crafted malicious program running on many systems, he or she can start
utilizing these systems for extra computing power or extra network
bandwidth.
Information Theft
Finally, malicious programs can easily be used for information theft. Once a
malicious program penetrates into a host, it becomes exceedingly easy to steal
files and personal information from that system. If you are wondering where a
malicious program would send such valuable information without immediately
exposing the attacker, the answer is that it would usually send it to another
infected machine, from which the attacker could retrieve it without leaving
any trace.
Malware Vulnerability
Malware suffers from the same basic problem as copy protection technologies—
they run on untrusted platforms and are therefore vulnerable to reversing. The
logic and functionality that resides in a malicious program are essentially
exposed for all to see. No encryption-based approach can address this problem
because it is always going to have to remain possible for the system’s CPU to
decrypt and access any code or data in the program. Once the code is decrypted,
it is going to be possible for malware researchers to analyze its code and
behavior—there is no easy way to get around this problem.
There are many ways to hide malicious software, some aimed at hiding it
from end users, while others aim at hindering the process of reversing the
program so that it survives longer in the wild. Hiding the program can be as
simple as naming it in a way that would make end users think it is benign, or
even embedding it in some operating system component, so that it becomes
completely invisible to the end user.
Once the existence of a malicious program is detected, malware researchers
are going to start analyzing and dissecting it. Most of this work revolves around
conventional code reversing, but it also frequently relies on system tools such as
network- and file-monitoring programs that expose the program’s activities
without forcing researchers to inspect the code manually. Still, the most
powerful analysis method remains code-level analysis, and malware authors
sometimes attempt to hinder this process by use of antireversing techniques.
These are techniques that attempt to scramble and complicate the code in ways
that prolong the analysis process. It is important to keep in mind that most of
the techniques in this realm are quite limited and can only strive to complicate
the process somewhat, but never to actually prevent it. Chapter 10 discusses
these antireversing techniques in detail.
Reversing Malware 281