'Stealth' Worm Hinders Sandbox Analysis 461
Tuxedo Jack writes "The Register reports that the new Atak worm cannot be analyzed or debugged by antivirus companies without quite a bit of work, due to the author being sloppy with his or her code. Windows machines, as per the norm, are the only vulnerable ones, and it still requires user intervention to infect. Perhaps future worms will start including this 'bug' in their releases. We can only hope not." It doesn't sound like a bug at all, from the virus writer's perpective.
so is this what MSFT does? (Score:4, Insightful)
Without the recent access to the source for IE we would never have found out about BMP overflows, etc. Which was just poor and lazy coding.
Mailers? (Score:4, Insightful)
I wonder if a virus with some code to re-partition your drive on a reboot would cause this issue to be taken more seriously.
I think we're just lucky these writers don't do more with the holes Microsoft gives them.
Sloppy or devious? (Score:5, Insightful)
I'm sure it's lost something in the translation. The rest of the article suggests it's by design rather than accident.
Hex it? (Score:1, Insightful)
Re:Strange (Score:5, Insightful)
And the greatest trick this guy pulled is making himself look like an ID10T...
Ironic quote (Score:5, Insightful)
Considering virus writers are more motivated by being devious than impressing analysts, doesn't it seem inappropriate to assume the coding was "sloppy?"
what is it gonna be? (Score:3, Insightful)
If it's intentional, it's not sloppy...
If it's not intentional, it's not devious...
Re:Mailers? (Score:5, Insightful)
More damaging. (Score:5, Insightful)
Damaging the computer itself is too easy to catch and causes people to take it seriously.
Changing data has more implications for CORPORATIONS and would take longer to detect.
Re:Mailers? (Score:5, Insightful)
Highly damaging viruses don't spread far. Today's virus/work/trojan writers want to capture large numbers of zombie PCs and resell these networks. They aim for control, not damage. It's about money, not vandalism.
Hack it (Score:3, Insightful)
This would allow the rest of the program to work as normal just without the self-defence code.
Code sloppy? (Score:5, Insightful)
Because hey no coder legit or illicit wants to be thought of as a sloppy coder.
Re:Hex it? (Score:5, Insightful)
Not really. It's kinda like looking at that blueprints to a race car. Even if you know every little bit of the thing, you don't really understand what it does or how it does it until you can take it out on the test track.
Besides, looking at compiled code in a hex editor is kinda like looking at a jpeg in a hex editor. Maybe you see some interesting patterns, but it's tough to get the big picture.
BTW, yes, it is bad analogy week here on Slashdot. Didn't you get the memo?
Re:Hex it? (Score:5, Insightful)
I did things like this years ago when fiddling around with a copy protection scheme. (Remember those days?) Trivial, really
If you really step through the code with a debugger, you can see the tests and traps (if you know what to look for) and avoid them. But that's tedious, to say the least.
Obviously somebody at the virus scanner companies couldn't be bothered, and was impressed with or surprised by a lousy "debugger bit test".
Re:AV software particularly effective? (Score:2, Insightful)
Re:"So sloppy it's devious"? (Score:4, Insightful)
Yes, it is both. It's sloppy because whoever wrote this virus forgot to disable the suicide code before releasing it into the wild. The writer obviously would have written this into the virus during development so that he didn't hose his own machine.
It's devious because now virus writers know that "forgetting" to "fix" their virus pisses off more people in high places, instead of just plain pissing off more people. It wastes resources and diverts attention from bigger threats-- or smaller threats which just get lucky.
It's a tactic so totally stupid that it borders on brilliance.
Custom VMWare environment or hardware? (Score:5, Insightful)
I'd think this would give them greater granularity and more control over the entire environment than trying to just run in it in a standard debugger.
It's New Coke! (Score:3, Insightful)
In any case, I guess when it comes to virus writing sloppy coding pays off. And perhaps sloppy != stupid, unless of course you get caught! I suppose the next trick is for someone to release a code obfuscator that produces sloppy looking code.
DCMA Violation! (Score:5, Insightful)
By copying parts of the virus into their virus scanning signatures, perhaps everyone running the anti virus software is also violating the DCMA, I say fire off a few hundred law suits and see what happens.
(Maybe with thinking like this RIAA will hire me.)
Re:Mailers? (Score:3, Insightful)
Although, like a poster below, the data changing aspect would be a more annoying bug.
I'm just saying that MS can be made to look real bad in the eyes of corporations. Mind you, the person responsible for something like that would get the death sentence under Patriot Act or something i'm sure.
How does this equate to sloppy? (Score:5, Insightful)
I also don't understand how stopping execution if your product is being debugged equates to "sloppy". It seems to me that a large number of software companies would WANT their software to behave in this way to make reverse engineering and hacking harder?
In fact, if it is so difficult for antivirus companeis to debug this, when why isn't more software using this technique to make piracy more difficult, and/or hacking network games harder?
Re:Strange (Score:1, Insightful)
Re:Mailers? (Score:4, Insightful)
Re:Mailers? (Score:5, Insightful)
code red for example if it had a timed payload that X minutes after infection kill the machine and that number of minutes was 3 days in the future it would be able to widely spread and STILL cause the death of the host machines.
the scaries is the stealth virus that spreads slowly, is silent and act's mostly benign for 90 to 120 days then simply kicks in for a full boat infection/attack+death 4 hours after final activation.
by the time it was discovered most people would be helpless.
Dear me, how remarkably fucking stupid. (Score:5, Insightful)
We call those heisenbugs [catb.org] and they are the bane of a programmer's existence. The whole damn point of a debugger is to replicate the same behavior as normal, not allow the program to choose to exhibit a different behavior.
"I'm going to look at you more closely now. Please act normal. (But it's your call if you don't.)"
Yeah, that "surprise inspection" works great everywhere else, why not in programming? Fucking morons...
I was happier not knowing about this function. soundman32, I shake my fist at thee. :-)
Re:More damaging. (Score:3, Insightful)
Or even more fun, long documents you produce for meetings or public distribution. Embeded within are names harvested from your address book appended with a few choices words?
Why not scan Word documents for names, and cross-reference those with your address book? As soon as a match is found, mail them said document. John Smith will surely be glad to learn that you intend to announce to him at next week's meeting that you'll fire him. Or ACME-soft will be pleased to learn that you are so dissatified with their service that you are shopping for a competitor ;-) But fore-warned is fore-armed.
Endless fun!
Re:so is this what MSFT does? (Score:3, Insightful)
Availability of the source code does not lead to exploits. Anybody with even a moderate amount of experience with software development would know this. If the exploit was evident by looking at the code, the code writer would probably fix it. Every single exploit is discovered by accident, put in a "bug report", and the code writer has to spend a huge amount of time figuring out exactly how his code, which looks just fine, is producing the unwanted behavior. The discovery of unwanted behavior is exactly equal in both open and closed source.
In fact the advantage of open source is not that it has fewer bugs, but that when such unwanted behavior is discovered by accident, a huge number of people will try to fix it. Even people who get it wrong will produce modified versions that are less likely to be attacked by a virus.
Re:How does this equate to sloppy? (Score:2, Insightful)
The reference to sloppy code is only is only made in the following quote from the article:
As another poster suggested, perhaps something got lost in the translation.
While this may make the virus a little harder to analyze, I don't see how it would slow the anti-virus companies down much. Anti-virus researchers would simply need to change the code, disabling the section that checks to see if a debugger is attached. This is likely a simple matter of disassembling the code and changing the appropriate jump statement.
Bug/sandbox? (Score:5, Insightful)
Sounds more like a bug in the sandbox to me. A sandbox should be indistinguishable from running on a real non-virtualised computer.
Re:You're missing the point (Score:3, Insightful)
OTOH, you have a group of largely unknown people writing viruses, and a group of people who profit off of their bad behavior. Besides, even if the AV companies didn't have a symbiotic relationship with the writers, why spark an arms race?
Re:so is this what MSFT does? (Score:4, Insightful)
Re:More damaging. (Score:5, Insightful)
That sh*t would be brutal to deal with.
Its one thing to know you have to restore from backups after a harddrive is wiped, or you just can't seem to shake the virus.
Its a whole other ballgame when the virus goes undetected for a month and the excel sheets you've been conducting your business with have been screwed with. Yeah, you can restore and recreate a month's worth of work, but how do you account for the decisions you've made with bad data over the course of that month?'
You're absolutely right, and I bet most people aren't taking what you're saying seriously enough. Do you know how many businesses keep track of things, even financial data, in just Excel spreadsheets? I mean, NO real paper trail, and even nothing clear to check the numbers against?
Even when you're talking about corrupting data, it's one thing to delete a random letter from a word document- a spell-check will probably catch it. If a virus added a particular sentence to word documents (the same sentence each time), you can at least find out if the document has been corrupted by searching for that sentence. Even random sentences, which would be much harder to deal with, would be noticable when someone goes to read it. However, shifting individual numbers in an Excel document 10%, up or down, randomly? That could easily go unnoticed for a long time, and even when you go to the backups, how do you know you have retrieved an old enough version to be an uncorrupted version?
The idea kind of reminds me of the Office Space/Superman III scheme of writing a virus that rounds down to the nearest cent and sends the excess to a bank account.
Re:More damaging. (Score:2, Insightful)
This is called "cryptovirology" and here [amazon.com] is a really interesting book about it.
Re:so is this what MSFT does? (Score:5, Insightful)
I have heard the "BMP thing" being spouted by a Microsoft / closed-source apologist
Actually an apologist wouldn't be spouting about the BMP exploit. Rather an apologist would be trying to dismiss it as you do in here:
Is there any documented evidence that this has been used in *any* virus/worm/hacks?
There. Now you're being the closed source apologist by saying,"We're sorry about the BMP thing but does it really make a difference?" Since it's been pointed out that the BMP thing was only present in older editions of MSIE (5.5?) it's pretty plausible that the forensic trail of tracking any exploits is long covered, formatted, and reinstalled.
And has there actually been more than one bug found
The security industry has its hands full simply processing data on exploits which are submitted. The people who have time to go over that released source code routine by routine, structure by structure, loop by loop, aren't going to tell you about it first. If they're nefarious they're not telling anyone.
Additionally, did you read this [secunia.com] yesterday? Did you try contacting the authors who published those vulnerabilities? It's quite possible that they came onto those vulns by looking at the source code.
So sit down and...
If the exploit was evident by looking at the code, the code writer would probably fix it
That's a bit shallow minded. Not every programmer who works for MS was a 4.0 overachiever who visualized code loops and logic flow in real time. Very few middle managers were 4.0 overachievers--many got to their position because they were better at social networking than coding networks. By the time the code gets to the upper management it's not being audited line by line. Even 4.0 students aren't always guaranteed overachievers with amazing perceptual abilities. Many 4.0 students know how to stand in line and keep their mouths shut. That's the most assured way to a 4.0.
Every single exploit is discovered by accident
I would agree that the majority of exploits are discovered by someone noticing erratic behavior in a program and taking the initiative to dig in deeper. However I know a number of people who take great delight in poring over changelogs and then going back to audit source code when "Bug in <sourcefile.c> fixed." The changelog may have been a roadsign but when sourcefile.c is 1000+ lines it's still a testament to skill to find the bug which was fixed.
You're assuming people would fix it... (Score:5, Insightful)
Frankly, I'm with the first poster. I good 'ole fashion hard disk reformatter would light some fires out there. I'm tired of seeing people with 5 or 6 viruses, uncountable spyware programs and everthing on their computer broken wanting the damn things fixed without a clean install because they don't know what a file is and have no idea how to back things up.
Re:Mailers? (Score:3, Insightful)
Critical mass for infection is harder to reach if your lethal. The virus writter would have to predict reactive patterns and behavior in the wild. Hard. A lethal virii would have a shorter window. If it had a syncranized dormancy and waited till critical mass, then maybe. But you have to balance more time to get caught vs more time to spread.
What a bizzare statement (Score:4, Insightful)
I realize that 'easy to exicute' is a design goal of most software writers, but I'd think virus writers would want to focus on other things.
Re:Custom VMWare environment or hardware? (Score:3, Insightful)
I assume Intel and AMD must already have almost exactly this sort of hardware available for development work.
I guess the virus could then try to look to peripheral hardware for timing information, like video cards and harddrives. On one hand it would be a major pain for an AV company to accurately virtualize the timing in peripherals, but on the other hand the virus writer is facing unknown peripherals connected to an unknown system with wildly variable timings.
-
So all I need is a debugger running? (Score:1, Insightful)
Re:Finally! (Score:3, Insightful)
This exception permits circumvention of access control measures, and the development of technological means for such circumvention, for the purpose of testing the security of a computer, computer system or computer network, with the authorization of its owner or operator.