Well, there are more complex obfuscation techniques, for example metamorphic and polymorphic malware.
There is an article on SearchSecurity by Margaret Rouse that explains how it works:
Metamorphic and polymorphic malware are two categories of malicious software programs (malware) that have the ability to change their code as they propagate.

Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus software programs to recognize that different iterations are the same malicious program.

In spite of the permanent changes to code, each iteration of metamorphic malware functions the same way. The longer the malware stays in a computer, the more iterations it produces and the more sophisticated the iterations are, making it increasingly hard for antivirus applications to detect, quarantine and disinfect.

Polymorphic malware also makes changes to code to avoid detection. It has two parts, but one part remains the same with each iteration, which makes the malware a little easier to identify.

For example, a polymorphic virus might have a virus decryption routine (VDR) and an encrypted virus program body (EVB). When an infected application launches, the VDR decrypts the encrypted virus body back to its original form so the virus can perform its intended function. Once executed, the virus is re-encrypted and added to another vulnerable host application. Because the virus body is not altered, it provides a kind of complex signature that can be detected by sophisticated antivirus programs.

In another example, a new key might be randomly generated with each copy to change the appearance of the encrypted virus body -- but the virus decryption routine would remain constant. In either scenario, it is the static part of the code that makes it possible for an anti-virus program to identify the presence of malware.

Metamorphic malware is considered to be more difficult to write than polymorphic malware. The author may use multiple transformation techniques, including register renaming, code permutation, code expansion, code shrinking and garbage code insertion. Consequently, advanced techniques such as generic decryption scanning, negative heuristic analysis, emulation and access to virtualization technologies are required for detection.
Now, if you are trying to keep things small, XOR is an excellent way to write your virus. XOR is an instruction your processor understands, so to implement an XOR encoder you only need a few lines of assembly code (if you are writing the virus in assembly), as opposed to large amounts of code when you want to implement either of the techniques cited above.
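A worked illustration of the detection point made in the quoted article (the constant decryption routine and the unchanged body both give a scanner something to match, and a one-byte XOR key leaves only 256 candidates for a generic-decryption check). This is example code added here, not from the answer or the article; `VDR_STUB` and `PLAIN_BODY` are constructed placeholder bytes, not executable code.

```python
from collections import Counter
from typing import Optional

# Constructed placeholder for the constant decryption routine (VDR): an arbitrary
# byte pattern standing in for a decoder stub. It is not executable code.
VDR_STUB = bytes.fromhex("deadbeef0badc0de4242")

# Constructed placeholder for the virus body, which is identical in every copy.
PLAIN_BODY = b"CONSTANT-BODY-PLACEHOLDER:" * 3
BODY_SIGNATURE = b"CONSTANT-BODY-PLACEHOLDER"  # what a scanner would look for


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so one routine encodes and decodes."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Simulate one propagated copy: constant stub + body encrypted under `key`."""
    return VDR_STUB + xor_bytes(PLAIN_BODY, key)


def stub_signature_hit(sample: bytes) -> bool:
    """Signature on the static part: matches regardless of the per-copy key."""
    return VDR_STUB in sample


def plain_body_signature_hit(sample: bytes) -> bool:
    """Signature on the plaintext body: fails once the body is XOR-encrypted."""
    return BODY_SIGNATURE in sample


def recover_key(sample: bytes) -> Optional[int]:
    """Generic-decryption style check: with a one-byte key there are only 256
    candidates, so try each and look for the known body signature."""
    body = sample[len(VDR_STUB):]
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(body, key):
            return key
    return None


def histogram_unchanged(key: int) -> bool:
    """Single-byte XOR only permutes byte values, so the multiset of byte counts
    is unchanged: an entropy check cannot tell the encrypted body from the plain one."""
    plain = sorted(Counter(PLAIN_BODY).values())
    enc = sorted(Counter(xor_bytes(PLAIN_BODY, key)).values())
    return plain == enc
```

Running `recover_key` over several samples built with different keys recovers each key, which is why a constant body behind a one-byte XOR is only a thin disguise against a scanner that emulates or brute-forces the decryption.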