Malware
Encyclopedia
Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
es, worms
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, trojan horses
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
, spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
, dishonest adware
Adware
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during...
, scareware
Scareware
Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at...
, crimeware
Crimeware
Crimeware is a class of malware designed specifically to automate cybercrime. The term was coined by Peter Cassidy, Secretary General of the Anti-Phishing Working Group to distinguish it from other kinds of malevolent programs...
, most rootkit
Rootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
s, and other malicious and unwanted software or program. In law
Law
Law is a system of rules and guidelines which are enforced through social institutions to govern behavior, wherever possible. It shapes politics, economics and society in numerous ways and serves as a social mediator of relations between people. Contract law regulates everything from buying a bus...
, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S.
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
states, including California
California
California is a state located on the West Coast of the United States. It is by far the most populous U.S. state, and the third-largest by land area...
and West Virginia
West Virginia
West Virginia is a state in the Appalachian and Southeastern regions of the United States, bordered by Virginia to the southeast, Kentucky to the southwest, Ohio to the northwest, Pennsylvania to the northeast and Maryland to the east...
.
Preliminary results from Symantec
Symantec
Symantec Corporation is the largest maker of security software for computers. The company is headquartered in Mountain View, California, and is a Fortune 500 company and a member of the S&P 500 stock market index.-History:...
published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications." According to F-Secure
F-Secure
F-Secure Corporation is an anti-virus and computer security software company based in Helsinki, Finland. The company has 18 country offices and a presence in more than 100 countries, with Security Lab operations in Helsinki, Finland and in Kuala Lumpur, Malaysia...
, "As much malware [was] produced in 2007 as in the previous 20 years altogether." Malware's most common pathway from criminals to users is through the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
: primarily by e-mail and the World Wide Web
World Wide Web
The World Wide Web is a system of interlinked hypertext documents accessed via the Internet...
.
The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms (products) to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mindset for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers. The result is a greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.
On March 29, 2010, Symantec Corporation named Shaoxing
Shaoxing
Shaoxing is a prefecture-level city in northeastern Zhejiang province, People's Republic of China. Located on the south bank of the Qiantang River estuary, it borders Ningbo to the east, Taizhou to the southeast, Jinhua to the southwest, and Hangzhou to the west. It was once known as "越"...
, China, as the world's malware capital.
A 2011 study from the University of California, Berkeley, and the Madrid Institute for Advanced Studies published in Software Development Technologies, “Measuring Pay-per-Install: The Commoditization of Malware Distribution," examined how entrepreneurial hackers are helping enable the proliferation of malware by offering access for a price (from $7 to $180 per thousand infections) and make up an informal underground Pay-Per-Install (PPI) industry. The study's authors identified more than 57 malware “families," including spam bots, fake antivirus programs, information-stealing trojans, denial-of-service bots and adware. To avoid detection by anti-virus software, malware distributed by PPI services is on average repacked every 11 days, with one observed family of malware repacking up to twice a day. Although most common families of malware targeted both Europe and the United States, there were some families with a single-country focus and some families with no geographic bias. In terms of cost per thousand infections, the United States and Great Britain were at the high end ($100 to $180), other European countries at $20 to $160, and the rest of the world below $10, the study found.
Microsoft reported in May 2011 that every one in 14 downloads from the Internet may now contain malware code, according to the Wall Street Journal. Social media, and Facebook in particular, is seeing a rise in new tactics for spreading harm to computers.
Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs
Software bug
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's...
. Sometimes, malware is disguised as genuine software, and may come from an official site. Therefore, some security programs, such as McAfee may call malware "potentially unwanted programs" or "PUP". Though a computer virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
is malware that can reproduce itself, the term is often used erroneously to refer to the entire category.
Purposes
Many early infectious programs, including the first Internet Worm and a number of MS-DOSMS-DOS
MS-DOS is an operating system for x86-based personal computers. It was the most commonly used member of the DOS family of operating systems, and was the main operating system for IBM PC compatible personal computers during the 1980s to the mid 1990s, until it was gradually superseded by operating...
viruses, were written as experiments or pranks. They were generally intended to be harmless or merely annoying, rather than to cause serious damage to computer systems. In some cases, the perpetrator did not realize how much harm his or her creations would do. Young programmer
Programmer
A programmer, computer programmer or coder is someone who writes computer software. The term computer programmer can refer to a specialist in one area of computer programming or to a generalist who writes code for many kinds of software. One who practices or professes a formal approach to...
s learning about viruses and their techniques wrote them simply for practice, or to see how far they could spread. As late as 1999, widespread viruses such as the Melissa virus and the David virus appear to have been written chiefly as pranks. The first mobile phone virus
Mobile virus
A mobile virus is an electronic virus that targets mobile phones or wireless-enabled PDAs.As wireless phone and PDA networks become more numerous and more complex, it has become more difficult to secure them against electronic attacks in the form of viruses or other malicious software .-History:The...
, Cabir
Caribe (computer worm)
Cabir is the name of a computer worm developed in 2004 that is designed to infect mobile phones running Symbian OS. It is believed to be the first computer worm that can infect mobile phones...
, appeared in 2004.
Hostile intent related to vandalism
Vandalism
Vandalism is the behaviour attributed originally to the Vandals, by the Romans, in respect of culture: ruthless destruction or spoiling of anything beautiful or venerable...
can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
ExploreZip
ExploreZip
ExploreZip, also known as I-Worm.ZippedFiles, is a destructive computer worm which attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999.Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, or...
worm, were designed to destroy files on a hard disk
Hard disk
A hard disk drive is a non-volatile, random access digital magnetic data storage device. It features rotating rigid platters on a motor-driven spindle within a protective enclosure. Data is magnetically read from and written to the platter by read/write heads that float on a film of air above the...
, or to corrupt the file system by writing invalid data to them. Network-borne worms such as the 2001 Code Red worm or the Ramen worm
Ramen worm
The Ramen worm, also referred to as the "Ramen virus", was a worm that spread in January 2001, targeting systems running versions 6.2 and 7.0 of the Red Hat Linux distribution....
fall into the same category. Designed to vandalize web pages, worms may seem like the online equivalent to graffiti
Graffiti
Graffiti is the name for images or lettering scratched, scrawled, painted or marked in any manner on property....
tagging, with the author's alias or affinity group appearing everywhere the worm goes.
Since the rise of widespread broadband
Broadband
The term broadband refers to a telecommunications signal or device of greater bandwidth, in some sense, than another standard or usual signal or device . Different criteria for "broad" have been applied in different contexts and at different times...
Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
access, malicious software has been designed for a profit (e.g. forced advertising). For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computer
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
s" are used to send email spam, to host contraband data such as child pornography
Child pornography
Child pornography refers to images or films and, in some cases, writings depicting sexually explicit activities involving a child...
, or to engage in distributed denial-of-service attacks
Attack (computer)
In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
as a form of extortion
Extortion
Extortion is a criminal offence which occurs when a person unlawfully obtains either money, property or services from a person, entity, or institution, through coercion. Refraining from doing harm is sometimes euphemistically called protection. Extortion is commonly practiced by organized crime...
.
Another strictly for-profit category of malware has emerged in spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
-- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing
Affiliate marketing
Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts...
revenues to the spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
creator. Spyware programs do not spread like viruses; they are, in general, installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications.
Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virusComputer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload
Payload (software)
Payload in computing is the cargo of a data transmission. It is the part of the transmitted data which is the fundamental purpose of the transmission, to the exclusion of information sent with it solely to facilitate delivery.In computer security, payload refers to the...
that performs other actions, often malicious. On the other hand, a worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
is a program that actively transmits itself over a network to infect other computers. It too may carry a payload.
These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
or Microsoft Word
Microsoft Word
Microsoft Word is a word processor designed by Microsoft. It was first released in 1983 under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platforms including IBM PCs running DOS , the Apple Macintosh , the AT&T Unix PC , Atari ST , SCO UNIX,...
documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.
Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.
Capsule history of viruses and worms
Before InternetInternet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
access became widespread, viruses spread on personal computers by infecting the executable boot sector
Boot sector
A boot sector or boot block is a region of a hard disk, floppy disk, optical disc, or other data storage device that contains machine code to be loaded into random-access memory by a computer system's built-in firmware...
s of floppy disks. By inserting a copy of itself into the machine code
Machine code
Machine code or machine language is a system of impartible instructions executed directly by a computer's central processing unit. Each instruction performs a very specific task, typically either an operation on a unit of data Machine code or machine language is a system of impartible instructions...
instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II
Apple II
The Apple II is an 8-bit home computer, one of the first highly successful mass-produced microcomputer products, designed primarily by Steve Wozniak, manufactured by Apple Computer and introduced in 1977...
and Macintosh, but they became more widespread with the dominance of the IBM PC
IBM PC
The IBM Personal Computer, commonly known as the IBM PC, is the original version and progenitor of the IBM PC compatible hardware platform. It is IBM model number 5150, and was introduced on August 12, 1981...
and MS-DOS
MS-DOS
MS-DOS is an operating system for x86-based personal computers. It was the most commonly used member of the DOS family of operating systems, and was the main operating system for IBM PC compatible personal computers during the 1980s to the mid 1990s, until it was gradually superseded by operating...
system. Executable-infecting viruses are dependent on users exchanging software or boot-able floppies, so they spread rapidly in computer hobbyist circles.
The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS
SunOS
SunOS is a version of the Unix operating system developed by Sun Microsystems for their workstation and server computer systems. The SunOS name is usually only used to refer to versions 1.0 to 4.1.4 of SunOS...
and VAX
VAX
VAX was an instruction set architecture developed by Digital Equipment Corporation in the mid-1970s. A 32-bit complex instruction set computer ISA, it was designed to extend or replace DEC's various Programmed Data Processor ISAs...
BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
) in network server programs and started itself running as a separate process. This same behaviour is used by today's worms as well.
With the rise of the Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses
Macro virus (computing)
In computing terminology, a macro virus is a virus that is written in a macro language: that is to say, a language built into a software application such as a word processor...
infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code.
Today, worms are most commonly written for the Windows OS, although a few like Mare-D and the Lion worm
L10n worm
The L10n worm was a Linux worm that spread in 2001 by exploiting a buffer overflow in the BIND DNS server. It was based on an earlier worm known as the Ramen virus which was written to target systems running versions 6.2 and 7.0 of the Red Hat Linux distribution....
are also written for Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
and Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network and leverage vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.
Concealment: Trojan horses, rootkits, and backdoors
Trojan horses
For a malicious program to accomplish its goals, it must be able to run without being shut down, or deleted by the user or administrator of the computer system on which it is running. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horseTrojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
or trojan.
In broad terms, a Trojan horse is any program that invites the user to run it, concealing a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or further installing malicious or undesirable software. Trojan horses known as dropper
Dropper
A dropper is a program that has been designed to "install" some sort of malware to a target system. The malware code can be contained within the dropper in such a way as to avoid detection by virus scanners or the dropper may download the malware to the target machine once activated ....
s are used to start off a worm outbreak, by injecting the worm into users' local network.
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement that states the behavior of the spyware in loose terms, which the users are unlikely to read or understand.
Trojans are most commonly used for marketing. Today's advanced malware/trojans are fully capable of hijacking complete control of a browser regardless of IE or Mozilla. It has even been known to add false exceptions to a browser's security settings as well as editing a computer's registry.
Rootkits
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkitRootkit
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
s allow this concealment, by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system, allowing the attacker to gain administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.
Some malicious programs contain routines to defend against removal, not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File
Jargon File
The Jargon File is a glossary of computer programmer slang. The original Jargon File was a collection of terms from technical cultures such as the MIT AI Lab, the Stanford AI Lab and others of the old ARPANET AI/LISP/PDP-10 communities, including Bolt, Beranek and Newman, Carnegie Mellon...
tale of a pair of programs infesting a Xerox CP-V time sharing system:
- Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.
Similar techniques are used by some modern malware, wherein the malware starts a number of processes that monitor and restore one another as needed. In the event a user running Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
is infected with such malware, if they wish to manually stop it, they could use Task Manager
Windows Task Manager
Windows Task Manager is a task manager application included with the Microsoft Windows NT family of operating systems that provides detailed information about computer performance and running applications, processes and CPU usage, commit charge and memory information, network activity and...
's 'processes' tab to find the main process (the one that spawned the "resurrector process(es)"), and use the 'end process tree' function, which would kill not only the main process, but the "resurrector(s)" as well, since they were started by the main process.
Some malware programs use other techniques, such as naming the infected file similar to a legitimate or trustworthy file (expl0rer.exe VS explorer.exe).
Backdoors
A backdoor is a method of bypassing normal authenticationAuthentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed in order to allow easier access in the future. Backdoors may also be installed prior to malicious software, to allow attackers entry.
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
, worms
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
, or other methods.
Malware for profit: spyware, botnets, keystroke loggers, and dialers
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalismVandalism
Vandalism is the behaviour attributed originally to the Vandals, by the Romans, in respect of culture: ruthless destruction or spoiling of anything beautiful or venerable...
or prank. More recently, the greater share of malware programs have been written with a profit motive (financial or otherwise) in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.
Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ad
Pop-up ad
Pop-up ads or pop-ups are a form of online advertising on the World Wide Web intended to attract web traffic or capture email addresses. Pop-ups are generally new web browser windows to display advertisements...
s, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine
Web search engine
A web search engine is designed to search for information on the World Wide Web and FTP servers. The search results are generally presented in a list of results often referred to as SERPS, or "search engine results pages". The information may consist of web pages, images, information and other...
results to paid advertisements. Others, often called "stealware
Stealware
Stealware refers to a type of software that effectively transfers money owed to a website owner to a third party.Specifically, stealware uses an HTTP cookie to redirect the commission ordinarily earned by the site for referring users to another site....
" by the media, overwrite affiliate marketing
Affiliate marketing
Affiliate marketing is a marketing practice in which a business rewards one or more affiliates for each visitor or customer brought about by the affiliate's own marketing efforts...
codes so that revenue is redirected to the spyware creator rather than the intended recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement
Software license agreement
A software license agreement is a contract between the "licensor" and purchaser of the right to use software. The license may define ways under which the copy can be used, in addition to the automatic rights of the buyer including the first sale doctrine and .Many form contracts are only contained...
that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.
Another way that financially motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. The infected computers are used as proxies
Open proxy
An open proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server allows users within a network group to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group...
to send out spam messages. A computer left in this state is often known as a zombie computer
Zombie computer
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam...
. The advantage to spammers of using infected computers is they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnet
Botnet
A botnet is a collection of compromised computers connected to the Internet. Termed "bots," they are generally used for malicious purposes. When a computer becomes compromised, it becomes a part of a botnet...
s. In a botnet, the malware or malbot logs in to an Internet Relay Chat
Internet Relay Chat
Internet Relay Chat is a protocol for real-time Internet text messaging or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file...
channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus software or other security measures.
It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a key logger
Keystroke logging
Keystroke logging is the action of tracking the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored...
, which intercepts the user's keystrokes when entering a password
Password
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
, credit card
Credit card
A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services...
number, or other information that may be exploited. This is then transmitted to the malware creator automatically, enabling credit card fraud
Credit card fraud
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also...
and other theft. Similarly, malware may copy the CD key
CD key
A product key, also known as a Software key, is a specific software-based key for a computer program. It certifies that the copy of the program is original. Activation is sometimes done offline by entering the key, or with software like Windows XP online activation is required to prevent multiple...
or password for online games, allowing the creator to steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer
Dialer
A dialer or dialler is an electronic device that is connected to a telephone line to monitor the dialed numbers and alter them to seamlessly provide services that otherwise require lengthy access codes to be dialed...
(or porn dialer) software dials up a premium-rate telephone number
Premium-rate telephone number
Premium-rate telephone numbers are telephone numbers for telephone calls during which certain services are provided, and for which prices higher than normal are charged. Unlike a normal call, part of the call charge is paid to the service provider, thus enabling businesses to be funded via the calls...
such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.
Data-stealing malware
Data-stealing malware is a web threatWeb threat
A web threat is any threat that uses the internet to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers...
that divest victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware
Spyware
Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
, adware
Adware
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during...
, backdoors, and bots
Bots
Bots may refer to:* BOTS!!, a massively multiplayer online game distributed by Acclaim Games* Bots , open source EDI translator * Bots , a Dutch language folk rock group* British overseas territories...
. The term does not refer to activities such as spam, phishing
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
, DNS
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
poisoning, SEO
Search engine optimization
Search engine optimization is the process of improving the visibility of a website or a web page in search engines via the "natural" or un-paid search results...
abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy
Proxy server
In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server...
information will fall into the data-stealing malware category.
Characteristics of data-stealing malware
Does not leave traces of the event- The malware is typically food.
- The malware may be installed via a drive-by-download process
- The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions
- It is difficult for antivirus software to detect final payload attributes due to the combination(s) of malware components
- The malware uses multiple file encryption levels
Thwarts Intrusion Detection Systems (IDS) after successful installation
- There are no perceivable network anomalies
- The malware hides in web traffic
- The malware is stealthier in terms of traffic and resource use
Thwarts disk encryption
- Data is stolen during decryption and display
- The malware can record keystrokes, passwords, and screenshots
Thwarts Data Loss Prevention (DLP)
- Leakage protection hinges on metadata tagging, not everything is tagged
- Miscreants can use encryption to port data
Examples of data-stealing malware
- Bancos, an info stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information.
- GatorClaria CorporationClaria Corporation was a software company based in Redwood City, California with products many considered spyware. It was established in 1998 by Denis Coleman. Its name was often used interchangeably with its Gain advertising network, which it claimed serviced over 40 million users...
, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis then serves targeted pop-up ads. - LegMir, spyware that steals personal information such as account names and passwords related to online games.
- Qhost, a Trojan that modifies the Hosts fileHosts fileThe hosts file is a computer file used in an operating system to map hostnames to IP addresses. The hosts file is a plain-text file and is conventionally named hosts.-Purpose:...
to point to a different DNS server when banking sites are accessed then opens a spoofed login page to steal login credentials for those financial institutions.
Data-stealing malware incidents
- Albert GonzalezAlbert GonzalezAlbert Gonzalez is a computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007—the biggest such fraud in history.Gonzalez and his accomplices used SQL injection...
(not to be confused with the U.S. Attorney General Alberto Gonzalez) is accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the firms targeted were BJ's Wholesale ClubBJ's Wholesale ClubBJ's Wholesale Club, Inc. , commonly referred to simply as BJ's, is a membership-only warehouse club chain operating on the United States East Coast, as well as in the state of Ohio...
, TJX, DSW Shoes, OfficeMaxOfficeMaxOfficeMax , is an American office supplies retailer that was founded in 1988 and is headquartered in Naperville, Illinois.-History:On April 1, 1988, OfficeMax was founded in Cleveland, Ohio, by Bob Hurwitz and Michael Feuer. Hurwitz served as executive chairman and chief executive officer and Feuer...
, Barnes & NobleBarnes & NobleBarnes & Noble, Inc. is the largest book retailer in the United States, operating mainly through its Barnes & Noble Booksellers chain of bookstores headquartered at 122 Fifth Avenue in the Flatiron District in Manhattan in New York City. Barnes & Noble also operated the chain of small B. Dalton...
, Boston MarketBoston MarketBoston Market, known as Boston Chicken until 1995, headquartered in Golden, Colorado, is a chain of American fast casual restaurants. It is owned by private equity firm Sun Capital Partners, headquartered in Boca Raton, Florida.-History:...
, Sports AuthoritySports AuthorityThe Sports Authority, Inc. is one of the largest sporting goods retailers in the United States. It is headquartered in Englewood, Colorado, and operates more than 460 stores in 45 U.S...
and Forever 21Forever 21Forever 21 is an American chain of clothing retailers with branches in major cities in The United States, Puerto Rico, Canada, Europe, Asia, and the Middle East that offers fashion and accessories for young women and men....
. - A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc’s job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users’ PCs.
- Customers of Hannaford Bros. Co.Hannaford Bros. Co.Hannaford is an American supermarket chain based in Scarborough, Maine. Founded in 1883, Hannaford now operates stores in New England and upstate New York. Formerly known as Shop 'N' Save, Hannaford is owned by the American subsidiary of the Belgian Delhaize Group, Delhaize America, which owns over...
, a supermarket chain based in MaineMaineMaine is a state in the New England region of the northeastern United States, bordered by the Atlantic Ocean to the east and south, New Hampshire to the west, and the Canadian provinces of Quebec to the northwest and New Brunswick to the northeast. Maine is both the northernmost and easternmost...
, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits. - The TorpigTorpigTorpig, also known as Sinowal or Anserin , is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows...
Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.
Controversy about assignment to spyware
There is a group of software (Alexa toolbarAlexa Toolbar
The Alexa Toolbar, is an application produced by Alexa Internet, and is a Firefox extension and Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website specific statistics.-Content:...
, Google toolbar
Google Toolbar
Google Toolbar is an Internet browser toolbar only available for Internet Explorer and Firefox .-Google Toolbar 1.0 December 11, 2000:New features:*Direct access to the Google search functionality from any web page*Web Site search...
, Eclipse
Eclipse (software)
Eclipse is a multi-language software development environment comprising an integrated development environment and an extensible plug-in system...
data usage collector, etc.) that send data to a central server about which pages have been visited or which features of the software have been used. However differently from "classic" malware these tools document activities and only send data with the user's approval. The user may opt in to share the data in exchange to the additional features and services, or (in case of Eclipse) as the form of voluntary support for the project. Some security tools report such loggers as malware while others do not. The status of the group is questionable. Some tools like PDFCreator
PDFCreator
PDFCreator is an application for converting documents into Portable Document Format format on Microsoft Windows operating systems. It works by creating a virtual printer that prints to PDF files, and thereby allows practically any application to create PDF files by choosing to print from within...
are more on the boundary than others because opting out has been made more complex than it could be (during the installation, the user needs to uncheck two check boxes rather than one). However also PDFCreator is only sometimes mentioned as malware and is still subject of discussions.
Vulnerability to malware
In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.Various factors make a system more vulnerable to malware:
- Homogeneity: e.g. when all computers in a network run the same OS, upon exploiting one, one can exploit them all.
- Weight of numbers: simply because the vast majority of existing malware is written to attack Windows systems, then Windows systems, ipso facto, are more vulnerable to succumbing to malware (regardless of the security strengths or weaknesses of Windows itself).
- Defects: malware leveraging defects in the OS design.
- Unconfirmed code: code from a floppy diskFloppy diskA floppy disk is a disk storage medium composed of a disk of thin and flexible magnetic storage medium, sealed in a rectangular plastic carrier lined with fabric that removes dust particles...
, CD-ROMCD-ROMA CD-ROM is a pre-pressed compact disc that contains data accessible to, but not writable by, a computer for data storage and music playback. The 1985 “Yellow Book” standard developed by Sony and Philips adapted the format to hold any form of binary data....
or USB device may be executed without the user’s agreement. - Over-privileged users: some systems allow all users to modify their internal structures.
- Over-privileged code: some systems allow code executed by a user to access all rights of that user.
An oft-cited cause of vulnerability of networks is homogeneity or software monoculture.
For example, Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
or Apple Mac
Apple Computer
Apple Inc. is an American multinational corporation that designs and markets consumer electronics, computer software, and personal computers. The company's best-known hardware products include the Macintosh line of computers, the iPod, the iPhone and the iPad...
have such a large share of the market that concentrating on either could enable a cracker to subvert a large number of systems, but any total monoculture is a problem. Instead, introducing inhomogeneity (diversity), purely for the sake of robustness, could increase short-term costs for training and maintenance. However, having a few diverse nodes would deter total shutdown of the network, and allow those nodes to help with recovery of the infected nodes. Such separate, functional redundancy would avoid the cost of a total shutdown, would avoid homogeneity as the problem of "all eggs in one basket".
Most systems contain bugs, or loopholes, which may be exploited by malware. A typical example is the buffer-overrun weakness, in which an interface designed to store data, in a small area of memory, allows the caller to supply more data than will fit. This extra data then overwrites the interface's own executable structure (past the end of the buffer and other data). In this manner, malware can force the system to execute malicious code, by replacing legitimate code with its own payload of instructions (or data values) copied into live memory, outside the buffer area.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS
BIOS
In IBM PC compatible computers, the basic input/output system , also known as the System BIOS or ROM BIOS , is a de facto standard defining a firmware interface....
makes one confirm a boot from removable media.
In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
exploits have increased this priority is shifting for the release of Microsoft Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users, acting as a crutch to resolve the privileged access problem inherent in legacy applications.
Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachment
E-mail attachment
An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images...
s, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device driver
Device driver
In computing, a device driver or software driver is a computer program allowing higher-level computer programs to interact with a hardware device....
s need escalated privileges, while they are supplied by more and more hardware manufacturers.
Eliminating over-privileged code
Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most antivirus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.The system would have to maintain privilege profiles, and know which to apply for each user and program.
In the case of newly installed software, an administrator would need to set up default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS
OpenVMS
OpenVMS , previously known as VAX-11/VMS, VAX/VMS or VMS, is a computer server operating system that runs on VAX, Alpha and Itanium-based families of computers. Contrary to what its name suggests, OpenVMS is not open source software; however, the source listings are available for purchase...
, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.
Other approaches are:
- Various forms of virtualization, allowing the code unlimited access only to virtual resources
- Various forms of sandboxSandbox (computer security)In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....
or jail - The security functions of JavaJava (programming language)Java is a programming language originally developed by James Gosling at Sun Microsystems and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities...
, injava.security
Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.
Anti-malware programs
As malware attacks become more frequent, attention has begun to shift from viruses and spyware protection, to malware protection, and programs have been developed specifically to combat them.Anti-malware programs can combat malware in two ways:
- They can provide real time protection against the installation of malware software on a computer. This type of spyware protection works the same way as that of antivirus protection in that the anti-malware software scans all incoming network data for malware software and blocks any threatsThreat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
it comes across. - Anti-malware software programs can be used solely for detection and removal of malware software that has already been installed onto a computer. This type of malware protection is normally much easier to use and more popular. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs on a computer and will provide a list of any threats found, allowing the user to choose which files to delete or keep, or to compare this list to a list of known malware components, removing files that match.
Real-time protection from malware works identically to real-time antivirus protection: the software scans disk files at download time, and blocks the activity of components known to represent malware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many malware components are installed as a result of browser exploit
Browser exploit
A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user's browser settings without their knowledge...
s or user error, using security software (some of which are anti-malware, though many are not) to "sandbox" browsers (essentially babysit the user and their browser) can also be effective in helping to restrict any damage done.
Website security scans
As malware also harms the compromised websites (by breaking reputation, blacklisting in search engines, etc.), some companies offer the paid site scan service. Such scans periodically check the site, detecting malware, noticed security vulnerabilities, outdated software stack with known security issues, etc. The found issues are only reported to the site owner who can take means to fix them. The provider may also offer the security badge that the owner can only display if the site has been recently scanned and is "clean".Academic research
The notion of a self-reproducing computer program can be traced back to when presented lectures that encompassed the theory and organization of complicated automata. John von NeumannJohn von Neumann
John von Neumann was a Hungarian-American mathematician and polymath who made major contributions to a vast number of fields, including set theory, functional analysis, quantum mechanics, ergodic theory, geometry, fluid dynamics, economics and game theory, computer science, numerical analysis,...
showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory
Computability theory (computer science)
Computability is the ability to solve a problem in an effective manner. It is a key topic of the field of computability theory within mathematical logic and the theory of computation within computer science...
. Fred Cohen
Fred Cohen
Frederick B. Cohen is an American computer scientist and best known as the inventor of computer virus defense techniques.In 1983, while a student at the University of Southern California's School of Engineering , he wrote a program for a parasitic application that seized control of computer...
experimented with computer viruses and confirmed Neumann's postulate. He also investigated other properties of malware (detectability, self-obfuscating programs that used rudimentary encryption that he called "evolutionary", and so on). His 1988 doctoral dissertation was on the subject of computer viruses. Cohen's faculty advisor, Leonard Adleman
Leonard Adleman
Leonard Max Adleman is an American theoretical computer scientist and professor of computer science and molecular biology at the University of Southern California. He is known for being a co-inventor of the RSA cryptosystem in 1977, and of DNA computing...
(the A in RSA) presented a rigorous proof that, in the general case, algorithmically determining whether a virus is or is not present is Turing
Alan Turing
Alan Mathison Turing, OBE, FRS , was an English mathematician, logician, cryptanalyst, and computer scientist. He was highly influential in the development of computer science, providing a formalisation of the concepts of "algorithm" and "computation" with the Turing machine, which played a...
undecidable
Undecidable problem
In computability theory and computational complexity theory, an undecidable problem is a decision problem for which it is impossible to construct a single algorithm that always leads to a correct yes-or-no answer....
. This problem must not be mistaken for that of determining, within a broad class of programs, that a virus is not present; this problem differs in that it does not require the ability to recognize all viruses. Adleman's proof is perhaps the deepest result in malware computability theory
Computability theory (computer science)
Computability is the ability to solve a problem in an effective manner. It is a key topic of the field of computability theory within mathematical logic and the theory of computation within computer science...
to date and it relies on Cantor's diagonal argument
Cantor's diagonal argument
Cantor's diagonal argument, also called the diagonalisation argument, the diagonal slash argument or the diagonal method, was published in 1891 by Georg Cantor as a mathematical proof that there are infinite sets which cannot be put into one-to-one correspondence with the infinite set of natural...
as well as the halting problem
Halting problem
In computability theory, the halting problem can be stated as follows: Given a description of a computer program, decide whether the program finishes running or continues to run forever...
. Ironically, it was later shown by Young and Yung that Adleman's work in cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
is ideal in constructing a virus that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus
Cryptovirology
Cryptovirology is a field that studies how to use cryptography to design powerful malicious software. The field was born with the observation that public-key cryptography can be used to break the symmetry between what an antivirus analyst sees regarding a virus and what the virus writer sees...
. A cryptovirus is a virus that contains and uses a public key and randomly generated symmetric cipher initialization vector
Initialization vector
In cryptography, an initialization vector is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom...
(IV) and session key
Session key
A session key is a single-use symmetric key used for encrypting all messages in one communication session. A closely related term is traffic encryption key or TEK, which refers to any key used to encrypt messages, as opposed to other uses, like encrypting other keys .Session keys can introduce...
(SK). In the cryptoviral extortion attack, the virus hybrid encrypts plaintext
Plaintext
In cryptography, plaintext is information a sender wishes to transmit to a receiver. Cleartext is often used as a synonym. Before the computer era, plaintext most commonly meant message text in the language of the communicating parties....
data on the victim's machine using the randomly generated IV and SK. The IV+SK are then encrypted using the virus writer's public key. In theory the victim must negotiate with the virus writer to get the IV+SK back in order to decrypt the ciphertext
Ciphertext
In cryptography, ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher...
(assuming there are no backups). Analysis of the virus reveals the public key, not the IV and SK needed for decryption, or the private key needed to recover the IV and SK. This result was the first to show that computational complexity theory
Computational complexity theory
Computational complexity theory is a branch of the theory of computation in theoretical computer science and mathematics that focuses on classifying computational problems according to their inherent difficulty, and relating those classes to each other...
can be used to devise malware that is robust against reverse-engineering.
A growing area of computer virus research is to mathematically model the infection behavior of worms using models such as Lotka–Volterra equations, which has been applied in the study of biological virus. Various virus propagation scenarios have been studied by researchers such as propagation of computer virus, fighting virus with virus like predator codes, effectiveness of patching etc.
Behavioral malware detection has been a particularly lively research area lately. Most approaches to behavioral detection are based on analysis of system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
dependencies. The executed binary is traced using strace
Strace
strace is a debugging utility for Linux and some other Unix-like systems to monitor the system calls used by a program and all the signals it receives, similar to "truss" utility in other Unix systems...
or more precise taint analysis
Taint checking
Taint checking is a feature in some computer programming languages, such as Perl and Ruby, designed to increase security by preventing malicious users from executing commands on a host computer...
to compute data-flow dependencies among system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
s. The result is a directed graph
Directed graph
A directed graph or digraph is a pair G= of:* a set V, whose elements are called vertices or nodes,...
such that nodes are system callSystem call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
s, and edges represent dependencies. For example,
if a result returned by system call 
(either directly as a result or indirectly through output parameters) is later used as a parameter of system call 
. The origins of the idea to use system calls to analyze software can be found in the work of Forrest et al. Christodorescu et al. point out that malware authors cannot easily reorder system calls without changing the semantics of the program, which makes system call dependency graphs suitable for malware detection. They compute a difference between malware and goodware system call dependency graphs and use the resulting graphs for detection, achieving high detection rates. Kolbitsch et al. precompute symbolic expressions and evaluate them on the syscall parameters observed at runtime. They detect dependencies by observing whether the result obtained by evaluation matches the parameter values observed at runtime. Malware is detected by comparing the dependency graphs of the training and test sets. Fredrikson et al. describe an approach that uncovers distinguishing features in malware system call dependency graphs. They extract significant behaviors using concept analysisFormal concept analysis
Formal concept analysis is a principled way of automatically deriving an ontology from a collection of objects and their properties. The term was introduced by Rudolf Wille in 1984, and builds on applied lattice and order theory that was developed by Birkhoff and others in the 1930s.-Intuitive...
and leap mining. Babic et al. recently proposed a novel approach for both malware detection and classification based on grammar inference
Grammar Induction
Grammatical induction, also known as grammatical inference or syntactic pattern recognition, refers to the process in machine learning of learning a formal grammar from a set of observations, thus constructing a model which accounts for the characteristics of the observed objects...
of tree automata
Tree automaton
A tree automaton is a type of state machine. Tree automata deal with tree structures, rather than the strings of more conventional state machines.The following article deals with branching tree automata, which correspond to regular languages of trees...
. Their approach infers an automaton
Automaton
An automaton is a self-operating machine. The word is sometimes used to describe a robot, more specifically an autonomous robot. An alternative spelling, now obsolete, is automation.-Etymology:...
from dependency graphs, and they show how such an automaton could be used for detection and classification of malware.
Grayware
Grayware (or GreynetGreynet
Within the context of corporate and organizational networks, a greynet is an elusive networked computer application that is downloaded and installed on end user systems without express permission from network administrators and often without awareness or cognition that it is deeply embedded in the...
) is a general term sometimes used as a classification for applications that behave in a manner that is annoying or undesirable, and yet less serious or troublesome than malware. Grayware encompasses spyware, adware, dialers, joke programs, remote access tools, and any other unwelcome files and programs apart from viruses that are designed to harm the performance of computers on one's network. The term has been in use since at least as early as September 2004.
Grayware refers to applications or files that are not classified as viruses or trojan horse
Trojan horse (computing)
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.-Malware:A destructive program that masquerades as a benign...
programs, but can still negatively affect the performance of the computers on a network and introduce significant security risks to an organization. Often grayware performs a variety of undesired actions such as irritating users with pop-up
Pop-Up
Pop Up is the debut album by French electropop trio Yelle. It was released in France on 3 September 2007 by the EMI-owned label Source Etc. The album peaked at number sixty-one on the French Albums Chart, and went on to sell 20,000 copies.-Promotion:...
windows, tracking user habits and unnecessarily exposing computer vulnerabilities to attack.
- SpywareSpywareSpyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's...
is software that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components. The information spyware components gather can include user keystrokes, which means that private information such as login names, passwords, and credit card numbers are vulnerable to theft. - AdwareAdwareAdware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up. They may also be in the user interface of the software or on a screen presented to the user during...
is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla Firefox. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance. Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software. Adware are also often installed in tandem with spyware programs. Both programs feed off each other's functionalities: spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profile.
Web and spam
The World Wide WebWorld Wide Web
The World Wide Web is a system of interlinked hypertext documents accessed via the Internet...
is a criminals' preferred pathway for spreading malware. Today's web threats use combinations of malware to create infection chains. About one in ten Web pages may contain malicious code.
Wikis and blogs
Attackers may use wikis and blogs to advertise links that lead to malware sites.Wiki and blog servers can also be attacked directly. In 2010, Network Solutions was compromised and some hosted sites became a path to malware and spam.
Targeted SMTP threats
Targeted SMTPSimple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
threats
Threat (computer)
In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
also represent an emerging attack vector through which malware is propagated. As users adapt to widespread spam
Spam (electronic)
Spam is the use of electronic messaging systems to send unsolicited bulk messages indiscriminately...
attacks, cybercriminals distribute crimeware
Crimeware
Crimeware is a class of malware designed specifically to automate cybercrime. The term was coined by Peter Cassidy, Secretary General of the Anti-Phishing Working Group to distinguish it from other kinds of malevolent programs...
to target one specific organization or industry, often for financial gain.
See also
:Category:Web security exploits- Computer crimeComputer crimeComputer crime, or cybercrime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet. Such crimes may threaten a nation’s security and financial health...
- Computer insecurityComputer insecurityComputer insecurity refers to the concept that a computer system is always vulnerable to attack, and that this fact creates a constant battle between those looking to improve security, and those looking to circumvent security.-Security and systems design:...
- Cyber spyingCyber spyingCyber spying or Cyber espionage is the act or practice of obtaining secrets without the permission of the holder of the information , from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using illegal exploitation methods on...
- Firewall (computing)Firewall (computing)A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
- Industrial espionageIndustrial espionageIndustrial espionage, economic espionage or corporate espionage is a form of espionage conducted for commercial purposes instead of purely national security purposes...
- It riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- MalvertisingMalvertisingMalvertising is the use of online advertising to spread malware.Because advertising content can be inserted into high-profile reputable websites, malvertising provides malefactors an opportunity to "push" their attacks at cautious web users who would not normally visit unknown external URLs, by...
- Play mp3.exe (trojan)Play mp3.exe (trojan)Play_mp3.exe is a trojan horse. It is an executable file downloaded from a website which promises the user a free MP3 or MPG player.-The trojan:...
- Privacy-invasive softwarePrivacy-invasive softwarePrivacy-invasive software is a category of computer software that ignores users’ privacy and that is distributed with a specific intent, often of a commercial nature. Three typical examples of privacy-invasive software are adware, spyware and content hijacking programs.- Background :In a...
- Security in Web applications
- Social engineering (security)Social engineering (security)Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information...
- Spy software
- Targeted threatTargeted threatTargeted threats are a class of malware destined for one specific organization or industry. A type of crimeware, these threats are of particular concern because they are designed to capture sensitive information. Targeted attacks may include threats delivered via SMTP e-mail, port attacks, zero...
- Securelist.com
- Web server overload causes
- White-collar crimeWhite-collar crimeWithin the field of criminology, white-collar crime has been defined by Edwin Sutherland as "a crime committed by a person of respectability and high social status in the course of his occupation" . Sutherland was a proponent of Symbolic Interactionism, and believed that criminal behavior was...
External links
- Malicious Programs Hit New High – retrieved February 8, 2008
- Malware Block List
- Open Security Foundation Data Loss Database
- Internet Crime Complaint Center
- US Department of Homeland Security Identity Theft Technology Council report "The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond"
- Video: Mark Russinovich – Advanced Malware Cleaning
- MalConMalconMALCON is an annual information security conference focusing exclusively on malware. It aims in bringing together Malware and Information Security Researchers from across the globe to share key research insights into building and containment of the next generation malwares. Unlike most hacker...
, International Malware Conference (convention), focused specifically on Malware development, research and containment. - Jamie Crapanzano (2003): "Deconstructing SubSeven, the Trojan Horse of Choice", SANS Institute, Retrieved on 2011-05-23