Forgot your password?
typodupeerror
Security Bug Operating Systems Software Windows

'Stealth' Worm Hinders Sandbox Analysis 461

Posted by timothy
from the analysis-says-your-sandbox-has-cats dept.
Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perpective.
This discussion has been archived. No new comments can be posted.

'Stealth' Worm Hinders Sandbox Analysis

Comments Filter:
  • Strange (Score:4, Interesting)

    by Metteyya (790458) on Wednesday July 14, 2004 @10:54AM (#9696818)
    I've always heard that it takes a very good programmer to write effective and powerful virus.
    • Re:Strange (Score:5, Insightful)

      by cuzality (696718) on Wednesday July 14, 2004 @10:59AM (#9696879) Journal
      "The greatest trick the Devil ever pulled was convincing the world he didn't exist." --Verbal Kint

      And the greatest trick this guy pulled is making himself look like an ID10T...
    • Re:Strange (Score:3, Funny)

      by Homology (639438)
      I've always heard that it takes a very good programmer to write effective and powerful virus. /I>

      Not on Microsoft Windows, it seems. From the article it's even better if the virus writer is sloppy.

    • Clearly sir, you have never heard of VBA [microsoft.com].

      Empowering amatuers with sysadmin capabilities since 1993!
      Where would you like script kiddies to joyride your computer to today?
    • Re:Strange (Score:3, Interesting)

      by scooby111 (714417)
      That alone is a powerful and elegant argument that some of these virus writers are in the business. I've long suspected that some of the smarter members of the antivirus teams are actually writing worms and viruses.

      Arsonists and firebugs like to watch firemen put out their fires. Is it really a stretch to apply that behavior to digital firestarters?
  • by garcia (6573) * on Wednesday July 14, 2004 @10:54AM (#9696825) Homepage
    They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?

    Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.
    • Just wondering: did people really find many bugs/bad coding/etc. in this code? I've only heard of this bmp thing, and that it was only in IE prior to version 6.
    • This is about the fourth time I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist. Is there any documented evidence that this has been used in *any* virus/worm/hacks? And has there actually been more than one bug found (I suspect not, since trolls keep saying "bmp bug! bmp bug! bmp bug!") I don't think so.

      Availability of the source code does not lead to exploits. Anybody with even a moderate amount of experience with software development would know this. If the exploit was e
      • by aardvarkjoe (156801) on Wednesday July 14, 2004 @12:28PM (#9697768)
        This is about the fourth time I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist.
        Er ... don't know about anyone else, but "They make such bad code knowing that it won't be looked at and hope that the hackers won't be able to find the holes?" doesn't sound much like apologism to me. (Doesn't sound much like proper grammar, either, but I suppose that's beside the point.) If anything, the fact that we haven't heard about a rash of new exploits based on it seems to indicate that broken portions of the code aren't as obvious and easy to fix (or exploit) as some parties like to claim.
      • by maximilln (654768) on Wednesday July 14, 2004 @12:52PM (#9698064) Homepage Journal
        The parent is horribly bipolar.

        I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist

        Actually an apologist wouldn't be spouting about the BMP exploit. Rather an apologist would be trying to dismiss it as you do in here:

        Is there any documented evidence that this has been used in *any* virus/worm/hacks?

        There. Now you're being the closed source apologist by saying,"We're sorry about the BMP thing but does it really make a difference?" Since it's been pointed out that the BMP thing was only present in older editions of MSIE (5.5?) it's pretty plausible that the forensic trail of tracking any exploits is long covered, formatted, and reinstalled.

        And has there actually been more than one bug found

        The security industry has its hands full simply processing data on exploits which are submitted. The people who have time to go over that released source code routine by routine, structure by structure, loop by loop, aren't going to tell you about it first. If they're nefarious they're not telling anyone.

        Additionally, did you read this [secunia.com] yesterday? Did you try contacting the authors who published those vulnerabilities? It's quite possible that they came onto those vulns by looking at the source code.

        So sit down and...

        If the exploit was evident by looking at the code, the code writer would probably fix it

        That's a bit shallow minded. Not every programmer who works for MS was a 4.0 overachiever who visualized code loops and logic flow in real time. Very few middle managers were 4.0 overachievers--many got to their position because they were better at social networking than coding networks. By the time the code gets to the upper management it's not being audited line by line. Even 4.0 students aren't always guaranteed overachievers with amazing perceptual abilities. Many 4.0 students know how to stand in line and keep their mouths shut. That's the most assured way to a 4.0.

        Every single exploit is discovered by accident

        I would agree that the majority of exploits are discovered by someone noticing erratic behavior in a program and taking the initiative to dig in deeper. However I know a number of people who take great delight in poring over changelogs and then going back to audit source code when "Bug in <sourcefile.c> fixed." The changelog may have been a roadsign but when sourcefile.c is 1000+ lines it's still a testament to skill to find the bug which was fixed.
  • Mailers? (Score:4, Insightful)

    by Deflagro (187160) on Wednesday July 14, 2004 @10:55AM (#9696830)
    Now just imagine if someone wanted to actually be malicious with this stuff..
    I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
    I think we're just lucky these writers don't do more with the holes Microsoft gives them.

    • Re:Mailers? (Score:5, Insightful)

      by Tyler Eaves (344284) on Wednesday July 14, 2004 @11:00AM (#9696901)
      The thing with destructive viruses is that they don't tend to spread very far, since by definition they take their host (and thus themselves) out after a few minutes or hours, where as something like Code Red, Nimda, etc,etc, can go for years without being removed.
      • Re:Mailers? (Score:3, Insightful)

        by Deflagro (187160)
        But technically, if someone decided to make the virus malicious and mail itself out first before injecting the damaging code...then you can have a Code Red that kills machines.
        Although, like a poster below, the data changing aspect would be a more annoying bug.

        I'm just saying that MS can be made to look real bad in the eyes of corporations. Mind you, the person responsible for something like that would get the death sentence under Patriot Act or something i'm sure.

        • Re:Mailers? (Score:4, Insightful)

          by (54)T-Dub (642521) <tpaineNO@SPAMgmail.com> on Wednesday July 14, 2004 @11:29AM (#9697192) Journal
          Yes, but the longer a host is infected the more opportunities it has to infect other machines. Especially if the user doesn't know they are infected. Not to mention the "hype" factor of big destructive viruses tends to help quell their outbreak.
          • Re:Mailers? (Score:5, Informative)

            by mrogers (85392) on Wednesday July 14, 2004 @12:21PM (#9697685)
            This paper [icir.org] predicts that a fast-scanning Nimda-like worm launched against a small "hit list" of known vulnerable machines could infect millions of machines in minutes - too fast for any human-mediated response. Such a worm could reach saturation point and begin destroying its hosts before most admins had even noticed what was happening. Even those who noticed would not have time to study the worm's behaviour, let alone analyze its code. Stealth code would therefore be unnecessary, except to make it more difficult for subsequent investigations to identify the source of the worm.

            The hit list technique speeds up the initial phase of infection, which is normally slow and vulnerable to isolated failures. The list is compiled ahead of time by normal vulnerability scanning; the machines on the list are simultaneously infected to start the attack. Each copy of the worm then scans for and infects further vulnerable machines as quickly as possible, dividing the address space at each hop to avoid unnecessary overlaps (some redundancy might be desirable, but completely random scanning would be inefficient). The list can be divided in a topology-aware way to reduce congestion that might otherwise limit the rate of infection.

        • Re:Mailers? (Score:3, Interesting)

          by king-manic (409855)
          Liek natural virii dormancy is required for widespread infection. A dead machine is an early signal somethign is wrong and brigns attention. A dormant virus would not do so. Look at aids and herpes versus ebola. Dormancy helps it spread, virilence is independant.
      • Re:Mailers? (Score:5, Insightful)

        by Lumpy (12016) on Wednesday July 14, 2004 @11:33AM (#9697231) Homepage
        but creating an ebola computer virus would not be hard.

        code red for example if it had a timed payload that X minutes after infection kill the machine and that number of minutes was 3 days in the future it would be able to widely spread and STILL cause the death of the host machines.

        the scaries is the stealth virus that spreads slowly, is silent and act's mostly benign for 90 to 120 days then simply kicks in for a full boat infection/attack+death 4 hours after final activation.

        by the time it was discovered most people would be helpless.
        • Re:Mailers? (Score:5, Interesting)

          by tmasssey (546878) on Wednesday July 14, 2004 @12:13PM (#9697620) Homepage Journal
          You really don't think something like that would be noticed?

          Let's imagine a *really* slowly reproducing virus: one that attempts to infect just a single computer a day. Now, you *could* go even slower, but 1 a day is pretty slow, wouldn't you agree?

          Now, on day 1, there might be only a single packet sent by a single computer. I don't think anyone is going to notice that. But at some point, a large-enough collection of computers will send out these requests, and it will get noticed.

          The question is, how many infected computers do you need before your attack is detected? If it's something like Code Red, a few thousand will get noticed: they spew out too many requests. One a day? It's harder to say. Will someone notice when there are 100,000 attacks a day? 1,000,000? But how long will it take to *get* to 100,000 infected computers? How many attacks will fail? Odds are, most of them will fail: not every IP has an attackable computer...

          In other words, you could easily create a silent attack that doesn't kill anyone. Or a very noisy attack that also kills no one because it's stopped in time. Can you create a somewhat silent attack that infects a large number of people before they find out? Very tricky. It's an almost impossible balance: crash too soon and it doesn't really do anything, wait too long and it'll get caught.

          To me, the better attack would be a *lightning* quick attack. Something like Slammer. According to this [pcmag.com], Slammer was able to attack every vulnerable computer available in 20 minutes. I'm not sure how much I believe this, but I've heard that 15 Million computers were infected in that same 20 minutes. Is 15 Million dead computers enough for you?

          Create a virus that spreads for an hour. Infect 15 million computers. Kill them. Good luck stopping that. The best part is, if you do your job correctly, either build a virus that only remains in memory or have it destroy the local copy of the virus in the process of killing the computer. Not only will the computers be dead, but it'll be *real* hard to figure out what hit you...

          Now that I write that, that is a little scary...

          • Re:Mailers? (Score:3, Interesting)

            by Lumpy (12016)
            actually you have a point there that would work well...

            do a slammer attack, fast as hell infection rate delay only a 3 minutes or so and then roll the dice to speak.

            give computers a 50% chance of dying or simply an immune carrier/spreader.

            that would be even more evil... there is a 50 50 chance that your Pc unce infected will be killed, or it becomes a spreader until it is cured.

            now make the virus morphing. try attack1, infect. if attack1 fails, use attack2 and morph to hide from scanners.

            so you got
          • by rsilvergun (571051) on Wednesday July 14, 2004 @01:46PM (#9698687)
            most people don't fix their computers until they no longer work at all. A virus like this would have little impact on the computer. If it was well hidden enough, it wouldn't get fixed when the person call tech support for other problems either. The key is being quite and unintrusive right up till the end, then you lay waste to the computer.

            Frankly, I'm with the first poster. I good 'ole fashion hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everthing on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.
          • by someone247356 (255644) on Wednesday July 14, 2004 @06:50PM (#9702039)
            Too much flash. Why go for Ebola when Mad Cow would be much more deadly and likely to be mistaken for Alzheimer's.

            That's the problem with viruses these days, too much flash. Either it saturates a network spreading itself, or it quickly kills the host. Either way it brings way too much attention to itself to be truly scary.

            How's this for a thought experiment;

            Write a small, stealthy piece of code that would randomly change a single digit in a single number found in a random Word or Excel etc. file by some small random amount once a day. It propagates by attaching portions of itself to no more than 1 email message/irc chat/telnet/ftp/video conference or other communication application a day. Until all of the pieces are present in memory, all the code does is attach itself to some systems process and look for the rest of itself. When all of it has been received it adds itself to some innocuous systems level process and begins changing values and slowly sending itself out around the world.

            So what good would that do? Well it doesn't draw attention to itself, neither in its mode of operation nor the way it spreads itself. Therefore while it would propagate slowly, no one would ever be looking for it. It's payload could cause great amounts of harm without ever giving the user any reason to think that his computer might be infected. What happens if it's on a pharmacy/hospital computer and it changes the dose of a prescription? Most pharmacies these days use numbers as a prescription ID. 20034978 might be a beneficial prescription while 20034879 could be deadly. We lost a Mars probe because someone didn't convert between feet and meters correctly. What if they did and a virus like this deftly changed it behind their back? A million widgets at $1.24 each is a lot different that a million widgets at $1.98. Building a bridge with a support beam that's 84.539 meters long isn't the same as one of 84.639 meters. You see where this is going don't you. Taken by themselves they look like simple user errors.

            The computer, or user, is diagnosed with Alzheimer's when it's actually infected with Creutzfeldt-Jakob. Machine's get rebuilt, people loose money, or get killed, and no one ever suspects that a very stealthy virus is the root cause of it all.

            That my friends is what I would call truly scary.

            someone247356
    • More damaging. (Score:5, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Wednesday July 14, 2004 @11:02AM (#9696912)
      If the virus randomly changed a few numbers in a few of the Excel spreadsheets it could access.

      Damaging the computer itself is too easy to catch and causes people to take it seriously.

      Changing data has more implications for CORPORATIONS and would take longer to detect.
      • Re:More damaging. (Score:5, Interesting)

        by Anonymous Coward on Wednesday July 14, 2004 @11:42AM (#9697321)
        This comment should be Score:10

        It has been awhile since a virus actually *did* something real bad to screw a user.

        First Gen virii: Wipe hard drives, boot sectors, etc. For the most part, I haven't scene these for awhile...

        Second Gen virii: Zombie annoying spam/dos crap that is annoyingly hard to remove. Slows the computer down but most clueless users probably don't even notice until one of us comes to clean off the 200 or so spyware/spam virus crap they have on thier machine...)

        Next-gen: Random sentence inclusion into all word docs, change #'s in excel sheets, alter contents of address books, random data into access/sql databases.

        That sh*t would be brutal to deal with.

        Its one thing to know you have to restore from backups after a harddrive is wiped, or you just can't seem to shake the virus.

        Its a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?

        Or even more fun, long documents you produce for meetings or public distribution. Embeded within are names harvested from your address book appended with a few choices words?

        "Our gross margins have increased by 12% this last quarter and Larry Teasdale is teh suck."

        • Re:More damaging. (Score:3, Insightful)

          by ArsenneLupin (766289)
          All this would still be way to tame. Why stop at corrupting data, when you can have way much more fun leaking it?

          Or even more fun, long documents you produce for meetings or public distribution. Embeded within are names harvested from your address book appended with a few choices words?

          Why not scan Word documents for names, and cross-reference those with your address book? As soon as a match is found, mail them said document. John Smith will surely be glad to learn that you intend to announce to him at n

        • Re:More damaging. (Score:5, Insightful)

          by nine-times (778537) <nine.times@gmail.com> on Wednesday July 14, 2004 @12:37PM (#9697872) Homepage
          'Next-gen: Random sentence inclusion into all word docs, change #'s in excel sheets, alter contents of address books, random data into access/sql databases.

          That sh*t would be brutal to deal with.

          Its one thing to know you have to restore from backups after a harddrive is wiped, or you just can't seem to shake the virus.

          Its a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?'

          You're absolutely right, and I bet most people aren't taking what you're saying seriously enough. Do you know how many businesses keep track of things, even financial data, in just Excel spreadsheets? I mean, NO real paper trail, and even nothing clear to check the numbers against?

          Even when you're talking about corrupting data, it's one thing to delete a random letter from a word document- a spell-check will probably catch it. If a virus added a particular sentence to word documents (the same sentence each time), you can at least find out if the document has been corrupted by searching for that sentence. Even random sentences, which would be much harder to deal with, would be noticable when someone goes to read it. However, shifting individual numbers in an Excel document 10%, up or down, randomly? That could easily go unnoticed for a long time, and even when you go to the backups, how do you know you have retrieved an old enough version to be an uncorrupted version?

          The idea kind of reminds me of the Office Space/Superman III scheme of writing a virus that rounds down to the nearest cent and sends the excess to a bank account.

          • not (Score:5, Interesting)

            by Moderation abuser (184013) on Wednesday July 14, 2004 @01:02PM (#9698182)
            Hmm, scan word docs looking for legalese adding and removing the word "not" at appropriate points.

            should/will/must should/will/must not

            Fairly simple but that alone could cause some interesting effects on contracts etc. I'm sure there are other simple and more effective ways of changing the meaning of sentences which would require the re-reading of them by the authors to guarantee that the meaning is correct.

      • How about a virus that randomly changes == to = in files :)
    • Re:Mailers? (Score:5, Insightful)

      by ites (600337) on Wednesday July 14, 2004 @11:02AM (#9696918) Journal
      Read about the mechanics of disease spread [slashdot.org] with respect to viruses and you'll see why this does not happen.

      Highly damaging viruses don't spread far. Today's virus/work/trojan writers want to capture large numbers of zombie PCs and resell these networks. They aim for control, not damage. It's about money, not vandalism.
      • Counterexample (Score:4, Interesting)

        by Ungrounded Lightning (62228) on Wednesday July 14, 2004 @12:25PM (#9697730) Journal
        Highly damaging viruses don't spread far.

        Unless the damage is delayed and/or random.

        Big counterexample is AIDS:

        - Attacks the immune (i.e. antivirus) system directly.
        - Goes dormant until the infected cell is activated for other purposes.
        - Mutates "rapidly" for a virus (though slowly on reproductive cycle time scales), resulting in mutiple strains from a single infection after a few years.
        - Infects slowly enough that it doesn't create a tight cluster of infected individuals.

        This enables it to spread widely before the occasional activation of the immune system cells carrying it expand its infection in an exponential cascade taking out the doomed host.

        Birthday viruses / easter eggs are a simple mechanism to allow wide spread of computer viruses before they take out their hosts - and the hosts that are down at that time provide a reinfection reservoir. But it's primitive compared to AIDS.

        A highly damaging virus could be made which makes random choices on when to utterly trash its host.

        They aim for control, not damage. It's about money, not vandalism.

        Unfortunately, while there are several criminal enterpises spreading worms/trojans/viruses whose intent is to create DDoS zombies, spam remailers, or keylogger/filters looking for bank account access or other sensitive information, there are still plenty of virus authors chasing other things - including those who will vandalize machines for the fun of it.

        And there are power groups with significant membership whose agendas would be advanced by taking out as much as possible of the IT infrastructure of the world - the more widespread and more lasting the damage, the better for their purposes. A family of worms with AIDS-like properites would serve their interests nicely.

        Finally - while diseases evolve to be relatively benign, they do so randomly (and designed programs often don't do quite what was intended, especially on first release). Sometimes you get one that strikes a balance between spread and damage that results in a massive, widespread dieoff among the host populatin before the combined evolution of the disease and hosts contain its remanents. Classic example: Bubonic Plague.

        So let's not be lulled by analogies to the common cold and childhood diseases. They're the result of a lot of death and misery before the diseases found a stable niche. And while computer viruses share much of the math of disease spread they are designed, not evolved, and can easily have properties rarely seen in nature.
  • Sloppy or devious? (Score:5, Insightful)

    by hcdejong (561314) <hobbes AT xmsnet DOT nl> on Wednesday July 14, 2004 @10:55AM (#9696831)
    From the article: "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.
    I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.
    • Perhaps the AV people just like to convince themselves that the virus writers are bad coders, rather than live with the apparent reality that some of them are actually quite good.

      Or maybe I'm to cynical.
      • by afidel (530433)
        No, from what I read the virus has a crappy date detection routine and for some reason the "safe" environment they run tests in causes it to break. Of course when writing a virus you go for lean and mean rather than using the standard bloated OS interface so it's not a bug in the virus so long as it works correctly under a normal environment.
    • Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection...

      A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"... "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious"

      Does anybody have a theory (that they can explain in fairly simple terms) as to why it won't run in a sandbox? Wouldn't a windows session in VirtualPc etc. be indisting

  • by pHatidic (163975) on Wednesday July 14, 2004 @10:56AM (#9696848)
    Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection.

    Would that make this worm a 'night crawer'?

    Badum Ching!
  • by tomhudson (43916) <barbara.hudsonNO@SPAMbarbara-hudson.com> on Wednesday July 14, 2004 @10:57AM (#9696854) Journal
    So all you have to do to be safe is make sure you've got a debugger running, and the virus kills itself. I guess that adds new meaning to the term "de-bugger" :-)
  • by magefile (776388) on Wednesday July 14, 2004 @10:57AM (#9696856)
    "You're right, it's pure genius - they couldn't guess we'd do that, because only a frickin' idiot would do that!" - paraphrased from (approximately) 3.14 million movies.
  • by StickMang (568987) * on Wednesday July 14, 2004 @10:57AM (#9696860)
    Maybe this will teach them how to teach outside the (sand)box! Maybe they can harness their synergy with this new paridigm shift into sandbox free thinking.

    Ahh, its 1999 all over again :)
  • geez! (Score:3, Funny)

    by manavendra (688020) on Wednesday July 14, 2004 @10:59AM (#9696876) Homepage Journal
    Just what we wanted - buggy bugs, erm, viruses!

    You know something's wrong with the world, when the malicious software itself is flawed..
  • by ites (600337) on Wednesday July 14, 2004 @10:59AM (#9696877) Journal
    One or the other... devious or sloppy... but surely not both.

    Maybe it's just a sign that malware is evolving along the same rules as organic life: accidental errors get selected for survival value and passed along to following generations.

    Malware that detects and disables attempts to reverse engineer it... ?

    Or perhaps we can read the anti-virus researcher's comments in a totally different light: /tinfoil on

    "Most viruses [which we develop ourselves to stimulate sale of our products and services] have a function to let us easily identify and sandbox them. In this example, the function is broken. So sloppy it's devious [and perhaps intended as a warning that we're not paying our freelance coders enough]." /tinfoil off

    Nah.
    • by shadowcabbit (466253) <cxNO@SPAMthefurryone.net> on Wednesday July 14, 2004 @11:10AM (#9696994) Journal
      One or the other... devious or sloppy... but surely not both.

      Yes, it is both. It's sloppy because whoever wrote this virus forgot to disable the suicide code before releasing it into the wild. The writer obviously would have written this into the virus during development so that he didn't hose his own machine.

      It's devious because now virus writers know that "forgetting" to "fix" their virus pisses off more people in high places, instead of just plain pissing off more people. It wastes resources and diverts attention from bigger threats-- or smaller threats which just get lucky.

      It's a tactic so totally stupid that it borders on brilliance.
      • by Gigahertz (768208) * on Wednesday July 14, 2004 @11:24AM (#9697133)
        Thats one way of looking at it... if you like looking at it the wrong way.

        It was intentional, there is no question of this. It's funny that they're calling the code sloppy, and I wish I had a copy of the virus to see if I can figure out why they're saying this.... but its obviously intentional, but barely genious....

        Too much is being made of it... It's not a new technique outside of viruses, it's been mentioned further up the page, and personally I've dealt with programs that do the same thing, and effort always wins. You find the test traps, and you patch around them. It's not even any harder for them to detect, or add signatures in their virus definitions for, it's only more difficult to analyze what it does, but we know its a virus... so this is a non-news waste of time, the attention brought to it assures that more viruses will come equipped with a debugger check, and likely some virus writer will take the extra effort to make the code SO complicated/long/difficult to trace through (this may be the case with them calling the code sloppy) and a lot of extra $$ will be wasted and probably find its way into the cost of anti-virus software subscriptions....

        It's not as if virus writers are the anti-virus writers bread and butter.... oh wait... yeah they are.
  • Not a worm (Score:5, Informative)

    by goldspider (445116) <ardrake79@@@gmail...com> on Wednesday July 14, 2004 @10:59AM (#9696878) Homepage
    "...and it still requires user intervention to infect."

    Then it's not a worm.

  • How does it do that? (Score:5, Interesting)

    by GillBates0 (664202) on Wednesday July 14, 2004 @10:59AM (#9696885) Homepage Journal
    Maybe this is a trivial question for l33t haxx0rz, but how would a program figure out it was running in a debugger? The register article doesn't explain this. Are the checks limited to a set of debuggers, which probably set a certain environment/variables which can be probed?

    One possible method I would probably use (off the top of my head) is to find out the time elapsed between executing two instructions - the time would be fairly high if the code were being singlestepped to.

    • by JamesO (56897) * on Wednesday July 14, 2004 @11:11AM (#9697014) Homepage
      You hook the int 2 (?) and int 3 during the run, so your code gets called before the debugger's breakpoint handler, amongst other techniques.

      Have a look at this [jhu.edu] paper and be enlightened :)

    • by soundman32 (147936) on Wednesday July 14, 2004 @11:12AM (#9697016) Homepage
      IsDebuggerPresent
      The IsDebuggerPresent function indicates whether the calling process is running under the context of a debugger.
      This function is exported from KERNEL32.DLL.
      BOOL IsDebuggerPresent(VOID)
      Parameters This function has no parameters. Return Value If the current process is running in the context of a debugger, the return value is nonzero. If the current process is not running in the context of a debugger, the return value is zero. Remarks This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior. For example, an application could provide additional information using the OutputDebugString function if it is being debugged.
      • by devphil (51341) on Wednesday July 14, 2004 @11:36AM (#9697252) Homepage
        This function allows an application to determine whether or not it is being debugged, so that it can modify its behavior.

        We call those heisenbugs [catb.org] and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.

        "I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"

        Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...

        I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)

      • I knew it! (Score:5, Funny)

        by Stevyn (691306) on Wednesday July 14, 2004 @11:48AM (#9697386)
        There is still a way to blame microsoft for this!!! I was getting a little worried there.
    • by g0bshiTe (596213) on Wednesday July 14, 2004 @11:12AM (#9697019)
      The virus most likely makes use of the Windows API, in such a case the virus would just have to keep an eye on the memory, when it notices a BREAKPOINT set on a certain API call (which is usually never encountered on a normal computer, unless reversing) the program exits.

      There are tons of CRACKME's (small program written solely for people to crack or bypass) I have seen which look for debuggers and will exit if encountered.
    • by ryants (310088) on Wednesday July 14, 2004 @11:19AM (#9697079)
      There are a couple of ways. Here's one that I took from "Building Secure Software". Debuggers tend to reset the processor instruction cache on every operation. Normally this doesn't happen except when a jump happens. So you can write code that changes instructions that should definitely be in the cache. If we're not running under the debugger, this has no effect, because the change doesn't cause the cache to refresh. Under a debugger, things can break:
      1 cli

      2 jmp lbl1

      lbl1:
      3 mov bx, offset lbl2

      4 move byte ptr cs:[bx], 0C3h

      lbl2:
      5 nop

      6 sti

      ; Continue normal operations here
      Commentary:

      1 Clear interrupt bit, so that code is sure to stay in the cache the entire time

      2 Causes CPU I cache to reload

      3 Store addr of lbl2

      4 Store a RET over the nop at lbl2 (0C3h = RET)

      5 nop to be clobbered only if under debugger

      6 Remove interrupt bit

      Of course you need to be a bit stealthier than this, but this is the basic idea.

      • by julesh (229690)
        1. STI/CLI are priveleged instructions, so cannot be run by a windows process (other than a driver)

        2. This will only stop a debugger in single step. If the user spots what you're doing, they just put a breakpoint after this code and run through the whole section and it works fine.
    • by StillAnonymous (595680) on Wednesday July 14, 2004 @11:32AM (#9697211)
      There are literally dozens of ways to check for the presence of debuggers. Some people have already mentioned some here. Here's a few more:

      Int68:

      MOV AH, 43h
      INT 68h
      CMP AX, 0F386h
      JZ FoundDebugger

      Check for SoftIce(most common/powerful debugger) by using the CreateFileA API to check for the SICE VXDs.

      And an interesting one found in the SafeDisc protection where(if I recall) they use a checksum of the GDT to decrypt a section of code. The debugger modifies this table and will cause the code to crash.
      • by IamTheRealMike (537420) <mike@plan99.net> on Wednesday July 14, 2004 @12:25PM (#9697729) Homepage
        And an interesting one found in the SafeDisc protection where(if I recall) they use a checksum of the GDT to decrypt a section of code. The debugger modifies this table and will cause the code to crash.

        SafeDisc also loads a driver into the kernel which reads the debug register in the CPU. SafeDisc does a whole ton of clever things though, those guys really know their stuff, so I can well believe it hashes the GDT too.

        The most common techniques are checking for SoftIce (a very, very popular kernel level debugger) using a variety of techniques, google for "MeltIce" to see one I patched Wine to work with a few weeks ago, checking the x86 debug register, playing with interrupts, examining a Windows internal structure called the PEB, and so on... lots of devious tricks you can use.

  • Ironic quote (Score:5, Insightful)

    by mabu (178417) * on Wednesday July 14, 2004 @10:59AM (#9696888)
    "I haven't seen such ruses used in a mass mailer in a long time. This piece of code is so sloppy, it's devious," said Mircea Ciubotariu, a researcher at Romanian AV firm BitDefender.

    Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"
  • by Anonymous Coward on Wednesday July 14, 2004 @11:00AM (#9696894)
    "This piece of code is so sloppy, it's devious," said Mircea Ciubotariu

    If it's intentional, it's not sloppy...
    If it's not intentional, it's not devious...
  • "HER" code? (Score:4, Funny)

    by md358 (587485) on Wednesday July 14, 2004 @11:00AM (#9696898)
    C'mon, *her* code? Isn't that a bit gratuitous? I mean, we're talking about code here, not a delicious turkey dinner.
  • by captnjameskirk (599714) on Wednesday July 14, 2004 @11:00AM (#9696902)
    1) Contains a "bug", well let's just call it a "feature". 2) Sloppy code, but Hey! it works. Sort of. 3) Run on Windows only. Sounds like every piece of comercial software sold by Microsoft to me.
  • by bfg9000 (726447) on Wednesday July 14, 2004 @11:03AM (#9696929) Homepage Journal
    This piece of code is so sloppy, it's devious

    It shouldn't be hard to find the author, he obviously works at Microsoft.
  • Hack it (Score:3, Insightful)

    by Manip (656104) on Wednesday July 14, 2004 @11:03AM (#9696930)
    It isn't that complicated to find the part of a code that causes a break in execution (end-point). So when it detects the debugger and breaks execution couldn't you reverse engineer it from that point and maybe write a mod (like a game crack) to avoid the debugger detection?

    This would allow the rest of the program to work as normal just without the self-defence code.
  • Code sloppy? (Score:5, Insightful)

    by g0bshiTe (596213) on Wednesday July 14, 2004 @11:04AM (#9696936)
    My guess is that they are so confounded, that by releasing that statement labelling the coding as sloppy they hope to draw the writer out in some way. Seems they are going for his/her ego.

    Because hey no coder legit or illicit wants to be thought of as a sloppy coder.
  • obscurity (Score:5, Funny)

    by double_ooh (779501) on Wednesday July 14, 2004 @11:04AM (#9696938)
    The code is so bad that they can't read it, so it's insecurity through obscurity?
  • Finally! (Score:5, Funny)

    by teamhasnoi (554944) <teamhasnoi@@@yahoo...com> on Wednesday July 14, 2004 @11:08AM (#9696971) Homepage Journal
    Those DMCA violating virus 'terrorists' will be prevented from infringing the copyrights of the poor, disadvantaged virus writers.

    This content author has villified every artist who has ever had their work reverse engineered.

    This is a great day for copyright, authors, and those downtrodden by IP terrorists!

    • Re:Finally! (Score:5, Interesting)

      by Kissing Crimson (197314) <jonesy&crimsonshade,com> on Wednesday July 14, 2004 @11:18AM (#9697064) Homepage
      Mod parent up! This raises an excellent point: don't the AV companies daily violate the DMCA by reverse engineering virus code? If not, how long until somebody puts some kind of copy protection system into a virus and then sues all the AV companies? (I know, copy protection in a virus would be a bit odd, but hey...)
      • Re:Finally! (Score:4, Informative)

        by debrain (29228) on Wednesday July 14, 2004 @01:05PM (#9698212) Journal
        Viruses are not copyright; if they were the author would be admitting to a felony, where 1. s/he cannot benefit, and 2. they cannot claim possession of something illegal, ala. controlled substances. Copyright is, in essence, a form of constructive possession. A virus is like child porn, in that sense. It's worse to claim you own it than to argue for your possessory rights.

        Hope that makes sense. :)
        • Re:Finally! (Score:4, Informative)

          by Alsee (515537) on Wednesday July 14, 2004 @03:33PM (#9699922) Homepage
          Viruses are not copyright; if they were the author would be admitting to a felony

          The first half is absolutely false, and the second half could be false as well. Everything you create is automatically covered by copyright. And it is not a felony to create a virus, only to intend to release it. If you accidentally release it you might get nailed by civil suits (but not criminal ones), and if someone else released your virus without your permission you would not be subject to anything.

          There's a DMCA exemption to decrypt software, but only for interoperability purposes. There is also a DMCA exemption for law enforcement agents. However any non-law-enforcement agent decrypting a virus in an effort to combat it *would* be commiting a felony. The DMCA is seriously fuxored.

          Oh, and I just thought of something else. Commiting a felony by decrypting the virus is still commiting a felony even if the (criminal) author of the virus is unknown.

          -
  • by ItWasThem (458689) on Wednesday July 14, 2004 @11:09AM (#9696984)
    Hopefully this clears up the "Is it sloppy or is it devious?" posts. It is both.

    Number 1 (from the article):
    Atak uses a variety of tactics in its attempts to escape antivirus analysis. Its main trick is to check to see if it's being run in a debugging environment. If so, it exits to avoid detection. The ploy prevents casual perusal of the code by researchers and (potentially) rival virus writers.
    So that part is intentional.

    A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox". A sandbox is a virtual environment commonly used by AV researchers to look at the behaviour of malware in a safe environment.

    So what I think they are saying is that even with it's ability to detect if it's being run in debug mode they would still normally be able to run it in a sandbox. Unfortunately (for the AV companies) there's the second thing. The seemingly unintentional bug that prevents it from working in a virtual environment.
  • by pandrijeczko (588093) on Wednesday July 14, 2004 @11:12AM (#9697017)
    Isn't a "stealth worm" that requires "user intervention" a paradox?
  • by swb (14022) on Wednesday July 14, 2004 @11:13AM (#9697025)
    I'm kind of surprised that AV companies don't use custom VMware-type environments that can be debugged at a level above what the virus or any other processor could detect, or use special hardware/simulators that also can't be detected.

    I'd think this would give them greater granularity and more control over the entire environment than trying to just run in it in a standard debugger.

    • by Chester K (145560) on Wednesday July 14, 2004 @12:14PM (#9697624) Homepage
      I'm kind of surprised that AV companies don't use custom VMware-type environments

      They do, but you can still tell whether your code is running in one of these environments if you're tricky enough. This is exactly the "sandbox" they're referring to.
  • It's New Coke! (Score:3, Insightful)

    by blueZhift (652272) on Wednesday July 14, 2004 @11:15AM (#9697047) Homepage Journal
    This reminds me of the whole New Coke thing years ago. Was it pure genius that Coke managed to sap Pepsi sales with the sweeter more Pepsi-like New Coke while hanging on to loyal customers with the reintroduced Coka Cola Classic, or was it a colossal blunder that they were just lucky enough to escape and still get ahead? Who knows? Unless the virus writer is caught, we may never know. Right now, I guess he or she is saying, "Yeah, I meant to do that!"

    In any case, I guess when it comes to virus writing sloppy coding pays off. And perhaps sloppy != stupid, unless of course you get caught! I suppose the next trick is for someone to release a code obfuscator that produces sloppy looking code.

  • DCMA Violation! (Score:5, Insightful)

    by Anonymous Coward on Wednesday July 14, 2004 @11:17AM (#9697057)
    Hey... If they reverse engineer this thing, won't they be violating the DCMA? I say the virus writer should sue all the anti-virus companies.

    By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti virus software is also violating the DCMA, I say fire off a few hundred law suits and see what happens.

    (Maybe with thinking like this RIAA will hire me.) ;-)
  • Yeah, 'sloppy'. (Score:3, Interesting)

    by Vengeance (46019) on Wednesday July 14, 2004 @11:18AM (#9697074)
    Uh huh, that's what it was, sloppy coding that leads to one's new virus being very difficult to analyze and fight...
  • by Anonymous Coward on Wednesday July 14, 2004 @11:22AM (#9697111)
    I don't understand... Why are they saying the code is sloppy? It seems to me that what they are doing is intentional. So it's not sloppy in the sense that it is full of mistakes.

    I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?

    In fact, if it is so difficult for antivirus companeis to debug this, when why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?
  • EULA (Score:5, Funny)

    by Fuzzums (250400) on Wednesday July 14, 2004 @11:24AM (#9697131) Homepage
    A viruswriter should add an EULA to his/her virus.

    - You may execute this virus 'as is'.

    - We accept no claims of any kind of any or all damage done by this piece of software.

    - You are responsible for the consequences of executing this software.

    - You are NOT allowed to disassemble the code (DCMA).

    - etc, etc..
    • Re:EULA (Score:4, Interesting)

      by maxwell demon (590494) on Wednesday July 14, 2004 @12:32PM (#9697801) Journal
      Well, if that virus comes with a click-through EULA, which even explicitly tells about all the damages the virus will do, and have the "user" agree, it would probably give an interesting legal situation: After all, the user explicitly agreed to every single damage the virus does, by clicking the "I agree" button.
  • by dfj225 (587560) on Wednesday July 14, 2004 @11:35AM (#9697245) Homepage Journal
    AV Guy: Man you are really sloppy! Virus Writer: Sloppy like a fox!
  • Nothing new (Score:4, Informative)

    by Anonymous Coward on Wednesday July 14, 2004 @12:04PM (#9697531)
    Viruses which could detect that they are being run in a debugger were common 10 years ago when I used to work for an anti-virus company. For example, One-Half [nai.com] is such a virus.
  • Bug/sandbox? (Score:5, Insightful)

    by julesh (229690) on Wednesday July 14, 2004 @12:15PM (#9697637)
    A possible bug, related to the way Atak checks its activation date, prevents it from being run in a "sandbox"

    Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.
  • by wvitXpert (769356) on Wednesday July 14, 2004 @12:26PM (#9697745)
    Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.
    Hmmm... let me guess, the virus is written in such sloppy code that it just blends right in with the Windows code? ;^)
  • by Eudial (590661) on Wednesday July 14, 2004 @01:59PM (#9698813)
    Remember the old days of self modifying assembly code?

    (ie:
    instruction purpose
    1-20 alter instruction 21-40
    21-40 alter instruction 1-20, jump to 1
    1-20 do something
    21-40 alter 50-70 and 1-20
    50-70 do something, jump to 1-20)

    All alteration naturally is done in the most tricky of ways.

    Ah, those were the days.
  • by autopr0n (534291) on Wednesday July 14, 2004 @04:19PM (#9700517) Homepage Journal
    It would seem that making a virus hard to debug/analize would be the hallmark of a well-written virus, not a poorly made one.

    I realize that 'easy to exicute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.
  • vindication (Score:5, Funny)

    by sacrilicious (316896) on Wednesday July 14, 2004 @04:20PM (#9700526) Homepage
    the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code.

    See, this is what I've been trying to tell my boss: I'm not writing sloppy code, I'm trying to prevent people from reverse engineering our product!

    We visionaries are always persecuted.

  • by hardaker (32597) on Wednesday July 14, 2004 @05:30PM (#9701370) Homepage
    Gee... a virus that does things different when in a debugger or emulator? Sounds an aweful lot like a certain version of Turbotax about 2 years back... Do we have a prime suspect yet?

"We learn from history that we learn nothing from history." -- George Bernard Shaw

Working...