA Blue Server installer and release it into the wild. You may be amazed by how easily people can fall for such tricks.

It wasnt the first time people came to me yelling “zomg my pc is full of spyware” and be amazed, they are infected with the same spyware for the 10000000000th … again. It was a simple virus that hid inside a pendrive, activated by autorun.ini. Guess what, AVs like AVG Free and NOD32 doesnt raise any alarm at ALL ! Theres another guy that is infected with that spyware told me “AV is not needed, cause I have ZoneAlarm”. ……………… speechless?

So we came to a conclusion, user awareness about malwares is the problem. It takes only a noob virus to infect noob users.

————————————————————————————

PS. You write crackmes eh? So when can I get my hand on one of those ?