Can Reverse Engineering Help In Stopping Worms?
krozinov writes "The goal of this paper is to try to answer the following three questions:
How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently?
The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."
They'd never be able to; to come out and say "you reverse engineered my virus" would be a confession of having written the virus in the first place, and would probably result in their prosecution. If I were a virus author, I'd keep my head down whilst inwardly laughing, not pop out and say 'I did it'.
And tomorrow the stock exchange will be the human race
3 points:
- Knowing how it technically works doesn't disable the social engineering component; very trivial worms were very successful just for that.
- There are a lot of worms that have the source available in a way or another, from the first ILoveYou worm (well, most .vbs ones are that way) to the latest Bagle or Netsky variants, that even have the source attached.
- Some worms also are maybe simple exploits of software vulnerabilities or weaknesses (mostly MS.*, but there are some for other developers and operating systems). What must be understood there is not the worm source, but what it exploits and why that software is used.
Most worms these days scan IPs to find other exploitable hosts. I always thought we should look for exploits in the worm's scanning engine and then attempt to crash it by responding to its scanning requests with data which would do something like exploit a buffer overflow or off by one attack. These crashing response daemons would be located on systems which don't normally take requests of the service type the worm exploits. That way these would be very unlikely to affect anything legitimate. A worm whose scanning code has been crashed would be unlikely to infect other systems. It's also unlikely that crashing the scanning code would affect other services on the infected machine, limiting the legal liability of such a thing.
I've had some luck against people scanning web servers for formmail.pl scripts. My formmail.pl sends random data without any CR or LF. One script so far accepted 2gb of data before disconnecting.
No. What you described is clean-room reverse engineering. Regular old run-of-the-mill reverse engineering means taking the "black box" and figuring out exactly what it does.
Put identity in the browser.
It's useful to compare the way in which viruses infect both cells and operating systems.
Viruses find a way into a cell by penetrating the cell membranes and getting as far as the production machinery of the cell. One way of achieving this is by having a protein coating that allows the virus to get through cell walls. Other ways include slipping in through the receptors on the cell surface.
With computers, these are the equivalent of Trojan horse and buffer overflow attacks. A virus doesn't have to get as far as the cell nucleus or kernel. It just has to get as far as something that allows the virus to make copies of itself.
The immune system is our equivalent of anti-virus protection, but even in our system, it is possible for it to create false positives (i.e. autoimmune diseases). It works by detecting protein fragments that are not normally found in the body.
With both systems (biological and digital), the battle is reduced down to detecting particular combinations of sequences (protein or byte) that never change. And like AIDS, some computer viruses are able to restructure themselves to avoid detection.
The main ways of preventing virus infections are well known:
1. Have up-to-date anti-virus software.
2. Avoid the use of scripts that can be downloaded and executed arbitrarily, and which have full file and network access.
3. Unfortunately, the use of plugins can allow this to happen. Simply by having a web browser that allows you to download any particular file type and a desktop which allows you to automatically run an application associated with that file type, the responsibility for your system security is no longer owned by a single process.
4. Avoid the use of compressed data formats that allow ambiguous decompression sizes (e.g. having a local buffer preallocated to a particular size, assuming that no run-length sequence will ever exceed this size), thus allowing stack overrun attacks. This includes audio, video, image and volume data. Fortunately, this is fixed by the no-execute bit.
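The fixed-buffer decompression pattern described in the last list item above, as an added example that is not part of the thread: a hypothetical run-length decoder (assumed format: (count, byte) pairs) that checks each run against the caller's buffer capacity before writing, so a run length taken from the input cannot overrun the buffer the way the comment describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical RLE format: (count, byte) pairs, each expanding to `count`
 * copies of `byte`. Decoding never writes outside out[0..out_cap). */
#define RLE_OK 0
#define RLE_ERR_TRUNCATED -1   /* trailing count with no value byte */
#define RLE_ERR_OVERFLOW  -2   /* expansion would exceed out_cap */

int rle_decode(const uint8_t *in, size_t in_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0;
    if (in_len % 2 != 0)
        return RLE_ERR_TRUNCATED;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];
        /* The check the vulnerable pattern omits: the run length comes from
         * the input, so compare it with the remaining space before writing.
         * Subtracting avoids the wrap-around a `pos + count > out_cap` test
         * could suffer with large sizes. */
        if (count > out_cap - pos)
            return RLE_ERR_OVERFLOW;
        for (size_t k = 0; k < count; k++)
            out[pos++] = value;
    }
    *out_len = pos;
    return RLE_OK;
}

int main(void)
{
    /* Constructed inputs: a benign stream, and one run that claims 200 bytes
     * against a 16-byte buffer (the case an unchecked decoder overruns). */
    const uint8_t ok[] = {3, 'a', 2, 'b'};
    const uint8_t bad[] = {200, 'x'};
    uint8_t buf[16];
    size_t n = 0;
    int rc = rle_decode(ok, sizeof ok, buf, sizeof buf, &n);
    printf("ok:  status %d, %zu bytes\n", rc, n);
    rc = rle_decode(bad, sizeof bad, buf, sizeof buf, &n);
    printf("bad: status %d\n", rc);
    return 0;
}
```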
The term "reverse engineering" simply refers to studying how a product works, usually to learn more information about the internal details than is published by the manufacturer. That's all.
Reverse engineering is NOT the subsequent creation of another product that utilizes this information. The term for that is plain, simple engineering (without the "reverse" prepended).
The discovery of unpublished information is still reverse engineering, regardless of what is done with that information. It does not matter if it is forgotten, used by the same people, or "thrown over the wall" as in the famous Compaq case of creating a workalike PC bios.
There is also a common misconception that reverse engineering, to be "legal", must necessarily be done by different people than those who utilize that information to do regular engineering (usually to produce an interoperable product). Just because Compaq used an ultra-conservative approach, intended to make it easier to defend themselves against IBM, does not mean that a less conservative approach is illegal. Ultimately, what is legal vs. unlawful is decided in court. There is a lot of case law where reverse engineering was considered lawful WITHOUT the "thrown over the wall" approach that Compaq used.