CWE-506
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Embedded Malicious Code
The product contains code that appears to be malicious in nature.
CWE Description
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
General Informations
Modes Of Introduction
ImplementationBundling
Distribution
Installation
Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Confidentiality Integrity Availability | Execute Unauthorized Code or Commands |
Observed Examples
| References | Description |
|---|---|
CVE-2022-30877 | A command history tool was shipped with a code-execution backdoor inserted by a malicious party. |
Potential Mitigations
Phases : TestingRemove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.
Detection Methods
Manual Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
- Generated Code Inspection
Effectiveness : SOAR Partial
Dynamic Analysis with Manual Results Interpretation
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Automated Monitored Execution
Effectiveness : SOAR Partial
Manual Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Manual Source Code Review (not inspections)
Effectiveness : SOAR Partial
Automated Static Analysis
According to SOAR, the following detection techniques may be useful:
Cost effective for partial coverage:
- Origin Analysis
Effectiveness : SOAR Partial
Vulnerability Mapping Notes
Justification : This CWE entry is a Class and might have Base-level children that would be more appropriateComment : Examine children of this entry to see if there is a better fit
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-442 | Infected Software An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain. |
| CAPEC-448 | Embed Virus into DLL An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop. |
| CAPEC-636 | Hiding Malicious Data or Code within Files Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover. |
NotesNotes
The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].References
REF-1431
A Taxonomy of Computer Program Security Flaws, with ExamplesCarl E. Landwehr, Alan R. Bull, John P. McDermott, William S. Choi.
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| Landwehr | Draft 3 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Sean Eidemiller | Cigital | added/updated demonstrative examples | |
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Description, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Other_Notes | |
| CWE Content Team | MITRE | updated Other_Notes, Terminology_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Potential_Mitigations | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Detection_Factors | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Description, Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples | |
| CWE Content Team | MITRE | updated References |
