'Stealth' Worm Hinders Sandbox Analysis
Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perspective.
I've always heard that it takes a very good programmer to write effective and powerful virus.
They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?
Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.
Now just imagine if someone wanted to actually be malicious with this stuff..
I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
I think we're just lucky these writers don't do more with the holes Microsoft gives them.
Death is the only way out of here!
From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.
Sounds like a script kiddie tried to write a virus, got lucky and is now making a lot of trouble. Maybe this is the virus of the future... write it totally backwards or in a different language and then watch the anti-vir companies squirm.
I like muppets.
Since they claim it requires user intervention, that would make it a virus, since worms are self-propagating.
Of course, given the accuracy I've come to expect from Slashdot summaries, it could be a new version of MS IE...
You are in a maze of twisted little posts, all alike.
Can't they break it down with a hex editor and see what's under the hood?
-- Stu
/. ID under 2,000. I feel old now.
Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection.
Would that make this worm a 'night crawer'?
Badum Ching!
So all you have to do to be safe is make sure you've got a debugger running, and the virus kills itself. I guess that adds new meaning to the term "de-bugger" :-)
"You're right, it's pure genius - they couldn't guess we'd do that, because only a frickin' idiot would do that!" - paraphrased from (approximately) 3.14 million movies.
Maybe this will teach them how to teach outside the (sand)box! Maybe they can harness their synergy with this new paradigm shift into sandbox free thinking.
:)
Ahh, it's 1999 all over again
StickMan
www.rageagainst.net
Just what we wanted - buggy bugs, erm, viruses!
You know something's wrong with the world, when the malicious software itself is flawed..
http://efil.blogspot.com/
One or the other... devious or sloppy... but surely not both.
/tinfoil on
/tinfoil off
Maybe it's just a sign that malware is evolving along the same rules as organic life: accidental errors get selected for survival value and passed along to following generations.
Malware that detects and disables attempts to reverse engineer it... ?
Or perhaps we can read the anti-virus researcher's comments in a totally different light:
"Most viruses [which we develop ourselves to stimulate sale of our products and services] have a function to let us easily identify and sandbox them. In this example, the function is broken. So sloppy it's devious [and perhaps intended as a warning that we're not paying our freelance coders enough]."
Nah.
Sig for sale or rent. One previous user. Inquire within.
Then it's not a worm.
"Ask not what your country can do for you." --John F. Kennedy
One possible method I would probably use (off the top of my head) is to find out the time elapsed between executing two instructions - the time would be fairly high if the code were being single-stepped.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I'm not familiar with how AV software innards work, but if the virus exit()s if it detects itself running in a debugging environment, wouldn't AV software make the virus moot?
I mean, it still resides on your machine, but it refuses to run.
"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"
is another worm that I'll never see on my Windows box!
"This piece of code is so sloppy, it's devious," said Mircea Ciubotariu
If it's intentional, it's not sloppy...
If it's not intentional, it's not devious...
--
This sig is inoffensive.
C'mon, *her* code? Isn't that a bit gratuitous? I mean, we're talking about code here, not a delicious turkey dinner.
1) Contains a "bug", well let's just call it a "feature". 2) Sloppy code, but Hey! it works. Sort of. 3) Run on Windows only. Sounds like every piece of commercial software sold by Microsoft to me.
If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.
Damaging the computer itself is too easy to catch and causes people to take it seriously.
Changing data has more implications for CORPORATIONS and would take longer to detect.
The formal definition changes depending on who you ask, but in this case, the key attribute that defines this as a worm instead of a virus is that viruses embed themselves in other programs. This program doesn't infect other programs, it just runs as a separate program placed in your Windows\system directory.
This piece of code is so sloppy, it's devious
It shouldn't be hard to find the author, he obviously works at Microsoft.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
It isn't that complicated to find the part of the code that causes a break in execution (end-point). So when it detects the debugger and breaks execution couldn't you reverse engineer it from that point and maybe write a mod (like a game crack) to avoid the debugger detection?
This would allow the rest of the program to work as normal just without the self-defence code.
My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.
Because hey no coder legit or illicit wants to be thought of as a sloppy coder.
I am Bennett Haselton! I am Bennett Haselton!
The code is so bad that they can't read it, so it's insecurity through obscurity?
This content author has vilified every artist who has ever had their work reverse engineered.
This is a great day for copyright, authors, and those downtrodden by IP terrorists!
Hopefully this clears up the "Is it sloppy or is it devious?" posts. It is both.
Number 1 (from the article):
Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers.
So that part is intentional.
A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox". A sandbox is a virtual environment commonly used by AV researchers to look at the behaviour of malware in a safe environment.
So what I think they are saying is that even with its ability to detect if it's being run in debug mode they would still normally be able to run it in a sandbox. Unfortunately (for the AV companies) there's the second thing. The seemingly unintentional bug that prevents it from working in a virtual environment.
Found embedded in the virus code... 56 42 56 63 72 69 70 74 20 72 6f 58 6f 72 7a 21
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
BAM! Take that!
cuzality..... 1
goldspider....0
IsDebuggerPresent
The IsDebuggerPresent function indicates whether the calling process is running under the context of a debugger.
This function is exported from KERNEL32.DLL.
BOOL IsDebuggerPresent(VOID)
Parameters
This function has no parameters.
Return Value
If the current process is running in the context of a debugger, the return value is nonzero. If the current process is not running in the context of a debugger, the return value is zero.
Remarks
This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior. For example, an application could provide additional information using the OutputDebugString function if it is being debugged.
No sharp objects, I'm a programmer!
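An added illustration (not code from the thread, the worm, or any AV product) of what a "debugger present?" check actually observes, which is the artifact a sandbox would have to hide: on Windows the documented KERNEL32 export IsDebuggerPresent() quoted above, and on Linux the TracerPid field of /proc/self/status, which is nonzero while another process holds a ptrace attachment. It assumes a Linux procfs for the non-Windows path; the /proc status text in main() is a constructed sample.

```c
/* Added example: what a debugger-presence check reads, on Windows and Linux.
 * Not the worm's code and not any AV vendor's code; written for illustration.
 *   - Windows: the documented KERNEL32 export IsDebuggerPresent().
 *   - Linux:   TracerPid in /proc/self/status (assumes procfs is mounted);
 *              nonzero while a tracer holds the single ptrace attachment.
 * The parser is kept separate from the live check so it can be exercised
 * on constructed input without attaching a real debugger. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Parse the TracerPid value out of /proc/<pid>/status text.
 * Returns the tracer's pid, 0 when untraced, -1 when the field is absent. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            /* strtol skips the tab/spaces that follow the colon */
            return strtol(line + 10, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Read /proc/self/status into buf; returns bytes read or -1 if unavailable. */
static long read_self_status(char *buf, size_t cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Platform check: 1 if a debugger/tracer is attached, 0 otherwise. */
int being_debugged(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    if (read_self_status(buf, sizeof buf) < 0) return 0; /* no procfs: assume not */
    return parse_tracer_pid(buf) > 0 ? 1 : 0;
#endif
}

int main(void)
{
    /* Constructed samples of the relevant /proc/self/status lines. */
    const char *traced =
        "Name:\tsample\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";
    const char *untraced =
        "Name:\tsample\nState:\tR (running)\nTracerPid:\t0\nUid:\t1000\n";
    printf("constructed traced sample   -> tracer pid %ld\n", parse_tracer_pid(traced));
    printf("constructed untraced sample -> tracer pid %ld\n", parse_tracer_pid(untraced));
    printf("this process: %s\n", being_debugged() ? "debugger attached" : "no debugger");
    return 0;
}
```

Seeing the check spelled out makes the analyst's options in this thread concrete: either the observable is hidden by the sandbox, or the check's result is overridden before the program acts on it.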
Isn't a "stealth worm" that requires "user intervention" a paradox?
Gentoo Linux - another day, another USE flag.
I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.
I'd think this would give them greater granularity and more control over the entire environment than trying to just run it in a standard debugger.
This reminds me of the whole New Coke thing years ago. Was it pure genius that Coke managed to sap Pepsi sales with the sweeter more Pepsi-like New Coke while hanging on to loyal customers with the reintroduced Coca-Cola Classic, or was it a colossal blunder that they were just lucky enough to escape and still get ahead? Who knows? Unless the virus writer is caught, we may never know. Right now, I guess he or she is saying, "Yeah, I meant to do that!"
In any case, I guess when it comes to virus writing sloppy coding pays off. And perhaps sloppy != stupid, unless of course you get caught! I suppose the next trick is for someone to release a code obfuscator that produces sloppy looking code.
To the making of books there is no end, so let's get started
you know you've gone insane when..
you try to think up a random number and the first thing you think of is pi.
Hey... If they reverse engineer this thing, won't they be violating the DMCA? I say the virus writer should sue all the anti-virus companies.
;-)
By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti virus software is also violating the DMCA, I say fire off a few hundred law suits and see what happens.
(Maybe with thinking like this RIAA will hire me.)
That using softice to make isdebuggerpresent() return false was sooooooo hard.
Uh huh, that's what it was, sloppy coding that leads to one's new virus being very difficult to analyze and fight...
It was a joke! When you give me that look it was a joke.
I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.
I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?
In fact, if it is so difficult for antivirus companies to debug this, then why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?
A viruswriter should add an EULA to his/her virus.
- You may execute this virus 'as is'.
- We accept no claims of any kind of any or all damage done by this piece of software.
- You are responsible for the consequences of executing this software.
- You are NOT allowed to disassemble the code (DMCA).
- etc, etc..
Privacy is terrorism.
>>What's the opposite of PRO....CON. What's the opposite of PROgress...?
;-)
errr...CONventions?
I'm kidding, everyone knows it's congress.
So rise up, all ye lost ones, as one, we'll claw the clouds.
So, will Secunia add this to Windows or mysteriously add 2 more to Linux, Apple, et al?
--
This sig is inoffensive.
A NYC lawyer blogs. http://www.chuangblog.com/
That would require the anti-virus companies do something more than sit around and find viruses and write signatures that match.
The Symantec's and McAfee's of the world have got a nice symbiotic relationship with virus writers. Why would you interrupt cash flow to try to essentially "escalate the tech war"?
Think about it. I think it's the dirty secret of all the anti-virus companies. I think they all suck, as do their products.
--Tom
AV Guy: Man you are really sloppy! Virus Writer: Sloppy like a fox!
SIGFAULT
We call those heisenbugs and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.
"I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"
Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...
I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
So what prevents the AV to hack KERNEL32.DLL and make IsDebuggerPresent return FALSE?
On UNIX, you can attach one debugger at a time. I guess that this is also true for Windows. The virus may try to debug itself - to detect/prevent others from debugging it. And even this technique will not "save" the virus from inspection.
You're right.
This program doesn't infect other programs, it just runs as a separate program placed in your Windows\system directory.
Wouldn't that qualify it as a "Trojan Horse" then? Generally a Trojan Horse is a program that tricks the user into running it by appearing as something it is not (hence the double extension trick). Of course the classic Trojan Horse appears to be one thing (like a weather program, or a clock synchronizer) but while it does that thing it secretly does something else, like install keyloggers, adware, etc.
Admittedly, the AV makers have been trying to pollute the definitions, calling these e-mail Trojans "worms" in a PC attempt to avoid assigning blame to the users, but I've always felt these three definitions to be pretty clear and well defined.
You are in a maze of twisted little posts, all alike.
The virus writers DO NOT WANT their worms to be destructive to the host IN ANY WAY.
If the worm did randomly corrupt the spreadsheet, the user will eventually clue in to the fact that his PC is infected, and will take steps to clean it up.
What these guys want is a silent infection. They want your computer to stay infected forever, so that they may continue to use it forever. Thus, ANY effect of the worm that is negative to the computer owner is to be avoided (the worms that cause instability do so because they are poorly written, not by design).
Yes, if a worm writer wanted to be destructive to as many hosts as possible, then he would write his worm to silently infect as many hosts as possible until some trigger event, then wipe the hosts out.
But were he to do so, then he would not be able to resell the services of the infected machines to spammers and make money.
www.eFax.com are spammers
Code like this seems to call for a new class of debugger. How hard would it be to write a "debugger" that functions as a state monitor of a virtual machine? The virtual machine could even do things like maintain the appearance of real time even if it is being single stepped. I suppose the debugger could even have "personalities". Basically, you'd need the ability to tie into arbitrary APIs and ABIs on the OS that is running in the debugger. This means the debugger would have to know quite a bit about the structure of the OS it's hosting.
I suspect this sort of thing would be easier to do for FOSS OSes than Windows. But even on Windows, all sorts of known entry points and returns could be monitored. This could be a case where things like Palladium reduce security. A piece of malware would otherwise have no way of detecting it isn't running on a real machine. Palladium or NGSCB or whatever they're calling it this week of course includes measures to detect and frustrate virtual machine attacks.
There is still a way to blame microsoft for this!!! I was getting a little worried there.
Authorized Researcher Only.
Attachment: result.zip
You tend to do this kind of thing for debugging embedded realtime processors.
See my journal, I write things there
Someone, anyone, clue me in to what's going on.
[Fuck Beta]
o0t!
and the great debates over virii and viruses. Usually viruses as applied to the cyber world.
So, why do we still use "worm"? It is not latiny scientific-geeky enough. We should be saying "vermis" singular and "vermi" plural, well, I think so anyway...
Viruses which could detect that they are being run in a debugger were common 10 years ago when I used to work for an anti-virus company. For example, One-Half is such a virus.
A worst-case scenario involving viruses would be if a virus writer were able to get his (always guys here doing this stuff) code into the compilers for embedded systems. Then the virus could lie undetected in the millions of unnoticed systems in hospitals, air traffic controls, automobiles, traffic lights, etc... until activated by an external event or date. The effect for the West would be like Klaatu's shutting down the electricity worldwide for a minute in "The Day the Earth Stood Still" (1951, Robert Wise, director).
The embedded microcontrollers have had the same price/performance gains as desktop/office PCs and now many have firmware systems that are too big to monitor on the assembly language level. Even 32K has lots of room to hold a nasty little bug undetected.
The companies that write compilers for embedded systems are often very small. I'm not sure as to the extent that they realize the amount of damage that could be done by a virus in embedded systems firmware spread over millions of units. I'm sure that they're super professional, though. However, as the firmware development gets outsourced to the third world, this becomes an excellent undetectable opportunity to invoke major havoc.
On the same note, I would assume that all of the high tech military equipment that the USA has been selling to its allies over the past twenty years has trojans in the firmware that will render the equipment inoperable should the 'allies' try to use it against US forces. I mean, that just makes sense, doesn't it?
Anyone mention that a sandbox is a bit like the Matrix? In a way a sandbox is to a virus what the Matrix is to Neo. How can Neo find out he's inside the Matrix? There are hardly any symptoms, apart from some glitches maybe. If virus writers adopt this strategy to check for sandboxes (and they will) it is for AV companies to act on that. So AV companies have to be creative as well as virus writers have to be....
Point being, if sandboxes are essential to AV companies they will have to adjust their sandboxes or else abandon the concept. What kind of adjustments could one make:
1. prevent detection of the sandbox
2. prevent "exiting" by the virus from the sandbox
Ad 1. One way to prevent detection could be to add a virtual layer by creating a virtual OS inside a sandbox so as to camouflage the fact that the virus is being executed inside a sandbox (the Matrix inside the Matrix). Else abandon the sandbox concept and create an alternative. For instance... one could imagine creating a virus with a monitoring function so as to find out malware and analyse it? (Somewhat like "agents" in the Matrix.)
-- Just being philosophical. --
It's amusing when the First Post gets modded redundant.
Yeah, this is definitely a trojan. A trojan doesn't necessarily need to be a part of a program, it can be pretty much anything (like an email) doing something not expected. A virus should be a program which actually INFECTS files - not just makes files up, but modifies existing files (or disks) to propagate itself. A worm is something that basically spreads itself through a network.
So really it's been probably years since we've really seen a virus outbreak. The problem is that you hand these terms to the media and they swirl them around since they really have no idea what they're really talking about. For the most part, it seems like AV companies have been keeping their terms straight, but nowadays you have online articles which incorrectly quote what the AV companies said it was.
A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"
Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.
It's just a bit more work. Copy protections have been doing this forever. Well, debuggers get better, but even more, it's not a problem for a skilled assembly hacker. The code exits? Ok, find where it exited, and change it so it doesn't do so. Continue debugging until it happens again, then patch around that, etc.
More work, but nothing that can't be easily overcome. Also, I'm not sure if you can detect the kernel debugger easily. Windows has a kernel debugger where you run one system in KD mode, and hook it to another system that actually runs the debugger. I'm not sure if Windows sets a flag to indicate the KD is running or not, and if it doesn't, it would be hard to detect.
Highly damaging viruses don't spread far.
Unless the damage is delayed and/or random.
Big counterexample is AIDS:
- Attacks the immune (i.e. antivirus) system directly.
- Goes dormant until the infected cell is activated for other purposes.
- Mutates "rapidly" for a virus (though slowly on reproductive cycle time scales), resulting in multiple strains from a single infection after a few years.
- Infects slowly enough that it doesn't create a tight cluster of infected individuals.
This enables it to spread widely before the occasional activation of the immune system cells carrying it expand its infection in an exponential cascade taking out the doomed host.
Birthday viruses / easter eggs are a simple mechanism to allow wide spread of computer viruses before they take out their hosts - and the hosts that are down at that time provide a reinfection reservoir. But it's primitive compared to AIDS.
A highly damaging virus could be made which makes random choices on when to utterly trash its host.
They aim for control, not damage. It's about money, not vandalism.
Unfortunately, while there are several criminal enterprises spreading worms/trojans/viruses whose intent is to create DDoS zombies, spam remailers, or keylogger/filters looking for bank account access or other sensitive information, there are still plenty of virus authors chasing other things - including those who will vandalize machines for the fun of it.
And there are power groups with significant membership whose agendas would be advanced by taking out as much as possible of the IT infrastructure of the world - the more widespread and more lasting the damage, the better for their purposes. A family of worms with AIDS-like properties would serve their interests nicely.
Finally - while diseases evolve to be relatively benign, they do so randomly (and designed programs often don't do quite what was intended, especially on first release). Sometimes you get one that strikes a balance between spread and damage that results in a massive, widespread dieoff among the host population before the combined evolution of the disease and hosts contain its remnants. Classic example: Bubonic Plague.
So let's not be lulled by analogies to the common cold and childhood diseases. They're the result of a lot of death and misery before the diseases found a stable niche. And while computer viruses share much of the math of disease spread they are designed, not evolved, and can easily have properties rarely seen in nature.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
In Canada, anything you write or build is automatically copyrighted. That includes the form and the content.
I don't know about the US.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
This could be a pain if it evolves further - and the virus writers figure out ways of exploiting the debuggers that are running. I'm not aware of any exploits for any debuggers - so that's good at least!
For the worms which will detect and disable AV software....
What will the Windows community do when a virus disables the AV software and prevents it from loading?
The society for a thought-free internet welcomes you.
... it's a feature ;)
Hmm, scan word docs looking for legalese adding and removing the word "not" at appropriate points.
should/will/must should/will/must not
Fairly simple but that alone could cause some interesting effects on contracts etc. I'm sure there are other simple and more effective ways of changing the meaning of sentences which would require the re-reading of them by the authors to guarantee that the meaning is correct.
Government of the people, by corporate executives, for corporate profits.
I've encountered a couple of worms and viruses that do just that.
It's great because it makes me a lot of money, charging for their removal.
And, isn't a better virus not a standalone .exe, but a patch that patches some critical file like win.exe or rundll32.exe or something? That way it is almost impossible to get rid of, since the user would have to find the original file and copy it over, which would be made more difficult by the virus some way. Coupled with the changing-excel-values payload, that could be an extremely deadly virus that is very difficult to get rid of...
95% of all computer errors occur between chair and keyboard (TM)
You're new here aren't you? That is the standard for M$FT apologism here on Slashdot. Wait till you see some posts by Linux advocates!
I found a new variant a couple of months ago. A bug that only occurs when I try looking for it. I found it while debugging something else, but tracing it through was causing the target machine to lock up completely every time on the most innocent of instructions. Run the code freely, and it would be fine. The odds are it was just the debugging process was messing with some critical timing of something in the hardware. As to what exactly, shall remain a mandelbug, but it was certainly a brainache at the time.
I was about to disagree with the thinking, but if I'm in charge of Symantec's AV division, I'm charged with maximizing cash flow.
The way you maximize cash flow is to get more subscribers, not come up with an ultimate virus protection.
If you come up with the ultimate protection, you sell it once. If you sell subscriptions based on the status quo, then figure it out.
That's not tin-hat thinking, that's how business is run. Its all about maximizing revenue, baby.
Most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person calls tech support for other problems either. The key is being quiet and unintrusive right up till the end, then you lay waste to the computer.
Frankly, I'm with the first poster. A good ol' fashioned hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everything on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Remember the old days of self modifying assembly code?
(ie:
instruction purpose
1-20 alter instruction 21-40
21-40 alter instruction 1-20, jump to 1
1-20 do something
21-40 alter 50-70 and 1-20
50-70 do something, jump to 1-20)
All alteration naturally is done in the most tricky of ways.
Ah, those were the days.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
I am curious if there are such things as viruses attacking specifically firewall and anti-virus apps. Anti-virus apps rely on viral signatures to detect them. But if one releases a new virus that slips past an anti-virus app and prevents it from working properly in the future or modifies firewall apps, a second (and third, fourth, ... ) virus may get in easily undetected.
Can anyone familiar with virus writing explain if it's possible or not (and why)?
Don't they realize their job is to produce easily counterable products that keep AV software writers in business? You might think they actually wanted their viruses to succeed or something....
The 1 000 000 monkey 'theory' could be true if you refer to 'perfect virus' instead of Shakespeare.
1. Bob makes virus 'A 1.0' based on exploit 'A' releases its source. No payload of true significance.
2. Paul makes virus 'B 1.0' releases its source. This virus is of course based on exploit 'B'. No payload.
3. Saul takes A 1.0, adds B 1.0 + new 'BUG' and as a bonus includes code to wipe hdd within a short period.
You compile/build the blueprint to get the exe/car. This is more like a parts list, or the remains of the car after being squashed. Or perhaps analogies just don't work when taken too far :)
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Make sure to strip the referrer if you think you want to check this out - please, don't feed the spammers ;)
Please remember that SoftICE comes from the name of an In-Circuit Emulator which I mentioned in my other post. A good one will decode the instruction stream and allow you to put watch points anywhere in memory. The operation of a true ICE is totally transparent to software. SoftICE is just a software approximation, but you could do something similar with a complete software emulator such as Bochs which models the processor as software.
See my journal, I write things there
This raises an excellent point: don't the AV companies daily violate the DMCA by reverse engineering virus code? If not, how long until somebody puts some kind of copy protection system into a virus and then sues all the AV companies? (I know, copy protection in a virus would be a bit odd, but hey...)
I'm not saying that stupid things never happen in law (hell no I'm not saying that) but you are committing a fallacy here. Law is not applied in a mechanistic fashion, like a computer program. Human intervention is present at many points (police, prosecutor, judge, jury) and usually prevents absurd scenarios like a law designed to prevent circumvention of computer security being used against those examining viruses.
Never ascribe to genius that which can be simply explained as an act of stupidity.
It would seem that making a virus hard to debug/analyze would be the hallmark of a well-written virus, not a poorly made one.
I realize that 'easy to execute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.
autopr0n is like, down and stuff.
See, this is what I've been trying to tell my boss: I'm not writing sloppy code, I'm trying to prevent people from reverse engineering our product!
We visionaries are always persecuted.
- First they ignore you, then they laugh at you, then ???, then profit.
...if you ran your virus inside a virtual machine (like VirtualPC), and stepped the machine through cycles to see what it does.
In other news, VMWare announces new partnership with Norton...
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Using a signal that would put the viruses into kill mode would let them spread until it was time to take down all infected machines at once. In kill mode, the virus would broadcast the kill signal to other infected hosts, and then cause havoc/destruction on its host.
In order to get around firewalls, the virus would have to hijack a common means of communication like email. It would not want to monitor any ports as virus researchers would be able to detect it and the incoming connections would likely be blocked by firewalls, and it wouldn't want to depend on opening any outgoing connections once in kill mode because this would likely be blocked by firewalls.
Using detectable means to spread in the first place is one thing, but keeping the kill signal functionality secret until after it was too late would be paramount for this scheme.
It might pick one or more popular email clients to hijack, monitoring incoming email messages as they are received or opened for a 'kill message'. A kill message might consist of a random number inserted into the message with certain properties like being divisible by 2243243243323243242342343243243254325215 with a remainder of 2822. The number might be segmented into chunks separated by spaces so that no chunk was so long as to arouse suspicion. The number could be base 26 with the letters a-z serving as digits. That way, when properly broken up into eye-pleasing random-length 'words', the 'number-phrase' would be impossible to detect and filter using regular expressions. The number-phrase could be added to the first line of a random message in the infected person's inbox and forwarded (or resent) to random people that person knows via email. This would destroy the privacy of that person by sending their inbox messages, and propagate the kill signal in a way that cannot be detected and filtered.
If, after receiving a kill signal, the virus waited a random amount of time up to a few hours, then you could choose the properties of a kill signal number to be able to set off the cascade by sending an infected person an innocuous message with the phrase in it.
Suppose your phrase was: "My fortune cookie had one six twelve sixteen twenty two and thirty eight listed as lucky numbers." Concatenate the letters from a-z in that phrase, and you have a base twenty six number that isn't likely to appear in any other email message in the whole world ever. (Lotto numbers may be suspicious. Steganography is an art.) Let the messages be monitored in all locations for a fixed length kill phrase, with non a-z characters ignored, and you could put your phrase anywhere, say: Hey what's [up C00lguy77? SpikeyHamster29 was tal]king shit the other day about some stuff. This becomes: "uplguypikeyamsterwastal". That looks fairly unlikely to appear anywhere ever.
Take the remainder of "uplguypikeyamsterwastal" modulo "longpassword" and have your viruses require and generate random kill signals based on that criterion. Most likely the guy who gets the first kill signal will send their broadcast and then start receiving kill signals soon enough. It is always possible that it could be proven to have originated from that email, but if it was sent from a brand new hotmail account using a computer in a college computer lab while wearing a disguise through an anonymous remailer with a high minimum retention value to ensure that any video tapes from any cameras that had been taping the lab unbeknownst to the virus author had been written over by the time the message was sent. To a relay set up not to log anything running on stolen hardware that was slyly plugged into a forgotten network jack somewhere months ago by a guy dressed as a woman wearing a veil and which has been waiting for this moment ever since...
Of course nobody should ever write or release a virus.
Eat at Joe's.
Gee... a virus that does things differently when in a debugger or emulator? Sounds an awful lot like a certain version of TurboTax about 2 years back... Do we have a prime suspect yet?
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Too much flash. Why go for Ebola when Mad Cow would be much more deadly and likely to be mistaken for Alzheimer's.
That's the problem with viruses these days, too much flash. Either it saturates a network spreading itself, or it quickly kills the host. Either way it brings way too much attention to itself to be truly scary.
How's this for a thought experiment:
Write a small, stealthy piece of code that would randomly change a single digit in a single number found in a random Word or Excel etc. file by some small random amount once a day. It propagates by attaching portions of itself to no more than 1 email message/irc chat/telnet/ftp/video conference or other communication application a day. Until all of the pieces are present in memory, all the code does is attach itself to some systems process and look for the rest of itself. When all of it has been received it adds itself to some innocuous systems level process and begins changing values and slowly sending itself out around the world.
So what good would that do? Well, it doesn't draw attention to itself, neither in its mode of operation nor the way it spreads itself. Therefore while it would propagate slowly, no one would ever be looking for it. Its payload could cause great amounts of harm without ever giving the user any reason to think that his computer might be infected. What happens if it's on a pharmacy/hospital computer and it changes the dose of a prescription? Most pharmacies these days use numbers as a prescription ID. 20034978 might be a beneficial prescription while 20034879 could be deadly. We lost a Mars probe because someone didn't convert between feet and meters correctly. What if they did and a virus like this deftly changed it behind their back? A million widgets at $1.24 each is a lot different than a million widgets at $1.98. Building a bridge with a support beam that's 84.539 meters long isn't the same as one of 84.639 meters. You see where this is going, don't you. Taken by themselves they look like simple user errors.
The computer, or user, is diagnosed with Alzheimer's when it's actually infected with Creutzfeldt-Jakob. Machines get rebuilt, people lose money, or get killed, and no one ever suspects that a very stealthy virus is the root cause of it all.
That my friends is what I would call truly scary.
someone247356
Just my $0.02 (Canadian, before taxes)
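The defender's answer to the silent-digit-flip scenario in the post above is integrity monitoring: keep a cryptographic baseline of documents and diff against it, rather than trusting size or modification time. The following is an added example, not code from the thread or from any product it mentions; the `orders.csv` file and its one-digit corruption are constructed inline to show why a content hash is needed (a same-length edit with a restored timestamp is invisible to size and mtime checks).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large documents do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and nanosecond mtime for every file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a stored baseline by content hash."""
    current = build_baseline(root)
    modified = [k for k in baseline
                if k in current and current[k]["sha256"] != baseline[k]["sha256"]]
    added = [k for k in current if k not in baseline]
    removed = [k for k in baseline if k not in current]
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: one digit in a spreadsheet-style file changes,
    length and timestamp are preserved, and only the hash comparison notices."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        doc = root / "orders.csv"  # constructed sample document
        doc.write_text("item,quantity,unit_price\nwidget,1000000,1.24\n")
        baseline = build_baseline(root)

        # Simulate the silent corruption: same byte length, mtime restored.
        st = doc.stat()
        doc.write_text("item,quantity,unit_price\nwidget,1000000,1.28\n")
        os.utime(doc, ns=(st.st_atime_ns, st.st_mtime_ns))

        after = doc.stat()
        return {
            "report": compare(root, baseline),
            "size_changed": after.st_size != baseline["orders.csv"]["size"],
            "mtime_changed": after.st_mtime_ns != baseline["orders.csv"]["mtime_ns"],
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must live somewhere the monitored host cannot rewrite (a read-only store or a separate system), otherwise the same code that edits the document can re-hash it into the baseline.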
Y sues Z for trade secrets, copyright infringement, violation of license, etc.
"By letting this virus infect your machine, you agree to the terms and conditions of the license. Even though we didn't ask you first."
Hmm... I'd like to see Y prove that anyone broke a license that they reasonably had a chance to accept/reject.
Not that this would ever happen in real life, obviously. The question is; could it? Answer- not in this situation!
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
So all I need is a debugger running to defeat this program? :\
But we have this, it's called Microsoft! You mean you don't have documented cases where Word or Excel crashes, and the file you open up again isn't quite the same as it was before? Or after converting a file between versions?
There was a pseudo-virus for the Amiga that did a very similar thing as your proposal. Now while lots of the code exploits were to do pretty graphic effects, (BTW where have all the characters-falling-off-the-screen exploits gone? Viruses used to be a method of showcasing crack skills. I'd like to see a return to viruses doing what Hollywood promised us viruses would do... pretty graphics, I demand pretty graphics!).
As I recall the nastiest in terms of not being able to detect the thing, was the one that every 20 seconds or so (it varied each time) would randomly change letters you were typing.
It was so subtle in effect, that you assumed it was your poor typing for ages till the penny dropped.
Nothing worse for giving you those nagging paranoid self-doubts than reading back something you could have sworn you typed well, full of typos!
Seeing as the new breed of virus writers are now working for profit, organised crime, spammers, pc for hire etc. the scary part of your virus attack method, is that it has a very good motive attached to it...
Extortion... pay up or we will disclose your systems have been infected!
Think about most of the big companies that you know, and think about how many of them would try and keep their infection as quiet as possible, and take the losses silently, rather than have their competitors, clients etc. know that their data was corrupt.
Definitely worth a bundle of notes to "big Dave" not to have their stock go through the floor.
Of course the tin-foil crowd will have already spotted that this would be exactly the sort of virus you would never hear about... which of course means it's already out there!
That's one hell of an idea. I hope the author of Atak doesn't read slashdot. heh.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
Atak vs. SpamByte: Game Over Spammers/Crackers
OK, at the risk of being the smart ass of the week...
"Mach 10" means the velocity of sound (a) times 10 under well-defined conditions. a in gases depends on the density (rho), temperature (T), isentropic exponent (kappa) and the pressure (p) of the medium, air in this case. a=sqrt(kappa*R*T), with R being the specific gas constant for air, or a=sqrt(kappa*p/rho).
Where a ("Ma 1") at sea level in standard atmosphere equates to 340 m/s, it decreases to 295 m/s at 20 km altitude. Still kinda fast.
Was anyone else expecting him to sign this "someone243756"?
I hadn't heard of valgrind, so I looked it up. Unfortunately, this isn't an x86 architecture, nor is it running Linux. The target machine has a multitude of sub-processors that mostly communicate via DMA. Odds are that the debugger was halting the main CPU at a critical point, starving something of the data it needed, and locking part of the system.