Skip to content

Page118

Backdoors

A backdoor is a shortcut in a system that allows a user to bypass security checks (such as username/password authentication) to log in. Attackers will often install a backdoor after compromising a system. For example, an attacker gains shell access to a system by exploiting a vulnerability caused by a missing patch. The attacker wants to maintain access (even if the system is patched), so she installs a backdoor to allow future access.

Maintenance hooks are a type of backdoor; they are shortcuts installed by system designers and programmers to allow developers to bypass normal system checks during development, such as requiring users to authenticate. Maintenance hooks become a security issue if they are left in production systems.

Malicious Code (Malware)

Malicious Code or Malware is the generic term for any type of software that attacks an application or system. There are many types of malicious code; viruses, worms, trojans, and logic bombs can cause damage to targeted systems.

Zero-day exploits are malicious code (a threat) for which there is no vendor-supplied patch (meaning there is an unpatched vulnerability).

Computer Viruses

Computer viruses are malware that does not spread automatically: they require a carrier (usually a human). They frequently spread via floppy disk, and (more recently) portable USB (Universal Serial Bus) memory. These devices may be physically carried and inserted into multiple computers.

Types of viruses include:

  • Macro virus: a virus written in macro language (such as Microsoft Office or Microsoft Excel macros)
  • Boot sector virus: a virus that infects the boot sector of a PC, which ensures that the virus loads upon system startup
  • Stealth virus: a virus that hides itself from the OS and other protective software, such as antivirus software
  • Polymorphic virus: a virus that changes its signature upon infection of a new system, attempting to evade signature-based antivirus software
  • Multipartite virus: a virus that spreads via multiple vectors, also called multipart virus

Worms

Worms are malware that self-propagates (spreads independently). The term “worm” was coined by John Brunner in 1975 in the science fiction story The Shockwave Rider. Worms typically cause damage two ways: first by the malicious code they carry; the second type of damage is loss of network availability due to aggressive self-propagation. Worms have caused some of the most devastating network attacks.

The first widespread worm was the Morris worm of 1988, written by Robert Tappan Morris, Jr. Many Internet worms have followed since, including the Blaster worm of 2003, the Sasser worm of 2004, the Conficker worm of 2008+, and many others.

Trojans

A trojan (also called a Trojan horse) is malware that performs two functions: one benign (such as a game) and one malicious. The term derives from the Trojan horse described in Virgil’s poem The Aeneid.

Rootkits

A rootkit is malware that replaces portions of the kernel and/or operating system. A user-mode rootkit operates in ring 3 on most systems, replacing operating system components in “userland.” Commonly rootkitted binaries include the ls or ps commands on Linux/UNIX systems, or dir or tasklist on Microsoft Windows systems.

A kernel-mode rootkit replaces the kernel, or loads malicious loadable kernel modules. Kernel-mode rootkits operate in ring 0 on most operating systems.

Packers

Packers provide runtime compression of executables. The original exe is compressed, and a small executable decompressor is prepended to the exe. Upon execution, the decompressor unpacks the compressed executable machine code and runs it.

Packers are a neutral technology that is used to shrink the size of executables. Many types of malware use packers, which can be used to evade signature-based malware detection. A common packer is UPX (Ultimate Packer for eXecutables), available at https://upx.github.io/.

Logic Bombs

A logic bomb is a malicious program that is triggered when a logical condition is met, such as after a number of transactions have been processed, or on a specific date (also called a time bomb). Malware such as worms often contain logic bombs, behaving in one manner, and then changing tactics on a specific date and time.

Roger Duronio of UBS PaineWebber successfully deployed a logic bomb against his employer after becoming disgruntled due to a dispute over his annual bonus. He installed a logic bomb on 2000 UBS PaineWebber systems, triggered by the date and time of March 4, 2002, at 9:30 AM: “This was the day when 2000 of the company’s servers went down, leaving about 17,000 brokers across the country unable to make trades. Nearly 400 branch offices were affected. Files were deleted. Backups went down within minutes of being run” [29].

Duronio’s code ran the command “/usr/sbin/mrm -r / &” (a UNIX shell command that recursively deletes the root partition, including all files and subdirectories). He was convicted and sentenced to 8 years and 1 month in federal prison.