Common Malicious Code Behavior

Once a form of malicious code has successfully infected a victim system, it can perform a number of actions to avoid eradication, propagate further, and carry out other insidious activities. The actions performed by today's threats cut across all of the malicious code types: whereas historically worms spread, Trojans left backdoors, and spyware monitored system behavior, it is now quite common to see a single threat combining several of these traits.

Some of the most frequently seen activities are discussed here, with examples of how their impact is being minimized, either by the industry or by steps that can be taken within your organization.

Process Termination

One common action performed by malicious code is to eliminate other software that may interfere with it. This involves terminating other processes, including other malicious code that might otherwise become a threat to it and attempt to terminate it. This behavior has caused rivalries among worm authors in the past, who have attempted to subvert and take control of computers infected with competing worms, and have embedded obscenities aimed at one another within their code.

In addition to terminating competing worm processes, many worms today also attempt to disable both anti-virus and personal firewall software once they have infected a system. New variants rely on the latency inherent in the anti-virus industry to infect a system before a new definition becomes available. By killing the associated software, the worm renders the system unable to retrieve new anti-virus definitions in the future. By disabling personal firewall software, worms are able to accept incoming connections on ports they have opened in order to receive commands from the worm author, as well as to establish outgoing connections at will.

To prevent unauthorized process termination, anti-virus and personal firewall solutions have taken measures to protect their own processes by intercepting this type of activity.

Mutex Creation

A common mechanism used by worms to avoid infecting the same system twice is to create a mutex. A mutex is an operating system object used primarily to allow multiple threads or processes to share a system resource; worms also use it as a marker indicating that a system has already been infected. For example, the MyDoom.T variant creates a mutex called "WWWdefacedWWW" to prevent it from infecting the same system twice. Worms that attempt to keep competing worms off a system will therefore create the mutex names associated with those worms, so that a competitor checking for its own mutex concludes the system is already infected.

Modification of a System's Hosts File

Worms will modify the system's hosts file in an attempt to redirect outgoing connections for a particular domain to an alternate site. The hosts file is a local hostname-to-IP-address mapping that is consulted before a traditional DNS lookup is performed. It contains entries such as:

 127.0.0.1          localhost
 192.168.1.43       finance-server
 192.168.1.44       hr-server

In practice, malicious code authors have had two goals when adding or overwriting entries in this file.

The first has been to prevent the automated update mechanisms present in most of today's security applications from connecting to their update site. This is done simply by adding a hosts entry for the update site, effectively directing any connections to an invalid address.

The second has been to redirect common search, advertising, or e-commerce domains to an alternate site. In such a scenario the hosts file can effectively be used to perform phishing attacks in order to obtain identity or financial information from unsuspecting users: the victim is directed to a false web site that appears to be the legitimate financial institution but is hosted at the malicious IP address added to the hosts file.

In practice, most organizations (and consumers) do not use this file at all and rely entirely on the Domain Name System for name resolution. As such, it is entirely feasible to set the permissions on this file so that it cannot be modified or written to. If malicious code does infect your computer, however, remember that if it runs with Administrator permissions it will also be able to reset those permissions.
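The following auditor, added here as an example and not part of the book's text, checks a hosts file for both abuses just described: an update site pinned so that updates fail, and a sensitive domain redirected to an address outside the organization. The sample file reuses the page's three entries plus two constructed attacker-added lines; the watch lists and the 192.168.0.0/16 internal range are hypothetical and would be populated by the organization.

```python
"""Audit a hosts file for pinned update sites and redirected sensitive domains."""
import ipaddress

# Constructed sample: the page's three entries plus two attacker-added lines.
SAMPLE_HOSTS = """\
127.0.0.1          localhost
192.168.1.43       finance-server
192.168.1.44       hr-server
127.0.0.1          liveupdate.example-av.test   # update site blackholed
203.0.113.9        online.example-bank.test     # bank redirected
"""

# Hypothetical watch lists; an organization would populate these itself.
UPDATE_DOMAINS = {"liveupdate.example-av.test"}
SENSITIVE_DOMAINS = {"online.example-bank.test", "www.example-search.test"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (hostname, ip, reason) findings, one per suspicious mapping."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        internal = addr.is_loopback or any(addr in net for net in INTERNAL_NETS)
        if name in UPDATE_DOMAINS:
            # Any pinning of an update site bypasses DNS and breaks updates.
            findings.append((name, ip, "update site pinned in hosts file"))
        elif name in SENSITIVE_DOMAINS and not internal:
            findings.append((name, ip, "sensitive domain redirected off-network"))
        elif "." in name and not internal:
            # Generalization: no public name should be hard-wired to an external IP.
            findings.append((name, ip, "public name pinned to external address"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("%-30s %-16s %s" % finding)
```

The third rule goes beyond the page's two cases and flags any dotted public name mapped outside loopback or the internal ranges, which catches redirections of domains not yet on a watch list.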

Opening a Backdoor

Once on a system, one of the actions malicious code may perform today is to open an actively listening network port on which to accept incoming connections. This port can be used for a variety of purposes, either by the threat's authors to return at a later time, or by other malicious code attempting to leverage the backdoor.

These backdoors serve a number of purposes. In some instances they serve as control channels whereby the author can initiate commands to launch a distributed denial-of-service (DDoS) attack, cause the threat to spread further, or retrieve information from an infected system. A backdoor can provide full unrestricted remote access to an infected system, providing an attacker with the same control given to a user present at the console.

In other instances they provide a proxy capability whereby other network connections are relayed through the victim's computer, thereby masking the attacker's origin. This has become the method of choice for the transmission of spam and phishing e-mail on the Internet. As the majority of conventional open e-mail relays have been locked down, miscreants have moved toward using massive networks of infected computers to relay their messages.

Backdoor connections can also be used to upgrade preexisting malicious code or transmit new malicious code to an infected system. One well-known worm, MyDoom.A, opened a backdoor on TCP port 3127, and was quickly followed by a new threat, DoomJuice, that infected victims through this backdoor. Another well-known worm, CodeRed, also left a backdoor, providing attackers and subsequent threats with an entry point into infected systems.

While the backdoors witnessed to date have been somewhat simplistic in nature, using unauthenticated (or easily broken) communication mechanisms, this is likely to change in the future given the rivalry between malicious code authors.
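A practical way to spot a backdoor of the kind described above is to compare the host's listening TCP ports against an approved baseline. The script below is an added example, not from the book; it parses output in the layout of Windows `netstat -ano` (the sample is constructed, not a real capture), the baseline of approved ports is hypothetical, and the only known-bad port it names is the MyDoom.A port 3127 mentioned on this page.

```python
"""Compare a host's TCP listeners against an expected baseline."""
import re

# Constructed sample in the layout of Windows 'netstat -ano'; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1720
  TCP    [::]:3127              [::]:0                 LISTENING       1720
  TCP    192.168.1.43:1034      192.168.1.20:80        ESTABLISHED     2240
  UDP    0.0.0.0:500            *:*                                    1152
"""

# Hypothetical baseline: ports this host is approved to listen on.
BASELINE_TCP = {135, 445}
# The one backdoor port named on the page (MyDoom.A, later reused by DoomJuice).
KNOWN_BACKDOOR_PORTS = {3127: "MyDoom.A backdoor port"}

# Matches a TCP line in LISTENING state; handles both IPv4 and [IPv6] forms.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_tcp(text):
    """Return {port: set(pids)} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(1)), set()).add(int(m.group(2)))
    return listeners


def audit_listeners(text, baseline=BASELINE_TCP):
    """Return (port, pids, reason) for each listener that is not in the baseline."""
    findings = []
    for port, pids in sorted(listening_tcp(text).items()):
        if port in baseline:
            continue
        reason = KNOWN_BACKDOOR_PORTS.get(port, "not in approved baseline")
        findings.append((port, sorted(pids), reason))
    return findings


if __name__ == "__main__":
    for port, pids, reason in audit_listeners(SAMPLE_NETSTAT):
        print("port %d pid(s) %s: %s" % (port, pids, reason))
```

The PID column is what lets an investigator move from a suspicious port to the process that owns it, which the hosts-based netstat output provides but a remote port scan does not.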

Installation of Other Malicious Code

It has been an increasingly common occurrence to see malicious code of one type carry along with it, and install, another type of malicious code. This has been seen among worms, which may carry spyware or a Trojan as a payload that is installed after a victim has become infected.

By carrying along additional payloads, worms can perform a multitude of functions. In many cases, the payload is malicious code that has already been identified previously. One surprising payload seen in the DoomJuice worm was the source code for a previous worm, MyDoom.A. In all of these cases, a worm is being used as the transport mechanism to carry another, more insidious payload. This is likely a trend we will see continue as the lines between the aforementioned threat types continue to blur.



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120
