Malware is software designed to infiltrate or damage a
computer system, without the owner's informed consent. There are
disagreements about the etymology of the term itself, the primary
uncertainty being whether it is a portmanteau word (of "malicious"
and "software") or simply composed of the prefix "mal-" and the
morpheme "ware". Malware references the intent of the creator,
rather than any particular features. It includes computer viruses,
worms, Trojan horses, spyware, adware, and other malicious and
unwanted software. In law, malware is sometimes known as a
computer contaminant, for instance in the legal codes of
California, West Virginia, and several other U.S. states [1].
Malware should not be confused with defective software, that is, software
which has a legitimate purpose but contains harmful bugs.
Purposes
Over the years, people have written malicious software for a number of
different purposes.
Many early infectious programs, including the Internet Worm and a number of
MS-DOS viruses, were written as experiments or pranks generally intended to be
harmless or merely annoying rather than to cause serious damage. Young
programmers learning about viruses and the techniques used to write them might
write one to prove that they can do it, or to see how far it could spread. As
late as 1999, widespread viruses such as the Melissa virus appear to have been
written chiefly as pranks.
A slightly more hostile intent can be found in programs designed to vandalize
or cause data loss. Many DOS viruses were designed to destroy files on a hard
disk, or to corrupt the file system by writing junk data. Network-borne worms
such as the 2001 Code Red worm or the Ramen worm fall into the same category.
Designed to vandalize web pages, these worms may seem like the online equivalent
to graffiti tagging, with the author's name or affinity group appearing
everywhere the worm goes.
|
A Talk about Malware and how it can affect your computer
Video, Movie, Film, Clip |
|
|
However, since the rise of widespread broadband Internet access, more
malicious software has been designed for a profit motive. For instance, since
2003, the majority of widespread viruses and worms have been designed to take
control of users' computers for black-market exploitation.
Infected "zombie computers" are used to send
email spam, to host contraband data such as child pornography, or to engage in
distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware --
programs designed to monitor users' web browsing, display unsolicited
advertisements, or redirect affiliate marketing revenues to the spyware creator.
Spyware programs do not spread like viruses; they are generally installed by
exploiting security holes or are packaged with user-installed software.
Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known
for the manner in which they spread, rather than any other particular behaviour.
Originally, the term computer virus was used for a program which infected
other executable software, while a worm transmitted itself over a network
to infect computers. More recently, the words are often used interchangeably.
Today, some draw the distinction between viruses and worms by saying that a
virus requires user intervention to spread, whereas a worm spreads
automatically.
Using this distinction, infections transmitted by email or Microsoft Word
documents, which rely on the recipient opening a file to infect the system,
would be classified as viruses, not worms.
Capsule history of viruses and worms
Before Internet access became widespread, viruses spread on personal
computers by infecting programs or the executable boot sectors of floppy disks.
By inserting a copy of itself into the machine code instructions in these
executables, a virus causes itself to be run whenever the program is run or the
disk is booted. Early computer viruses were written for the Apple II and
Macintosh, but they became more widespread with the dominance of the IBM PC and
MS-DOS system. Executable-infecting viruses are dependent on users exchanging
software or boot floppies, so they spread heavily in computer hobbyist circles.
The first worms, network-borne infectious programs, originated not on
personal computers, but on multitasking Unix systems. The first well-known worm
was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike
a virus, this worm did not insert itself into other programs. Instead, it
exploited security holes in network server programs and started itself running
as a separate process. This same behaviour is used by today's worms as well.
With the rise of the Microsoft Windows platform in the 1990s, and the
flexible macro systems of its applications, it became possible to write
infectious code in the macro language of Microsoft Word and similar programs.
These macro viruses infect documents and templates rather than
applications, but rely on the fact that macros in a Word document are a form of
executable code.
Today, worms are most commonly written for the Windows OS, although a small
number are also written for Linux and Unix systems. Worms today work in the same
basic way as 1988's Internet Worm: they scan the network for computers with
vulnerable network services, break in to those computers, and copy themselves
over. Worm outbreaks have become a cyclical plague for both home users and
businesses, eclipsed recently in terms of damage by spyware.
Concealment: Trojan horses, rootkits and backdoors
For a malicious program to accomplish its goals, it must be able to do so
without being shut down by the user or administrator of the computer it's
running on. Concealment can also help get the malware installed in the first
place. By disguising a malicious program as something innocuous or desirable,
users may be tempted to install it without knowing what it does. This is the
technique of the Trojan horse or trojan.
Broadly speaking, a Trojan horse is any program that invites the user to run
it, but conceals a harmful or malicious payload. The payload may take effect
immediately and can lead to many undesirable effects, such as deleting all the
user's files, or more commonly it may install further harmful software into the
user's system to serve the creator's longer-term goals. Trojan horses known as
droppers are used to start off a worm outbreak, by injecting the worm into
users' local networks.
One of the most common ways that spyware is distributed is as a Trojan horse,
bundled with a piece of desirable software that the user downloads off the Web
or a peer-to-peer file-trading network. When the user installs the software, the
spyware is installed alongside. Spyware authors who attempt to act legally may
include an end-user license agreement which states the behaviour of the spyware
in loose terms, but with the knowledge that users are unlikely to read or
understand it.
Once a malicious program is installed on a system, it is often useful to the
creator if it stays concealed. The same is true when a human attacker
breaks into a computer directly. Techniques known as rootkits allow this
concealment, by modifying the host operating system so that the malware is
hidden from the user. Rootkits can prevent a malicious process from being
reported in the process table, or keep its files from being read. Originally, a
rootkit was a set of tools installed by a human attacker on a Unix system where
the attacker had gained administrator (root) access. Today, the term is used
more generally for concealment routines in a malicious program.
A backdoor is a method of bypassing normal authentication procedures. Many
computer manufacturers preinstall backdoors on their systems to provide
technical support for customers.
Hackers typically use backdoors to secure remote access to a computer, while
attempting to remain hidden from casual inspection. To install backdoors hackers
use either Trojan horse or computer worm.
Malware for profit: spyware, botnets, loggers, and dialers
During the 1980s and 1990s, it was usually taken for granted that malicious
programs were created as a form of vandalism or prank. More recently, the
greater share of malware programs have been written with a financial or profit
motive in mind. This can be taken as the malware authors' choice to monetize
their control over infected systems: to turn that control into a source of
revenue.
Since 2003 or so, the most costly form of malware in terms of time and money
spent in recovery has been the broad category known as spyware.
Spyware programs are commercially produced for
the purpose of gathering information about computer users, showing them pop-up
ads, or altering web-browser behaviour for the financial benefit of the spyware
creator. For instance, some spyware programs redirect search engine results to
paid advertisements. Others often called "stealware" by the media overwrite
affiliate marketing codes so that revenue goes to the spyware creator rather
than the intended recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or
another.
They differ in that their creators present themselves openly as businesses, for
instance by selling advertising space on the pop-ups created by the malware.
Most such programs present the user with an end-user license agreement which
purportedly protects the creator from prosecution under computer contaminant
laws. However, spyware EULAs have not yet been upheld in court.
Another way that financially-motivated malware creator can monetize their
infections is to directly use the infected computers to do work for the creator.
Spammer viruses, such as the Sobig and Mydoom virus families, are
commissioned by e-mail spam gangs. The infected computers are used as proxies to
send out spam messages. The advantage to spammers of using infected computers is
that they are available in large supply (thanks to the virus) and they provide
anonymity, protecting the spammer from prosecution. Spammers have also used
infected PCs to target anti-spam organizations with distributed
denial-of-service attacks.
In order to coordinate the activity of many infected computers, attackers
have used coordinating systems known as botnets. In a botnet, the malware
logs in to an Internet Relay Chat channel or other chat system. The attacker can
then give instructions to all the infected systems simultaneously. Botnets can
also be used to push upgraded malware to the infected systems, keeping them
resistant to anti-virus software or other security measures.
Lastly, it is possible for a malware creator to profit by simply stealing
from the person whose computer is infected. Some malware programs install a
key logger, which copies down the user's keystrokes when entering a
password, credit card number, or other useful information. This is then
transmitted to the malware creator automatically, enabling credit card fraud and
other theft. Similarly, malware may copy the CD key or password for online
games, allowing the creator to steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control
of the modem and dial an expensive toll call. Dialer (or porn dialer)
software dials up a premium-rate telephone number such as a U.S. "900 number"
and leave the line open, charging the toll to the infected user.
Vulnerability to Malware
In this context, as throughout, it should be borne in mind that the “system”
under attack may be of various types, ee.g. a single computer and operating
system, a network or an application.
Various factors make a system more vulnerable to malware:
- Homogeneity – e.g. when all computers in a network run the same OS,
if you can break that OS, you can break into any computer running it.
- Bugginess – most systems containing errors which may be exploited by
malware.
- Unconfirmed code – code from a floppy disk, CD or USB device may be
executed without the user’s agreement.
- Over-privileged users – some systems allow all users to modify their
internal structures.
- Over-privileged code – most popular systems allow code executed by a
user all rights of that user.
An oft-cited cause of vulnerability of networks is homogeneity or
software monoculture. In particular, Microsoft Windows has such a large share of
the market that concentrating on it will enable a cracker to subvert a large
number of systems. Introducing inhomogeneity purely for the sake of robustness
would however bring high costs in terms of training and maintenance.
Most systems contain bugs which may be exploited by malware. Typical
examples are buffer overruns, in which an interface designed to store data in a
small area of memory allows the caller to supply too much, and then overwrites
its internal structures. This may used by malware to force the system to execute
its code.
Originally, PCs had to be booted from floppy disks, and until recently it was
common for this to be the default boot device. This meant that a corrupt floppy
disk could subvert the computer during booting, and the same applies to CDs.
Although that is now less common, it is still possible to forget that one has
changed the default, and rare that a BIOS makes one confirm a boot from
removable media.
In some systems, non-administrator users are over-privileged by
design, in the sense that they are allowed to modify internal structures of the
system. In some environments, users are over-privileged because they have been
inappropriately granted administrator or equivalent status. This is a primarily
a configuration decision, but on Microsoft Windows systems the default
configuration is to over-privilege the user. This situation exists due to
decisions made by Microsoft to prioritize compatibility with older systems above
security configuration in newer systems. As privilege escalation exploits have
increased this priority is shifting for the release of Microsoft Windows Vista.
As a result, many existing applications that require excess privilege
(over-privileged code) are expected to have compatibility problems with Vista.
Malware, running as over-privileged code, can use this privilege to subvert
the system. Almost all currently popular operating systems, and also many
scripting applications allow code too many privileges, usually in the
sense that when a user executes code, the system allows that code all rights of
that user. This makes users vulnerable to malware in the form of e-mail
attachments, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they
trust, and to be wary of code received from untrusted sources. It also common
for operating systems to be designed so that device drivers need escalated
privileges, while they are supplied by more and more hardware manufacturers,
some of whom may be unreliable.
Eliminating over-privileged code
The design flaw of over-privileged code dates from the time when most
programmes were either delivered with a computer or written in-house, and
repairing it would at a stroke render most anti-virus software almost redundant.
It would, however, have appreciable consequences for the user interface and
system management.
The system would have to maintain privilege profiles, and know which to apply
for each user and program. In the case of newly installed software, an
administrator would need to set up default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for
arbitrary rogue executables. Two techniques, used in VMS, that can help are
memory mapping only the registers of the device in question and a system
interface associating the driver with interrupts from the device.
Other approaches are:
- various forms of virtualization, allowing the code unlimited access only to
virtual resources.
- various forms of sandbox or jail.
- the security functions of Java, in 'java.security'.
Such approaches, however, if not fully integrated with the operating system,
would reduplicate effort and not be universally applied, both of which would be
detrimental to security.
Academic Research on Malware: A Brief Overview
The notion of a self-reproducing computer program can be traced back to 1949
when John von Neumann presented lectures that encompassed the theory and
organization of complicated automata [Ne49]. Neumann showed that in theory a
program could reproduce itself. This constituted a plausibility result in
computability theory. Fred Cohen experimented with computer viruses and
confirmed Neumann's postulate. He also investigated other properties of malware
(detect ability, self-obfuscating programs that used rudimentary encryption that
he called "evolutionary", and so on). His doctoral dissertation was on the
subject of computer viruses [Co86]. Cohen's faculty advisor, Leonard Adleman
(the A in RSA) presented a rigorous proof that, in the general case,
algorithmically determining whether a virus is or is not present is Turing
undecidable [Ad88]. This problem must not be mistaken for that of determining,
within a broad class of programs, that a virus is not present; this problem
differs in that it does not require the ability to recognize all viruses.
Adleman's proof is perhaps the deepest result in malware computability theory to
date and it relies on Cantor's diagonal argument as well as the halting problem.
Ironically, it was later shown by Young and Yung that Adleman's work in
cryptography is ideal in constructing a virus that is highly resistant to
reverse-engineering by presenting the notion of a cryptovirus [YY96]. A
cryptovirus is a virus that contains and uses a public key. In the cryptoviral
extortion attack, the virus hybrid encrypts plaintext data on the victim's
machine using the virus writer's public key. In theory the victim must negotiate
with the virus writer to get the plaintext back (assuming there are no backups).
Analysis of the virus reveals the public key, not the needed private decryption
key. This result was the first to show that computational complexity theory can
be used to devise malware that is robust against reverse-engineering.
Another growing area of computer virus research is to mathematically model
the infection behaviour of worms using models such as Lotka-Volterra equations,
which has been applied in the study of biological virus. Various virus
propagation scenarios have been studied by researchers such as propagation of
computer virus, fighting virus with virus like predator codes [ToKa02], virus
war- fighting between worms [TaKh06], effectiveness of patching etc.
|
Comments |
|
Awaiting your comments |
