CWE-506 Detail

CWE-506

Embedded Malicious Code
Incomplete
2006-07-19
00h00 +00:00
2024-07-16
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Embedded Malicious Code

The product contains code that appears to be malicious in nature.

CWE Description

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

General Informations

Modes Of Introduction

Implementation
Bundling
Distribution
Installation

Common Consequences

Scope Impact Likelihood
Confidentiality
Integrity
Availability
Execute Unauthorized Code or Commands

Observed Examples

References Description

CVE-2022-30877

A command history tool was shipped with a code-execution backdoor inserted by a malicious party.

Potential Mitigations

Phases : Testing
Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

Detection Methods

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
  • Generated Code Inspection

Effectiveness : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Automated Monitored Execution

Effectiveness : SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Manual Source Code Review (not inspections)

Effectiveness : SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:
  • Origin Analysis

Effectiveness : SOAR Partial

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

Related Attack Patterns

CAPEC-ID Attack Pattern Name
CAPEC-442 Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.
CAPEC-448 Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.
CAPEC-636 Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

NotesNotes

The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson [18] to characterize a particular computer security threat; it has been redefined many times [4,18-20].

References

REF-1431

A Taxonomy of Computer Program Security Flaws, with Examples
Carl E. Landwehr, Alan R. Bull, John P. McDermott, William S. Choi.
https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf

Submission

Name Organization Date Date release Version
Landwehr 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modifications

Name Organization Date Comment
Sean Eidemiller Cigital 2008-07-01 +00:00 added/updated demonstrative examples
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2008-09-08 +00:00 updated Description, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-10-29 +00:00 updated Description, Other_Notes
CWE Content Team MITRE 2010-09-27 +00:00 updated Other_Notes, Terminology_Notes
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2013-02-21 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors
CWE Content Team MITRE 2017-11-08 +00:00 updated Demonstrative_Examples, Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Time_of_Introduction
CWE Content Team MITRE 2022-04-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Related_Attack_Patterns
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated References