Can Reverse Engineering Help In Stopping Worms?

krozinov writes "The goal of this paper is to try to answer the following three questions: How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently? The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."

Exploit the worm's scanning engine to slow it

[ftzdomino]

Most worms these days scan IPs to find other exploitable hosts. I always thought we should look for exploits in the worm's scanning engine and then attempt to crash it by responding to its scanning requests with data which would do something like exploit a buffer overflow or off by one attack. These crashing response daemons would be located on systems which don't normally take requests of the service type the worm exploits. That way these would be very unlikely to affect anything legitimate. A worm whose scanning code has been crashed would be unlikely to infect other systems. It's also unlikely that crashing the scanning code would affect other services on the infected machine, limiting the legal liability of such a thing.

I've had some luck against people scanning web servers for formmail.pl scripts. My formmail.pl sends random data without any CR or LF. One script so far accepted 2gb of data before disconnecting.

Re:This isn't reverse engineering at all!

[Daengbo]

No. What you described is clean-room reverse engineering. Regular old run-of-the-mill reverse engineering means taking the "black box" and figuring out exactly what it does.