Malicious Code Information

1. What is Malicious Code?
2. Types of Malicious Code
3. Where does Malicious Code Hide?
4. Malicious Code: a Dangerous Threat

1. What is Malicious Code?

   Malicious Code is a new kind of threat which cannot be blocked by anti-virus software alone. In contrast to viruses (which require a user to execute a program in order to cause damage), malicious code is an auto-executable application. It can take the form of Java Applets, ActiveX controls, plug-ins, pushed content, scripting languages, or a number of new programming languages designed to enhance Web pages and email.

   Early in 1997, a serious threat that involved a free Plug-In advertised as a multimedia viewer for Web movies was exposed. The free Plug-In silently redirected the computer's modem from the Internet access line to a pay-per-minute number which cost users thousands of dollars in phone bills. Within a few months of this attack, a hacker organization used an ActiveX control to transfer funds by modifying Quicken files located on the local drives of people viewing their web page. In 1999, a program called "Picture.EXE" forwarded the usernames and passwords of many America Online users to unknown email addresses. Over 250 examples of malicious code has been documented since 1997.

   Usually, the victim is ignorant of a malicious code attack, making it virtually impossible to even recognize an assault until it is too late. Unlike viruses, the full payload has already been delivered by the time the actual malicious code program is identified. To make matters worse, the nature of the code makes it an ideal tool for people trying to target a particular user. Someone can send the code as an email attachment or place it on a web site visited by the user. Therefore, any protection against malicious code needs to be proactive and needs to be able to cope with new, unknown code.

2. Types of Malicious Code

   • Access Violations - The most dangerous malicious code is that which tries to access (delete, steal, alter, or execute) unauthorized files. The attacks can steal passwords, files, or other confidential data. Some examples of company information that could be exposed or include login names and passwords, secret project information, IPO plans, credit card numbers, confidential phone numbers, social security numbers, addresses, and more. Code can also delete, encrypt, or modify files on disk. Real-life examples of these attacks are described later in this paper. Access violation attacks require behavior monitoring and can't be effectively blocked by ‘code scanning' methods.
   • Denial of Service Attacks - Denial of Service attacks prevent the user from using the system, and may destroy files that are open at the time of the attack. They work by performing repetitive tasks like opening an infinite number of windows until the system locks up. These types of attacks can be stopped through inspection of all incoming content.

3. Where does Malicious Code Hide?

   • Email - Email is the most common application used on the Internet today. In addition to message text, email can also include attachments of all kinds, as well as booby-trapped shortcuts and malicious code applets. Email attachments can carry vandals, Trojan Horses, or Viruses. Anybody can send and receive email containing hostile content without knowing that they have been attacked. Without protection, the code attachment will have access to any file on the system.
   • Web Content - Web surfing is the second most popular Internet activity, and it is the least secure. The newest Internet technologies, especially Java and ActiveX, are used to create dynamic, content-driven web sites. Unfortunately, these compelling new technologies also pose the highest risk. Java applets and ActiveX controls are downloaded and executed automatically by simply viewing a web page. In this manner, users are allowing the web page to copy an unknown program to their computer and run it. Instructing web browsers not to download any Java or ActiveX content is possible, but increasingly less practical as many web sites require these technologies to provide full functionality.
   • Legitimate Sites - Just because users are viewing a “trusted” web site does not mean that the content could not have been altered to include malicious code programs. For example, in August 1996, the CIA Web site was altered. In fact, hackers often target traditional bastions of security because of the challenge. If someone can change the wording or graphics, they can also add a malicious code program to damage or steal data.
   • File Downloads - Although transferring files is a common occurrence on the Internet, and one which carries many of the risks noted previously, it poses less of a threat because it is an activity usually undertaken by experienced users. However, by trusting a product's description to be factual, a user can inadvertently download a program that, upon execution, does something unexpected.
   • Pushed Content - Push technology enables news and other content providers to automatically supply subscribers with information by downloading content to the user's desktop. This technology also provides the means by which non-security-conscious software companies automatically supply their users with updates. This technology is activated when a user installs a small program onto the PC called a “push-client”, which constantly polls the provider's server and transports the latest news, stock quotes, sports scores, etc. Just as software developers (such as Microsoft) have inadvertently provided CD-ROMs to customers that included viruses, it is very likely that malicious code programs and viruses will be inadvertently supplied along with the expected pushed content.
   
   

4. Malicious Code: a Dangerous Threat

   In contrast to viruses (which require a user to execute a program in order to cause damage) malicious code is an auto-executable Internet applications. It can be written as Java Applets, ActiveX controls, or any other type of auto-executable content. It does not replicate or infect files (like viruses), but rather causes immediate damage. It cannot be detected by traditional anti-virus software. Programmers with malicious intent use malicious code to gain access to files in a computer. Worse yet, it can be targeted to a particular company.

   Usually, the victim is ignorant of a malicious code attack, making it virtually impossible to even recognize an assault until it's too late. Unlike viruses, the full malicious payload has already been delivered by the time the actual malicious code program is identified.

   Also, malicious code can steal information which is later used to legitimately access private resources with a password. This makes it very difficult to track whether a security breach originated from a code attack.