Andy Walker wrote:
> Dustin Cook wrote:
>
>> If you have any questions, I will
>> monitor this thread; you may respond here or in email.
>
> Ok, say I'm a malware writer and want to evade your program. It seems
> to me that all I have to do is pad a few kilobytes of garbage into my
> program and randomly modify the size every now and then. I could evade
> your program for a very long time under that scenario. Is that
> correct?
if you're willing to manually change your malware in that way on a
regular basis then yes you'd probably be able to evade bughunter - not
to mention a number of other products... zlob anyone?
if the algorithm for producing the transformations is known then the
complexity of detecting all forms is comparable to polymorphic (or
perhaps metamorphic depending on the complexity of the transformations)
detection...
if the algorithm is not known (server-side polymorphism) or if the
transformations are not algorithmic (manual transformation) then the
complexity is as yet unbounded and there's no good solution for it...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
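The evasion Andy Walker proposes and the reply's "if the algorithm is known" point, as an added example that is not code from the thread, from bughunter, or from any other product. It uses a hypothetical `TOY!` container format (magic plus a declared body length, standing in for a PE's section table), a constructed sample, and assumed padding bounds of 1 to 5 KB; the three detectors are illustrative, not a description of how bughunter works.

```python
"""Added example, not code from the thread or from bughunter: a toy
container format, the 'append random garbage' evasion from the thread,
and three detectors with increasing knowledge of the transformation.
All bytes here are constructed; nothing is real malware."""
import hashlib
import random
import struct

MAGIC = b"TOY!"          # hypothetical 4-byte magic for the toy container
HEADER_LEN = 8           # magic + little-endian u32 declared body length


def build_sample(body: bytes) -> bytes:
    """Wrap a body in the toy container (stands in for a PE whose
    section table says where the real image ends)."""
    return MAGIC + struct.pack("<I", len(body)) + body


def declared_body_len(data: bytes) -> int:
    if len(data) < HEADER_LEN or not data.startswith(MAGIC):
        raise ValueError("not a TOY! container")
    return struct.unpack("<I", data[4:HEADER_LEN])[0]


def random_garbage(rng: random.Random) -> bytes:
    """A few KB of random bytes, random length each time (assumed 1 KB .. 5 KB)."""
    n = rng.randint(1024, 5 * 1024 - 1)
    return bytes(rng.getrandbits(8) for _ in range(n))


def pad_with_garbage(sample: bytes, rng: random.Random) -> bytes:
    """Evasion as described in the thread: append garbage after the
    declared body (an 'overlay'), leaving the header untouched."""
    return sample + random_garbage(rng)


def pad_and_fix_header(sample: bytes, rng: random.Random) -> bytes:
    """A second, different transformation: also rewrite the declared
    length so the garbage looks like part of the body."""
    body = sample[HEADER_LEN:]
    return build_sample(body + random_garbage(rng))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Detector 1: exact file size (what the original poster suspects is used).
def size_match(data: bytes, known_size: int) -> bool:
    return len(data) == known_size


# Detector 2: whole-file hash; defeated by any single changed byte.
def full_hash_match(data: bytes, known_hash: str) -> bool:
    return sha256_hex(data) == known_hash


# Detector 3: knows the transformation is 'append after declared body',
# so it inverts it by truncating to the declared length before hashing.
def normalize_overlay(data: bytes) -> bytes:
    return data[:HEADER_LEN + declared_body_len(data)]


def normalized_hash_match(data: bytes, known_hash: str) -> bool:
    return sha256_hex(normalize_overlay(data)) == known_hash


# Constructed reference sample and its signature, as a scanner would store them.
ORIGINAL = build_sample(b"\xcc" * 512 + b"evil payload stub")
KNOWN_SIZE = len(ORIGINAL)
KNOWN_HASH = sha256_hex(ORIGINAL)


def demo(seed: int = 1) -> dict:
    """Run the detectors against both transformations; True means detected."""
    rng = random.Random(seed)
    overlay = pad_with_garbage(ORIGINAL, rng)
    fixed = pad_and_fix_header(ORIGINAL, rng)
    return {
        "overlay_size": size_match(overlay, KNOWN_SIZE),
        "overlay_full_hash": full_hash_match(overlay, KNOWN_HASH),
        "overlay_normalized": normalized_hash_match(overlay, KNOWN_HASH),
        "fixed_normalized": normalized_hash_match(fixed, KNOWN_HASH),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20s} {'detected' if hit else 'evaded'}")
```

The first two results show the size and whole-file-hash signatures evaded by plain padding; the third shows that once the padding algorithm is known, inverting it (strip the overlay, then hash) restores detection at little cost. The fourth result is the reply's caveat: the moment the attacker changes the transformation, here by also fixing up the length field, the old inverse no longer applies and the detector has to be updated again. For a manual or server-side transformation there is no fixed inverse to write at all.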