Transcript malware_02
Chapter 2 Definitions and Timeline Categorizing Malware No agreed upon definitions o Even for “virus” and “worm” Consider categories based on… o Self-replicating o Population growth o Parasitic Then we name the different types o As defined by Aycock Self-replicating Malware Self-replicating malware Actively attempts to propagate by creating new copies May also propagate passively o But this isn't self-replication Called these “worms” (in CS 265) Population Growth Population growth Describes change in the number of instances Malware that doesn't self-replicate will have a zero population growth o But malware with a zero population growth may self-replicate Parasitic Parasitic malware Requires some other executable code "Executable” taken very broadly o Boot block code on a disk o Binary code in applications o Application scripting languages o Source code that may require compilation before executing, etc. Types of Malware Logic Bomb Trojan Back Door Virus Worm Rabbit Spyware/Adware Other Logic Bomb Self-replicating: no Population growth: 0 Parasitic: possibly Consists of 2 parts o Payload --- action to be performed o Trigger --- event to execute payload Donald Gene Burleson case (CS 265) Trojan Horse Self-replicating: no Population growth: 0 Parasitic: yes Name comes from ancient world o Pretends to be innocent, but it’s not Example: fake login prompt that steals passwords Back Door Self-replicating: no Population growth: 0 Parasitic: possibly Bypasses normal security checks o So enables unauthorized access Example: or RAT Remote Administration Tool, Virus Self-replicating: yes Population growth: positive Parasitic: yes When executed, tries to replicate itself into other executable code o So, it relies in some way on other code Does not propagate via a network Nice virus history given by Aycock Worm Self-replicating: yes Population growth: positive Parasitic: no Like a virus, except… o Spreads over network o Worm is standalone, does not rely on other code Good history in Aycock’s book Rabbit Self-replicating: yes Population growth: 0 Parasitic: no Two kinds of rabbits o One uses up system resources o One uses up network resources (special case of a worm) Spyware Self-replicating: no Population growth: 0 Parasitic: no Collects info and sends it to someone o Username/password, bank info, credit card info, software license info, etc. First mention is about 1995 May arrive via “drive-by download” Adware Self-replicating: no Population growth: 0 Parasitic: no Similar to spyware but focused on marketing Hybrids, Droppers, etc. Hybrid is combination of different types of malware o Worm that is a rabbit, trojan that acts like a virus, etc., etc. Dropper is malware that deposits other malware o For example, a worm might leave behind a back door… Zombies Compromised machines that can be used by an attacker o Spam o Denial of service (DoS) o Distributed denial of service (DDoS) Today, usually part of a botnet Naming No agreed on naming convention Virus writer might suggest a name o “Your PC is now stoned!” Different vendors might use different names Different variants might get different names, etc. Naming Factors related to naming o Malware type o Family name o Variant o Modifiers (e.g., “mm” for “mass mailer”) But many different names applied to same virus (or family) o See book for examples Authorship Author and distributor may differ Is malware author a “hacker” or “cracker”? o It depends on your definitions… So, Aycock does not use terms like hacker or cracker o Instead, uses boring terms like malware author, malware writer, virus writer, etc. Malware Writers Botnet hacker caught in Slovenia (2010) Japanese Virus Writer Arrested for the Second Time (2010) o "I wanted to see how much my computer programming skills had improved since the last time I was arrested." Teen Arrested in Blaster Case (2003) No 'sorry' from Love Bug author (2005) Timeline