I am not versed in the field. But what the article seems to say is that signature AV detectors are able to be bypassed by storing the malware in the exe image in a form that does not match the signature. So if something simple, like XORing each byte with the character 'x' to encrypt it, fools the AV, then other stuff like compression with a password should too, I would think.
He does note that heuristic detection is another matter, meaning watching the code execute and getting suspicious if it does stuff like rewrite the registry in RAM or whatever.
All this stuff getting us away from doing things in a straight ahead manner is getting depressing. I am convinced that all the stupid password requirements (for online accounts as an example) are designed to get users to lock themselves out of their own accounts. I mean if online banking is being penetrated by dictionary attacks it means they have no security and are letting bots attempt hundreds of logons per second. At least to my way of thinking.
It seems to me like security for the sake of selling more security. In the end your identity is still stolen if someone has your SSN and all the rest is crap. They should just pass a law that malware vendors put a comment in the header "THIS IS MALWARE" so we don't have to keep updating databases every day.
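
The signature-versus-XOR point from the first paragraph of the post above, as an added example that is not part of the original post: a plain signature match misses a single-byte XOR-encoded copy, while a scanner that tries all 256 keys still finds it. The signature, the sample image and all function names are constructed for illustration.

```python
# Added example: constructed data only, no real malware signature.
from typing import Optional, Tuple

# Hypothetical signature, made up for this example.
SIGNATURE = b"CONSTRUCTED-TEST-MARKER-0001"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def naive_scan(image: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Plain signature match: offset of the signature, or None."""
    pos = image.find(signature)
    return pos if pos != -1 else None


def xor_aware_scan(image: bytes,
                   signature: bytes = SIGNATURE) -> Optional[Tuple[int, int]]:
    """Look for the signature under every single-byte XOR key.

    Encoding the short signature with each key and searching for it gives
    the same answer as decoding the whole image 256 times, at lower cost.
    Returns (key, offset) of the first hit, or None.
    """
    for key in range(256):
        pos = image.find(xor_bytes(signature, key))
        if pos != -1:
            return key, pos
    return None


def build_sample(key: int) -> bytes:
    """Constructed stand-in for an exe image: padding around an encoded blob."""
    blob = xor_bytes(b"hdr" + SIGNATURE + b"tail", key)
    return b"\x00" * 16 + blob + b"\xff" * 8


if __name__ == "__main__":
    sample = build_sample(ord("x"))
    print("naive scan:    ", naive_scan(sample))
    print("xor-aware scan:", xor_aware_scan(sample))
```

This only covers single-byte XOR; content compressed with a password cannot be recovered by trying keys like this, which is where the heuristic, behavior-watching detection mentioned in the post comes in.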