Members-only Printer-friendly version

Index
Malicious Code
Viruses
Worms
Trojan Horses
Logic Bombs

Malicious Code

Malicious code is a piece of software, also known as malware, which can damage or alter data and programs on a system without permission and notice of the user. The goal of malware varies from gaining unauthorized access to simply disabling a system. Malware is typically delivered through email, but also IRC channels and websites can place malicious code on a system.

Viruses
The most common type of malicious code is a virus. It can infect systems by attaching itself to files and programs. Just like its biological counterpart, it needs a host to infect. A virus is usually a program that needs to be executed by a user before it can do any damage. For example, a virus attached to an email message is usually only harmful when a user opens (executes) the attachment.

Decent anti-virus software should be used both pro-active and re-active to prevent damage by viruses. Since viruses are spread primarily through email, it is important to establish the first line of defense at the corporate email server. That will help prevent viruses from reaching the clients, which is the place where they are most likely executed and spread further. Modern client-side anti-virus software can also actively scan data as it is received though a network connection, in addition to scanning and cleaning viruses after detection. There are many anti-virus products available; the best results are reached when combining more than one product. Anti-virus products use virus definitions, also known as signatures, to identify viruses. Make sure those virus definitions/signatures are up to date; most anti-virus programs allow scheduled automatic updates over the Internet.

Following are some of the main types of viruses:

File Virus - This is the most common type of virus; it attaches itself to executable files such as .EXE and .COM. The file acts as a carrier and when the file is executed or opened, the malicious code executes and the virus spreads to infect other files.

Boot Sector Virus - This type of virus attaches itself to the boot sector of a floppy or hard disk. When the computer boots, the virus will reside in its memory and infect other disks. Modern main boards provide a BIOS option to enable boot sector virus protection, which basically prevents modifications to the boot sector. A variant on this virus is the MBR virus that infects the Master Boot Record.

Multi-partite virus - This type of virus is a combination of other types in this list. The most common type of multi-partite virus is a virus that can infect both the boot sector and files.

Stealth virus - This type of virus attempts to hide itself to avoid detection by anti-virus software. It attempts to misguide services that used to detect the virus. When the infected file or boot sector is scanned by anti-virus software, the virus attempts to return the properties of the original clean version of the file or boot sector.

Polymorphic Virus - This type of virus has the ability to change its signature to avoid detection by anti-virus software. It attempts to trick anti-virus software by slightly modifying its own code when it spreads to other files. A polymorphic virus can modify itself by encrypting or compressing part of its code, for example.

Macro Virus - Macro viruses exploit vulnerabilities inherent to macro languages such as Visual Basic in Microsoft Office. This type of virus is often found in Word documents; when a user opens the document the code, created with a malicious intent, is executed.

Hoax - A hoax isn’t really a virus but it can have damaging results. The most typical example is a fake e-mail message that contains a warning about a new virus and instructions to forward the message to everyone you know. Unfortunately, many people will forward the message to many others who forward them again, and again, and again. Eventually this may lead to a DoS attack situation on mail systems that get flooded with these fake warnings. The best preventive measure against hoaxes is to educate users and to instruct them to forward such messages to an administrator only.

Worms
A worm is similar to a virus but there is one main important difference: a worm doesn’t need to attach itself to a file or program to be reproduced and executed as a virus does. A worm is self-contained, it can replicate itself and infect entire networks. Most worms can be removed from a system by using a decent anti-virus utility.

Trojan Horses
Trojan Horses and Back Doors are essential tools for the serious attacker. They are often used in conjunction to allow the attacker to gain remote control of the target system and/or steal information. A Trojan Horse is a seemingly harmless piece of software that contains malicious code in addition to its own. The malicious code is typically a back door, also known as an illicit server, but it can be a virus, worm or any other kind of code that allows the attacker to do damage. The software is wrapped together with the malicious code into a single file or program. Utilities to create Trojan Horses, so-called wrappers, are widely and publicly available on the Web allowing anyone with a little computer knowledge to create an effective Trojan Horse.

Common ways to spread Trojan Horses are email, IRC, and websites. For example, an attacker may attempt to deceive recipients by adding an extension to a seemingly harmless file, for example openme.gif.exe. When the Trojan Horse is executed, the malicious code will start its devious job. If that job involves planting a back door, it will typically notify the attacker automatically, by e-mail or IRC pager for example. A common use of a back door is a distributed DoS attack, in which an attacker connects to many systems through a back door and use those systems (zombies) in conjunction to flood a target system. Check out our DoS attacks TechNotes for more information.

NetBUS and BackOrrifice are probably the most notorious utilities that create a back door on a target system and are often distributed as Trojan Horses (disguised as a harmless program) . Once an attacker gains access to a target system running one of these tools, he or she could do almost anything on the remote target, from deleting files to listening to microphone input.

Besides the back doors planted by attackers, an administrator can install an intentional back door on a system to be able to remotely administer it. VNC (Virtual Network Computing) is a common example; others are PC Anywhere, and Remote Desktop in Windows XP/2003. If you use any of these intentional back door systems, make sure you use strong password protection and if possible, only connect over encrypted communication lines such as VPNs.

Regular anti-virus software is often not able to detect and eliminate all Trojan Horses and back doors. Several utilities have been created to detect and remove all sorts of malicious code; common examples of such software are SpyBot Search & Destroy and Ad-Aware.

Logic Bombs
A logic bomb is a smart piece of malicious code that executes only when certain conditions are met. For example, an attacker could implement a logic bomb on a public Internet client that will start a key logger only when a user types in user credentials at a website. Other examples are a virus that executes on April Fool’s day (but infected the system long before that date), a format.exe command that is executed only when the user logs on with administrative permissions. In other words, a logic bomb contains a mechanism that is triggered only when a certain event occurs.