Video Screencast Help
Security Response

Why didn't I think of that?!

Created: 20 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:55:54 GMT
Patrick Fitzgerald's picture
0 0 Votes
Login to vote

Many of the new threats seen today aren’t advancements in their own right; rather, they just take advantage of advancements in technology. For example, VBScript enables programs to be written quickly, but also makes writing malware extremely easy. Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This was a mass-mailing worm that ultimately ended up causing millions of dollars worth of damage because of crashed servers, not to mention the punitive damages caused by files being overwritten. While VBScripts gave administrators the ability to perform more robust tasks via scripting, developers need to be aware of the possible detrimental effects of these new technologies. For example, after VBS worms became widespread, Microsoft forced user consent before a script could harness Microsoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful to some malware writers. The advent of NTFS brought with it the ADS (alternate data stream). The feature was intended to be used to store extra information about files. The problem is, anything stored in an ADS is hidden from the user, and specialized tools are required to display these hidden streams. This technology has given malware authors a simple method of stealth to use with their code on a target system.

A recent threat uses another file system feature, called EFS (encrypted file system). This allows a user to encrypt any sensitive data that they may have on their system. The threat encrypts itself on disk using the EFS feature. This encrypted file can even be run on the host system despite being encrypted, but can’t be seen by the Administrator nor the System account, which will thwart traditional antivirus programs.

History is littered with examples of great technologies being used for purposes for which they were never intended. New technology is created all the time, but development lifecycles rarely go through a process of determining the attack surface of the technology. We don’t want to stifle innovation, but at the same time the Internet isn’t only filled with altruistic users; so, developers need to think about their new technologies from a black hat perspective to try to avoid their unintended (or intended) misuse.