Fog Creek Software
Discussion Board




Atak: the new generation worm

http://news.zdnet.co.uk/0,39020330,39160285,00.htm

Very interesting worm.

By coincidence, I was doing some research these days on anti-piracy tricks and I've read a lot on how to make your program detect if it is being debugged. But most of the techniques are not efficient on low-level debuggers such as SoftICE. So I am wondering how this worm manages to do this?

GinG
Wednesday, July 14, 2004

http://www.google.com/search?hl=en&ie=UTF-8&q=how+to+detect+if+softice+is+running ... returns http://in.fortunecity.com/skyscraper/browser/12/sicedete.html and so on

Christopher Wells
Wednesday, July 14, 2004

That's just because the virus analyzers have become lazy. The tools to analyze a program in such a way that it cannot be aware have existed for years. Bochs is generally undetectable (it can be detected, e.g., through the BXVGA interface, but if you want isolation, you'd disable that - you have the source).

Ori Berger
Thursday, July 15, 2004
