Malicious mobile code is a new term to describe all sorts of destructive programs: viruses, worms, Trojans, and rogue Internet content. Until fairly recently, experts worried mostly about computer viruses that spread only through executable files, not data files, and certainly not through email exchange. The Melissa virus and the Love Bug proved the experts wrong, attacking Windows computers when recipients did nothing more than open an email. Today, writing programs is easier than ever, and so is writing malicious code. The idea that someone could write malicious code and spread it to 60 million computers in a matter of hours is no longer a fantasy.The good news is that there are effective ways to thwart Windows malicious code attacks, and author Roger Grimes maps them out in Malicious Mobile Code: Virus Protection for Windows. His opening chapter on the history of malicious code and the multi-million dollar anti-virus industry sets the stage for a comprehensive rundown on today's viruses and the nuts and bolts of protecting a system from them. He ranges through the best ways to configure Windows for maximum protection, what a DOS virus can and can't do, what today's biggest threats are, and other important and frequently surprising information. For example, how many people know that joining a chat discussion can turn one's entire computer system into an open book? Malicious Mobile Code delivers the strategies, tips, and tricks to secure a system against attack. It covers:
- The current state of the malicious code writing and cracker community
- How malicious code works, what types there are, and what it can and cannot do
- Common anti-virus defenses, including anti-virus software
- How malicious code affects the various Windows operating systems, and how to recognize, remove, and prevent it
- Macro viruses affecting MS Word, MS Excel, and VBScript
- Java applets and ActiveX controls
- Enterprise-wide malicious code protection
- The future of malicious mobile code and how to combat such code
|Publisher:||O'Reilly Media, Incorporated|
|Edition description:||1 ED|
|Product dimensions:||7.00(w) x 9.19(h) x 1.04(d)|
About the Author
Roger A. Grimes (CPA, CISSP, CEH, MCSE: Security) is a 19-year Windows security veteran with 6 books and over 150 national magazine articles on the subject. Roger is a 3-time Microsoft MVP in Windows Security (and MVP of the Month in December 2005). He participated in the Microsoft Windows Server 2003 Learning curriculum and was an Early Achiever of theWindows Server 2003 MSCE: Security desination. Roger has written advanced Windows security courses for Microsoft, Foundstone, and SANS.
Read an Excerpt
Chapter 11: Malicious ActiveX Controls
ActiveX is considered by many to be Microsoft's answer to Sun's Java language, but it is much more than that. Chapter 11 discusses ActiveX, digital signing, and Microsoft's Authenticode security program.
Unlike Java, there isn't an ActiveX programming language. Instead, ActiveX is a Microsoft platform initiative grouping software development tools that allow Windows programs to work across networks. Initially code-named "Sweeper", the ActiveX architecture was formally announced at a San Francisco Developer's Conference in early 1996, as Microsoft's way to address the booming Internet programming market. At that conference, a slew of new tools were announced in support of ActiveX, including- VBScript, the OLE Scripting Service, new APIs, Microsoft-developed Internet protocols, and ActiveX controls. Microsoft released these new tools as part of its ActiveX Software Development Kit (SDK). ActiveX is an extension of Microsoft's 32-bit Windows API and Component Object Model (COM) models, and is now covered under the umbrella of the Distributed COM (DCOM) architecture. DCOM encompasses all programming tools that allow a Windows client to use a server program over a network. This distributed programming architecture is eventually culminating in Microsoft's .NET initiative (covered in Chapter 15).
Although began as a reactionary response to competitive pressures, ActiveX is really just a natural evolution of Microsoft API's allowing data to be shared between applications. Microsoft's Object Linking and Embedding (OLE) technology allows users to place data objects from one application into another, something DOS couldn't do. The first versions of OLE allowed users to copy data objects from one program to another. For example, a graphic chart could be copied from a spreadsheet into a word processor. The next phase of OLE allowed a linked object to "live" in another application. Now, a user could edit a chart in a word processor, and with an OLE link to a spreadsheet have the changes made in one automatically reflected in the other. ActiveX extends the functionality and allows, not just the data, but the entire application to be shared across the Internet.
Today, you can save a spreadsheet or document directly to the Web, or allow multiple users flung far across the Internet to make changes to a document you created. Objects, pictures, even sound files, can be linked from their distributed locations onto one page. ActiveX includes all the tools and methods to allow programmers to distribute their applications across the web into user's desktops.
TIP: ActiveX programs can be installed, used, and executed by hundreds of applications, including Microsoft's Outlook, Outlook Express, and Office product lines. Throughout this chapter, I will be discussing ActiveX as it runs within a browser, even when I often mean to include other applications within the context of the discussion.
An ActiveX control is an executable program that can be automatically delivered over the Internet where it usually runs within a browser. Contrasted against Java applets which are created in their own special language, ActiveX controls can be written in many different languages, including: C++, Visual Basic, Visual C++, Delphi, Powersoft, Java, C-Sharp (C#) and Visual J++. And because ActiveX controls are based on the OLE specification, controls written in one language can be re-used within controls written in another language. ActiveX controls are compiled into fast 32-bit machine language for Windows platforms. This means they can run only on systems that work with the WIN32 API and lose the portability advantaged gained by Java.
Since ActiveX controls are compiled programs originating from a variety of programming languages, they aren't limited to a basic set of routines. Besides being able to jazz up web pages and build sophisticated user forms, ActiveX controls can be any program they want to be. Complete spreadsheet and database programs are no problem. Local disk systems can be manipulated, connections can be established to other computers and networks, files transferred, and all invisible to the user. It is this feature-rich, openness that worries security experts. Every type of malicious code exploit that can be attempted with viruses, worms, and trojans, can be accomplished with ActiveX.
When you accept a control for the first time, the control is downloaded to your computer and the appropriate registry entries are created. Controls are registered in the
HKEY_CLASSES_ROOT\CLSID subkey, and can also be found in
HKEY_LM\Software\Classes. ActiveX controls usually have the file extension, .OCX, which stands for OLE Control. The typical Windows system has dozens of controls installed. Most are located in C:\%windir%\SYSTEM and C:\%windir%\Program Files\Common Files\Microsoft Shared, if you have MS-Office installed. Controls downloaded and installed by Internet Explorer are usually located at C:\%windir%\Download Program Files.
TIP: Files in C:\%windir%\Download Program Files are specifically concealed by the newer versions of Windows and will not show up with a File Find or DIR command. But you can use Windows Explorer or the DOS Change Directory and find the hidden subdirectory.
TIP: Internet Explorer 3.x stores ActiveX controls in C:\%windir%\OCCACHE.
Safe for scripting and initializing
ActiveX controls can be defined as Safe for Scripting and Safe for Initialization by the software publisher. By designating the control as safe, the vendor is saying that the control cannot be used maliciously and is safe to be manipulated by other scripting languages. Safe for Initialization means that no matter what values are passed to the control during its startup, it cannot do damage to a user's system. Safe for Scripting means that the control cannot be used maliciously no matter how its manipulated. Although each control has two safety settings, most of the popular press focuses on the Safe for Scripting moniker, even though they are referring to both. Controls that can create, read, or write files, or write to the registry are not considered explicitly safe, unless their actions are predetermined and specific.
Without this predefined safety check, a seemingly innocuous program could easily be used to do harm that the original publisher (programmer) did not intend. For example, a control could be made to function as a popup word processor that a user could write with and save notes. If marked Safe For Scripting, a malicious web page might be able to load the control, create and save new files, and use it to overwrite the user's startup files. There is much discussion within the security industry over this controversial setting. Particularly, how does a vendor guarantee his control to be bug free and not susceptible to maliciousness from other programs? There is no standard way for a vendor to test the safety of their code. As we will see later, it's difficult for a vendor to consider all the possibilities of their program's interactions.
Safe for Scripting or Initialization does not mean the control is safe for use. There might be a control that scrambles and deletes all your files when you execute it. As long as the result was not implemented by a script or initiated during startup by an unintended third party, it could still qualify for the Safe for Scripting setting. Obviously, this control would not be safe to have on your computer.
Differences between ActiveX and Java
ActiveX is often thought of as a Microsoft Java-clone. It isn't. Without the common goal of being optimized for Internet component-downloading, the two platforms don't share much in common. Here are some key differences.
- An ActiveX object is compiled, not interpreted. This means ActiveX programs can run extremely fast as compared to Java programs.
- ActiveX controls can be made with many different languages. Java applets can only be made by Java.
- ActiveX controls can do more than Java applets.
- ActiveX doesn't have the platform independence of Java.
- ActiveX controls only work in Microsoft's Internet Explorer browser (or with Netscape's browser with an ActiveX plug-in).
- With ActiveX there is no difference between the security rights given local or remote programs.
Web developers include an <OBJECT> tag within their HMTL page (see Example 11-1) to automatically download a control to the browser, much as with a Java applet. The ID field defines the name used by any related scripting language that presents the control. The CLASSID is a globally unique identifier used to identify the control (something you'll need to become comfortable with to locate a specific control on your machine) and the CODEBASE contains file identification information (minimum version and location). HEIGHT and WIDTH tell the browser how many pixels tall and wide to make the displayed control. Other custom startup parameters, such as the background color, can be passed to the control as it starts....
Table of Contents
- Chapter 1: Introduction
- Chapter 2: DOS Computer Viruses
- Chapter 3: Windows Technologies
- Chapter 4: Viruses in a Windows World
- Chapter 5: Macro Viruses
- Chapter 6: Trojans and Worms
- Chapter 7: Instant Messaging Attacks
- Chapter 8: Internet Browser Technologies
- Chapter 9: Internet Browser Attacks
- Chapter 10: Malicious Java Applets
- Chapter 11: Malicious ActiveX Controls
- Chapter 12: Email Attacks
- Chapter 13: Hoax Viruses
- Chapter 14: Defense
- Chapter 15: The Future
Most Helpful Customer Reviews
Roger Grimes book is a great desktop reference and field recovery resource book. Using it will save users and administrators who deal with malicious code from wasting critical time and money during resolution of malicious code problems. The author's unmatched writing approach has easy to follow and implement steps for anyone (user or administrator) who needs to diagnose and recover from a malicious mobile code infection. The book also has up to date step by step configuration recommendations for protecting operating systems and applications. And the best part is that the author understands the criticality of recovering data and clearly explains the field proven methods that give you the best chance of successfully recovering your data, applications and operating system files that have been affected by malicious code. When you need to understand malicious mobile code this is THE book to have, I don't call on a client or provide remote incident assistance without it.
I like to think of myself as being fairly knowledgeable about what to look for regarding viruses, Trojans, worms, etc. However, I had no idea before reading this book how widespread all of these different malicious programs were and how they can infect any type of operating system or programming language. While Visual Basic Script may be the 'language of choice' for malicious code writers, viruses can appear with any language or in any form. This book takes an excellent look at various types of malicious programs, and the environments in which they appear. Ranging from DOS to Windows, HTML, Java, ActiveX, even macro viruses, it would seem no system is safe. And that's another way this book is an excellent reference. Not only does it describe in various chapters how a virus, worm or Trojan exists, it also gives examples of them and what to do in case your PC gets infected. Something else I liked about this book was its description of the various 'computer environments' (like DOS, HTML, Java, etc) and how malicious programmers can manipulate them to create potential disasters for your PC. No one is truly safe against malicious programmers and this book offers great advice on defending yourself against them.