Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can Reverse Engineering Help In Stopping Worms?

Posted by Hemos on from the yes-but-to-what-extent dept.

krozinov writes "The goal of this paper is to try to answer the following three questions: How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently? The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."

14 of 187 comments (clear)

  1. Reverse Reverse by teiresias · · Score: 4, Interesting

    what happens when they reverse engineer the reverse engineering you did on the virus they originally wrote? if we look into the biological field, fighting viruses only makes them stronger. Not that we shouldn't but the better the anti virus writer becomes, the better the virus writer already is.

    --
    -Teiresias
  2. better solution? by Jrod5000+at+RPI · · Score: 4, Insightful

    perhaps it would be more insightful to study WHY individuals expend so much time and energy writing viruses, worms, etc. in the first place.
    in the future, i suspect this sort of malware will only get worse in terms of technical complexity, but the reason for their creation will probably be roughly the same.

    my $0.02

    1. Re:better solution? by zerguy · · Score: 5, Insightful

      That's a good idea, but the problem is that there is no way to prevent people from writing malware. The general reasons people create malware are:
      1. For fame
      2. For fun
      3. For profit
      4. They have some sort of grudge
      5. To show off

      These are all basic human instincts, manifested in a bad way. There is really no way to prevent anyone from having any of these desires.

      --
      **This begins my ever-changing sig
      We need a -1 RTFA moderation option!
      **This concludes my ever-changing sig
  3. Reverse Engineering a virus... by jmcmunn · · Score: 5, Insightful


    It only helps if the people who write future variants are lazy...so I guess yes, it will help with there not being versions A-ZZZ of the bagle virus, but the serious ones are still going to be out there.

    It already takes very little time for them to catch most variants these days. My software (AVG) is usually a day ahead of any of the major news organizations on having the fix for any new virus out there. The new, creative, and dangerous virus are the ones that worry me not the 200th version of netsky that shows up.

    Perhaps the best way to control the spread of virus is to reverse engineer the OS/program that it is targeting...create fixes proactively and don't allow the exploits to be found in the first place. But there's probably a law or two out there that prohibits this kind of stuff, eh?

  4. Pinky are you thinking what I'm thinking? by FerretFrottage · · Score: 4, Funny

    I think so Brain...is the virus protected by the DMCA and the other various software laws that prevent reverse engineering? If so, who is really in the wrong here?

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  5. Re:Waste of time by mytec · · Score: 5, Insightful

    The virus, worm, trojan field advances, sometimes rapidly. If a new worm arrives that hasn't been seen before how much help can someone be that hasn't written or played the game in a year or longer? I think your question, and I'm not attacking you, is much like asking if forensic science is needed, just ask the murders....

    I think the third question, can reverse-engineering be done more efficiently, is the important one because it will help question #2 significantly.

  6. Re:Waste of time by ajs · · Score: 5, Interesting

    No. Reverse engineering is key in understanding what virus writers are doing TODAY, and how the state of the art is progressing. It is hoped that you will conclude, "these are just a bunch of script kiddies who don't write unique and interesting code," but in reality dissassembling this stuff reveals that the Virus/Worm writing market is getting quite sophisticated. Tracking the advances and giving that information to the white-hats is key.

  7. What about worm EULAs? by G4from128k · · Score: 4, Funny

    Coming in a packet near you, from the EULA of the future:

    By connecting a computer to the internet, you hereby agree to the terms of this agreement (hereafter referred to as "deal with the devil") for this software (hereafter referred to as "CPU sucking nightmare") ......

    Won't surprise me if virus/trojan/worm/spyware writers use IP law against those that would hope to rid the world of their menace.

    --
    Two wrongs don't make a right, but three lefts do.
  8. Too much indirection by shoppa · · Score: 4, Insightful
    Viruses/Worms themselves work usually be finding a buffer overflow in an OS or application. They are themselves the result of reverse engineering.

    It would seem a better defense to use whatever reverse engineering tools are available to fix the application. Things like Purify etc. are of some use for many common problems.

    Adding additional/patched code onto a virus/worm sounds like dangerous business to me. Suppose you didn't do everything exactly right, you are now responsible for releasing a new virus into the wild.

  9. Understanding The Pathology Is Important But... by EXTomar · · Score: 4, Insightful

    To borrow the medical anology, pathology of a virus is important but this alone will not create a "cure". You may understand completely how a virus works but this alone does nothing to hamper it.

    To even be more suscinct, if all it took to stop a virus was to reverse engineer it (ie. pathology), then we'd have things like AIDS, Herpes, etc. beat long ago. We clearly understand how these things spread yet infections still happen. Likewise, we already know a lot how virii spread on Windows and form best practices and yet comprimising still happens.

  10. Exploit the worm's scanning engine to slow it by ftzdomino · · Score: 4, Informative

    Most worms these days scan IPs to find other exploitable hosts. I always thought we should look for exploits in the worm's scanning engine and then attempt to crash it by responding to its scanning requests with data which would do something like exploit a buffer overflow or off by one attack. These crashing response daemons would be located on systems which don't normally take requests of the service type the worm exploits. That way these would be very unlikely to affect anything legitimate. A worm whose scanning code has been crashed would be unlikely to infect other systems. It's also unlikely that crashing the scanning code would affect other services on the infected machine, limiting the legal liability of such a thing.

    I've had some luck against people scanning web servers for formmail.pl scripts. My formmail.pl sends random data without any CR or LF. One script so far accepted 2gb of data before disconnecting.

  11. Been done by wayne606 · · Score: 5, Interesting

    I remember when the RTM worm first appeared (was that '86?) and several Berkeley students stayed up all night decompiling it (this was VAX code so it was a bit more manageable). They posted the source code the next morning with bug fixes, including the critical one that turned the worm from a slow-moving annoyance to a rampaging network-killer...

  12. Re:This isn't reverse engineering at all! by Daengbo · · Score: 4, Informative

    No. What you described is clean-room reverse engineering. Regular old run-of-the-mill reverse engineering means taking the "black box" and figuring out exactly what it does.

    --
    Put identity in the browser.
  13. Sanitary practices and the evolution of germs by Frater+219 · · Score: 4, Insightful
    In the realm of biological viruses and bacteria, there are steps we can take to discourage the evolution of worse and worse plagues. Although computer viruses are designed rather than evolved, some of these may apply to the computer realm as well.

    It's well-known that a parasite that kills its host damages its own chances for survival or reproduction. A germ that doesn't make you sick enough to stay home from work leaves you in able condition to cough that germ all over your coworkers. One that kills you right off has a much decreased chance of spreading to those people ... that is, unless your town is in the habit of leaving corpses lying around.

    If germs in corpses are able to infect the living, then there is much less "incentive" for germs to leave their hosts alive. If, on the other hand, your civilization isolates corpses, especially obviously infectious ones, then being in a corpse becomes a bad replication strategy for a germ.

    This is clearly a way in which human cultural practices affect the evolutionary environment of infectious disease organisms. Under medieval conditions, the Black Plague was pretty darned optimal as a survival strategy. In isolated villages in Congo, the Ebola bacterium can leave messy, nasty corpses lying around and still survive. In places with more effective medical response, that would not be a very effective survival strategy.

    What is the analogy to computer viruses? Right now, large portions of the Net have ridiculously crappy "medical response" to computers that are effectively "killed" (rendered useless) by virus and worm infection. Most commercial ISP networks are, to the unprotected Windows computer, the equivalent of rolling around naked in medical waste. This septic environment, in which dead and dying bodies are left to rot and spread their infections, just promote viruses that completely overwhelm the host.

    Moreover, the average Windows system and user have the equivalent of terrible hygiene practices. Personal hygiene, in the real world, means that you avoid filthy things when you can; you wash when you've come into contact with them; you wash regularly even if you don't think you have filth on you; and you make sure not to mix filth with your food. Public hygiene means that your society keeps filth and corpses away from the food supply, and keeps rotting garbage off the open street. When these practices break down, you get plagues.

    How to prevent this? First, some rudimentary public sanitation would help -- when a system is infected, it must be quarantined and prevented from infecting others. Second, computer users must learn to choose software which has good sanitary practices -- isolating untrusted data ("filth") from the system software ("food") and making sure to clean up those parts of the system that come into contact with the filth.

    Can Windows do this? I don't know. The SP2 firewall settings are an improvement. However, it is still a system with terrible hygiene, since user software which handles filth routinely runs with administrator privileges that have access to the food supply. Ick.