
Common Vectors - Security

Many of us who use security products on our computers religiously are bewildered to find that we still get infected with malware. How does this happen? No matter what we do, our computers are constantly in touch with the vectors that carry malicious software. Thomas Greene explains what this means, and what we can do about it.

  1. Vectors
  2. Common Vectors
  3. Other Vulnerabilities
  4. “Unsafe at Any Speed”
  5. Defense
  6. Linux Services
  7. Becoming a User
  8. Read, Write, Execute
By: Apress Publishing
February 02, 2005


The Internet may not be crawling with dangerous hackers as the news media like to pretend, but it is inundated with billions of bytes of incredibly lousy and often malicious code, while most PCs are loaded with gigabytes of wretched software that either offers no protection or is itself malicious. Hackers are not your primary security concern; bad software is. This may not be terribly sexy news, but it’s true. Your computer is insecure because your software is insecure and because you’ve probably got several malware applications installed on it to boot.

Before we dig into the details, let’s take a brief survey of the most common malware vectors and other common routes to exploitation.


E-mail

The Microsoft e-mail clients Outlook and Outlook Express have for years been the Internet’s most prolific virus and worm vectors. They are joined by instant messaging (IM) clients and P2P file-sharing utilities for that dubious distinction. However, the Microsoft e-mail applications are particularly dangerous because they are deeply integrated into the Windows system, and also because, like most clients, they are code-execution environments. That is, the e-mail client itself is capable of rendering HTML and executing code, such as ActiveX controls and JavaScript, automatically from the body of a message. Such code is said to be delivered in line when it appears in the body of a memo, as opposed to code contained in a file attached to it. Virtually all modern e-mail clients are capable of executing code, though the Mozilla mail client recommended in the Introduction allows users to disable all remote images, HTML, and in-line scripts and plugins. Others do as well, but I recommend Mozilla because it’s not deeply integrated with the Windows operating system, its data traces are easy to control, and it’s both free and open source.

In addition to executing code, e-mail also transports a great number of malicious file attachments. People are repeatedly warned never to open attachments without first scanning them for malware, but still they do so every day. Some mass-mailing viruses are capable of sending themselves automatically to each correspondent in a victim’s e-mail address book. The next recipient recognizes the sender as a known contact and is therefore more likely to open the attachment and infect himself, propagating the virus to his own contacts, and so on. The Melissa, IloveYou, and Slammer e-mail worms used this technique and managed to clog up portions of the Internet for brief periods, though they contained no destructive payloads. However, many in-line scripts and e-mail attachments do contain malicious payloads, so it is very important to disable code execution (i.e., switch off HTML and all scripting and plugin support) and never to open any attachment, regardless of who sent it, without first scanning it for the presence of malware. E-mail attachments are probably the single largest vector of malware. Switching off HTML is also an important step because spam is often loaded with malicious scripting and remote images that can track recipients. Admittedly, it can be irritating to read HTML-formatted mail rendered in plain text. If your friends and regular correspondents have the habit of sending HTML e-mail, take a moment to explain the security risks of in-line scripting, and suggest that they consider sending mail in plain text.


Browsers

Most of us think of the browser as a simple window on the Internet. It is that, of course, but it has developed considerably since the early days of the humble Mosaic browser in the early 1990s, gradually swelling into what it is today: a major code-execution environment. We now have Java, JavaScript, Flash, ActiveX, PHP (Hypertext Preprocessor), XML (Extensible Markup Language), ASP (Active Server Pages), and other pulsating, decorative accessories to make our browsing experience memorable, and risky. After all, if a browser can execute code, it can execute malicious code.

It’s easy for an attacker to force a victim’s browser to run malicious code and scripts, and this is especially true of Internet Explorer. Sometimes an attack involves redirecting a browser session to a malicious Web site without the user’s knowledge; sometimes it involves enticing a user to visit a malicious site with a link in an e-mail message; sometimes it involves spoofing or obscuring URLs and filenames; sometimes it involves sending malformed packets to the browser, and sometimes it involves tricks that cause code from untrusted sites to execute in the “trusted” Internet Explorer security zone. Cookies can be misused to compromise privacy and even to hijack browser sessions and gain access to private online accounts. Local files can be read by remote attackers; downloaded files can be forced to execute automatically; and buffer overflows can be caused, allowing arbitrary code to run on a victim’s machine without any user interaction. There are literally hundreds of ways for an attacker to turn a victim’s browser against him. Some have been patched; others have not.

Here again, Windows users are at a disadvantage. The Internet Explorer browser is designed primarily as a code-execution environment and is deeply embedded in Windows. This makes it particularly dangerous because there are a vast number of exploits against it and because attacks against the browser can more readily become attacks against the system. For one ironic example, in July of 2003 an online “security scan” offered by security services giant Symantec was found to be loading a dangerous, and exploitable, ActiveX control on Windows users’ machines, which in turn allowed external code to run with the victim’s level of privilege. An ActiveX control is an executable program that can operate at a very low level within the Windows operating system, often delivered as Web content.

Internet Explorer also makes it difficult for users to clear their computers of data traces from their browsing sessions. A great deal of data is stored in the Windows Registry; and the default directories where the URL history, page cache, and cookies are stored can be difficult to clear.

Internet Explorer also does not permit fine-grained control of images to be loaded and so offers little protection against Web bugs, a commercial tracking and profiling gimmick that uses tracer images embedded in Web pages by third-party marketers. The scheme is similar to the tracer images in HTML e-mail, by which a spam victim’s e-mail account is verified. In this case, the bugs track a person’s surfing habits by logging their IP address, and possibly cross-referencing this behavior with login information and data stored in cookies.

According to Coremetrics, a marketing outfit that supplies tracer images for use on Web sites, their LIVE (lifetime individual visitor experience) profile technology (i.e., Web bugs) will “deepen and enhance customer relationships by gaining a better understanding of individual users’ behavior on your site and product preferences, giving you the insight you need to cross-sell financial products more effectively.” As you can see from the Coremetrics sales boilerplate, surfers can be identified personally with the bugs, though no doubt the decorative “privacy policy” on many of the Web sites using them will claim that personally identifiable data is not gathered. Web bugs, like tracer images in e-mail, are difficult to spot. The images themselves can be one pixel in size, making them invisible. The only way to avoid this sort of abuse in Internet Explorer is to deny all images, which makes surfing a rather dull affair. However, Mozilla allows the blocking of third-party images and cookies, which in turn helps surfers to defeat marketers while allowing a fair bit of image content to enliven their surfing experience.
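As an added illustration (not code from the book or from Mozilla), here is a small Python audit that applies the criteria described above to an HTML e-mail body or Web page: it lists remote images, marks those served from a host other than the sender's as third-party, flags 1x1 pixel images as Web bugs, and counts in-line script blocks and plugin objects. The sample message and all host names in it are constructed for the example.

```python
"""Audit an HTML message body for Web bugs, third-party images and active content."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width/height values that make an image effectively invisible (the 1x1 tracer).
TINY = {"0", "1", "0px", "1px"}


class MailAudit(HTMLParser):
    """Collects remote images, in-line scripts and plugin objects from HTML."""

    def __init__(self, origin_host):
        super().__init__()
        self.origin_host = origin_host.lower()
        self.remote_images = []   # (url, is_third_party, is_tiny)
        self.scripts = 0
        self.plugins = 0

    def _same_site(self, host):
        host = host.lower()
        return host == self.origin_host or host.endswith("." + self.origin_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            host = urlparse(src).hostname
            if host:  # only remote images can phone home; cid:/data: refs have no host
                tiny = (a.get("width", "").strip() in TINY
                        and a.get("height", "").strip() in TINY)
                self.remote_images.append((src, not self._same_site(host), tiny))
        elif tag == "script":
            self.scripts += 1
        elif tag in ("object", "embed", "applet"):
            self.plugins += 1


def audit(html, origin_host):
    """Return a list of findings for one message body.

    origin_host is the sender's domain (or the page's host for Web content);
    images served from any other host are reported as third-party.
    """
    p = MailAudit(origin_host)
    p.feed(html)
    p.close()
    findings = []
    for url, third_party, tiny in p.remote_images:
        if tiny:
            findings.append("web bug (1x1 remote image): " + url)
        elif third_party:
            findings.append("third-party image: " + url)
    if p.scripts:
        findings.append("%d in-line script block(s)" % p.scripts)
    if p.plugins:
        findings.append("%d plugin/ActiveX object(s)" % p.plugins)
    return findings


# Constructed sample message; every host below is invented (.test TLD).
SAMPLE = """<html><body>
<p>Dear customer, see our <a href="http://www.example-shop.test/offer">offer</a>.</p>
<img src="http://www.example-shop.test/img/banner.gif" width="468" height="60">
<img src="http://track.marketing.test/pixel.gif?id=u12345" width="1" height="1">
<script>document.location = "http://bad-site.test/";</script>
<embed src="http://bad-site.test/player.swf">
</body></html>"""

if __name__ == "__main__":
    for line in audit(SAMPLE, "example-shop.test"):
        print(line)
```

The banner image is served from the sender's own site and so is not reported; the query-string token on the pixel image is exactly the sort of per-recipient identifier that verifies an address.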


Scripts

This is a generic term for quite a few similar things. Essentially, a script is a series of commands to be executed without user interaction. They are not programs per se but, rather, commands that programs will respond to or instructions they will execute. The simplest ones are called batch files in Windows parlance and shell scripts in UNIX parlance. Most users have entered commands at a shell prompt or a command prompt. A batch file or shell script would simplify this by entering the commands in sequence automatically until the desired task is completed.

A macro is a scripted series of commands taking fairly complex action at the touch of a few keys. Many people use macros to automate repetitive tasks with word processors and spreadsheets. Not surprisingly, a command is translated into code that your computer can understand by a command interpreter. There are various interpreters, just as there are different scripting languages, such as JavaScript, VBScript, Perl, and so on.

Scripts are everywhere and come in many forms. They often appear in Web pages and e-mail memos, where they provide interactive features and dynamic content. What they all share is the ability to perform tasks without user interaction. They are wonderful tools for automating repetitive chores and therefore of great value to sysadmins, Webmasters, and users alike. They are also of tremendous value to attackers. Scripts in Web pages and e-mail are frequently used as weapons because scripting languages are easy to learn: an attacker does not need any experience in programming to hack out a malicious script. A trick called cross-site scripting (XSS) allows an untrusted Web site to execute code in the security context of a trusted Web site without the user’s knowledge. Therefore, scripting support in any type of Internet client, including instant messaging, and in programs that invoke Internet clients (such as a word processor might do when one activates a hyperlink in a document file) is inherently risky. Scripting support is a significant and ever-present vector of compromise, and it must be controlled by the user with prejudice against allowing it except where necessary.

Instant Messaging

Instant messaging, or IM, is one of the more enjoyable services available over the Internet, one that can bring people together from anywhere in the world in real time for the price of an ISP account. However, graphical IM clients like MSN Messenger, AIM, and ICQ, as well as the text-based IRC (Internet relay chat) clients, are major vectors of infection. One reason is that the clients offer scripting support. There are many useful and innocent capabilities associated with IM and IRC scripts, though it should be said that the vast majority of packaged ones available for download have at least some malicious function, such as mass messaging (spamming), channel and network flooding, grabbing user IP addresses and other data, hijacking accounts and screen names, and the like. Another problem is that IM attracts children and teenagers and makes exchanging files very convenient. Young people tend to trust their peers and so typically end up accepting a great number of malicious files that can compromise not only their own privacy, but the overall security of a home network. Finally, it is important to know that many of the graphical IM and IRC clients contain adware and may reveal more about a user than he is willing to share with the IM service provider.

Businesses are also using IM as an inexpensive way for telecommuters to touch base with workmates on site in real time, and even for virtual conferences. This is an extremely insecure method of communication. IM clients can reveal a user’s true IP address; they can leave one open to man-in-the-middle attacks where one’s chat session is intercepted by a third party; they can be hijacked by scripts; and users can easily be impersonated. IM is fine for casual communication, but it is not an appropriate substitute for teleconferencing via a secure VPN (virtual private network). Simply permitting IM clients on a company network is a moderate security risk; using them for sensitive communication is positively reckless.

The MSN Messenger IM client is tied to a user’s Passport and Hotmail accounts and is deeply integrated with Windows as well. Browser action, such as logging into Hotmail, can invoke the IM client and vice versa. There is also a very dubious feature in Messenger called “shared browsing,” which enables two people on different computers to synchronize their browsers. “Even if you’re in Hollywood, CA, and your friend is in Hollywood, FL, you can both be on the same page—literally. You’ll see each other’s cursors on screen and you can chat in real time via MSN Messenger,” an MS marketing copywriter gushes. This level of integration and “synergy” is an open invitation to system compromise and privacy violation from many fronts. Exploits against Passport, Hotmail, and MSN Messenger are common, and a weakness in one increasingly implies a weakness in the others, since Microsoft’s trend is toward more, not less, application and Internet service integration. It is not a bad idea to replace MSN Messenger with a third-party clone like Trillian, which does not burrow so deep in the bowels of Windows and allows connections to numerous other IM networks. Even better from a security point of view is Gaim for Windows or Linux, which is both open source and adware-free, and, like Trillian, features cross-network compatibility. Gaim lacks the handsome user interface of many IM clients, but it is a fine choice for security reasons. However, all IM clients have been found susceptible to numerous exploits in the past and need to be patched regularly.

P2P Software

Much loved by young people for trading music files, illegally cracked editions of expensive software, and pornography, P2P applications like Morpheus, KaZaA, Grokster, and the like are major malware vectors even worse than IM clients. For one thing, most are infected with adware or spyware to help fund the developers. A great deal of user behavior is tracked across the Internet in this way, though the companies producing the applications soft-pedal this fact with the same dissimulating PR-speak that any flack from the music lobby would use. For example, KaZaA “contains no spyware,” developer Sharman Networks claims. The company “does not condone the use of spyware nor support the distribution of spyware to others,” we’re told. However, the KaZaA application feeds advertisements to users through third-party ad servers. Sharman assures us that this is all benign, that no one is tracked. But since you cannot possibly verify this claim, you would be foolish to believe it. “No spyware” is pure marketing spin. The company can call it what they please, but to any security-conscious user, adware is spyware.

P2P applications also function as servers so that users can upload files to each other’s machines, which means that their potential to spread malware is tremendous. Most of them are also capable of acting as super nodes, meaning that they can relay search requests from potentially millions of users. Enabling (or, rather, not disabling) the super-node function may cause users to violate their ISP’s use policy by inadvertently exceeding bandwidth limits, and the server function can expose users to every manner of malware known. These dangerous functions are often enabled by default, so users should take care to ensure that their P2P application is not behaving more promiscuously than they wish.

Permitting strangers to load files on your machine is essentially foolhardy. So is taking files from machines to which anyone can perform uploads. All such files must be scanned with antivirus software before activation, and users who permit uploads should scan their share directory periodically. However, AV software is only effective against known malicious files; it is hardly foolproof, so some risk will always remain no matter how careful or conscientious one is. Files downloaded via P2P applications or stored in an open share directory should be treated as malicious until proven otherwise. Careful scrutiny of file extensions is not an adequate defense: even seemingly normal MP3 files have potential to cause buffer overflow conditions against media players and use them as springboards to further system exploitation. While it may seem antisocial to use P2P software only to find and download files for yourself, this is, if not quite safe, the least risky way to go about it.

Assuming that the embedded adware and real potential for attracting root-kits hasn’t daunted you, there is yet another hazard. A powerful and quite ruthless lobbying organization for the music labels, the Recording Industry Association of America (RIAA), initiated a vendetta against file sharing in the summer of 2003. Armed with federal legislation called the Digital Millennium Copyright Act (DMCA) of 1998, written by the music and film lobbies and pushed through Congress on the wings of lavish campaign donations, the labels have begun identifying and suing file sharers with a streamlined subpoena process made possible by the DMCA. According to the Act, any copyright owner is permitted to file a simple subpoena obtained from a court clerk against anyone suspected of copyright violation, without a judge’s approval. There is no standard of evidence or probable cause.

The RIAA has been serving these inexpensive, do-it-yourself court orders against ISPs and obtaining the identities of P2P users, who are then sued. Usually, the accuser will be a simple software robot automatically trawling P2P networks, identifying likely candidates for legal persecution by their online nicknames or screen names. The subpoenas, essentially fishing licenses enabling the RIAA to accuse first and gather evidence later, are then used to obtain the suspected infringer’s true identity from their ISP. The RIAA is conducting an intimidation campaign in the form of a vendetta, lashing out at random members of a virtual “family” in order to chasten everyone else.

Meanwhile, telecommunication outfit Verizon objected to revealing its customers’ names on the basis of these flimsy subpoenas and fought the RIAA in court. The U.S. Court of Appeals for the District of Columbia ruled against the quick-and-dirty subpoena process, though no doubt a long, bitter legal battle over the music industry’s tactics will ensue. The practice may be reprehensible, but it may yet be upheld by the U.S. Supreme Court, thanks to the eternal inflooding of entertainment industry money into the U.S. political system. While there are valid political reasons for defying the RIAA and its sister organization, the Motion Picture Association of America (MPAA), and the custom-designed legislation they purchased on Capitol Hill, from a security point of view, P2P sharing is moderately risky at best, and positively self-destructive if all the features are enabled.

Users of P2P applications would do well to run a packet sniffer on their Internet connections from time to time and observe directly what sort of data is being exchanged, and with whom (we will learn to do this in Chapter 4). One should be especially suspicious of encrypted data shuttling back and forth between their computers and some Internet marketing outfit. It’s also wise to seek an open-source P2P application so that no secret functions can be hidden in the code. When choosing any open-source product, always look for the availability of source-code packages. Many P2P developers like to call their products “open,” a marketing label with no more meaning than any other PR copywriter’s phrase, such as “all natural.” Unless the source-code files are available so that you can build the application yourself, it is not open source.

This chapter is from Computer Security for the Home and Small Office by Thomas C. Greene (Apress, 2004, ISBN: 1590593162).
