Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Worms Programming Security IT Technology

Can Reverse Engineering Help In Stopping Worms? 187

krozinov writes "The goal of this paper is to try to answer the following three questions: How do you reverse engineer a virus? Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants? Can reverse engineering be done more efficiently? The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Beagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Beagle worm, while Appendix B presents the derived source code of the Beagle virus, as a result of this research."
This discussion has been archived. No new comments can be posted.

Can Reverse Engineering Help In Stopping Worms?

Comments Filter:
  • Well (Score:1, Funny)

    by omghi2u ( 808195 )
    Why didn't I think of that:? :P
    • Re:Well (Score:3, Funny)

      by igny ( 716218 )
      Why didn't I think of that:? :P

      Because you didn't have time trying to post the first post?

      • I think this may have something to do with susie! Do you or do you not agree susie has / gets tons of viruses? Seriously, not joking here! Thx.
    • Re:Well (Score:2, Interesting)

      by jsitke ( 461662 )
      I was always under the impression that viruses are commonly reverse engineered. Doesn't sound like news to me.
  • Waste of time (Score:3, Insightful)

    by zerguy ( 831069 ) <nobody@NOsPam.nowhere.gov> on Monday November 15, 2004 @10:52AM (#10820307)
    If I understood the article, they are trying to reverse-engineer worms to find out how they work. Why not just ask the numerous people who were black hats but now work for security firms?
    • Yeah your completely correct as we all now that anyone that writes any good viruses has a good EULA protecting it from reverse engineering. Social engineering usually doesn't encompass the EULA.
    • Re:Waste of time (Score:5, Insightful)

      by mytec ( 686565 ) * on Monday November 15, 2004 @11:03AM (#10820451) Journal

      The virus, worm, trojan field advances, sometimes rapidly. If a new worm arrives that hasn't been seen before how much help can someone be that hasn't written or played the game in a year or longer? I think your question, and I'm not attacking you, is much like asking if forensic science is needed, just ask the murders....

      I think the third question, can reverse-engineering be done more efficiently, is the important one because it will help question #2 significantly.

      • by Anonymous Coward
        Speaking for the murders... no forensic science is not needed.
      • Silence of the Lambs, anyone?
      • You can never reverse engineer a worm faster than some 17 year old pump out a new worm.

        Give it up, if you have something mission critical. Don't use windows or internet explorer. Use linux and firefox.

        • Re:Waste of time (Score:3, Interesting)

          by bdash ( 598142 )
          Give it up, if you have something mission critical. Don't use windows or internet explorer. Use linux and firefox.

          If it's mission critical why the hell are you running a web browser on it anyway?
    • Re:Waste of time (Score:5, Interesting)

      by ajs ( 35943 ) <[ajs] [at] [ajs.com]> on Monday November 15, 2004 @11:04AM (#10820452) Homepage Journal
      No. Reverse engineering is key in understanding what virus writers are doing TODAY, and how the state of the art is progressing. It is hoped that you will conclude, "these are just a bunch of script kiddies who don't write unique and interesting code," but in reality dissassembling this stuff reveals that the Virus/Worm writing market is getting quite sophisticated. Tracking the advances and giving that information to the white-hats is key.

    • Actually, I took the article as a huge set of techniques to isolate and figure out a discovered threat. If there was a virus on their machine that hadn't been caught by current AVS, with a different set of initial steps, one could do this same thing and built a bit signature.

      I look forward to when the authors examine encrypted and polymorphic malware.
  • Reverse Reverse (Score:4, Interesting)

    by teiresias ( 101481 ) on Monday November 15, 2004 @10:52AM (#10820315)
    what happens when they reverse engineer the reverse engineering you did on the virus they originally wrote? if we look into the biological field, fighting viruses only makes them stronger. Not that we shouldn't but the better the anti virus writer becomes, the better the virus writer already is.
    • Well this has happened a few times with reverse engineering.. a new worm or virus in this case comes out... everyone takes it apart and comment on certain bits of the code.

      the creater reads it and releases his now corrected version a few hours later.. or copycats i guess :)

      Through they is a real buzz when a new worm comes out and you can take it apart.. I will never be as fast as any anti-virus venders but still entertaining none the less.

      --
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday November 15, 2004 @11:31AM (#10820781)
      what happens when they reverse engineer the reverse engineering you did on the virus they originally wrote? if we look into the biological field, fighting viruses only makes them stronger. Not that we shouldn't but the better the anti virus writer becomes, the better the virus writer already is.
      Hardly. If that were so, then Linux would currently be under attack by the toughest viruses and worms ever seen.

      Viruses and worms exist because security models and implementations have vulnerabilities.

      You see so many Windows viruses and worms because Microsoft's security model has some very basic flaws. Instead of dealing with them, Microsoft relies upon 3rd party anti-virus companies to issue very specific "patches" for each virus that comes out.
      • Hardly. If that were so, then Linux would currently be under attack by the toughest viruses and worms ever seen.

        The point of that would be what? Get some more market share and then we'll talk about whether or not it's worth the effort.
    • by Frater 219 ( 1455 ) on Monday November 15, 2004 @12:10PM (#10821194) Journal
      In the realm of biological viruses and bacteria, there are steps we can take to discourage the evolution of worse and worse plagues. Although computer viruses are designed rather than evolved, some of these may apply to the computer realm as well.

      It's well-known that a parasite that kills its host damages its own chances for survival or reproduction. A germ that doesn't make you sick enough to stay home from work leaves you in able condition to cough that germ all over your coworkers. One that kills you right off has a much decreased chance of spreading to those people ... that is, unless your town is in the habit of leaving corpses lying around.

      If germs in corpses are able to infect the living, then there is much less "incentive" for germs to leave their hosts alive. If, on the other hand, your civilization isolates corpses, especially obviously infectious ones, then being in a corpse becomes a bad replication strategy for a germ.

      This is clearly a way in which human cultural practices affect the evolutionary environment of infectious disease organisms. Under medieval conditions, the Black Plague was pretty darned optimal as a survival strategy. In isolated villages in Congo, the Ebola bacterium can leave messy, nasty corpses lying around and still survive. In places with more effective medical response, that would not be a very effective survival strategy.

      What is the analogy to computer viruses? Right now, large portions of the Net have ridiculously crappy "medical response" to computers that are effectively "killed" (rendered useless) by virus and worm infection. Most commercial ISP networks are, to the unprotected Windows computer, the equivalent of rolling around naked in medical waste. This septic environment, in which dead and dying bodies are left to rot and spread their infections, just promote viruses that completely overwhelm the host.

      Moreover, the average Windows system and user have the equivalent of terrible hygiene practices. Personal hygiene, in the real world, means that you avoid filthy things when you can; you wash when you've come into contact with them; you wash regularly even if you don't think you have filth on you; and you make sure not to mix filth with your food. Public hygiene means that your society keeps filth and corpses away from the food supply, and keeps rotting garbage off the open street. When these practices break down, you get plagues.

      How to prevent this? First, some rudimentary public sanitation would help -- when a system is infected, it must be quarantined and prevented from infecting others. Second, computer users must learn to choose software which has good sanitary practices -- isolating untrusted data ("filth") from the system software ("food") and making sure to clean up those parts of the system that come into contact with the filth.

      Can Windows do this? I don't know. The SP2 firewall settings are an improvement. However, it is still a system with terrible hygiene, since user software which handles filth routinely runs with administrator privileges that have access to the food supply. Ick.

  • better solution? (Score:4, Insightful)

    by Jrod5000 at RPI ( 229934 ) on Monday November 15, 2004 @10:53AM (#10820329)
    perhaps it would be more insightful to study WHY individuals expend so much time and energy writing viruses, worms, etc. in the first place.
    in the future, i suspect this sort of malware will only get worse in terms of technical complexity, but the reason for their creation will probably be roughly the same.

    my $0.02
    • by zerguy ( 831069 ) <nobody@NOsPam.nowhere.gov> on Monday November 15, 2004 @10:57AM (#10820367)
      That's a good idea, but the problem is that there is no way to prevent people from writing malware. The general reasons people create malware are:
      1. For fame
      2. For fun
      3. For profit
      4. They have some sort of grudge
      5. To show off

      These are all basic human instincts, manifested in a bad way. There is really no way to prevent anyone from having any of these desires.
    • To quote the famous computer scientist Meat Loaf - "I ain't in it for the power, I ain't in it for my health, I ain't in it for the glory of anything it all, and I sure ain't in it for the wealth."
    • Yes yes... and why do people troll? If we could only figure out why they do it, we could prevent it, and if we can prevent it, isn't it our own responsibility to do so, so by not doing so we have enabled others to troll... so next time you read a troll, remember you made them do it you lazy society killing miscreant. Insensitive clod is too good of an insult for you.
    • by zx75 ( 304335 ) on Monday November 15, 2004 @11:11AM (#10820542) Homepage
      Some common answers:
      a. Because they can.
      b. To see if they can get away with it.
      c. They believe they can't be caught.
      d. To get attention/gain 'respect'.

      These tend to be recurrent reasons given for a lot of crimes that do not seemingly provide any benefit to the criminal. Grafitti is another, as is petty theft when the person in question is not thieving because of any real desire to have the stolen item or profit from it.
    • On second thought you really could be on to something here. The reason people expend so much time and energy writing viruses is because they have time and energy to expend. So if we forced everyone to work in the mines for 15 hours a day, they would have no energy, and no time. Problem solved.

      On a side note, I doubt anyone from EA writes viruses. [slashdot.org]
    • i always thought this one was an easy one. it provides a challenge. it's not quite like a game but it is. i mean if i were to write one, i'd try to pick something kinda hard and obscure and make it as streamlined and unique as i could. i think most worm/virus writers are in it to be seen now. "my worm just got mentioned on the world news!" it's almost like a contest but ... the prize is seeing your virus/worm/etc as a neon sign on the news and virus information webpages
  • by jmcmunn ( 307798 ) on Monday November 15, 2004 @10:56AM (#10820349)

    It only helps if the people who write future variants are lazy...so I guess yes, it will help with there not being versions A-ZZZ of the bagle virus, but the serious ones are still going to be out there.

    It already takes very little time for them to catch most variants these days. My software (AVG) is usually a day ahead of any of the major news organizations on having the fix for any new virus out there. The new, creative, and dangerous virus are the ones that worry me not the 200th version of netsky that shows up.

    Perhaps the best way to control the spread of virus is to reverse engineer the OS/program that it is targeting...create fixes proactively and don't allow the exploits to be found in the first place. But there's probably a law or two out there that prohibits this kind of stuff, eh?
    • You are correct. But can you imagine the uproar and legal battles that would ensue should anyone try to reverse-engineer, disassemble, or otherwise try to extract source code from Windows? This is exactly why there are no (or hardly any) viruses on Linux.
    • create fixes proactively and don't allow the exploits to be found in the first place. But there's probably a law or two out there that prohibits this kind of stuff, eh?

      Laws against writing secure software? Well yeah, that'd explain quite a lot. ;-)
    • It seems to me that of the thousands of viruses written for windows there must be a good percentage that are fully understood and documented on the major AV manufacturer's websites.

      It doesn't help stop the spread, it doesn't seem essential to detection, at best it makes removal a little more clear-cut.

      Reverse engineering a virus might be an interesting academic challenge, but it's probably not that helpful except at classifying variants.
      • Actually, I think its a good idea to have a group that doesn't make AV software, or operating systems, reverse engineer a virus.

        While I think Symantec, et al, are honest companies, I don't think they are working a way to make viruses obsolete (and themselves obsolete as well). MS is working on adding new features more than security, because you will buy it anway. My experience in life tells me that an educated outsider's opinion, if well researched, can be pretty damn insightful.

        I actually read the repo
    • "don't allow the exploits to be found in the first place"

      You mean do not try to find the problems, or not making any notice of upcoming problems ?

      The later is the better, but it is not really good, because there will always be people who hear about it and exploit it
    • My software (AVG) is usually a day ahead of any of the major news organizations on having the fix for any new virus out there.

      That's because it's the AV companies putting out the press releases about these viruses. It takes the news organizations a day to rework the press release into a 'news item'.
  • by FerretFrottage ( 714136 ) on Monday November 15, 2004 @10:57AM (#10820368)
    I think so Brain...is the virus protected by the DMCA and the other various software laws that prevent reverse engineering? If so, who is really in the wrong here?

    • by Anonymous Coward
      It's OK, as long as they are reverse-engineering it to port it to another platform. ;-)
  • Maybe it'll at least give us viruses (viri?) that consume less system resources. Release more efficient viruses. That will fix everything.
  • by kuwan ( 443684 )
    Now, just wait for the authors of the Beagle virus to slap them down with a lawsuit for reverse engineering their software. Something to the effect of:

    "You have violated the License Agreement of the Beagle virus through your reverse engineering activities. Your publication illustrating how to do this is a clear violation of the DMCA and induces others to also violate their license agreement. Please Cease and Desist all such activities and prepare to see us in court."

    --
    Not free as in effort, but I'm wi [wired.com]
  • by Anonymous Coward on Monday November 15, 2004 @11:08AM (#10820503)
    Virus are not protected by copyright, patents etc.
    Reverse engineering is when you disassemble and recreate a the original source (which they did) -- the easy part. Then, the hard part is to create a set of specifications without referring to the original code or snippets, then handing that over the "wall" to someone who has not been exposed to any of the IP of the original and rewriting the code from scratch ... that is what Compaq, Phoenix, and the others had to do with BIOSs and people emulating Windows, Unix etc had to do, otherwise, they would just be copying from the original and rewriting (trivial in comparison). Let's start using the appropriate terminology.
    • Virus are not protected by copyright, patents etc.

      Is that strictly true? Suppose I write a virus. That in itself isn't illegal, as long as I don't release it in the wild. But it is a creative work, just like any other software, so I automatically get the copyright as its author. Sure, it's unlikely that a virus author is going to sue people for breaching copyright, and there will be various fair-use arguments (dissassembling something for compatibility is allowed; to make a virus compatible with the

    • by Daengbo ( 523424 ) <daengbo AT gmail DOT com> on Monday November 15, 2004 @11:53AM (#10821017) Homepage Journal
      No. What you described is clean-room reverse engineering. Regular old run-of-the-mill reverse engineering means taking the "black box" and figuring out exactly what it does.
    • Of course a virus is protected by copyright. It's something that someone created, thus, unless they explicitly gave up their rights, it's fully protected.
    • Virus are not protected by copyright, patents etc.

      Sure they are. See, a "virus" is a program, and the source code is copyrightable, and patentable as well. Otherwise there'd be no point to the second half of your post, anyone could just use Phoenix BIOS as their own.

      Every virus I've written is copyrighted to me. Now, I don't consider them viruses. Some spyware and anti-virus software will identify them as viruses, because the code will behave in viral like ways such as deleting files and making regis
      • Sure they are. See, a "virus" is a program, and the source code is copyrightable, and patentable as well.

        Maybe I should try to find new ways for viruses to spread, hide themselves, etc., but not write a virus, but patent them. I'm sure a virus writer will not check any patents, and then if some new virus is spread and the one who has written it is caught, I'll sue him for royalties.

        Thinking about it: Given that it's obviously possible to sue someone for just running patent-protected software (think GIF!),

        • Maybe I should try to find new ways for viruses to spread, hide themselves, etc., but not write a virus, but patent them. I'm sure a virus writer will not check any patents, and then if some new virus is spread and the one who has written it is caught, I'll sue him for royalties.

          You'd have to be quick though; find a bug in a MS product, write an exploit and patent it quickly. If you wait too long the virus and previous incarnations will all be prior art.

          Not that the overworked and underclued USPTO *wo
  • by G4from128k ( 686170 ) on Monday November 15, 2004 @11:15AM (#10820592)
    Coming in a packet near you, from the EULA of the future:

    By connecting a computer to the internet, you hereby agree to the terms of this agreement (hereafter referred to as "deal with the devil") for this software (hereafter referred to as "CPU sucking nightmare") ......

    Won't surprise me if virus/trojan/worm/spyware writers use IP law against those that would hope to rid the world of their menace.
    • They'd never be able to; to come out and say "you reverse engineered my virus" would be a confession of having written the virus in the first place, and would probably result in their prosecution. If I were a virus author, I'd keep my head down whilst inwardly laughing, not pop out and say 'I did it'.
  • Well... (Score:4, Interesting)

    by bmo ( 77928 ) on Monday November 15, 2004 @11:15AM (#10820602)
    Wouldn't the first goal be writing applications and operating systems to be more secure than they are now with ordinary common sense designs? You know, like not tying userland software to the OS in incestuous ways?

    Simple stuff like that...

    Get rid of IE and get rid of Outlook Express and you get rid of 90 percent of the threat.

    This would be a plug for Linux, as I use it daily, but there are things that Windows users can do to keep from being screwed every day. If only Mickeysoft helped their users rather than write crap software.

    --
    BMO
    • Been tried, didn't work.

      Didn't stand a chance against applications and operating systems first written to obtain and entrench an air-tight monopoly hold over the entire software industry, rather than a common sense design. You know, like not worrying about quality when there's an opportunity to tie products together and leverage an existing monopoly to destroy the market for a competitors product, leaving only yours.

      Simple stuff like...

      Tying the gui, browser, media player into the operating system and f
  • by shoppa ( 464619 ) on Monday November 15, 2004 @11:15AM (#10820606)
    Viruses/Worms themselves work usually be finding a buffer overflow in an OS or application. They are themselves the result of reverse engineering.

    It would seem a better defense to use whatever reverse engineering tools are available to fix the application. Things like Purify etc. are of some use for many common problems.

    Adding additional/patched code onto a virus/worm sounds like dangerous business to me. Suppose you didn't do everything exactly right, you are now responsible for releasing a new virus into the wild.

  • by EXTomar ( 78739 ) on Monday November 15, 2004 @11:18AM (#10820636)
    To borrow the medical anology, pathology of a virus is important but this alone will not create a "cure". You may understand completely how a virus works but this alone does nothing to hamper it.

    To even be more suscinct, if all it took to stop a virus was to reverse engineer it (ie. pathology), then we'd have things like AIDS, Herpes, etc. beat long ago. We clearly understand how these things spread yet infections still happen. Likewise, we already know a lot how virii spread on Windows and form best practices and yet comprimising still happens.
    • by Anonymous Coward
      Sounds like we need some sort of "anti-virus software" to fight viruses. If only some sort of "anti-virus company" would come forward to produce this "anti-virus software", we'd all be saved.
    • To borrow the medical anology, pathology of a virus is important but this alone will not create a "cure". You may understand completely how a virus works but this alone does nothing to hamper it.

      This breaks down trivially when applied to computer malware. By reverse engineering a computer virus (or other malware) you can tell how it spreads, and exactly what damage it does. By knowing how it spreads you can always avoid becoming infected. By knowing what damage it does you can always remove that damage
  • by Phleg ( 523632 )
    You heard me.
  • by sporty ( 27564 ) on Monday November 15, 2004 @11:19AM (#10820658) Homepage
    A virus exploits something about a system.


    Back in the DOS days, the fact that code on a floppy header or something would get executed on insertion was a problem. Solution, don't bring that into memory for execution.


    Word, at a point, by default, would execute macros on load of a document. Don't bring in code from a document and execute it.


    In outlook, looking at email can cause JS to execute which may have it's own problems due to the implementation of js. Don't execute the JS.


    Don't try and figure out how viruses work. Figure out what they exploit and close them up. Duh.

      • A virus exploits something about a system.

      Yeah, but a lot of modern email viruses just exploit the part of the system between the keyboard and the chair. Unfortunately no-one has worked out how to issue auto-updates for this part of the system...

      • Yeah, but a lot of modern email viruses just exploit the part of the system between the keyboard and the chair. Unfortunately no-one has worked out how to issue auto-updates for this part of the system...

        Auto-updates might not be possible for that component, but certification is.

        Doctors, Lawyers, Drivers, and other trades or tasks are given a license recognised by the government stating that you are qualified for the task in question. Apply the same to computers, and the problem is solved. (Of course,

  • Why RE? (Score:3, Insightful)

    by RAMMS+EIN ( 578166 ) on Monday November 15, 2004 @11:27AM (#10820731) Homepage Journal
    Why reverse-engineer? Most malware is put together by script-kiddies from parts they get from elsewhere, and a lot of information is publicly available. If script-kiddies can get their hands on it, so can you.
  • I've Googled and been unable to tell if the Prescot P4-E has the NX, XD, or whichever acronym anyone would like to use to signify the No eXecute/eXecution Disabled stuff.

    All that I come up with is that stuff "late this year" from Intel will have it, and that AMD64 has it.
  • by Pinkoir ( 666130 ) on Monday November 15, 2004 @11:30AM (#10820763)
    I would like to thank the author of that paper for making it abundantly clear to me that I am not smart enough to operate independently in today's technological environment. I would like to take this opportunity to bow down before my compsci-savvy overlords swear to just mindlessly accept whatever code they produce.

    -Pinkoir
  • by gmuslera ( 3436 ) on Monday November 15, 2004 @11:30AM (#10820765) Homepage Journal
    3 points:
    - knowing how it technically works dont disable the social engineering component, very trivial worms were very sucessful just for that.
    - there are a lot of worms that have the source available in a way or another, from the first ILoveYou worm (well, most .vbs ones are that way) to latests Bagle or Netsky variants, that even have the source attached.
    - Some worms also are maybe simple exploits of software vulnerabilities or weakeness (mostly MS.*, but there are some for other developers and operating systems). What must be understood there is not the worm source, but what it exploit and why that software is used.
  • Instead of figuring out how worms work by reverse-engineering them, we can also get smart, read a security list, figure that most of the problems we have come from using insecure programming languages, and switch. It's not like there aren't better options than C and C++.
  • by krvw ( 259838 ) on Monday November 15, 2004 @11:35AM (#10820821) Homepage
    I've got to be missing something here. Reverse engineering worm/virus code with tools like IDA Pro has been actively done by the anti-virus community for 17+ years. In November 1987 when a virus hit us at Lehigh University (where I worked at the time), a bunch of our students helped out by disassembling the virus and writing a piece of software to prevent it from spreading further.

    And we didn't feel that this was even groundbreaking work back then...

    What am I missing here?

    Cheers,

    Ken van Wyk
    • I think what's missing is an entire generation of programmers. Those of us who got their start up through about the mid-80s (on the original PC, XT and AT) knew the technical ins and outs of both our own code and the OS. The current generation grew up with development environments and application frameworks divorcing them almost completely from how the system really works. It's not that they don't know what's going on "under the hood", it's more that they don't know there is an "under the hood" in the first

  • E-Mail lists (Score:3, Interesting)

    by Andrewkov ( 140579 ) on Monday November 15, 2004 @11:39AM (#10820868)
    One interesting point of the article -- The Bagle virus seaches the hard drive for email addresses to send itself too. If Outlook, Mozilla Mail, and other email clients used encrypted contact lists, that would prevent a lot these worms from propagating. I hope that's something that email client vendors will look at.
    • Re:E-Mail lists (Score:3, Insightful)

      by StormReaver ( 59959 )
      "If Outlook, Mozilla Mail, and other email clients used encrypted contact lists, that would prevent a lot these worms from propagating."

      The email program itself would need to decrypt the list in order to use it. Any 3rd party program which requested email services from the email client (think COM) would need to have an exposed API to call in order to request that service. A virus would only have to call that API to decrypt the list.
    • Better still (and requiring no reprogramming): create a separate contact list with a million random email addresses and never use it yourself. [Either use a separate category, or create an Outlook Express list when you never actually use Outlook Express yourself or a Eudora list if you never actually use Eudora].

      If it gets harvested then it reduces the value of the harvested list (arbitrarily close to zero, if enough people do this).

      If a worm on your own computer tries to use the list then there are all s
  • Reverse-engineering takes time, and can only start when the worm is already out. It's guaranteed to come too late. Switching to secure technologies before the exploit comes is the only way to stay ahead.
  • by ftzdomino ( 555670 ) on Monday November 15, 2004 @11:39AM (#10820880)
    Most worms these days scan IPs to find other exploitable hosts. I always thought we should look for exploits in the worm's scanning engine and then attempt to crash it by responding to its scanning requests with data which would do something like exploit a buffer overflow or off by one attack. These crashing response daemons would be located on systems which don't normally take requests of the service type the worm exploits. That way these would be very unlikely to affect anything legitimate. A worm whose scanning code has been crashed would be unlikely to infect other systems. It's also unlikely that crashing the scanning code would affect other services on the infected machine, limiting the legal liability of such a thing.

    I've had some luck against people scanning web servers for formmail.pl scripts. My formmail.pl sends random data without any CR or LF. One script so far accepted 2gb of data before disconnecting.
  • Been done (Score:5, Interesting)

    by wayne606 ( 211893 ) on Monday November 15, 2004 @11:41AM (#10820901)
    I remember when the RTM worm first appeared (was that '86?) and several Berkeley students stayed up all night decompiling it (this was VAX code so it was a bit more manageable). They posted the source code the next morning with bug fixes, including the critical one that turned the worm from a slow-moving annoyance to a rampaging network-killer...
  • Due to the fact they're written by people, you can't stop them beforehand.

    The best way to stop the current ones, is to analyse their network usage, and block it. I did it last week, and our network is stable and not spewing filth everywhere. :)

  • And release open source worms. Dump the source code to c:\worm on an infected machine. Don't forget a GPL comment in each file and COPYING that explains how you are required to "distribute" the software+source to everyone in your address book, or every machine on the subnet.
    • It will not help AV companies much since they already reverse engineer binaries
    • People will release improved derivitive worms and malicious payloads you don't have to be responsible for.
    • The joy of releasing software under a truly vira
  • by DrDebug ( 10230 ) on Monday November 15, 2004 @12:01PM (#10821106) Journal
    Simple answer: No.

    The worm (or virus) is already out in the wild. Seeing how it works won't stop it.

    But seeing what it exploits might.

    There is a 99 percent chance that the worm/virus will exploit a known hole in the target application/operating system. Nowadays, these exploits have come much, much quicker than in the past. It used to be a few months before a hole was exploited; now it can be just a matter of hours.

    What would impress me is if they reverse-engineer a worm/virus and find that it exploits a hole that was unknown beforehand. Now THAT would show some intelligence on the part of the author (if not any ethics). The 'kiddie-scripters' that mutate the source code from a worm/virus and just hex-edit their initials into it aren't very creative at all; just adolescant vandals who want to make their mark with their brethern vermin in the dark underworld of the Internet.

    It's not that virus/worm authors are anything to be emulated. But you have to respect them. Like you have to respect terrorists. You may lothe them, but you have to respect them.

    However, reverse-engineering IS useful. It is forensics. Someday, maybe soon, the forensics team will be able to catagorize and maybe even identify the author of a virus by the way it is written. Currently, it is helpful in finding those security holes, so they can notify the authors of the program being attacked.

    Let's face it folks. Programming is still more of an art than a science. We imperfect human beings are trying to write perfect code, because the computer does exactly what it is told to do. We humans don't operate at that level very well. So we write imperfect code; something that can be eventually exploited given time and resources of anyone willing. It's gonna happen, whether your code comes from American, Indian, or Ukranian programmers. There are evil people out there, and they are going to check the doorknobs of every program to see if they can get it and cause trouble. Until someone comes up with a source-file hole checker, be prepared for more worms and virii.

    OK, I'm done ranting.

  • I've actually read the article, and wonder if some people are taking a little too seriously...

    While it is a well written and interesting discussion of reverse enginnering a virus, the writers admit they hadn't really done any reverse enginnering before this project at all. Also, how exactly did everything think that Anti-virus writers have been tracking what viruses do and how to kill them? Any major virus is of course disassembled by the antivirus writers so they can decide how to remove it, espically no
  • What this tells virus authors is that their viruses should not only detect that they're running in a virtual machine, but escape from it and take over the real machine.

    Microsoft VM has to do all the wierd code-changing that VMware did, because the x86 can't be completely virtualized. And it has to emulate the I/O devices. There are probably bugs in the VM that can be exploited, most likely in the I/O area. Try wierd DMA operations, and poke around in device address space, until the real machine crashes.

  • by Knx ( 743893 )
    I think one reason why RCE is not done as fast as it potentially could might be that there are just fewer and fewer programmers out there who are able to quickly read, analyse and understand assembly code. Because they're simply not familiar enough with it.

    One obvious but irrefutable idea which arises from this article is that while we're almost all writing in hi-level languages nowadays, the final code is still in assembly. (Ok, that's not quite true for Java and the like, but let's focus on decent fully-
    • I think one reason why RCE is not done as fast as it potentially could might be that there are just fewer and fewer programmers out there who are able to quickly read, analyse and understand assembly code. Because they're simply not familiar enough with it.

      The problem isn't that there are fewer and fewer programmers - it has to do with the fact that it's hard to interpret it in the first place.

      For example, IBM PCs running Dos will access operating system calls by calling an Interrupt. Unless you have a

  • Just curious, why can't a virus be protected by the American DMCA if it has obfuscating techniques making it difficult to understand how it works ? Reverse engineering and publishing the results seems to enable the bypass of the virus protection.

    So OK, a virus is "BAAAAD", while a DRM system, is ... well... "legitimate(?)", but apart from this, is there any legal ground to allow virus reverse-engineering ?
    • As a comparison, here in Oregon it is illegal to wear body armor while committing another crime. It is legal to possess body armor as long as you do not use it for an illegal purpose.

      I would expect a similar application of common sense in this case. The DMCA was conceived (perhaps ill-conceived, but that isn't the point) to protect copyright holders. It was definitely not intended to allow criminals to protect their own illegal behaviors. I really doubt the DMCA would apply in this case.

      And that's not e

      • Ah - but if the writer does get caught, they'll be set for life once they got out of jail. Adobe and California have already asserted that "breaking" ROT13 is a criminal offense... imagine the field day some scumbag lawyer would have with those who "hacked into" and "reversed" some jerk's obfuscated trojan.

        A good trojan that contained an embedded EULA, a trade-secret and a copyright notice would be funny as hell IMO... and I've not seen any exceptions in the DMCA where certain "IP Rights" are waived if th
  • Antivirus vendors usually need 48 hours to dissect a virus and describe most of its internal workings. So, what's the point one might ask.

    Well, this document is a complete primer on how to disassemble an unknown (smallish) program in a sandboxed environment. Anyone who ever wanted to learn this skill should give it a shot. Who knows, you might end up working for an antivirus company soon ;)

    For Lucent however, this was a complete waste of 10 weeks of engineering skill of three people minus the publicity

A right is not what someone gives you; it's what no one can take from you. -- Ramsey Clark

Working...