Multi-cavity NOP-infection OS-Independent x86 Virus

Written by Anthony de Almeida Lopes

This presentation will be about a virus/worm framework which takes
advantage of the abundance of NOP-areas produced by modern compilers in
executables.
The virus is bound to the x86 CPU architecture (with the
possibility of porting it to other CISC architectures); however, a
key feature of this infection vector is that the virus is operating
system independent. The majority of my work so far has been done
on GNU/Linux but tests have been run on Windows XP, NetBSD and
FreeBSD. Future targets include Solaris/x86 and Mac OS X/x86. It
should be noted that this is not an ELF or PE/COFF virus: it is
executable format independent.
This presentation will explain, in gory detail, how I implemented
the generation zero NOP-infectors in C and how self-replication is
done in the assembly version. I will describe the algorithms and
data structures involved; and I will talk about the many
challenges in implementing them and how those problems were solved.
I will talk about possible methods of detection, prevention and
what sysadmins might do to protect themselves. I will also talk
about future plans for the virus.
Download: http://www.secure-software-engineering.com/downloads/recon2006/recon2006_Lopes_Multi_Cavity_Infection.tgz