Why do we get infected...

What's the golden rule for staying away from viruses? What do you do to make
sure you don't get infected? Don't install software from untrusted
sources, run antivirus, don't execute attachments unless they come from a
trusted source and have been scanned by antivirus, etc.? Do you think
this will ensure that you never get infected? The answer is no!

I personally don't prefer running antivirus on my machine. It makes your
system crawlingly slow. But when you are running Windows, you have to make
sure you run one. Ever wondered how these viruses get into your system?
Most of them get in through vulnerabilities in software. A vulnerability
is a bug in software that an attacker can take advantage of.
Vulnerabilities are far more dangerous when they can be exploited
remotely. They come in many kinds, but the most dangerous are the ones
that let an attacker execute code on the target machine by exploiting
them over the network. One major category of remotely exploitable
vulnerability is the "buffer overrun".

A buffer overrun is a bug in which you allocate a buffer (a fixed-size
region of memory) and, while filling it, forget to check its bounds, so
the data written runs past the end of the buffer and overwrites whatever
lies beyond it. The matter is made worse when the buffer is used to store
something externally provided, that is, input the user (or an attacker)
feeds to the software: if the attacker controls both the length and the
content of what is written, they can overwrite control data such as a
saved return address and make the program execute arbitrary code on the
system running it. A detailed description of how stack-based buffer
overruns work can be found in the classic Phrack article "Smashing the
Stack for Fun and Profit" by Aleph One (Phrack 49).
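As an added example, not code from the original post, here is the bug in its smallest form in C, beside the bounds check it is missing. The buffer size NAME_LEN, the function names and the sample inputs are assumptions made for illustration; the unchecked version is only ever called with an input that fits, since actually overrunning the stack is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size for this example */

/* Vulnerable pattern: the buffer is fixed-size, the input is attacker
 * supplied, and nothing checks that the input fits. strcpy keeps writing
 * until it finds a NUL, so an input longer than NAME_LEN-1 bytes runs past
 * the end of `name` into whatever follows it on the stack (saved registers,
 * the saved return address). Only call this with input that fits. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check */
    printf("hello, %s\n", name);
}

/* The same function with the bounds check the vulnerable one forgot.
 * Returns 0 if the input fit and -1 if it was rejected. Truncating would
 * also be a valid policy; rejecting makes the hostile input visible. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    size_t n = strlen(input);
    if (n >= sizeof name)           /* need room for the terminating NUL */
        return -1;
    memcpy(name, input, n + 1);     /* length is now known to fit */
    printf("hello, %s\n", name);
    return 0;
}

/* How many bytes the unchecked copy would write past the end of a NAME_LEN
 * buffer for a given input (0 when the input, plus its NUL, fits). */
size_t overflow_bytes(const char *input)
{
    size_t needed = strlen(input) + 1;
    return needed > NAME_LEN ? needed - NAME_LEN : 0;
}

int main(void)
{
    /* Constructed inputs: the second is the shape of what a crafted file
     * or packet carries, here 32 bytes against a 16-byte buffer. */
    const char *benign  = "alice";
    const char *hostile = "0123456789ABCDEF0123456789ABCDEF";

    greet_unchecked(benign);
    printf("unchecked copy of hostile input would overflow by %zu bytes\n",
           overflow_bytes(hostile));
    if (greet_checked(hostile) < 0)
        printf("rejected: %zu bytes does not fit in %d\n",
               strlen(hostile), NAME_LEN);
    return 0;
}
```

The checked version is not clever; it simply measures the input before copying it, which is the step the vulnerable one skips. Note that the check is `n >= sizeof name`, not `n > sizeof name`: forgetting the terminating NUL is the classic off-by-one that turns a "fixed" function back into an overrun of a single byte.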

Buffer overruns are a very common error to make while coding in C or
C++, because neither language checks array bounds for you. Perhaps 90% of
such errors are exploitable, and if one is remotely exploitable, a worm
targeting that vulnerability is sure to follow. Buffer overruns are
scarier than that, though! So, what are the things that can get you
infected?

You try to view an image a friend sent you. The image was specially
crafted to exploit a bug in your JPEG rendering engine. You get infected.

You try to open a short movie clip you downloaded from a server. The
movie exploits a bug in one of your movie player's codecs. You get
infected.

You visit a web page that exploits a JavaScript vulnerability in your
browser. You get infected.

You play safe, disable JavaScript and visit a web page; the page exploits
a vulnerability in the HTML rendering engine instead. You get infected.

Worst of all: you plug in your network cable, and an attacker sends you a
crafted packet that exploits a vulnerability in your kernel's networking
code. You never clicked anything. You get infected.

Whatever you do, you cannot make sure you don't get infected. But
prevention is still better than cure! Either run an antivirus or don't
use Windows :D


Anonymous said...

Nice post, Kalpak. I believe there is software that maintains an MD5 checksum of all your executables. If an exploit succeeds in infecting a library or executable, the change will be flagged by the software.


Kalpak said...

Yes Parag, but not all viruses infect (modify the contents of) binaries. They just use the vulnerabilities to execute code and drop a copy of the virus there. They also provide auto-entry points for viruses, like adding them as a startup item in Windows so that they execute every time you start Windows. And checking the MD5 hash of all the files on the system, even once in a while, is something I would never like to do, because it will always be heavily time- and resource-consuming.