March 4, 2021
Hot Topics:

Malware: Is Your Workstation at Risk? Part 2

  • By Dinis Cruz
  • Send Email »
  • More Articles »

Back at the Malicious Attackers' HQ

Having sent the e-mails with the V.W.T.B.R.M. program, the malicious attackers are now waiting for the responses.

And, sure enough, eventually YOUR computer is 'calling home', by contacting the 'listening server' (which is another previously compromised machine located somewhere on the Internet) asking for orders.

The BACKDOOR installed in YOUR computer provides the malicious attackers with a command prompt shell with Administrative rights. This shell will be used to:

  1. Scan your computer for files and e-mails containing sensitive information (trade secrets, development plans, and account details).
  2. Download source code stored in your local copy of your Visual Studio projects.
  3. Upload changes to those source code files containing a BACKDOOR that will activate when your code is executed (i.e. your will be a victim of SOURCE-CODE POISONING).
  4. Once the changed files are committed to the VSS repository, the VIRUS and all its traces are deleted from your computer.

Waiting for the Jackpot

The malicious attackers will, now patiently, wait for your development cycle to finish and for your product to be shipped to your clients, which will install them in their servers located inside their corporate network.

Because your company doesn't provide the source code of your software, it will be almost impossible for your clients to detect the BACKDOOR included.

Once the program is executed in your client's servers, the BACKDOOR is activated and your client will be involved in a serious security incident that could be very expensive and damaging.

And once the authorities get involved, guess where the forensic evidence will point to: Your Company, Your Computer, and ultimately YOU!

V.W.T.B.R.M. in a Nutshell

Recapping the different types of Malware used in this example:

  • V. (Virus)—Program containing the 'malicious' Business Logic code and (when required) 'infected' other executables
  • W. (Worm)—Self Propagated using a Buffer Overflow vulnerability
  • T. (Trojan)—Malicious payload delivered though an authentic, look-alike 'Request for Proposal'
  • B. (Backdoor)—Allows the malicious attackers to execute commands remotely on your computer
  • R. (RootKit)—Changes core Operating System functions, which made it invisible and undetectable
  • M. (Malware)—Malicious Software (all of the above)

Nahh.... It Could Never Happen to Me

If your company has a good security infrastructure and is well prepared to mitigate these stealth attacks, you are correct.

But... if your company's IT security is not able to detect and block the attacks described in this article, the question will be WHEN and not IF.

Today, most System Administrators and IT Security staff don't have programming backgrounds. They are not able to write scripts that, for example, automate security tests and detect possible intrusions.

If you are interested in learning about security and dedicate enough time to that endeavour, you could make a real difference in your company's security infrastructure (and your value as a IT professional will increase dramatically).

Now is the time to make the jump and add 'IT Security Knowledge' to your skills set and CV. Learn how Malware works and you will be able to write Anti-Malware scripts and applications for your projects and for your company.

About the Author

Dinis Cruz is an experienced security consultant based in London (UK) and specialized in ASP.NET Application Security, Active Directory Deployments, and Ethical Hacking. Dinis is also the creator and main developer of the OWASP's Open Source project: ASP.NET Security Analyser (ANSA). You can contact him at Dinis.developer.com@ddplus.net.

Page 2 of 2

This article was originally published on March 9, 2004

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date