Malicious Code

Notes

• One from the previous section: Back Doors
  • Undocumented access point
  • This may not be malicious
  • It just might be a way to improve/speed up debugging
    • The "Bennett" pass in game classes
  • Or it might be a joke
    • Easter Eggs
  • Both of these can lead to cyber problems.
  • And should be caught in code review, or prohibited
  • But the authors suggest these might be added after development
    • By the debuggers or maintenance
    • And so might not be caught
• MALWARE
  • MALicious softWARE
  • Viruses, Trojan Horses, Worms
  • Code deliberately written to cause problems.
• A virus is a program that can replicate itself and pass on malicious code.
  • This is named after biological viruses
  • They are code sections, not programs, they can not stand on their own.
  • These programs are called host programs.
  • They tend to make copies of themselves in another program.
  • von Neumann proposed self replicating code in the 1949
  • The first virus appeared on the net sometime in the early 1970s
  • Viruses can spread any way, but usually by embedding themselves in files.
• The Melissa Virus
  • In 1999
  • Was a Word Document virus
  • The infected document had VB script code
    • Would copy itself into the default Word template when the document was opened (thus infecting new documents)
    • Go through the Outlook address book and send copies of infected documents to the first 50 names.
    • And would insert text into open word documents
  • This slowed email
  • And infected an estimated 100,000 accounts.
• A worm is a program that moves from computer to computer through the network.
  • This is a stand alone program.
  • It will usually make new copies which get sent to other computers.
  • Worms were introduced in the 1960s with the advent of local networks
  • But the Morris Worm was of huge impact
    • It exploited a bug in the program that transfers mail (sendmail)
    • And a buffer overflow in another program (finger)
    • And a password attack
    • And trust based programs rsh and rexec
  • The Morris Worm
    • Start with a user on system A
    • It would rename itself to "sh" the equivalent of bash to attempt to hide.
    • It would attack other machines through the finger command
      • finger user@machine
      • Would provide information about the given user on the given machine.
      • finger junkbad code
      • finger had a buffer overflow so the bad code would be written to the stack then executed
      • finger was run as root
      • So a copy of the worm was transmitted to a new system running as root
    • Or look at the .rhosts file for the user
      • This was equivalent to the .ssh/known_hosts, but more permissive
      • The work could execute either rsh or rexec to start instances on the remote machine as the user.
    • Once on a machine, it attempted to crack passwords of other users based on a dictionary attack.
    • Sendmail propagation was available too.
  • This worm
    • Worked as a DOS attack, too many processes
    • And heavy network traffic
  • It was an experiment gone wrong
  • But it shocked the network community
  • And the author was convicted, but is now an MIT professor
• A bot is a program installed on a computer that can act as a client, such as a web client
  • Frequently used for DOS attacks
  • But could be used to collect information (email addresses, contacts, ...)
• A Trojan horse is malicious code that serves a (useful) primary purpose but also a (malicious) secondary purpose
  • We have potentially created these with the MD5 Hash lab.