Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can Reverse Engineering Help In Stopping Worms?

Posted by Hemos on from the yes-but-to-what-extent dept.

krozinov writes "The goal of this paper is to try to answer the following three questions: How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently? The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."

4 of 187 comments (clear)

  1. Re:What about worm EULAs? by oberondarksoul · · Score: 2, Informative

    They'd never be able to; to come out and say "you reverse engineered my virus" would be a confession of having written the virus in the first place, and would probably result in their prosecution. If I were a virus author, I'd keep my head down whilst inwardly laughing, not pop out and say 'I did it'.

    --
    And tomorrow the stock exchange will be the human race
  2. Little help, but help anyway... by gmuslera · · Score: 2, Informative

    3 points:
    - knowing how it technically works dont disable the social engineering component, very trivial worms were very sucessful just for that.
    - there are a lot of worms that have the source available in a way or another, from the first ILoveYou worm (well, most .vbs ones are that way) to latests Bagle or Netsky variants, that even have the source attached.
    - Some worms also are maybe simple exploits of software vulnerabilities or weakeness (mostly MS.*, but there are some for other developers and operating systems). What must be understood there is not the worm source, but what it exploit and why that software is used.

  3. Exploit the worm's scanning engine to slow it by ftzdomino · · Score: 4, Informative

    Most worms these days scan IPs to find other exploitable hosts. I always thought we should look for exploits in the worm's scanning engine and then attempt to crash it by responding to its scanning requests with data which would do something like exploit a buffer overflow or off by one attack. These crashing response daemons would be located on systems which don't normally take requests of the service type the worm exploits. That way these would be very unlikely to affect anything legitimate. A worm whose scanning code has been crashed would be unlikely to infect other systems. It's also unlikely that crashing the scanning code would affect other services on the infected machine, limiting the legal liability of such a thing.

    I've had some luck against people scanning web servers for formmail.pl scripts. My formmail.pl sends random data without any CR or LF. One script so far accepted 2gb of data before disconnecting.

  4. Re:This isn't reverse engineering at all! by Daengbo · · Score: 4, Informative

    No. What you described is clean-room reverse engineering. Regular old run-of-the-mill reverse engineering means taking the "black box" and figuring out exactly what it does.

    --
    Put identity in the browser.