Full Disclosure mailing list archives
Re: Unpacking Sasser
From: "Gary E. Miller" <gem () rellim com>
Date: Mon, 3 May 2004 10:20:12 -0700 (PDT)
Yo Lee!

On Mon, 3 May 2004, Lee wrote:

> I am intrigued by your points of malware understanding the environment. I have never seen this before; have you any pointers for me?

Go try to disassemble some commercial dongle code. Those guys have been counter-attacking against debuggers and reverse assemblers for a long time. Here are a few tricks they use:

Dynamically modifying code. The code that really gets executed only exists for a brief moment, so the only way to see the real execution is to single-step it or dynamically trace-capture it. Self-modifying code also confuses any debugger that modifies the running code with single-step or break instructions instead of using debug registers.

Timing checks in the code. Set a timer, do a bit of work, check that the timer has barely moved, and branch to dummy code if the timer has lasted more than an instant. That handily defeats single-stepping or slower means of dynamic trace.

Many debuggers subtly change the execution environment. Maybe a normally unused soft IRQ now points to a new handler. Maybe one of the segment registers or link library bases is not the usual. A few subtle pieces of info like that and the secret code knows to go into confuse mode.

Are these perfect? No, but it was better to piss off a few customers than to let your code get hacked.

The list goes on and on. The virus/worm guys have a lot to learn from the dongle guys.

RGDS
GARY

---------------------------------------------------------------------------
Gary E. Miller
Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem () rellim com Tel: +1(541)382-8588 Fax: +1(541)382-8676

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html