Slashdot Mirror


'Stealth' Worm Hinders Sandbox Analysis

Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perspective.


  1. Re:Okay...? by ePhil_One · · Score: 3, Funny
    Worm or Virus?

    Since they claim it requires user intervention, that would make it a virus, since worms are self-propagating.

    Of course, given the accuracy I've come to expect from Slashdot summaries, it could be a new version of MS IE...

    --
    You are in a maze of twisted little posts, all alike.
  2. Interesting Concept by pHatidic · · Score: 3, Funny

    Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection.

    Would that make this worm a 'night crawler'?

    Badum Ching!

  3. Easy way to be safe by tomhudson · · Score: 4, Funny

    So all you have to do to be safe is make sure you've got a debugger running, and the virus kills itself. I guess that adds new meaning to the term "de-bugger" :-)

  4. The 2nd oldest trick in the book by magefile · · Score: 4, Funny

    "You're right, it's pure genius - they couldn't guess we'd do that, because only a frickin' idiot would do that!" - paraphrased from (approximately) 3.14 million movies.

  5. Makes for better AV companies by StickMang · · Score: 5, Funny

    Maybe this will teach them how to teach outside the (sand)box! Maybe they can harness their synergy with this new paradigm shift into sandbox free thinking.

    Ahh, it's 1999 all over again :)

    1. Re:Makes for better AV companies by DA-MAN · · Score: 5, Funny

      Score: +5 Buzzwords!

      --
      Can I get an eye poke?
      Dog House Forum
  6. geez! by manavendra · · Score: 2, Funny

    Just what we wanted - buggy bugs, erm, viruses!

    You know something's wrong with the world, when the malicious software itself is flawed..

    --
    http://efil.blogspot.com/
  7. Re:Script kiddies becoming worse? by irokitt · · Score: 4, Funny
    Sounds like a strip kiddy tried to write a virus

    Strippers writing viruses? Sounds like a Fox special. And, being your typical Slashdotter without a girlfriend, I have to ask, do you have pictures?

    /grammar nazi
    --
    If my answers frighten you, stop asking scary questions.
  8. Re:Okay...? by perly-king-69 · · Score: 1, Funny
    Of course, given the accuracy I've come to expect from Slashdot summaries, it could be a new version of MS IE...

    ...or a dupe.

    --
    This sig is inoffensive.

  9. "HER" code? by md358 · · Score: 4, Funny

    C'mon, *her* code? Isn't that a bit gratuitous? I mean, we're talking about code here, not a delicious turkey dinner.

  10. Sound familiar? by captnjameskirk · · Score: 5, Funny

    1) Contains a "bug", well let's just call it a "feature". 2) Sloppy code, but Hey! it works. Sort of. 3) Run on Windows only. Sounds like every piece of commercial software sold by Microsoft to me.

  11. Elementary, my dear Watson... by bfg9000 · · Score: 5, Funny

    This piece of code is so sloppy, it's devious

    It shouldn't be hard to find the author, he obviously works at Microsoft.

    --

    I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

  12. obscurity by double_ooh · · Score: 5, Funny

    The code is so bad that they can't read it, so it's insecurity through obscurity?

  13. Re:Hex it? by vasqzr · · Score: 1, Funny


    Can't they break it down with a hex editor and see what's under the hood?

    You've watched Hackers way too many times.

    Dade: This isn't a virus. It's a worm!

  14. Finally! by teamhasnoi · · Score: 5, Funny
    Those DMCA violating virus 'terrorists' will be prevented from infringing the copyrights of the poor, disadvantaged virus writers.

    This content author has vilified every artist who has ever had their work reverse engineered.

    This is a great day for copyright, authors, and those downtrodden by IP terrorists!

  15. Hex Value Analysis by john.mull · · Score: 2, Funny

    Found embedded in the virus code... 56 42 56 63 72 69 70 74 20 72 6f 58 6f 72 7a 21

    --
    Isaiah 43:19 (NCV)
    Look at the new thing I am going to do. It is already happening. Don't you see it?
  16. Stealth Worm??? by pandrijeczko · · Score: 4, Funny

    Isn't a "stealth worm" that requires "user intervention" a paradox?

    --
    Gentoo Linux - another day, another USE flag.
  17. Re:Strange by Homology · · Score: 2, Funny
    I've always heard that it takes a very good programmer to write effective and powerful virus.

    Not on Microsoft Windows, it seems. From the article it's even better if the virus writer is sloppy.

  18. EULA by Fuzzums · · Score: 5, Funny

    A virus writer should add an EULA to his/her virus.

    - You may execute this virus 'as is'.

    - We accept no claims of any kind of any or all damage done by this piece of software.

    - You are responsible for the consequences of executing this software.

    - You are NOT allowed to disassemble the code (DMCA).

    - etc, etc..

    --
    Privacy is terrorism.
  19. Re:Okay...? by darkmeridian · · Score: 3, Funny
    Of course, given the accuracy I've come to expect from Slashdot summaries, it could be a new version of MS IE...

    ...or a dupe.


    --
    This sig is inoffensive.
    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  20. Re:Strange by ObsessiveMathsFreak · · Score: 3, Funny

    Clearly sir, you have never heard of VBA.

    Empowering amateurs with sysadmin capabilities since 1993!
    Where would you like script kiddies to joyride your computer to today?

    --
    May the Maths Be with you!
  21. Simpson's adaptation by dfj225 · · Score: 3, Funny

    AV Guy: Man you are really sloppy!

    Virus Writer: Sloppy like a fox!

    --
    SIGFAULT
  22. Re:Strange by Anonymous Coward · · Score: 1, Funny

    I can't tell, are you being sarcastic?

    The creator of the Melissa virus left his email address in a comment. What sort of very good programmer uses comments?!?

  23. Re:Clarification, there are 2 issues by mikael · · Score: 4, Funny

    The Good news: The virus writer has released a patch that fixes these two bugs

    The Bad news: You can't download these patches, you have to wait for them to self-install onto your system.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  24. Re:Strange by forrestt · · Score: 1, Funny

    That's because Windows is used to running such code.

  25. I knew it! by Stevyn · · Score: 5, Funny

    There is still a way to blame Microsoft for this!!! I was getting a little worried there.

  26. Re:More damaging. by The+Conductor · · Score: 2, Funny

    Wan't a smilar virs targete at slashcoe?

  27. Read the Result! by Anonymous Coward · · Score: 1, Funny

    Authorized Researcher Only.

    Attachment: result.zip

  28. Re:Strange by Anonymous Coward · · Score: 5, Funny
    The creator of the Melissa virus left his email address in a comment. What sort of very good programmer uses comments?!?

    The guy who framed that poor patsy for creating Melissa, that's who.

  29. Sloppy code? by wvitXpert · · Score: 5, Funny
    Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.
    Hmmm... let me guess, the virus is written in such sloppy code that it just blends right in with the Windows code? ;^)
  30. Re:not by Anonymous Coward · · Score: 1, Funny

    This is not a very scary idea...

  31. vindication by sacrilicious · · Score: 4, Funny
    the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.

    See, this is what I've been trying to tell my boss: I'm not writing sloppy code, I'm trying to prevent people from reverse engineering our product!

    We visionaries are always persecuted.

    --
    - First they ignore you, then they laugh at you, then ???, then profit.
  32. TurboTax like virus? by hardaker · · Score: 3, Funny

    Gee... a virus that does things different when in a debugger or emulator? Sounds an awful lot like a certain version of TurboTax about 2 years back... Do we have a prime suspect yet?

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!