Slashdot Mirror
Can Reverse Engineering Help In Stopping Worms?
krozinov writes "The goal of this paper is to try to answer the following three questions:
How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently?
The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."
It only helps if the people who write future variants are lazy...so I guess yes, it will help with there not being versions A-ZZZ of the bagle virus, but the serious ones are still going to be out there.
It already takes very little time for them to catch most variants these days. My software (AVG) is usually a day ahead of any of the major news organizations on having the fix for any new virus out there. The new, creative, and dangerous virus are the ones that worry me not the 200th version of netsky that shows up.
Perhaps the best way to control the spread of virus is to reverse engineer the OS/program that it is targeting...create fixes proactively and don't allow the exploits to be found in the first place. But there's probably a law or two out there that prohibits this kind of stuff, eh?
That's a good idea, but the problem is that there is no way to prevent people from writing malware. The general reasons people create malware are:
1. For fame
2. For fun
3. For profit
4. They have some sort of grudge
5. To show off
These are all basic human instincts, manifested in a bad way. There is really no way to prevent anyone from having any of these desires.
**This begins my ever-changing sig
We need a -1 RTFA moderation option!
**This concludes my ever-changing sig
The virus, worm, trojan field advances, sometimes rapidly. If a new worm arrives that hasn't been seen before how much help can someone be that hasn't written or played the game in a year or longer? I think your question, and I'm not attacking you, is much like asking if forensic science is needed, just ask the murders....
I think the third question, can reverse-engineering be done more efficiently, is the important one because it will help question #2 significantly.
No. Reverse engineering is key in understanding what virus writers are doing TODAY, and how the state of the art is progressing. It is hoped that you will conclude, "these are just a bunch of script kiddies who don't write unique and interesting code," but in reality dissassembling this stuff reveals that the Virus/Worm writing market is getting quite sophisticated. Tracking the advances and giving that information to the white-hats is key.
I remember when the RTM worm first appeared (was that '86?) and several Berkeley students stayed up all night decompiling it (this was VAX code so it was a bit more manageable). They posted the source code the next morning with bug fixes, including the critical one that turned the worm from a slow-moving annoyance to a rampaging network-killer...