2.4. Understanding Software Exploitation

The term software exploitation refers to attacks launched against applications and higher-level services. They include gaining access to data using weaknesses in the data access objects of a database or a flaw in a service. This section briefly outlines common exploitations that have been successful in the past. The following exploitations can be introduced using viruses, as in the case of the Klez32 virus, or by using access attacks described earlier in this chapter:


Database exploitation

Many database products allow sophisticated access queries to be made in the client/server environment. If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information. For this attack to be successful, the attacker must first gain access to the environment through one of the attacks outlined previously.


Application exploitation

The macro virus is another example of software exploitation. A macro virus is a set of programming instructions in a language such as VBScript that commands an application to perform illicit actions. Users want more powerful tools, and manufacturers want to sell users what they want. The macro virus takes advantage of the power offered by word processors, spreadsheets, or other applications. This exploitation is inherent in the product, and all users are susceptible to it unless they disable all macros.


E-mail exploitation

Hardly a day goes by without another e-mail virus being reported. This is a result of a weakness in many common e-mail clients. Modern e-mail clients offer many shortcuts, lists, and other capabilities to meet user demands. A popular exploitation of e-mail clients involves accessing the client address book and propagating viruses. There is virtually nothing a client user can do about these exploitations, although antivirus software that integrates with your e-mail client does offer some protection. To be truly successful, the software manufacturer must fix the weaknesses—an example is Outlook's option to protect against access to the address book. This type of weakness isn't a bug, in many cases, but a feature that users wanted.

Teach users to exercise discretion when opening any e-mail attachment.



Spyware

Spyware differs from other malware in that it works—often actively—on behalf of a third party. Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it. The users often do not know they have asked for it, but have acquired it by downloading other programs, visiting infected sites, and so on.

The spyware program monitors the user's activity and responds by offering unsolicited pop-up advertisements (sometimes known as adware), gathers information about the user to pass on to marketers, or intercepts personal data such as credit card numbers. One thing separating spyware from most other malware is that it almost always exists to provide commercial gain. The operating systems from Microsoft are the ones most affected by spyware, and Microsoft has released Microsoft AntiSpyware to combat the problem.

New Attacks on the Way

The discussion of attacks in this section isn't comprehensive. New methods are being developed even as you read this book. Your first challenge in these situations is to recognize that you're fighting the battle on two fronts.

The first front involves the inherent open nature of TCP/IP and its protocol suite. TCP/IP is a robust and rich environment. This richness allows many opportunities to exploit the vulnerabilities of the protocol suite. The second front of this battle involves the implementation of TCP/IP by various vendors. A weak TCP/IP implementation will be susceptible to all forms of attacks, and there is little you'll be able to do about it except to complain to the software manufacturer. Fortunately, most of the credible manufacturers are now taking these complaints seriously and doing what they can to close the holes they have created in your systems. Keep your updates current because this is where most of the corrections for security problems are implemented.


Rootkits

Recently, rootkits have become the software exploitation program du jour. Rootkits are software programs that have the ability to hide certain things from the operating system. With a rootkit, there may be a number of processes running on a system that do not show up in Task Manager or connections established or available that do not appear in a netstat display—the rootkit masks the presence of these items. The rootkit is able to do this by manipulating function calls to the operating system and filtering out information that would normally appear.

Unfortunately, many rootkits are written to get around antivirus and antispyware programs that are not kept up-to-date. The best defense you have is to monitor what your system is doing and catch the rootkit in the process of installation.

As these new threats have developed, so have some excellent programs for countering them. A search engine will turn up rootkit analyzers for your system, including Spybot, Spyware Doctor, and AdAware.


One of the most important measures you can take to proactively combat software attacks is to know common file extensions and the applications they're associated with. For example, the .scr filename extension is used for screensavers, and viruses are often distributed through the use of these files. No legitimate user should be sending screensavers via e-mail to your users, and all attachments with the .scr filename extension should be banned from entering the network.

Table 2.3, while not comprehensive, contains the most common filename extensions for files that should and should not, as a general rule, be allowed into the network as e-mail attachments.

Table 2.3. Common Filename Extensions for E-mail Attachments

Should Be Allowed    Should Not Be Allowed
.doc                 .bat
.pdf                 .com
.txt                 .exe
.xls                 .hlp
.zip                 .pif
                     .scr
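The following is an added example, not code from the book, that turns Table 2.3 into an attachment check a mail gateway could apply. It parses a constructed sample message with Python's standard email package and classifies each attachment by its final filename extension; the ALLOWED and DENIED sets come from the table, while the classify() and check_message() helpers, the "review" verdict for unlisted types, and the sample message are assumptions of this example.

```python
"""Attachment policy check built from Table 2.3 (added example, not the book's code)."""
from email import message_from_string
from email.message import Message

# Extensions taken from Table 2.3.  Anything not listed gets "review" so that
# an unknown type is never silently allowed in.
ALLOWED = {".doc", ".pdf", ".txt", ".xls", ".zip"}
DENIED = {".bat", ".com", ".exe", ".hlp", ".pif", ".scr"}


def final_extension(filename: str) -> str:
    """Return the lower-cased final extension of a filename.

    Only the last suffix counts: 'report.doc.scr' is a screensaver no matter
    what the earlier '.doc' suggests.  Trailing spaces and dots are stripped
    first because Windows ignores them when it opens the file.
    """
    name = filename.strip().rstrip(". ")
    dot = name.rfind(".")
    if dot <= 0:  # no extension at all, or a dotfile such as ".bashrc"
        return ""
    return name[dot:].lower()


def classify(filename: str) -> str:
    """Map a filename to 'allow', 'deny' or 'review' according to Table 2.3."""
    ext = final_extension(filename)
    if ext in DENIED:
        return "deny"
    if ext in ALLOWED:
        return "allow"
    return "review"


def attachment_names(msg: Message):
    """Yield the filename of every non-multipart part that carries one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name


def check_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return {attachment filename: verdict}."""
    msg = message_from_string(raw)
    return {name: classify(name) for name in attachment_names(msg)}


# Constructed sample message (hypothetical addresses and content): one
# legitimate PDF, one screensaver disguised with a double extension, and one
# type the table does not list.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: user@example.test
Subject: Q3 figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/pdf; name="figures.PDF"
Content-Disposition: attachment; filename="figures.PDF"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="figures.doc.scr"
Content-Transfer-Encoding: base64

c2NyZWVuc2F2ZXI=
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.rtf"
Content-Transfer-Encoding: base64

e1xydGYxfQ==
--BOUNDARY--
"""

if __name__ == "__main__":
    for name, verdict in check_message(SAMPLE_MESSAGE).items():
        print(f"{verdict:6} {name}")
```

The check deliberately looks only at the final extension and normalizes case and trailing punctuation, since those are the cheap tricks used to slip a .scr past a naive string match. It is a coarse first filter: .zip is on the allowed list, yet an archive can carry any of the denied types, so a gateway that relies on this table should also open archives and apply the same verdicts to their members.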
