Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrade.
Please accept our apologies in advance for any inconvenience this might cause.

Why didn't I think of that?!

Created: 20 Oct 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:55:56 GMT
Patrick Fitzgerald's picture
+1 1 Vote
Login to vote

Many of the new threats seen today aren’tadvancements in their own right; rather, they just take advantage ofadvancements in technology. For example, VBScript enables programs tobe written quickly, but also makes writing malware extremely easy.Remember VBS.LoveLetter, also known as the “I-Love-You” worm? This wasa mass-mailing worm that ultimately ended up causing millions ofdollars worth of damage because of crashed servers, not to mention thepunitive damages caused by files being overwritten. While VBScriptsgave administrators the ability to perform more robust tasks viascripting, developers need to be aware of the possible detrimentaleffects of these new technologies. For example, after VBS worms becamewidespread, Microsoft forced user consent before a script could harnessMicrosoft Outlook to send itself, thereby neutering that attack vector.

Another seemingly innocuous feature has been extremely useful tosome malware writers. The advent of NTFS brought with it the ADS(alternate data stream). The feature was intended to be used to storeextra information about files. The problem is, anything stored in anADS is hidden from the user, and specialized tools are required todisplay these hidden streams. This technology has given malware authorsa simple method of stealth to use with their code on a target system.

A recent threat uses another file system feature, called EFS(encrypted file system). This allows a user to encrypt any sensitivedata that they may have on their system. The threat encrypts itself ondisk using the EFS feature. This encrypted file can even be run on thehost system despite being encrypted, but can’t be seen by theAdministrator nor the System account, which will thwart traditionalantivirus programs.

History is littered with examples of great technologies being usedfor purposes for which they were never intended. New technology iscreated all the time, but development lifecycles rarely go through aprocess of determining the attack surface of the technology. We don’twant to stifle innovation, but at the same time the Internet isn’t onlyfilled with altruistic users; so, developers need to think about theirnew technologies from a black hat perspective to try to avoid theirunintended (or intended) misuse.