Security Basics mailing list archives

Re: Can Reverse Engineering Help In Stopping Worms?


From: Don Parker <dparker () bridonsecurity com>
Date: Wed, 5 Jan 2005 15:22:19 -0800

Hi Konstantin,

I read your paper listed below and quite liked it. Thanks for sharing your
analysis and time with us. Viruses, though, as we know, are largely spread the same
way time and again. Guarding against these attachments through various means is
an effective way imho. User education is another issue altogether.

Does reverse engineering a virus help in any way? Absolutely, I would say, as
learning how it was written is always helpful in understanding its behaviour.
That being said, I am not a programmer by nature, and would rate my skills as
novice-like. Much like exploit code, the virus equivalent is always very much
worthy of study. To that end I would think that, unlike some, actually writing a
virus is an excellent exercise in security. It helps in understanding the enemy,
is my reasoning. After all, why limit yourself to only one side of the fence?

To hear anti-virus vendors disingenuously say that this logic is b.s. is a load of
it in and of itself. One should always strive to learn as much as possible about
the threats you face. That includes recreating that threat. Anyhow, I will wrap up
this ramble and hope you find it constructive in some way.

Kind regards,

Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Wed, 5 Jan 2005 17:03, Konstantin Rozinov <krozinov () gmail com> sent:

I thought I'd announce a paper I wrote a few months ago which may
interest some of you. You may have seen it elsewhere.  If so, my
apologies.

The paper is available here:
http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf

The goal of this paper is to try to answer the following three questions:
1. How do you reverse engineer a virus?
2. Can reverse engineering a virus lead to better ways of detecting,
preventing, and recovering from a virus and its future variants?
3. Can reverse engineering be done more efficiently?

The paper is organized into five sections and two appendixes. Section
1 is the introduction. Section 2 reviews basic x86 concepts, including
registers, assembly, runtime data structures, and the stack. Section 3
gives a brief introduction to viruses, their history, and their types.
Section 4 delves into the Bagle virus disassembly, including
describing the techniques and resources used in this process as well
as presenting a high level functional flow of the virus. Section 5
presents the conclusions of this research. Appendix A provides a
detailed disassembly of the Bagle virus, while Appendix B presents the
derived source code of the Bagle virus, as a result of this research.

The paper is available here:
http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf

I appreciate all feedback.

Thanks,
Konstantin Rozinov
