Chapter 21 Malicious Code and Application Attacks Flashcards
What are four common virus propagation techniques?
–Master Boot Record Viruses. The MBR is the portion of bootable media, such as a hard disk or flash drive, that the computer uses to load the OS. The MBR is usually 512 bytes, so it can’t hold the whole virus. What the virus will do is instruct the code to read and execute the payload stored somewhere else. Viruses can attack both the MBR and the boot sector with similar results. Boot sector viruses infect the legitimate boot sector and are loaded into memory. MBR viruses spread between systems through the use of infected media.
–File Infector viruses. Infect different types of executable files and execute when the OS attempts to execute them. They may slightly change a legitimate file or replace the entire file. Generally not using cloaking techniques. Companion viruses use files with similar filenames.
–Macro viruses. Many applications use scripting to help with automation of repetitive tasks. VBA is a common example. They proliferate because of the ease of writing code into the scripting. However, they were easy to block because software developers blocked the ability to run untrusted macros without user intervention.
–Service injection viruses. They are injected into runtime processes like svchost.exe, winlogon.exe, and explorer.exe. Important to keep these updated.
What are advanced virus tactics?
Multipartite viruses use more than one propagation technique. For example, they might use both file infector and MBR techniques.
Stealth viruses tamper with the OS to fool AV systems into thinking everything is functioning normally. For example, one might overwrite the MBR with malicious code and then modify the OS’s file access functionality to cover its tracks. When the AV requests a copy of the MBR, the OS provides it with a “clean” version of the code.
Polymorphic viruses modify their own code as they travel from one system to another. The signature of the virus changes each time. This makes signature-based AV useless. Modern AV vendors generally can detect these, but it’s faster to make these than it is to come up with the code to stop them.
Encrypted viruses use encryption to stop detection. Similar to polymorphic viruses, but instead of modifying their signatures, they alter the way they are stored on the disk. They have a short segment of code, known as the virus decryption routine, with the information to load and decrypt the main code stored elsewhere. Each code has a different key.
Describe buffer overflows.
Exist when a developer does not properly validate user input to ensure it is the appropriate size. Input that is too large will overflow the data structure and affect other data in the computer memory. In the worst case, that data can be used to overwrite system commands, allowing an attacker to use the vulnerability to execute targeted commands on the server.
Many programming languages do not enforce size limits on variables intrinsically; they rely on programmers to do bounds-checking in their code. However, programmers may skip parameter checking because it slows down development. Security practitioners must make sure developers do this. Examples of steps to enforce:
–do not allow users to enter a value longer than the size of the buffer
–user can’t enter an invalid value for the variable type
–user can’t enter a value that will cause the program to operate outside its specified parameters
Most vulnerabilities are mitigated with patches provided by software and OS vendors.
What is a TOC/TOU attack?
Attackers can develop attacks based on the predictability of task execution. The most common sequence of events is to check that a resource is available and then access it if permitted. Time of check (TOC) is the time at which the subject checks on the status of the object. Time of use (TOU) is when the object is accessed. Sometimes the difference is enough to replace the original object with a malicious file. TOC/TOU attacks are known as race conditions.
Example: replace a data file after its identity has been verified but before it has been read. Attackers can attempt to take action between two known states when the state of a resource changes.
Describe blind SQL injections.
Blind SQL injection is when attackers can’t see the results directly. In content-based blind injection, the attacker sends input to the web application to test whether the application is interpreting injected code before attempting the actual attack. The attacker essentially tests with queries that produce known results to see what happens when changed.
Blind timing-based attacks are based on the amount of time it takes to get a response. If the attacker specifies a delay and there is no delay, it’s probably not vulnerable. If it does in fact delay, it might be.
What are code injection attacks?
SQL injection is a type of code injection attack. The idea is injecting attacker-written code into legitimate applications. Might be used against LDAP or XML. DLL injection is another possibility.
What is an insecure direct object reference?
Web designers sometimes design applications to directly retrieve information from a database based on an argument provided by the user in a query string or a POST request. The application must implement some sort of authorization, because if it doesn’t, the attacker can view the URL and then modify it to try to retrieve other documents. That is known as insecure direct object reference.
What is a file inclusion attack?
Take directory traversal to the next level. Instead of just retrieving a file, they execute code within a file. A local file inclusion attack executes code stored in a file located elsewhere on the server. A remote file inclusion attack executes code stored elsewhere, on a remote server.
When attackers discover a file inclusion vulnerability, they often exploit it to upload a web shell.
What is cross-site scripting?
Occurs when applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page.
What is a reflected XSS attack?
Some web applications take your input and send it back. Example: you enter your name and it says, “Hello [name].” You could use this to insert malicious code. The way this gets exploited is that you send someone a phishing link. They click on it, and the web site executes the malicious code included in the link.
To prevent this, web applications should perform input validation. For example, they should never allow <script> tags in a reflected input field. Also, output encoding takes user input and encodes it so the text will be safe.
What is a stored/persistent XSS attack?
Storing XSS code on a remote web server. They are described as persistent because they remain on the server even when an attack is not actively under way. Example: posting a message on a message board with HTML code that includes malicious scripting. Some attacks modify the document object model (DOM) environment within the browser.
What is request forgery?
Exploit trust relationships and attempt to have users unwittingly execute commands against a remote server. They can be cross-site request forgery (CSRF) or server-side.
What is cross-site request forgery?
Similar to XSS but exploit a different trust relationship. Instead of taking advantage of the trust users have in a Web site, CSRF takes advantage of the trust that remote sites have in a user’s system. They assume users are often logged into different sites at the same time. The attacker will embed code in one web site that sends a command to a second site. Example: posting something on a forum that has a hidden link to transfer funds to the attacker’s account. If you are logged into your bank account when you click the link, it might work. Developers can protect against this by using secure tokens the attacker would not know. They can also check the referring URL and only accept requests that originated from their own site.
What is server-side request forgery?
Same idea, but instead of tricking a user’s browser into visiting a URL, they trick a server into visiting a URL based on user-supplied input. Possible when a web application accepts URLs from a user as input.
What is parameter pollution?
Technique that attackers use to defeat input validation. Works by sending a web application more than one value for the same input variable. Depends on defects in web platforms that don’t handle multiple copies of the same parameter properly.