Full Disclosure mailing list archives

Re: Unpacking Sasser

From: "Gary E. Miller" <gem () rellim com>
Date: Mon, 3 May 2004 10:20:12 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Lee!

On Mon, 3 May 2004, Lee wrote:

I am intrigued by your points of malware understanding the environment
I have never seen this before, have you any pointers for me?


Go try to dissasemble some commercial dongle code.  THose guys have been
counter attacking against debuggers and reverse assemblers for a long
time.  Here are a few tricks they use:

Dynamically modifying code.  The code that really gets executed only
exists for a brief moment.  So the only way to see the real execution is
to single step it or dynamically trace capture it. Self modifying code
also confuses any debugger that modifies the running code with single step
or break instructions instead of using debug registers.

Timing checks in the code.  Set a timer, do a bit of work, check that
the timer has barely moved branch to dummy code if the timer has lasted
more than an instant.  That handily defeats single stepping or slower
means of dynamic trace.

Many debuggers subtely change the execution environment.  Maybe a
normally unused soft irq now points to a new handler.  Maybe one of
the segment registers or link library bases is not the usual.  A few
subtle pieces of info like that and the secret code knows to go in to
confuse mode.

Are these perfect?  No, but it was better to piss off a few customers
than to let your code get hacked.

The list goes on and on.  The virus/worm guys have a lot to learn from
the dongle guys.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAln9P8KZibdeR3qURAosdAKDbcTDyGue7BtGFJsIw/Uby/nhyNgCgvdgu
exiicLAhLnYVd2aOSGi8EZ0=
=xZXc
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Unpacking Sasser Tom K (May 02)
- Re: Unpacking Sasser IndianZ (May 02)
  - Re: Unpacking Sasser Byron Copeland (May 02)
- Re: Unpacking Sasser Andrew Ruef (May 02)
  - Re: Unpacking Sasser - (May 02)
    - Re: Unpacking Sasser Lee (May 02)
    - Re: Unpacking Sasser Nick FitzGerald (May 02)
    - Re: Unpacking Sasser Lee (May 03)
    - Determinig VMWare environment (was: Unpacking Sasser) Spiro Trikaliotis (May 03)
    - Re: Determinig VMWare environment (was: Unpacking Sasser) Lee (May 03)
    - Re: Unpacking Sasser Gary E. Miller (May 03)
    - Catching Sasser Shashank Rai (May 04)
- <Possible follow-ups>
- RE: Unpacking Sasser Angelaix (May 02)