VB2006: l33t Skillz of the Virus Writer
In the early part of this year, W32.Blackmal.E@mm and OSX.Leap.A received near blanket coverage from the technical media. W32.Blackmal.E@mm was a mass-mailing worm with two particular features that ensured it quickly became a focus of attention. When run, the worm would execute a Web-based php script, which was intended to function as an infection counter. Cue the daily tech-blog updates: "Clock ticking for Nyxem virus" (Slashdot), "Blackworm worm over 1.8 million infestations and climbing" (Sunbelt). Even the fancy animated .gifs of a counter shot up from 398,000 to 440,000 in seconds (F-Secure). Couple this with the fact that the worm was programmed to delete files with a number of common extensions on the third of the next month, and there's a storm a brewin': "Kama Sutra worm seduces PC users" (cnet), "Countdown for Windows virus" (BBC), "Urgent Alert raised for Blackworm D-Day" (Eweek), "Kama sutra wipeout" (The Register).
OSX.Leap.A was a worm intended for Macintosh OSX. It was intended to spread to iChat contacts and infect recently used executable files on the system. As the first major OSX threat, and a file-infecting IM worm at that, it found itself in the full glare of the media: "Macs no longer immune to viruses" (MSNBC), "Malicious worm aims to bite Apple" (BBC), "First Mac OS X Malware infects via iChat" (Techweb).
So, what did these two threats have in common? Well, for one, they both had critical bugs in key parts of their code that hindered – and in the case of some functionality, completely stopped – their ability to work as intended. In this paper, which I presented at the recent VB2006 conference, we take a look at bugs in a number of viruses in the wild. We examine the bugs themselves and what impact they had on the threats' ability to execute on their goals. We also look at what we can learn from these bugs and how it can influence what we do when we analyze new samples.