'Stealth' Worm Hinders Sandbox Analysis
Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perpective.
They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?
Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.
Now just imagine if someone wanted to actually be malicious with this stuff..
I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
I think we're just lucky these writers don't do more with the holes Microsoft gives them.
Der Tod ist der einzige Weg hier raus!
From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.
"The greatest trick the Devil ever pulled was convincing the world he didn't exist." --Verbal Kint
And the greatest trick this guy pulled is making himself look like an ID10T...
"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"
"This piece of code is so sloppy, it's devious," said Mircea Ciubotariu
If it's intentional, it's not sloppy...
If it's not intentional, it's not devious...
If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.
Damaging the computer itself is too easy to catch and causes people to take it seriously.
Changing data has more implications for CORPORATIONS and would take longer to detect.
My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.
Because hey no coder legit or illicit wants to be thought of as a sloppy coder.
I am Bennett Haselton! I am Bennett Haselton!
Can't they break it down with a hex editor and see what's under the hood?
Not really. It's kinda like looking at that blueprints to a race car. Even if you know every little bit of the thing, you don't really understand what it does or how it does it until you can take it out on the test track.
Besides, looking at compiled code in a hex editor is kinda like looking at a jpeg in a hex editor. Maybe you see some interesting patterns, but it's tough to get the big picture.
BTW, yes, it is bad analogy week here on Slashdot. Didn't you get the memo?
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Apparently they want to run it in one of the "modern" debuggers. If the program manages to run through a few very simple tests, it'll detect it's in a debugger environment and can easily self-destruct.
.. but they're right: I don't think things like that have been done in a while. Some vandal's been playing with the Way-Back Machine :-)
I did things like this years ago when fiddling around with a copy protection scheme. (Remember those days?) Trivial, really
If you really step through the code with a debugger, you can see the tests and traps (if you know what to look for) and avoid them. But that's tedious, to say the least.
Obviously somebody at the virus scanner companies couldn't be bothered, and was impressed with or surprised by a lousy "debugger bit test".
One or the other... devious or sloppy... but surely not both.
Yes, it is both. It's sloppy because whoever wrote this virus forgot to disable the suicide code before releasing it into the wild. The writer obviously would have written this into the virus during development so that he didn't hose his own machine.
It's devious because now virus writers know that "forgetting" to "fix" their virus pisses off more people in high places, instead of just plain pissing off more people. It wastes resources and diverts attention from bigger threats-- or smaller threats which just get lucky.
It's a tactic so totally stupid that it borders on brilliance.
"Why Subscribe?" Good question...
I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.
I'd think this would give them greater granularity and more control over the entire environment than trying to just run in it in a standard debugger.
Hey... If they reverse engineer this thing, won't they be violating the DCMA? I say the virus writer should sue all the anti-virus companies.
;-)
By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti virus software is also violating the DCMA, I say fire off a few hundred law suits and see what happens.
(Maybe with thinking like this RIAA will hire me.)
I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.
I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?
In fact, if it is so difficult for antivirus companeis to debug this, when why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?
We call those heisenbugs and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.
"I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"
Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...
I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"
Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.
most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person call tech support for other problems either. The key is being quite and unintrusive right up till the end, then you lay waste to the computer.
Frankly, I'm with the first poster. I good 'ole fashion hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everthing on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
It would seem that making a virus hard to debug/analize would be the hallmark of a well-written virus, not a poorly made one.
I realize that 'easy to exicute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.
autopr0n is like, down and stuff.