I wrote a paper on dynamic decryption procedures in malicious software which can be found here: http://www.seguritos.org/phpnuke/DESCARGAS/DDP%20in%20Malware-OAHR.pdf
Although the use of these techniques might prevent traditional computer viruses and worms from spreading, they seem particularly useful for targeted attacks using certain types of malware (e.g. trojans and spyware). However, they increase the analysis effort for malware considerably. With the increase of targeted attacks and the development of more complex malware, malware analysts and computer forensic investigators should be prepared to handle these threats (theory on these attacks dates from 1998, so it wouldn't be strange if they are already being employed in the wild).

After discussing this threat with several malware researchers for some time, I've seen different responses. Some malware researchers accept that this might be an issue, while others don't believe it is practical. The purpose of the paper is to show that these techniques are indeed practical and useful for attackers: malware analysts and forensic investigators should always be able to identify the use of cryptography to conceal part of the code, but they can't access the whole code within a reasonable time frame (i.e. know exactly what every part of the malware does) in all cases. More research in this area is therefore essential.

There is a small POC at the end of the paper to show how easy this is to implement, for you to play with (tested with DevC++ and OpenSSL libraries on Windows XP). The chosen key in the example should be easy to brute force, but the idea is to give you a feeling of what it would look like to analyze malware implementing such techniques.

Regards,
Omar Herrera
