JOIN USIn December 2017, a new variant of the trojan malware DNSChanger, which targets routers, was identified. A malware that was prolific in the last decade, the DNSChanger had been dismantled by an FBI takedown in 2012. Typically disseminated via 'malvertising', DNSChanger uses steganography to obfuscate its initial actions. Once infected, the router's DNS (domain name service) records are modified to redirect it to a malicious server.
When software from the malicious server attacks a system, it cannot be trusted anymore because it is now an impostor, yet to be detected and therefore unpredictable in its behaviour. In such cybersecurity crises, one possible defence strategy is to disassemble the malicious software and analyse its characteristics and workings in detail, a process referred to as reverse engineering (RE).
Reverse engineering is superior to other methods of protection, in that it does not only detect or remove the malware, it is also a tool of risk assessment. Malware could be reverse engineered to figure out what makes it tick. An American cybersecurity company, Zeltser Security, says, "repeatable forensics steps should assist members of the defence community in developing a structured approach to understanding the inner workings of malicious software that opens up in a new window."
A malware analyst must create a safe environment to deconstruct the malware, without risk of damage to the operating system if it is activated directly. The analyst can do this by creating a virtual system which is isolated and not connected to the intranet or internet. Analysis through reverse engineering yields two types of data: dynamic analysis and static analysis.
Dynamic analysis indicates the initial intrusion of malware into a system and provides a lens to view how the malware hides and reacts in different conditions differently. This yields valuable insights into the behavioural characteristics of malware that is otherwise inaccessible. Essentially, this provides knowledge of the enemy after it has intruded into home ground.
Static analysis is done through a disassembler, which enables a walk through the malware and examines the adverse impact of each step. It offers insights into how the malware acted and assesses various forms of potential damage, like malware integration into a system process, recording activity, changes to user settings, or tracking of personal information. After identification of the area where the security breach has occurred, steps to mitigate the threat are initiated, the damage is remedied and the system fortified.
Today, reverse engineering is under scrutiny due to laws that surround patents and copyright laws. As a result, there is a legal vacuum with regard to reverse engineering. In such a techno-legal backdrop, is it acceptable for analysts to dissect software that they have not created? To answer that question, it is important to assess exactly what level of reverse engineering is necessary in the war against malware, so that necessary amendments to fill the legal vacuum are made.
Legal minefield
In the existing legal framework, the Electronic Communications Privacy Act (ECPA) prohibits the "interception of electronic communications flowing over a network" unless consent is obtained from the parties that are affected. These laws work in tandem with each other to make reverse engineering a legal minefield.
Also, copyright laws and fair use, which protect software as "intellectual property" compounds the RE challenge - even if the developer does not use the exact code, even learning from it could have legal repercussions as it could be construed as use of trade secrets or violation of non-disclosure contracts.
Although the law that pertains to the use of reverse engineering for cyber security explicitly allows it under the Digital Millennium Copyright Act (DMCA), it does not explain how RE will be protected from copyright law and ECPA. This legal ambiguity inhibits the growth of RE as a defence mechanism.
The US is losing its position of pre-eminence in software development due to such legal restraints imposed on reverse engineering. As Prof Cem Kaner of the Florida Institute of Technology says, "The ban on reverse engi-
neering is just another example; we are shooting the American industry in the head, with little actual benefit for anyone (publisher or engineer) in the US, but plenty of benefit for engineers in all the rest of the world."
US courts in Bowers vs Baystate Technologies laid down laws that are black and white. They prohibit reverse engineering as a whole - "to study or analyse a device, such as a microchip for computers, in order to learn details of design, construction and operation, perhaps to produce a copy or an improved version" is prohibited under this law.
Reverse engineering continues to be tangled in legal prohibitions that constrain cybersecurity professionals from utilising an integral method to gain malware intelligence. This demands urgent action for policy amendments in US law. On the other hand, India which lacks an evolved techno-legal framework, can leapfrog on the back of US experience to be a step ahead of cybercriminals in the future.
(The writer is a Bengaluru-based cyber security professional and ethical hacker)