REVERSE CODE ENGINEERING: AN IN-DEPTH ANALYSIS OF THE BAGLE VIRUS
Hi,
This is a nice tutorial about REVERSE CODE ENGINEERING.
Today, many anti-virus (AV) scanners primarily detect viruses by looking for simple virus signatures
within the file being scanned. The signature of a virus is typically created by disassembling the virus into
assembly code, analyzing it, and then selecting those sections of code that seem to be unique to the virus.
The binary bits of those unique sections become the signature for the virus. However, this approach can
be easily subverted by polymorphic viruses, which change their code (and virus signature) every time
they’re run. In response, AV vendors implemented heuristics and decryption engines that would run the
decryptor/loader code of the binary and peek inside the unencrypted binary to determine if it’s a virus.
However, the fact is that most viruses are of the “simple” type – not encrypted or polymorphic, and many
of them have many variants that come out afterwards.
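The detection trade-off described above, as an added example that is not part of the paper: a toy byte-signature scanner, the constructed "encrypted variant" that slips past it, and the decryption-engine style rescan that recovers the match. The signature, the samples and the single-byte XOR decoder are all constructed for illustration.

```python
# Added example, not from the paper. Every byte string here is constructed;
# none of it is real malware or a real AV signature.

# Constructed: the "unique section" an analyst selected from the original.
SIGNATURE = bytes.fromhex("e8000000005b81eb")


def scan_signature(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain signature scan: does the byte pattern occur anywhere in the file?"""
    return sig in data


def xor_bytes(body: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes (XOR is its own inverse)."""
    return bytes(b ^ key for b in body)


def scan_with_decoder(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Decryption-engine style scan: match the raw bytes first, and if that
    fails, stand in for 'running the decryptor' by trying every single-byte
    key and scanning each candidate plaintext for the signature."""
    if scan_signature(data, sig):
        return True
    return any(sig in xor_bytes(data, key) for key in range(1, 256))


# Constructed original sample: filler bytes around the signature.
ORIGINAL = b"\x90" * 8 + SIGNATURE + b"\xc3" * 8

# Constructed "variant": the same bytes XOR-encoded with key 0x5A, so the
# signature no longer appears in the file as stored on disk.
ENCODED_VARIANT = xor_bytes(ORIGINAL, 0x5A)


def demo() -> dict:
    """Summarise what each scanner sees; returned for inspection."""
    return {
        "original_raw": scan_signature(ORIGINAL),            # True
        "variant_raw": scan_signature(ENCODED_VARIANT),      # False: signature hidden
        "variant_decoded": scan_with_decoder(ENCODED_VARIANT),  # True: found after decoding
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'detected' if hit else 'missed'}")
```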
We believe that reverse code engineering (RCE) can be used to better analyze viruses and provide us with
better techniques to protect against them and their variants. This paper examines the benefits of RCE and
how it applies to detecting, preventing, and recovering from a virus. RCE can be defined as analyzing and
disassembling a software system in order to understand its design, components, and inner-workings. RCE
also allows us to see hidden behaviors that cannot be directly observed by running the virus or those
actions that have yet to be activated. These benefits can be used to prematurely defeat a virus’s future
variants by better analyzing the original virus.
The goal of this project is to try to answer the following three questions:
1. How do you reverse engineer a virus?
2. Can reverse engineering a virus lead to better ways of detecting, preventing, and recovering from a
virus and its future variants?
3. Can reverse engineering be done more efficiently?
The virus we chose to examine in this paper is known as Bagle (also known as Beagle). The reasons for
this will become evident in Section 4.1. Although Bagle is often classified as a worm by AV vendors, we
refer to it as a virus because it requires human intervention (it’s activated only by the user) to continue its
propagation. However, it has characteristics of a worm as well, including the ability to spread to other
computers and not needing a host file to attach to. In the end, it doesn’t matter whether it is referred to
as a virus or a worm or just malware.
The remainder of this paper is organized into four sections and two appendixes. Section 2 reviews basic
x86 concepts, including registers, assembly, runtime data structures, and the stack. Section 3 gives a
brief introduction to viruses, their history, and their types. Section 4 delves into the Bagle virus
disassembly, including describing the techniques and resources used in this process as well as presenting
a high level functional flow of the virus. Section 5 presents the conclusions of this research. Appendix A
provides a detailed disassembly of the Bagle virus, while Appendix B presents the derived source code of
the Bagle virus, as a result of this research.