why do most bots/worms/malware use sockets instead of portable libraries?

Why do most bots/worms/malware use sockets (Winsock/Berkeley sockets) instead of portable network libraries like boost.asio? Is there an advantage to using the native OS API?
Yes.
- language independence
- code size
- possibly reduced complexity as you don't care about the general case
- efficiency, you're able to take advantage of platform-specific features
To expand on kbw's response a bit: there is no reason to use portable code. Virtually all malware will target vulnerabilities on a specific platform.
Sorry for bumping this thread, but I have a few more questions.
the third point by kbw:
possibly reduced complexity as you don't care about the general case

Q1) Could you elaborate more on that? Do you mean that the malware writers don't really need to handle all error cases or functions required of a given protocol, just the ones that achieve their ends?

Q2) My lecturer told me that using libraries would increase the detectability of malware as compared to using the API, but he did not explain much. Any idea why this is so?
Q1:
No one's likely to write a platform-independent exploit, right? Presumably different environments are hacked in different ways. As such, there's no point in thinking about how to do something in a general way, just how it needs to be done in the specific environment.

Q2:
A library has a signature. Think about the implications.
When you say signature, do you mean binary sequences that could easily be identified by the AV vendors?
If that is the case, couldn't polymorphism hide it?
Polymorphism has nothing to do with the binary. It's an OO technique. But yes, AV vendors.

When I say polymorphism I mean polymorphic code, i.e. encryption of malware; I'm not referring to virtual methods...
http://en.wikipedia.org/wiki/Polymorphic_code

So with polymorphic code, aren't the binary sequences of the malware including the libraries concealed?
Yes, there are methods you could use; but AVs are pretty smart at determining digital signatures and flagging applications that modify their signature.
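To make the "a library has a signature" point concrete from the defender's side, here is an added example (not code from anyone in this thread): a toy static scanner in Python that pulls printable strings out of a binary blob the way the `strings` tool does and matches them against indicator sets. The indicator names, the rule threshold and the sample blobs are constructed for illustration and are not a vetted detection ruleset.

```python
"""Toy static 'library signature' check.

Extract printable ASCII runs from a blob (like `strings`), then see which
indicator sets are present. A statically linked library such as Boost.Asio
leaves its own names next to the raw API names it wraps, while a program
calling Winsock directly leaves only the API names. Encrypting the body
removes the strings, which is why AV engines also key on the unchanging
decryptor stub and on runtime behaviour rather than strings alone.
"""
import re
from typing import Dict, List, Set

MIN_LEN = 4  # same default minimum run length as the `strings` tool

# Assumption: representative indicator strings, not an exhaustive ruleset.
RULES: Dict[str, Set[bytes]] = {
    "boost_asio": {b"boost::asio", b"basic_stream_socket", b"io_service"},
    "winsock_api": {b"ws2_32.dll", b"WSAStartup", b"connect", b"send", b"recv"},
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[bytes]:
    """Return every run of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def match_rules(blob: bytes, threshold: int = 2) -> Dict[str, List[bytes]]:
    """Map rule name -> sorted indicators found, for rules with >= threshold hits."""
    found = extract_strings(blob)
    hits: Dict[str, List[bytes]] = {}
    for name, indicators in RULES.items():
        matched = sorted(i for i in indicators if any(i in s for s in found))
        if len(matched) >= threshold:
            hits[name] = matched
    return hits


# Constructed sample blobs (not real executables): junk bytes around the
# kind of strings a linker would leave behind.
ASIO_BLOB = (b"\x00\x01MZ\x90\x00" + b"boost::asio::detail\x00"
             + b"basic_stream_socket<tcp>\x00" + b"io_service::run\x00"
             + b"ws2_32.dll\x00WSAStartup\x00")
RAW_BLOB = (b"\x00\x01MZ\x90\x00" + b"ws2_32.dll\x00WSAStartup\x00"
            + b"connect\x00send\x00recv\x00")
# Same raw-API body XORed with a constant: string rules no longer fire.
ENCRYPTED_BLOB = bytes(b ^ 0x5A for b in RAW_BLOB)

if __name__ == "__main__":
    for label, blob in (("asio", ASIO_BLOB), ("raw", RAW_BLOB), ("enc", ENCRYPTED_BLOB)):
        print(label, match_rules(blob))
```

Running it shows the Boost build lighting up both rule sets while the raw Winsock build only trips the API rule, and the XORed body trips nothing, which is the gap the thread's last answer says AV engines close by other means.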