How Malware Actually Infects the Computer

People know that phishing lets hackers invade computers using drive by downloads. But how does this actually work? Let’s look at one example.

Recently Microsoft released this security advisory:

* Microsoft Security Advisory (2934088)
– Title: Vulnerability in Internet Explorer Could Allow
Remote Code Execution
– Revision Note: V2.0 (March 11, 2014): Advisory updated to
reflect publication of security bulletin.

Fireye wrote a detailed security analysis of it here. Reading that and the blog posts mentioned there, one can gain a deeper understanding of how malware is able to bypass anti-virus software.

The analysis says that hackers were able to modify a web page on the US Department of Veterans Affairs web site (They don’t explain how they did that.) to load the hackers page. That page uses JavaScript to instantiate an Abobe Flash object and call one of its method to exploit a weakness in Internet Explorer version 10.

The attack works by modifying the memory addressed by Flash to insert its own instructions there. It works something like this:

Strings in memory are terminated by the NULL character. So the word “word” is stored in memory as “word\0” where “\0” is the NULL character that terminates the string. So if in memory we have:


And we change the “\0” to something else, say a space, then we have gained access to the memory that was to the right of the “\0”. In particular it now says:

“left right\0”

and we have access to the space reserved for “right\0”.

All of this has to work inside the program, since the program cannot address space not allocated to it. This means the hacker has to use the, in this case, the Adobe Flash object and its methods to corrupt memory, because Javascript running inside the browser would not be able to do that directly.

A similar approach to corrupting memory is to change the size of a vector. For example, suppose a program declares a vector of size 10 to contain 10 Employee objects, like this: vector employees(10). Then the computer sets aside space to contain 10 objects of size sizeof(Employees). In memory that number “10” can be changed to say, “15,” thus giving the hacker access to 5 * sizeof(Employees) bytes where they can read or write data.

Microsoft ASLR (Address Space Layout Randomization) is a technique designed to foil this type of attack. What that does is replace writing blocks of memory in contiguous fashion (i.e. one right next to the other) with using random addresses to store data instead. That way the hacker cannot assume, for example, that the memory space for the “\0” in “word\0” is right next to “word.” So it is harder to find the memory addresses used by a running program.

Having gained access to additional memory, the program looks to see what .dlls are loaded into memory. It then searches for older .dlls that are part of Microsoft’s Visual C++ runtime that were compiled without ASLR protection. Then it changes a function pointer in the program to execute that other .dll, which lacks the ASLR memory-corruption protection. Because it lacks ASLR, it can be exploited.

Having gained access to the machine’s memory, the virus then downloads a file which is a JPG image in the front and an executable program at the end.

There are two ways to fix this zero-day exploit. One is to upgrade to IE 11. The other is to install Microsoft’s Experience Mitigation Toolkit (EMET) so that non-ASLR .dlls are forced to adhere to the ASLR rules.