Malicious code, also known as malware, is software that damages
or alters data and programs on a system without the user's permission
or knowledge. The goal of malware varies from gaining unauthorized access
to simply disabling a system. Malware is typically delivered through email,
but IRC channels and websites can also place malicious code on a system.
The most common type of malicious code is a virus. It infects
systems by attaching itself to files and programs; just like its
biological counterpart, it needs a host. A virus is usually
a program that must be executed by a user before it can do any
damage. For example, a virus attached to an email message is usually
only harmful when a user opens (executes) the attachment.
Decent anti-virus software should be used both
proactively and reactively to prevent damage by viruses. Since viruses
are spread primarily through email, it is important to establish
the first line of defense at the corporate email server. That will
help prevent viruses from reaching the clients, which is the place
where they are most likely to be executed and spread further. Modern client-side
anti-virus software can also actively scan data as it is received
through a network connection, in addition to scanning for and cleaning
viruses after detection. There are many anti-virus products available;
the best results are reached by layering products from different vendors,
for example one on the email gateway and another on the clients, since
no single vendor's signatures catch everything. (Running two resident
scanners on the same client is not the same thing and usually causes conflicts.)
Anti-virus products use virus definitions, also known as signatures,
to identify viruses: byte patterns or hashes extracted from samples the vendor
has already analysed, which is why a scanner cannot recognise a virus its vendor
has not yet seen. Make sure those virus definitions/signatures
are up to date; most anti-virus programs allow scheduled automatic
updates over the Internet.
Following are some of the main types of viruses:
File Virus - This is the most common type
of virus; it attaches itself to executable files such as .EXE and
.COM. The file acts as a carrier: when the file is executed or
opened, the malicious code executes and the virus spreads to infect other files.
Boot Sector Virus - This type of virus attaches
itself to the boot sector of a floppy or hard disk. When the computer
boots, the virus loads into memory and from there infects other disks.
Many main boards provide a BIOS option to enable boot sector virus
protection, which basically blocks or warns about write attempts to the boot sector.
A variant on this virus is the MBR virus that infects the Master Boot Record.
Multi-partite virus - This type of virus
is a combination of other types in this list. The most common type
of multi-partite virus is a virus that can infect both the boot
sector and files.
Stealth virus - This type of virus attempts
to hide itself to avoid detection by anti-virus software, by deceiving
the routines the scanner uses to detect it. When the infected
file or boot sector is read by anti-virus software, the resident virus
intercepts the request and returns the properties (size, contents) of the
original clean version of the file or boot sector. Because this only works
while the virus is active in memory, scanning from a known-clean boot medium defeats it.
Polymorphic Virus - This type of virus
changes its appearance with every infection to avoid signature-based detection
by anti-virus software. Each copy carries the virus body encrypted or compressed
under a different key, together with a small decryptor whose own code is varied
as well, so that no fixed byte sequence is shared between copies for a signature
to match. Anti-virus software counters this by emulating the decryptor and scanning
the decrypted body, or by matching on behaviour rather than on bytes.
Macro Virus - Macro viruses abuse the macro languages built into
office suites, such as Visual Basic for Applications (VBA) in Microsoft Office;
they need no software vulnerability, only the ability to run macros.
This type of virus is often found in Word documents; when a user
opens the document, the macro code, written with malicious intent, is
executed, typically copying itself into the global template so that documents
created afterwards are infected too. Keeping the Office macro security setting
at a level that blocks unsigned macros stops most of them.
Hoax - A hoax isn’t
really a virus but it can have damaging results. The most typical
example is a fake e-mail message that contains a warning about a
new virus and instructions to forward the message to everyone you
know. Unfortunately, many people will forward the message to many
others who forward them again, and again, and again. Eventually
this may lead to a DoS attack situation on mail systems that get
flooded with these fake warnings. The best preventive measure against
hoaxes is to educate users and to instruct them to forward such
messages to an administrator only.
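The signature matching described above under anti-virus software, and the reason a polymorphic virus evades it, as an added example in Python (this is not code from the original TechNotes page). The signature database, the one-byte XOR "polymorphic engine" and the brute-force decryptor emulation are constructed stand-ins for real anti-virus internals; the only real-world artefact is the EICAR test string, a harmless standard file that scanners detect on purpose:

```python
"""Signature scanning versus a polymorphic variant (added example, not from the page)."""

# EICAR anti-virus test string: a harmless standard file that scanners detect on purpose.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed "virus definitions": family name -> byte pattern taken from a known sample.
SIGNATURES = {
    "EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}


def scan_bytes(data: bytes) -> list[str]:
    """Static signature scan: every family whose pattern occurs in the data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str) -> list[str]:
    """Scan a file on disk with the static signatures."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def xor(data: bytes, key: int) -> bytes:
    """Symmetric one-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def make_polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Constructed stand-in for a polymorphic engine.

    The body is encrypted with a per-copy key and prefixed with a
    'decryptor stub' that also differs per copy, so two copies share
    neither the body bytes nor the stub bytes that a signature could use.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = b"DECRYPT-STUB:KEY=" + bytes([key]) + b";"
    return stub + xor(payload, key)


def scan_with_emulation(data: bytes) -> list[str]:
    """Scanner that also 'emulates' the decryptor.

    Real engines run the sample's own decryptor in an emulator and scan
    the decrypted body; trying all 255 one-byte keys here stands in for that.
    """
    hits = set(scan_bytes(data))
    for key in range(1, 256):
        hits.update(scan_bytes(xor(data, key)))
    return sorted(hits)


def demo() -> dict:
    """Compare static and emulating scans over the clean sample and three variants."""
    variants = [make_polymorphic_variant(EICAR, k) for k in (0x21, 0x7A, 0xC3)]
    return {
        "static_on_original": scan_bytes(EICAR),
        "static_on_variants": [scan_bytes(v) for v in variants],
        "emulated_on_variants": [scan_with_emulation(v) for v in variants],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The static scan finds the test file in its original form and misses every re-encoded copy, which is exactly the gap a polymorphic virus aims for; only the scanner that undoes the encoding before matching sees all three. Real engines do not brute-force keys but execute the sample's own decryptor in an emulator, which is why up-to-date engines, not just up-to-date signatures, matter.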
A worm is similar to a virus but with one important difference:
a worm doesn't need to attach itself to a file or program
to reproduce and execute, as a virus does. A worm is self-contained;
it replicates itself, typically by exploiting a vulnerability in a network
service or by mailing itself, and can infect entire networks without any user
action. Most worms can be removed from a system by using a decent anti-virus
utility, but the vulnerability the worm used to get in must be patched as well,
or the system will simply be reinfected.
Trojans and back doors are essential tools for the serious
attacker. They are often used in conjunction to allow the attacker
to gain remote control of the target system and/or steal information.
A Trojan is a seemingly harmless piece of software that contains
malicious code in addition to its own. The malicious code is typically
a back door, also known as an illicit server, but it can be a virus,
worm or any other kind of code that allows the attacker to do damage.
The legitimate software is wrapped together with the malicious code into a
single file or program. Utilities to create Trojans, so-called
wrappers, are widely and publicly available on the Web, allowing
anyone with a little computer knowledge to create an effective Trojan.
Common ways to spread Trojans are email,
IRC, and websites. For example, an attacker may attempt to deceive
recipients by appending an executable extension to a seemingly harmless
file name, for example openme.gif.exe; because Windows hides the extensions
of known file types by default, the recipient sees only openme.gif. When the
Trojan is executed, the malicious code will start its devious job. If that job
involves planting a back door, it will typically notify the attacker automatically,
by e-mail or IRC pager for example. A common use of a back door
is a distributed DoS attack, in which an attacker connects to many
systems through a back door and uses those systems (zombies) in conjunction
to flood a target system. Check out our DoS attacks TechNotes for
NetBus and Back Orifice are probably
the most notorious utilities that create a back door on a target
system; they are often distributed as a Trojan (disguised as
a harmless program). Once an attacker gains access to a target
system running one of these tools, he or she can do almost anything
on the remote target, from deleting files to listening to the microphone.
Besides the back doors planted by attackers, an
administrator can install an intentional back door on a system to
be able to administer it remotely. VNC (Virtual Network Computing)
is a common example; others are pcAnywhere and Remote
Desktop in Windows XP/2003. If you use any of these intentional
back door systems, make sure you use strong password protection,
restrict which addresses may connect, and if possible only connect over
encrypted communication lines such as VPNs. This matters most for VNC:
its traditional authentication is a challenge-response on a password
truncated to eight characters, and the session itself is not encrypted,
so on an untrusted network it should only be reached through a VPN or an SSH tunnel.
Regular anti-virus software is often not able to
detect and eliminate all Trojans and back doors. Several utilities
have been created to detect and remove all sorts of malicious code;
common examples of such software are SpyBot Search & Destroy
A logic bomb is a piece of malicious code that executes only
when certain conditions are met. For example, an attacker could
plant a logic bomb on a public Internet client that starts
a key logger only when a user types credentials into a website.
Other examples are a virus that executes on April Fool's day
(but infected the system long before that date), or a format command
that runs only when the user logs on with administrative
permissions. In other words, a logic bomb contains a trigger mechanism that
fires only when a certain event occurs. Because the payload stays dormant
until then, a logic bomb can sit on a system unnoticed for a long time.