Malicious Codes in Depth


Mohammad Heidari 11/29/2004



Dedicated to my Grand Master, Hemmatabadi, the fine man who left me too soon. He is truly missed.

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
- "The Art of War", Sun Tzu



Abstract



Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated threats to computer systems are presented by malicious code that exploits vulnerabilities in those systems. Any code that modifies or destroys data, steals data, allows unauthorized access, exploits or damages a system, or does something the user did not intend is called malicious code. This paper briefly introduces the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs and worms.


Taxonomy of Malicious Code



A computer program is a sequence of instructions that are executed to achieve a desired functionality; the program is termed malicious when its sequence of instructions is used to intentionally cause adverse effects to the system. In other words, not every "bug" is malicious code. Malicious code is also called a programmed threat. The following figure provides an overall taxonomy of malicious code.

Figure 1 Malicious Code Taxonomy


Taxonomy is a system of classification that allows one to uniquely identify something. As the figure above shows, threats can be divided into two categories: software threats that do not replicate and those that do. (Replication is the process by which code reproduces or duplicates itself.) The former are fragments of programs that are activated when the host program is invoked to perform a specific function; the latter consist of either a program fragment or an independent program (worm, zombie) that, when executed, may produce one or more copies of itself to be activated later on the same system or on some other system. In the following, I briefly survey each of these parts of malicious software.


Trap doors



Defined: 1. syn. back door, a bad thing. 2. A trap door function is one which is easy to compute but very difficult to compute the inverse of. [Jargon Dictionary]

A trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedure. In many cases attacks using trap doors can give a great degree of access to the application, to important data, or even to the hosting system. Trap doors have been used legitimately by programmers to debug and test programs; some of the legitimate reasons for trap doors are:
  1. Intentionally left in for testing, to make testing easier.

  2. Intentionally left in as a covert means of access; in other words, to allow access in the event of errors.

  3. Intentionally left in for fixing bugs.
But they may be used illegitimately, to provide future, illegal access. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.

Back door is another name for a trap door. Back doors provide immediate access to a system by bypassing the authentication and security protocols in use; attackers can use back doors to bypass security controls and gain control of a system without time-consuming hacking.


Logic Bombs



Defined: A logic bomb is code embedded in some legitimate program that executes when a certain predefined event occurs; such code is surreptitiously inserted into an application or operating system and causes it to perform some destructive or security-compromising activity whenever specified conditions are met. [Jargon Dictionary]

A bomb may send a note to an attacker when a user is logged on to the Internet and is using a specific program such as a word processor; this message informs the attacker that the user is ready for an attack. Figure 2 shows a logic bomb in operation. Notice that this bomb does not actually begin the attack but tells the attacker that the victim has reached the state needed for an attack to begin.

Figure 2 Logic Bombs


  1. Attacker implants logic bomb
  2. Victim reports installation
  3. Attacker sends attack message
  4. Victim does as the logic bomb instructs
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine to halt, or do some other damage.


Trojan Horses



Defined: "A malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses!" [Jargon Dictionary]

A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horses can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user. Another example of a Trojan horse is a compiler that has been modified to insert additional code into certain programs as they are compiled, such as the system login program; the inserted code creates a trap door in the login program that permits the author to log on to the system using a special password. Another common motivation for the Trojan horse is data destruction.
The program appears to be performing a useful function, but it may also be quietly deleting the victim's files.
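As an added illustration (not code from the original paper), the following Python audit finds files under a directory that have become readable by any user, the after-effect of the permission-changing Trojan horse described above. The directory tree it builds, and the file names in it, are constructed for the demonstration.

```python
"""Audit a directory tree for files that have become world-readable.

Added example, not from the original article. A Trojan horse that
silently changes the victim's file permissions leaves this trace behind,
and a periodic audit of the home directory catches it after the fact.
The sample tree below is constructed for the demonstration.
"""
import os
import stat
import tempfile

WORLD_READABLE = stat.S_IROTH   # the "others: read" permission bit (0o004)


def find_world_readable(root):
    """Return the sorted relative paths of regular files under root that
    any user on the system can read."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode        # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & WORLD_READABLE:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed home directory with two private files and one
    that a Trojan-style permission change has exposed. Returns the root."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {
        "notes.txt": 0o600,          # owner only
        "secrets/key.pem": 0o600,    # owner only
        "secrets/leaked.txt": 0o644, # readable by everyone: should be flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)         # chmod ignores the umask, so modes are exact
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel in find_world_readable(demo):
        print("world-readable:", rel)
```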


Zombie



A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace back to the zombie's creator. Zombies are used in denial-of-service attacks, typically against targeted web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm the target web site by launching an overwhelming onslaught of Internet traffic.




Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget