Security Basics mailing list archives
Re: Can Reverse Engineering Help In Stopping Worms?
From: Don Parker <dparker () bridonsecurity com>
Date: Wed, 5 Jan 2005 15:22:19 -0800
Hi Konstantin,

I read your paper listed below and quite liked it. Thanks for sharing your analysis and time with us. Viruses though as we know are largely spread the same way time and again. Guarding against these attachments through various means is an effective way imho. User education is another issue altogether.

Does reverse engineering a virus help in any way? Absolutely I would say, as learning how it was written is always helpful in understanding its behaviour. That being said I am not a programmer by nature, and would rate my skills as novice like. Much like exploit code, the virus equivalent is always very much worthy of study. To that end I would think that, unlike some, actually writing a virus is an excellent exercise in security. It helps in understanding the enemy is my reasoning. After all, why limit yourself to only one side of the fence? To hear anti-virus vendors disingenuously say that this logic is b.s. is a load of it in and of itself. One should always strive to learn as much as possible about the threats you face. That includes recreating that threat.

Anyhow I will wrap up this ramble and hope you find it constructive in some way.

Kind regards,
Don

--------------------------------------------------------------
Don Parker, GCIA GCIH
Intrusion Detection & Incident Handling Specialist
Bridon Security & Training Services
http://www.bridonsecurity.com
voice: 1-613-302-2910
--------------------------------------------------------------

On Wed, 5 Jan 2005 17:03 , Konstantin Rozinov <krozinov () gmail com> sent:
I thought I'd announce a paper I wrote a few months ago which may interest some of you. You may have seen it elsewhere. If so, my apologies.

The paper is available here: http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf

The goal of this paper is to try to answer the following three questions:

1. How do you reverse engineer a virus?
2. Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a virus and its future variants?
3. Can reverse engineering be done more efficiently?

The paper is organized into five sections and two appendixes. Section 1 is the introduction. Section 2 reviews basic x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a brief introduction to viruses, their history, and their types. Section 4 delves into the Bagle virus disassembly, including describing the techniques and resources used in this process as well as presenting a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A provides a detailed disassembly of the Bagle virus, while Appendix B presents the derived source code of the Bagle virus, as a result of this research.

The paper is available here: http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf

I appreciate all feedback.

Thanks,
Konstantin Rozinov