Chapter 4

nature of IM increases the threat from worms, viruses, and other malicious software (a.k.a., malware). Most e-mail users are aware that opening an executable file (.exe) from an unknown source is a danger, but many don’t know what an IM threat looks like. IM malware can be carried in a URL from somebody in your buddy list, and users are much more likely to click on URLs embedded in IM messages or accept files without knowing they are actually accepting them. As IM interconnectivity spreads and it becomes easier to communicate between multiple IM systems, such as MSN Messenger, Yahoo! Instant Messaging, and AOL Instant Messaging, so will the threat of malware jumping from one system to another increase.

From 2002 to 2003, worms and viruses that spread via IM and peer-to-peer networks increased 400 percent, according to Symantec’s Internet Security Threat Report [4]. Threats such as the Jitux.A and Bizex worms are targeting MSN Messenger and ICQ, respectively. Jitux.A can spread itself by tapping users’ IM contacts, but Bizex has more malicious intent: it sends a link to a Web site that will scan your PC for data regarding electronic payments and finances. The site was quickly shut down once the worm was discovered, but no one is sure how much data was collected before the shutdown occurred [5].

4.3 What Is Malware?

Malware (short for malicious software) is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission. Malware should not be confused with defective software that is intended for a legitimate purpose but has errors or bugs. Some of the more notable things that malware can do include the ability to corrupt files, alter or delete data, distribute confidential data, disable hardware, deny legitimate user access, and cause a hard drive to crash. Frequently, malware is also designed to send itself from your e-mail account to all the friends and colleagues in your address book. The results of a malware infection include wasted resources, compromised systems, lack of regulatory compliance, lost or stolen data, and the loss of user and client confidence. Malware can be classified based on how it is executed, how it spreads, and/or what it does. Common classifications of malware include viruses, worms, wabbits, Trojan horses, spyware, browser hijackers, blended threats, backdoors, exploits, and rootkits. Each will be briefly described in the following text.


4.3.1 Viruses

Viruses self-replicate within computers and across networks and alter files or data. They usually require some action on the user’s part to start, most often just clicking an executable file attachment on an e-mail (although embedded programming in an e-mail message can execute a virus program). Typically, people think that the file came to them from a trusted source or is something they want to see. Not every program that copies itself is a virus or worm; for instance, backup software may copy itself to other media as part of a system backup. Viruses have utilized many types and kinds of hosts as they have evolved. Common targets are executable files that are part of application programs, documents that can contain macroscripts, and the boot sectors of floppy disks. In the case of executable files, the infection routine of the virus works such that when the host code is executed, the viral code also gets executed. Normally, the host program keeps functioning after it is infected by the virus. Some viruses overwrite other programs with copies of themselves. Viruses spread across computers when the software or document they have attached themselves to is transferred from one computer to another. The difference between a virus and a worm is that a worm operates more or less independently of other files, whereas a virus depends on one or more hosts to spread itself.

4.3.2 Worms

Worms are a virus variant that can infect a computer without any user interaction. Computer worms are similar to viruses but are stand-alone software and as such do not require host files (or other types of host code) in order to spread themselves. A worm does not alter files, but resides in active memory and duplicates itself. Worms modify their host operating system to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some form of social engineering to trick users into executing them. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.

4.3.3 Wabbits

Another type of self-replicating malware is the wabbit. Unlike viruses, wabbits do not infect host programs or documents. Unlike worms, wabbits do not use network functionality in order to spread to other computers. Wabbits can be programmed to have (sometimes malicious) side effects in addition to the direct consequences of their quick self-replication. An example of a simple wabbit is a fork bomb (Figure 4.2). The fork bomb is a form of denial-of-service attack against a computer system that uses the fork function. It relies on the assumption that the number of programs and processes that may be simultaneously executed on a computer has a limit. A large number of processes will be created rapidly by the fork bomb in order to saturate the available space in the list of processes kept by the computer’s operating system. The effect is devastating—no new programs can be started and the system becomes much more difficult, or even impossible, to use, because the CPU is simply overwhelmed. It can be written in one line of C source code or in a UNIX shell on any UNIX system (Figure 4.2). A fork bomb literally explodes and sucks up all available system resources by recursively spawning copies of itself (using the UNIX system call fork(2)). Eventually, it eats all the process table entries and effectively wedges the system into a locked-up state. Fortunately, fork bombs are relatively easy to spot and kill, so creating one deliberately seldom accomplishes more than to bring the just wrath of the gods down upon the perpetrator.
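The process-count limit that a fork bomb exhausts can be enforced per user, which is the standard mitigation. The following added example (not from the book and not the code of Figure 4.2) lowers its own RLIMIT_NPROC on Linux, creates children in a strictly bounded loop, and records fork(2) being refused with EAGAIN once the cap is reached; NPROC_LIMIT, MAX_ATTEMPTS and nproc_limit_demo are names chosen here, and every child is released and reaped before the function returns.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#define NPROC_LIMIT  16   /* per-user process cap chosen for this demo */
#define MAX_ATTEMPTS 64   /* hard upper bound on fork() calls: never unbounded */

struct nproc_result {
    int attempted;   /* fork() calls made */
    int spawned;     /* children actually created */
    int reaped;      /* children collected with waitpid() */
    int limit_hit;   /* 1 if fork() was refused with EAGAIN */
};

/* Lower RLIMIT_NPROC, then create children until the kernel refuses.
 * Children block reading a pipe so they stay alive (and keep counting
 * against the limit) until the parent closes its write end.
 * Note: processes holding CAP_SYS_RESOURCE (typically root) bypass the cap. */
struct nproc_result nproc_limit_demo(void)
{
    struct nproc_result r = {0, 0, 0, 0};
    pid_t kids[MAX_ATTEMPTS];
    int pipefd[2];
    if (pipe(pipefd) != 0)
        return r;
    /* Lowering a limit needs no privilege; soft == hard, so this process
     * cannot raise it again. */
    struct rlimit rl = { NPROC_LIMIT, NPROC_LIMIT };
    setrlimit(RLIMIT_NPROC, &rl);

    while (r.attempted < MAX_ATTEMPTS) {
        r.attempted++;
        pid_t pid = fork();
        if (pid < 0) {
            r.limit_hit = (errno == EAGAIN);
            break;                     /* refused: the cap did its job */
        }
        if (pid == 0) {                /* child: wait for release, then exit */
            char c;
            close(pipefd[1]);
            (void)read(pipefd[0], &c, 1);  /* returns 0 once the parent closes */
            _exit(0);
        }
        kids[r.spawned++] = pid;
    }
    close(pipefd[1]);                  /* release every child at once */
    for (int i = 0; i < r.spawned; i++)
        if (waitpid(kids[i], NULL, 0) == kids[i])
            r.reaped++;
    close(pipefd[0]);
    return r;
}

int main(void)
{
    struct nproc_result r = nproc_limit_demo();
    printf("attempted=%d spawned=%d reaped=%d limit_hit=%d\n",
           r.attempted, r.spawned, r.reaped, r.limit_hit);
    return 0;
}
```

Run as an unprivileged user, `limit_hit` is 1 and `spawned` stays below NPROC_LIMIT; the same cap is what `ulimit -u` sets for interactive shells.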

4.3.4 Trojan Horses

Figure 4.2 Fork bombs, easily coded in C, are a special type of wabbit.

A Trojan horse program is software disguised as legitimate software containing malicious coding hidden within innocuous programming or data in such a way that it can get control and wreak its chosen form of havoc on a system. An example would be code that would ruin the file allocation table on your hard disk. A Trojan horse can be deliberately attached to otherwise useful software by a programmer, or it can be spread by tricking users into believing that it is useful. Some Trojan horses (called droppers) can spread or activate other malware, such as viruses. Basically, a dropper is just what the name implies: a program designed to run and install (or “drop”) a virus onto your system. The program itself is not infected, nor is it a virus because it does not replicate. So, technically, a dropper should be considered a Trojan horse. Often, because the virus is hidden in the program code, a scanner will not detect the danger until after the code is dropped onto your system. It is technically possible to write a virus that also drops other viruses onto the victim’s system, and several have been tried. Most are very buggy, however. It’s a technical point, but there is a class of dropper that only infects the computer’s memory, not the disk. These are given the name “injector” by some virus researchers. Fortunately, because of technical difficulties, droppers are hard to program and therefore are rarely distributed. In contrast to viruses or worms, Trojan horses cannot replicate themselves and may be widely redistributed in conjunction with a virus.

4.3.5 Spyware

Spyware is software that secretly collects and sends targeted information (such as browsing patterns or credit card numbers) about users to advertisers or other interested parties. Spyware products usually work and spread like Trojan horses. The category of spyware is sometimes taken to include adware of the less-than-forthcoming sort. Adware, which usually includes spyware components, can also be considered malware. Although not malicious in intent, adware is often installed without your consent and even without your knowledge, as a drive-by download or as the result of clicking some option in a deceptive pop-up window.

4.3.6 Browser Hijackers

Browser hijackers are programs that alter your computer’s browser settings so that you are redirected to Web sites you did not intend to visit. For example, browser hijackers can alter default home pages and search pages to those of their customers who pay for that service because of the traffic it generates. They can add bookmarks for pornographic Web sites to the users’ own bookmark collections. When the browser finds its way to one of these pornographic sites, the browser is directed to begin generating pornographic pop-up windows faster than the user can click them shut. Often, hijackers will redirect users to pornographic sites when they inadvertently mistype or misspell a URL or enter a URL without the http://www. preface.

4.3.7 Blended Threats

Blended threats are becoming increasingly common, blurring the distinction between different types of malware. Blended threats combine characteristics of more than one type of malware to maximize the damage they cause and to increase the speed at which they spread. Blended threats are seen by security professionals as perhaps the single most dangerous threat they must be prepared to contend with in the treacherous computing environments of today. Though the term is new, “blended” security threats are not. These types of threats target several areas of network vulnerability simultaneously. What is new and unique, however, is what the malicious code within them is doing. In a blended threat, malicious code can take many forms and can attack your enterprise in a number of different ways. It can also do more than one kind of damage while it’s in your system. You might, for example, find a piece of malicious code that can attack your company’s computers through e-mail attachments, infected Web sites, or even through direct attacks on your routers and servers. Once inside your firewall, these threats can spread through everything from shared disks to internal Web servers. And they can spread to the rest of the world through e-mail/IM and file transfers.

4.3.8 Backdoors

A backdoor is a method of bypassing normal authentication or obtaining unauthorized remote access to a computer while remaining hidden to casual inspection. The backdoor may take the form of an installed program (e.g., a Trojan horse such as Back Orifice) or could be a modification to a legitimate program. Based on how they work and spread, there are two types of backdoors. The first type works much like a Trojan horse, because it is manually inserted into another piece of software, executed via its host software, and spread by its host software being installed. The second type works more like a worm in that it gets executed as part of the boot process and is usually spread by worms carrying it as their payload. A backdoor in a login system could take the form of a hard-coded user and password combination that gives access to the system.

A famous example of this was used as a plot device in the 1983 film WarGames, wherein the designer of a computer system (the “WOPR”) had inserted an undocumented password (named after his son) that gave the user access to the system and to undocumented aspects of its behavior (a video game–like simulation mode). An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change could be. In this case, a two-line change took the form of an apparent typographical error, which in reality gave the caller to the syswait function root access to the machine.

The prevalence of backdoors in proprietary software systems is a topic of great speculation, but they have been occasionally exposed in practice. Programmers have succeeded in secretly installing even large amounts of code, known as Easter eggs, in programs without detection, although in these cases, there may be official forbearance, if not actual permission, to do such acts. It is also possible to create a backdoor without modifying the source code of a program or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (such as a password recognition routine). When the user provides that input, he gains access to often undocumented aspects of program operation. This attack was first outlined by Ken Thompson in his famous paper “Reflections on Trusting Trust.” [6] Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running insecure versions of Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the machines in question.

The Ken Thompson classic “Reflections on Trusting Trust” [7] backdoor was the first major article to describe black-box backdoor issues and point out that trust is relative. It described a very clever classic backdoor mechanism based upon the fact that people only review source (human-written) code and not compiled (machine) code. A program called a compiler is used to create the second from the first, and it is trusted to do an honest job. This article described how a modified version of the UNIX C compiler could be told specifically to put an invisible backdoor in the UNIX login command when compiled, and, as a twist, add this feature undetectably to future compiler versions upon their compilation as well. Because the compiler itself was a compiled program, this extra functionality would never be noticed and likewise would not be noticed in software created by it.

4.3.9 Exploits

An exploit is a common term in the computer security community and is used to refer to a piece of software that takes advantage of a bug, glitch, or vulnerability, leading to privilege escalation or denial of service on a computer system. Exploits are not necessarily malicious in intent. They are often devised by security researchers as a way of demonstrating that a vulnerability exists.

There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits can also be classified by the type of vulnerability they attack (i.e., buffer overflows, format string attacks, race conditions, cross-site scripting errors, and cross-site request forgery). Many exploits are designed to provide root-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access and then to escalate privileges repeatedly until one reaches root. Normally, a single exploit can only take advantage of a specific software vulnerability. Often, as such an exploit is published, the vulnerability is fixed and the exploit becomes obsolete for newer versions of the software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other malicious hackers. Such exploits are referred to as “zero day” exploits, and obtaining access to these types of exploits is a primary desire of many unskilled malicious attackers (called script kiddies).

4.3.10 Rootkits

A rootkit is a set of tools used by hackers after cracking into a computer system. The purpose of a rootkit is to hide logins, processes, and logs altered by the hackers’ presence, as well as to assist in sniffing terminals, connections, and the keyboard. Rootkits may be classified as Trojan horses. There are two types of rootkits: kernel-mode and application-level (a.k.a., user-mode) rootkits. Rootkits may also include backdoors, allowing an attacker to easily regain access to the compromised system at a later time, or they may contain exploit software that can be used to attack other systems.

Since its introduction into the intruder community, the rootkit has seen widespread use, and its threat should not be taken lightly. A 1994 CIAC bulletin [8] estimated that the number of accounts compromised worldwide exceeded 100,000. By 1996, this number had become much, much larger. CERT and CIAC continue to issue periodic warnings about the popularity of sniffing user IDs and passwords. Network monitoring (sniffing) attacks represent a serious Internet threat. The typical rootkit attack proceeds as follows: the intruders use a stolen or easily guessed password to log in to a host. They then gain unauthorized root access by exploiting known vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc, lpr, or passwd. The intruders use File Transfer Protocol (FTP) to send a rootkit package to the host, unpack, compile, and install it; then they collect more username/password pairs and attack more hosts.

Rootkits almost always allow an attacker to hide his or her presence on the victim’s machine. Rootkits generally take one of two basic forms: user
