Injection of Malicious Code in Application
© Springer International Publishing Switzerland 2015
Mohamed Chawki, Ashraf Darwish, Mohammad Ayoub Khan and Sapna Tyagi. Cybercrime, Digital Forensics and Jurisdiction. Studies in Computational Intelligence 593. DOI 10.1007/978-3-319-15150-2_3
Chapter 3. Injection of Malicious Code in Application
(1) International Association of Cybercrime Prevention (AILCC), Paris, France
(2) Department of Computer Science, Faculty of Science, Helwan University, Cairo, Egypt
(3) Department of Computer Science and Engineering, School of Engineering and Technology, Sharda University, Greater Noida, India
(4) College of Computer Science and Engineering, Yanbu Branch, Taibah University, Medina, Kingdom of Saudi Arabia
(5) Institute of Management Studies, Ghaziabad, India
3.1 Introduction
One of the biggest headaches that come along with networked and internet-connected computers is the absolute requirement of dealing with malicious code attacks (Erbschloe 2004). There is no choice; if your systems are not equipped in some way with antivirus protection, sooner or later some bug will eat them. There is also very little to be gained by whining about how vulnerable computer systems are to malicious code attacks. The unfortunate circumstances that wired societies face can be depicted in the following manner (Ibid):
Organizations and individuals want computing and communications resources, and want them as cheaply as possible.
Software and hardware manufacturers work synergistically to meet market demands for cheap but highly functional computing and communications resources.
The corporate interests that drive cooperation between software and hardware manufacturers have resulted in a marketplace that is dominated by very few companies.
Market dominance by very few companies has created a computing and communications technology ecology with very few species.
The antithesis to the social forces that drive the dominant companies to cooperate in controlling the marketplace is a counterculture of malicious code writers that revels in embarrassing the corporate giants on their lack of technology prowess.
The small number of species in the technology ecology makes it easy for the malicious code writers to find vulnerabilities and launch attacks that can spread around the world in a very short time.
Law enforcement agencies and the corporate giants that dominate the computer marketplace label malicious code writers and attackers as criminals and, at times, even as terrorists. The malicious code writers and attackers view the corporate giants as criminal and parasitic organizations dominated by greedy capitalists. Meanwhile, the governments of the computer-dependent parts of the world are struggling to unify their efforts to fight malicious code attacks, doing so largely under the umbrella of the global war on terrorism.
These circumstances, in the grandest of capitalistic glory, have created a marketplace in which virus protection and computer security product companies have thrived. This labyrinth of social, political, and economic forces has several results, many of which are very embarrassing for modern societies (Ibid):
Very few malicious code attackers are ever caught by the police.
Government agencies cannot catch up with malicious code attackers, let alone build a national defense system to stop attacks.
Large organizations that purchase technology are the prisoners of the dominant technology companies and have little recourse and few market alternatives.
Elected public officials, many of whom are the recipients of campaign contributions from the dominant technology companies, are strongly resisting confronting the industry about product liability.
When all is said and done, the burden caused by these collective and converging trends falls on the computer user. State and local law enforcement can do little to help in the computer security and computer crimes realm. The governments, through laws and incident response by federal agencies, are often slow to react to trends. Perhaps most worrisome of all, the dominant technology companies from which you buy products—in designing the products on ever-shorter production and release cycles—do little to protect the end user. If computer users want to keep their computers up and running and keep the malicious code attackers at bay, they need to do two things: (1) take a comprehensive approach to dealing with malicious code attacks, and (2) become a customer of one of the well-established virus protection companies and buy, install, and maintain their products on their computer systems.
3.2 Types of Malicious Code
Malicious code can be categorized into several different types according to the ways in which it infects a system (Griffin 2000):
3.2.1 File Infector Viruses
File infector viruses are those that infect other files or programs on computer systems. They operate in a number of ways. Once the original “host” program is run, the virus can stay resident or “live” inside the system memory (RAM) and infect programs as they are opened, or lie dormant inside another program. Each time that program is run, the virus will infect another program or file.
A second, more complex file infector is one that doesn’t alter the program itself, but alters the route a computer takes to open a file. In this way, the virus is executed first, and then the original program is opened. If a program or file that is infected with a file infector virus is passed from one computer to another, over a network or via floppy disk for example, the virus will begin infecting the “clean” computer as soon as the file or program is opened.
3.2.2 Boot Sector Viruses
Whereas file infector viruses infect programs on a computer’s hard drive, boot sector viruses can infect hard drives and removable disks, such as floppy disks. The boot sector is an area at the beginning of a hard drive or other disk where information about the drive or disk structure is stored. Symptoms of a boot sector virus may be a computer that is unbootable or gives error messages upon booting. Frustratingly, boot sector viruses may also be present with no noticeable problems. One thing should be noted about floppy disks, however: it does not matter whether the floppy disk is a “bootable” disk or not. If the disk is infected with a boot sector virus and the user inadvertently leaves the disk in the drive when rebooting the computer, the virus can still be executed.
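The chapter describes the boot sector as the area at the start of a disk holding the drive structure, and notes that an infected one may show no symptoms. A defender therefore wants to inspect that sector directly rather than wait for boot errors. The following is an added example, not code from the chapter; it assumes the standard PC master boot record layout (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510), which the chapter does not spell out. It builds a constructed sample sector, parses it, and flags a sector whose boot code no longer matches a recorded baseline digest.

```python
import hashlib
import struct

# Standard PC MBR layout (assumed here; the chapter only says the sector holds
# drive-structure information): bytes 0..445 boot code, 446..509 four 16-byte
# partition entries, 510..511 the 0x55AA signature.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE_OFF = 510
MBR_SIGNATURE = b"\x55\xAA"


def build_sample_sector() -> bytes:
    """Constructed sample: a minimal MBR with one bootable type-0x83 partition."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * (BOOT_CODE_LEN - 3)  # jump stub, then padding
    # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x83,
                         b"\x00\x00\x00", 2048, 1_000_000)
    empty = b"\x00" * 16
    sector = boot_code + entry0 + empty * 3 + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check, a digest of the boot code and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": num_sectors,
            })
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_boot_sector(sector: bytes, baseline_code_sha256: str) -> list:
    """Findings a defender acts on: bad signature, altered boot code, or no bootable partition."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature (sector corrupt or overwritten)")
    if info["boot_code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def demo() -> tuple:
    """Record a baseline from the clean sample, then check a copy whose boot code was altered."""
    clean = build_sample_sector()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[0x40:0x48] = b"\xCC" * 8  # simulate an overwritten slice of the boot code
    return check_boot_sector(clean, baseline), check_boot_sector(bytes(tampered), baseline)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean sector:", clean_findings or "no findings")
    print("tampered sector:", tampered_findings)
```

On a real system the 512 bytes would be read from the raw device (for example `/dev/sda` on Linux) with administrative rights, and the baseline digest stored off the machine, since a sector that still has a valid signature and boots normally can nevertheless carry foreign boot code, which is exactly the symptomless case the chapter warns about.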
3.2.3 Macro Viruses
Macro viruses are by far the most common type of malicious code found today. This is due to the popularity of software such as Microsoft Office and others such as Corel Draw, which use macro programming languages extensively in their products. Macro viruses use an application’s own macro programming language to distribute themselves. Macro viruses do not infect programs; they infect documents. Macro viruses typically arrive in an infected document, a price list written with MS Word for example. When the file is opened, the virus infects the base template on the victim computer, in this case “Normal.dot”. Normal.dot is the “framework” that Word documents are created on. Once this template is infected, every document that is opened from then on will be infected as well, making all documents created or opened in Word a carrier of the macro virus. Macro viruses have been written for most Microsoft Office applications, including Excel, Access, PowerPoint and Word. They can also be found in Lotus AmiPro and Corel products to name a few. One more warning about macro viruses is that they are not platform specific. They can be found and spread through Macintosh, DEC Alpha, Microsoft NT and Microsoft Windows. In other words, just because a computer user received a Microsoft Word file from a colleague using a Macintosh, doesn’t mean he/she will not be infected by a macro virus embedded in that document.
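Both the file infector (3.2.1) and the macro virus (3.2.3) work by changing a file that already exists on the machine: an executable in the first case, the base template Normal.dot in the second. The common defensive check is a file integrity baseline, which records a digest of each watched file and reports any that later differ. The following is an added example, not code from the chapter; the set of watched extensions and the directory layout are assumptions, and the "infection" is simulated by appending bytes to a stand-in program and rewriting a stand-in template in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed watch list: program files a file infector alters, plus the Word
# templates a macro virus rewrites (the chapter names Normal.dot).
WATCHED_SUFFIXES = {".exe", ".dll", ".com", ".dot", ".dotm"}


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (path relative to root, POSIX form) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report files whose digest changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "missing": sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Constructed scenario: baseline a directory, simulate both infection styles, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Templates").mkdir()
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)          # stand-in program
        (root / "Templates" / "Normal.dot").write_bytes(b"template-bytes")  # stand-in template
        (root / "notes.txt").write_text("not a watched type")
        before = build_baseline(root)

        # File infector style: the program gains extra code at its end.
        with (root / "app.exe").open("ab") as f:
            f.write(b"APPENDED-CODE")
        # Macro virus style: the base template is rewritten.
        (root / "Templates" / "Normal.dot").write_bytes(b"template-bytes+macro")
        # A new binary appears that was not in the baseline.
        (root / "dropped.dll").write_bytes(b"new file")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the machine being checked cannot rewrite (read-only media or another host), otherwise a resident infector that is already active can refresh the baseline after modifying the files it watches.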
3.2.4 Worms
A worm is a piece of code that can make fully functional copies of itself and travel through a computer network and/or across the internet by a number of means. A worm does not attach itself to other programs like traditional viruses, but creates copies of itself, which in turn create even more copies. The computer “worm” is so called because of the way in which “rogue” computer code was originally detected. Printouts of computer memory locations would show random “wormhole” patterns, much like the patterns in worm-eaten wood. The term was eventually shortened and used to describe viruses that could “worm” or propagate across networks and the internet, leaving copies of themselves as they travelled. Worms are prolific because most are written in simple scripting languages, using nothing more than a text editor, and become fully functional “programs” under the right conditions. For example, if you were to obtain a copy of the “I Love You” worm and change the file’s extension from vbs to txt, you could safely open the file in Notepad and view the structure of the worm. This makes the vbs script worm extremely popular among the script kiddy fraternity, as it takes no (or very little) programming knowledge to modify an existing worm and release it into the wild (when a virus is circulating in the computing community or throughout the internet, it is said to be “in the wild”).
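The chapter's point that a .vbs file becomes inert data once renamed to .txt cuts both ways: Windows chooses the handler from the final extension, so a mail gateway that wants to stop script worms must judge attachments by that final extension and must not be fooled by a data-looking extension placed in front of it. The following is an added example, not code from the chapter; the list of extensions treated as executable and the sample attachment names are constructed assumptions for illustration.

```python
# Assumed policy list: extensions a Windows host hands to a script or program
# loader when the file is opened. The chapter names vbs; the rest are assumed.
EXECUTABLE_SUFFIXES = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
                       "bat", "cmd", "com", "exe", "scr", "pif"}
# Extensions treated as plain data (a .vbs renamed to .txt opens in Notepad).
DATA_SUFFIXES = {"txt", "doc", "xls", "ppt", "pdf", "jpg", "png"}

# Constructed sample attachment names for the demonstration below.
SAMPLE_ATTACHMENTS = [
    "pricelist.doc",        # ordinary document
    "worm_sample.vbs",      # script, executed on open
    "readme.txt.vbs",       # script hidden behind a data-looking extension
    "pricelist.vbs.txt",    # renamed script: final extension is txt, opens as text
    "notes",                # no extension at all
]


def _decision(name: str, action: str, reason: str) -> dict:
    return {"name": name, "action": action, "reason": reason}


def classify_attachment(filename: str) -> dict:
    """Decide allow/block from the LAST extension, and explain why."""
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[-1] == "":
        return _decision(filename, "allow", "no extension")
    last = parts[-1]
    inner = parts[1:-1]  # any extensions sitting between the base name and the last one
    if last in EXECUTABLE_SUFFIXES:
        hidden = [x for x in inner if x in DATA_SUFFIXES]
        if hidden:
            return _decision(filename, "block",
                             f"script/program extension .{last} hidden behind .{hidden[-1]}")
        return _decision(filename, "block", f"script/program extension .{last}")
    return _decision(filename, "allow", f"data extension .{last}")


def filter_attachments(filenames) -> dict:
    """Split a list of attachment names into allowed names and blocked names with reasons."""
    decisions = [classify_attachment(n) for n in filenames]
    return {
        "allowed": [d["name"] for d in decisions if d["action"] == "allow"],
        "blocked": {d["name"]: d["reason"] for d in decisions if d["action"] == "block"},
    }


if __name__ == "__main__":
    result = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", result["allowed"])
    for name, reason in result["blocked"].items():
        print(f"blocked: {name} ({reason})")
```

The extension check is only a first gate: it stops the common case the chapter describes (a script that runs because of its name) but says nothing about what a permitted document contains, which is the macro case handled separately.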