Transcript malware_02
Chapter 2
Definitions and Timeline
Categorizing Malware
No
agreed upon definitions
o Even for “virus” and “worm”
Consider
categories based on…
o Self-replicating
o Population growth
o Parasitic
Then
we name the different types
o As defined by Aycock
Self-replicating Malware
Self-replicating
malware
Actively attempts to propagate by
creating new copies
May also propagate passively
o But this isn't self-replication
Called
these “worms” (in CS 265)
Population Growth
Population
growth
Describes change in the number of
instances
Malware that doesn't self-replicate
will have a zero population growth
o But malware with a zero population
growth may self-replicate
Parasitic
Parasitic
malware
Requires some other executable code
"Executable” taken very broadly
o Boot block code on a disk
o Binary code in applications
o Application scripting languages
o Source code that may require
compilation before executing, etc.
Types of Malware
Logic
Bomb
Trojan
Back Door
Virus
Worm
Rabbit
Spyware/Adware
Other
Logic Bomb
Self-replicating:
no
Population growth: 0
Parasitic: possibly
Consists of 2 parts
o Payload --- action to be performed
o Trigger --- event to execute payload
Donald
Gene Burleson case (CS 265)
Trojan Horse
Self-replicating:
no
Population growth: 0
Parasitic: yes
Name comes from ancient world
o Pretends to be innocent, but it’s not
Example:
fake login prompt that
steals passwords
Back Door
Self-replicating:
no
Population growth: 0
Parasitic: possibly
Bypasses normal security checks
o So enables unauthorized access
Example:
or RAT
Remote Administration Tool,
Virus
Self-replicating:
yes
Population growth: positive
Parasitic: yes
When executed, tries to replicate
itself into other executable code
o So, it relies in some way on other code
Does
not propagate via a network
Nice
virus history given by Aycock
Worm
Self-replicating:
yes
Population growth: positive
Parasitic: no
Like a virus, except…
o Spreads over network
o Worm is standalone, does not rely on
other code
Good
history in Aycock’s book
Rabbit
Self-replicating:
yes
Population growth: 0
Parasitic: no
Two kinds of rabbits
o One uses up system resources
o One uses up network resources (special
case of a worm)
Spyware
Self-replicating:
no
Population growth: 0
Parasitic: no
Collects info and sends it to someone
o Username/password, bank info, credit
card info, software license info, etc.
First
mention is about 1995
May arrive via “drive-by download”
Adware
Self-replicating:
no
Population growth: 0
Parasitic: no
Similar to spyware but focused on
marketing
Hybrids, Droppers, etc.
Hybrid
is combination of different
types of malware
o Worm that is a rabbit, trojan that acts
like a virus, etc., etc.
Dropper
is malware that deposits
other malware
o For example, a worm might leave behind
a back door…
Zombies
Compromised
machines that can be
used by an attacker
o Spam
o Denial of service (DoS)
o Distributed denial of service (DDoS)
Today,
usually part of a botnet
Naming
No
agreed on naming convention
Virus writer might suggest a name
o “Your PC is now stoned!”
Different
vendors might use
different names
Different variants might get
different names, etc.
Naming
Factors
related to naming
o Malware type
o Family name
o Variant
o Modifiers (e.g., “mm” for “mass mailer”)
But
many different names applied to
same virus (or family)
o See book for examples
Authorship
Author
and distributor may differ
Is malware author a “hacker” or
“cracker”?
o It depends on your definitions…
So,
Aycock does not use terms like
hacker or cracker
o Instead, uses boring terms like malware
author, malware writer, virus writer, etc.
Malware Writers
Botnet
hacker caught in Slovenia (2010)
Japanese Virus Writer Arrested for
the Second Time (2010)
o "I wanted to see how much my computer
programming skills had improved since the
last time I was arrested."
Teen
Arrested in Blaster Case (2003)
No 'sorry' from Love Bug author (2005)
Timeline