'Stealth' Worm Hinders Sandbox Analysis
Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perspective.
I've always heard that it takes a very good programmer to write an effective and powerful virus.
They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?
Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.
Now just imagine if someone wanted to actually be malicious with this stuff..
I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
I think we're just lucky these writers don't do more with the holes Microsoft gives them.
Death is the only way out of here!
From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.
Since they claim it requires user intervention, that would make it a virus, since worms are self-propagating.
Of course, given the accuracy I've come to expect from Slashdot summaries, it could be a new version of MS IE...
You are in a maze of twisted little posts, all alike.
Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection.
Would that make this worm a 'night crawler'?
Badum Ching!
So all you have to do to be safe is make sure you've got a debugger running, and the virus kills itself. I guess that adds new meaning to the term "de-bugger" :-)
"You're right, it's pure genius - they couldn't guess we'd do that, because only a frickin' idiot would do that!" - paraphrased from (approximately) 3.14 million movies.
Maybe this will teach them how to think outside the (sand)box! Maybe they can harness their synergy with this new paradigm shift into sandbox-free thinking.
:)
Ahh, it's 1999 all over again
StickMan
www.rageagainst.net
Just what we wanted - buggy bugs, erm, viruses!
You know something's wrong with the world, when the malicious software itself is flawed..
http://efil.blogspot.com/
One or the other... devious or sloppy... but surely not both.
/tinfoil on
/tinfoil off
Maybe it's just a sign that malware is evolving along the same rules as organic life: accidental errors get selected for survival value and passed along to following generations.
Malware that detects and disables attempts to reverse engineer it... ?
Or perhaps we can read the anti-virus researcher's comments in a totally different light:
"Most viruses [which we develop ourselves to stimulate sale of our products and services] have a function to let us easily identify and sandbox them. In this example, the function is broken. So sloppy it's devious [and perhaps intended as a warning that we're not paying our freelance coders enough]."
Nah.
Sig for sale or rent. One previous user. Inquire within.
Then it's not a worm.
"Ask not what your country can do for you." --John F. Kennedy
Strippers writing viruses? Sounds like a Fox special. And, being your typical Slashdotter without a girlfriend, I have to ask, do you have pictures?
If my answers frighten you, stop asking scary questions.
One possible method I would probably use (off the top of my head) is to find out the time elapsed between executing two instructions - the time would be fairly high if the code were being single-stepped through.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"
"This piece of code is so sloppy, it's devious," said Mircea Ciubotariu
If it's intentional, it's not sloppy...
If it's not intentional, it's not devious...
C'mon, *her* code? Isn't that a bit gratuitous? I mean, we're talking about code here, not a delicious turkey dinner.
1) Contains a "bug", well let's just call it a "feature". 2) Sloppy code, but Hey! it works. Sort of. 3) Runs on Windows only. Sounds like every piece of commercial software sold by Microsoft to me.
If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.
Damaging the computer itself is too easy to catch and causes people to take it seriously.
Changing data has more implications for CORPORATIONS and would take longer to detect.
Sure, but they can't step through it. The virus detects the debugging environment and exits.
The formal definition changes depending on who you ask, but in this case, the key attribute that defines this as a worm instead of a virus is that viruses embed themselves in other programs. This program doesn't infect other programs, it just runs as a separate program placed in your Windows\system directory.
This piece of code is so sloppy, it's devious
It shouldn't be hard to find the author, he obviously works at Microsoft.
I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."
It isn't that complicated to find the part of the code that causes a break in execution (end-point). So when it detects the debugger and breaks execution, couldn't you reverse engineer it from that point and maybe write a mod (like a game crack) to avoid the debugger detection?
This would allow the rest of the program to work as normal just without the self-defence code.
My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.
Because hey no coder legit or illicit wants to be thought of as a sloppy coder.
I am Bennett Haselton! I am Bennett Haselton!
The code is so bad that they can't read it, so it's insecurity through obscurity?
Can't they break it down with a hex editor and see what's under the hood?
Not really. It's kinda like looking at that blueprints to a race car. Even if you know every little bit of the thing, you don't really understand what it does or how it does it until you can take it out on the test track.
Besides, looking at compiled code in a hex editor is kinda like looking at a jpeg in a hex editor. Maybe you see some interesting patterns, but it's tough to get the big picture.
BTW, yes, it is bad analogy week here on Slashdot. Didn't you get the memo?
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Apparently they want to run it in one of the "modern" debuggers. If the program manages to run through a few very simple tests, it'll detect it's in a debugger environment and can easily self-destruct.
.. but they're right: I don't think things like that have been done in a while. Some vandal's been playing with the Way-Back Machine :-)
I did things like this years ago when fiddling around with a copy protection scheme. (Remember those days?) Trivial, really
If you really step through the code with a debugger, you can see the tests and traps (if you know what to look for) and avoid them. But that's tedious, to say the least.
Obviously somebody at the virus scanner companies couldn't be bothered, and was impressed with or surprised by a lousy "debugger bit test".
This content author has vilified every artist who has ever had their work reverse engineered.
This is a great day for copyright, authors, and those downtrodden by IP terrorists!
Hopefully this clears up the "Is it sloppy or is it devious?" posts. It is both.
Number 1 (from the article):
Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers.
So that part is intentional.
A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox". A sandbox is a virtual environment commonly used by AV researchers to look at the behaviour of malware in a safe environment.
So what I think they are saying is that even with its ability to detect if it's being run in debug mode, they would still normally be able to run it in a sandbox. Unfortunately (for the AV companies) there's the second thing: the seemingly unintentional bug that prevents it from working in a virtual environment.
The talk of running in a sandbox environment was for AV software companies. They intentionally release viruses into a sandbox environment in order to figure out how they work, to develop the countermeasures included in their updates. A regular user with AV software doesn't usually have a separate sandbox for running e-mail, so it'd install into the main system, and therefore infect, and the AV software wouldn't even see it, as it won't until they release new DAT files for whatever AVS you run.
I'm always right and I can prove it, because to the best of my knowledge, I've never been wrong.
Found embedded in the virus code... 56 42 56 63 72 69 70 74 20 72 6f 58 6f 72 7a 21
Isaiah 43:19 (NCV)
Look at the new thing I am going to do. It is already happening. Don't you see it?
Anti-debugging techniques have been in use for a long time. As an example, I remember attempting to reverse engineer some (ahem) commercial code about 15 years ago on x86 (MS-DOS). The first problem I hit was they'd replaced the keyboard interrupt (INT 9) with their own handler, so my debugger no longer responded to keypresses. After I worked around that I then discovered that they'd used the breakpoint interrupt (INT 3) to implement some critical functionality. Normal users would never even know, but as soon as you're in a debugging environment everything falls apart.
To be fair, them replacing the keyboard handler wasn't an anti-debugging feature but it still had the same effect since it still rendered my debugger impotent. It sounds like this virus has a similar effect.
Of course it wasn't long before the debuggers started to provide ways to overcome these types of problems, but it was always a constant game of leapfrog and I can't imagine much has changed.
IsDebuggerPresent
The IsDebuggerPresent function indicates whether the calling process is running under the context of a debugger.
This function is exported from KERNEL32.DLL.
BOOL IsDebuggerPresent(VOID)
Parameters
This function has no parameters.
Return Value
If the current process is running in the context of a debugger, the return value is nonzero. If the current process is not running in the context of a debugger, the return value is zero.
Remarks
This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior. For example, an application could provide additional information using the OutputDebugString function if it is being debugged.
No sharp objects, I'm a programmer!
Isn't a "stealth worm" that requires "user intervention" a paradox?
Gentoo Linux - another day, another USE flag.
I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.
I'd think this would give them greater granularity and more control over the entire environment than trying to just run it in a standard debugger.
Unless the writer has gone to great lengths to obfuscate, a disassembler combined with a skilled x86 assembly programmer should be able to tell you all about what it does. Maybe the AV companies don't have those skills . . . methinks they should.
This reminds me of the whole New Coke thing years ago. Was it pure genius that Coke managed to sap Pepsi sales with the sweeter, more Pepsi-like New Coke while hanging on to loyal customers with the reintroduced Coca-Cola Classic, or was it a colossal blunder that they were just lucky enough to escape and still get ahead? Who knows? Unless the virus writer is caught, we may never know. Right now, I guess he or she is saying, "Yeah, I meant to do that!"
In any case, I guess when it comes to virus writing sloppy coding pays off. And perhaps sloppy != stupid, unless of course you get caught! I suppose the next trick is for someone to release a code obfuscator that produces sloppy looking code.
To the making of books there is no end, so let's get started
Hey... If they reverse engineer this thing, won't they be violating the DMCA? I say the virus writer should sue all the anti-virus companies.
;-)
By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti-virus software is also violating the DMCA. I say fire off a few hundred lawsuits and see what happens.
(Maybe with thinking like this RIAA will hire me.)
Uh huh, that's what it was, sloppy coding that leads to one's new virus being very difficult to analyze and fight...
It was a joke! When you give me that look it was a joke.
I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.
I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?
In fact, if it is so difficult for antivirus companies to debug this, then why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?
A viruswriter should add an EULA to his/her virus.
- You may execute this virus 'as is'.
- We accept no claims of any kind of any or all damage done by this piece of software.
- You are responsible for the consequences of executing this software.
- You are NOT allowed to disassemble the code (DMCA).
- etc, etc..
Privacy is terrorism.
--
This sig is inoffensive.
A NYC lawyer blogs. http://www.chuangblog.com/
AV Guy: Man you are really sloppy! Virus Writer: Sloppy like a fox!
SIGFAULT
We call those heisenbugs and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.
"I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"
Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...
I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
You're right.
This program doesn't infect other programs, it just runs as a separate program placed in your Windows\system directory.
Wouldn't that qualify it as a "Trojan Horse" then? Generally a Trojan Horse is a program that tricks the user into running it by appearing as something it is not (hence the double extension trick). Of course the classic Trojan Horse appears to be one thing (like a weather program, or a clock synchronizer) but while it does that thing it secretly does something else, like install keyloggers, adware, etc.
Admittedly, the AV makers have been trying to pollute the definitions, calling these e-mail Trojans "worms" in a PC attempt to avoid assigning blame to the users, but I've always felt these three definitions to be pretty clear and well defined.
You are in a maze of twisted little posts, all alike.
This used to be a pretty heinous hack but seems well documented now; googling for the keywords: will get you some interesting results and tutorials.
* http://codeproject.com/system/api_spying_hack.asp
* http://tochna.technion.ac.il/project/Win32APIInte
Pretty cool shit.. anyway, the point is after you put a dummy IsDebuggerPresent that always returns false, you can step through it normally.
Or, heh, a method that would probably be a million times easier would to simply step through the code until it calls IsDebuggerPresent and change the value of EAX to 0 after it returns (since the return value of functions is placed in EAX after return).
Anyway, just musing and putting up those links because I learned a lot about how Windows internals work through playing with things like that and figured others might want to learn.
-fren
"Where are we going, and why am I in this handbasket?"
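Added example, not code from the thread or from the Atak sample: a small static-triage helper that flags, in a raw 32-bit x86 image, the anti-analysis tricks discussed in the posts above (the IsDebuggerPresent import that the reply above proposes to stub out, the inline PEB BeingDebugged read that the API wraps, RDTSC-based "how long did these two instructions take" timing checks, and lone INT 3 bytes compiled into code). The opcode encodings are standard x86; the sample image, the Finding type and the min_run padding threshold are constructed for this example.

```python
# Added example: static triage for the anti-debugging tricks discussed in the
# thread. Not the thread's code; the sample image below is constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str
    offset: int
    detail: str


# 32-bit x86 byte patterns. Comments give the disassembly of each pattern.
PATTERNS = {
    # mov eax, fs:[0x30]            -> fetch the PEB
    # movzx eax, byte ptr [eax+2]   -> read PEB.BeingDebugged (what the API does)
    "inline BeingDebugged check": re.compile(
        rb"\x64\xA1\x30\x00\x00\x00\x0F\xB6\x40\x02"),
    # rdtsc ... rdtsc within a short window: the usual shape of a timing check
    # that notices single-stepping between two timestamp reads
    "rdtsc timing check": re.compile(rb"\x0F\x31.{1,32}?\x0F\x31", re.DOTALL),
}
# Named import string as it appears in a PE import name table (NUL-terminated).
IMPORT_PATTERN = re.compile(rb"IsDebuggerPresent\x00")


def isolated_int3(image: bytes, min_run: int = 4) -> list[int]:
    """Offsets of 0xCC (INT 3) bytes that are not part of a padding run.

    Compilers pad between functions with runs of 0xCC; a lone INT 3 inside
    code is the kind of breakpoint-as-functionality trick one poster recalls.
    Heuristic: 0xCC also occurs in immediates, so treat hits as leads only.
    """
    hits, i, n = [], 0, len(image)
    while i < n:
        if image[i] != 0xCC:
            i += 1
            continue
        j = i
        while j < n and image[j] == 0xCC:
            j += 1
        if j - i < min_run:
            hits.extend(range(i, j))
        i = j
    return hits


def scan(image: bytes) -> list[Finding]:
    """Return all findings for the image, ordered by file offset."""
    findings = []
    for m in IMPORT_PATTERN.finditer(image):
        findings.append(Finding("IsDebuggerPresent import", m.start(),
                                "named import; hookable with a stub that returns 0"))
    for name, pat in PATTERNS.items():
        for m in pat.finditer(image):
            findings.append(Finding(name, m.start(), m.group(0).hex(" ")))
    for off in isolated_int3(image):
        findings.append(Finding("isolated INT 3", off, "cc outside padding run"))
    return sorted(findings, key=lambda f: f.offset)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per technique, for a quick triage verdict."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed sample image (not a real binary): a fake DOS stub, a fake import
# name table, then a short code fragment exercising every pattern above.
SAMPLE = (
    b"MZ" + b"\x00" * 30                               # fake DOS header stub
    + b"KERNEL32.dll\x00IsDebuggerPresent\x00"         # fake import names
    + b"\x55\x8B\xEC"                                  # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00\x0F\xB6\x40\x02"      # inline PEB check
    + b"\x85\xC0\x75\x02"                              # test eax, eax; jnz +2
    + b"\x0F\x31\x8B\xD8\x90\x90\x0F\x31"              # rdtsc; mov ebx,eax; nops; rdtsc
    + b"\xCC"                                          # lone int 3 inside code
    + b"\xC3" + b"\xCC" * 8                            # ret, then normal padding
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.technique:28} {f.detail}")
    print(summarize(scan(SAMPLE)))
```

Each hit is a lead for the analyst, not proof: the import is the place to install the always-false stub the reply above describes, and the inline PEB read shows where that stub alone would not be enough.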
There is still a way to blame microsoft for this!!! I was getting a little worried there.
Someone, anyone, clue me in to what's going on.
[Fuck Beta]
o0t!
Viruses which could detect that they are being run in a debugger were common 10 years ago when I used to work for an anti-virus company. For example, One-Half is such a virus.
A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"
Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.
Look, I disagree with the GP too, but your counterargument is bogus. First, many file systems (HFS, ext2-3 spring to mind) don't need debugging. Second, the warranty is set to just under the MTBF for a reason, and there's no tin-foil hat there - the companies will admit it, because there's nothing illegit or sneaky about it.
OTOH, you have a group of largely unknown people writing viruses, and a group of people who profit off of their bad behavior. Besides, even if the AV companies didn't have a symbiotic relationship with the writers, why spark an arms race?
Highly damaging viruses don't spread far.
Unless the damage is delayed and/or random.
Big counterexample is AIDS:
- Attacks the immune (i.e. antivirus) system directly.
- Goes dormant until the infected cell is activated for other purposes.
- Mutates "rapidly" for a virus (though slowly on reproductive cycle time scales), resulting in multiple strains from a single infection after a few years.
- Infects slowly enough that it doesn't create a tight cluster of infected individuals.
This enables it to spread widely before the occasional activation of the immune system cells carrying it expand its infection in an exponential cascade taking out the doomed host.
Birthday viruses / easter eggs are a simple mechanism to allow wide spread of computer viruses before they take out their hosts - and the hosts that are down at that time provide a reinfection reservoir. But it's primitive compared to AIDS.
A highly damaging virus could be made which makes random choices on when to utterly trash its host.
They aim for control, not damage. It's about money, not vandalism.
Unfortunately, while there are several criminal enterprises spreading worms/trojans/viruses whose intent is to create DDoS zombies, spam remailers, or keyloggers/filters looking for bank account access or other sensitive information, there are still plenty of virus authors chasing other things - including those who will vandalize machines for the fun of it.
And there are power groups with significant membership whose agendas would be advanced by taking out as much as possible of the IT infrastructure of the world - the more widespread and more lasting the damage, the better for their purposes. A family of worms with AIDS-like properties would serve their interests nicely.
Finally - while diseases evolve to be relatively benign, they do so randomly (and designed programs often don't do quite what was intended, especially on first release). Sometimes you get one that strikes a balance between spread and damage that results in a massive, widespread die-off among the host population before the combined evolution of the disease and hosts contains its remnants. Classic example: Bubonic Plague.
So let's not be lulled by analogies to the common cold and childhood diseases. They're the result of a lot of death and misery before the diseases found a stable niche. And while computer viruses share much of the math of disease spread they are designed, not evolved, and can easily have properties rarely seen in nature.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This could be a pain if it evolves further - and if the virus writers figure out ways of exploiting the debuggers that are running. I'm not aware of any exploits for any debuggers - so that's good at least!
It is not easy to make a software emulation of hardware that is exact without taking a huge performance hit. The processor, yes, but all that peripheral hardware is where the real emulation work is. Early versions of the UAE Amiga emulator emulated the video scan in the Amiga custom chips pixel-by-pixel, and it was so slow that UAE stood for "Useless Amiga Emulator." They later settled on refreshing the video on the (emulated) horizontal scanline flyback, which broke some exotic plasma-screen demos (which manipulated the palette in the middle of a scanline...try doing that on a PC!) but at least made UAE useful.
Of course some partisan wankers had to write software that detected the emulation environment & refused to run, apparently in the belief that emulation would kill the Amiga hardware market (not admitting that it was already cold & dead).
What you describe can be done in hardware though, consisting of an FPGA + CPU board that plugs into the CPU socket and a communication cable to a separate debugging PC. They are called In-Circuit Emulators (ICE) and are expensive, but very powerful, tools popular for embedded development.
Hmm, scan word docs looking for legalese adding and removing the word "not" at appropriate points.
should/will/must should/will/must not
Fairly simple but that alone could cause some interesting effects on contracts etc. I'm sure there are other simple and more effective ways of changing the meaning of sentences which would require the re-reading of them by the authors to guarantee that the meaning is correct.
Government of the people, by corporate executives, for corporate profits.
those already exist. they have for quite some time.
They're using their grammar skills there.
Most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person calls tech support for other problems either. The key is being quiet and unintrusive right up till the end, then you lay waste to the computer.
Frankly, I'm with the first poster. A good ol' fashioned hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everything on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Remember the old days of self modifying assembly code?
(i.e.:
instruction purpose
1-20 alter instruction 21-40
21-40 alter instruction 1-20, jump to 1
1-20 do something
21-40 alter 50-70 and 1-20
50-70 do something, jump to 1-20)
All alteration naturally is done in the most tricky of ways.
Ah, those were the days.
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
It would seem that making a virus hard to debug/analyze would be the hallmark of a well-written virus, not a poorly made one.
I realize that 'easy to execute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.
autopr0n is like, down and stuff.
See, this is what I've been trying to tell my boss: I'm not writing sloppy code, I'm trying to prevent people from reverse engineering our product!
We visionaries are always persecuted.
- First they ignore you, then they laugh at you, then ???, then profit.
Gee... a virus that does things differently when in a debugger or emulator? Sounds an awful lot like a certain version of TurboTax about 2 years back... Do we have a prime suspect yet?
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Too much flash. Why go for Ebola when Mad Cow would be much more deadly and likely to be mistaken for Alzheimer's.
That's the problem with viruses these days, too much flash. Either it saturates a network spreading itself, or it quickly kills the host. Either way it brings way too much attention to itself to be truly scary.
How's this for a thought experiment:
Write a small, stealthy piece of code that would randomly change a single digit in a single number found in a random Word or Excel etc. file by some small random amount once a day. It propagates by attaching portions of itself to no more than 1 email message/irc chat/telnet/ftp/video conference or other communication application a day. Until all of the pieces are present in memory, all the code does is attach itself to some systems process and look for the rest of itself. When all of it has been received it adds itself to some innocuous systems level process and begins changing values and slowly sending itself out around the world.
So what good would that do? Well, it doesn't draw attention to itself, neither in its mode of operation nor the way it spreads itself. Therefore while it would propagate slowly, no one would ever be looking for it. Its payload could cause great amounts of harm without ever giving the user any reason to think that his computer might be infected. What happens if it's on a pharmacy/hospital computer and it changes the dose of a prescription? Most pharmacies these days use numbers as a prescription ID. 20034978 might be a beneficial prescription while 20034879 could be deadly. We lost a Mars probe because someone didn't convert between feet and meters correctly. What if they did and a virus like this deftly changed it behind their back? A million widgets at $1.24 each is a lot different than a million widgets at $1.98. Building a bridge with a support beam that's 84.539 meters long isn't the same as one of 84.639 meters. You see where this is going, don't you. Taken by themselves they look like simple user errors.
The computer, or user, is diagnosed with Alzheimer's when it's actually infected with Creutzfeldt-Jakob. Machines get rebuilt, people lose money, or get killed, and no one ever suspects that a very stealthy virus is the root cause of it all.
That, my friends, is what I would call truly scary.
someone247356
Just my $0.02 (Canadian, before taxes)