Malicious Code
In today's network environment, malicious code (or malware) has become a serious problem. The target is not only the information stored on local computers, but also other resources and computers. As a security professional, part of your responsibility is to recognize malicious code and know how to respond appropriately. This section covers the various types of malicious code you might encounter, including viruses, Trojan horses, logic bombs, and worms.
Viruses
A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. At this point, it attaches to other files, adds its code to the application's code, and continues to spread. Even a simple virus is dangerous because it can use all available resources and bring the system to a halt. Many viruses can replicate themselves across networks and bypass security systems. There are several types of viruses:
Boot-sector: This type of virus is placed into the first sector of the hard drive so when the computer boots, the virus loads into memory.
Polymorphic: This type of virus can change form each time it is executed. It was developed to avoid detection by antivirus software.
Macro: This type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.
CAUTION
Viruses have to be executed by some type of action, such as running a program.
Here are some common viruses:
Stoned: The Stoned virus was first reported in New Zealand in early 1988. All known variants are capable of infecting the hard disk Master Boot Record (MBR), and some may damage directories or the File Allocation Table (FAT). It is transmitted via floppy from one computer system to another.
Michelangelo: Michelangelo is a Master Boot Record virus. It is based on the Stoned virus, although it is different in its behavior. The Michelangelo virus erases the contents of the infected drive on March 6th (the birth date of the virus' namesake) of the current year.
Melissa: Melissa first appeared in March 1999. It is a macro virus that is received by email and is embedded in a Microsoft Word document. When the recipient of the email opens the document, the virus sends email to the first 50 addresses in the victim's address book and attaches itself to each email.
I Love You: A variant of the Melissa virus that emails itself to all addresses in the address book. It also infects the Normal.dot template in Microsoft Word, causing all new documents created to be infected as well.
The viruses listed are a very small number of the total population of computer viruses. Viruses are growing at an alarming rate, and newer ones do more damage as virus writers get more sophisticated. In any case, viruses cost you money due to the time it takes to clean the software and recover lost data.
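The following is an added example, not part of the original text. It shows one way a defender can detect the kind of Master Boot Record change that boot-sector viruses such as Stoned and Michelangelo make: record the boot code hash and partition table of a known-good first sector, then compare later reads against that baseline. The function names and the sample sector are constructed for illustration; on a real system the 512 bytes would be read from a disk image or raw device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 446            # bytes 0-445 hold the bootstrap code area
SIGNATURE = b"\x55\xaa"   # boot signature stored in bytes 510-511

def inspect_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot-code hash, partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):                              # four 16-byte table entries
        entry = sector[CODE_END + 16 * i: CODE_END + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:                                   # type 0 marks an unused slot
            partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                               "start_lba": start_lba, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}

def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    now = inspect_mbr(sector)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature missing")
    if now["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(code_fill: int) -> bytes:
    """Constructed sector: filler boot code plus one bootable FAT16 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x06, b"\x00" * 3, 63, 204800)
    return bytes([code_fill]) * CODE_END + entry + b"\x00" * 48 + SIGNATURE

KNOWN_GOOD = build_sample_mbr(0x90)   # constructed baseline, not a real disk
BASELINE = inspect_mbr(KNOWN_GOOD)

if __name__ == "__main__":
    print(compare_to_baseline(KNOWN_GOOD, BASELINE))
    print(compare_to_baseline(build_sample_mbr(0xCC), BASELINE))
```

Hashing the boot code separately from the partition table lets a legitimate repartition be told apart from a change to the code that runs at boot.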
Virus Hoaxes
A virus hoax uses system resources and consumes users' time. Many times, hoaxes come in the form of a chain letter bragging of free money. There also have been hoaxes sent telling users to delete files from their systems or informing them that a certain program has a logic bomb. If there is any doubt as to whether the virus threat is real, you should do a little investigative work. Many good Web sites list these hoaxes. Check out the following sites for more virus information:
Symantec's Antivirus Web site: http://www.symantec.com/avcenter/index.html
McAfee Security Antivirus Web site: http://vil.mcafee.com/
Sophos Antivirus Web site: http://www.sophos.com/
Trojan Horses
Trojan horses are programs disguised as useful applications. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code's originator. The Trojan horse is typically hidden, so its ability to spread depends on the popularity of the software and a user's willingness to download and install it.
Some Trojan horses include the following:
Acid Rain: This is an old DOS Trojan horse that, when run, deletes system files, renames folders, and creates many empty folders.
Trojan.W32.Nuker: This is a Trojan horse designed to function as a denial of service (DoS) attack against a workstation connected to the Internet.
Simpsons: The user is tricked into running a file that deletes files on selected drives via an extracted BAT file. This Trojan horse uses the program deltree.exe found on Windows 9X systems.
As with viruses, Trojan horses can do a significant amount of damage to a system or network of systems.
Logic Bombs
A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. For example, a programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company. In several cases recently, ex-employees have been prosecuted for their role in this type of destruction. During software development, it is a good idea to bring in a consultant to evaluate the code to keep logic bombs from being inserted. Although this is a preventative measure, it will not guarantee a logic bomb won't be inserted after the programming has been completed.
Worms
Worms are similar in function and behavior to a virus, Trojan horse, or logic bomb, with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. This process repeats with no user intervention. After the worm is running on a system, it checks for Internet connectivity. If connectivity exists, the worm then tries to replicate from one system to the next.
Some examples of worms include the following:
Morris: This is probably the most famous worm of all. It took advantage of a Sendmail vulnerability and shut down the entire Internet in 1988.
Badtrans: This mass-mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access Trojan horse.
Nimda: This worm virus infects using several methods, including mass mailing, network share propagation, and several Microsoft vulnerabilities. Its name is admin spelled backward.
Code Red: A buffer overflow exploit is used to spread this worm. This threat only affects Web servers running Microsoft Windows 2000.
Many variants of each of these worms exist. Many times they are quite difficult to remove, so antivirus companies have downloadable tools available to remove them.
CAUTION
A worm is similar to a virus or Trojan horse, except that it replicates by itself, without any user interaction.
You can take several steps to protect your network from malicious code:
Install antivirus software and update the files on a regular basis. Antivirus software doesn't do a company any good if it is not updated often.
Only open attachments sent to you by people you know. Many viruses infect user address books, so even if you know who the attachment is from, be sure to scan it before you open it.
Do not use any type of removable media from another user without first scanning the disk.
Perform backups on a daily basis.
Install firewalls or intrusion-prevention systems on client machines.
Subscribe to newsgroups and check antivirus Web sites on a regular basis.
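The following is an added example, not part of the original text. It illustrates the advice to check attachments before opening them, applied to the macro viruses described earlier: it inspects raw attachment bytes and holds any Office file that carries a VBA macro project, whatever its file name says. The function names, the policy labels, and the sample files are constructed for illustration, and the legacy-format check is a heuristic that does not replace an antivirus scan.

```python
import io
import zipfile

# Added example: heuristic triage only, not a replacement for antivirus scanning.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.dot/.xls container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name in a VBA project

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'office', 'malformed' or 'other' for raw attachment bytes."""
    if data.startswith(OLE2_MAGIC):
        # OLE2 directory entries store stream names as UTF-16LE text.
        return "macro" if VBA_STREAM in data else "office"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "malformed"                   # claims to be a zip but will not parse
        if "[content_types].xml" not in names:
            return "other"                       # ordinary zip, not an Office file
        # Macro-enabled OOXML files carry their VBA project as vbaProject.bin.
        has_vba = any(n.endswith("vbaproject.bin") for n in names)
        return "macro" if has_vba else "office"
    return "other"

def triage(attachments: dict) -> dict:
    """Hypothetical gateway policy: hold macro or unparseable files for review."""
    held = ("macro", "malformed")
    return {name: "quarantine" if classify_attachment(data) in held
            else "scan-then-deliver" for name, data in attachments.items()}

def build_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, content-free OOXML container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, not VBA")
    return buf.getvalue()

SAMPLES = {  # constructed inputs, not real documents
    "report.docx": build_ooxml(False),
    "invoice.docm": build_ooxml(True),
    "Normal.dot": OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM,
    "truncated.docx": b"PK\x03\x04 cut off in transit",
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, action in triage(SAMPLES).items():
        print(f"{name}: {action}")
```

Because the decision is made on file content rather than on the extension or the sender, it still applies when the message comes from a known contact whose address book was used to spread the file.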