Jump to content
Tuts 4 You

An In-Depth Analysis of the Bagle Virus

Teddy Rogers

About This File

Today, many anti-virus (AV) scanners primarily detect viruses by looking for simple virus signatures within the file being scanned. The signature of a virus is typically created by disassembling the virus into assembly code, analyzing it, and then selecting those sections of code that seem to be unique to the virus. The binary bits of those unique sections become the signature for the virus. However, this approach can be easily subverted by polymorphic viruses, which change their code (and virus signature) every time they're run. In response, AV vendors implemented heuristics and decryption engines that would run the decryptor/loader code of the binary and peak inside the unencrypted binary to determine if it's a virus. However, the fact is that most viruses are of the "simple" type2 ­ not encrypted or polymorphic, and many of them have many variants that come out afterwards.

We believe that reverse code engineering (RCE) can be used to better analyze viruses and provide us with better techniques to protect against them and their variants. This paper examines the benefits of RCE and how it applies to detecting, preventing, and recovering from a virus. RCE can be defined as analyzing and disassembling a software system in order understand its design, components, and inner-workings. RCE also allows us to see hidden behaviors that cannot be directly observed by running the virus or those actions that have yet to be activated. These benefits can be used to prematurely defeat a virus's future variants by better analyzing the original virus.

User Feedback

Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...