How to recognize malicious source code?


Question


BE AWARE! Creating spyware, computer viruses and similar nasties can be illegal where you live and is considered extremely unethical by almost everyone. Still, I need to ask this to raise awareness about how easy it is to create one. I am asking this after the W32/Induc-A was introduced to this world by someone who came up with a nasty way to spread one. So I want to know how a virus can be created so I will be able to recognise them in the future!


Recently a new virus was discovered which spreads itself by replacing the developers' copies of library code. Actually, through the source code of Delphi 4 through 7. What happened is that there's a virus in the wild which searches the computer for a file called SYSCONST.PAS, to which it will add itself as source code. This file happens to be a source file for the runtime libraries of Delphi. (This runtime source code is available for Delphi developers.) As a result, after being infected a programmer would create lots of new versions of this virus without even knowing it. Since virus scanners sometimes generate false positives many developers might thus decide to ignore the warnings of the scanner and maybe they'll even disable their scanner while building their project. To make it worse, their project might even trigger the scanners of their customers so it's likely that those programmers won't check their source code but will just try to fool the scanner somehow. That is, if a virus scanner is even able to recognise the virus, which isn't very likely. Thus, we software developers might be creating viruses without realizing what we're doing!


So, how to create a virus? Simple: get your source code infected by a virus and you're done!


Okay, so the source code of Delphi 4 through 7 might be infected. All Delphi developers, please check your source files! The case is just a proof-of-concept and apparently it can be very successful. Besides, most virus scanners won't check source code but just focus on executables. This virus could stay undetected for quite a while.


This virus also was successful because it misused source code. Delphi is a commercial project and the source code is available. But who is sure that these hackers won't be attacking open-source projects in similar ways? There are lots of open-source projects out there and who is going to check them all making sure they're all behaving in a decent way? And if someone is checking the code, will he be able to recognise if something is malicious code?


So, to make sure we can recognize malicious source code, I have to ask: How do I create a virus? How do I recognise the code that will create a virus? What is it that most malware will want to do?


There is a bit of discussion about the Delphi runtime source code, about this code being open-source or not. Borland uses a dual-license for their source code from the moment when they started to support Linux with Kylix. As a result, the source code has a "GPL" symbol declared which indicates if the libraries are compiled as GPL code or not. As GPL, the source code would be open-source. This also happens to be the source version that was attacked by the virus. Anyway, to avoid discussions here, I've asked this question here so we can focus more on the virus problem and less on Delphi. Basically, we're talking about a virus that attacks source code. Technically, all source code could be at risk but open source code is a likely candidate since hackers know its structure and can target those files that are rarely modified, thus rarely checked. (And if they can hack their way into a CVS system, they could even erase the traces of their modifications, thus no one might notice the modifications!)
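One defensive check the question points at, as an added example that is not part of the original question or answer: record a baseline of hashes for the library source tree (files such as SYSCONST.PAS that should never change between builds) and re-verify it before every build, so an unexpected edit to a rarely touched file is flagged regardless of whether a virus scanner knows the payload. The directory layout, file contents and the appended line are all constructed for the demo.

```python
"""Baseline-and-verify check for rarely modified library source files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".pas", ".inc", ".dpr"}  # Delphi source file types to cover


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large units are handled cheaply."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every source file under root.

    Suffix comparison is case-insensitive because Delphi trees mix SYSCONST.PAS
    and sysconst.pas spellings and Linux globbing is case-sensitive."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SOURCE_SUFFIXES
    }


def verify_manifest(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: clean RTL tree, baseline taken, then SYSCONST.PAS gains a line."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Source" / "Rtl" / "Sys"
        root.mkdir(parents=True)
        stub = "unit {};\n\ninterface\n\nimplementation\n\nend.\n"
        (root / "SYSCONST.PAS").write_text(stub.format("SysConst"))
        (root / "SYSUTILS.PAS").write_text(stub.format("SysUtils"))
        baseline = build_manifest(root)  # in practice: store this JSON in version control
        with (root / "SYSCONST.PAS").open("a") as f:
            f.write("{ unexpected addition to a file that should never change }\n")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A build script would refuse to continue when `modified`, `missing` or `new` is non-empty; the stored manifest is only as trustworthy as the repository it lives in, which is the point the question makes about CVS access.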

Recommended answer


While this does not really answer your question, I think a really interesting paper to read is Reflections on Trusting Trust by Ken Thompson. It raises a fascinating point that even if your source code is free of defects (viruses, trojans, etc.), you might still be producing defective executables if your compiler is defective. And even if you rebuild the compiler from clean source code, you can still have the same problem.


Unless you're building your computer from the ground up with your own microchips, hand-assembling your own BIOS, writing your own operating system, compiler, and software, you have to draw the line somewhere and trust that the hardware and software upon which you're building your systems are correct.
