Hackers Serving Rootkits with Bagles

Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable and the addition of rootkit capabilities show how far ahead of the cat-and-mouse game the attackers are."

The evolving virus

[ndogg]

I keep waiting for a virus based on genetic algorithms. I'm certain that it's only a matter of time.

[Off topic] It's not a worm!

[january]

It definitely isn't, trust me. I'm a ...biologist.

I mean the picture, of course: http://images.slashdot.org/topics/topicworms.gif [slashdot.org] -- it is an insect larva, not a worm. To be more specific -- probably a butterfly caterpillar.

You want to see a worm? Here -> http://www.desc.med.vu.nl/NL-taxi/ICE/C_elegans1.j pg [med.vu.nl] is a nice picture of C.elegans, The Model Worm (r).

January

Re:The evolving virus

[january]

Agree. This will be a breakthrough, and if anything is a mystery -- then the question, why it hasn't already happened.

Evolving computer programs -- not simple genetic algorithms, but programs that actually "thrive" on CPU time and memory, and compete for these resources -- have been already used to experimentally investigate evolution. Note that there is a serious difference between a genetic algorithm and a truly evolving program. In the former case, the fitness function is precisely defined by the programmer. In the latter, the fitness is just what it is in living organisms -- ability to pass on the genes, or code.

Check out the web page -- http://www.msu.edu/~lenski/ [msu.edu] -- of Richard Lenski, experimental evolutionist (bacteria in a test tube + computer), you will find a nice article on in silicio evolution on his web page. The guy has 4 Nature and 2 Science publications only on the topic of digital evolution.

January

j.

Re:The evolving virus

[aug24]

The thing about genetic algorithms to date is that they have only been permitted to evolve within parameters. Evolving better weightings for poker playing bots for example. This is a highly successful technique, analogous to the way the human brain sets itself up - highly structured programming (physical brain) with variable parameters (experience).

If you allow the code itself to evolve (typically achieved with Lisp or similar cos of the convenient tree structure of the code) then the likelihood is that you can write a better program than will evolve anyway, because so many of the evolved programs are utterly useless. This, of course, is the argument for Intelligent Design, except that the planet really does have unlimited time, and there aren't anti-virus companies constantly trying to sterilise the planet (as far as we know! ;-)

Finally, most genetic algorithms require 'sex' type recombination to (randomly and hopefully) whittle away the useless code that has accumulated. This might be a little hard to implement in a cloaking virus - the one thing they don't want is to have any kind of signal that they are there!

All in all, I'll be surprised to see a truly genetic algorithm virus ever. The closest we might see are self tuning ones - eg ones that spot the user is using the machine and back off their spamming activities so that they aren't obvious.

J.

I blogged Ubuntu LiveCD to explain to noobies

[ScrewTivo]

I got so tired of explaining it over and over. Ultimate Spyware/Virus Blocker [blogspot.com]. If you think there is something I need to add or remove then please leave a comment.

My friend is opening up a coffee shop that will have an ap. I will make some copies of Ubuntu for the customers to use.

Now where do I find a dentist for the rootkit I received when I didn't take my own advice :)

Re:How to tell if you are a linux fanatic.

[HaydnH]

I can't believe you responded to that! Although it did make me laugh... most of the points were hilarious, especially about "no databases for linux as powerfull as MS Access"! I'd love to know what people like Oracle & Sun(PostgreSQL) would say about that.

Re:The evolving virus

[Anonymous Coward]

viruses are already a form of genetic algorithm. A slowly evolving (well kind of slow at least) GA. think about it, all the components are there. The mechanism is the script kiddie. The environment is our computers. The virus codes are all mostly the same (same genes), new ones are created through cut and paste (crossover) and occasionally a new radically more effective one comes out and quickly the entire population moves to this newer, more effective (better fitness) code.

we're all part of a giant experiment!

Re:The evolving virus

[zerocool^]

If you're talking polymorphic characteristics (in viruses or animals), the phrase you're looking for is Heterozygous Advantage [wikipedia.org]. Yes, I do live with a woman who is going to vet school and who has a degree in animal science.

In computer terms, it's going to be hard for random code variations to produce a useful new code segment on their own, for exactly the reasons you describe - there needs to be "sex", or a merging of two codebases, in order to produce surrogate code.

In terms of animals, however, if I may step on my pro-evolution soapbox... This is what all those people at the Institute for Creation Research and Answers in Genesis never talk about. The natural tendancy in animals (at least, and probably in other kingdoms) is for the offspring of a non-homogonous pairing to be *better* than either of the parents. No joke, this is the way it works. Not all the time, but more often than not.

For example, my wife is pretty firmly against the homogonization of the beef industry onto black angus for meat and holstein for milk. The reason being, if you breed nothing but black angus to black angus, you're going to get black angus, which is good, but it will never get better than its parents. If you're breeding black angus and charolais, however, the genetic tendancy is that the offspring most of the time will posess the best characteristics of both parents (breeding and birthing ease with black angus, better meat with charolais).

Anyway, I have to go fix a dead UPS.

~Will

Re:Mmmmm... bagels!

[thefranktate]

You should read the book "Golf is a Four Letter Word". It starts out with the author describing his addiction to golf, how it ruined his life, and how he was finally able to give it up. Then starts the sad part - though he has given up the game, his albatross is the need to write poems, limericks, and other wordplays all about golf. It's really, truly sad. And I think you could empathize with the guy :)

Re:The evolving virus

[aug24]

Thanks for that, interesting.

I'd propose a small correction to what you say: the natural tendency of sexual reproduction is to produce creatures that are either (a)inviable, which typically miscarry or (b) similar or (c) better. This would be analogous to receiving two lots of bad code, one of each, or two lots of good code respectively.

AIUI a surprising number of the offspring of higher animals 'spontaneously' abort without the parent necessarily even knowing about it.

Cheers,
Justin.

Re:The evolving virus

[Anonymous Coward]

The secret is to design a 'language' to write viruses in that makes it almost impossible to write a non-runnable program.

With biological organisms, many genes are copies of existing genes that have been modified over time. One of the fundamental mutation operations is the duplication of a region of dna, which can contain one or more genes. Since having two copies of a gene is not (usually) harmful, this avoids having to evolve new genes from scratch.

So if the virus mutates the registry key that's hidden, write the language such that the registry key used for storing the virus changes in the same mutation.