Can Reverse Engineering Help In Stopping Worms?
krozinov writes "The goal of this paper is to try to answer the following three questions:
How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently?
The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."
What happens when they reverse engineer the reverse engineering you did on the virus they originally wrote? If we look into the biological field, fighting viruses only makes them stronger. Not that we shouldn't, but the better the anti-virus writer becomes, the better the virus writer already is.
-Teiresias
No. Reverse engineering is key in understanding what virus writers are doing TODAY, and how the state of the art is progressing. It is hoped that you will conclude, "these are just a bunch of script kiddies who don't write unique and interesting code," but in reality disassembling this stuff reveals that the Virus/Worm writing market is getting quite sophisticated. Tracking the advances and giving that information to the white-hats is key.
Wouldn't the first goal be writing applications and operating systems to be more secure than they are now with ordinary common sense designs? You know, like not tying userland software to the OS in incestuous ways?
Simple stuff like that...
Get rid of IE and get rid of Outlook Express and you get rid of 90 percent of the threat.
This would be a plug for Linux, as I use it daily, but there are things that Windows users can do to keep from being screwed every day. If only Mickeysoft helped their users rather than write crap software.
--
BMO
I remember when the RTM worm first appeared (was that '86?) and several Berkeley students stayed up all night decompiling it (this was VAX code so it was a bit more manageable). They posted the source code the next morning with bug fixes, including the critical one that turned the worm from a slow-moving annoyance to a rampaging network-killer...
Even by the most conservative count, Linux has a few million users. That's more than enough to support a virus population.
/. would be enough to start a major Linux virus.
Even the old MS-DOS machines had a viable virus population, although the viruses, for the most part, had to be hand transported via floppies to each machine.
With network enabled machines, it should be even easier to spread viruses. And it is. Just look at all of the Windows viruses, worms and trojans that are out there.
If Linux was as insecure as Windows, a simple link on