210 likes | 341 Views
Chapter 2 Definitions and Timeline. Categorizing Malware. No agreed upon definitions Even for “virus” and “worm” Consider categories based on… Self-replicating Population growth Parasitic Then we name the different types As defined by Aycock. Self-replicating Malware.
E N D
Categorizing Malware • No agreed upon definitions • Even for “virus” and “worm” • Consider categories based on… • Self-replicating • Population growth • Parasitic • Then we name the different types • As defined by Aycock
Self-replicating Malware • Self-replicating malware • Actively attempts to propagate by creating new copies • May also propagate passively • But this isn't self-replication • We called these “worms”
Population Growth • Population growth • Describes change in the number of instances due to self-replication • Malware that doesn't self-replicate will have a zero population growth • But malware with a zero population growth may self-replicate
Parasitic • Parasitic malware • Requires some other executable code • "Executable” taken very broadly • Boot block code on a disk • Binary code in applications • Application scripting languages • Source code that may require compilation before executing, etc.
Types of Malware • Logic Bomb • Trojan • Back Door • Virus • Worm • Rabbit • Spyware/Adware • Other
Logic Bomb • Self-replicating: no • Population growth: 0 • Parasitic: possibly • Consists of 2 parts • Payload --- action to be performed • Trigger --- event to execute payload • Donald Gene Burleson case (CS 265)
Trojan Horse • Self-replicating: no • Population growth: 0 • Parasitic: yes • Name comes from ancient world • Pretends to be innocent, but it’s not • Example: fake login prompt that steals passwords
Back Door • Self-replicating: no • Population growth: 0 • Parasitic: possibly • Bypasses normal security checks • So enables unauthorized access • Example: Remote Administration Tool, or RAT
Virus • Self-replicating: yes • Population growth: positive • Parasitic: yes • When executed, tries to replicate itself into other executable code • So, it relies in some way on other code • Does not propagate via a network • Nice virus history given by Aycock
Worm • Self-replicating: yes • Population growth: positive • Parasitic: no • Like a virus, except… • Spreads over network • Worm is standalone, does not rely on other code • Good history in Aycock’s book
Rabbit • Self-replicating: yes • Population growth: 0 • Parasitic: no • Two kinds of rabbits • One uses up system resources • One uses up network resources (special case of a worm)
Spyware • Self-replicating: no • Population growth: 0 • Parasitic: no • Collects info and sends it to someone • Username/password, bank info, credit card info, software license info, etc. • First mention is about 1995 • May arrive via “drive-by download”
Adware • Self-replicating: no • Population growth: 0 • Parasitic: no • Similar to spyware but focused on marketing
Hybrids, Droppers, etc. • Hybrid is combination of different types of malware • Worm that is a rabbit, trojan that acts like a virus, etc., etc. • Dropper is malware that deposits other malware • Worm might leave behind a back door…
Zombies • Compromised machines that can be used by an attacker • Spam • Denial of service (DoS) • Distributed denial of service (DDoS) • Today, usually part of a botnet
Naming • No agreed on naming convention • Virus writer might suggest a name • “Your PC is now stoned!” • Different vendors might use different names • Different variants might get different names, etc.
Naming • Factors related to naming • Malware type • Family name • Variant • Modifiers (e.g., “mm” for “mass mailer”) • But many different names applied to same virus (or family) • See book for examples
Authorship • Author and distributor may differ • Is malware author a “hacker” or “cracker”? • It depends on malware and definitions… • So, Aycock does not use terms like hacker or cracker • Instead, boring terms like malware author, malware writer, virus writer, etc.
Malware Writers • Botnet hacker caught in Slovenia (2010) • Japanese Virus Writer Arrested for the Second Time (2010) • "I wanted to see how much my computer programming skills had improved since the last time I was arrested." • Teen Arrested in Blaster Case (2003) • No 'sorry' from Love Bug author (2005)