Malicious Code

Just as in other chapters, this one starts off by looking at some of the threats. As a CISSP, you will be responsible for identifying risk and vulnerabilities, and then finding ways to minimize the impact that could happen if a threat agent gives rise to a threat that exploits a vulnerability.

Malicious code is a threat. The computer you are using likely has antivirus software loaded on it, to detect and prevent computer viruses, which are one type of malicious code. Many types of malicious code exist, but generally, malicious code can be defined as any program that is specifically written to damage, penetrate, or break a system. This genre of software can include Trojans, denial-of-service tools, remote-access Trojans, logic bombs, viruses, worms, and back doors.

Viruses and Worms

Viruses and worms are nothing new; they have been around since the dawn of the computer era. What has changed through the years is the way in which viruses infect systems. There are three broad categories of propagation:

  • Master boot record infection This is the oldest technique. The virus writes itself into the boot sector or master boot record of a floppy disk or hard drive, so it runs before the operating system loads and can infect other disks used in the machine. It was effective in the days when everyone passed floppy disks around.
  • File infection A slightly newer form of virus that attaches itself to an executable (typically a .com or .exe file) and relies on the user to run the infected program. Some form of social engineering is usually used to get the user to execute it.
  • Macro infection The most modern type of virus, which began appearing in the 1990s. Macro viruses exploit the macro and scripting engines built into applications such as office suites and mail clients, so the malicious "program" is a document or script rather than a binary. Most of you probably remember the "I Love You" worm of 2000, which spread as a Visual Basic Script email attachment and is a prime example of this class.

Many antivirus programs work by means of file signatures. A signature scanner examines boot sectors, files, and program code for byte patterns that have been extracted from known malicious programs and stored in a signature database. Although these programs are efficient, they are only as good as their last update: they cannot recognize code that was written or altered after the database was built, so they must be updated regularly to detect the most recent viruses.
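As an added illustration (not code from the book), the following Python sketch shows what a file-signature scanner does and why it is only as good as its last update: a single changed byte inside the matched region defeats the old signature until the database is refreshed. The signature names, patterns, the "infected" executable and the boot-sector image are all constructed for the demonstration and are not real malware signatures.

```python
"""Minimal signature scanner: an added illustration, not code from the book.

Every pattern and sample below is constructed for the demo; none of them
is a real malware signature.
"""
from typing import Dict, List

# Constructed signature database: detection name -> byte sequence lifted
# from a known sample.  Real engines hold millions of these and use a
# multi-pattern matcher (Aho-Corasick), but the principle is the same.
SIGNATURES: Dict[str, bytes] = {
    "Demo.FileInfector.A": b"INFECT-BY-DEMO-A",
    "Demo.BootSector.A": b"\xeb\x3c\x90DEMOBOOT",
}

# Constructed samples: a clean program, the same program after infection,
# and a 512-byte boot sector (code at offset 0, 0x55AA marker at the end).
CLEAN_EXE = b"MZ\x90\x00" + b"legitimate program code" * 4
INFECTED_EXE = CLEAN_EXE + b"INFECT-BY-DEMO-A" + b"\x00" * 16
BOOT_SECTOR = (
    SIGNATURES["Demo.BootSector.A"]
    + b"\x00" * (510 - len(SIGNATURES["Demo.BootSector.A"]))
    + b"\x55\xaa"
)


def scan_bytes(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_boot_sector(disk_image: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Boot-sector infectors live in the first 512 bytes of the disk."""
    return scan_bytes(disk_image[:512], signatures)


def make_variant(sample: bytes, pattern: bytes) -> bytes:
    """Flip one byte inside the signature region: the smallest change a
    virus author makes to slip past a published signature."""
    offset = sample.find(pattern)
    if offset < 0:
        return sample
    out = bytearray(sample)
    out[offset] ^= 0x01
    return bytes(out)


def add_signature(signatures: Dict[str, bytes], name: str,
                  sample: bytes, offset: int, length: int) -> None:
    """'Update the database': take a pattern from a captured variant."""
    signatures[name] = sample[offset:offset + length]


def demo() -> Dict[str, List[str]]:
    db = dict(SIGNATURES)                      # private copy for the demo
    pattern = db["Demo.FileInfector.A"]
    offset = INFECTED_EXE.find(pattern)
    variant = make_variant(INFECTED_EXE, pattern)
    results = {
        "clean": scan_bytes(CLEAN_EXE, db),                 # []
        "infected": scan_bytes(INFECTED_EXE, db),           # A detected
        "boot": scan_boot_sector(BOOT_SECTOR, db),          # boot infector
        "variant_before_update": scan_bytes(variant, db),   # evades!
    }
    # The vendor captures the variant and ships a new signature.
    add_signature(db, "Demo.FileInfector.B", variant, offset, len(pattern))
    results["variant_after_update"] = scan_bytes(variant, db)
    return results


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:24s} {hits}")
```

The "variant_before_update" result is the whole story of signature scanning: nothing is wrong with the engine, it simply has never seen that byte sequence, which is why update frequency matters more than the scanner itself.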

Worms, unlike viruses, require no interaction on the user's part to replicate and spread. One of the worst worms to be released on the Internet was the Morris worm, also called the RTM worm after its author, Robert Tappan Morris. It was released in 1988 and was meant to be only a proof of concept, but a bug in its logic made it reinfect hosts it had already compromised, and the resulting slowdowns and outages brought home the fact that this type of code can do massive damage to the Internet.

Today, the biggest changes in viruses and worms are these:

  • The means by which they spread.
  • The new methods by which they attack.
  • The new types of payloads. The payload of some viruses might do nothing more than display a message on your screen at a certain date and time, whereas others could wipe your hard drive.

Nimda: A New Type of Worm

Nimda is a good example of how viruses and worms have changed in the last few years. Nimda could infect a computer when an infected email was read or even previewed in a vulnerable mail client; the user did not have to open an attachment. Nimda also modified pages on a compromised web server so that any computer browsing those pages might also become infected.

When Nimda first attacked, it propagated from web servers in several ways that had not previously been seen. It sent out random HTTP GET requests looking for other unpatched Microsoft IIS web servers to infect. It also scanned the hard drive once every 10 days for email addresses and used them to send copies of itself to new victims. Because Nimda used its own internal mail client, it was difficult for individuals to determine who really sent the infected email. If all that isn't enough, Nimda could also add itself to executable files to spread to other victims.

Who created Nimda? That is still unknown. Antivirus experts are left with only a few clues, one of which is in the code itself: the string "Concept Virus (CV) V.5, Copyright(C) 2001 R.P.China." What is known is that Nimda infected at least 1.2 million computers and caused untold monetary damage.


Buffer Overflow

Buffer overflow attacks are used to gain access to systems or to elevate privilege. A buffer overflow occurs when a program copies more data into a fixed-size buffer than the buffer can hold, typically because the programmer used an unsafe function (C's strcpy or gets, for example, which copy until they see a terminator and never check the destination size) or did not enforce limits on input length. Basically, the programmer is not practicing good coding techniques. The excess data overwrites whatever sits next to the buffer in memory, which on the stack can include the function's saved return address. If an attacker can find this vulnerable code, he can craft input that overwrites that address and redirects execution into code he supplies. If the original program executed with administrator or root rights, those privileges are inherited by the attacker's code. The end result is that, many times, the attacker gains a command shell on the system under attack. When this occurs, the attacker has complete control. Library functions that take an explicit length, compiler and operating-system protections such as stack canaries and non-executable stacks, and memory-safe languages all reduce this risk.

Denial of Service (DoS)

DoS attacks are intended to disable or disrupt computer services or resources. Although this sometimes happens by accident, it is most often a deliberate act. DoS is sometimes a final act of desperation when an attacker cannot gain access to a system, and it is occasionally used in extortion attempts: "Meet my demands or I will shut down your network." Because specific DoS attacks have been discussed in other chapters, only the names of common attacks are provided in the following list:

  • Smurf
  • Fraggle
  • Teardrop
  • Ping of death
  • Land
  • SYN attack

Distributed Denial of Service (DDoS)

One step above the DoS attack is the DDoS attack. DDoS is similar to DoS in that the goal is disruption of service, but it is more powerful because it uses a large number of previously compromised systems to direct a coordinated attack against the target. These systems, known as zombies (today more often called bots, and collectively a botnet), wait until the attacker signals the attack through a handler or command-and-control channel. A DDoS attack can be devastating because of the tremendous amount of traffic generated, and because the traffic arrives from many sources it cannot be stopped simply by blocking one address. DDoS attack tools include these:

  • Trinoo
  • Shaft
  • Tribal Flood Network
  • TFN 2K
  • Stacheldraht

Malformed Input (SQL Injection)

Application developers should never assume that users will input the correct data. A user who is bent on malicious activity will attempt to stretch the protocol or application in an attempt to find vulnerabilities. An example is an order quantity field on a web page that accepts negative values. Buyers don't order negative quantities of an item, but an attacker might, to see how the application handles it. Attackers think outside the box, and so should programmers when developing applications. Parameter problems are best solved by validating input before it is processed (pre-validation) and checking results before they are acted on or returned (post-validation), and both checks must run on the server, because anything done only in the client can be bypassed.

Databases are a common target of malformed input. An attacker can attempt to insert database or SQL commands into an input field to disrupt the normal operation of the database, which can cause it to become unstable or leak information. This type of attack is known as SQL injection. The attacker searches for web pages whose input reaches a SQL query unescaped. Attackers use probes such as 1 = 1-- or a lone single quote (') to test for vulnerabilities: the quote breaks the query's string syntax, 1 = 1 makes a WHERE clause always true, and -- comments out the rest of the statement. Verbose error responses such as the one shown in the following code give the attacker the feedback needed to know that the database is vulnerable; this one reveals the database product, shows that a value ('sa_login') from the query reached the server unchanged, and confirms that input is being interpreted as part of the SQL.

  Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
  [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
  the nvarchar value 'sa_login' to a column of data type int.
  /index.asp, line 5

Although knowing the syntax and response used for a database attack is not required exam knowledge, it is useful to know as you attempt to secure your infrastructure. Other security issues that can be tied directly to input validation include these:

  • Client-side validation
  • Cross-site scripting
  • Direct OS commands
  • Path traversal
  • Unicode encoding
  • URL encoding

All of these issues are addressed by performing proper input validation on the server side, combined with output encoding (against cross-site scripting) and parameterized queries or prepared statements (against SQL injection), so that user-supplied data is never interpreted as code.
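The following Python program is an added example, not code from the book, that ties together the two problems described above: the order-quantity field that accepts bad values, and a login query that can be manipulated with ' OR 1=1--. It uses the sqlite3 module from Python's standard library so it runs offline; the tables, accounts, product data, and the business limit MAX_QUANTITY are all constructed for the demonstration. The function login_vulnerable is deliberately insecure and is kept beside its parameterized replacement.

```python
"""SQL injection and parameter validation: added example, not from the book.

Uses Python's built-in sqlite3 so it runs offline; the schema, accounts and
product data are constructed for the demonstration.
"""
import sqlite3
from typing import List

MAX_QUANTITY = 1000  # assumed business limit for a single order line


def build_db() -> sqlite3.Connection:
    """Constructed sample database: a users table and a products table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO users (login, password) VALUES ('sa_login', 'Tr0ub4dor'),
                                                  ('alice', 'wonderland');
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO products (name, price) VALUES ('widget', 5);
        """
    )
    return conn


def login_vulnerable(conn, login: str, password: str) -> List[str]:
    """Vulnerable: user input is pasted into the SQL text, so the input can
    change the statement's structure.  Deliberately left insecure."""
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, login: str, password: str) -> List[str]:
    """Hardened: placeholders keep the data outside the SQL grammar."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


def probe_raises_error(conn, payload: str) -> bool:
    """The attacker's first test: does a stray quote make the back end
    complain?  A database error (like the ODBC message shown on this page)
    means the input reached the query unescaped."""
    try:
        login_vulnerable(conn, payload, "x")
    except sqlite3.OperationalError:
        return True
    return False


def validate_quantity(raw: str) -> int:
    """Pre-validation: accept only a positive integer within business limits."""
    text = raw.strip()
    if not text.isdigit():            # rejects '-2', '1e3', '', '3; DROP ...'
        raise ValueError("quantity must be a positive integer")
    qty = int(text)
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return qty


def place_order(conn, product_id: int, raw_quantity: str) -> int:
    """Validate before the query (pre), parameterize the query, and check
    the result before acting on it (post).  Returns the order total."""
    qty = validate_quantity(raw_quantity)
    rows = conn.execute(
        "SELECT price FROM products WHERE id = ?", (product_id,)
    ).fetchall()
    if len(rows) != 1:                # post-validation: exactly one product
        raise LookupError("unknown product")
    total = rows[0][0] * qty
    if total <= 0:                    # post-validation: an order is never a credit
        raise ValueError("invalid order total")
    return total


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with ' OR 1=1--  :", login_vulnerable(db, "' OR 1=1--", "anything"))
    print("parameterized login, same input :", login_parameterized(db, "' OR 1=1--", "anything"))
    print("single-quote probe raises error :", probe_raises_error(db, "'"))
    print("order of 3 widgets, total       :", place_order(db, 1, "3"))
```

Running it shows the vulnerable query returning every account for a password the attacker does not know, while the parameterized version returns nothing, and the same single-quote probe that produced the ODBC error above produces a database error here too; the order function shows where pre-validation (the quantity) and post-validation (row count, total) sit relative to the query.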


Spyware

Many of us have dealt with programs such as adware, browser hijackers, surveillance programs, or web bugs. Although spyware programs are nothing new, they continue to grow in virulence and sophistication. There is some debate as to whether these programs are aggressive marketing gone too far or a real invasion of privacy.

Spyware programs are typically installed when the user downloads a free piece of software that contains spyware in the installation package. Vendors justify these programs by declaring that spyware programs allow them to offer their products for free and that if users do not want to install the spyware, they can refrain from installing their programs by opting to purchase a for-pay copy that doesn't include the spyware.

Other spyware programs are less up front about giving you an option to install and might be loaded onto your computer merely by your visiting a website with a vulnerable browser (a drive-by download). Spyware programs have become rather advanced. Some use NTFS Alternate Data Streams (ADS), a hacker technique that lets the distributor attach a hidden stream of data to an innocent-looking file. A quick look through the drive finds no trace of the offending executable because a standard directory listing shows only the host file, not the stream attached to it (later versions of Windows can list streams with dir /r). Removing these programs requires one or more specialized tools, such as HijackThis. Other defenses against spyware include changing to an alternate browser, staying current on your patch management, and not downloading or installing adware-supported programs.

Back Doors and Trapdoors

Many times, back-door programs are used to access and control a computer. These programs are associated with Trojans and other malicious code that can be used to trick the user into installing them. Once installed, these programs listen on high-numbered or otherwise unused TCP/UDP ports to communicate with the attacker. Many of the programs give the attacker complete control of the victim's computer and allow him or her to execute programs, access the Registry, turn on the camera and mic, control the browser, and start and stop applications. Common back-door programs include these:

  • Back Orifice
  • SubSeven
  • NetBus
  • Beast

Trapdoors, unlike back doors, are placed by programmers as a secret entry point into a program (the CISSP literature also calls them maintenance hooks). They allow someone to reach the program's functionality without going through the usual security procedures. Programmers find these useful during application development; however, they must be removed before the code is finalized, because anyone who learns of one has the same privileged access.

Change Detection

One of the ways in which malicious code can be detected is through the use of change-detection (file-integrity-monitoring) software. This software can detect changes to system and configuration files. Most of these programs work by computing a cryptographic hash of each original file and storing it in a baseline database. Periodically, each file is rehashed and the new value is compared with the stored one. If the two values do not match, the program can trigger an alert to signal that there might have been a compromise. The baseline itself must be protected (kept read-only, offline, or signed); otherwise, an intruder who can alter a file can also alter its recorded hash.

Checksums and hashed values are widely used. Most software vendors publish the fingerprints of their programs on their websites because this gives customers a way to ensure they have the authentic file. Popular programs that perform this function include Tripwire and md5sum. Note that MD5 is no longer collision resistant, so a SHA-2 hash such as SHA-256 is the appropriate choice today for new baselines and published fingerprints.
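The following Python program is an added example that demonstrates both of the uses just described: the baseline-and-verify cycle of a change-detection tool, and checking a download against a vendor-published fingerprint. It is not code from the book or from Tripwire; it uses only the standard library, defaults to SHA-256 rather than MD5, and builds its own small directory tree, simulated intrusion, and "published" digest in temporary directories, so every file and value in it is constructed for the demonstration.

```python
"""Change detection (file-integrity baseline and verify): added example.

Not code from the book or from Tripwire; it shows the technique with the
standard library only.  The directory tree, the simulated intrusion and
the 'vendor-published' digest are constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

ALGORITHM = "sha256"   # assumed; md5sum is mentioned on the page but MD5 is obsolete


def file_digest(path: Path, algorithm: str = ALGORITHM) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by its relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Persist the baseline; in practice keep it off-box or read-only."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(Path(path).read_text())


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Rehash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def matches_published_digest(path: Path, expected_hex: str) -> bool:
    """Check a downloaded file against the fingerprint a vendor publishes."""
    return hmac.compare_digest(file_digest(path), expected_hex.lower())


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root = Path(tree)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stub")

        # 1. Take the baseline on a known-good system; store it elsewhere.
        db = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), db)
        published = file_digest(root / "bin" / "ls")   # as a vendor would publish

        # 2. Simulated intrusion: extra root-equivalent account, hidden tool.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "tmp").mkdir()
        (root / "tmp" / ".backdoor").write_bytes(b"constructed payload")

        # 3. Periodic check against the protected baseline.
        report: Dict[str, object] = verify(root, load_baseline(db))
        report["download_ok"] = matches_published_digest(root / "bin" / "ls", published)
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12s} {value}")
```

The report names the modified passwd file and the new file under tmp while leaving the untouched binary alone; that untouched binary still matches its published digest. The comparison uses hmac.compare_digest so that a check of a published fingerprint does not leak timing information about how many leading characters matched.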

CISSP Exam Cram 2
ISBN: 078973446X
Year: 2003
Pages: 204
Author: Michael Gregg