Computer Security

This article defines malware and associated terms and describes in detail the common types of malware. It discusses strategies for avoiding malware, including anti-virus software. It also gives sociological and economic background information about malware and Internet crime.

Computer Malware

Malware is a general term applied to software which by design can damage computer systems, compromise data, inconvenience users, and/or be used to carry out criminal activities (crimeware).

Blended threats: Blended threats combine two or more categories of malware programs, such as a worm and a virus.
Botnets: Botnets are peer-to-peer networks of compromised computers used by hackers, cybercriminals, and governments to carry out illegal activities like sending SPAM and launching cyber-attacks.

According to an article in the NY Times, it has been estimated that 11% of the 650 million computers connected to the Internet are infected with botnet software ("Wake up").

Computer Viruses: Viruses are small programs that attach to a host program and spread to other computers. They may not create problems with the normal operation of their host computers, but they frequently do.
Downloaders: A downloader is software that infects an unprotected computer whose user simply lands on an infected Web page, or "poisoned" URL. This technique of spreading malware, known as a "drive-by download", has become even more popular than email attachments.

Google claims one in ten of 4.5 million web pages examined by one of their research teams contained infectious code (Leyden "One in").

Droppers: A dropper is a program designed to release a virus as soon as the program is opened.
Root Kits: Root kits are software tools used to modify a computer's operating system in such a way as to conceal the presence of malware on the computer.
Social Engineering: Social engineering is a set of techniques used by criminals to entice computer users to take actions that will compromise their personal information or computer.
Spyware/Adware: Programs secreted on computer systems without the knowledge or permission of their users. Consequences and effects run the gamut from inconvenience (redirecting the user's browser, for example) to theft of personal information. Spyware is also used by governments to spy upon citizens, criminals, and suspected terrorists and by corporations to spy upon competitors.
Trojan Horses: In contrast with viruses, trojan horses require no host: they are standalone, like worms. Unlike worms, however, trojans do not replicate. Trojans are highly likely to cause major headaches for users on whose systems they reside.
Worms: Like viruses, worms replicate, but unlike viruses, worms are standalone: they require no host in order to infect a computer system.

Symptoms of malware infection

  • Change in program size (larger when infected by virus)
  • Change in program's time/date stamp
  • Longer time loading software
  • Computer operations slowed
  • Unexplained reduction in memory available (virus in memory)
  • Programs or files disappearing (deleted by virus)
  • Unexplained spontaneous reboots
  • Odd screen displays

Computer Viruses

  • Always require a host (can never be standalone)
  • Always replicate (copy and spread)
  • Code is very compact
  • Code may be encrypted for more difficult detection

Before the Internet became popular, floppy and hard disk drive boot sectors were the most common method of virus distribution. Infected email attachments and websites have made distribution more efficient and malware has become a vastly more widespread problem.

Worms

  • Always stand-alone
  • Always replicate

Worms are stand-alone malware programs which spread from one computer to another across networks, including the Internet.

Worms can be designed for many purposes but their main effect is often to crash infected networks simply by exhausting network resources to spread themselves.

In November 1988 the first computer worm (the work of a university student, dubbed "the Great worm") exploited security gaps in the Unix operating system to infect more than 6,000 computers on the Internet.

In January, 2003, the "Slammer" worm infected over 75,000 Internet servers in just ten minutes and caused massive slowdowns and outages.

Trojan Horses

  • Stand-alone
  • Do not replicate

Named for the Trojan Horse in Greek mythology, trojan horses are extremely dangerous programs which have been disguised to appear harmless.

Frequently conveyed by email attachment, trojan horses open an Internet connection between the infected system and remote systems running "command and control" modules.

A control system operator can perform actions on the infected system just as if they were present. Information and intelligence can be gathered from the infected system and it can be joined to a "bot-net", or network of robots. Bot-nets are used for illegal activities such as sending SPAM and carrying out Denial of Service attacks, in which targeted Internet servers are removed from service by becoming so overloaded with traffic that they crash. A bot-net can also be used to store and distribute illegal materials such as pornography, stolen credit card numbers, or malware tools.

Blended Threats

Blended threats combine two or more conventional types of malware. By design, blended threats:

  • Spread efficiently and rapidly
  • Maximize host damage
  • Exploit a wider range of software vulnerabilities

An example of a blended threat would be a worm which delivers a payload containing a virus and a trojan horse.

Malware Distribution

Common methods for the propagation of malware:
  • Email attachments
  • Drive-by downloads by poisoned URLs
  • Peer-to-Peer file sharing
  • Instant messaging
  • IRC (Internet Relay Chat)
  • Pop-ups
  • BHOs (browser helper objects)
  • Mobile phones
  • MS-Office and PDF files
  • Video codecs
  • Macros
  • JavaScript, Visual Basic, ActiveX, Java applets

Malware no longer needs to rely upon user actions to spread. JavaScript, Visual Basic scripts, ActiveX, and Java applets all make it possible for it to spread with no user intervention.

Microsoft and other software publishers assist malware authors by failing to eliminate vulnerabilities in their software.

According to Anti-Virus publisher Symantec, an average of seven new software security flaws are discovered each day - more than 2,600 new vulnerabilities a year.

Persistent (24/7) DSL and cable Internet connections make users more vulnerable to malware by providing a greater window of opportunity for hackers to discover and exploit software vulnerabilities.

Detection Avoidance by Malware

Malware authors use various methods to avoid identification of their wares by A-V software.

Encryption: Encryption hides all but the tiniest amount of virus code.
Variable bytes: Scanners must use "wild-card" markers in place of the variable bytes so they can detect the static portions of malware code.
Polymorphic: A polymorphic engine can easily be attached to any virus. The polymorphic engine disguises a virus by morphing it into different forms on different occasions. Detection is only possible by identifying the fingerprint of the engine itself.

The Trident Polymorphic Engine (TPE), used by the Giraffe virus and others, can create 18,446,774,000,000,000,000 different forms for a virus.

Malware: Detection, Prevention, and Mitigation

Anti-virus Software

The job of anti-virus software is to detect the presence of computer malware and remove or disable it before it causes problems.

To provide the best protection, A-V programs should include three different components:

  • Scanner
  • Shield
  • Firewall

Scanners

Scanners detect the presence of malware in primary and secondary memory by scanning for malware "fingerprints".

Malware fingerprints are small snippets of code which uniquely identify each specific malware. These fingerprints are stored in .DAT file databases which must be updated frequently to provide protection against new threats.

Scanners are configured to scan at system boot-up or at pre-determined times of the day. Options include timing, frequency, and scope of scans.

Scanners cannot offer continuous protection because a system can become infected immediately after a scan has completed, and the infection will go undetected until the next scan.
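A minimal fingerprint scanner, added here as an example and not code from the article, to illustrate both the scanner described above and the "wild-card" markers from the Detection Avoidance section: the signature names, byte patterns, and sample buffers are all constructed for the demonstration.

```python
import re

# Constructed stand-in for an A-V ".DAT" database: each fingerprint is a short
# hex byte pattern, and "??" is the wild-card marker for a variable byte, so
# only the static portion of the code has to match.
SIGNATURES = {
    "Sample.Dropper.A": "e8 ?? ?? ?? ?? 5d 81 ed",
    "Sample.Worm.B": "68 65 6c 6c 6f ?? 77 6f 72 6d",
}


def compile_signature(sig):
    """Turn a hex/wild-card fingerprint into a compiled bytes regex."""
    pattern = b""
    for token in sig.split():
        if token == "??":
            pattern += b"."            # any single byte
        else:
            pattern += re.escape(bytes([int(token, 16)]))
    return re.compile(pattern, re.DOTALL)  # DOTALL so "." also matches 0x0a


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_buffer(data):
    """Return the sorted names of every fingerprint found in the buffer."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_file(path):
    """Scan a file on disk (secondary memory) with the same fingerprints."""
    with open(path, "rb") as f:
        return scan_buffer(f.read())


# Constructed sample buffers: the same static bytes with different variable
# bytes still match, while a single changed static byte defeats the match.
SAMPLES = {
    "dropper_v1": b"\x00\xe8\x12\x34\x56\x78\x5d\x81\xed\x00",
    "dropper_v2": b"\xe8\xff\xfe\xfd\xfc\x5d\x81\xed",
    "dropper_static_changed": b"\xe8\x12\x34\x56\x78\x5d\x81\xee",
    "worm_text": b"hello-worm spreading",
    "clean": b"MZ\x90\x00\x03\x00\x00\x00",
}

if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(f"{label}: {scan_buffer(buf) or 'clean'}")
```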

Shields

Continuous protection is provided by a shield. Once loaded, a shield remains active and continuously monitors RAM (secondary memory) for the presence of malware code and prevents it from taking harmful actions against the system.

Firewalls

Firewalls add a third layer of protection by continuously monitoring computer processes for suspicious activity and also inspecting all incoming and outgoing network traffic for the presence of malware.

Strategies for Prevention and Mitigation

  • Scan your system regularly
  • Run a shield and firewall at all times
  • Update A-V databases frequently
  • Run Windows Update frequently
  • Limit Internet connection time to actual use
  • Use caution when downloading files
  • Don't click on suspicious links
  • Don't open suspicious or unexpected attachments

Protect your data

  • Make frequent data backups
  • Maintain an archive of data backups

Sociology of Malware

In his seminal 1994 sociological description of virus authors, David J. Stang postulated that creators of computer viruses tended to be individuals with time on their hands and access to personal computers, notably white males, often high school or college students. Their motivations included anger against the system, the desire for fame, honoring a hero, spreading a socio-political message, the challenge, and to impress others, usually girlfriends.

While Stang's analysis was likely accurate at the time, such "recreational" motivations have largely been replaced by economic, political, and militaristic ones, and today's malware authors are more likely to be professional criminals or in the employ of corporations or governments.

Portrait of Internet Crime

Internet Crime 2006

  1. Auction fraud 44.9%
  2. Non-delivery of goods 19.0%
  3. Check fraud 4.9%
  4. Credit/debit card fraud 4.8%
  5. Computer fraud 2.8%
  6. Confidence fraud 2.2%
  7. Financial institution fraud 1.6%
  8. Identity theft 1.6%
  9. Investment fraud 1.3%
  10. Child pornography 1.0%
  Other 15.9%
Source: Internet Crime Complaint Center (National White Collar Crime Center and the FBI).

Economics of Identity Theft

Black Market Values for Personal Information
  • Complete identity $14-18
  • U.S. credit card $1-6
  • U.K. credit card $2-12
  • Compromised computer $6-12
  • World of Warcraft account $10
Source: Symantec Security

Number of Malwares
Economic Cost

  • "Melissa" virus: $385 Million
  • "LoveLetter" virus: $10 Billion
  • Worldwide, 2000: $17.1 Billion ("Lovebug") (Computer Economics)
  • Worldwide, 2001: $13.2 Billion (Computer Economics)

Bibliography

Leyden, John. "One in 10 web pages laced with malware - Google". The Register. 11 May 2007. 11 May 2007 <http://www.theregister.co.uk/2007/05/11/google_malware_map/>.

Leyden, John. "Hardy perennials dominate virus chart". 1 June 2007. 1 June 2007 <http://www.theregister.co.uk/2007/06/01/may_virus_chart/>.

"Number of Viruses". Computer Knowledge. 1 Feb 2006. 16 Apr 2008 <http://www.cknow.com/vtutor/NumberofViruses.html>.

"SoBig-F is Dead". The Register. 10 Sep 2003. 11 Sep 2003 <http://www.theregister.co.uk/2003/09/10/sobigf_is_dead/>.

Stang, David J. Chapter 20, "Battling Viruses with DOS 6.22". Inside MS-DOS 6.22. By Minasi, Mark, et al. Indianapolis: New Riders Publishing, 1994. 1071-1171.

"Wake up your computer". New York Times. 12 January 2004. A-22.


Bruce Miller, 2011, 2014