The Grey Chronicles

2008.June.27

Understanding Malwares: Characteristics



Malware targets[2] a host environment, and often a specific device type, such as a personal computer, an Apple Macintosh, or even a Personal Digital Assistant (PDA). There have also been worrying reports of malware that assaults cellular phones, especially those connected to a PC or laptop for data exchange. Malware may require a particular operating system to be effective; e.g., the CIH or Chernobyl virus of the late 1990s could only infect Microsoft Windows® 95 or Windows® 98 computers. Malware may also require a particular application to be installed on the target computer before it can deliver a payload or replicate.

If the malware is a virus, it will attempt to target a carrier object (a.k.a. a host) and infect it. The most commonly targeted carriers are executable files, scripts, macros, and boot sectors. The “classic” replicating virus attaches itself to a host program, an executable file—typically one with the .exe extension, but also .com, .sys, .dll, .ovl, .ocx, and .prg. Attacks that use scripts as carriers target files written in a scripting language such as Microsoft Visual Basic® Script, JavaScript, AppleScript, or Perl; these files use the extensions .vbs, .js, .wsh, and .pl. Macro carriers are documents created by applications that support a macro scripting language, such as a word processor (e.g., Microsoft Word or Lotus Ami Pro), a spreadsheet (e.g., Microsoft Excel), or a database application. Viruses use macro languages to produce effects ranging from mischievous (switching words around in a document or changing colors) to malicious (formatting the computer’s hard drive). Specific areas of computer disks (hard disks and bootable removable media), such as the master boot record (MBR) or the DOS boot record, are also considered carriers because the code they hold is executed at boot time, before the operating system and any antivirus software are running.
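The boot-sector carrier deserves a concrete look, because its layout is fixed and small enough to check by hand. The following is an added example, not code from the original post or from the Microsoft guide it cites: it parses a 512-byte MBR image, rejects anything without the 0x55AA boot signature, separates the 446-byte executable boot code from the four-entry partition table, and compares a hash of the boot code against a recorded baseline. The two MBR images, the placeholder boot-loader bytes and the single NTFS-type partition are constructed for the demo; a real boot-sector infector typically replaces the boot code and leaves the partition table intact, which is exactly what the baseline comparison catches.

```python
import hashlib
import struct

# MBR layout (first 512-byte sector of a BIOS-bootable disk): 446 bytes of boot code,
# four 16-byte partition entries, then the 0x55 0xAA boot signature.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE_OFF = 510
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR image for the demo (placeholder bytes, not a real boot loader)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, sectors)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its executable boot code and its partition table; reject non-MBR data."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """Hash only the executable region: the partition table may change legitimately, the boot code should not."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def boot_code_matches_baseline(sector: bytes, baseline_hash: str) -> bool:
    return boot_code_hash(sector) == baseline_hash


# Constructed samples: a "clean" MBR recorded as the baseline, and the same disk after a
# boot-sector infector replaced the boot code while leaving the partition table untouched.
PARTITIONS = [(True, 0x07, 2048, 204800)]  # one bootable NTFS-type partition (assumed)
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"ORIGINAL-BOOT-LOADER-PLACEHOLDER", PARTITIONS)
INFECTED_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"VIRUS-LOADER-THEN-JUMP-TO-ORIGINAL", PARTITIONS)
BASELINE = boot_code_hash(CLEAN_MBR)

if __name__ == "__main__":
    same_table = parse_mbr(CLEAN_MBR)["partitions"] == parse_mbr(INFECTED_MBR)["partitions"]
    print("partition table unchanged:", same_table)
    print("clean boot code matches baseline:", boot_code_matches_baseline(CLEAN_MBR, BASELINE))
    print("infected boot code matches baseline:", boot_code_matches_baseline(INFECTED_MBR, BASELINE))
```

On a live system the sector would come from reading the first 512 bytes of the raw disk device, and the baseline hash would be recorded when the machine was known to be clean; the point of hashing only the first 446 bytes is that a repartitioning does not raise a false alarm while any change to the code that runs at boot does.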

Malware uses one or more methods to replicate between computer systems: removable media, network shares, network scanning, peer-to-peer file sharing, e-mail, and remote exploits.

File transfer is the original and probably the most prolific transmitter of computer viruses and other malware: it started with floppy disks, moved to networks, and is now finding new removable media such as Universal Serial Bus (USB) and FireWire devices. Poorly secured network shares, which are replacing removable media, produce an environment in which malware can replicate to a large number of computers connected to the network. Malware may also scan networks for vulnerable computers or attack IP addresses at random.

For Peer-to-Peer (P2P) file transfers to occur, a user must first install the client component of the P2P application, which will use one of the network ports allowed through the organization’s firewall, such as port 80. P2P then provides a direct transport mechanism for placing an infected file on a client’s hard disk.

E-mail has become the transport mechanism of choice for many malware attacks, relying on social engineering (e.g., tricking users into opening e-mail attachments) and on either a mailer or a mass mailer. A mailer mails itself to a limited number of e-mail addresses, using mail software installed on the host (e.g., Microsoft Outlook® Express) or its own built-in Simple Mail Transfer Protocol (SMTP) engine; a mass mailer searches the infected computer for e-mail addresses and then mails itself to all of them, again using either the host’s mail software or its own built-in SMTP engine.

Last but not least is the remote exploit, in which malware exploits a particular vulnerability in a service or application in order to replicate. This behavior is typical of worms; for example, the Slammer worm took advantage of a vulnerability in Microsoft SQL Server™ 2000. Other widely used databases, such as Oracle, MySQL and PostgreSQL, have all had vulnerabilities that allow the database to be compromised.[3]
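The transports above leave traces at the network edge, and two of them can be picked out of ordinary firewall logs. The following is an added example, not code from the original post or from the guides it cites: it runs two detections over constructed log lines. The first flags an unapproved host delivering mail directly to many remote SMTP servers, which is what a mass mailer with its own SMTP engine looks like from outside. The second flags one host hitting a single service port on many different addresses, which is what a scanning worm such as Slammer on udp/1434 looks like. The log format, the relay address 10.0.0.25, the watch-list ports and the thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Assumed firewall/netflow line format for the demo (constructed, not a real product's format).
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Hosts allowed to speak SMTP to the Internet (assumption: a single outbound relay).
APPROVED_SMTP_RELAYS = {"10.0.0.25"}

# Service ports that worms have sprayed at random addresses (assumed watch list):
# udp/1434 (Slammer, SQL Server resolution service), tcp/135 (RPC), tcp/139 and tcp/445 (SMB).
WORM_WATCH_PORTS = {("udp", 1434), ("tcp", 135), ("tcp", 139), ("tcp", 445)}


def parse(lines):
    """Yield (src, dst, proto, dport) for every line that matches the assumed format."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].lower(), int(m["dport"])


def find_mass_mailers(lines, min_destinations=5):
    """Unapproved hosts delivering mail straight to many MX hosts: a built-in SMTP engine at work."""
    dests = defaultdict(set)
    for src, dst, proto, dport in parse(lines):
        if proto == "tcp" and dport == 25 and src not in APPROVED_SMTP_RELAYS:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


def find_scanners(lines, min_destinations=5):
    """One source hitting one watched service on many addresses: remote-exploit propagation."""
    dests = defaultdict(set)
    for src, dst, proto, dport in parse(lines):
        if (proto, dport) in WORM_WATCH_PORTS:
            dests[(src, proto, dport)].add(dst)
    return {key: len(d) for key, d in dests.items() if len(d) >= min_destinations}


# Constructed sample log: one mass mailer, one legitimate relay, one Slammer-style scanner, normal browsing.
SAMPLE_LOG = [
    *[f"2008-06-27T10:00:{i:02d} src=10.0.0.7 dst=203.0.113.{i} proto=tcp dport=25 action=allow"
      for i in range(1, 7)],
    *[f"2008-06-27T10:01:{i:02d} src=10.0.0.25 dst=203.0.113.{i} proto=tcp dport=25 action=allow"
      for i in range(1, 7)],
    *[f"2008-06-27T10:02:{i:02d} src=10.0.0.9 dst=198.51.100.{i * 7} proto=udp dport=1434 action=deny"
      for i in range(1, 7)],
    "2008-06-27T10:03:00 src=10.0.0.3 dst=198.51.100.200 proto=tcp dport=80 action=allow",
    "2008-06-27T10:03:05 src=10.0.0.3 dst=198.51.100.201 proto=tcp dport=80 action=allow",
]

if __name__ == "__main__":
    print("mass mailers:", find_mass_mailers(SAMPLE_LOG))
    print("scanners:", find_scanners(SAMPLE_LOG))
```

The relay allowlist is what separates the mass mailer from the organisation’s own mail server, which legitimately talks to many MX hosts; without it the first check would be pure noise. The scanner check keys on (source, protocol, port) rather than on source alone so that a busy but legitimate host is not flagged for the breadth of its ordinary traffic.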

Once malware has reached the host machine via a transport, it performs an action, the payload: a backdoor, data corruption or deletion, information theft, or denial of service. The payload may be designed to lie dormant on the local system (in the form of a Trojan horse) so that the malware can spread before any attempt is made to deliver it. A backdoor, or Remote Access Trojan, allows unauthorized full or limited access to a computer; limited access may mean enabling File Transfer Protocol (FTP) on port 21 or Telnet on the infected computer so that it can serve as a staging area for Telnet attacks on other computers. Data corruption or deletion, one of the most destructive types of payload, renders the information on the user’s computer useless. A particularly worrying type of payload is one designed for information theft: it captures data such as key presses (in the hope of obtaining a user name and password) and passes it automatically back to the malware’s operators, or it provides an environment on the local host that lets the attacker control the host remotely or gain direct access to system files. The simplest payload is a Denial of Service (DoS) attack, launched to overload or halt a network service such as a Web, Domain Name System (DNS) or file server. A distributed DoS attack uses malware installed on many computers to attack a single target, a particular host or Web site. DoS can crash the host system, flood the bandwidth with bogus network traffic, exhaust the resources available to the local host, or disrupt a service such as DNS.

Trigger mechanisms initiate replication or payload delivery. They include manual execution, social engineering, semi-automatic execution, automatic execution, time bombs, and conditional execution. Manual execution is simply the inadvertent execution of the malware by the victim; malware will often use some form of social engineering to trick the victim into running the malicious code. Semi-automatic execution is started by the victim and then proceeds automatically from that point on, while automatic execution carries out the attack without the victim having to run any malicious code on the target computer at all. A time bomb performs its action after a certain period or on a pre-ordained date or date range; e.g., the MyDoom.B worm would only start its payload routines against the SCO Group Web site on February 1, 2004, and against the Microsoft.com Web site on February 3, 2004. The conditional trigger uses some predetermined condition (a renamed file, a set of keystrokes, or the opening of an application) as the signal to deliver its payload; malware using this trigger is referred to as a logic bomb.

Much malware uses some kind of defense mechanism (armor, stealth, or encryption) to make it harder to detect and remove. Armor foils analysis by detecting when a debugger is running and preventing it from working correctly, or by adding large amounts of insignificant code to obscure the malware’s purpose. Stealth hides the malware by intercepting requests for information and returning false data. Encrypted malware usually consists of a static decryption routine, an encryption key, and the encrypted malicious code (which itself includes an encryption routine), arranged to prevent detection or data retrieval. When executed, the malware uses the decryption routine and key to decrypt the malicious code, makes a copy of that code, and generates a new encryption key. It uses the new key and its encryption routine to encrypt the copy, then places the new key and the decryption routine at the start of the encrypted copy. Because the encrypted body differs in every generation, a byte signature can only target the decryption routine, so later variants vary that as well: oligomorphic malware can change the decryption routine only a small, fixed number of times, while polymorphic malware encrypts itself with an effectively unlimited number of routines, supplying a different decryption key for each mutation and modifying a portion of the decryption code as it replicates, which makes it difficult to detect with signature-based antivirus programs.
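The encryption defense is easiest to understand by watching a toy engine replicate. The following is an added example, not code from the original post or from the guides it cites: a constant “virus body” is carried as decryption stub, key and ciphertext in the order the paragraph describes; each replication decrypts the body, draws a fresh key and re-encrypts, and in oligomorphic mode also picks one of a small fixed set of decryption routines. Two scanners are run against the lineage: a static byte-pattern match on the stored file, and an emulated match that executes the carried decryptor first and scans the recovered body. The body text, the three stub identifiers standing in for decryptor machine code, and the XOR/add/subtract routines are constructed for the demo.

```python
import random

# Constructed stand-in for the constant malicious body; a scanner wants to match BODY_SIGNATURE.
BODY = b"replicate(); if trigger(): payload()"
BODY_SIGNATURE = b"trigger(): payload()"


def _xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _add(data, key):
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def _sub(data, key):
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


# Each decryptor is an 8-byte stub (standing in for the machine code of the decryption routine)
# paired with its (encrypt, decrypt) functions. A fixed set of three makes the engine oligomorphic.
STUB_LEN, KEY_LEN = 8, 4
DECRYPTORS = {
    b"STUB-XOR": (_xor, _xor),   # XOR is its own inverse
    b"STUB-ADD": (_sub, _add),   # encrypt by subtracting the key, decrypt by adding it
    b"STUB-SUB": (_add, _sub),
}


def build_sample(stub, key, body):
    """Layout the text describes: decryption routine, then key, then the encrypted body."""
    encrypt, _ = DECRYPTORS[stub]
    return stub + key + encrypt(body, key)


def run_decryptor(sample):
    """What an emulating scanner does: execute the carried decryptor on the carried ciphertext."""
    stub = sample[:STUB_LEN]
    key = sample[STUB_LEN:STUB_LEN + KEY_LEN]
    _, decrypt = DECRYPTORS[stub]
    return decrypt(sample[STUB_LEN + KEY_LEN:], key)


def replicate(sample, oligomorphic=False, rng=random):
    """Decrypt, draw a fresh key (and, if oligomorphic, a fresh routine), re-encrypt the copy."""
    body = run_decryptor(sample)
    new_key = bytes(rng.randrange(1, 256) for _ in range(KEY_LEN))  # no zero bytes: every byte changes
    stub = rng.choice(sorted(DECRYPTORS)) if oligomorphic else sample[:STUB_LEN]
    return build_sample(stub, new_key, body)


def lineage(first, generations, oligomorphic=False, rng=random):
    """Return the first sample followed by `generations` successive copies of it."""
    out = [first]
    for _ in range(generations):
        out.append(replicate(out[-1], oligomorphic, rng))
    return out


def static_match(sample, signature):
    return signature in sample                  # byte-pattern scan of the file as stored


def emulated_match(sample, signature):
    return signature in run_decryptor(sample)   # scan after running the decryptor


if __name__ == "__main__":
    gen0 = build_sample(b"STUB-XOR", b"\x13\x37\xC0\xDE", BODY)
    encrypted_only = lineage(gen0, 5)
    oligo = lineage(gen0, 20, oligomorphic=True)
    print("static body match per generation:", [static_match(s, BODY_SIGNATURE) for s in encrypted_only])
    print("stubs seen, fixed decryptor:", {s[:STUB_LEN] for s in encrypted_only})
    print("stubs seen, oligomorphic:", {s[:STUB_LEN] for s in oligo})
    print("emulated match on every sample:", all(emulated_match(s, BODY_SIGNATURE) for s in encrypted_only + oligo))
```

With a fixed decryptor the stored bytes differ in every generation but the first eight bytes never change, so a signature on the stub still works; the oligomorphic lineage forces one signature per routine, which is affordable only because the set is small. A polymorphic engine rewrites the stub itself on each copy, which is why detection moves to emulation: run the decryptor the sample carries, then scan the constant body it produces.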


Next: Understanding Junkwares


Notes:

[2] Harrison, Richard (2004), The Antivirus: Defense-in-Depth Guide, Microsoft Corporation, pp. 11-16.
[3] Sullivan, Dan (2006), The Definitive Guide to Controlling Malware, Spyware, Phishing, and Spam. Realtime Publishers. p. 6.

Disclaimer: The posts on this site do not necessarily represent any organization’s positions, strategies or opinions; and unless otherwise expressly stated, are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
