Slashdot Mirror
Can Reverse Engineering Help In Stopping Worms?
krozinov writes "The goal of this paper is to try to answer the following three questions:
How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently?
The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."
If I understood the article, they are trying to reverse-engineer worms to find out how they work. Why not just ask the numerous people who were black hats but now work for security firms?
**This begins my ever-changing sig
We need a -1 RTFA moderation option!
**This concludes my ever-changing sig
perhaps it would be more insightful to study WHY individuals expend so much time and energy writing viruses, worms, etc. in the first place.
in the future, i suspect this sort of malware will only get worse in terms of technical complexity, but the reason for their creation will probably be roughly the same.
my $0.02
It only helps if the people who write future variants are lazy...so I guess yes, it will help with there not being versions A-ZZZ of the bagle virus, but the serious ones are still going to be out there.
It already takes very little time for them to catch most variants these days. My software (AVG) is usually a day ahead of any of the major news organizations on having the fix for any new virus out there. The new, creative, and dangerous virus are the ones that worry me not the 200th version of netsky that shows up.
Perhaps the best way to control the spread of virus is to reverse engineer the OS/program that it is targeting...create fixes proactively and don't allow the exploits to be found in the first place. But there's probably a law or two out there that prohibits this kind of stuff, eh?
Virus are not protected by copyright, patents etc. ... that is what Compaq, Phoenix, and the others had to do with BIOSs and people emulating Windows, Unix etc had to do, otherwise, they would just be copying from the original and rewriting (trivial in comparison). Let's start using the appropriate terminology.
Reverse engineering is when you disassemble and recreate a the original source (which they did) -- the easy part. Then, the hard part is to create a set of specifications without referring to the original code or snippets, then handing that over the "wall" to someone who has not been exposed to any of the IP of the original and rewriting the code from scratch
It would seem a better defense to use whatever reverse engineering tools are available to fix the application. Things like Purify etc. are of some use for many common problems.
Adding additional/patched code onto a virus/worm sounds like dangerous business to me. Suppose you didn't do everything exactly right, you are now responsible for releasing a new virus into the wild.
To borrow the medical anology, pathology of a virus is important but this alone will not create a "cure". You may understand completely how a virus works but this alone does nothing to hamper it.
To even be more suscinct, if all it took to stop a virus was to reverse engineer it (ie. pathology), then we'd have things like AIDS, Herpes, etc. beat long ago. We clearly understand how these things spread yet infections still happen. Likewise, we already know a lot how virii spread on Windows and form best practices and yet comprimising still happens.
Back in the DOS days, the fact that code on a floppy header or something would get executed on insertion was a problem. Solution, don't bring that into memory for execution.
Word, at a point, by default, would execute macros on load of a document. Don't bring in code from a document and execute it.
In outlook, looking at email can cause JS to execute which may have it's own problems due to the implementation of js. Don't execute the JS.
Don't try and figure out how viruses work. Figure out what they exploit and close them up. Duh.
-
ping -f 255.255.255.255 # if only
Why reverse-engineer? Most malware is put together by script-kiddies from parts they get from elsewhere, and a lot of information is publicly available. If script-kiddies can get their hands on it, so can you.
Please correct me if I got my facts wrong.
Viruses and worms exist because security models and implementations have vulnerabilities.
You see so many Windows viruses and worms because Microsoft's security model has some very basic flaws. Instead of dealing with them, Microsoft relies upon 3rd party anti-virus companies to issue very specific "patches" for each virus that comes out.
I've got to be missing something here. Reverse engineering worm/virus code with tools like IDA Pro has been actively done by the anti-virus community for 17+ years. In November 1987 when a virus hit us at Lehigh University (where I worked at the time), a bunch of our students helped out by disassembling the virus and writing a piece of software to prevent it from spreading further.
And we didn't feel that this was even groundbreaking work back then...
What am I missing here?
Cheers,
Ken van Wyk
Simple answer: No.
The worm (or virus) is already out in the wild. Seeing how it works won't stop it.
But seeing what it exploits might.
There is a 99 percent chance that the worm/virus will exploit a known hole in the target application/operating system. Nowadays, these exploits have come much, much quicker than in the past. It used to be a few months before a hole was exploited; now it can be just a matter of hours.
What would impress me is if they reverse-engineer a worm/virus and find that it exploits a hole that was unknown beforehand. Now THAT would show some intelligence on the part of the author (if not any ethics). The 'kiddie-scripters' that mutate the source code from a worm/virus and just hex-edit their initials into it aren't very creative at all; just adolescant vandals who want to make their mark with their brethern vermin in the dark underworld of the Internet.
It's not that virus/worm authors are anything to be emulated. But you have to respect them. Like you have to respect terrorists. You may lothe them, but you have to respect them.
However, reverse-engineering IS useful. It is forensics. Someday, maybe soon, the forensics team will be able to catagorize and maybe even identify the author of a virus by the way it is written. Currently, it is helpful in finding those security holes, so they can notify the authors of the program being attacked.
Let's face it folks. Programming is still more of an art than a science. We imperfect human beings are trying to write perfect code, because the computer does exactly what it is told to do. We humans don't operate at that level very well. So we write imperfect code; something that can be eventually exploited given time and resources of anyone willing. It's gonna happen, whether your code comes from American, Indian, or Ukranian programmers. There are evil people out there, and they are going to check the doorknobs of every program to see if they can get it and cause trouble. Until someone comes up with a source-file hole checker, be prepared for more worms and virii.
OK, I'm done ranting.
It's well-known that a parasite that kills its host damages its own chances for survival or reproduction. A germ that doesn't make you sick enough to stay home from work leaves you in able condition to cough that germ all over your coworkers. One that kills you right off has a much decreased chance of spreading to those people ... that is, unless your town is in the habit of leaving corpses lying around.
If germs in corpses are able to infect the living, then there is much less "incentive" for germs to leave their hosts alive. If, on the other hand, your civilization isolates corpses, especially obviously infectious ones, then being in a corpse becomes a bad replication strategy for a germ.
This is clearly a way in which human cultural practices affect the evolutionary environment of infectious disease organisms. Under medieval conditions, the Black Plague was pretty darned optimal as a survival strategy. In isolated villages in Congo, the Ebola bacterium can leave messy, nasty corpses lying around and still survive. In places with more effective medical response, that would not be a very effective survival strategy.
What is the analogy to computer viruses? Right now, large portions of the Net have ridiculously crappy "medical response" to computers that are effectively "killed" (rendered useless) by virus and worm infection. Most commercial ISP networks are, to the unprotected Windows computer, the equivalent of rolling around naked in medical waste. This septic environment, in which dead and dying bodies are left to rot and spread their infections, just promote viruses that completely overwhelm the host.
Moreover, the average Windows system and user have the equivalent of terrible hygiene practices. Personal hygiene, in the real world, means that you avoid filthy things when you can; you wash when you've come into contact with them; you wash regularly even if you don't think you have filth on you; and you make sure not to mix filth with your food. Public hygiene means that your society keeps filth and corpses away from the food supply, and keeps rotting garbage off the open street. When these practices break down, you get plagues.
How to prevent this? First, some rudimentary public sanitation would help -- when a system is infected, it must be quarantined and prevented from infecting others. Second, computer users must learn to choose software which has good sanitary practices -- isolating untrusted data ("filth") from the system software ("food") and making sure to clean up those parts of the system that come into contact with the filth.
Can Windows do this? I don't know. The SP2 firewall settings are an improvement. However, it is still a system with terrible hygiene, since user software which handles filth routinely runs with administrator privileges that have access to the food supply. Ick.
"If Outlook, Mozilla Mail, and other email clients used encrypted contact lists, that would prevent a lot these worms from propagating."
The email program itself would need to decrypt the list in order to use it. Any 3rd party program which requested email services from the email client (think COM) would need to have an exposed API to call in order to request that service. A virus would only have to call that API to decrypt the list.
I think one reason why RCE is not done as fast as it potentially could might be that there are just fewer and fewer programmers out there who are able to quickly read, analyse and understand assembly code. Because they're simply not familiar enough with it.
;-p /trolling) So, yes: RCE is usually done from assembly code.
One obvious but irrefutable idea which arises from this article is that while we're almost all writing in hi-level languages nowadays, the final code is still in assembly. (Ok, that's not quite true for Java and the like, but let's focus on decent fully-compiled languages!
Now, how many IT schools are still providing decent assembly courses? The fact is, we don't need to understand assembly nowadays to become a programmer. Most of my co-workers just have no idea what assembly is, or even how a binary number looks like. Incidentally, it does sometimes show up in the way they're writing code in hi-level languages. For instance, they would write "x/4" when I would write "x>>2". But then again, who cares? Today's compilers should optimize that by themself, anyway. Ok, enough digression.
My point is that an efficient RCE requires very specific competences, including but not limited to a very good knowledge in assembly and some months -- or, better, years -- of practice. This last point is important. Assembly coding being wild by nature, I believe it requires much more practice to be able to detect common structures, common tricks, etc. If you've just learned a trick without using it, chances are that you will just miss it in a foreign piece of code. (A "trick" being produced by either a hardcore pirate still directly writing in asm or the compiler used by some script-kiddie.)
And finally, one reason why many white-hats among the virus-fighting-gang actually are former black-hats might be that not enough IT schools are providing a formation which is sucessfully matching the above criteria.
The problem with Slashdot memes is that YOU INSENSITIVE CLOD!