views: 886
answers: 6

BE AWARE! Creating spyware, computer viruses and similar nasties can be illegal where you live and is considered extremely unethical by almost everyone. Still, I need to ask this to raise awareness about how easy it is to create one. I am asking this after the W32/Induc-A was introduced to this world by someone who came up with a nasty way to spread one. So I want to know how a virus can be created so I will be able to recognise them in the future!

Recently a new virus was discovered which spreads itself by replacing the developers' copies of library code. Actually, through the source code of Delphi 4 through 7. What happened is that there's a virus in the wild which searches the computer for a file called SYSCONST.PAS, to which it will add itself as source code. This file happens to be a source file for the runtime libraries of Delphi. (This runtime source code is available for Delphi developers.) As a result, after being infected a programmer would create lots of new versions of this virus without even knowing it. Since virus scanners sometimes generate false positives many developers might thus decide to ignore the warnings of the scanner and maybe they'll even disable their scanner while building their project. To make it worse, their project might even trigger the scanners of their customers so it's likely that those programmers won't check their source code but will just try to fool the scanner somehow. That is, if a virus scanner is even able to recognise the virus, which isn't very likely. Thus, we software developers might be creating viruses without realizing what we're doing!

So, how to create a virus? Simple: get your source code infected by a virus and you're done!

Okay, so the source code of Delphi 4 through 7 might be infected. All Delphi developers, please check your source files! The case is just a proof-of-concept and apparently it can be very successful. Besides, most virus scanners won't check source code but just focus on executables. This virus could stay undetected for quite a while.

This virus also was successful because it misused source code. Delphi is a commercial project and the source code is available. But who is sure that these hackers won't be attacking open-source projects in similar ways? There are lots of open-source projects out there and who is going to check them all making sure they're all behaving in a decent way? And if someone is checking the code, will he be able to recognise if something is malicious code?

So, to make sure we can recognize malicious source code, I have to ask: How do I create a virus? How do I recognise the code that will create a virus? What is it that most malware will want to do?


There is a bit of discussion about the Delphi runtime source code, about this code being open-source or not. Borland uses a dual-license for their source code from the moment when they started to support Linux with Kylix. As a result, the source code has a "GPL" symbol declared which indicates if the libraries are compiled as GPL code or not. As GPL, the source code would be open-source. This also happens to be the source version that was attacked by the virus. Anyway, to avoid discussions here, I've asked this question here so we can focus more on the virus problem and less on Delphi. Basically, we're talking about a virus that attacks source code. Technically, all source code could be at risk but open source code is a likely candidate since hackers know its structure and can target those files that are rarely modified, thus rarely checked. (And if they can hack their way into a CVS system, they could even erase the traces of their modifications, thus no one might notice the modifications!)
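One defender-side check that follows from the point above that scanners focus on executables rather than source: hash every runtime source unit once on a trusted machine, keep that manifest somewhere the build box cannot rewrite, and compare against it before each build so an edit to a unit nobody meant to touch is noticed before it is compiled into a release. This is an added example, not code from the question or from any Delphi tool; the directory layout, file names and file contents it creates are constructed, and it uses only the Python standard library.

```python
import hashlib
import tempfile
from pathlib import Path

# Source-file types worth tracking. The runtime library sources mentioned in
# the question are .pas units; the others are common Delphi companions.
TRACKED_SUFFIXES = (".pas", ".inc", ".dfm", ".dpr")


def hash_file(path):
    """SHA-256 of a file's bytes, read in chunks so large units are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every tracked source file under root (relative, POSIX-style path)
    to its SHA-256 so two snapshots of the tree can be compared."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TRACKED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def diff_manifest(baseline, current):
    """Report which tracked files changed, appeared or vanished since the
    baseline was taken. A hit on a file nobody intentionally edited is the
    signal worth reviewing before building."""
    modified = sorted(name for name, digest in baseline.items()
                      if name in current and current[name] != digest)
    added = sorted(name for name in current if name not in baseline)
    removed = sorted(name for name in baseline if name not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: snapshot a tiny runtime-library tree, then
    append an unreviewed line to a unit that is rarely edited (the situation
    the question describes) and let the diff flag it."""
    with tempfile.TemporaryDirectory() as root:
        unit_dir = Path(root) / "Source" / "Rtl" / "Sys"   # hypothetical layout
        unit_dir.mkdir(parents=True)
        unit = unit_dir / "SysConst.pas"
        unit.write_text("unit SysConst;\n\ninterface\n\nimplementation\n\nend.\n")

        baseline = build_manifest(root)        # taken on a trusted machine

        # The appended text stands in for any unexpected modification; the
        # check is content-agnostic and only cares that the bytes changed.
        with unit.open("a") as handle:
            handle.write("{ constructed change: this unit was not supposed to be touched }\n")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())   # {'modified': ['Source/Rtl/Sys/SysConst.pas'], 'added': [], 'removed': []}
```

The baseline manifest only has value if it is produced and stored independently of the machine being checked (for example committed to version control from a clean install, or signed), and the comparison belongs in the build pipeline rather than in a step a developer can skip when the scanner gets annoying. Paired with the version-control diff of the same files, any hit on a unit that is never supposed to change gets a human look before it ships.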

+2  A: 

If you really want to learn, and are willing to put in the time, your time is probably better spent on Google to find, then participate in, a greyhat community. This topic is highly complex.

If your question is as simple as "what's an easy way to recognize a virus from its source code", well, it probably won't be easy, because there are infinite ways to go about it.

Dustin Getz
But what about recognising their behaviour in some generic way? For example, recognisable patterns in the code? At least, recognisable for us, humans.
Workshop Alex
It follows, though, that virus design would change to avoid detection.
Argalatyr
I recently read a book about the "Myths of Security". Basically, it said that viruses are becoming hard to detect not because they're new, but because they're able to modify themselves by e.g. using encryption and packing techniques. A virus that infects open-source code would also be difficult to detect simply because it becomes part of many other applications. The biggest problem it has, though, is that it has a signature that can be recognised.
Workshop Alex
I've seen it be as simple as "=" instead of "==" in a C program. It can be impossible to tell the difference between a typo and a deliberate security hole. In the end, that's what you really want, anyway: to identify all security issues, not just deliberate security issues.
Alec
+6  A: 

While this does not really answer your question, I think a really interesting paper to read is Reflections on Trusting Trust by Ken Thompson. It raises a fascinating point that even if your source code is free of defects (viruses, trojans, etc.), you might still be producing defective executables if your compiler is defective. And even if you rebuild the compiler from clean source code, you can still have the same problem.

Unless you're building your computer from the ground up with your own microchips, hand-assembling your own BIOS, writing your own operating system, compiler, and software, you have to draw the line somewhere and trust that the hardware and software upon which you're building your systems are correct.

Adam Rosenfield
Well, trust is what counts. But as it is, some hacker decided to infect an open-source project at the source! This will be copied by many other hackers who will attempt to infect more open-source code, where possible. So, first of all I want to create awareness. And also, I want useful tips on how to recognise these malicious code snippets.
Workshop Alex
Thanks for the link to KT's article. I never knew he got into those topics.
lkessler
In the end, a very useful resource to start with! :-)
Workshop Alex
+4  A: 

You could check for the Evil Bit on incoming packets... http://en.wikipedia.org/wiki/Evil%5Fbit

forgot my open id login
+4  A: 

If you want to recognize malware, you must know how it works. This means researching malware and acquiring the skill to produce malware.

  • search for 29A - they wrote papers on viruses
  • read about rootkits (there are even books on it)
  • read about reverse engineering
  • read source code of malware - there's plenty of it on the web.
  • learn assembler
  • learn about your OS
  • reverse the OS kernel
  • get ClamAV, check the source

I won't provide links here. They are easily found though.

Tobias Langner
+2  A: 
lkessler
We also need to understand it so we can recognize it in other people's work! With closed source, there's the risk from co-workers adding malicious code but those risks are reasonably well limited and easier to trace than hacks in source code that's available for many people, like open source and the runtime source of Delphi. (And to be honest, Delphi is really popular amongst hackers.)
Workshop Alex
+1  A: 

There is no difference between malicious code and an unintentional security bug.

You might as well be asking "How can I write a useful program that has no bugs and is impossible to exploit".

As we all learn in CS, it's impossible to even write debuggers to catch infinite loops, let alone intelligent malevolence.

My advice for security conscious applications is an ex(p|t)ensive code review and use of commercially available static analysis software.

Einstein
Yes, there is! Security bugs are hidden from everyone. Malicious code is known by at least one person after it's added, thus the abuse of this code will start sooner. While security bugs are bad, malicious code is worse since it's going to be misused from the moment of creation. Besides, malicious code can occur in any source file. Thus, it can even be exploited by applications that have nothing to do with security.
Workshop Alex
If my intent wasn't clear I'm sorry. My response was intended to be couched in the context of discovery of malicious code and was not intended to address exploitation.
Einstein