Reverse engineering techniques allow security experts to decompile malware to discover what it’s doing. Unfortunately, criminals often use techniques to make it more difficult for the security experts to reverse engineer some types of malware. This is important to know if you’re planning to take a certification exam such as Security+.
As an example, see if you can answer this sample Security+ practice test question.
Q. Which of the following types of malware is the MOST difficult to reverse engineer?
A. Logic bomb
B. Trojan
C. Armored virus
D. Ransomware
Can you answer the question? More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
You might hear people use the term virus to describe all types of malware, but that isn’t accurate. A virus is a specific type of malware, and malware includes many other types of malicious software, including worms, logic bombs, Trojans, ransomware, rootkits, spyware, and more.
Malware is not software that you would knowingly purchase or download and install. Instead, it is installed onto your system through devious means. Infected systems show various symptoms, such as running slower, starting unknown processes, sending out email without user action, random reboots, and more.
Viruses
A virus is a set of malicious code that attaches itself to a host application. The malicious code runs only when the host application is executed. The virus tries to replicate by finding other host applications to infect with the malicious code. At some point, the virus activates and delivers its payload.
Typically, the payload of a virus is damaging. It may delete files, cause random reboots, join the computer to a botnet, or enable backdoors that attackers can use to access systems remotely. Some older viruses merely displayed a message at some point, such as “Legalize Marijuana!” Most viruses won’t cause damage immediately. Instead, they delay the payload, giving the virus time to replicate first.
A user will often execute the virus (though unknowingly), but other times, an operating system will automatically execute it after user interaction. For example, when a user plugs in an infected USB drive, the system can execute the virus, infecting the system. Note that not all malware needs user interaction to run. As an example, worms are self-replicating and do not need user interaction.
Operation Buckshot Yankee
William Lynn, a U.S. Deputy Secretary of Defense, wrote an article in Foreign Affairs magazine that demonstrates the risk from USB drives. He indicated that this incident marked a turning point in the U.S. cyber defense strategy.
In 2008, the U.S. military suffered a significant data breach that they traced back to a USB flash drive. Apparently, a foreign intelligence agency developed malware and installed it on a USB drive. Someone, though no one seems to be saying who, inserted the USB drive into a military laptop somewhere in the Middle East. The malware quickly infected the system.
The malware continued to operate silently on the mobile system and ultimately infected the U.S. Central Command’s network, including both classified and unclassified systems. Reports indicate that attackers were able to transfer data from the network to foreign servers. Ultimately, the U.S. military discovered the malware and launched Operation Buckshot Yankee. They cleaned the virus off all systems and investigated the incident. It is clear that this was a major incident, even though it started from malware on a single USB drive.
I was working on a U.S. base in 2008 when a new rule came out that banned the use of all removable USB flash drives. There was no mention of Operation Buckshot Yankee at the time, but it was clear that they were serious about enforcing the rule. I know of one contractor who ignored the rule, plugged in a USB flash drive, and had an opportunity to upgrade his résumé the next day. He was fired.
Armored Virus
When antivirus (AV) researchers discover a new virus, they typically attempt to reverse engineer the code. Developers first write applications in a programming language such as C, C++, or C#. Although these languages have strict syntax rules, their source code is easy to read for people who know the language. Developers then compile the code into an executable application. Reverse engineering code is the process of decompiling the executable application and analyzing the code to discover what it does.
Armored viruses use various techniques to make the reverse engineering process more difficult for the AV researchers. Some methods used by armored viruses are:
- Complex code. Some armored viruses use confusing code specifically designed to mask what the virus is actually trying to do.
- Encryption. The virus code may be encrypted when it is compiled, making it more difficult to decompile. This code must first be decrypted before it can be decompiled.
- Hiding. Some viruses attempt to hide their actual location by tricking AV software into thinking the file is located somewhere else.
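To make the encryption bullet concrete from the researcher's side, here is an added Python example (not code from the original post) showing what static analysis sees when a code section is wrapped in a trivial encryption layer, and the step an analyst takes to get back to something a decompiler can work with. The sample section, the embedded strings, and the single-byte XOR key are all constructed for the demonstration; real samples are machine code and real armored viruses use stronger layers than this.

```python
"""Analyst-side triage of an encryption layer on a suspected armored sample.

Added example, not code from the original post. All data below is constructed:
PLAIN_SECTION stands in for a small unencrypted code section, and the XOR key
is an arbitrary value chosen for the demo.
"""
import math
import re
from collections import Counter

# Constructed stand-in for an unencrypted code section. Readable strings are
# embedded so the effect of each analysis step is visible.
PLAIN_SECTION = (
    b"\x55\x48\x89\xe5"                   # push rbp; mov rbp, rsp (function prologue)
    b"kernel32.dll\x00"                   # a library name (NUL-terminated C string)
    b"http://example.invalid/update\x00"  # a configuration string (NUL-terminated)
    b"\xc3"                               # ret
)
CONSTRUCTED_KEY = 0x7A  # arbitrary single-byte key, chosen only for this demo


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR layer; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0). Strong encryption or packing pushes this
    toward 8; a single-byte XOR only permutes byte values, so it does not."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_plaintext(data: bytes) -> int:
    """Heuristic for 'looks like a real binary's string data': total length of
    printable runs, plus a bonus for each run terminated by a NUL byte."""
    score = 0
    for m in re.finditer(rb"[\x20-\x7e]{4,}", data):
        score += len(m.group())
        end = m.end()
        if end < len(data) and data[end] == 0:
            score += 16
    return score


def recover_single_byte_xor(encrypted: bytes) -> tuple[int, bytes]:
    """Try all 256 keys and keep the one whose output scores highest.
    Returns (key, decrypted_bytes)."""
    best_key, best_score = 0, -1
    for key in range(256):
        s = score_plaintext(xor_single_byte(encrypted, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, xor_single_byte(encrypted, best_key)


def triage(encrypted: bytes) -> dict:
    """Summarise what static analysis sees before and after peeling the layer."""
    key, decrypted = recover_single_byte_xor(encrypted)
    return {
        "strings_before": extract_strings(encrypted),
        "entropy_before": round(shannon_entropy(encrypted), 3),
        "recovered_key": key,
        "strings_after": extract_strings(decrypted),
        "entropy_after": round(shannon_entropy(decrypted), 3),
    }


if __name__ == "__main__":
    sample = xor_single_byte(PLAIN_SECTION, CONSTRUCTED_KEY)
    for name, value in triage(sample).items():
        print(f"{name}: {value}")
```

Two things worth noticing when running it. First, string extraction on the encrypted section returns nothing, which is exactly why the code "must first be decrypted before it can be decompiled": a decompiler fed the raw bytes would see no imports, no URLs, and no recognisable code. Second, the entropy is identical before and after, because a single-byte XOR is a bijection on byte values. Entropy is a good indicator for packed or strongly encrypted sections, but a section that yields no strings while keeping ordinary entropy is itself a hint that a simple encoding layer is in the way.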
Remember this
An armored virus uses one or more techniques to make it difficult to reverse engineer. Common techniques include using complex code, using encryption, or hiding the location.
Q. Which of the following types of malware is the MOST difficult to reverse engineer?
A. Logic bomb
B. Trojan
C. Armored virus
D. Ransomware
The answer is C. An armored virus uses one or more techniques to make it difficult for antivirus researchers to reverse engineer it.
A logic bomb executes in response to an event, but it is often implemented with simple code.
A Trojan appears to be something beneficial, but it includes a malicious component.
Ransomware takes control of a user’s system or data and then demands payment as ransom.
You may also want to view the blog post about Identifying Malware Threats.