Abstract
Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated types of threats to computer systems are presented by malicious codes that exploit vulnerabilities in computer systems. Any code which modifies or destroys data, steals data , allows unauthorized access Exploits or damage a system, and does something that user did not intend to do, is called malicious code. This paper will briefly introduce you to the various types of malicious code you will encounter, including Viruses, Trojan horses, Logic bombs and Worms.
Taxonomy of malicious CodeA computer program is a sequence of symbols that are caucused to achieve a desired functionality; the program is termed malicious when their sequences of instructions are used to intentionally cause adverse affects to the system. In the other words we can’t call any “bug” as a Malicious Code. Malicious codes are also called programmed threats. The following figure provides an overall taxonomy of Malicious Code.
Figure 1 Malicious Code Taxonomy 
Taxonomy is a system of classification allowing one to uniquely identify something. As presented in the above figure, threats can be divided into two categories:
- Independents: are self contained program that can be scheduled and ran by the operating system.
- Needs host program: are essentially fragments of programs that can not exist independently of some actual application program, utility or system program.
You must also differentiate between these software threats that do not replicate and these that do. (Replication is a process that a code reproduces or duplicates itself.)The former are fragments of programs that are to be activated when the host program is invoked to perform a specific function , the latter consist of either a program fragment or an independent program (worm , zombie ) that when executed may produce one or more copies of itself to be activated later on the same system or some other system . In the following, I briefly survey each at these parts of malicious software.
Trap doors
defined - 1.syn.Back doors a bad thing. 2. A Trap door function is one which is easy to compute but very difficult to compute the inverse of [Jargon Dictionary]
A trap door is a secret entry point into a program that allows someone that is aware at the trap door to gain access without going through the usual security access procedure. In many cases attacks using trap doors can give a great degree of access to the application, important data, or given the hosting system. Trap doors have been used legitimately by programmers to debug and test programs, some of the legitimate reasons for trap doors are:
- Intentionally leaves them for testing, and make testing easier.
- Intentionally leaves them for covert means of access. In the other words, allows access in event of errors.
- Intentionally leaves them for fixing bugs.
But they may use illegitimately, to provide future, illegal access. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.
Back door is another name for a trap door, back doors provide immediate access to a system by passing employed authentication and security protocols, Attackers can use back doors to bypass security control and gain control at a system without time consuming hacking.
Logic Bombs
defined - The logic bomb is code embedded in some legitimate program that execute when a certain predefined events occurs, these codes surreptitiously inserted into an application or operating system that causes it to perform some destructive or security – compromising activity whenever specified conditions are met [Jargon Dictionary]
A bomb may sent a note to an attacker when a user is logged on to the internet and is using an specific program such as a word processor, this message informs the attacker that the user is ready for an attack, figure 2 shows a logic bomb in operation .Notice that this bomb dose not actually begin the attack but tells the attacker that the victim has met needed state for an attack to begin.
Figure 2 Logic Bombs 
- Attacker implants logic bomb
- Victim reports installation
- Attacker sends attack message
- Victim dose as logic bomb installation
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence at certain files, a particular day of the week or date, or a particular user running the application. One triggered a bomb may alter or delete data or entire files, cause a machine half or do some other damage.
Trojan Horses
defined - A malicious, security –breaking program that is disguised as something benign, such as directory lister, archiver, game, or (in one notorious 1990 case on Mac) a program to find and destroy viruses!" [Jargon Dictionary]
A Trojan horse is a useful, or apparently useful program or command procedure containing hidden code that when invoked performs some unwanted or harmful function. Trojan Horses can be used to accomplish functions indirectly that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan Horse program that when executed, changed the invoking user’s file permissions so that the file are readable by any user, the another example of Trojan horse program is a compiler that has been modified to insert additional code into certain programs as they are compiled such as a system login program, the code creates a trap door in the login program that permits the author to log on to the system using a special password. Another common motivation for the Trojan horse is data destruction.
The program appears to be performing a useful function but it may also be quietly deleting the victim’s files.
Zombie
A zombie is a program that secretly takes over another internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie’s creator. Zombies are used in Denial of service attacks, typically against targeted web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm the target website by launching on overwhelming onslaught of internet traffic.
Viruses
defined - [From the obvious analogy with biological viruses]. A cracker program that searches out other programs and 'infects' them by embedding a copy of itself in them so that they become Trojan horses. When these programs are executed, the embedded virus is executed too, thus propagating the ' infection ' this normally happens invisibly to the user. Unlike a worm, a virus can not infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends the virus may do nothing but propagate itself and then allow the program to run normally. Usually, however, after propagating silently for a while, it starts doing things like writing cute messages on the terminal or playing strange tricks with the display. Many nasty viruses, written by particularly perversely minded crackers, do irreversible. Damage, like nuking the entire user’s files… [Jargon Dictionary]
A virus is a program that can ' infect ' other programs by modifying them , the modification include a copy of the virus program , which can then go on to infect other programs . Therefore the key characteristic of virus is the ability to self replicate by modifying a normal program file with a copy of itself. On Nov, 1983 Fred Cohen ("father of computer virus") thought of the idea of computer viruses as a graduate student at USC. Cohen wrote the first documented virus and demonstrated on the USC campus network. “Virus” named after biological virus the following table shows details:
| Biological Virus | Computer Virus |
| Consist of DNA or RNA strand surrounded by protein shell to bond to host cell | Consist of set of instructions stored in host program |
| No life outside of host cell | Active only when host program is executed |
| Replicates by taking over host’s metabolic machinery with it’s own DNA/RNA | Replicates when host program is executed or host file is opened |
| Copies infect other cells | Copies infect (attach to) other host program |
A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function such as erasing files and programs. During its lifetime a typical virus goes through the following four phases:
- Dormant phase: The virus is idle the virus will eventually be activated by some event, such as a date. The presence of another program or file, or the capacity of the disk exceeding some limit, not all viruses have this stage.
- Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
- Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
- Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Virus Anatomy
Virus Structure has four ports
Mark can prevent re-infection attempts
Infection Mechanism causes spread to other files
Triggers are conditions for delivering payload
Payload is the possible damage to infected computer
Figure 3 Anatomy of Virus | Mark (optional) |
| Infection Mechanism |
| Trigger (optional) |
| Payload (optional) |
Memory – resident virus: lodges in main memory as part of a resident system program. From that point on, virus infects every program that executes.
Program file virus: Infects programs such as Exe/Com/Sys – files. The following figures show details:
Figure 5 Program File Viruses 
Polymorphic virus: creates copies during replication that are functionally equivalents but have distinctly different bit patterns. In this case the “signature “of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent in-generally called a mutation engine, creates a random encryption key to encrypt the reminder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus, when the virus replicates, a different random key is selected.
Boot Sector Virus: Boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or booted. This area can include the master boot record the operation system’s boot sector or both. A virus infecting these areas typically takes the system instructions it finds and moves them to some other area on the disk. The virus is then free to place its own code in the boot record. When the system initializes, the virus loads into memory and simply points to the new location for the system instructions. The system then boots in a normal fashion except the virus is now resident in memory. A boot sector virus can replicate without your executing any programs from an infected disk. Simply accessing the disk is sufficient. For example, most PCs do a systems check on boot up that verifies the operation of the floppy drive even this verification process is sufficient to activate a boot sector virus if one exist on a floppy left in the machine and the hard drive can also become infected.
Stealth Virus: A format virus explicitly designed to hide itself from detection by antivirus software. When the virus is loaded into memory, it monitors system calls to files and disk sectors, when a call is trapped the, virus modifies the information returned to the process making the call so that it sees the original uninfected information. This aids the virus in avoiding detection. For example many boot sector viruses contain stealth ability. If the infected disk is booted, programs such as FDISK report a normal boot record. The virus is intercepting sector calls from FDISK and returning the original boot sector information. If you boot the system from a clean floppy disk however, the drive is inaccessible. If you run FDISK again, the program reports a corrupted boot sector on the drive. To use stealth, however, the virus must be actively running in memory, which means that the stealth portion of the virus is vulnerable to detect by antivirus.
Macro Virus: it is set of macro commands, specific to an application, which automatically executes in an unsolicited manner and spread to that application’s documents. According to the national computer security agency (www.ncsa.com), macro viruses now make up two – thirds of all computer viruses. Macro viruses are particularly threatening for a number of reasons:
- A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft word documents. Any hardware platform and operating system that supports word can be infected.
- Macro viruses infect documents, not executable portions of code. Most of the information introduced on to a computer system is in the form of a document rather than a program.
- Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. What makes it possible to create a macro virus is the auto executing macro this is a macro that is automatically invoked, without explicit user input. Common auto execute events are opening a file, closing a file and starting an application. Once a macro is running, it can copy itself to other documents, delete files and cause other sorts of damage to the users In Microsoft word. There are three types of auto executing macros:
- Auto execute: If a macro named Auto exec is in the "Normal. Dot" template or in a global template stored in word’s start up directory, it is executed whenever word is started
- Auto macro: An auto macro executes when a defined event occurs, such as opening or closing a document
- Command macro: If a macro in a global macro file or a macro attached to a document has the name of an existing word command, it is executed whenever the user invoked that command.
A common technique for spreading a macro virus is as follows:
An auto macro or command macro is attached to a word document that is introduced into a system by e-mail or disk transfer. After the document is opened, the macro executes. The macro copies itself to the global macro file. When the next session of word opens, the infected global macro is active. When this macro executes, it can replicates itself and cause damage.
Email Virus: A more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft word macro embedded in an attachment. If the recipient opens the e-mail attachment, the word macro is activated then:
- The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail package
- The virus does local damage
WormsCan one IP packet cripple the Internet within 10 minutes? On January 25Th 2003 “SQL Sapphire Slammer “worm causes more than 1.2 billion US dollars damage, 70% South Korea’s network paralyzed, 300,000 ISP subscribers in Portugal knocked offline, 13,000 Bank of America machines shut down, Continental Airline’s ticketing system crippled.
Figure 6 SQL Sapphire / Slammer Worm 
Worm (n)
[From ‘tape worm’ in John Brunner’s novel “The Shockwave Rider “… ], A program that propagates itself over a network, reproducing itself as it goes … [Jargon Dictionary]
Worm is also self-replicating but a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network. Unlike viruses, worms do not need to parasitically attach to other programs. Because of the recursive structure of this propagation, the spread rate of worms is very fast and poses a big threat on the Internet infrastructure as a whole.
Worm Anatomy
Mark: structurally similar to viruses, except a stand-alone program instead of program fragment
Infection Mechanism: searches for weakly protected computers through a network (i.e., worms are network based)
Triggers: are Conditions for delivering payload
Payload: might drop a Trojan horse or parasitically infect files, so worms can have Trojan horse or virus characteristics
Figure 7 Worms Anatomy | Mark (optional) |
| Infection Mechanism |
| Trigger (optional) |
| Payload (optional) |
