Chapter 2 Definitions and Timeline

Upload: olinda

Post on 25-Feb-2016

DESCRIPTION

Chapter 2 Definitions and Timeline. Categorizing malware: there are no agreed-upon definitions, even for "virus" and "worm". Consider categories based on three attributes (self-replicating, population growth, parasitic), then name the different types as defined by Aycock. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Chapter 2 Definitions and Timeline

Page 2: Categorizing Malware

- No agreed-upon definitions
  o Even for "virus" and "worm"
- Consider categories based on...
  o Self-replicating
  o Population growth
  o Parasitic
- Then we name the different types
  o As defined by Aycock

Page 3: Self-replicating Malware

- Self-replicating malware actively attempts to propagate by creating new copies
- May also propagate passively
  o But this isn't self-replication
- Called these "worms" (in CS 265)

Page 4: Population Growth

- Population growth describes change in the number of instances due to self-replication
- Malware that doesn't self-replicate will have a zero population growth
  o But malware with a zero population growth may self-replicate

Page 5: Parasitic

- Parasitic malware requires some other executable code
- "Executable" taken very broadly
  o Boot block code on a disk
  o Binary code in applications
  o Application scripting languages
  o Source code that may require compilation before executing, etc.

Page 6: Types of Malware

- Logic Bomb
- Trojan
- Back Door
- Virus
- Worm
- Rabbit
- Spyware/Adware
- Other

Page 7: Logic Bomb

- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Consists of 2 parts
  o Payload --- action to be performed
  o Trigger --- event to execute payload
- Donald Gene Burleson case (CS 265)

Page 8: Trojan Horse

- Self-replicating: no
- Population growth: 0
- Parasitic: yes
- Name comes from ancient world
  o Pretends to be innocent, but it's not
- Example: fake login prompt that steals passwords

Page 9: Back Door

- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Bypasses normal security checks
  o So enables unauthorized access
- Example: Remote Administration Tool, or RAT

Page 10: Virus

- Self-replicating: yes
- Population growth: positive
- Parasitic: yes
- When executed, tries to replicate itself into other executable code
  o So, it relies in some way on other code
- Does not propagate via a network
- Nice virus history given by Aycock

Page 11: Worm

- Self-replicating: yes
- Population growth: positive
- Parasitic: no
- Like a virus, except...
  o Spreads over network
  o Worm is standalone, does not rely on other code
- Good history in Aycock's book

Page 12: Rabbit

- Self-replicating: yes
- Population growth: 0
- Parasitic: no
- Two kinds of rabbits
  o One uses up system resources
  o One uses up network resources (special case of a worm: the copy on the next machine replaces the original, so the count of instances never grows)
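The three attributes on the preceding slides (self-replicating, population growth, parasitic) are easier to pin down when read off behaviour rather than off a table. The toy simulation below is an added example, not code from the slides or from Aycock's book; its four-host network, the executables on each host and the propagation rules are constructed assumptions. It shows why a virus' population grows but never leaves its host, why a worm's grows across the network, why a rabbit can self-replicate and still have zero population growth (the caveat on the Population Growth slide), and why a logic bomb has zero growth without replicating at all.

```python
"""Toy simulation of the three attributes used on these slides: self-
replicating, population growth and parasitic. Added example, not code from
the slides or from Aycock's book. The four-host network, the executables on
each host and the propagation rules are constructed assumptions chosen so
that each malware type's attributes can be read off the simulation."""

# Constructed network: host -> neighbouring hosts (a ring of four machines).
NETWORK = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C", "A"]}

# Constructed file systems: three executables per host that a parasitic
# infector could attach itself to.
EXECUTABLES = {h: [f"{h}:prog{i}.exe" for i in range(3)] for h in NETWORK}

# An instance is a (host, file) pair; file is None for standalone code.


def step_static(instances):
    """Logic bomb, trojan, back door, spyware: no replication at all."""
    return set(instances)


def step_virus(instances):
    """Virus: parasitic; each copy infects one clean executable on its own
    host. It never crosses the network, so it stays on the seed host."""
    new = set(instances)
    for host, _ in list(instances):
        clean = [f for f in EXECUTABLES[host] if (host, f) not in new]
        if clean:
            new.add((host, clean[0]))
    return new


def step_worm(instances):
    """Worm: standalone; each copy spawns one copy on a clean neighbouring
    host. The original stays behind, so the population grows."""
    new = set(instances)
    for host, _ in list(instances):
        occupied = {h for h, _ in new}
        for nb in NETWORK[host]:
            if nb not in occupied:
                new.add((nb, None))
                break
    return new


def step_rabbit(instances):
    """Network rabbit (Aycock's second kind): self-replicating, but the copy
    replaces the original, so the population never changes."""
    return {(NETWORK[host][0], None) for host, _ in instances}


def simulate(step, seed, steps):
    """Population (number of instances) after each step, from one seed."""
    generations = [{seed}]
    for _ in range(steps):
        generations.append(step(generations[-1]))
    return [len(g) for g in generations]


def classify(step, seed, steps=3):
    """Read the three slide attributes off the simulated behaviour."""
    generations = [{seed}]
    for _ in range(steps):
        generations.append(step(generations[-1]))
    # Self-replicating: some step produced an instance that did not exist
    # before. A rabbit qualifies: its copy is new even though the original
    # is gone.
    self_replicating = any(len(later - earlier) > 0
                           for earlier, later in zip(generations, generations[1:]))
    delta = len(generations[-1]) - len(generations[0])
    population_growth = "positive" if delta > 0 else "0" if delta == 0 else "negative"
    # Parasitic: every surviving instance lives inside some other executable.
    parasitic = all(f is not None for _, f in generations[-1])
    return {"self_replicating": self_replicating,
            "population_growth": population_growth,
            "parasitic": parasitic}


if __name__ == "__main__":
    for name, step, seed in [("logic bomb", step_static, ("A", "A:prog0.exe")),
                             ("virus", step_virus, ("A", "A:prog0.exe")),
                             ("worm", step_worm, ("A", None)),
                             ("rabbit", step_rabbit, ("A", None))]:
        print(f"{name:10s} population {simulate(step, seed, 3)} -> {classify(step, seed)}")
```

Running it prints the population series and the three attributes for each type. For the non-replicating types the `parasitic` answer depends on whether the seed is placed inside a host executable or run standalone, which is exactly the slides' "possibly".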

Page 13: Spyware

- Self-replicating: no
- Population growth: 0
- Parasitic: no
- Collects info and sends it to someone
  o Username/password, bank info, credit card info, software license info, etc.
- First mention is about 1995
- May arrive via "drive-by download"

Page 14: Adware

- Self-replicating: no
- Population growth: 0
- Parasitic: no
- Similar to spyware but focused on marketing

Page 15: Hybrids, Droppers, etc.

- Hybrid is combination of different types of malware
  o Worm that is a rabbit, trojan that acts like a virus, etc., etc.
- Dropper is malware that deposits other malware
  o For example, a worm might leave behind a back door...

Page 16: Zombies

- Compromised machines that can be used by an attacker
  o Spam
  o Denial of service (DoS)
  o Distributed denial of service (DDoS)
- Today, usually part of a botnet

Page 17: Naming

- No agreed-on naming convention
- Virus writer might suggest a name
  o "Your PC is now stoned!"
- Different vendors might use different names
- Different variants might get different names, etc.

Page 18: Naming

- Factors related to naming
  o Malware type
  o Family name
  o Variant
  o Modifiers (e.g., "mm" for "mass mailer")
- But many different names applied to same virus (or family)
  o See book for examples

Page 19: Authorship

- Author and distributor may differ
- Is malware author a "hacker" or "cracker"?
  o It depends on your definitions...
- So, Aycock does not use terms like hacker or cracker
  o Instead, uses boring terms like malware author, malware writer, virus writer, etc.

Page 20: Malware Writers

- Botnet hacker caught in Slovenia (2010)
- Japanese Virus Writer Arrested for the Second Time (2010)
  o "I wanted to see how much my computer programming skills had improved since the last time I was arrested."
- Teen Arrested in Blaster Case (2003)
- No 'sorry' from Love Bug author (2005)

Page 21: Timeline