What is Malicious Code? Is it Something I Really Need to Worry About?


Malicious code is program code specifically written for a malicious purpose (rather than code written for a legitimate purpose, which a cracker figured out how to misuse). For example, you would call a piece of code malicious if it deliberately did something like:

  • Delete files on your disk, or reformat your disk, without the user’s knowledge
  • Report the contents of your email address book to a web server collecting email addresses for a spammer
  • Display “Ha ha, you’ve been rooted!” and other such messages on your computer
  • Replace certain system files with other files, causing programs to malfunction
  • Capture your network password and email it to joe@cracker.com

Virus

A virus is a program that attaches itself to a host file and replicates itself on a system. Usually when run, unbeknownst to the user, a virus performs some action that is either malicious or simply annoying. For example, a virus may delete or modify system files, or just produce a joke message on the user’s screen.

A biological virus is an infection that causes an illness. A computer virus is malicious program code that embeds itself into other programs. When the user runs these “infected” programs, the virus can spread to still other programs, causing the “illness” to grow. Viruses can infect any type of executable code, although in most cases each virus is limited in where it can live and what it can infect. They can infect anything from e-mails, macros and boot sectors on your hard drive to USB drives and, most commonly in the past, floppy disks, which are now themselves becoming a thing of the past.

Viruses can change, much as a mutating biological virus does. The counterpart to medicine for humans is a utility called a virus scanner; should you not have one, you might want to get one fast. When run, the virus scanner inspects your files for the infection. These virus scanners, also known as antivirus programs, will in most cases (not all, but most) locate the infected files if kept up to date and, with your permission, attempt to clean or quarantine them.

  • Wise Users Are Paranoid
    • Instruct users to check with the system administrator before opening an unfamiliar type of email attachment, any attachment they did not expect to receive, and any attachment from a user they do not know, as it could contain a virus. (Companies spent hundreds of thousands of dollars removing the ILOVEYOU virus from computers, when thousands of users opened a “Love Letter For You” that claimed to be from a familiar user. You see, it looked “just plausible enough,” and it’s those “just plausible enough” lies that are the most believable.)

Viruses move from computer to computer by some user’s actions, rather than spreading automatically across a network. A virus typically gets into a system from an external source, such as a floppy disk containing software given to you by an office-mate; a file on a network share being copied onto your system and then executed to install it or to “just see what it does”; an email message sent to you by a friend containing a file that claims to be a greeting card (to get you to open it); or software that you download from the web or install from a very unlucky vendor’s CD distribution (the latter really has happened).

The possibility of transmitting a virus by email is why many email systems feature virus scanning for in-bound email, trying to limit the number of ways known viruses can enter a network.

Over the years, the IT world has seen several different kinds of viruses, including:

  1. Boot sector viruses which place their code in the hard disk’s boot sector, which is loaded every time the machine powers on
  2. File infector viruses which attach themselves to legitimate executable programs, causing the virus to run each time one of those programs is launched
  3. Script viruses which, like file infectors, attach themselves to existing legitimate programs (in this case, scripts such as DOS batch files, VBScript or JavaScript files), causing the virus to run each time the infected script is launched
  4. Macro viruses that are embedded in files such as word processing documents and spreadsheets whose environments (such as Microsoft Word) support “macro” programming in documents to customize Word’s behavior when the document is opened. These viruses are often attached to initialization macros that run whenever the document is opened, so that the user is not aware that they are “running” anything.

Numerous measures can be taken to prevent, contain and perform damage control on virus infections on your network, beginning with enforcing a policy that all users must run anti-virus software on their workstations (common packages are Symantec Antivirus, McAfee VirusScan and Grisoft AVG Antivirus). Further measures include:

  • Virus-scanning all incoming email automatically, to guard against attachments that contain viruses being received and then opened or run by users
  • Requiring users to use software which does not include macro capability, or requiring users to save files in formats that do not support macros (for example, Microsoft Word can save files in .rtf format, which doesn’t support macros, as well as in .doc format)
  • Changing the PC boot sequence in CMOS to always try to boot from the hard disk first, so that a floppy carrying a boot sector virus won’t infect a workstation’s boot sector (and thus infect that PC)
  • Setting email clients to not automatically open attachments of certain types (like .EXE)
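The two email-related measures above (scanning inbound mail before users see it, and refusing to open attachment types such as .EXE) can be expressed as a small attachment policy applied to each incoming message. The following is an added example written for this page, not code from the original article or from any of the antivirus products it names; the message it parses is constructed here, with an attachment name modelled on the “Love Letter For You” attachment mentioned earlier, and the extension lists are the author's assumptions about which types to block or send for scanning.

```python
"""Attachment policy check for inbound mail (added example, constructed data).

Executable attachment types are refused outright; macro-capable document
formats are routed for scanning; anything else is allowed through.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
import os

# Types that are executed rather than displayed when a user "opens" them.
# Assumed list for this example; a real policy would be site-specific.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
}
# Formats whose viewers can run embedded macros. .rtf is deliberately absent
# because, as the text notes, it does not support macros.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}


def classify_attachment(filename):
    """Return 'block', 'scan' or 'allow' for one attachment file name."""
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        return "block"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "scan"
    # A second, inner extension (report.pdf.txt) is a common disguise:
    # not executable here, but worth a scan rather than a free pass.
    if os.path.splitext(root)[1]:
        return "scan"
    return "allow"


def check_message(raw_bytes):
    """Parse a raw RFC 5322 message; return {attachment name: verdict}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_attachment(name)
    return verdicts


def build_sample_message():
    """Constructed sample mail with three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Love Letter For You"
    msg.set_content("Please see the attached letter.")
    # Double extension hiding a script: refused.
    msg.add_attachment(b"dummy script", maintype="application",
                       subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Macro-capable Word document: sent to the virus scanner.
    msg.add_attachment(b"dummy document", maintype="application",
                       subtype="msword", filename="budget.doc")
    # RTF cannot carry macros: allowed.
    msg.add_attachment(b"dummy rtf", maintype="application",
                       subtype="rtf", filename="memo.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in check_message(build_sample_message()).items():
        print(f"{verdict:5}  {name}")
```

The policy is applied before the user ever sees the attachment, which is the point of the "scan inbound mail" measure: a user cannot be talked into opening something that was never delivered to them.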

Heed this advice and practice safe computing. After all, do you really want to try to explain why you lost an important document, spreadsheet, presentation or even family photos?

 

  • For your own protection install an antivirus program and continue to update… update… update… update your antivirus definitions.

Worm

“WORMS! Daddy, those things are icky!” as my daughter Pamela said. No, we’re not talking about that kind of worm.

A worm is a virus, usually containing malicious code, which can replicate itself and propagate across a network. Unlike a Trojan horse or many viruses, it does not have to attach itself to other “host” programs.

Worms are similar in nature to viruses: both can consume resources and replicate themselves. The difference is that a worm can replicate itself across a network on its own and does not need to attach itself to other “host” programs. Rather, it is capable of distributing and launching itself, with no inadvertent “assistance” required from the users whose computers are being infected.

  • For your own protection install an antivirus program and continue to update… update… update… update your antivirus definitions.

Trojan

Not the mythical wooden “war trophy” horse left behind after the Greeks “retreated” from Troy, but just as alarming an issue all the same.

A Trojan horse is a type of malicious code that appears to the user to be a legitimate program (or data file – even Word .doc files can contain Trojan horse code in the form of macros), but includes hidden functions designed to perform malicious actions.

This one should tie tightly, at least in your mind, to social engineering. A Trojan horse pretends to be something useful or interesting, yet, is really a virus or other malicious code whose writer decided the best way to distribute it would be to include it in a program that claims to do something useful. Unlike a regular virus, a Trojan horse is attached to a particular executable, and typically isn’t capable of replicating and attaching itself to other files on your system.

Typically the Trojan horse relies on gaining users’ interest with something that sounds fun or curious. Sometimes they masquerade as a data file sent by a user who is asking for help. Because Trojan horses appear to be legitimate code but have hidden functions designed to do nasty things, they are difficult to detect with an Intrusion Detection System (IDS).

As with viruses, prevention of Trojan horses on your system will largely be accomplished via anti-virus software and educating users not to open mysterious attachments.

  • For your own protection install an antivirus program and continue to update… update… update… update your antivirus definitions.  You can only lead the horse to the water!

Logic bomb

A logic bomb is a piece of malicious code that is designed to not “fire” the malicious functionality until triggered by a certain event or process.

An example of a logic bomb in a virus would be the Michelangelo virus. More commonly, upset employees may insert logic bombs into in-house programs, triggering some malicious functionality at some date in the future.

A logic bomb is a virus of some ilk with a time-delay fuse. The most famous virus with a fuse was Michelangelo in 1992. More practically speaking, a really upset employee is more of a danger. They could install a program set to do something malicious at a later date, and then quit (or work their last day, if they were laid off), leaving the system to automatically fire off the malicious code days, weeks or even months after they lost their access to the company’s computers. For that matter, this could also happen while they are still employed but taking a vacation day, sitting in an all-day meeting, etc., i.e., in a place in which they have an “alibi” when the logic bomb “goes off”.

To guard against this occurring, it’s useful to have multiple programmers looking at the same set of code and for change control processes to be in effect, requiring that someone other than the program’s creator be assigned the responsibility to put any code into production. As we’ll see later in the cryptography section, a useful tactic in helping keep a system from being abused is to require that multiple people be involved in activities that lend themselves to abuse, such as installation of programs on in-house production (or client) systems.

Privilege Escalation

Privilege escalation allows users with restricted or lower account rights to access a system, application, resource or document that their current privileges would normally deny them. There are two forms of privilege escalation: vertical and horizontal.

An example of vertical privilege escalation: an administrator leaves their system unlocked and open, and someone walking by sees that the system is available for use, walks over and changes their own account rights, granting themselves rights they were never intended to have. Another example would be a bug or flaw in a program that is exploited to elevate rights higher than the software developers intended, such as hacking a Windows service that runs under the Local System account so that a user with lower rights can grant themselves higher rights.

Websites and web applications are commonly hacked through horizontal privilege escalation. Cross-site scripting (a.k.a. XSS, which will be explained later), session fixation, and the use of simple passwords are the most common forms of this activity.

As I personally witnessed in a local seminar, thanks to a Microsoft IE 8 demonstration: a valid website that you access on a regular basis has a login page; you log into your account as normal, only to have your user name and password information taken by a hacker.
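The web-application form of horizontal privilege escalation described above comes down to one missing check: the application confirms that the caller is logged in, but not that the requested record belongs to that caller. The following is an added example, not code from the original article; it uses an in-memory document store and session table constructed for the purpose (the names alice, bob, the document ids and the session ids are all made up) and shows the defective handler beside the corrected one, without any web framework.

```python
"""Horizontal privilege escalation in a "fetch my document" handler.

Added example with constructed data. The vulnerable version checks only that
*someone* is logged in; the hardened version ties the lookup to the identity
the server-side session already established.
"""

# Constructed sample data: documents owned by two different users.
DOCUMENTS = {
    101: {"owner": "alice", "body": "Alice's salary review"},
    102: {"owner": "bob", "body": "Bob's expense report"},
}
# Server-side session table: opaque session id -> authenticated user.
SESSIONS = {"sess-a1": "alice", "sess-b2": "bob"}


class Forbidden(Exception):
    """Raised when the caller may not access the requested resource."""


def current_user(session_id):
    """Resolve the session to a user, or refuse if there is no valid session."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    return user


def get_document_vulnerable(session_id, doc_id):
    """Authenticates the caller but never checks ownership of doc_id.

    Any logged-in user can read any other user's document simply by
    supplying a different id: horizontal privilege escalation.
    """
    current_user(session_id)
    return DOCUMENTS[doc_id]["body"]


def get_document_hardened(session_id, doc_id):
    """Object-level authorization: the document must belong to the session's user."""
    user = current_user(session_id)
    doc = DOCUMENTS.get(doc_id)
    # Same error for "does not exist" and "not yours", so a caller cannot
    # tell which ids are valid by probing.
    if doc is None or doc["owner"] != user:
        raise Forbidden("no such document")
    return doc["body"]


def demo():
    """Report whether bob's session can read alice's document under each handler."""
    leaked = get_document_vulnerable("sess-b2", 101) == DOCUMENTS[101]["body"]
    try:
        get_document_hardened("sess-b2", 101)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaks": leaked, "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately not a second login prompt or a longer password: the user is already who they say they are. What was missing is the rule that the record being fetched must belong to that identity, and that rule has to live on the server, next to the data, rather than in anything the browser sends.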

Spyware

Would this be the latest fashion for a spy? I think not! Spyware is a malicious computer program designed to track activities on, intercept, or take control of a computer without the user’s permission. Spyware has evolved from its simple beginnings of monitoring a user’s activity to presently causing loss of use of the Internet, making modifications to computer settings and, even more annoyingly, sending you to websites that can lead to a virus attack.

How did you get spyware?

Well, in many different ways, including but not limited to: accessing websites carrying malicious code designed to attack you; file-sharing sites, or sharing files with an infected friend or co-worker; and, worst of all, from a valid vendor that just happened to be infected as well.

There are ways to prevent, or more realistically to limit, spyware:

  1. Update your software, in case you have missed the earlier warnings! This applies to all your software, not just your antispyware, and should include your operating system as well.
  2. Add or turn on a firewall; some operating systems come with a firewall, or you can download one.
  3. Raise the security levels of your browser to limit attacks.
  4. Download and surf responsibly; don’t download from or go to sites that place you at risk!

So there really was something to the anti-copyright-infringement campaign “Don’t Copy That Floppy”! The floppy nowadays would be a CD-ROM, DVD or a simple download, but the same advice just might help us today to prevent the spread of spyware.

Spam

The ever-popular e-mail on subjects you always wanted to know about, from sources you’ve never met. How many times have you seen the “this famous person has an exposed body part” or “enlargement” e-mail messages? You have just won the lottery!! Only to open the message and find that it is not true at all. After all, we all play the lottery in foreign countries.

Should someone’s mailbox be attacked by massive amounts of spam, it would be possible for them to surpass their mailbox limit, so that legitimate mail might not be delivered. However, some bulk messages could have a valid use, which is why we still get them. So you tell yourself: if you don’t know the sender, always beware!

Spamming continues daily, to the point that yes, even our US government has passed a Can Spam Act, which was effective January 1, 2003. Do not let the name fool you: the Can Spam Act does not mean that you’re allowed to get spam, but just the opposite. This Act was to serve the same purpose as the National Do Not Call List, that is, to help limit the amount of spam that you receive.

For this reason, blacklists have been created and are maintained on a daily basis. These blacklists, used in conjunction with other tools, may prevent some mail from making it to the client’s mailbox. Popular personal mail systems have given their users the ability to add an unwanted sender to a blacklist. The bad part is that there is no guarantee a valid sender won’t be blocked by mistake.

Chain letters and spam messages are such a waste of time and resources. Open mail relays as well as open proxy servers are favorite targets of spammers for their exploits. One way is to use SMTP, via port 25, to forward mail from one server to another.

How did they get my e-mail address? You, a family member, a friend or anyone who has your e-mail address is how they got it. Someone signed up for e-mail from a site; from that site their address was sold, or the site was hacked, attacking them or you. Once the spammer has attacked you or whomever, the attack can grab your e-mail contacts and continue to attack the people in your list. Or, even more fun, you receive an e-mail, see that you could “opt out” or “unsubscribe” so as not to get further messages from a site, and in doing so only validate your e-mail address for that attacker. Then the spammer has your address, which he tells to a friend, who tells a friend, and so on.

Spam has evolved over time, which means it has grown into more than just advertisements. Now spam can have viruses attached to the message. If that isn’t enough, your system can be taken over. Yes! Spammers turn a PC into a Zombie system, then add another and another until they have a vast “army” of Zombies, a massive network across the globe. That network of Zombies then grows further, assimilating other computers and enlisting them in the attacks. These Zombie networks are called Botnets, which will be discussed in more detail later.

Protection from spam

  1. Common sense
  2. Install anti-spam software
  3. Continue to monitor and update your software
  4. E-mail filtering
  5. Use of a spamtrap
  • For your own protection install an anti-spam program and continue to update… update… update… update your definitions.  Come on!  No REALLY update your software!
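Items 4 and 5 of the list above, e-mail filtering and a spamtrap, fit together: a spamtrap is an address that was never given to any real correspondent, so anything sent to it is spam by definition, and its sender can be added to the blacklist that filters the real mailboxes. The following is an added example written for this page, not code from the article or from any mail product; every address and message in it is constructed, and the allowlist is this example's way of addressing the false-positive risk the text mentions (a valid sender blocked by mistake).

```python
"""Sender blacklist fed by a spamtrap (added example, constructed data).

The filter learns blocked senders from mail that arrives at the trap
address and applies that list to mail for the real mailbox. Known-good
correspondents are allowlisted so they can never be blocked by mistake.
"""

SPAMTRAP = "never-published@example.org"   # constructed trap address
REAL_MAILBOX = "user@example.org"          # constructed real address


class SpamFilter:
    def __init__(self, spamtrap, allowlist=()):
        self.spamtrap = spamtrap.lower()
        self.blacklist = set()                       # learned senders
        self.allowlist = {a.lower() for a in allowlist}  # addresses or "@domain"

    @staticmethod
    def _domain(address):
        """'@example.com' for 'user@example.com', for domain-wide list entries."""
        return "@" + address.rsplit("@", 1)[-1]

    def _listed(self, listing, sender):
        return sender in listing or self._domain(sender) in listing

    def process(self, message):
        """Return 'deliver', 'trap' or 'reject' for one message.

        message is a dict with 'from' (one address) and 'to' (list of addresses).
        """
        sender = message["from"].lower()
        recipients = [r.lower() for r in message["to"]]
        # Allowlisted correspondents are delivered and never learned as spammers,
        # which is how this example avoids blocking a valid sender by mistake.
        if self._listed(self.allowlist, sender):
            return "deliver"
        if self.spamtrap in recipients:
            # Nobody legitimately mails the trap: learn the sender, drop the mail.
            self.blacklist.add(sender)
            return "trap"
        if self._listed(self.blacklist, sender):
            return "reject"
        return "deliver"


def run_sample():
    """Feed a constructed mail stream through the filter.

    Returns (verdict per message, learned blacklist).
    """
    f = SpamFilter(SPAMTRAP, allowlist=["@example.com"])
    stream = [
        {"from": "bulk@mailer.test", "to": [REAL_MAILBOX]},            # unknown yet: delivered
        {"from": "bulk@mailer.test", "to": [SPAMTRAP, REAL_MAILBOX]},  # hits the trap: learned
        {"from": "bulk@mailer.test", "to": [REAL_MAILBOX]},            # now rejected
        {"from": "friend@example.com", "to": [SPAMTRAP]},              # allowlisted: untouched
    ]
    verdicts = [f.process(m) for m in stream]
    return verdicts, sorted(f.blacklist)


if __name__ == "__main__":
    verdicts, learned = run_sample()
    print(verdicts)   # ['deliver', 'trap', 'reject', 'deliver']
    print(learned)    # ['bulk@mailer.test']
```

Note that the first message from the bulk sender is still delivered: a blacklist only protects against senders it has already seen, which is why the text pairs it with other tools such as content filtering and common sense.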

Adware

Adware, much like all the other malware or malicious code that you have read about so far, is installed without the knowledge of the user. Some would say that adware and spyware are the same. They are very close to one another: adware tracks the user’s behavior and will pop up or display targeted websites. Sadly enough, some new “off the shelf” applications have been known to install adware. Gee, thanks!

Danger!  Danger!  There are those “helpful” tools out there that will help but at a price!  Some tools claim to assist you in locating or search for a site.  “Help” you get that expensive software for nothing!  This is not a late night TV advertisement.

Not all anti-virus programs have adware protection, but some are starting to bundle protection from adware into their packages.

For detection and removal of adware, a key thing to remember is that, depending on the level of infection, just one removal tool may not be enough. Lavasoft, maker of the ever-popular Ad-Aware, and Sunbelt Software, maker of CounterSpy and VIPRE, are just a couple of the vendors on the market. Past experience has proven that “two heads are better than one!” Just not at the same time: it is not recommended to have both scanning a system at once, only to have them collide trying to scan the same file.

  • For your own protection install an anti-adware program and continue to update… update… update… update your definitions.  Are you getting the hint?

There are other ways to help stop installation of unwanted malware. Simple searches can provide you assistance and save you time. You can install a pop-up blocker, and before you download that “FREE” software, research it to see if other people have used it and reported back that they got attacked by it.

Let’s say you click on a link which takes you to a website you have never visited before. As you look over this new website, a warning pops up requesting to install something. Your options are to click one of the following buttons: Yes, No, or More Info. Which one do you click? Be smart, unless you really think you’re 100% safe from an attack. Check out the site in more detail and see if the software to be installed could be valid. Maybe the site requires a newer version of a plug-in than the one you already have installed. Sure! I would allow that to install. Don’t be gullible! Unless you know the plug-in or the maker of the software, do not click the YES button.

Rootkits

Rootkits are not a collection of roots from a maple tree or any other leaf-bearing tree. A rootkit is a program, or a collection of many programs, that takes control of a system. The term “root” in UNIX is the equivalent of Administrator in Windows. Rootkits hide among the many different processes that are already running on a system.

As with most malware there are different types of Rootkits and they are:

  1. Application level - replaces regular application binaries with fakes, like a Trojan.
  2. Firmware - hides in the firmware of a device, creating a persistent piece of malware until you find the infected device.
  3. Kernel level - code that masks itself within a device driver or the OS kernel in some fashion.
  4. Library level - installed by updating applications or Service Packs, attacking library code such as, in Windows, a DLL file.
  5. Virtualized - sounds like fun, but once loaded into memory it creates a virtual machine.

 

Nasty bugs these are! Some can be detected by their signature; many, however, are not. Detection in most cases comes from just knowing the normal behavior of a system. The client will notice strange or bizarre actions of the computer. They try scanning their system and may find something, but the bizarre actions just return. It acts like a virus, spyware or adware, but the client may not be able to remove this malicious code.

As for removal of rootkits, products are starting to hit the market, but most professionals will in most cases, and of course for your safety, reload the system from scratch. If the client is prepared for something of this nature, they will have a complete and tested backup of their system. We all know not every client is that prepared. Even after being attacked, some will never learn. After all, that is why we’re the professionals that we are: we’re called in to come into their environment and save the day for them.
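The text says rootkits are mostly found by knowing what a system normally looks like rather than by signature. One concrete way to "know normal" for the application-level case (item 1 above, where a regular binary is replaced with a fake) is a hash baseline: record a digest of every program file while the system is known good, keep that record off the machine, and compare against a fresh scan later. The following is an added example written for this page, not code from the article or from any product it names; it builds a throwaway directory with three constructed stand-in binaries, simulates one being replaced and a new file being dropped, and reports both.

```python
"""Baseline-and-compare file integrity check (added example, constructed data).

A SHA-256 digest of every regular file under a directory is recorded while
the system is trusted; a later scan is compared against that record.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (with '/' separators) -> SHA-256 for files under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Classify the differences between a trusted baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Simulate a replaced binary and a dropped file, then detect both."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        # Constructed stand-ins for system binaries.
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, name), "wb") as fh:
                fh.write(b"original " + name.encode())
        trusted = build_baseline(root)   # taken while the system is known good

        # Simulated tampering: 'ps' swapped for a fake, one extra file added.
        with open(os.path.join(bin_dir, "ps"), "wb") as fh:
            fh.write(b"replacement that hides processes")
        with open(os.path.join(bin_dir, "dropped"), "wb") as fh:
            fh.write(b"new file")

        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind:9} {paths}")
```

Two caveats follow from the rootkit types listed above. The baseline must be stored somewhere the machine itself cannot alter, and the comparison scan is only trustworthy when run from known-good media, because a kernel-level rootkit that controls what the operating system reports can also control what a scanner running on that operating system reads. That is the same reasoning behind the advice to reload from scratch.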

Botnets

Botnets as mentioned in the earlier section covering spam are a collection or network of Zombie computers that have been infected with malware.  ‘Bot’ is short for robot(s) and ‘Net’ is short for network(s), putting them together as Botnets.

 

These armies of infected computers are controlled by a hacker and are assigned to perform automated tasks working to assimilate other computers with viruses, spyware, adware or any other type of malicious software.

As with all of the other previously mentioned security threats, detection is possible, as is removal of these parasites. Detection usually comes from a noticeable decline in computer performance. Removal comes in many different forms, as does the removal of viruses, spyware and adware. Following those same steps as mentioned in prior sections, you will be able to heal the computer.

Now I would like to personally thank Sunbelt Software! While doing research on this topic I of course did silly things like ignore warning messages about sites that may have malicious code.

In doing so I was attacked and was having one heck of a time getting rid of the infection. It was so bad I could not believe that I had done this to myself!

Sure, other people have used my computer and have infected my system before. But it wasn't a big deal to me. However, this attack was stronger than others in the past and I was really having a hard time removing this infection.

I have antivirus, popup blockers, anti-spyware and other programs running to protect me. But just when you think you're bigger and badder than they are... you get to take a big bite of humble pie! Nothing in life is 100%!

Sunbelt Software saves the day! As I have told others in the past, if you cannot get rid of something and are thinking about re-formatting your system, give CounterSpy a try.

I'm here to tell you, I could not load a page on my desktop to even see a single dot on the page. I jumped over to my laptop, went to Sunbelt's site, found they have a new package called VIPRE, and downloaded it to my laptop. Then I put VIPRE on a CD-ROM, took it to my desktop and was able to install it without any problems.

I was even able, through VIPRE, to get the latest updates and then start deep-scanning my system. Within a very short time I was getting alerts that this program wants to do this or that program is trying that; of course I blocked all of these actions.

VIPRE has antivirus and spyware protection. My hat goes off to Sunbelt Software!! The makers of CounterSpy and now VIPRE.
