Reversing : The Hacker's Guide to Reverse Engineering


confusion for human reversers that attempt to analyze the metamorphic
program.
Function Order

The order in which functions are stored in the module matters very little to the program at runtime, and randomizing it can make the program somewhat more difficult to identify.
To summarize, by combining all of the previously mentioned techniques (and possibly a few others), metamorphic engines can create some truly flexible malware that can be very difficult to locate and identify.


Establishing a Secure Environment


The remainder of this chapter is dedicated to describing a reversing session of an actual malicious program. I've intentionally made the discussion quite detailed, so that readers who aren't properly set up to try this at home won't have to. I would only recommend that you try this out if you can allocate a dedicated machine that is not connected to any network, either local or the Internet. It is also possible to use a virtual machine product such as Microsoft Virtual PC or VMware Workstation, but you must make sure the virtual machine is completely detached from the host and from the Internet. If your virtual machine is connected to a network, make sure that network is connected to neither the Internet nor the host.
If you need to transfer any executables (such as the malicious program itself) from your primary system into the test system you should use a recordable CD or DVD, just to make sure the malicious program can't replicate itself into that disc and infect other systems. Also, when you store the malicious program on your hard drive or on a recordable CD, it might be wise to rename it with a nonexecutable extension, so that it doesn't get accidentally launched.
The Backdoor.Hacarmy.D dissected in the following pages can be downloaded at this book's Web site at http://www.wiley.com/go/eeilam.
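As an added example that is not part of the book, the following POSIX shell script carries out the staging step just described and adds the check a practitioner would want before opening a sample: it copies the sample into a quarantine directory under a nonexecutable name, strips every execute bit, records a SHA-256 so the file can be re-identified later, and verifies that the analysis machine has no default route, that is, no path to the Internet. The function names, the `.malware` extension and the `quarantine` directory are assumptions chosen for illustration, not anything the book specifies.

```shell
#!/bin/sh
# Added example, not from the book. Function names and the .malware
# extension are assumptions for illustration.

# hash_file PATH -> prints the SHA-256 of PATH (GNU coreutils or perl shasum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{print $1}'
    else
        shasum -a 256 -- "$1" | awk '{print $1}'
    fi
}

# defang_sample SRC DESTDIR
#   Copies SRC into DESTDIR as <name>.malware, makes it read-only with no
#   execute bit, and stores its SHA-256 beside it. Prints the new path.
#   The original file is left untouched.
defang_sample() {
    src="$1"
    dest_dir="$2"
    base=$(basename -- "$src")
    stem=${base%.*}                      # drop .exe/.scr/... so nothing launches it
    dest="$dest_dir/$stem.malware"
    mkdir -p -- "$dest_dir"
    cp -- "$src" "$dest"
    chmod 0400 "$dest"                   # owner read-only, no execute for anyone
    hash_file "$dest" > "$dest.sha256"
    printf '%s\n' "$dest"
}

# is_defanged PATH -> 0 if PATH exists, is not executable, and still matches
#   the hash recorded at staging time (so a modified or swapped file fails)
is_defanged() {
    f="$1"
    [ -f "$f" ] || return 1
    [ ! -x "$f" ] || return 1
    [ -f "$f.sha256" ] || return 1
    expected=$(cat "$f.sha256")
    actual=$(hash_file "$f")
    [ "$expected" = "$actual" ]
}

# check_isolated -> 0 when the routing table has no default route, which is
#   the minimum you want to see on a malware analysis box. Uses `ip route`
#   on Linux and falls back to `netstat -rn` on other systems.
check_isolated() {
    if command -v ip >/dev/null 2>&1; then
        routes=$(ip route show default 2>/dev/null)
    else
        routes=$(netstat -rn 2>/dev/null | awk '$1 == "default" || $1 == "0.0.0.0"')
    fi
    [ -z "$routes" ]
}

# Typical use on the isolated machine (paths are illustrative):
#   check_isolated || { echo "this box still has a default route" >&2; exit 1; }
#   staged=$(defang_sample /media/cdrom/sample.exe "$HOME/quarantine")
#   is_defanged "$staged" && echo "staged at $staged"
```

Run `check_isolated` before anything else; if it fails, the machine or virtual machine still has a route out and is not the detached environment described above. Staging with `defang_sample` does not make the sample safe to execute, it only makes an accidental double-click or tab-completed launch much less likely, and the recorded hash lets you confirm later that the file you are disassembling is the one you staged.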


The Backdoor.Hacarmy.D


The Trojan/Backdoor.Hacarmy.D is the program I’ve chosen as our malware
case study. It is relatively simple malware that is reasonably easy to reverse,
and most importantly, it lacks any automated self-replication mechanisms.
This is important because it means that there is no risk of this program spread-
ing further because of your attempts to study it. Keep in mind that this is no
reason to skimp on the security measures I discussed in the previous section.
This is still a malicious program, and as such it should be treated with respect.


Reversing Malware 285