How to recognize malicious source code?

August 7, 2015

BE AWARE! Creating spyware, computer viruses and similar nasties can be illegal where you live and is considered extremely unethical by almost everyone. Still, I need to ask this to raise awareness about how easy it is to create one. I am asking this after the W32/Induc-A was introduced to this world by someone who came up with a nasty way to spread one. So I want to know how a virus can be created so I will be able to recognise them in the future!

Recently a new virus was discovered which spreads itself by replacing the developers’ copies of library code. Specifically, it does so through the source code of Delphi 4 through 7. What happened is that there’s a virus in the wild which searches the computer for a file called SYSCONST.PAS, to which it will add itself as source code. This file happens to be a source file for the runtime libraries of Delphi. (This runtime source code is available for Delphi developers.) As a result, after being infected a programmer would create lots of new versions of this virus without even knowing it. Since virus scanners sometimes generate false positives, many developers might thus decide to ignore the warnings of the scanner and maybe they’ll even disable their scanner while building their project. To make it worse, their project might even trigger the scanners of their customers, so it’s likely that those programmers won’t check their source code but will just try to fool the scanner somehow. That is, if a virus scanner is even able to recognise the virus, which isn’t very likely. Thus, we software developers might be creating viruses without realizing what we’re doing!

So, how to create a virus? Simple: get your source code infected by a virus and you’re done!

Okay, so the source code of Delphi 4 through 7 might be infected. All Delphi developers, please check your source files! The case is just a proof-of-concept and apparently it can be very successful. Besides, most virus scanners won’t check source code but just focus on executables. This virus could stay undetected for quite a while.

This virus was also successful because it misused source code. Delphi is a commercial project and the source code is available. But who is sure that these hackers won’t be attacking open-source projects in similar ways? There are lots of open-source projects out there, and who is going to check them all to make sure they’re all behaving in a decent way? And if someone is checking the code, will he be able to recognise if something is malicious code?

So, to make sure we can recognize malicious source code, I have to ask: How do I create a virus? How do I recognise the code that will create a virus? What is it that most malware will want to do?

There is a bit of discussion about the Delphi runtime source code, about this code being open-source or not. Borland uses a dual license for their source code from the moment when they started to support Linux with Kylix. As a result, the source code has a “GPL” symbol declared which indicates if the libraries are compiled as GPL code or not. As GPL, the source code would be open-source. This also happens to be the source version that was attacked by the virus. Anyway, to avoid discussions here, I’ve asked this question here so we can focus more on the virus problem and less on Delphi. Basically, we’re talking about a virus that attacks source code. Technically, all source code could be at risk, but open source code is a likely candidate since hackers know its structure and can target those files that are rarely modified, thus rarely checked. (And if they can hack their way into a CVS system, they could even erase the traces of their modifications, thus no one might notice the modifications!)
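The practical defence against the scenario in the question (a rarely touched runtime-library source file being silently rewritten on a developer's machine) is an integrity manifest: record a cryptographic digest of every library source and compiled unit while the tree is known to be clean, keep that manifest somewhere the build user cannot write, and re-verify before every build. The script below is an added example written for this page, not code from the question, from any of the responses, or from Borland/Delphi; the directory layout, the tracked extensions, the hypothetical `Rtl/Sys/SysConst.pas` sample and the marker line appended to it are all constructed for the demonstration. It compares SHA-256 digests rather than timestamps, because a program running as the developer can restore a file's mtime but cannot make altered content hash to the original value.

```python
"""Integrity manifest for a compiler's runtime-library source tree.

Added example for this page (not the original question's or any
commenter's code).  Assumptions: library sources live under one root
directory, the files worth tracking are *.pas, *.inc and *.dcu, and the
manifest is stored as JSON outside that tree (ideally on read-only media,
since anything that can rewrite SysConst.pas can also rewrite a manifest
kept next to it).
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Pascal sources plus the compiled units a Delphi build would link in.
# Assumption: this is the set worth tracking for a Delphi 4-7 installation.
TRACKED_SUFFIXES = {".pas", ".inc", ".dcu"}


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large sources are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every tracked file (path relative to root, POSIX separators) to its digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TRACKED_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict[str, str], out_file: Path) -> None:
    out_file.write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")


def load_manifest(in_file: Path) -> dict[str, str]:
    return json.loads(in_file.read_text(encoding="utf-8"))


def compare_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose content changed, appeared, or vanished since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def check_tree(root: Path, manifest_file: Path) -> dict[str, list[str]]:
    """Re-hash the tree and diff it against the stored manifest (run this before each build)."""
    return compare_manifest(load_manifest(manifest_file), build_manifest(root))


# A constructed stand-in for a minimal Delphi RTL unit; not the real SysConst.pas.
SAMPLE_SYSCONST = (
    "unit SysConst;\n\ninterface\n\nresourcestring\n"
    "  SUnknown = 'Unknown error';\n\nimplementation\n\nend.\n"
)


def demo() -> dict[str, list[str]]:
    """Build a clean manifest, then simulate a silent rewrite of the RTL unit and re-check.

    The appended text is a harmless comment standing in for injected code; the point
    is that any change to the bytes is caught regardless of what was written.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Source"
        unit_dir = root / "Rtl" / "Sys"
        unit_dir.mkdir(parents=True)
        (unit_dir / "SysConst.pas").write_text(SAMPLE_SYSCONST, encoding="utf-8")
        (unit_dir / "SysUtils.pas").write_text("unit SysUtils;\ninterface\nimplementation\nend.\n",
                                               encoding="utf-8")
        manifest_file = Path(tmp) / "rtl-manifest.json"  # kept outside the source tree
        save_manifest(build_manifest(root), manifest_file)

        # Tamper with the rarely edited unit, the way the question describes.
        with (unit_dir / "SysConst.pas").open("a", encoding="utf-8") as f:
            f.write("{ constructed marker standing in for injected code }\n")

        return check_tree(root, manifest_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints `Rtl/Sys/SysConst.pas` under `modified` and nothing under `added` or `removed`. Two caveats a practitioner should keep in mind: the baseline must be taken from a tree you actually trust (a fresh install from vendor media, not a machine that may already be infected), and the check only tells you that a file changed, not why, so a hit still needs someone to read the diff rather than silence the alert the way the question predicts developers will silence their scanners.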

6 Responses to “How to recognize malicious source code?”

  1. There is no difference between malicious code and an unintentional security bug.

    You might as well be asking “How can I write a useful program that has no bugs and is impossible to exploit”.

    As we all learn in CS, it's impossible to even write debuggers to catch infinite loops, let alone intelligent malevolence.

    My advice for security conscious applications is an ex(p|t)ensive code review and use of commercially available static analysis software.

  2. You ask “What is it that most malware will want to do?”.

    An excellent source for this sort of information is The Hacker Quarterly, which is so mainstream, you may find it at your local bookstore, or you can subscribe online to get it mailed to you.

    It was started to help hackers and phreakers share information. It is still very popular with hackers today and is considered by many to be controversial in nature.

    Cover of The Hacker Quarterly, Summer 2009 issue

    Contents of the Current Issue include:

    • Not The Enemy
    • Regaining Privacy in a Digital World
    • The Security-Conscious Uncle
    • Why the “No-Fly List” is a Fraud
    • Finding Information in the Library of Congress
    • Hacking the DI-524 Interface
    • Simple How-to on Wireless and Windows Cracking
    • If You Can’t Stand the Heat, Hack the Computers!
    • Security: Truth Versus Fiction
    • Hacking the Beamz
    • iTunes Stored Credit Card Vulnerability
    • Zipcar’s Information Infrastructure
    • The How and Why of Hacking the U.N.
    • Listen to Radio Hackers!
    • Abusing Metadata
    • Verizon FIOS Wireless Insecurities
    • Using Network Recon to Solve a Problem
    • Suing Telemarketers for Fun and Profit

    There is also an excellent series of articles on Hacking at Wikipedia and on Computer Viruses.

    … And yes, it is important for programmers to understand how hacking and code breaking works, so they can do the best they can to circumvent it in their programs.

  3. Tobias Langner

    If you want to recognize malware, you must know how it works. This means researching malware and acquiring the skill to produce malware.

    • search for 29A – they wrote papers on viruses
    • read about rootkits (there are even books on it)
    • read about reverse engineering
    • read source code of malware – there’s plenty of it in the web.
    • learn assembler
    • learn about your OS
    • reverse the OS kernel
    • get ClamAV, check the source

    I won’t provide links here. They are easily found though.

  4. forgot my open id login

    You could check for the Evil Bit on incoming packets…

  5. Adam Rosenfield

    While this does not really answer your question, I think a really interesting paper to read is Reflections on Trusting Trust by Ken Thompson. It raises a fascinating point that even if your source code is free of defects (viruses, trojans, etc.), you might still be producing defective executables if your compiler is defective. And even if you rebuild the compiler from clean source code, you can still have the same problem.

    Unless you’re building your computer from the ground up with your own microchips, hand-assembling your own BIOS, writing your own operating system, compiler, and software, you have to draw the line somewhere and trust that the hardware and software upon which you’re building your systems are correct.

  6. If you really want to learn, and are willing to put in the time, your time is probably better spent on Google to find, then participate in, a greyhat community. This topic is highly complex.

    If your question is as simple as “what’s an easy way to recognize a virus from its source code”, well, it probably won’t be easy, because there are infinite ways to go about it.
