<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" 
"DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta name="dc:creator" content="Jörn Nettingsmeier 
&lt;nettings@folkwang-hochschule.de&gt;"/><meta name="dc:publisher" 
content="University of Duisburg-Essen, Dept. of Computer Science"/><meta 
name="dc:subject" content="Introduction to Internet Worms"/><meta 
name="dc:description" content="Course presentation on computer worms, and their 
replication mechanisms"/><meta name="dc:date" content="2004-03-23"/><meta 
name="dc:type" content="Collection"/><meta name="dc:format" content="text/xml"/>
<meta name="dc:identifier" 
content="http://spunk.dnsalias.org/public_stuff/cs_papers/Worms/"/><meta 
name="dc:language" content="en"/><meta name="dc:relation" content="Collection"/>
<meta name="dc:rights" content="(c) 2004 Jörn Nettingsmeier - may be freely 
redistributed and modified. Credit is welcome :)"/>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />

<link rel="stylesheet" type="text/css" href="worms.css" />

<title>Introduction to Internet Worms</title>

</head>

<body>



<h1>Malicious Code Basics</h1>


<h2>Definition of terms</h2>

<div>
<p>
The following paragraphs try to clean up some of the messy terminology around 
malicious programs.<br />
Unfortunately, the language found in most press coverage of computer security 
incidents is notoriously imprecise, and even the vendors of security software 
have shown a tendency towards a hyped-up rhetoric better suited to inducing fear 
than to clarifying matters.<br />
The distinction between worms and viruses is taken from [Staniford2003].
</p>
</div>

<h3>"Virus"</h3>

<div>
<p>
A <span class="keyword">virus</span> (plural "viruses" <a 
href="http://www.perl.com/language/misc/virus.html">[here's why]</a>) is a 
malicious program that <span class="keyword">infects</span> computers by 
installing itself in a place where it will be regularly executed while the 
system is running. In order to become effective, <strong>viruses require user 
action</strong>, such as clicking on a mail attachment to execute it.
</p>
<p>
To reproduce, a virus may try to infect (i.e. copy itself into) other 
programs or documents that allow the inclusion of executable content (such as 
texts or spreadsheet data containing <span class="keyword">macros</span>) and 
wait for them to be transferred to other potential victims and eventually 
activated, or to mail copies of itself to other users in the hope that they will 
execute it.
</p>
<p>
The most typical infection vector for viruses today is <span 
class="keyword">email attachments</span>. It provides easy access to millions of 
inexperienced users. The mail body lends itself well to the social engineering 
needed to coerce the victims into activating the virus code.<br />
In the days before every household was connected to the internet, viruses 
travelled on privately shared floppy disks containing infected software, or on 
improperly screened CD-ROM supplements of computer magazines. Some vendors even 
distributed viruses with their official installation media by accident.</p>
<p>
Since the leading operating system and mail client manufacturer has long 
preferred ease-of-use and integration over even the most basic security 
precautions with a stubborn incompetence that is hard not to interpret as 
outright sabotage, viruses today comprise as much as 40 per cent of the total 
mail traffic on the internet during heavy outbreaks (MyDoom/Novarg 2004). The 
damage in bandwidth consumption alone is immeasurable and the network congestion 
affects even sites with carefully implemented virus protection.
</p>
<p>
On the upside, these blatant software deficiencies have created a thriving new 
industry, as third-party anti-virus software is mandatory to connect any 
Microsoft Windows system to a public network.
</p>
</div>

<h3>"Worm"</h3>

<div>
<p>A <span class="keyword">worm</span> is a malicious program similar to a 
virus, with the notable difference that it <strong>does not require any user 
interaction</strong> to spread. Instead, it <span 
class="keyword">exploits</span> a programming error in server software or 
the underlying operating system to infect a machine. This means it requires an 
appropriate weakness to be present on the target.
</p>
<p>
Once a target is infected, the worm activates itself and begins to use the 
network resources of the victim to <span class="keyword">scan</span> for 
other potential targets. Since the infection happens automatically, worms 
spread many orders of magnitude faster than viruses.
</p>
<p>
Apart from the nuisance and damage from network congestion due to scanning 
traffic, worms may contain a <span class="keyword">payload</span>, i.e. 
perform actions determined by the attacker on the infected hosts. 
These may include destruction (or worse, subtle alteration) of data, 
password or data sniffing or the installation of <span class="keyword">back 
doors</span>, persistent programs that run stealthily in the background and 
provide the attacker with remote system access.
</p>
<p>
Often, the many thousands of infected hosts are used as part of a <span 
class="keyword">flood net</span> to launch <span 
class="keyword">distributed denial-of-service (DDoS) attacks</span> against 
third-party sites by simply overloading them with bogus requests. These 
incidents are very hard to defend against since there is no coherent IP range to 
block, and the traffic is almost indistinguishable from legitimate usage.
</p>
<p>
Recently, <span class="keyword">spammers</span> have been known to use networks 
of compromised hosts as untraceable (and readily disposable) mail relays.
</p>
<p>
In this paper, we will use the term <span class="keyword">worm</span> for the 
code itself and in a more general way for the worm design. A single 
active piece of worm code on an infected host (and, for simplicity, the infected 
host itself) will be referred to as a <span class="keyword">worm 
instance</span>.<br />
To emphasize the likeness of worm outbreaks to the proliferation of contagious 
diseases, we will borrow the medical terms <span 
class="keyword">epidemic</span> to denote a locally confined spreading pattern 
around a clearly defined center, and <span class="keyword">pandemic</span> for 
simultaneous occurrences of new infections in many distinct places with no 
obvious origin or locality.
</p>

<p>
It appears that like so many computer terms, both "virus" and "worm" have their 
origin in science fiction literature. Refer to [Spafford1988], p.4, for 
details.
</p>

</div>

<h3>"Trojan"</h3>

<div>
<p>A <span class="keyword">trojan</span> (short for the "trojan horse" of Greek 
mythology) is a program that pretends to do something useful, while actually 
performing malicious actions either openly or surreptitiously in the 
background.<br />
Apart from its camouflage that encourages people to run it and 
possibly pass it on to friends, a trojan has no active mechanism for 
replication.
</p>
<p>
A popular form of trojan is the <span class="keyword">dialler</span>, a program 
causing a user's modem to dial a special phone number belonging to the 
originator, which produces horrendous costs per minute that will be charged to 
the victim's phone bill. Most diallers masquerade as access programs to 
pornographic content.
</p>
</div>

<h3>"Hoax"</h3>

<div>
<p>
<span class="keyword">Hoaxes</span> are chain mails that intentionally spread 
misinformation, often about computer security issues.
</p>
<p>
One notorious hoax tried to persuade its readers to perform actions described 
as security countermeasures (such as deleting files from their disks which 
allegedly belonged to viruses, but were critical system files instead, 
effectively talking the victims into maiming their own systems), and to forward 
the "important security news" to all their email contacts.<br />
Another classic hoax is the heart-breaking story of some child suffering from a 
terminal disease with a few months to live, and would the readers please send a 
postcard to the following address with some kind words, this being the last wish 
of an innocent being wasting away in the prime of its youth - and, yes, please 
also forward this letter to everyone you know.
</p>
<p>
While they abuse people's goodwill and create fear and misconceptions, 
hoaxes have no direct adverse effects on machines, as they do not contain any 
code.
</p>
</div>

<h2>Basic Worm anatomy</h2>

<div>
<p>
In order to function, a worm needs to perform a number of tasks:
</p>
<ul>	
	<li>infect a target host by exploiting a security flaw to install and run 
itself there;</li>
	<li>determine other vulnerable hosts to attack next;</li>
	<li>launch attacks on those hosts; and</li>
	<li>optionally, execute its payload on the infected host.</li>
</ul>
<p>
These tasks are completely orthogonal, and we will look at approaches to each of 
them individually with the assumption that actual worms can consist of any 
combination of these.
</p>
</div>

<h3>Exploits</h3>

<div>
<p>
At the core of each worm epidemic lies a programming flaw in some server 
software that enables a remote attacker to gain privileged access to a 
system.
</p>
<p>
The most frequent type of flaw is the <span class="keyword">buffer 
overflow</span>, where a user-provided data string is stored in a fixed-size 
memory area without prior length checking. In languages such as C, which for 
efficiency reasons provide no automatic memory management or protection, a 
string longer than the allocated length will overwrite whatever is stored after 
the allocated area on the process stack (thus the term <span 
class="keyword">stack smashing attack</span>).<br />
In the usual case, this will cause the program to 
either produce bogus output or crash with a segmentation violation if a pointer 
address was altered by accident. But if the extraneous data is carefully 
crafted, it can be used to inject arbitrary code into the running 
process, inheriting its privileges.</p>
<p>
The usual approach is to include the 
binary equivalent of the C statement <code>execve("/bin/sh", NULL, NULL);</code> 
(the UNIX system call to execute a command shell) along with appropriate padding 
and a number of jump instructions to increase the likelihood that the execve() 
portion will actually be called. (cf. [AlephOne1996] for a detailed discussion 
of stack smashing techniques.)</p>
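<p>
As an added illustration that is not part of the original course text, the vulnerable pattern described above is shown beside a hardened version of the same request handler; the function names, the buffer size and the sample requests are assumptions chosen for the example.
</p>

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16   /* assumed fixed-size stack buffer for the example */

/* Vulnerable pattern: the request is copied into a fixed-size stack buffer
 * with no length check, so any input of BUFSZ bytes or more writes past the
 * end of buf into whatever follows it on the stack. */
int handle_request_unsafe(const char *input)
{
    char buf[BUFSZ];
    strcpy(buf, input);             /* no bound: classic stack smashing bug */
    return (int)strlen(buf);
}

/* Hardened version: check the length first, refuse oversized input outright
 * (rather than truncating silently), and copy with an explicit bound. */
int handle_request_safe(const char *input)
{
    char buf[BUFSZ];
    size_t len = strlen(input);
    if (len >= BUFSZ)
        return -1;                  /* input rejected, buffer never touched */
    memcpy(buf, input, len + 1);    /* len + 1 copies the terminating NUL */
    return (int)len;
}

int main(void)
{
    const char *short_req = "GET /index";                    /* 10 bytes, fits */
    const char *long_req  = "GET /AAAAAAAAAAAAAAAAAAAAAAAA";  /* 29 bytes */
    printf("unsafe short: %d\n", handle_request_unsafe(short_req));
    printf("safe short:   %d\n", handle_request_safe(short_req));
    printf("safe long:    %d\n", handle_request_safe(long_req));
    /* handle_request_unsafe(long_req) is deliberately not called: it would
     * overflow buf and the behaviour is undefined. */
    return 0;
}
```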
</div>

<h3>Propagation</h3>

<h4>Targeting</h4>

<div>
<p>
Once an appropriate exploit is found, all that's left to do for a worm writer is 
to code an efficient means for the worm to propagate.
A number of different approaches are possible:
</p>
<ul>
	<li>try to find hints about other vulnerable hosts on the already 
infected ones and use those (making it a so-called 
<span class="keyword">topological worm</span>, as it explicitly takes advantage 
of network topology information);</li>
	<li>randomly scan the entire IP address range (a <span class="keyword">random 
scanning worm</span>);</li>
	<li>scan the IP address range in a clever way, by giving addresses on the 
same subnet (which are usually close by) a higher probability (a 
<span class="keyword">weighted random scanning worm</span>); or</li>
	<li>carry along a list of vulnerable or potentially vulnerable hosts (a <span 
class="keyword">hit list worm</span>)</li>
</ul>
<p>
When targeting, the worm basically has two options.<br />
It can either aim at maximum <span class="keyword">speed</span>, giving itself 
away by huge amounts of highly suspicious network traffic, in the hope that it 
will already have completed its mission by the time countermeasures become 
effective, or go for <span class="keyword">stealth</span>, emitting only a few 
scans at varying intervals, to remain unnoticed long enough to do its job.
</p>
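<p>
As an added, defender-side illustration that is not part of the original text: the "speed" option above gives a worm instance away as a single source contacting many distinct destinations. The fan-out check below runs over a constructed connection log; the threshold, the log line layout and the addresses are assumptions made for the example.
</p>

```c
#include <stdio.h>
#include <string.h>

#define MAX_DST 32      /* distinct destinations tracked per source */
#define FANOUT_LIMIT 4  /* assumed threshold: more than this many distinct
                           destinations from one source counts as scanning */

/* Constructed connection-attempt log (not real traffic), "src dst" per line. */
static const char *sample_flows[] = {
    "10.0.0.7 10.0.1.1",  /* 10.0.0.7 fans out to many hosts: scanning */
    "10.0.0.7 10.0.1.2",
    "10.0.0.7 10.0.1.3",
    "10.0.0.7 10.0.1.4",
    "10.0.0.7 10.0.1.5",
    "10.0.0.9 10.0.1.1",  /* 10.0.0.9 keeps talking to one server: normal */
    "10.0.0.9 10.0.1.1",
    "10.0.0.9 10.0.1.1",
};
#define NFLOWS ((int)(sizeof sample_flows / sizeof sample_flows[0]))

/* Number of distinct destinations that src contacted in flows[0..n-1]. */
int fanout(const char *const *flows, int n, const char *src)
{
    char dsts[MAX_DST][16];
    int ndst = 0;
    for (int i = 0; i < n; i++) {
        char s[16], d[16];
        if (sscanf(flows[i], "%15s %15s", s, d) != 2 || strcmp(s, src) != 0)
            continue;                /* malformed line or a different source */
        int seen = 0;
        for (int j = 0; j < ndst; j++)
            if (strcmp(dsts[j], d) == 0) { seen = 1; break; }
        if (!seen && ndst < MAX_DST)
            strcpy(dsts[ndst++], d); /* d holds at most 15 chars plus NUL */
    }
    return ndst;
}

/* A source whose fan-out exceeds FANOUT_LIMIT is flagged as a scanner. */
int is_scanner(const char *const *flows, int n, const char *src)
{
    return fanout(flows, n, src) > FANOUT_LIMIT;
}

int main(void)
{
    printf("10.0.0.7: fanout %d, scanner=%d\n",
           fanout(sample_flows, NFLOWS, "10.0.0.7"), is_scanner(sample_flows, NFLOWS, "10.0.0.7"));
    printf("10.0.0.9: fanout %d, scanner=%d\n",
           fanout(sample_flows, NFLOWS, "10.0.0.9"), is_scanner(sample_flows, NFLOWS, "10.0.0.9"));
    return 0;
}
```

Counting over a longer window catches the "stealth" variant as well, since it is the number of distinct destinations, not the rate, that is suspicious.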
</div>

<h4>Attacking</h4>

<div>
<p>
When the worm has found a promising target, it will try to launch the exploit. 
It is customary to send a short probe first to find out whether the target has 
already been infected by another worm instance. This is especially important 
when the exploit code is comparatively large, to minimize superfluous network 
traffic.<br />
In cases where the code is small, targeting and attacking can be 
combined into one step (as seen with the SQL Slammer worm [Moore2003], whose 
exploit consisted of a single UDP packet of some 400 bytes).
</p>
<p>
Again, the trade-off in conducting the attacks is speed vs. stealth.
</p>
</div>


<h3>Payload</h3>

<div>
<p>
After successfully exploiting a flaw, the worm code runs with the 
security privileges of the compromised process. If the server runs with <span 
class="keyword">root</span> (UNIX) or <span 
class="keyword">Administrator</span> (Windows) privileges, the 
attacker effectively owns the machine, but even lesser privileges offer a 
surprising number of other options besides mere reproduction.
</p>
<p>
The most common payload is a short piece of code that will <span 
class="keyword">deface web sites</span> found on the infected host, usually by 
adding lines such as "L33T CRACKERZ 0WN U" or similar poetic utterances.<br />
Such actions are not considered truly malevolent by many, since they merely 
show off the fact that a vulnerability was found and abused, and in turn cause 
it to be fixed before actual damage is done.<br />
However, the loss of credibility for the website owner can be immense if 
this happens on a business transaction site handling credit card data, or on the 
front page of a company dealing in cyber security. But then, this embarrassment 
has a very good reason :-D.<br />
Since web site defacements provide the worm 
author with a public forum for his or her pseudonym and "message", it is 
the most frequent type of payload.
</p>
<p>
Things become a lot nastier when important <span class="keyword">data is wiped 
out</span> or, worse because it is likely to go undetected, subtly altered by a 
worm. This is the network equivalent of indiscriminate vandalism and sabotage in 
real life, and is neither endorsed nor tolerated among the hacker community, who 
often can be found talking rather enthusiastically about worms for the technical 
challenges they pose and the cleverness that went into them. Apart from ethical 
considerations, random destruction is too easy to code and inelegant, and 
will at best win the author a reputation as a brute and not very intelligent 
sociopath.<br />
For this reason, vandalizing worms have been rare.
</p>
<p>
From a worm author's point of view, the most interesting payload is the 
<span class="keyword">back door</span> that remains in effect even after the 
worm itself has ceased to operate.<br />
A successfully planted back door will grant the attacker complete control over 
the machine via a concealed communications channel that will not easily be 
noticed by the legitimate administrator.<br />Once in place, back doors can be 
used for further attacks that seem to originate from the unknowing victim, and 
to abuse the storage and bandwidth resources of the victim for distributed 
denial-of-service attacks or sharing and distribution of warez, pornography or 
other unwanted and possibly illegal data.</p>

</div>





</body>

</html>

