Slashdot Mirror


Can Reverse Engineering Help In Stopping Worms?

krozinov writes "The goal of this paper is to try to answer the following three questions: How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently? The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."

13 of 187 comments

  1. Reverse Reverse by teiresias · · Score: 4, Interesting

    What happens when they reverse engineer the reverse engineering you did on the virus they originally wrote? If we look into the biological field, fighting viruses only makes them stronger. Not that we shouldn't, but the better the anti-virus writer becomes, the better the virus writer already is.

    --
    -Teiresias
  2. Re:Waste of time by ajs · · Score: 5, Interesting

    No. Reverse engineering is key in understanding what virus writers are doing TODAY, and how the state of the art is progressing. It is hoped that you will conclude, "these are just a bunch of script kiddies who don't write unique and interesting code," but in reality disassembling this stuff reveals that the Virus/Worm writing market is getting quite sophisticated. Tracking the advances and giving that information to the white-hats is key.

  3. Well... by bmo · · Score: 3, Interesting

    Wouldn't the first goal be writing applications and operating systems to be more secure than they are now with ordinary common sense designs? You know, like not tying userland software to the OS in incestuous ways?

    Simple stuff like that...

    Get rid of IE and get rid of Outlook Express and you get rid of 90 percent of the threat.

    This would be a plug for Linux, as I use it daily, but there are things that Windows users can do to keep from being screwed every day. If only Mickeysoft helped their users rather than write crap software.

    --
    BMO

  4. E-Mail lists by Andrewkov · · Score: 2, Interesting

    One interesting point of the article -- the Bagle virus searches the hard drive for email addresses to send itself to. If Outlook, Mozilla Mail, and other email clients used encrypted contact lists, that would prevent a lot of these worms from propagating. I hope that's something that email client vendors will look at.

  5. Been done by wayne606 · · Score: 5, Interesting

    I remember when the RTM worm first appeared (was that '86?) and several Berkeley students stayed up all night decompiling it (this was VAX code so it was a bit more manageable). They posted the source code the next morning with bug fixes, including the critical one that turned the worm from a slow-moving annoyance to a rampaging network-killer...

  6. Used mostly DOS "debug" by Anonymous Coward · · Score: 1, Interesting

    10 or so years ago I used to do a lot of assy code and Reverse Engineering. Found ways around software keys, etc.

    At a company I was working for, somehow someone downloaded a boot-sector virus (BBSes; we didn't have Internet there yet). My biggest clue came when I tried to just read from a write-protected floppy, and I got "write-protect" errors!!

    I forget the virus's name, but it's still detected by current CA, Norton, etc.

    Getting to the point: I used "DOS's" "debug" and "Sourcer" to reverse engineer, mostly debug, in script mode, dumped out the reverse assy. listing, and just followed it.

    BEWARE! (1) The virus had several do nothing loops which would waste your time and drain your patience.

    (2) Early in execution the virus would trap INT1, the single-step interrupt, and point it wildly into RAM somewhere, thus crashing your machine when you try to single-step (Trace) in debug! Look at the listing first, find that INT1 trap, and jmp around it.

    (3) The thing that started me hating MS: the virus used many undocumented DOS calls!!!! The power to embed and replicate was in DOS!! I'm not kidding. I don't know why that functionality existed in DOS and I forget if it's in my "Undocumented DOS" book. I just remember being so disgusted (angry maybe) that I determined to move toward *nix, found Linux, and have been very happy ever since (except when people ask me to help with Windoze problems, but that's another issue...)

    Happy "Debugging"!!!!
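
The INT1 trap described in point (2) above is the kind of thing an analyst wants to locate in a listing before tracing. The following is an added example, not code from the comment or from the paper, of a small heuristic scanner for 16-bit DOS code: it looks for calls to the DOS Set Interrupt Vector service (INT 21h, AH=25h, AL=vector number) and reports which vector is being installed, flagging INT 1 (single-step) and INT 3 (breakpoint) as debugger-hostile so the analyst knows where to stop and step around. The byte blob, the lookback window and the "previous int 21h bounds the window" rule are assumptions of this example; the opcode encodings (B8 imm16 for mov ax, B4 imm8 for mov ah, B0 imm8 for mov al, CD 21 for int 21h) are standard x86.

```python
"""Heuristic scan of 16-bit DOS code for INT 21h/AH=25h (Set Interrupt Vector) calls.

Added example for illustration only; the sample bytes below are hand-assembled
and constructed for this demo, they are not taken from any real virus.
"""
from typing import List, Tuple

INT_21H = b"\xcd\x21"        # int 21h
MOV_AH_25 = b"\xb4\x25"      # mov ah, 25h  (Set Interrupt Vector)
OP_MOV_AX_IMM16 = 0xB8       # mov ax, imm16 (imm16 is little-endian: AL byte, then AH byte)
OP_MOV_AL_IMM8 = 0xB0        # mov al, imm8
LOOKBACK = 16                # assumed: how many bytes before int 21h we inspect

# Vectors whose replacement interferes with a debugger (standard x86 meaning).
DEBUGGER_VECTORS = {1: "INT 1 single-step (trace)", 3: "INT 3 breakpoint"}


def find_set_vector_calls(code: bytes, lookback: int = LOOKBACK) -> List[Tuple[int, int]]:
    """Return (offset_of_int21h, vector_number) for each suspected AH=25h call.

    The window searched before each int 21h never reaches back past the
    previous int 21h, so register loads for an earlier call are not reused.
    """
    hits: List[Tuple[int, int]] = []
    prev_end = 0
    pos = code.find(INT_21H)
    while pos != -1:
        window = code[max(prev_end, pos - lookback):pos]
        vector = None
        i = window.rfind(bytes([OP_MOV_AX_IMM16]))
        if i != -1 and i + 3 <= len(window) and window[i + 2] == 0x25:
            vector = window[i + 1]                      # mov ax, 25xxh -> AL = xx
        elif MOV_AH_25 in window:
            j = window.rfind(bytes([OP_MOV_AL_IMM8]))
            if j != -1 and j + 2 <= len(window):
                vector = window[j + 1]                  # mov ah,25h ; mov al, xx
        if vector is not None:
            hits.append((pos, vector))
        prev_end = pos + len(INT_21H)
        pos = code.find(INT_21H, prev_end)
    return hits


def debugger_hostile_hooks(code: bytes) -> List[Tuple[int, int, str]]:
    """Keep only vector installs that would break single-stepping or breakpoints."""
    return [(off, vec, DEBUGGER_VECTORS[vec])
            for off, vec in find_set_vector_calls(code)
            if vec in DEBUGGER_VECTORS]


# Constructed sample: three int 21h calls, two of which hook INT 1 and INT 3.
SAMPLE = (
    b"\x90\x90"              # 0: nop ; nop
    b"\xb8\x01\x25"          # 2: mov ax, 2501h   (AH=25h set vector, AL=01h -> INT 1)
    b"\xba\x00\x10"          # 5: mov dx, 1000h   (bogus handler address)
    b"\xcd\x21"              # 8: int 21h
    b"\xb4\x09"              # 10: mov ah, 09h    (print string, benign)
    b"\xba\x20\x01"          # 12: mov dx, 0120h
    b"\xcd\x21"              # 15: int 21h
    b"\xb4\x25"              # 17: mov ah, 25h
    b"\xb0\x03"              # 19: mov al, 03h    (-> INT 3)
    b"\xba\x00\x20"          # 21: mov dx, 2000h
    b"\xcd\x21"              # 24: int 21h
)

if __name__ == "__main__":
    for off, vec, why in debugger_hostile_hooks(SAMPLE):
        print(f"offset {off:#06x}: installs vector {vec:#04x} -> {why}; "
              f"set a breakpoint before it and jump past the call")
```

The scanner only recognises immediate register loads; code that computes AX or writes the interrupt vector table at 0000:0004 directly will not be caught, which is why the listing still has to be read by hand as the comment says.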

  7. Re:This isn't reverse engineering at all! by radish · · Score: 2, Interesting

    Of course a virus is protected by copyright. It's something that someone created, thus, unless they explicitly gave up their rights, it's fully protected.

    --
    One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  8. Linux has a few million users. by khasim · · Score: 3, Interesting

    Even by the most conservative count, Linux has a few million users. That's more than enough to support a virus population.

    Even the old MS-DOS machines had a viable virus population, although the viruses, for the most part, had to be hand transported via floppies to each machine.

    With network enabled machines, it should be even easier to spread viruses. And it is. Just look at all of the Windows viruses, worms and trojans that are out there.

    If Linux was as insecure as Windows, a simple link on /. would be enough to start a major Linux virus.

  9. Because most virii are already freely available... by ionrock · · Score: 1, Interesting

    I am not really sure of the need to reverse engineer virii because most are released to the public already. Talented virus writers seldom release their work into the wild but rather simply create them to reveal weaknesses in software. It is then a "script kiddie" who takes the code and releases it into the wild. As we all know this is often an effort to simply look cool. This being the case it might be more practical to just pay attention to security sites than to mess with virii that have already screwed people over. The paper does look interesting though.

  10. Re:Because most virii are already freely available by walt-sjc · · Score: 2, Interesting

    If you REALLY RTFA, this is about malware / viruses (there is no such word as virii) that require human intervention - the nasty stuff that idiots click on due to simplistic social engineering. This is not about malware that (for example) goes in via the RPC hole or other vulnerability.

    The POINT is that copycat versions may be caught by looking at how the original works and what it does in general rather than some kind of binary pattern match like the current generation of AV does.

    Many of the AV vendors claim that they have code that can detect mutated versions of malware, but in practice they never do.
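
To make the contrast in the two paragraphs above concrete, here is an added example (not code from the commenter, the paper or any AV product) that runs a byte-pattern signature and a behaviour profile over a constructed original sample and a constructed copycat. The "binaries", the event logs, the four behaviour names, the three-file threshold and the 0.75 similarity cut-off are all assumptions of this example; the point it demonstrates is that a variant with re-ordered strings defeats the byte signature while still matching the profile of what the original does.

```python
"""Signature match versus behaviour-profile match on constructed samples.

Added illustration only. The byte strings and event logs below are invented;
they are not the Beagle/Bagle worm and not any vendor's detection logic.
"""
import re
from typing import List, Set, Tuple

# --- Signature side: a fixed byte pattern sliced out of the "original" -----
ORIGINAL_BIN = b"\x4d\x5aMAILER\x00SMTP-CLIENT\x00SCANFILES\x00" + b"\x90" * 8
SIGNATURE = b"MAILER\x00SMTP-CLIENT"
# Copycat: same logic, strings renamed and re-ordered, so the pattern is gone.
VARIANT_BIN = b"\x4d\x5aM4ILER\x00SCANFILES\x00SMTP-CLIENT\x00" + b"\x90" * 8


def signature_match(binary: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain substring match, the style of check the comment calls 'binary pattern match'."""
    return signature in binary


# --- Behaviour side: events observed while running a sample (constructed) ---
ORIGINAL_EVENTS = [
    "CreateFile C:\\Docs\\a.htm READ",
    "CreateFile C:\\Docs\\b.txt READ",
    "CreateFile C:\\Docs\\c.wab READ",
    "CreateFile C:\\Windows\\System32\\updater.exe WRITE",
    "RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
    "Connect 203.0.113.7:25",
]
VARIANT_EVENTS = [                      # different names and addresses, same actions
    "CreateFile D:\\Mail\\inbox.dbx READ",
    "CreateFile D:\\Mail\\x.html READ",
    "CreateFile D:\\Mail\\y.txt READ",
    "CreateFile C:\\Windows\\helper.exe WRITE",
    "RegSetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper",
    "Connect 198.51.100.9:25",
]
BENIGN_EVENTS = [                       # an ordinary mail client sending one message
    "CreateFile C:\\Docs\\readme.txt READ",
    "Connect 203.0.113.20:25",
]

# Assumed behaviour rules. Matching is on what was done, not on how it was named.
ADDRESS_FILE = re.compile(r"^CreateFile (\S+)\.(htm|html|txt|wab|dbx) READ$", re.I)
DROP_EXE = re.compile(r"^CreateFile \S+\.exe WRITE$", re.I)
RUN_KEY = re.compile(r"^RegSetValue HK(LM|CU)\\.*\\CurrentVersion\\Run\\", re.I)
SMTP_CONNECT = re.compile(r"^Connect \S+:25$")
ADDRESS_FILE_THRESHOLD = 3              # reading one text file is not address harvesting

KNOWN_PROFILE: Set[str] = {
    "scans_disk_for_addresses", "drops_executable", "persists_at_startup", "outbound_smtp",
}


def behaviour_profile(events: List[str]) -> Set[str]:
    """Reduce an event log to the set of behaviours it exhibits."""
    profile: Set[str] = set()
    address_files = set()
    for line in events:
        m = ADDRESS_FILE.match(line)
        if m:
            address_files.add(m.group(1).lower())
        elif DROP_EXE.match(line):
            profile.add("drops_executable")
        elif RUN_KEY.match(line):
            profile.add("persists_at_startup")
        elif SMTP_CONNECT.match(line):
            profile.add("outbound_smtp")
    if len(address_files) >= ADDRESS_FILE_THRESHOLD:
        profile.add("scans_disk_for_addresses")
    return profile


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(events: List[str], known: Set[str] = KNOWN_PROFILE,
             threshold: float = 0.75) -> Tuple[float, bool]:
    """Similarity of the observed profile to the known one, and whether it is flagged."""
    score = jaccard(behaviour_profile(events), known)
    return score, score >= threshold


if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL_BIN))
    print("signature hits variant: ", signature_match(VARIANT_BIN))
    for name, ev in (("original", ORIGINAL_EVENTS), ("variant", VARIANT_EVENTS),
                     ("benign", BENIGN_EVENTS)):
        print(f"behaviour score {name}: {classify(ev)}")
```

The benign mail client shares one behaviour (an SMTP connection) with the profile and scores 0.25, which is why a threshold, not a single rule, decides; tuning that threshold against real benign traffic is the hard part the comment alludes to when it says vendors' mutation detection rarely works in practice.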

  11. Re:This is about programs, not biology. by BeerCat · · Score: 2, Interesting

    The script kiddies won't target Linux, since they don't have a clue about it.

    For now. I am reminded of Ken Macleod's "Cassini Division", where all electronic computer systems have been compromised by the "fast folk". An initial attempt to fight them, using a ship controlled by a different electronic system, succeeds for a bit, but is quickly also taken over, as the viruses mutate enough that even a different operating system is not effective protection.* So, for the system used by the "fast folk" read Windows (all varieties), and for the "other" system read Linux / OS X (IIRC they thought they were safe because the hardware was different)

    *They succeeded by using mechanical computers, akin to those in Gibson's "The Difference Engine" (a novel that assumed that Babbage's difference engine was not only built, but mass produced)

    --
    "She's furniture with a pulse"

  12. Re:Well by jsitke · · Score: 2, Interesting

    I was always under the impression that viruses are commonly reverse engineered. Doesn't sound like news to me.

  13. Re:Waste of time by bdash · · Score: 2, Interesting

    Give it up, if you have something mission critical. Don't use windows or internet explorer. Use linux and firefox.

    If it's mission critical why the hell are you running a web browser on it anyway?