Computer Infections – Definitions, Vulnerabilities and Prevention Assistance
Computer Infections – Definitions, Vulnerabilities and Prevention Assistance.
How would you feel if the FBI came knocking at your door at 11:00 pm with a search warrant? Why would they bother little ole me you might ask? As they are carting off your computer, and every piece of equipment and software that is related thereto, you inquire of them: what’s up? And your local neighborhood friendly agent replies, “your computer is a hop being used for credit card fraud and the selling of child pornography. “
Although I took some liberties with the scenario in the previous paragraph, it is not that far fetched and might have happened to someone you know. However, one thing I do know is lately it seems that the good guys are getting hammered by computer infections and attacks more frequently than before. Not only is it coming from the script kiddie that on his own couldn’t write and compile the most simplistic of all “C” programs. But more and more we are seeing folks complaining about Browser Hijacks, Trojans, the Bot-gone-bad, Spam, Cookies, Spyware, Adware, new Viruses and Worms, and of course the mutant versions of the previous strains. So I thought maybe it's time to create a list of the most common of them with a description of those computer infections and attacks of destruction that our adversaries are employing. Additionally, how much help would the list be if I didn’t provide some of the vulnerabilities that are exploited and provide some preventative measures?
MALWARE: As the name implies, these are generally undesirable, unfriendly, unsolicited - in that the users didn’t request them! And unfortunately, they may not even initially be aware of their presence. In the earlier years “Malware” generally only applied to Trojans, Viruses, and Worms. However because of the maliciousness of these other forms of attacks, we might as well group them all under the same definition.
Top of the list is the MALICIOUS COOKIE. When you visit a web site, if your browser is set to accept Cookies, they may be downloaded onto your computer. Originally Cookies were small friendly programs that were designed to assist you with websites. They were stored in the “Cookie Folder” thus the name Cookie.
In existence today, there are still useful cookies that assist you in your Internet Surfing, and of course there are Malicious Cookies. The latter are the ones we need to be concerned about. They can be very specific about their target, conduct a broad sweep, or a random sample. Many of them possess devious intentions which may include: tracking your surfing habits to assist the Spammers in determining which ads to send you, verifying whether your email account is active so they can send you more Spam, and so forth. Unfortunately it does get worse than just Spam. Some sophisticated Malicious Cookies actually contain Spyware. that may allow the deviants to access your computer and all of your files. Regardless, the overall goal of the Malicious Cookie is to covertly take advantage of you.
Some would say, “Not So” it’s only a Cookie aren’t they just text files? For the Nay-Sayers:
CERT® Coordination Center
Additionally, there are other known vulnerabilities with browsers. The name of the first browser we think of in this case is usually Internet Explorer (MS Security Bulletin MS01-055 is one such). I deliberately left out the details to illustrate that it is no longer the only target and that other well known browsers have vulnerabilities. With just a little help from: www.google.com it was easy to find some other browsers vulnerabilities.
What might happen if my web browser is exposed to a malicious script? Among the possibilities are capturing your password and other information you believe is protected. You should also be concerned because malicious scripts can be used to expose restricted parts of your organization's local network (such as their intranet) to attackers who are on the Internet. Attackers may also be able to use malicious scripts to infect cookies with copies of themselves. If the infected cookie is sent back to a vulnerable web site and passed back to your browser, the malicious script may start running again. Note: This is not a vulnerability in web cookies; rather, a malicious script takes advantage of the functionality of cookies.
M-124: Konqueror Secure Cookie Vulnerability
[KDE Security Advisory]
September 11, 2002 20:00 GMT
PROBLEM: Konqueror fails to detect the "secure" flag in HTTP cookies and as a result may send secure cookies back to the originating site over an unencrypted network connection.
PLATFORM: Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
DAMAGE: Sessions could be hijacked or accounts compromised.
SOLUTION: Upgrade to KDE 3.0.3 or apply patch.
Netscape Navigator Cookie Vulnerability
Executive Summary: Malicious Web site operators can view cookie information on a client's computer. Cookies are small data files used by many Web sites to track user visits, preferences and identity. If a cookie is readable, it can be used to impersonate the rightful owner of that cookie on a Web site.
Netscape urges all users of Navigator 6 through 6.2 to upgrade to version 6.2.1
Mozilla users should upgrade to version 0.9.7 (bottom of the page)
ADWARE: In our world we have come to acknowledge some advertising as a necessity to keep an activity up and running. Obviously the sponsor wants his due and maybe rightfully so. Well, Adware goes beyond any reasonableness that we have come to expect. It is usually an additional program that is downloaded and installed concurrently with a freeware or shareware program. In some predetermined manner differing ads will appear and disappear. This annoyance is really bothersome if the ads continue to pop-up when you are not running that particular program any longer. Who wants to keep closing all the banners?
SPAM: Spam is a flooding or a saturation of advertisements (just blindly sending it to everyone they can using mass mailing bots) etc., most commonly found in your email. The objective is to have you do something or to get something from you. In most cases, they want your hard earned money! Although annoying as can be, as of yet, not much harm will most likely come to your computer as a result of normal Spam if you just delete it without opening it. However, if you open one of them, or click on the box that says something to the effect, “Click here to stop receiving this ad”, you have just let them know that they have found a live host on the other end of that particular email address. After that, you can anticipate receiving additional Spam. Why do they send Spam in such quantities? The answer is really simple. If I send 1,000,000 of them out and the item I’m selling only costs $12.00, and 99% of the folks do not respond but 1% bought the item, I just made $120,000, thus the motivation. How do they do it? The Spammer usually opens temporary email accounts, sends his junk and then quickly cancels the account.
What can I do about Spam? Complain to your ISP and set your Mail Client Filters up to only accept known email addresses that you enter. Another interesting option that I found was to complain to the IRS about the character. Needless to say, if he’s not on the up and up, his fines could be pretty stiff.
BROWSER HIJACKS: A Browser hijack assault is completed by programs designed to take charge of your browser and redirect the user to pornographic websites. All efforts to change your browser’s homepage back are usually in vain. A well-known hijacker is CoolWebSearch (or CWS). Once it has infected a computer, in addition to the affects listed above, it makes changes to your registry and can also generate undesirable pop-ups. Unpatched IE browsers are most vulnerable, however, Netscape and Mozilla attacks are starting to emerge as well. How do you get hijacked? Normally it is by visiting a questionable website, but you can also become infected by receiving and opening email from those sites (some of the spam that is starting to litter our accounts as well). Unpatched mail clients are also vulnerable to this attack.
A TROJAN HORSE or more commonly called a “Trojan”, is a program that contains malicious code that is hidden within what would appear as a normal useful program An obvious type of the Helena of Troy story. Trojans do not generally copy/replicate themselves though. Rather their damage is caused when the program is run. A common casualty is the erasing/formatting of ones hard disk. They may execute immediately upon downloading or sit idly until another event transpires. Such as: rebooting your computer or using another common program. This is usually accomplished by modifying the Registry or another Startup File.
There are generally three different types of Trojans. They are: a Local Access Trojan, a Vandalism Trojan, and the Remote Access Trojan (the deviant’s best friend). Unfortunately the source code for almost every Trojan is floating around on the Internet. And just like a human viral infection the Trojans are continually mutated. The most common reason is to avoid detection.
The Trojans in use today may be found employing the full spectrum of port numbers. The higher port numbers have been most commonly used for inserting backdoors for remote access and are usually accessed through the Internet, dial-up, network, and so on. The lower port numbers are used for stealing user information such as passwords and user identification. The Trojan may also employ the service directly related to the lower ports. Such as telnet, etc.
Am I vulnerable to a Trojan Horse? Try as hard as we may to create the “Nothing Goes Out and Nothing Gets in Environment”, the reality is that our computers and networks rely on services used by ports. And although we close as many of them as we can by limiting the services we provide, some services/ports will be left open out of necessity.
To complete a successful attack the deviant must exploit a weakness, either a human weakness or a computer security weakness, to install and run a Trojan. That could be as easy as downloading a game, opening an email attachment, or visit a web page. A common method used with email attachments is called padding the file name. This is done to hide the .exe file suffix. One example using an attachment named MyDocument would be:
The file name is therefore to long and you wouldn’t see the .exe suffice. Additionally they may be deployed by Instant Messaging files or picture exchanges, borrowed floppies/CDs, and exploiting flaws in web browsers.
VIRUS: Computer code that hitches a ride on real programs, documents, etc. Similar to it’s biological counterpart that infects the “ugly bag of mostly water” humans (Old Star Trek series). Of itself, it can’t do any harm. It requires a host to survive and is transmitted from one unit to another. A computer virus duplicates itself by using the host’s programs and it usually carries a “payload” that causes some type of damage at a specified time. There are over 70,000 known Viruses and they are categorized by their malicious activity. The categories are: Boot Sector Viruses, File Infection Viruses, Partition Sector Viruses, Multi-Partite Viruses, Macro Viruses, and Polymorphic Viruses. The degree of damage is based on what type of virus it is and the objectives of the dark side. Normally, three stages make up the life of a computer virus.
When the computer first catches the virus, the virus is considered “activated”. The most common ways, in which to become infected with a virus is through a floppy disk that is carrying the virus, an email attachment from what appears to be a friend or a subject of interest, and warez (pirated software).
After the infestation has begun, the next stage starts as the virus attempts to “duplicate” itself. The goal here is to infect as many additional computers as it can. A classic manner in which this transpires is through the address books on our email programs. The virus sends itself to every name listed therein.
The most common final dastardly deed the virus will attempt to complete is to “dump its payload” at a specified time. That does not necessarily mean an actual period of time according to a clock or a date. Rather it may well be your next reboot of your computer or the next time you try to defrag your hard drive, etc.
WORM: A worm differs from a virus in that the worm does not require a host (program or document, etc.) to infect a computer. It is a self-contained, self-compiling program that copies itself. It thrives in a computer network environment. Generally it searches for a known exploit/vulnerability in a particular operating system or software on one workstation, clones itself onto that machine, then searches the Network or even the Internet for it’s next victim. It may have different objectives including allowing someone to check out the contents of your hard disk.
Misconfiguration of systems and software contributes to our vulnerabilities and is the most common cause of all successful firewall penetrations.
User Misbehavior is another well-known cause of computer infections. Malware cannot just spontaneously appear on a hard disk like pimples on teenagers. Although maybe not intentionally, someone in some manner must do something that installs the malware. Examples have been previously provided but we may also include: using ICQ, AIM, sharing floppies, etc., on the work and home computer.
**Educate/Discipline users as appropriate.
**Have Firewalls in place. What were the most popular recommended by AO members?
Hardware: Pix, Linksys router (nat), Sonicwall.
*nix: IPTables and Smoothwall.
Windows Compatibles: Zone Alarm (Free & Pro), Outpost (*Really favored 2002-2003), Sygate (*More recently favored 2003-2004), Tiny (*Really popular 2002), Kerio (*More popular 2003-2004)
**Stop malware before it can infect by installing a good Antivirus Program, Spybot/Adware Detection and Cleaning Program(s), have a Registry Monitoring Program installed to immediately detect any changes to the registry, and have Trojan removal software available. Some include: the Cleaner and TDS-3.
**Keep all your software and utilities properly patched and updated.
** Exercise prudent judgment regarding your surfing habits and create a layered defense. There are many outstanding threads in AO that discuss the topic of computer security and how to set up your defenses.
Just a few closing reminders: if you visit sites that are questionable don’t expect to slip out of there unscathed. If you open an email attachment from an unknown source, without scanning it for viruses first, you may well infect your computer. If you download programs from sites that do not have proper certificates or are not reputable, don’t be surprised at what may happen. The dark side is full of characters that like to wreak havoc and many of them produce sophisticated code that can and will avoid initial detection regardless of all of our efforts. Just as quickly as patches/updates can be produced the other side is creating and mutating code.
Most current information obtained with: www.google.com
-Steal This Computer Book 2, by Wallace Wang.
-Secrets of Computer Espionage, by Joel McNamara.
-Hack Attacks Revealed, by John Chirillo.
-Hacking Exposed – Network Security Secrets and Solutions, by Stuart McClure, Joel Scambray, and George Kurtz.