Slashdot Mirror


'Stealth' Worm Hinders Sandbox Analysis

Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perspective.

40 of 461 comments

  1. so is this what MSFT does? by garcia · · Score: 3, Insightful

    They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?

    Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.

    1. Re:so is this what MSFT does? by spitzak · · Score: 3, Insightful

      This is about the fourth time I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist. Is there any documented evidence that this has been used in *any* virus/worm/hacks? And has there actually been more than one bug found (I suspect not, since trolls keep saying "bmp bug! bmp bug! bmp bug!") I don't think so.

      Availability of the source code does not lead to exploits. Anybody with even a moderate amount of experience with software development would know this. If the exploit was evident by looking at the code, the code writer would probably fix it. Every single exploit is discovered by accident, put in a "bug report", and the code writer has to spend a huge amount of time figuring out exactly how his code, which looks just fine, is producing the unwanted behavior. The discovery of unwanted behavior is exactly equal in both open and closed source.

      In fact the advantage of open source is not that it has fewer bugs, but that when such unwanted behavior is discovered by accident, a huge number of people will try to fix it. Even people who get it wrong will produce modified versions that are less likely to be attacked by a virus.

    2. Re:so is this what MSFT does? by aardvarkjoe · · Score: 3, Insightful
      This is about the fourth time I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist.
      Er ... don't know about anyone else, but "They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?" doesn't sound much like apologism to me. (Doesn't sound much like proper grammar, either, but I suppose that's beside the point.) If anything, the fact that we haven't heard about a rash of new exploits based on it seems to indicate that broken portions of the code aren't as obvious and easy to fix (or exploit) as some parties like to claim.
      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    3. Re:so is this what MSFT does? by maximilln · · Score: 5, Insightful

      The parent is horribly bipolar.

      I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist

      Actually an apologist wouldn't be spouting about the BMP exploit. Rather an apologist would be trying to dismiss it as you do in here:

      Is there any documented evidence that this has been used in *any* virus/worm/hacks?

      There. Now you're being the closed source apologist by saying, "We're sorry about the BMP thing but does it really make a difference?" Since it's been pointed out that the BMP thing was only present in older editions of MSIE (5.5?) it's pretty plausible that the forensic trail of tracking any exploits is long covered, formatted, and reinstalled.

      And has there actually been more than one bug found

      The security industry has its hands full simply processing data on exploits which are submitted. The people who have time to go over that released source code routine by routine, structure by structure, loop by loop, aren't going to tell you about it first. If they're nefarious they're not telling anyone.

      Additionally, did you read this yesterday? Did you try contacting the authors who published those vulnerabilities? It's quite possible that they came onto those vulns by looking at the source code.

      So sit down and...

      If the exploit was evident by looking at the code, the code writer would probably fix it

      That's a bit shallow minded. Not every programmer who works for MS was a 4.0 overachiever who visualized code loops and logic flow in real time. Very few middle managers were 4.0 overachievers--many got to their position because they were better at social networking than coding networks. By the time the code gets to the upper management it's not being audited line by line. Even 4.0 students aren't always guaranteed overachievers with amazing perceptual abilities. Many 4.0 students know how to stand in line and keep their mouths shut. That's the most assured way to a 4.0.

      Every single exploit is discovered by accident

      I would agree that the majority of exploits are discovered by someone noticing erratic behavior in a program and taking the initiative to dig in deeper. However I know a number of people who take great delight in poring over changelogs and then going back to audit source code when "Bug in <sourcefile.c> fixed." The changelog may have been a roadsign but when sourcefile.c is 1000+ lines it's still a testament to skill to find the bug which was fixed.

      --
      +++ATHZ 99:5:80
  2. Mailers? by Deflagro · · Score: 4, Insightful

    Now just imagine if someone wanted to actually be malicious with this stuff..
    I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
    I think we're just lucky these writers don't do more with the holes Microsoft gives them.

    --
    Der Tod ist der einzige Weg hier raus!
    1. Re:Mailers? by Tyler+Eaves · · Score: 4, Insightful

      The thing with destructive viruses is that they don't tend to spread very far, since by definition they take their host (and thus themselves) out after a few minutes or hours, where as something like Code Red, Nimda, etc,etc, can go for years without being removed.

      --
      TODO: Something witty here...
    2. Re:Mailers? by ites · · Score: 5, Insightful

      Read about the mechanics of disease spread with respect to viruses and you'll see why this does not happen.

      Highly damaging viruses don't spread far. Today's virus/worm/trojan writers want to capture large numbers of zombie PCs and resell these networks. They aim for control, not damage. It's about money, not vandalism.

      --
      Sig for sale or rent. One previous user. Inquire within.
    3. Re:Mailers? by Deflagro · · Score: 3, Insightful

      But technically, if someone decided to make the virus malicious and mail itself out first before injecting the damaging code...then you can have a Code Red that kills machines.
      Although, like a poster below, the data changing aspect would be a more annoying bug.

      I'm just saying that MS can be made to look real bad in the eyes of corporations. Mind you, the person responsible for something like that would get the death sentence under the Patriot Act or something, I'm sure.

      --
      Der Tod ist der einzige Weg hier raus!
    4. Re:Mailers? by (54)T-Dub · · Score: 3, Insightful

      Yes, but the longer a host is infected the more opportunities it has to infect other machines. Especially if the user doesn't know they are infected. Not to mention the "hype" factor of big destructive viruses tends to help quell their outbreak.

      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    5. Re:Mailers? by Lumpy · · Score: 5, Insightful

      But creating an ebola computer virus would not be hard.

      Code Red, for example: if it had a timed payload that killed the machine X minutes after infection, and that number of minutes was 3 days in the future, it would be able to spread widely and STILL cause the death of the host machines.

      The scariest is the stealth virus that spreads slowly, is silent and acts mostly benign for 90 to 120 days, then simply kicks in for a full-boat infection/attack + death 4 hours after final activation.

      By the time it was discovered most people would be helpless.

      --
      Do not look at laser with remaining good eye.
    6. Re:Mailers? by king-manic · · Score: 2, Insightful

      However, virulence will dictate response. The RPC worms are still around because some machines have never been patched. Thus it will be an issue until all machines are patched. However, the stoned temple monkey is no longer around. It killed the computer, so it mediated a response: either the machine died or admins raced to fix it.

      Critical mass for infection is harder to reach if you're lethal. The virus writer would have to predict reactive patterns and behavior in the wild. Hard. A lethal virus would have a shorter window. If it had a synchronized dormancy and waited till critical mass, then maybe. But you have to balance more time to get caught vs more time to spread.

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
  3. Sloppy or devious? by hcdejong · · Score: 5, Insightful

    From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
    I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.

  4. Hex it? by Gunfighter · · Score: 1, Insightful

    Can't they break it down with a hex editor and see what's under the hood?

    --
    -- Stu

    /. ID under 2,000. I feel old now.
    1. Re:Hex it? by Jonboy+X · · Score: 5, Insightful

      Can't they break it down with a hex editor and see what's under the hood?

      Not really. It's kinda like looking at the blueprints to a race car. Even if you know every little bit of the thing, you don't really understand what it does or how it does it until you can take it out on the test track.

      Besides, looking at compiled code in a hex editor is kinda like looking at a jpeg in a hex editor. Maybe you see some interesting patterns, but it's tough to get the big picture.

      BTW, yes, it is bad analogy week here on Slashdot. Didn't you get the memo?

      --

      "In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
    2. Re:Hex it? by Anonymous Coward · · Score: 5, Insightful

      Apparently they want to run it in one of the "modern" debuggers. If the program manages to run through a few very simple tests, it'll detect it's in a debugger environment and can easily self-destruct.

      I did things like this years ago when fiddling around with a copy protection scheme. (Remember those days?) Trivial, really .. but they're right: I don't think things like that have been done in a while. Some vandal's been playing with the Way-Back Machine :-)

      If you really step through the code with a debugger, you can see the tests and traps (if you know what to look for) and avoid them. But that's tedious, to say the least.

      Obviously somebody at the virus scanner companies couldn't be bothered, and was impressed with or surprised by a lousy "debugger bit test".

  5. Re:Strange by cuzality · · Score: 5, Insightful

    "The greatest trick the Devil ever pulled was convincing the world he didn't exist." --Verbal Kint

    And the greatest trick this guy pulled is making himself look like an ID10T...

  6. Ironic quote by mabu · · Score: 4, Insightful

    "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.

    Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"

  7. what is it gonna be? by Anonymous Coward · · Score: 3, Insightful

    "This piece of code is so sloppy, it's devious," said Mircea Ciubotariu

    If it's intentional, it's not sloppy...
    If it's not intentional, it's not devious...

  8. More damaging. by khasim · · Score: 5, Insightful

    If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.

    Damaging the computer itself is too easy to catch and causes people to take it seriously.

    Changing data has more implications for CORPORATIONS and would take longer to detect.

    1. Re:More damaging. by ArsenneLupin · · Score: 3, Insightful
      All this would still be way too tame. Why stop at corrupting data, when you can have way more fun leaking it?

      Or even more fun, long documents you produce for meetings or public distribution. Embedded within are names harvested from your address book, appended with a few choice words?

      Why not scan Word documents for names, and cross-reference those with your address book? As soon as a match is found, mail them said document. John Smith will surely be glad to learn that you intend to announce to him at next week's meeting that you'll fire him. Or ACME-soft will be pleased to learn that you are so dissatisfied with their service that you are shopping for a competitor ;-) But forewarned is forearmed. Endless fun!

    2. Re:More damaging. by nine-times · · Score: 5, Insightful
      'Next-gen: Random sentence inclusion into all word docs, change #'s in excel sheets, alter contents of address books, random data into access/sql databases.

      That sh*t would be brutal to deal with.

      It's one thing to know you have to restore from backups after a hard drive is wiped, or you just can't seem to shake the virus.

      It's a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?'

      You're absolutely right, and I bet most people aren't taking what you're saying seriously enough. Do you know how many businesses keep track of things, even financial data, in just Excel spreadsheets? I mean, NO real paper trail, and even nothing clear to check the numbers against?

      Even when you're talking about corrupting data, it's one thing to delete a random letter from a Word document; a spell-check will probably catch it. If a virus added a particular sentence to Word documents (the same sentence each time), you can at least find out if the document has been corrupted by searching for that sentence. Even random sentences, which would be much harder to deal with, would be noticeable when someone goes to read it. However, shifting individual numbers in an Excel document 10%, up or down, randomly? That could easily go unnoticed for a long time, and even when you go to the backups, how do you know you have retrieved an old enough version to be an uncorrupted version?

      The idea kind of reminds me of the Office Space/Superman III scheme of writing a virus that rounds down to the nearest cent and sends the excess to a bank account.

    3. Re:More damaging. by shopi · · Score: 2, Insightful
      How about not changing nor destroying documents, but *encrypting* them? Then you could extort those companies and governments with your secret key.

      This is called "cryptovirology" and here is a really interesting book about it.

  9. Hack it by Manip · · Score: 2, Insightful

    It isn't that complicated to find the part of the code that causes a break in execution (end-point). So when it detects the debugger and breaks execution, couldn't you reverse engineer it from that point and maybe write a mod (like a game crack) to avoid the debugger detection?

    This would allow the rest of the program to work as normal just without the self-defence code.

  10. Code sloppy? by g0bshiTe · · Score: 4, Insightful

    My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.

    Because hey no coder legit or illicit wants to be thought of as a sloppy coder.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  11. Re:AV software particularly effective? by Azrael+Newtype · · Score: 2, Insightful

    The talk of running in a sandbox environment was for AV software companies. They intentionally release viruses into a sandbox environment in order to figure out how they work to develop the countermeasures included in their updates. A regular user with AV software doesn't usually have a separate sandbox for running e-mail, so it'd install into the main system, and therefore infect, and the AV software wouldn't even see it, as it won't until they release new DAT files for whatever AVS you run.

    --
    I'm always right and I can prove it, because to the best of my knowledge, I've never been wrong.
  12. Re:"So sloppy it's devious"? by shadowcabbit · · Score: 3, Insightful

    One or the other... devious or sloppy... but surely not both.

    Yes, it is both. It's sloppy because whoever wrote this virus forgot to disable the suicide code before releasing it into the wild. The writer obviously would have written this into the virus during development so that he didn't hose his own machine.

    It's devious because now virus writers know that "forgetting" to "fix" their virus pisses off more people in high places, instead of just plain pissing off more people. It wastes resources and diverts attention from bigger threats-- or smaller threats which just get lucky.

    It's a tactic so totally stupid that it borders on brilliance.

    --
    "Why Subscribe?" Good question...
  13. Custom VMWare environment or hardware? by swb · · Score: 4, Insightful

    I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.

    I'd think this would give them greater granularity and more control over the entire environment than trying to just run in it in a standard debugger.

    1. Re:Custom VMWare environment or hardware? by Alsee · · Score: 2, Insightful

      I think he means more advanced hardware that would be impossible to detect. Slave a CPU to an external master CPU. The master CPU would be completely invisible to the slave. All of the slave's registers and interrupts and RAM would be undetectable because they would be perfectly authentic. Give the master CPU total read/write access and the ability to single step the slave CPU's clock. The slave couldn't even detect timing anomalies because all extra processing would be done on the master CPU, plus the slave's clock itself could be undetectably paused - the actual CPU clock line.

      I assume Intel and AMD must already have almost exactly this sort of hardware available for development work.

      I guess the virus could then try to look to peripheral hardware for timing information, like video cards and harddrives. On one hand it would be a major pain for an AV company to accurately virtualize the timing in peripherals, but on the other hand the virus writer is facing unknown peripherals connected to an unknown system with wildly variable timings.


      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  14. It's New Coke! by blueZhift · · Score: 2, Insightful

    This reminds me of the whole New Coke thing years ago. Was it pure genius that Coke managed to sap Pepsi sales with the sweeter, more Pepsi-like New Coke while hanging on to loyal customers with the reintroduced Coca-Cola Classic, or was it a colossal blunder that they were just lucky enough to escape and still get ahead? Who knows? Unless the virus writer is caught, we may never know. Right now, I guess he or she is saying, "Yeah, I meant to do that!"

    In any case, I guess when it comes to virus writing sloppy coding pays off. And perhaps sloppy != stupid, unless of course you get caught! I suppose the next trick is for someone to release a code obfuscator that produces sloppy looking code.

  15. DMCA Violation! by Anonymous Coward · · Score: 5, Insightful

    Hey... If they reverse engineer this thing, won't they be violating the DMCA? I say the virus writer should sue all the anti-virus companies.

    By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti-virus software is also violating the DMCA. I say fire off a few hundred lawsuits and see what happens.

    (Maybe with thinking like this RIAA will hire me.) ;-)

  16. How does this equate to sloppy? by Anonymous Coward · · Score: 5, Insightful

    I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.

    I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder.

    In fact, if it is so difficult for antivirus companies to debug this, then why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?

    1. Re:How does this equate to sloppy? by Ytsejam-03 · · Score: 2, Insightful
      I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional.
      This is a very short article, and I don't think that the author thought this behavior was due to sloppy code. Note the first two paragraphs:
      "There's a new mass mailing virus in town, and it's built to make life for AV researchers even more difficult.

      Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers."
      The reference to sloppy code is only made in the following quote from the article:
      "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
      As another poster suggested, perhaps something got lost in the translation.

      While this may make the virus a little harder to analyze, I don't see how it would slow the anti-virus companies down much. Anti-virus researchers would simply need to change the code, disabling the section that checks to see if a debugger is attached. This is likely a simple matter of disassembling the code and changing the appropriate jump statement.
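What "disabling the section that checks to see if a debugger is attached" and "changing the appropriate jump statement" look like in practice, as an added example that is not the article's, any poster's or the worm's code (it also covers the "write a mod like a game crack" idea in comment 9 and the "tests and traps" of comment 4.2). Everything below is assumed for illustration: the byte string is a constructed toy x86 snippet, the call to offset 0x10 stands in for whatever debugger check a real sample makes, and the emulator handles only the handful of opcodes the toy uses. On a real sample the same patch is applied in a disassembler or hex editor, after checking that the binary does not checksum itself.

```python
# Added example: neutralising an anti-debug branch by patching the
# conditional jump after the check.  The bytes are a CONSTRUCTED toy, not
# Atak's code; the "check" is modelled by intercepting a call to 0x10.
from typing import Optional

# Layout of the constructed snippet (offsets in hex):
#   00  E8 0B 00 00 00   call  check      ; EAX = 1 if "debugged", else 0
#   05  85 C0            test  eax, eax
#   07  75 05            jne   bail       ; debugger seen -> skip the payload
#   09  B8 2A 00 00 00   mov   eax, 42    ; the "real" work, marked by 42
#   0E  C3               ret              ; bail lands here with EAX still 1
#   0F  90               nop
#   10  (check stub; the emulator intercepts calls to this offset)
SAMPLE = bytes.fromhex("E80B000000" "85C0" "7505" "B82A000000" "C3" "90")
CHECK_STUB = 0x10                      # assumed location of the check routine
JCC_OPCODES = {0x74: "je", 0x75: "jne"}


def find_debugger_check(code: bytes) -> Optional[int]:
    """Offset of the Jcc that follows 'test eax,eax' (85 C0) on the check's
    result, or None.  A byte pattern is enough for the toy; real samples
    need a disassembler to find the branch."""
    for i in range(len(code) - 2):
        if code[i] == 0x85 and code[i + 1] == 0xC0 and code[i + 2] in JCC_OPCODES:
            return i + 2
    return None


def patch_jump(code: bytes, jcc_off: int, mode: str = "nop") -> bytes:
    """Return a copy with the 2-byte Jcc at jcc_off replaced.
    mode="nop"    -> 90 90: the bail-out branch is never taken
    mode="invert" -> je<->jne: the branch sense is flipped, for layouts
                     where the bail-out is the fall-through path instead"""
    op = code[jcc_off]
    if op not in JCC_OPCODES:
        raise ValueError(f"no Jcc at {jcc_off:#x}")
    patched = bytearray(code)
    if mode == "nop":
        patched[jcc_off:jcc_off + 2] = b"\x90\x90"
    elif mode == "invert":
        patched[jcc_off] = 0x74 if op == 0x75 else 0x75
    else:
        raise ValueError(mode)
    return bytes(patched)


def run(code: bytes, debugger_present: bool) -> int:
    """Tiny emulator for the opcodes the toy uses; returns EAX at ret."""
    eax, zf, pc = 0, False, 0
    for _ in range(1000):                      # guard against runaway loops
        op = code[pc]
        if op == 0xE8:                         # call rel32
            target = pc + 5 + int.from_bytes(code[pc + 1:pc + 5], "little", signed=True)
            if target != CHECK_STUB:
                raise NotImplementedError("only the check stub is modelled")
            eax = 1 if debugger_present else 0
            pc += 5
        elif code[pc:pc + 2] == b"\x85\xC0":   # test eax, eax
            zf = (eax == 0)
            pc += 2
        elif op in JCC_OPCODES:                # je / jne rel8
            rel = int.from_bytes(code[pc + 1:pc + 2], "little", signed=True)
            pc += 2
            taken = zf if op == 0x74 else not zf
            if taken:
                pc += rel
        elif op == 0xB8:                       # mov eax, imm32
            eax = int.from_bytes(code[pc + 1:pc + 5], "little")
            pc += 5
        elif op == 0x90:                       # nop
            pc += 1
        elif op == 0xC3:                       # ret
            return eax
        else:
            raise NotImplementedError(f"opcode {op:#x} at {pc:#x}")
    raise RuntimeError("no ret reached")


if __name__ == "__main__":
    off = find_debugger_check(SAMPLE)
    print(f"anti-debug Jcc at {off:#x}")
    print("original, no debugger:", run(SAMPLE, False))
    print("original, debugger   :", run(SAMPLE, True))
    print("patched,  debugger   :", run(patch_jump(SAMPLE, off), True))
```

The NOP patch is the usual choice because it leaves the instruction stream the same length, so nothing after it has to be relocated; the inverted branch is for the case where the "good" path is the taken one. Either way the sample then runs its normal code under the debugger, which is all the researcher wanted.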
  17. Re:Strange by Anonymous Coward · · Score: 1, Insightful

    Very good programmers don't write viruses; they have better things to do and create with their time.

  18. Dear me, how remarkably fucking stupid. by devphil · · Score: 4, Insightful
    This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior.

    We call those heisenbugs and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.

    "I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"

    Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...

    I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
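The "debugger bit test" of comment 4.2 and the "function that allows an application to determine whether or not it is being debugged" quoted above, as an added example written for this page rather than anything from the article or the posters. It assumes the quoted function is the Win32 IsDebuggerPresent API (the thread does not name it); on Linux it uses the closest equivalent, the TracerPid field of /proc/self/status, and the two status dumps are constructed samples. It is the kind of check a researcher sidesteps by patching the branch, hooking the API, or simply clearing the flag the API reads.

```python
# Added example: the "debugger bit test" in Python.  IsDebuggerPresent as
# the function referred to is my assumption; the status samples are made up.
import ctypes
import sys
from typing import Optional


def tracer_pid_from_status(status_text: str) -> Optional[int]:
    """Parse the TracerPid line of a /proc/<pid>/status dump.
    0 means nobody is ptrace-attached; None means the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def debugger_present() -> Optional[bool]:
    """True if a debugger is attached, False if not, None if unknown.
    A program that branches on this is exactly the heisenbug the poster
    complains about: it behaves differently the moment it is watched."""
    if sys.platform == "win32":
        # Reads the BeingDebugged byte of the process environment block.
        return bool(ctypes.windll.kernel32.IsDebuggerPresent())
    if sys.platform.startswith("linux"):
        try:
            with open("/proc/self/status", encoding="ascii") as f:
                pid = tracer_pid_from_status(f.read())
        except OSError:
            return None
        return None if pid is None else pid != 0
    return None


def python_tracer_present() -> bool:
    """The interpreter-level analogue: pdb, coverage and most Python
    debuggers install a trace function, which is just as visible."""
    return sys.gettrace() is not None


# Constructed samples of /proc/self/status, traced (e.g. under gdb) and not.
SAMPLE_TRACED = "Name:\tatak\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n"
SAMPLE_CLEAN = "Name:\tatak\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t1000\n"

if __name__ == "__main__":
    print("OS-level debugger present   :", debugger_present())
    print("Python trace function active:", python_tracer_present())
```

Run it plainly and then under `gdb --args python3 check.py` or `python3 -m pdb check.py` to see each flag flip; that flip is what the sandbox of comment 19 has to hide to stay "indistinguishable from a real computer".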
  19. Bug/sandbox? by julesh · · Score: 4, Insightful

    A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"

    Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.

  20. Re:You're missing the point by magefile · · Score: 2, Insightful

    Look, I disagree with the GP too, but your counterargument is bogus. First, many file systems (HFS, ext2-3 spring to mind) don't need debugging. Second, the warranty is set to just under the MTBF for a reason, and there's no tin-foil hat there - the companies will admit it, because there's nothing illegit or sneaky about it.

    OTOH, you have a group of largely unknown people writing viruses, and a group of people who profit off of their bad behavior. Besides, even if the AV companies didn't have a symbiotic relationship with the writers, why spark an arms race?

  21. You're assuming people would fix it... by rsilvergun · · Score: 5, Insightful

    Most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person calls tech support for other problems either. The key is being quiet and unintrusive right up till the end, then you lay waste to the computer.

    Frankly, I'm with the first poster. A good ol' fashioned hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everything on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  22. What a bizarre statement by autopr0n · · Score: 3, Insightful

    It would seem that making a virus hard to debug/analyze would be the hallmark of a well-written virus, not a poorly made one.

    I realize that 'easy to execute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.

    --
    autopr0n is like, down and stuff.
  23. So all I need is a debugger running? by Anonymous Coward · · Score: 1, Insightful

    So all I need is a debugger running to defeat this program? :\

  24. Re:Finally! by juhaz · · Score: 2, Insightful

    There are other exemptions in the DMCA than those two; virus research would probably be under the "Security testing" exception.

    This exception permits circumvention of access control measures, and the development of technological means for such circumvention, for the purpose of testing the security of a computer, computer system or computer network, with the authorization of its owner or operator.