The IT Law Wiki


A blended attack is "malicious code that uses multiple methods to spread."[1]


The well-known Nimda "worm" is actually an example of a blended attack. It used four distribution methods:

In addition to using the methods described above, blended attacks can spread through such services as instant messaging and peer-to-peer file sharing. Many instances of blended attacks, like Nimda, are incorrectly referred to as worms because they have some worm characteristics. In fact, Nimda has characteristics of viruses, worms, and malicious mobile code.

Another example of a blended attack is Bugbear, which acted as both a mass mailing worm and a network service worm. Because blended attacks are more complex than single-method malware, they are considerably harder to create. Blended attacks do not have to use multiple methods simultaneously to spread; they can also perform multiple infections in sequence. This sequential approach is becoming more popular, primarily as a way of delivering and installing Trojan horses on systems. For example, a virus, a worm, or malicious mobile code that successfully enters a system can install and run a copy of a Trojan horse. The Trojan horse can then perform additional malicious acts, such as installing spyware on the system.


  1. NIST, Computer Security Incident Handling Guide, Glossary, at D-1 (NIST Special Publication 800-61, rev. 1) (Mar. 2008).