Malicious code is a piece of software, also
known as malware, which can damage or alter data
and programs on a system without the user's permission or
knowledge. The goal of malware varies from gaining unauthorized
access to simply disabling a system. Malware is typically
delivered through email, but IRC channels and websites
can also place malicious code on a system.
The most common type of malicious code is a virus. It can
infect systems by attaching itself to files and programs.
Just like its biological counterpart, it needs a host to infect.
A virus is usually a program that needs to be executed by
a user before it can do any damage. For example, a virus attached
to an email message is usually only harmful when a user opens
(executes) the attachment.
Decent anti-virus software should be used
both proactively and reactively to prevent damage by viruses.
Since viruses are spread primarily through email, it is important
to establish the first line of defense at the corporate email
server. That will help prevent viruses from reaching the clients,
which is the place where they are most likely executed and
spread further. Modern client-side anti-virus software can
also actively scan data as it is received through a network
connection, in addition to scanning and cleaning viruses after
detection. There are many anti-virus products available; the
best results are reached when combining more than one product.
Anti-virus products use virus definitions, also known as signatures,
to identify viruses. Make sure those virus definitions/signatures
are up to date; most anti-virus programs allow scheduled automatic
updates over the Internet.
Following are some of the main types of viruses:
File Virus - This is the most common
type of virus; it attaches itself to executable files such
as .EXE and .COM. The file acts as a carrier and when the
file is executed or opened, the malicious code executes and
the virus spreads to infect other files.
Boot Sector Virus - This type of virus attaches
itself to the boot sector of a floppy or hard disk. When the
computer boots, the virus will reside in its memory and infect
other disks. Modern motherboards provide a BIOS option to enable
boot sector virus protection, which basically prevents modifications
to the boot sector. A variant on this virus is the MBR virus,
which infects the Master Boot Record.
Multi-partite virus - This type
of virus is a combination of other types in this list. The
most common type of multi-partite virus is a virus that can
infect both the boot sector and files.
Stealth virus - This type of virus
attempts to hide itself to avoid detection by anti-virus software.
It attempts to mislead the services that are used to detect the virus.
When the infected file or boot sector is scanned by anti-virus
software, the virus attempts to return the properties of the
original clean version of the file or boot sector.
Polymorphic Virus - This type of
virus has the ability to change its signature to avoid detection
by anti-virus software. It attempts to trick anti-virus software
by slightly modifying its own code when it spreads to other
files. A polymorphic virus can modify itself by encrypting
or compressing part of its code, for example.
Macro Virus - Macro viruses exploit
vulnerabilities inherent to macro languages such as Visual
Basic in Microsoft Office. This type of virus is often found
in Word documents; when a user opens the document, the macro
code, created with malicious intent, is executed.
Hoax - A
hoax isn’t really a virus but it can have damaging results.
The most typical example is a fake e-mail message that contains
a warning about a new virus and instructions to forward the
message to everyone you know. Unfortunately, many people will
forward the message to many others, who forward it again,
and again, and again. Eventually this may lead to a DoS
situation on mail systems that get flooded with these fake
warnings. The best preventive measure against hoaxes is to
educate users and to instruct them to forward such messages
to an administrator only.
A worm is similar to a virus but there is one important
difference: a worm doesn't need to attach itself to
a file or program to be reproduced and executed, as a virus
does. A worm is self-contained: it can replicate itself and
infect entire networks. Most worms can be removed from a system
by using a decent anti-virus utility.
Trojans and backdoors are essential tools for the serious
attacker. They are often used in conjunction to allow the
attacker to gain remote control of the target system and/or
steal information. A trojan is a seemingly harmless
piece of software that contains malicious code in addition
to its own. The malicious code is typically a back door, also
known as an illicit server, but it can be a virus, worm or
any other kind of code that allows the attacker to do damage.
The software is wrapped together with the malicious code into
a single file or program. Utilities to create trojans,
so-called wrappers, are widely and publicly available on the
Web allowing anyone with a little computer knowledge to create
an effective trojan.
Common ways to spread trojans are email,
IRC, and websites. For example, an attacker may attempt to
deceive recipients by adding an extension to a seemingly harmless
file, for example openme.gif.exe. When the trojan is
executed, the malicious code will start its devious job. If
that job involves planting a back door, it will typically
notify the attacker automatically, by e-mail or IRC pager
for example. A common use of a back door is a distributed
DoS attack, in which an attacker connects to many systems
through a back door and uses those systems (zombies) in conjunction
to flood a target system. Check out our DoS attacks TechNotes
for more information.
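The corporate mail server is the first line of defense named above, and the openme.gif.exe trick is the kind of disguise it should catch. Below is an added example (not part of the original TechNotes) of an attachment filter for such a gateway: it parses a constructed MIME message with Python's standard email library and blocks attachments whose real extension is executable, flagging a trusted-looking decoy extension in front of it. The extension lists and the sample message are constructed for illustration.

```python
import email
import posixpath
from email import policy

# Extensions Windows runs when opened (constructed list; real policies are longer).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Trusted-looking extensions a wrapper-built trojan borrows, as in openme.gif.exe.
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".txt", ".pdf", ".doc", ".xls"}


def classify_attachment(filename: str) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment file name."""
    # Drop any directory the sender supplied, plus the trailing dots and spaces
    # that Windows ignores when deciding how to open a file.
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(" .").lower()
    exts = ["." + p for p in name.split(".")[1:] if p]
    if not exts:
        return "allow", "no extension"
    real = exts[-1]  # the only extension Windows actually honours
    if real in EXECUTABLE_EXTS:
        decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
        if decoys:
            return "block", f"double extension: {decoys[-1]} disguises {real}"
        return "block", f"executable attachment {real}"
    return "allow", f"non-executable {real}"


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Parse a raw RFC 822 message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        verdict, reason = classify_attachment(fname)
        results.append((fname, verdict, reason))
    return results


# Constructed sample message: one disguised trojan and one ordinary document.
SAMPLE = b"\r\n".join([
    b"From: sender@example.test", b"Subject: check this out", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"", b"--b1",
    b"Content-Type: text/plain", b"", b"Open me!", b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="openme.gif.exe"',
    b"Content-Transfer-Encoding: base64", b"", b"Y29uc3RydWN0ZWQ=", b"--b1",
    b"Content-Type: application/pdf",
    b'Content-Disposition: attachment; filename="report.pdf"',
    b"Content-Transfer-Encoding: base64", b"", b"Y29uc3RydWN0ZWQ=", b"--b1--", b"",
])
```

Calling scan_message(SAMPLE) blocks openme.gif.exe with the reason "double extension: .gif disguises .exe" and allows report.pdf.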
NetBus and Back Orifice
are probably the most notorious utilities that create a back
door on a target system; they are often distributed as trojans
(disguised as a harmless program). Once an attacker
gains access to a target system running one of these tools,
he or she could do almost anything on the remote target, from
deleting files to listening to microphone input.
Besides the back doors planted by attackers,
an administrator can install an intentional back door on a
system to be able to remotely administer it. VNC (Virtual
Network Computing) is a common example; others are PC
Anywhere, and Remote Desktop in Windows XP/2003.
If you use any of these intentional back door systems, make
sure you use strong password protection and if possible, only
connect over encrypted communication lines such as VPNs.
Regular anti-virus software is often not
able to detect and eliminate all trojans and back doors.
Several utilities have been created to detect and remove all
sorts of malicious code; common examples of such software
are SpyBot Search & Destroy and Ad-Aware.
A logic bomb is a smart piece of malicious code that executes
only when certain conditions are met. For example, an attacker
could implement a logic bomb on a public Internet client that
will start a key logger only when a user types in user credentials
at a website. Other examples are a virus that executes on
April Fool's Day (but infected the system long before
that date), or a format.exe command that is executed only when
the user logs on with administrative permissions. In other
words, a logic bomb contains a mechanism that is triggered
only when a certain event occurs.