Internationalization Poses New Challenges for Information Security

July 15, 2008

Thankfully, the World Wide Web is rapidly outgrowing its English-only, ASCII-based origins to become truly multilingual and multicultural. But as we are coming to realize with increasing clarity, every change to an infrastructure poses new challenges for security, and internationalization is no exception. We have grown used to the vulnerabilities in Unicode character processing and in Unicode domain names. Now Wes Brown has published an interesting article on the internationalization of malware. He points out that more and more malware is being published in non-Latin scripts, and that this poses problems for the analyst:

"In the past, if I ran into a piece of malware that had foreign language strings in them, I could muddle through them if they were a Latin-derived language. Spanish or French, I did not have any issues with. But when it comes to languages that come from an entirely different root such as Chinese or Japanese written in hanzi or kanji, I was losing vital clues."

He points out that the changes that are happening go beyond the technical and linguistic; they are also cultural:

"Anti-cheating rootkits are very common in games released in [China and Japan]. What is considered to be invasive in the North American or European world is acceptable there. These anti-cheating rootkits would hook into the kernel space in a very invasive way, and have the behavioral characteristics of malware such as hooking into the keyboard driver. This made it very difficult from a purely technical standpoint to distinguish them. These kits were attempting to protect the application from being tampered with while running, i.e. to reduce the incidence of bots, or modifications to the presentation layer to allow people to see through walls."

Brown advises up-and-coming malware analysts to become conversant in non-Roman languages, and he concludes with a plea that more anti-malware tools become Unicode-savvy and multilingual.
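As an illustration of what "Unicode-savvy" means for a string-extraction tool, the following added example (not code from Brown's article or from Q-CERT) pulls UTF-8 and UTF-16LE text runs out of a binary blob and labels the scripts found in each. The function names, the 80% threshold and the sample bytes are assumptions constructed for this sketch.

```python
import re
import unicodedata

# (encoding, byte pattern, apply the misread check). Runs shorter than 4 are ignored.
PATTERNS = (
    # Printable ASCII mixed with well-formed 2- and 3-byte UTF-8 sequences.
    ("utf-8", re.compile(
        rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}){4,}"), False),
    # UTF-16LE "wide" ASCII, the usual Windows string form.
    ("utf-16-le", re.compile(rb"(?:[\x20-\x7e]\x00){4,}"), False),
    # UTF-16LE units whose high byte is in the Cyrillic, Arabic, kana or CJK blocks.
    ("utf-16-le", re.compile(rb"(?:[\x00-\xff][\x04\x06\x30\x4e-\x9f]){4,}"), True),
)


def scripts(text):
    """Scripts present, taken from the first word of each letter's Unicode name."""
    names = {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}
    return "+".join(sorted(names)) or "NONE"


def looks_misread(raw):
    """Heuristic: ASCII or wide-ASCII bytes read as UTF-16LE decode to bogus ideographs."""
    plain = sum(b == 0 or 0x20 <= b <= 0x7E for b in raw)
    return plain >= 0.8 * len(raw)  # assumed threshold


def extract_strings(blob):
    """Return (encoding, scripts, text) for each text run found in blob."""
    hits = []
    for encoding, pattern, check in PATTERNS:
        for match in pattern.finditer(blob):
            raw = match.group()
            if check and looks_misread(raw):
                continue
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue  # overlong or otherwise malformed sequence
            hits.append((encoding, scripts(text), text))
    return hits


# Constructed sample: three text runs separated by non-text bytes.
SAMPLE = (b"\xff\x01\x02" + b"update.example.test" + b"\x01\xff\x02\x03"
          + "配置文件加载失败".encode("utf-16-le")    # "configuration file failed to load"
          + b"\xff\xff\x01\x02"
          + "接続に失敗しました".encode("utf-8")       # "connection failed"
          + b"\xff\x01")

if __name__ == "__main__":
    for hit in extract_strings(SAMPLE):
        print(*hit, sep="\t")
```

The script label separates the Chinese run (CJK only) from the Japanese one (CJK plus hiragana), which is a clue an ASCII-only string dump never surfaces. Hiragana-only UTF-16LE text consists entirely of printable-ASCII byte values, so the misread check drops it; byte-level extraction of this kind remains a heuristic.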