Tuts 4 You

An In-Depth Analysis of the Bagle Virus


Teddy Rogers

About This File

Today, many anti-virus (AV) scanners primarily detect viruses by looking for simple virus signatures within the file being scanned. The signature of a virus is typically created by disassembling the virus into assembly code, analyzing it, and then selecting those sections of code that seem to be unique to the virus. The binary bits of those unique sections become the signature for the virus. However, this approach can be easily subverted by polymorphic viruses, which change their code (and virus signature) every time they're run. In response, AV vendors implemented heuristics and decryption engines that run the decryptor/loader code of the binary and peek inside the unencrypted binary to determine if it's a virus. However, the fact is that most viruses are of the "simple" type: not encrypted or polymorphic, and many of them have many variants that come out afterwards.
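
The signature workflow described above, as an added illustration that is not part of the paper: a toy scanner that picks the first byte window of a sample that occurs in no benign file (the "unique section"), matches it by plain substring search, and then shows why a variant that differs by a single byte in that window is missed. The header bytes, the "virus" body, and the benign corpus are all constructed; no real malware bytes are used.

```python
# Added example, not from the paper: a toy byte-signature scanner.

# Constructed header shared by every file below (resembles a DOS stub prefix).
HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000b8000000")

# Constructed sample "virus"; the body is arbitrary text, not real malware.
SAMPLE_VIRUS = HEADER + b"PAYLOAD_CORE_ROUTINE" + b"\x00" * 8

# Constructed benign corpus sharing the same header bytes.
BENIGN_CORPUS = [
    HEADER + b"hello world program",
    HEADER + b"calculator v1.0",
]

SIG_LEN = 8


def select_signature(sample: bytes, corpus, length: int = SIG_LEN):
    """Return the first `length`-byte window of `sample` that occurs in no benign file.

    This is the 'pick the unique section' step: windows shared with benign
    files (here, the common header) are skipped because they would produce
    false positives on clean files.
    """
    for i in range(len(sample) - length + 1):
        window = sample[i:i + length]
        if not any(window in benign for benign in corpus):
            return window
    return None


def scan(data: bytes, signature: bytes) -> bool:
    """Plain substring match: the entirety of a simple signature scanner."""
    return signature in data


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Constructed 'variant': identical to data except one byte at `offset`."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


def analyze():
    """Derive a signature, then check it against the sample, the benign corpus,
    and a one-byte variant. Returns a dict so the results can be inspected."""
    sig = select_signature(SAMPLE_VIRUS, BENIGN_CORPUS)
    offset = SAMPLE_VIRUS.find(sig)
    variant = flip_one_byte(SAMPLE_VIRUS, offset)
    return {
        "signature_hex": sig.hex(),
        "signature_offset": offset,
        "detects_sample": scan(SAMPLE_VIRUS, sig),
        "benign_hits": sum(scan(b, sig) for b in BENIGN_CORPUS),
        "detects_variant": scan(variant, sig),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The selected window straddles the end of the shared header and the first body byte, because that is the earliest position at which the sample diverges from every benign file; the scanner finds the original sample and none of the benign files, but misses the variant entirely. That false negative is the weakness the abstract refers to, and the reason detection that reasons about the disassembled code rather than raw bytes is more robust against follow-on variants.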

We believe that reverse code engineering (RCE) can be used to better analyze viruses and provide us with better techniques to protect against them and their variants. This paper examines the benefits of RCE and how it applies to detecting, preventing, and recovering from a virus. RCE can be defined as analyzing and disassembling a software system in order to understand its design, components, and inner workings. RCE also allows us to see hidden behaviors that cannot be directly observed by running the virus, or those actions that have yet to be activated. These benefits can be used to pre-emptively defeat a virus's future variants by better analyzing the original virus.

