The Purposes
Many early
infectious programs,
including the first Internet Worm and a number of MS-DOS viruses, were
written as experiments or pranks generally intended to be harmless or
merely annoying rather than to cause serious damage to computers. In
some cases the perpetrator did not realize how much harm their
creations could do. Young programmers learning about viruses and the
techniques used to write them only to prove that they could or to see
how far it could spread. As late as 1999, widespread viruses such as
the Melissa virus appear to have been written chiefly as pranks.
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.
However, since the rise of widespread broadband Internet access, malicious software has come to be designed for a profit motive, either more or less legal (forced advertising) or criminal. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service (Ping of Death) attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affilate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications. It is not uncommon for spyware and advertising programs to install so many processes that the infected machine becomes unusable, defeating the intention of the attack.
Malware for profit: spyware, botnets, keystroke loggers, and dialers
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange.) More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.
Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.
Another way that financially-motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with Distributed denial-of-service attacks (Ping of Death).
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or mallbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.
Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD Key or password for online games, Operating Systems, allowing the creator to steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.
Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.
Characteristics of data-stealing malware
Does not leave traces of the event
The malware is typically stored in the local cache which is routinely flushed
The malware may be installed via a drive-by-download process
The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions
It is difficult for antivirus software to detect final payload attributes due to the combinations of malware components
The malware uses multiple file encryption levels
Malware kits sold via underground forums are able to generate different files on-the-fly
Thwarts Intrusion Detection Systems (IDS) after successful installation
There are no perceivable network anomalies
The malware hides in web traffic
The malware is stealthier in terms of traffic and resource use
Thwarts disk encryption
Data is stolen during decryption and display
The malware can monitor keystrokes and passwords
Thwarts Data Loss Prevention (DLP)
Leakage protection hinges on metadata tagging, not everything is tagged
Miscreants can use encryption to port data
Examples of data-stealing malware
LegMir, spyware that steals personal information such as account names and passwords related to online games and Operating Systems
Qhost, a Trojan that modifies the HOSTS file to point to a different DNS server when banking sites are accessed then opens a spoofed login page to steal login credentials for those financial institutions
Bancos, an info stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information
Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis then serves targeted pop-up ads
Data-stealing malware incidents
Eleven people were implicated in a massive identity theft and computer fraud scheme targeting nine U.S. retailers (BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21). Over 40 million credit and debit card numbers were stolen.
A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users PCs.
Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits.
Vulnerability to malware
In this context, as throughout, it should be borne in mind that the system under attack may be of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
Homogeneity e.g. when all computers in a network run the same OS, if you can hack that OS, you can break into any computer running it.
Defects most systems containing errors which may be exploited by malware.
Unconfirmed code code from a floppy disk, CD-ROM or USB device may be executed without the user agreement.
Over-privileged users some systems allow all users to modify their internal structures.
Over-privileged code most popular systems allow code executed by a user all rights of that user.
An often cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.
Most systems contain bugs which may be exploited by malware. A typical example is the buffer overrun, in which an interface designed to store data in a small area of memory allows the caller to supply more data than will fit. This extra data then overwrites the interface's own structure. In this way malware can force the system to execute malicious code, by replacing legitimate code with its own payload.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.
In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is a primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.
Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of email attachments, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.
Eliminating over-privileged code
Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.
The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.
Other approaches are:
Various forms of virtualization, allowing the code unlimited access only to virtual resources
Various forms of sandbox or jaill
The security functions of Java, in java.security
Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.
However, since the rise of widespread broadband Internet access, malicious software has come to be designed for a profit motive, either more or less legal (forced advertising) or criminal. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service (Ping of Death) attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affilate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications. It is not uncommon for spyware and advertising programs to install so many processes that the infected machine becomes unusable, defeating the intention of the attack.
Malware for profit: spyware, botnets, keystroke loggers, and dialers
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange.) More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.
Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.
Another way that financially-motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with Distributed denial-of-service attacks (Ping of Death).
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or mallbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.
Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD Key or password for online games, Operating Systems, allowing the creator to steal accounts or virtual items.
Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.
Data-stealing malware
Data-stealing malware is a web threat that divests victims of personal and proprietary information with the intent of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.
Characteristics of data-stealing malware
Does not leave traces of the event
The malware is typically stored in the local cache which is routinely flushed
The malware may be installed via a drive-by-download process
The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions
It is difficult for antivirus software to detect final payload attributes due to the combinations of malware components
The malware uses multiple file encryption levels
Malware kits sold via underground forums are able to generate different files on-the-fly
Thwarts Intrusion Detection Systems (IDS) after successful installation
There are no perceivable network anomalies
The malware hides in web traffic
The malware is stealthier in terms of traffic and resource use
Thwarts disk encryption
Data is stolen during decryption and display
The malware can monitor keystrokes and passwords
Thwarts Data Loss Prevention (DLP)
Leakage protection hinges on metadata tagging, not everything is tagged
Miscreants can use encryption to port data
Examples of data-stealing malware
LegMir, spyware that steals personal information such as account names and passwords related to online games and Operating Systems
Qhost, a Trojan that modifies the HOSTS file to point to a different DNS server when banking sites are accessed then opens a spoofed login page to steal login credentials for those financial institutions
Bancos, an info stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information
Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis then serves targeted pop-up ads
Data-stealing malware incidents
Eleven people were implicated in a massive identity theft and computer fraud scheme targeting nine U.S. retailers (BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21). Over 40 million credit and debit card numbers were stolen.
A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc job search service. The data was used by cybercriminals to craft phishing emails targeted at Monster.com users to plant additional malware on users PCs.
Customers of Hannaford Bros. Co, a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits.
Vulnerability to malware
In this context, as throughout, it should be borne in mind that the system under attack may be of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
Homogeneity e.g. when all computers in a network run the same OS, if you can hack that OS, you can break into any computer running it.
Defects most systems containing errors which may be exploited by malware.
Unconfirmed code code from a floppy disk, CD-ROM or USB device may be executed without the user agreement.
Over-privileged users some systems allow all users to modify their internal structures.
Over-privileged code most popular systems allow code executed by a user all rights of that user.
An often cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.
Most systems contain bugs which may be exploited by malware. A typical example is the buffer overrun, in which an interface designed to store data in a small area of memory allows the caller to supply more data than will fit. This extra data then overwrites the interface's own structure. In this way malware can force the system to execute malicious code, by replacing legitimate code with its own payload.
Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.
In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is a primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.
Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of email attachments, which may or may not be disguised.
Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.
Eliminating over-privileged code
Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.
The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.
Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.
Other approaches are:
Various forms of virtualization, allowing the code unlimited access only to virtual resources
Various forms of sandbox or jaill
The security functions of Java, in java.security
Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.