06 Mar 2002
Users on the Focus Virus mailing list yesterday raised suspicions that a one-year-old virus may now be posing a new and very real threat.
ZombieMist, or Zmist, which was created by Russian virus writer Zombie, one of the underground's prominent virus authors, is described by experts as "one of the most complex binary viruses ever written".
Reports of infection are only just coming in. At least two companies admitted to detecting the virus earlier this week and struggled to get rid of it.
ZombieMist earned its reputation in the security industry as an 'undetectable virus' because of the complexity of its metamorphic abilities and its support of a new technique known as code integration.
According to a white paper written on ZombieMist by Peter Szor, a virus researcher at Symantec, the 'Mistfall' engine contained within the virus is capable of allocating itself 32Mb of memory with which to decompile executable files.
The virus then inserts itself into the code by moving code blocks out of the way, regenerating data references and rebuilding the executable. Effectively, ZombieMist becomes the executable that it infects. "Something never seen before in previous viruses," according to Szor.
The worrying aspect is that the executable will still work. "In fact, we did not see a single crash during the test replications," explained Szor. "Nobody expected this to work, not even Zombie. Due to its extreme camouflage ZombieMist is clearly the perfect anti-heuristics virus."
The virus uses a brute force approach to spreading, infecting executables on the local machine then in directories referred to by the 'path' variable and on any fixed or remote network drives A-Z. The virus also uses an additional random polymorphic decryptor to make itself even harder to find.
At least three reports of infection have already cropped up this week, but there is some confusion as to whether the detections are genuine.
In all cases Kaspersky Labs' AVP software was responsible for the detection, and it is known that older versions of AVP have been detecting false positives for ZombieMist on a number of files.
Rumour has it that this may be because ZombieMist has it in for AVP in some way. The virus apparently checks to see if the local host is running AVP and, if so, tries to kill it.
Szor noted that a few years ago several antivirus researchers claimed that algorithmic detection had no future because of the development of viruses such as ZombieMist.
But he has taken this opportunity to turn that around by claiming that "virus scanners will have no future if they do not support algorithmic detection".
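The contrast Szor draws, between matching fixed bytes and having the scanner carry out the decryption itself, can be shown with a constructed toy. This is an added example, not code from the article or from Szor's paper: the "virus body", the 4-byte decryptor stub layout and the 0xEB marker are all invented for the demo and bear no relation to Zmist's real engine.

```python
import random

# Constructed toy sample used by this demo; it stands in for a virus body and
# has no relation to Zmist's real code.
BODY = b"POLY-ENCRYPTED PERMUTATED VIRAL BODY: CHECKMATE?"
SIGNATURE = b"VIRAL BODY"      # what a plain byte-pattern scanner looks for
STUB_MARKER = 0xEB             # toy decryptor-stub marker (assumed, not Zmist's)


def make_sample(seed):
    """Build one toy polymorphic instance: the body is XOR-encrypted with a
    per-instance key and preceded by a 4-byte decryptor stub (marker, key,
    16-bit little-endian length) and a variable-length padding run, so no
    two instances share the same encrypted bytes or the same offsets."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    padding = b"\x90" * rng.randrange(4, 16)
    encrypted = bytes(b ^ key for b in BODY)
    stub = bytes([STUB_MARKER, key]) + len(encrypted).to_bytes(2, "little")
    return padding + stub + encrypted


def signature_scan(data):
    """Fixed byte-signature check: misses, because the body never appears in clear."""
    return SIGNATURE in data


def algorithmic_scan(data):
    """Algorithmic detection: find each candidate decryptor stub, run its
    decryption ourselves, then scan the decrypted output for the signature."""
    for i in range(len(data) - 3):
        if data[i] != STUB_MARKER:
            continue
        key = data[i + 1]
        length = int.from_bytes(data[i + 2:i + 4], "little")
        payload = data[i + 4:i + 4 + length]
        if len(payload) == length and SIGNATURE in bytes(b ^ key for b in payload):
            return True
    return False


def compare(seeds):
    """Return (signature hits, algorithmic hits) over one instance per seed."""
    sig = alg = 0
    for seed in seeds:
        sample = make_sample(seed)
        sig += signature_scan(sample)
        alg += algorithmic_scan(sample)
    return sig, alg


if __name__ == "__main__":
    print(compare(range(20)))  # (0, 20)
```

The byte-pattern scanner scores zero on every instance while the emulating scanner catches all of them; a real engine has to emulate arbitrary decryptor code rather than a fixed stub, which is exactly the cost Szor argues scanners can no longer avoid.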
A comment in the virus code, which clearly throws down the gauntlet to antivirus researchers, reads: "So, poly-encrypted permutated viral body is completely integrated with target file. Hmm ... checkmate?"
Adamant that the virus fighters are not beaten, Szor stated: "It is amazing to see how polymorphic viruses become more and more advanced over the years. Such metamorphic creations will come very close to the concept of a theoretically undetectable virus.
"But for the time being, we are once again one step ahead of the virus writers. Checkmate? Not this time, Zombie."
Szor's white paper on ZombieMist can be found here.