application program vulnerabilities that allow it to hide in a seemingly innocent
data packet. These are the vulnerabilities we discussed in Chapter 7, which can
be utilized by attackers in a variety of ways, but they’re most commonly used for
developing malicious worms. Another common infection method for modern
worms is e-mail. Mass mailing worms typically scan the user’s contact list and
mail themselves to every contact on such a list. It depends on the specific e-mail
program, but in most cases the recipient will have to manually open the infected
attachment in order for the worm to spread. Not so with vulnerability-based
attacks; these rarely require an end-user operation to penetrate a system.
Trojan Horses
I’m sure you’ve heard the story about the Trojan horse. The general idea is that
a Trojan horse is an innocent artifact openly delivered through the front door
when it in fact contains a malicious element hidden somewhere inside of it. In
the software world, this translates to seemingly innocent files that actually
contain some kind of malicious code underneath. Most Trojans are actually
functional programs, so that the user never becomes aware of the problem; the
functional element in the program works just fine, while the malicious element
works behind the user’s back to promote the attacker’s interests.
It’s really quite easy to go about hiding unwanted functionality inside a useful
program. The elegant way is to simply embed a malicious element inside
an otherwise benign program. The victim then receives the infected program,
launches it, and remains completely oblivious to the fact that the system has
been infected. The original application continues to operate normally to
eliminate any suspicion.
Another way to implement Trojans that is slightly less elegant (yet quite
effective) is by simply fooling users into believing that a file containing a
malicious program is really some kind of innocent file, such as a video clip or an
image. This is particularly easy under Windows, where file types are
determined by their extensions as opposed to actually examining their headers.
This means that a remarkably silly trick such as hiding the file’s real extension
after a couple of hundred spaces actually works. Consider the following file
name for example: “A Great Picture.jpg .exe”. Depending on the
program showing the file name, it might not have room to actually show this
whole thing, so it might appear something like “A Great Picture.jpg.. .”,
essentially hiding the fact that the file is really a program, and not a JPEG
picture. One problem with this trick is that Windows will still usually show an
application icon, but in some cases Windows will actually show an executable
program’s icon, if one is available. All one would have to do is simply create
an executable that has the default Windows picture icon as its program icon
and name it something similar to my example.
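As an added example (not from the book), the following Python script shows the defensive counterpart of this trick: a mail gateway or file scanner that classifies a file by its header bytes instead of trusting its name, and flags the name itself when it contains padding whitespace or a decoy image extension in front of an executable extension. The signature table is a small constructed subset of real formats, and the sample file names and byte strings are constructed; the padded name is the one from the text with the spaces restored.

```python
import re

# Constructed table of header signatures (a small subset of real formats).
# A Windows PE executable begins with the DOS stub "MZ".
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"MZ": "pe",
}

# What each extension claims the content to be (constructed mapping).
EXT_TO_KIND = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "exe": "pe", "scr": "pe", "dll": "pe", "com": "pe",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "dll", "com", "bat", "cmd", "pif"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its first bytes rather than by its name."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def real_extension(name: str) -> str:
    """The extension Windows actually acts on: the text after the last dot,
    with surrounding whitespace removed."""
    base = name.rstrip()
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip().lower()


def analyze(name: str, data: bytes) -> list:
    """Return the reasons a file looks deceptive; an empty list means none found."""
    findings = []
    ext = real_extension(name)
    kind = sniff_type(data)

    # 1. A run of padding spaces pushes the real extension out of a truncated listing.
    if re.search(r"\s{2,}", name):
        findings.append("name contains padding whitespace before its real extension")

    # 2. A decoy extension such as ".jpg" appearing before the real, executable one.
    inner = [t.strip().lower() for t in name.split(".")[1:-1]]
    decoys = [t for t in inner if t in IMAGE_EXTENSIONS]
    if decoys and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"decoy extension .{decoys[0]} in front of executable extension .{ext}")

    # 3. The header contradicts what the extension claims.
    claimed = EXT_TO_KIND.get(ext)
    if claimed and kind != "unknown" and kind != claimed:
        findings.append(f"header identifies {kind} but extension .{ext} claims {claimed}")

    return findings


if __name__ == "__main__":
    # Constructed samples: the padded name from the text carrying a PE header,
    # and an honest JPEG for comparison.
    padded = "A Great Picture.jpg" + " " * 200 + ".exe"
    pe_bytes = b"MZ\x90\x00" + b"\x00" * 60
    jpeg_bytes = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    for fname, blob in [(padded, pe_bytes), ("holiday.jpg", jpeg_bytes), ("holiday.jpg", pe_bytes)]:
        print(repr(fname[:30]), "->", analyze(fname, blob) or "clean")
```

The check works on file name and content only, so it runs the same whether the file arrives as an e-mail attachment or on disk; checking the header is what the text says Windows itself does not do.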
Reversing Malware 275