'Stealth' Worm Hinders Sandbox Analysis

Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perpective.

Strange

[Metteyya]

I've always heard that it takes a very good programmer to write effective and powerful virus.

Re:Strange

[cuzality]

"The greatest trick the Devil ever pulled was convincing the world he didn't exist." --Verbal Kint

And the greatest trick this guy pulled is making himself look like an ID10T...

Re:Strange

The creator of the Melissa virus left his email address in a comment. What sort of very good programmer uses comments?!?

The guy who framed that poor patsy for creating Melissa, that's who.

Mailers?

[Deflagro]

Now just imagine if someone wanted to actually be malicious with this stuff..
I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
I think we're just lucky these writers don't do more with the holes Microsoft gives them.

Re:Mailers?

[Tyler+Eaves]

The thing with destructive viruses is that they don't tend to spread very far, since by definition they take their host (and thus themselves) out after a few minutes or hours, where as something like Code Red, Nimda, etc,etc, can go for years without being removed.

Re:Mailers?

[ites]

Read about the mechanics of disease spread with respect to viruses and you'll see why this does not happen.

Highly damaging viruses don't spread far. Today's virus/work/trojan writers want to capture large numbers of zombie PCs and resell these networks. They aim for control, not damage. It's about money, not vandalism.

Re:Mailers?

[Lumpy]

but creating an ebola computer virus would not be hard.

code red for example if it had a timed payload that X minutes after infection kill the machine and that number of minutes was 3 days in the future it would be able to widely spread and STILL cause the death of the host machines.

the scaries is the stealth virus that spreads slowly, is silent and act's mostly benign for 90 to 120 days then simply kicks in for a full boat infection/attack+death 4 hours after final activation.

by the time it was discovered most people would be helpless.

Re:Mailers?

[tmasssey]

You really don't think something like that would be noticed?

Let's imagine a *really* slowly reproducing virus: one that attempts to infect just a single computer a day. Now, you *could* go even slower, but 1 a day is pretty slow, wouldn't you agree?

Now, on day 1, there might be only a single packet sent by a single computer. I don't think anyone is going to notice that. But at some point, a large-enough collection of computers will send out these requests, and it will get noticed.

The question is, how many infected computers do you need before your attack is detected? If it's something like Code Red, a few thousand will get noticed: they spew out too many requests. One a day? It's harder to say. Will someone notice when there are 100,000 attacks a day? 1,000,000? But how long will it take to *get* to 100,000 infected computers? How many attacks will fail? Odds are, most of them will fail: not every IP has an attackable computer...

In other words, you could easily create a silent attack that doesn't kill anyone. Or a very noisy attack that also kills no one because it's stopped in time. Can you create a somewhat silent attack that infects a large number of people before they find out? Very tricky. It's an almost impossible balance: crash too soon and it doesn't really do anything, wait too long and it'll get caught.

To me, the better attack would be a *lightning* quick attack. Something like Slammer. According to this, Slammer was able to attack every vulnerable computer available in 20 minutes. I'm not sure how much I believe this, but I've heard that 15 Million computers were infected in that same 20 minutes. Is 15 Million dead computers enough for you?

Create a virus that spreads for an hour. Infect 15 million computers. Kill them. Good luck stopping that. The best part is, if you do your job correctly, either build a virus that only remains in memory or have it destroy the local copy of the virus in the process of killing the computer. Not only will the computers be dead, but it'll be *real* hard to figure out what hit you...

Now that I write that, that is a little scary...

Re:Mailers?

[mrogers]

This paper predicts that a fast-scanning Nimda-like worm launched against a small "hit list" of known vulnerable machines could infect millions of machines in minutes - too fast for any human-mediated response. Such a worm could reach saturation point and begin destroying its hosts before most admins had even noticed what was happening. Even those who noticed would not have time to study the worm's behaviour, let alone analyze its code. Stealth code would therefore be unnecessary, except to make it more difficult for subsequent investigations to identify the source of the worm.

The hit list technique speeds up the initial phase of infection, which is normally slow and vulnerable to isolated failures. The list is compiled ahead of time by normal vulnerability scanning; the machines on the list are simultaneously infected to start the attack. Each copy of the worm then scans for and infects further vulnerable machines as quickly as possible, dividing the address space at each hop to avoid unnecessary overlaps (some redundancy might be desirable, but completely random scanning would be inefficient). The list can be divided in a topology-aware way to reduce congestion that might otherwise limit the rate of infection.

Sloppy or devious?

[hcdejong]

From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.

Easy way to be safe

[tomhudson]

So all you have to do to be safe is make sure you've got a debugger running, and the virus kills itself. I guess that adds new meaning to the term "de-bugger" :-)

The 2nd oldest trick in the book

[magefile]

"You're right, it's pure genius - they couldn't guess we'd do that, because only a frickin' idiot would do that!" - paraphrased from (approximately) 3.14 million movies.

Makes for better AV companies

[StickMang]

Maybe this will teach them how to teach outside the (sand)box! Maybe they can harness their synergy with this new paridigm shift into sandbox free thinking.

Ahh, its 1999 all over again :)

Re:Makes for better AV companies

[DA-MAN]

Score: +5 Buzzwords!

"So sloppy it's devious"?

[ites]

One or the other... devious or sloppy... but surely not both.

Maybe it's just a sign that malware is evolving along the same rules as organic life: accidental errors get selected for survival value and passed along to following generations.

Malware that detects and disables attempts to reverse engineer it... ?

Or perhaps we can read the anti-virus researcher's comments in a totally different light: /tinfoil on

"Most viruses [which we develop ourselves to stimulate sale of our products and services] have a function to let us easily identify and sandbox them. In this example, the function is broken. So sloppy it's devious [and perhaps intended as a warning that we're not paying our freelance coders enough]." /tinfoil off

Nah.

Re:"So sloppy it's devious"?

[Gigahertz]

Thats one way of looking at it... if you like looking at it the wrong way.

It was intentional, there is no question of this. It's funny that they're calling the code sloppy, and I wish I had a copy of the virus to see if I can figure out why they're saying this.... but its obviously intentional, but barely genious....

Too much is being made of it... It's not a new technique outside of viruses, it's been mentioned further up the page, and personally I've dealt with programs that do the same thing, and effort always wins. You find the test traps, and you patch around them. It's not even any harder for them to detect, or add signatures in their virus definitions for, it's only more difficult to analyze what it does, but we know its a virus... so this is a non-news waste of time, the attention brought to it assures that more viruses will come equipped with a debugger check, and likely some virus writer will take the extra effort to make the code SO complicated/long/difficult to trace through (this may be the case with them calling the code sloppy) and a lot of extra $$ will be wasted and probably find its way into the cost of anti-virus software subscriptions....

It's not as if virus writers are the anti-virus writers bread and butter.... oh wait... yeah they are.

Not a worm

[goldspider]

"...and it still requires user intervention to infect."

Then it's not a worm.

Re:Script kiddies becoming worse?

[irokitt]

Sounds like a strip kiddy tried to write a virus

Strippers writing viruses? Sounds like a Fox special. And, being your typical Slashdotter without a girlfriend, I have to ask, do you have pictures?

/grammar nazi

How does it do that?

[GillBates0]

Maybe this is a trivial question for l33t haxx0rz, but how would a program figure out it was running in a debugger? The register article doesn't explain this. Are the checks limited to a set of debuggers, which probably set a certain environment/variables which can be probed?

One possible method I would probably use (off the top of my head) is to find out the time elapsed between executing two instructions - the time would be fairly high if the code were being singlestepped to.

Re:How does it do that?

[JamesO]

You hook the int 2 (?) and int 3 during the run, so your code gets called before the debugger's breakpoint handler, amongst other techniques.

Have a look at this paper and be enlightened :)

Re:How does it do that?

[g0bshiTe]

The virus most likely makes use of the Windows API, in such a case the virus would just have to keep an eye on the memory, when it notices a BREAKPOINT set on a certain API call (which is usually never encountered on a normal computer, unless reversing) the program exits.

There are tons of CRACKME's (small program written solely for people to crack or bypass) I have seen which look for debuggers and will exit if encountered.

Re:How does it do that?

[ryants]

There are a couple of ways. Here's one that I took from "Building Secure Software". Debuggers tend to reset the processor instruction cache on every operation. Normally this doesn't happen except when a jump happens. So you can write code that changes instructions that should definitely be in the cache. If we're not running under the debugger, this has no effect, because the change doesn't cause the cache to refresh. Under a debugger, things can break:

1 cli

2 jmp lbl1

lbl1:
3 mov bx, offset lbl2

4 move byte ptr cs:[bx], 0C3h

lbl2:
5 nop

6 sti

; Continue normal operations here

Commentary:

1 Clear interrupt bit, so that code is sure to stay in the cache the entire time

2 Causes CPU I cache to reload

3 Store addr of lbl2

4 Store a RET over the nop at lbl2 (0C3h = RET)

5 nop to be clobbered only if under debugger

6 Remove interrupt bit

Of course you need to be a bit stealthier than this, but this is the basic idea.

Re:How does it do that?

[StillAnonymous]

There are literally dozens of ways to check for the presence of debuggers. Some people have already mentioned some here. Here's a few more:

Int68:

MOV AH, 43h
INT 68h
CMP AX, 0F386h
JZ FoundDebugger

Check for SoftIce(most common/powerful debugger) by using the CreateFileA API to check for the SICE VXDs.

And an interesting one found in the SafeDisc protection where(if I recall) they use a checksum of the GDT to decrypt a section of code. The debugger modifies this table and will cause the code to crash.

Ironic quote

[mabu]

"I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.

Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"

"HER" code?

[md358]

C'mon, *her* code? Isn't that a bit gratuitous? I mean, we're talking about code here, not a delicious turkey dinner.

Sound familiar?

[captnjameskirk]

1) Contains a "bug", well let's just call it a "feature". 2) Sloppy code, but Hey! it works. Sort of. 3) Run on Windows only. Sounds like every piece of comercial software sold by Microsoft to me.

More damaging.

[khasim]

If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.

Damaging the computer itself is too easy to catch and causes people to take it seriously.

Changing data has more implications for CORPORATIONS and would take longer to detect.

Re:More damaging.

This comment should be Score:10

It has been awhile since a virus actually *did* something real bad to screw a user.

First Gen virii: Wipe hard drives, boot sectors, etc. For the most part, I haven't scene these for awhile...

Second Gen virii: Zombie annoying spam/dos crap that is annoyingly hard to remove. Slows the computer down but most clueless users probably don't even notice until one of us comes to clean off the 200 or so spyware/spam virus crap they have on thier machine...)

Next-gen: Random sentence inclusion into all word docs, change #'s in excel sheets, alter contents of address books, random data into access/sql databases.

That sh*t would be brutal to deal with.

Its one thing to know you have to restore from backups after a harddrive is wiped, or you just can't seem to shake the virus.

Its a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?

Or even more fun, long documents you produce for meetings or public distribution. Embeded within are names harvested from your address book appended with a few choices words?

"Our gross margins have increased by 12% this last quarter and Larry Teasdale is teh suck."

Re:More damaging.

[nine-times]

'Next-gen: Random sentence inclusion into all word docs, change #'s in excel sheets, alter contents of address books, random data into access/sql databases.

That sh*t would be brutal to deal with.

Its one thing to know you have to restore from backups after a harddrive is wiped, or you just can't seem to shake the virus.

Its a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?'

You're absolutely right, and I bet most people aren't taking what you're saying seriously enough. Do you know how many businesses keep track of things, even financial data, in just Excel spreadsheets? I mean, NO real paper trail, and even nothing clear to check the numbers against?

Even when you're talking about corrupting data, it's one thing to delete a random letter from a word document- a spell-check will probably catch it. If a virus added a particular sentence to word documents (the same sentence each time), you can at least find out if the document has been corrupted by searching for that sentence. Even random sentences, which would be much harder to deal with, would be noticable when someone goes to read it. However, shifting individual numbers in an Excel document 10%, up or down, randomly? That could easily go unnoticed for a long time, and even when you go to the backups, how do you know you have retrieved an old enough version to be an uncorrupted version?

The idea kind of reminds me of the Office Space/Superman III scheme of writing a virus that rounds down to the nearest cent and sends the excess to a bank account.

Elementary, my dear Watson...

[bfg9000]

This piece of code is so sloppy, it's devious

It shouldn't be hard to find the author, he obviously works at Microsoft.

Code sloppy?

[g0bshiTe]

My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.

Because hey no coder legit or illicit wants to be thought of as a sloppy coder.

obscurity

[double_ooh]

The code is so bad that they can't read it, so it's insecurity through obscurity?

Re:Hex it?

[Jonboy+X]

Can't they break it down with a hex editor and see what's under the hood?

Not really. It's kinda like looking at that blueprints to a race car. Even if you know every little bit of the thing, you don't really understand what it does or how it does it until you can take it out on the test track.

Besides, looking at compiled code in a hex editor is kinda like looking at a jpeg in a hex editor. Maybe you see some interesting patterns, but it's tough to get the big picture.

BTW, yes, it is bad analogy week here on Slashdot. Didn't you get the memo?

Re:Hex it?

Apparently they want to run it in one of the "modern" debuggers. If the program manages to run through a few very simple tests, it'll detect it's in a debugger environment and can easily self-destruct.

I did things like this years ago when fiddling around with a copy protection scheme. (Remember those days?) Trivial, really .. but they're right: I don't think things like that have been done in a while. Some vandal's been playing with the Way-Back Machine :-)

If you really step through the code with a debugger, you can see the tests and traps (if you know what to look for) and avoid them. But that's tedious, to say the least.

Obviously somebody at the virus scanner companies couldn't be bothered, and was impressed with or surprised by a lousy "debugger bit test".

Finally!

[teamhasnoi]

Those DMCA violating virus 'terrorists' will be prevented from infringing the copyrights of the poor, disadvantaged virus writers.

This content author has villified every artist who has ever had their work reverse engineered.

This is a great day for copyright, authors, and those downtrodden by IP terrorists!

Re:Finally!

[Kissing+Crimson]

Mod parent up! This raises an excellent point: don't the AV companies daily violate the DMCA by reverse engineering virus code? If not, how long until somebody puts some kind of copy protection system into a virus and then sues all the AV companies? (I know, copy protection in a virus would be a bit odd, but hey...)

Clarification, there are 2 issues

[ItWasThem]

Hopefully this clears up the "Is it sloppy or is it devious?" posts. It is both.

Number 1 (from the article):
Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers.
So that part is intentional.

A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox". A sandbox is a virtual environment commonly used by AV researchers to look at the behaviour of malware in a safe environment.

So what I think they are saying is that even with it's ability to detect if it's being run in debug mode they would still normally be able to run it in a sandbox. Unfortunately (for the AV companies) there's the second thing. The seemingly unintentional bug that prevents it from working in a virtual environment.

Re:Clarification, there are 2 issues

[mikael]

The Good news: The virus writer has released a patch that fixes these two bugs

The Bad news: You can't download these patches, you have to wait for them to self-install onto your system.

Re:Hex it?

[HappyClown]

There's plenty of ways they'll be able to analyse it eventually, the problem is just that the tools they normally use trip up so they'll have to resort to more painful approaches and it'll take them a lot longer to figure out exactly what is going on.

Anti-debugging techniques have been in use for a long time. As an example, I remember attempting to reverse engineer some (ahem) commercial code about 15 years ago on x86 (MS-DOS). The first problem I hit was they'd replaced the keyboard interrupt (INT 9) with their own handler, so my debugger no longer responded to keypresses. After I worked around that I then discovered that they'd used the breakpoint interrupt (INT 3) to implement some critical functionality. Normal users would never even know, but as soon as you're in a debugging environment everything falls apart.

To be fair, them replacing the keyboard handler wasn't an anti-debugging feature but it still had the same effect since it still rendered my debugger impotent. It sounds like this virus has a similar effect.

Of course it wasn't long before the debuggers started to provide ways to overcome these types of problems, but it was always a constant game of leapfrog and I can't imagine much has changed.

It's part of the API - From MSDN

[soundman32]

IsDebuggerPresent
The IsDebuggerPresent function indicates whether the calling process is running under the context of a debugger.
This function is exported from KERNEL32.DLL.
BOOL IsDebuggerPresent(VOID)
Parameters This function has no parameters. Return Value If the current process is running in the context of a debugger, the return value is nonzero. If the current process is not running in the context of a debugger, the return value is zero. Remarks This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior. For example, an application could provide additional information using the OutputDebugString function if it is being debugged.

Stealth Worm???

[pandrijeczko]

Isn't a "stealth worm" that requires "user intervention" a paradox?

Custom VMWare environment or hardware?

[swb]

I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.

I'd think this would give them greater granularity and more control over the entire environment than trying to just run in it in a standard debugger.

Re:Hex it?

[micromoog]

It's hard, but not impossible. To go with your first analogy, a skilled auto engineer WOULD be able to tell you many things about the real-world performance, based only on reading the blueprint.

Unless the writer has gone to great lengths to obfuscate, a disassembler combined with a skilled x86 assembly programmer should be able to tell you all about what it does. Maybe the AV companies don't have those skills . . . methinks they should.

DCMA Violation!

Hey... If they reverse engineer this thing, won't they be violating the DCMA? I say the virus writer should sue all the anti-virus companies.

By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti virus software is also violating the DCMA, I say fire off a few hundred law suits and see what happens.

(Maybe with thinking like this RIAA will hire me.) ;-)

How does this equate to sloppy?

I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.

I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?

In fact, if it is so difficult for antivirus companeis to debug this, when why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?

EULA

[Fuzzums]

A viruswriter should add an EULA to his/her virus.

- You may execute this virus 'as is'.

- We accept no claims of any kind of any or all damage done by this piece of software.

- You are responsible for the consequences of executing this software.

- You are NOT allowed to disassemble the code (DCMA).

- etc, etc..

Dear me, how remarkably fucking stupid.

[devphil]

This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior.

We call those heisenbugs and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.

"I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"

Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...

I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)

Re:Okay...?

[ePhil_One]

viruses embed themselves in other programs.

You're right.

This program doesn't infect other programs, it just runs as a separate program placed in your Windows\system directory.

Wouldn't that qualify it as a "Trojan Horse" then? Generally a Trojan Horse is a program that tricks the user into running by appearing as something it is not (hence the double extension trick). Of course the classic Trojan Horse appears to be one thing (like a weather program, or an clock syncronizer) but while it does that thing it secretly does something else, like install keyloggers, adware, etc.

Admittedly, the AV makers have been trying to pollute the definitions, calling these e-mail Trojans "worms" in a PC attempt to avoid assigning blame to the users, but I've always felt these three definitions to be pretty clear and well defined.

Re:Hex it?

[frenetic3]

I'm guessing it's a standalone EXE, and it would require some advanced knowledge, but you could create the process with the CREATE_SUSPENDED flag and then inject code to replace in the import table any API calls the virus uses to detect the debugging environment (I'm guessing the one they use is the simple IsDebuggerPresent() Win32 API call)

This used to be a pretty heinous hack but seems well documented now; googling for the keywords:

SetThreadContext ebp eip CreateProcess CREATE_SUSPENDED WriteProcessMemory

will get you some interesting results and tutorials.

* http://codeproject.com/system/api_spying_hack.asp
* http://tochna.technion.ac.il/project/Win32APIInter ceptor/doc/Win32APIInterceptorNew.pdf

Pretty cool shit.. anyway, the point is after you put a dummy IsDebuggerPresent that always returns false, you can step through it normally.

Or, heh, a method that would probably be a million times easier would to simply step through the code until it calls IsDebuggerPresent and change the value of EAX to 0 after it returns (since the return value of functions is placed in EAX after return).

Anyway, just musing and putting up those links because I learned a lot about how Windows internals work through playing with things like that and figured others might want to learn.

-fren

I knew it!

[Stevyn]

There is still a way to blame microsoft for this!!! I was getting a little worried there.

Nothing new

Viruses which could detect that they are being run in a debugger were common 10 years ago when I used to work for an anti-virus company. For example, One-Half is such a virus.

Bug/sandbox?

[julesh]

A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"

Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.

Sloppy code?

[wvitXpert]

Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.

Hmmm... let me guess, the virus is written in such sloppy code that it just blends right in with the Windows code? ;^)

Re:so is this what MSFT does?

[maximilln]

The parent is horribly bipolar.

I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist

Actually an apologist wouldn't be spouting about the BMP exploit. Rather an apologist would be trying to dismiss it as you do in here:

Is there any documented evidence that this has been used in *any* virus/worm/hacks?

There. Now you're being the closed source apologist by saying,"We're sorry about the BMP thing but does it really make a difference?" Since it's been pointed out that the BMP thing was only present in older editions of MSIE (5.5?) it's pretty plausible that the forensic trail of tracking any exploits is long covered, formatted, and reinstalled.

And has there actually been more than one bug found

The security industry has its hands full simply processing data on exploits which are submitted. The people who have time to go over that released source code routine by routine, structure by structure, loop by loop, aren't going to tell you about it first. If they're nefarious they're not telling anyone.

Additionally, did you read this yesterday? Did you try contacting the authors who published those vulnerabilities? It's quite possible that they came onto those vulns by looking at the source code.

So sit down and...

If the exploit was evident by looking at the code, the code writer would probably fix it

That's a bit shallow minded. Not every programmer who works for MS was a 4.0 overachiever who visualized code loops and logic flow in real time. Very few middle managers were 4.0 overachievers--many got to their position because they were better at social networking than coding networks. By the time the code gets to the upper management it's not being audited line by line. Even 4.0 students aren't always guaranteed overachievers with amazing perceptual abilities. Many 4.0 students know how to stand in line and keep their mouths shut. That's the most assured way to a 4.0.

Every single exploit is discovered by accident

I would agree that the majority of exploits are discovered by someone noticing erratic behavior in a program and taking the initiative to dig in deeper. However I know a number of people who take great delight in poring over changelogs and then going back to audit source code when "Bug in <sourcefile.c> fixed." The changelog may have been a roadsign but when sourcefile.c is 1000+ lines it's still a testament to skill to find the bug which was fixed.

not

[Moderation+abuser]

Hmm, scan word docs looking for legalese adding and removing the word "not" at appropriate points.

should/will/must should/will/must not

Fairly simple but that alone could cause some interesting effects on contracts etc. I'm sure there are other simple and more effective ways of changing the meaning of sentences which would require the re-reading of them by the authors to guarantee that the meaning is correct.

You're assuming people would fix it...

[rsilvergun]

most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person call tech support for other problems either. The key is being quite and unintrusive right up till the end, then you lay waste to the computer.

Frankly, I'm with the first poster. I good 'ole fashion hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everthing on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.

Remember the old days

[Eudial]

Remember the old days of self modifying assembly code?

(ie:
instruction purpose
1-20 alter instruction 21-40
21-40 alter instruction 1-20, jump to 1
1-20 do something
21-40 alter 50-70 and 1-20
50-70 do something, jump to 1-20)

All alteration naturally is done in the most tricky of ways.

Ah, those were the days.

vindication

[sacrilicious]

the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.

See, this is what I've been trying to tell my boss: I'm not writing sloppy code, I'm trying to prevent people from reverse engineering our product!

We visionaries are always persecuted.