CVSS 4.3 – Evaluating the Common Vulnerability Scenario
The CVSS is an acronym for “Computer Virus Style Shadow Security”. CVSS stands for a CVSS worm, which injects random numbers into the executable files. CVSS worm infections are used by several DDoS attackers to cause massive denial of service to targeted websites. The CVSS worm can infect any executable file and is usually hidden inside a legitimate executable file such as a DLL or a shared library.
The CVSS is typically executed when a user opens an e-mail attachment that might have a virus attached to it. CVSS worms often have multiple payloads that execute other malicious software. The worm first modifies the attached file to bypass security measures commonly known as “security bridges”, or simply put, rules which allow software to communicate with one another on the internet without fear of a security breach. Then the worm copies itself into the user’s computer, where it resides and continues to work its way through multiple layers of security until it reaches the targeted program, ultimately leading to the creation of exploitable holes in the system.
While this is a pretty sophisticated attack on a vulnerable server, it is not highly technical in nature. There are many common types of attacks on networked systems that are less sophisticated and thus more easily blocked by modern anti-malware vendors than a DDoS attack on a single server. Many people associate the concept of a CVSS worm with phishing scams, or other techniques used to obtain private information. In reality, there are several real world ways that a CVSS injection point can lead to an infestation.
These countermeasures are designed to prevent the attacker from exploiting the vulnerability in the network. Common countermeasures include firewall or network protection. Other countermeasures include preventing the infected files from loading, or manually removing the infected XMPP messages. The vulnificator typically modifies the existing XMPP messages or creates new message formats that can be injected into the affected server.
After the vulnificator has found a vulnerability, the next step is to find any command injection points or other vulnerable areas of the server. A “worm” is used to locate these injection points. The vulnificator connects to the server behind a “sock” and executes a series of PHP commands in the background.
Once the vulnificator has found injection points, he/she implants the malicious code into the server. Typically, the vulnificator will use a “meter” program to determine the amount of time it takes to inject the code into the server. Once the code has been placed, the vulnificator redirects the user to another page. Most common attack pages are gaming sites. It should be noted that while this type of attack can work against any application that uses the PHP programming language, some common attack pages include casino sites, adult websites, and social networking sites.
CVSS is an industry-standard classification used by many security firms to determine the level of risk associated with a particular server. There are several versions of CVSS, including Simple, Evolved, Enterprise and Advanced CVSS. Simple CVSS allows for a simple list of errors/crashes, while Advanced CVSS includes more detailed information about what kind of attacks may be possible. Simple CVSS lets you manually examine the errors/crash problems on the current server, while Advanced CVSS allows for the viewing of attack logs, patches applied and other details needed for successful attacks. CVSS is a very important and valuable metric in today’s web security environment.