What is a buffer overflow?A buffer overflow is one of the most fundamental concepts in computing security, exploits and hacking discourse. A buffer overflow can best be described as an anomaly where a process stores some kind of executable code or data in a buffer outside of the region of memory that a software engineer allocated for it. This prohibitively written-into space overwrites adjacent memory regions, which may contain other legitimately allocated data. This often results in erratic program runtime behaviour exemplified by odd memory performance, incorrect results on output and entire software/kernel crashes, which can lead to security flaws or exploits. The most common way to achieve a buffer overflow exploit is to write data into a location where there is no known bounds checking.
Second wave: Polymorphism and tools of the tradeThe coming of the second wave, as many experts consider it, started in 1990 with high virus activity and lower worm distribution. Technical complexity of viruses would go on to have a direct impact on the effectiveness and capabilities of worms. Viral activity leapt from MS-DOS to Windows and cross-platform macro virus activity was detected. Email infection became the mainstay of virus propagation towards 1995 and the concept of polymorphism came into being.
In the late 80s, end-to-end encryption was put to work for malicious code creation. The idea was that one could mask or scramble the ‘code signature' of a virus so that security software couldn't detect and delete it. The simplistic method used for detecting viruses of a known type was simple checksums. If the bit pattern was validated against a known sum, it'd be considered a virus, and deleted. When a virus learnt to maintain many bit patterns and unique global checksums as a result of encryption and decryption keys, it became very difficult for a virus scanner to make a decision about whether or not a file was indeed malicious. The concept of polymorphism took this a step further, making it possible for the virus to continually permute the body of the attacking code. This behaviour was first reported in Germany in 1989, though conjecture by several security response teams suggest it was reported as early as 1988 at Oxford University. The virus in question replicated by injecting a random number plucked from a typical host based <i>rand()</i> function into a byte generator.
Unfortunately, this meant that there was no commonality between any given infection, and if there could be, it would only result by the rand() function generating the same data.
The concept of the toolkit was gestating when, in 1992, a well known but tragically named hacker (Dark Avenger) authored a self-styled end user ‘Mutation Engine' allowing any user to plug in their own code to mutate their virus with limitless permutations. Pathogen, Queeg and SMEG (Simulated Metamorphic Encryption enGine) are among the most prevalent of these engines documented.
The ultimate achievement of the virus creators was the ‘Virus Creation Lab' that was an intuitive, user friendly GUI that allowed an end user to generate malicious binaries with no programming capabilities. This was exemplified in the mass media in 1991 by the Anna Kournikova virus. The harmless JPEG promising a provocatively dressed tennis star would turn up in an email, but when opened would run a Visual Basic macro, sending itself to every person in the hapless victim's MS Outlook address book. Shortly after this, Outlook got smart and MS went on the offense to prevent this kind of continual behaviour. Unsurprisingly, the general public got wise to it and macro virus attacks in email as the vector dwindled in popularity.
Issue: 137 | June, 2012