Me code write good:
The l33t skillz of the
virus writer.
John Canavan
Symantec Security Response, Dublin
Originally published by Virus Bulletin Conference, October 2006. Copyright held by Virus Bulletin, Ltd.,
but is made available courtesy of Virus Bulletin. For more information on Virus Bulletin, please visit
http://virusbtn.com/
White Paper: Symantec Security Response
Abstract
Viruses and worms pose some of the most formidable threats in the modern computer security landscape, with some virus writers on the bleeding edge of technology, making use of 0-day exploits and innovative techniques to circumvent system security features.
However, for every Blaster, there's a worm that repeatedly attempts to infect the same machine. For every 100,000-node botnet Spybot infection there are 20 variants that fail to get as far as even connecting to an IRC server. For every Netsky, there's an intended mass mailer that crashes before it sends a single copy of itself out.
From exploitable vulnerabilities in their code to incomprehensible goofs, there's no shortage of evidence that a large proportion of virus writers aren't quite as capable as they would like others to think. This paper takes a look at the legacy of these slightly less than expert-level virus writers and examines the threat they continue to pose.
Introduction
Bugs in software code are nothing new. From the early days of computing, bugs have been found in
programs from all areas of technology.
In July 1962 a bug in the flight software for the Mariner 1 space probe caused the rocket to divert from its intended path after launch. As it veered off course, heading for a crash in the North Atlantic shipping lanes, the Range Safety Officer destroyed the rocket. An investigation afterwards discovered that an error had occurred when an equation was transcribed by hand in the specification for the guidance program. [1]
A race condition in the controlling software for the Therac-25 radiation therapy machine was responsible for giving patients massive overdoses of radiation. Between 1985 and 1987 at least 5 patients died as a direct result. Amongst other things, there was no check in place to prevent the electron beam from operating in its high-energy mode without the target in place. [2]
In August 2003, a massive power blackout affected the north-eastern coast of the United States. Fearing a terrorist attack, many fled cities in search of safety. What actually happened? It was discovered that a bug in the energy management software used by the utility company was triggered by a unique combination of events and alarm conditions on the equipment it was monitoring. When a backup server kicked in, it also failed, unable to handle the accumulation of unprocessed events that had queued up since the main system's failure. Because the system failed silently, energy company operators were unaware that they were looking at outdated information on the status of their portion of the power grid for over an hour, according to the report from the U.S.-Canadian task force investigating the blackout. [3] The power outage that followed plunged millions into darkness and caused a significant degree of panic, receiving worldwide blanket media coverage.
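The blackout account above names two general failure modes: an unbounded backlog of unprocessed events that later overwhelmed the backup server, and a silent failure that left operators looking at stale data without knowing it. The following is an added example, not code from the paper or from any real energy management system, showing the defensive counterparts in Python: a bounded event queue that refuses further input rather than piling up, and a freshness indicator that reports when the operator's view has gone stale. All class names, thresholds and event data are constructed for illustration.

```python
from collections import deque
from typing import Deque, Dict, Optional

# Constructed tuning values for this example; a real system would size these
# from its own event rates and operator requirements.
MAX_BACKLOG = 100       # unprocessed events tolerated before we refuse more
MAX_STALENESS_S = 60.0  # seconds without a refresh before the view is "STALE"


class BacklogOverflow(RuntimeError):
    """Raised instead of silently letting the backlog grow without bound."""


class GridMonitor:
    """Minimal event consumer that tracks how fresh its picture of the grid is."""

    def __init__(self) -> None:
        self.backlog: Deque[Dict] = deque()
        self.last_refresh: Optional[float] = None  # time of last processed event
        self.processed = 0

    def enqueue(self, event: Dict) -> None:
        # Bounded queue: a stalled consumer surfaces as an error at the producer,
        # not as a silent pile-up that later overwhelms a failover server.
        if len(self.backlog) >= MAX_BACKLOG:
            raise BacklogOverflow(
                f"{len(self.backlog)} unprocessed events; refusing to queue more"
            )
        self.backlog.append(event)

    def process(self, now: float) -> int:
        """Drain the backlog and stamp the view as refreshed. Returns count drained."""
        drained = 0
        while self.backlog:
            self.backlog.popleft()  # a real system would update grid state here
            drained += 1
        if drained:
            self.last_refresh = now
            self.processed += drained
        return drained

    def status(self, now: float) -> str:
        """What an operator screen should show alongside the data itself."""
        if self.last_refresh is None:
            return "UNKNOWN"
        if now - self.last_refresh > MAX_STALENESS_S:
            return "STALE"
        return "FRESH"


def simulate() -> Dict[str, object]:
    """Constructed scenario: normal operation, then the consumer stalls."""
    mon = GridMonitor()
    # Normal operation: one alarm every 10 s for 100 s, each processed promptly.
    for t in range(0, 100, 10):
        mon.enqueue({"t": t, "alarm": "breaker-trip"})
        mon.process(now=float(t))
    status_healthy = mon.status(now=100.0)

    # Main processing stops (the "silent failure"); alarms keep arriving.
    overflowed = False
    try:
        for t in range(100, 100 + 10 * (MAX_BACKLOG + 5), 10):
            mon.enqueue({"t": t, "alarm": "line-overload"})
    except BacklogOverflow:
        overflowed = True

    return {
        "status_healthy": status_healthy,             # "FRESH"
        "status_after_stall": mon.status(now=200.0),  # "STALE": last refresh was t=90
        "overflowed": overflowed,                     # True: bounded queue refused more
        "backlog": len(mon.backlog),                  # MAX_BACKLOG
        "processed": mon.processed,                   # 10 events handled before the stall
    }


if __name__ == "__main__":
    print(simulate())
```

The design point is that both guards turn a quiet degradation into a visible signal: the producer gets an exception the moment the consumer falls too far behind, and the operator display carries a freshness flag that is computed from the same clock as the data, so outdated information cannot pass for current.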
Bugs in Viruses
Given that these major errors can occur in even the most thoroughly tested, professionally written code, it's not surprising that computer viruses have their fair share of malfunctions and buggy code. Typically written by amateur fanatics, hacked together by script kiddies, or produced as a form of experimentation by overly curious fledgling coders, viruses rarely undergo any sort of stringent testing before their release into the wild. It is not uncommon to find threats with bugs in their code; indeed, some of the most high-profile and prevalent threats in recent years have had bugs.
And so with that in mind we can take a look at some case studies of bugs in viruses, from simple mathematical errors to those that cause key functionality to misfire. We will analyze how they affected the spread of the virus, what effect, if any, they had on the payload, and most importantly what impact they had on infected systems and networks. We will examine what lessons virus analysts can learn by looking back at these threats: areas where bugs are common, how analysts can pinpoint them in a more timely manner, and how they can get that information back to their customers as soon as possible.
In each example, we will take a brief look at the background of the virus, and the intentions of the
virus writer by way of a short analysis of the threat’s main functions. We will then study the key
bugs in the code that hamper functionality, and take note of how these bugs affected the impact the
threat had in the wild.
The Morris Worm
Having examined two of the more recent and high-profile threats affected by buggy code, we will now
take a look at what is widely renowned as the first blended threat Internet worm.
On the evening of November 2nd, 1988 the Internet came under attack from the Morris Worm. Taking advantage of flaws in fingerd/gets and sendmail in BSD-derived versions of UNIX, the worm spread quickly, causing confusion and consternation among system administrators and users as they discovered that their systems had been compromised. This frustration quickly grew as systems became overloaded with running processes as they were repeatedly infected. As time went on, many machines surrendered to the crippling load and failed completely as their swap space or process tables were exhausted. [4]
As the first threat of its kind, response was initially slow, but within 12 hours the Research Group at Berkeley had developed a temporary solution to halt its spread. Patches for the vulnerabilities that the worm exploited as an infection vector were posted the next day, and the situation was under control.