Anti-virus detection methods and how they are circumvented
In the ongoing battle between virus writers and AVers (anti-virus researchers), different techniques and methods are used by both parties. In this short article I will discuss some of them. Virus writers use techniques like polymorphism, EPO (entry-point obscuring) and metamorphism to hide their code; AVers already know how to battle these.
So how would you detect a virus in the first place? By using wildcards. Wildcard (pattern) scanning is one of the best-known detection techniques; an example of an AV vendor using it is ClamAV. ClamAV searches for byte patterns and includes some features to detect certain polymorphic engines. You can easily defeat this wildcard search by using an obfuscated polymorphic engine like Marburg.
Another way to discover a virus is by emulation. Emulation needs an entry point at which to begin the analysis, and most virus writers bypass the whole emulation with a trick that keeps the entry point from being discovered.
What other techniques do AVers use? Static analysis.
Static analysis comes in two types: the first is code disassembling and the second is static analysis of executables. Code disassembling will not be discussed in this article.
Static analysis of executables:
You could simply call this type “tracing the registers' behaviour”. The analysis works by tracing the registers and searching for one that should belong to the decryptor, the counter or the pointer, and then testing whether all of the decryptor's register behaviours are present. If they are, this code is decrypting the virus, so we should emulate it and test whether the virus appears in memory. If not, the file is not infected.
How can this be defeated? By using dynamic register swapping:
This idea was recently published on certain forums. Any playing with the registers will defeat the static analysis of an executable. You could simply swap the registers in the middle of the code like this:
;ecx -> counter
xchg eax,ecx
;eax -> counter or ecx -> counter
This code swaps the registers in the middle of the decryptor code. The values are exchanged, so eax now holds the value of ecx and acts as the decryptor's counter in the following instructions.
Another example:
;ecx -> counter
mov eax,ecx
;eax -> counter or ecx -> counter
This example overwrites the value of eax, but you now have two registers holding the same value, and either of them can act as the counter. Who can tell which one you chose as the counter? More scenarios for this trick are applicable. AVers need to keep up to date with the ‘latest’ tricks and modify their detection methods and algorithms accordingly.
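Added example (mine, not the article's): a toy Python version of the register-behaviour tracer described above, extended to propagate roles across mov/xchg so that the swap trick no longer hides the counter. The listings, role names and function names are constructed for illustration and are not from the article.

```python
import re
# Constructed sample (not from the article): decryptor loop whose counter hops from ecx to eax via xchg.
SAMPLE_XCHG = """
mov ecx, 0x40
mov esi, 0x401000
decrypt:
xor byte [esi], 0x5A
inc esi
xchg eax, ecx
dec eax
jnz decrypt
"""
# Same loop using the mov variant from the article's second example.
SAMPLE_MOV = SAMPLE_XCHG.replace("xchg eax, ecx", "mov eax, ecx")

MEM = re.compile(r"\[(\w+)\]")                       # register used as a memory operand
DECRYPTOR = {"memory-write", "pointer-step", "counter-step", "loop"}

def parse(listing):                                  # yield (mnemonic, operands), skipping labels
    for line in listing.strip().splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        mnem, _, rest = line.partition(" ")
        yield mnem, [o.strip() for o in rest.split(",")] if rest else []

def trace_roles(listing, follow_moves=True):
    """Collect decryptor behaviours; follow_moves=False mimics a naive tracer that the swap defeats."""
    roles, seen = {}, set()                          # roles: register -> set of roles
    for mnem, ops in parse(listing):
        if mnem == "mov" and ops[1].startswith("0x"):
            roles.setdefault(ops[0], set()).add("init")          # candidate counter/pointer
        elif mnem in ("mov", "xchg") and ops[1].isalpha() and follow_moves:
            dst, src = ops                                       # copy roles for mov, swap them for xchg
            roles[dst], roles[src] = set(roles.get(src, ())), roles.get(dst if mnem == "xchg" else src, set())
        elif mnem == "xor" and MEM.search(ops[0]):               # write through a pointer register
            roles.setdefault(MEM.search(ops[0]).group(1), set()).add("pointer")
            seen.add("memory-write")
        elif mnem == "inc" and "pointer" in roles.get(ops[0], set()):
            seen.add("pointer-step")
        elif mnem == "dec" and "init" in roles.get(ops[0], set()):
            seen.add("counter-step")                             # the counter is whichever register carries the role
        elif mnem.startswith("j"):                               # conditional back-edge closes the loop
            seen.add("loop")
    return seen

def looks_like_decryptor(listing, follow_moves=True):
    """True when every decryptor behaviour is present, i.e. hand the code to the emulator."""
    return DECRYPTOR <= trace_roles(listing, follow_moves)
```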