Malicious Code


One of the tools in the hacker's arsenal is malicious code. Of course, software algorithms are not inherently good or bad; they are only tools that can be used either constructively or destructively. However, there are some types of program that hackers use so often that they have names of their own, and they are described below.

Logic Bomb

A logic bomb is a program that lies dormant until it is activated. It can be activated by anything that the computer system can detect. Often it is time-based (a time bomb), or based on the presence or absence of some data, such as when a programmer's name is no longer in the payroll file. This trigger can be almost anything. Once activated, the logic bomb will "deliver its payload." This payload is any type of destructive software, which can consume resources or delete files. This destruction can be widespread or focused at specific individuals. With computers now in control of so many physical systems, the attack could actually become a physical attack.

A logic bomb is usually resident on the system in some form. Sometimes it is a running process that sits in a wait queue until its trigger fires, but just as often it is code hidden inside a program that runs routinely anyway (a login script, a batch job, a scheduled cron or at job), in which case it needs no process of its own. Be aware of any process that has been running on your system for a long time but has used almost no CPU time, and review scheduled jobs and startup scripts with the same suspicion. An idle, long-lived process is an indicator to investigate, not proof; many legitimate daemons behave the same way.
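The check suggested above, as an added example that is not from the book: a shell function that filters a process listing for processes that have been alive for more than a day with essentially no accumulated CPU time. It reads the four columns that `ps -eo pid,etimes,times,comm --no-headers` prints on Linux (procps); the thresholds and the sample process lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag processes that have been alive a long time but used
# almost no CPU, which the text suggests as one indicator of a dormant logic
# bomb. Input lines have the form "PID ELAPSED_SECS CPU_SECS COMMAND", which is
# what `ps -eo pid,etimes,times,comm --no-headers` prints on Linux (procps).
# The thresholds are assumptions, not values from the book.
MIN_AGE_SECS=${MIN_AGE_SECS:-86400}   # alive for more than one day ...
MAX_CPU_SECS=${MAX_CPU_SECS:-1}       # ... but has used at most one CPU-second

# Print "PID COMMAND" for every input line that is both old and idle.
flag_dormant() {
    awk -v age="$MIN_AGE_SECS" -v cpu="$MAX_CPU_SECS" '
        NF >= 4 && $2 > age && $3 <= cpu { print $1, $4 }
    '
}

# Scan the live system. Kernel threads and daemons that legitimately idle
# (getty, cron, and so on) will also appear; the list is a starting point
# for review, not a verdict.
scan_live() {
    ps -eo pid,etimes,times,comm --no-headers | flag_dormant
}

# Constructed sample lines for the demonstration (not real process data):
# init is old but busy, rpc.helper is old and idle, sleep is young and idle,
# httpd is old and busy. Only rpc.helper should be flagged.
sample_ps_output() {
    cat <<'EOF'
1 2592000 340 init
4012 2600000 0 rpc.helper
4100 3600 0 sleep
4200 2700000 5000 httpd
EOF
}

# Run the rule against the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample_ps_output | flag_dormant
fi
```

Pair this with a review of each user's `crontab -l`, the contents of `/etc/cron.*` and any pending `at` jobs, since a bomb planted as a scheduled job never shows up as a long-lived process at all.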

Timothy Lloyd, a former computer network administrator, was sentenced to 41 months in prison for unleashing a $10 million "time bomb" that deleted all the production programs of a New Jersey-based high-tech measurement and control instruments manufacturer. He was the former chief computer network program designer for Omega Engineering. After being terminated from Omega, where he worked for approximately 11 years, he activated a "time bomb" that permanently deleted all of the company's sophisticated manufacturing software programs. [37]

[37] "Former Computer Network Administrator at New Jersey High-Tech Firm Sentenced to 41 Months for Unleashing $10 Million Computer 'Time Bomb'," U.S. Department of Justice Press Release, 26 February 2002.

Parasite

A parasite is a piece of code that is added to an existing program and draws information from the original program. It is used to gather information for which the hacker may not have privileges. By its definition it is a covert, nondestructive program. It may use a virus to spread around a system.

When a parasite is added to a piece of software, some of the attributes of that program will change. These attributes include the program's size, its timestamp, its permissions, its ownership, and its checksum, a value computed over the entire contents of the file. If you inventory this information for every program on your system at a time when you know the system is clean, you will later be able to tell whether any program has been altered. This requires running a program to build the original inventory and periodically rerunning it to spot any differences. Two cautions apply: the checksum should be a cryptographic hash (SHA-256 is the usual choice today; a plain sum or CRC can be matched by an attacker who pads the file), and the baseline must be kept read-only or off the system, since an intruder with write access will otherwise update it along with the program.

Trojan Horse

A Trojan horse is a program that looks like a useful program but has a hidden agenda. How does a hacker plant a Trojan horse? It generally requires social engineering: the hacker has to advertise the program so that people will run it. The best Trojan horses do what they advertise as well as their covert action.

There are a number of ways Trojan horses can be introduced. They can be introduced as games, usually "under development," so that anything that acts flaky is written off as a bug, or as utilities. Utilities are especially effective since they are more likely to be run by someone with privileges.

Beware of geeks bearing gifts. It is a cliché, but if something sounds too good to be true, it is. You should not load any unofficial software, or any software from an unofficial source, without at least validating it on a safe quarantine system. Software policy should cover acceptable software sources and validation procedures.

It has been shown that PostScript files can carry Trojan horses. PostScript is a full programming language, and it includes operators for file input/output (I/O). When all you do with a PostScript file is send it to a printer, these operators have nothing useful to act on. However, when you view the file on your workstation, an interpreter executes the program with your privileges, and those operators can read, write or delete anything you have permission to touch. Modern interpreters offer a restricted mode for exactly this reason (Ghostscript's -dSAFER option); use it, or preview untrusted files on a quarantine system.
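A triage check for the PostScript case above, added here as an example and not code from the book: it looks for the file-system operators (`file`, `deletefile`, `renamefile`, `run`, which are real PostScript operators) in a document before anyone renders it on a workstation, and shows how to render through the interpreter's restricted mode. The two sample documents are constructed for the demonstration, and the rendering helper assumes Ghostscript (`gs`) is installed.

```shell
#!/bin/sh
# Added example (not from the book): triage a PostScript file for file-system
# operators before it is rendered on a workstation. `file`, `deletefile`,
# `renamefile` and `run` are real PostScript operators; the two sample
# documents written by demo() are constructed for illustration.

PS_FILE_OPS='file|deletefile|renamefile|run'

# Print any line that uses a file-system operator outside a comment and
# return 0; return 1 when none is found. Comments (% to end of line) are
# stripped first so a header such as "%%Title: my file" does not count.
# Operator names can be assembled at run time to dodge this kind of grep,
# so a miss is not a clean bill of health; it catches only the obvious cases.
ps_has_file_ops() {
    sed 's/%.*$//' "$1" | grep -Ew -- "$PS_FILE_OPS"
}

# Render with the interpreter's restricted mode, which refuses file-system
# access from the document itself (Ghostscript -dSAFER). Assumes gs exists.
render_safely() {
    gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=png16m -o "$2" "$1"
}

# Write one benign and one suspicious document and classify both.
demo() {
    t=$(mktemp -d)
    printf '%%!PS\n72 72 moveto (Hello) show\nshowpage\n' > "$t/clean.ps"
    printf '%%!PS\n%%%%Title: my file\n(/etc/passwd) (r) file\n' > "$t/bad.ps"
    for f in "$t/clean.ps" "$t/bad.ps"; do
        if ps_has_file_ops "$f" > /dev/null; then
            echo "SUSPECT: $f"
        else
            echo "no file operators: $f"
        fi
    done
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The grep is cheap and worth running on anything that arrives by mail, but the control that actually matters is the interpreter's restricted mode or the quarantine host; treat a clean grep as "nothing obvious," not as "safe."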

Even documentation has been targeted with Trojan horses. If the document has to be processed, either with UNIX text-processing commands or in a word processor that supports macros, there is the possibility of embedded code that has an alternate objective.

Virus

A virus is a program that infects another program by replicating itself into the host program. Considered by itself, a virus has three phases: the infection phase, in which a host is infected by an already existing copy of the virus; the activation phase, in which the new copy is triggered to look for another host to infect; and the replication phase, in which the virus finds a suitable host and copies itself into it. Most viruses are destructive, carrying a logic bomb with them that is separately activated to deliver its payload. However, some viruses carry no payload; they merely replicate, consuming resources. These are referred to as bacteria, or rabbits.

Historically, viruses have primarily targeted PCs. But as systems become more and more standardized, viruses will become more prevalent on larger systems as well. Viruses travel from one system to another inside files that are copied between them, whether on removable media, as mail attachments, or over shared file systems.

The constant onslaught of high-profile viruses cost the industry over $13 billion in 2001, according to research from Computer Economics. These new viruses combine traditional virus technology with new hacking techniques: they not only propagate across computers, they leave back doors or hijack machines for later use in denial of service attacks. [38]

[38] Middleton, James, "Major viruses cost industry $13bn in 2001," Computing, 10 January 2002.

Software from unauthorized sources can lead to many security issues. The security policy should clearly state the company's position on what are appropriate sources of software and what the process is to put the software onto the system. This should include both a reference to your "approved software list" which should contain details on the process to obtain software that is on the list and software that is not, and a reference to documentation detailing any corporate license agreements that the company may have.

If you are in an environment where the use of "freeware" is prevalent, or people regularly bring software onto your system, you are at greater risk of virus infection. You may want to create a quarantine system: a system on which any incoming software must live for a period of time so it can be checked for viruses and validated for proper behavior. This can also catch Trojan horses and spoofed packages. Detecting a virus that has infected a program is much the same as detecting a parasite: compare the program's attributes and checksum against a known-good inventory. You should petition your software suppliers to publish the size and cryptographic checksum of everything they ship, so you can confirm that what you installed is what they built. Obtain those values over a channel separate from the download itself (a signed release or the vendor's own page, not a file sitting beside the package on the same mirror), because a checksum delivered alongside the software only detects corruption, not substitution.
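An added example, not code from the book, of the inventory-and-compare procedure described for parasites earlier and for viruses and supplier checksums just above. It records a SHA-256 digest plus mode, owner, group, size and mtime for every file under a tree, compares a saved baseline against the live tree, and checks a received package against a supplier-published size and digest. It assumes GNU coreutils and findutils (`stat -c`, `sha256sum`), does not handle paths containing newlines, and builds a constructed temporary directory for its demonstration.

```shell
#!/bin/sh
# Added example (not the book's code): build an inventory of program
# attributes on a known-clean system and later compare against it, the
# approach the text recommends for spotting parasites, viruses and altered
# binaries. Each record holds a SHA-256 digest, mode, owner, group, size and
# mtime. Assumes GNU coreutils/findutils (stat -c, sha256sum). Paths with
# embedded newlines are not handled. The demo tree is constructed, not real
# system data.

# One record per regular file under the given directories, tab-separated:
#   <sha256>\t<mode> <uid> <gid> <size> <mtime-epoch>\t<path>
build_inventory() {
    find "$@" -type f | LC_ALL=C sort | while IFS= read -r f; do
        digest=$(sha256sum -- "$f" | cut -d' ' -f1)
        attrs=$(stat -c '%a %u %g %s %Y' -- "$f")
        printf '%s\t%s\t%s\n' "$digest" "$attrs" "$f"
    done
}

# Compare a saved baseline against the current state of the same directories.
# Prints "CHANGED <path>", "ADDED <path>" or "REMOVED <path>" and returns 1
# if anything differs; returns 0 when the tree matches the baseline exactly.
check_inventory() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    build_inventory "$@" > "$current"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { base[$3] = $0; next }
        {
            if ($3 in base) {
                if (base[$3] != $0) print "CHANGED " $3
                delete base[$3]
            } else print "ADDED " $3
        }
        END { for (p in base) print "REMOVED " p }' "$baseline" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Verify a newly received package against the size and SHA-256 digest its
# supplier published, ideally obtained over a separate channel from the
# download itself. Returns 0 only when both match.
verify_supplied() {
    f=$1; want_size=$2; want_sha=$3
    got_size=$(stat -c '%s' -- "$f")
    got_sha=$(sha256sum -- "$f" | cut -d' ' -f1)
    [ "$got_size" = "$want_size" ] && [ "$got_sha" = "$want_sha" ]
}

# Demonstration on a constructed tree: take a baseline, then alter, add and
# remove a file and show what the comparison reports.
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/a"; printf 'world\n' > "$d/b"
    build_inventory "$d" > "$d.base"
    printf 'x' >> "$d/a"; printf 'new\n' > "$d/c"; rm -f "$d/b"
    check_inventory "$d.base" "$d" || echo "integrity check failed (as expected)"
    rm -rf "$d" "$d.base"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Take the baseline immediately after a clean install and store it somewhere the running system cannot write (read-only media or another host); otherwise an intruder who can replace a program can also rewrite the record that would have exposed it. Mature tools such as Tripwire and AIDE do the same job with more attributes and a tamper-protected database.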

Worms

A worm is a program that is used as a transport mechanism for other programs. It utilizes the network to spread programs from one system to another. It will utilize a flaw in a network transport, such as network mail or remote process execution, to get its package from one system to another. The worm has three basic processes. First, it will search for a receptive system. Second, it will establish a connection to that system. Finally, it will transport its program to the remote system and execute the program. This program may contain a worm itself so it can spread further, or it may be any other type of malicious code.

Franklin Wayne Adams, of Houston, created a computer "worm" that seeks out computers on the Internet that have certain sharing capabilities enabled, and uses them for the mass replication of the worm. The worm causes the hard drives of randomly selected computers to be erased. The computers whose hard drives are not erased actively scan the Internet for other computers to infect and force the infected computers to use their modems to dial 911. Because each infected computer can scan approximately 2,550 computers at a time, this worm had the potential to create a denial of service attack against the emergency 911 system. [39]

[39] "Major Investigations: 911 Virus," National Infrastructure Protection Center.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
