Definitions[edit | edit source]
Malware (a concatenation of malicious software) (also known as computer malicious code (CMC), malicious code and malicious software) is
|“||a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim.||”|
|“||[s]oftware or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware).||”|
Overview[edit | edit source]
Malware includes parasites, Trojan horses, viruses, worms, backdoors, keystroke loggers, rootkits, phishing, spyware or other types of software, known as the payload. Malware can give attackers unauthorized access to a storage device, transfer information from a storage device to an attacker’s system, and perform other actions that jeopardize the confidentiality of the information on a storage device.
|“||Malicious software is an integral and dangerous aspect of Internet threats, targeting end-users and organizations via web browsing, e-mail attachments, mobile devices, the cloud, and other vectors. Malicious code may tamper with the system’s contents, capture sensitive data, and spread to other systems. Modern malware aims to avoid signature-based and behavioral detection, and may disable anti-virus tools running on the targeted system.||”|
Malware generally is grouped into two categories: "family" and "variant." "Family" refers to the distinct or original piece of software. "Variant" refers to a different version of the original malicious code, or family, with minor changes.
Malware, in the form of botnets, has become a critical part of a self-sustaining, cyberattack system. Malware can gain remote access to an information system, record and send data from that system to a third party without the user's permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect the data integritydata and system integrity.
Malware often violates one or more of the following fundamental principles:
- (a) Consent: Malware may be installed even though the user did not knowingly ask for that to happen.
- (b) Honesty: Malware may pretend to do one thing, while actually doing something completely different.
- (c) Privacy-Respectfulness: Malware may violate a user's privacy, perhaps capturing user passwords or credit card information.
- (d) Non-Intrusiveness: Malware may annoy users by popping up advertisements, changing web browser's home page, making systems slow or unstable and prone to crash, or interfering with already installed-security software.
- (e) Harmlessness: Malware may be software that hurts users (such as software that damages our system, sends spam emails, or disables security software).
- (f) Respect for User Management: If the user attempts to remove the software, it may reinstall itself or otherwise override user preferences.
How malware works[edit | edit source]
Malware is able to compromise information systems due to a combination of factors that include insecure operating system design and related software vulnerabilities. Malware works by running or installing itself on an information system manually or automatically. Software may contain vulnerabilities, or "holes" in its fabric caused by faulty coding. Software may also be improperly configured, have functionality turned off, be used in a manner not compatible with suggested uses or improperly configured with other software. All of these are potential vulnerabilities and vectors for attack. Once these vulnerabilities are discovered, malware can be developed to exploit them for malicious purposes before the security community has developed a “fix”, known as a patch. Malware can also compromise information systems due to non-technological factors such as poor user practices and inadequate security policies and procedures.
|“||Malware can have multiple capabilities when inserted into an adversary system or network — that is, malware can be programmed to do more than one thing. The timing of these actions can also be varied. And if a communications channel to the intruder is available, malware can be remotely updated. Indeed, in some cases, the initially delivered malware consists of nothing more than a mechanism for scanning the penetrated system to determine its technical characteristics and an update mechanism to retrieve the best packages to further the malware's operation.
Malware may be programmed to activate either immediately or when some condition is met. In the second case, the malware sits quietly and does nothing harmful most of the time. However, at the right moment, the program activates itself and proceeds to (for example) destroy or corrupt data, disable system defenses, or introduce false message traffic. The "right moment" can be triggered because:
Malware may also install itself in ways that keep it from being detected. It may delete itself, leaving behind little or no trace that it was ever present. In some cases, malware can remain even after a computer is scanned with anti-malware software or even when the operating system is reinstalled from scratch.
The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay “below the radar” of the security and law enforcement communities. Malware often masquerades as useful programs or is embedded into useful programs so that users are induced into executing it. Over the last 20 years, malware has evolved from occasional “exploits” to a global multi-million dollar criminal industry.
Categories of malware[edit | edit source]
Malware is divided into the following major categories:
Malware activities[edit | edit source]
"Malware is being used to conduct the following activities:
- Capturing personal and business information by:
- capturing keystrokes
- collecting logins and passwords
- copying address books
- stealing sensitive corporate information, documentation, and/or trade secrets or even capturing sensitive government or military information
- collecting banking and transactional information
- Facilitating devastating DDoS attacks for nation state purposes, political activism, or as a prelude to extortion, among many other purposes
- Sending spam via email, SMS and other methods."
History[edit | edit source]
The following brief history is derived from an NIST Report:
|“||The concept of the computer virus was actually formed in the early days of computing. The earliest viruses were benign pranks; malicious viruses did not surface publicly until the early 1980s. The first worms, created in the late 1970s, were also benign, intended to perform system maintenance. Malware did not become common until the late 1980s. In that period, its most common form was compiled viruses, particularly boot sector viruses. At that time, virus writers also created several obfuscation techniques so that their viruses could avoid detection. In 1988, the infamous Morris worm was released, disrupting thousands of networked computers. Trojan horses began to surface in the mid-1980s.
During the early 1990s, the malware situation remained largely unchanged, with compiled viruses continuing to be the prevalent form of malicious code. However, during the latter half of the 1990s, several important changes in computing created new opportunities for malware. First, the number of personal computers greatly increased. In addition, the use of e-mail clients and software with macro languages, such as word processors and spreadsheets, became widespread. Accordingly, virus writers began developing interpreted viruses and spreading them through e-mail, as well as developing self-contained worms with similar capabilities. Interpreted viruses had the advantage of being generally easier to write and modify than compiled viruses, allowing less skilled programmers to create viruses. Two interpreted malware attacks, the Melissa virus (in 1999) and the LoveLetter worm (in 2000), each affected millions of systems. Trojan horse and RAT combinations, such as BackOrifice, also became popular in the late 1990s.
Since 2000, worms have been the prevalent form of malware. Virus writers often favor worms over viruses because worms can spread much more quickly. Among viruses, boot sector viruses have become relatively uncommon, primarily because of the declining usage of floppy disks; in contrast, macro viruses have become the most common virus type.
In 2001, the first major blended attack, Nimda, was released, causing major disruptions. Nimda had characteristics of viruses, worms, and malicious mobile code. More recently, malicious mobile code attacks have become increasingly common, largely because of the prevalence of Web browsers and HTML-based e-mail; however, malicious mobile code is still not as common as worms. Another trend is that more instances of malware, including worms, Trojan horses, and malicious mobile code, deliver attacker tools, such as rootkits, keystroke loggers, and backdoors, to infected systems.
Malware prevention policies[edit | edit source]
Organizations should ensure that their policies address prevention of malware incidents. These policy statements should be used as the basis for additional malware prevention efforts, such as user and IT staff awareness, vulnerability mitigation, and threat mitigation. If an organization does not state malware prevention considerations clearly in its policies, it is unlikely to perform malware prevention activities consistently and effectively throughout the organization.
Malware prevention-related policy should be as general as possible to provide flexibility in policy implementation and reduce the need for frequent policy updates, but also specific enough to make the intent and scope of the policy clear. Although some organizations have separate malware policies, many malware prevention considerations belong in other policies, such as an acceptable use policy, so a separate malware policy might duplicate some of the content of other policies. Malware prevention-related policy should include provisions related to remote workers — both those using systems controlled by the organization and those using systems outside of the organization's control (e.g., contractor computers, employees' home computers, business partners' computers, mobile devices).
Common malware prevention-related policy considerations include the following:
- Requiring the scanning of media from outside of the organization for malware before they can be used;
- Requiring that e-mail file attachments, including compressed files (e.g., .zip files), be saved to local disk drives or media and scanned before they are opened;
- Forbidding the sending or receipt of certain types of files (e.g., .exe files) via e-mail and allowing certain additional file types to be blocked for a period of time in response to an impending malware threat;
- Restricting or forbidding the use of unnecessary software, such as user applications that are often used to transfer malware (e.g., personal use of external instant messaging, desktop search engine, and peer-to-peer file sharing services), and services that are not needed or duplicate the organization-provided equivalents (e.g., e-mail) and might contain additional vulnerabilities that could be exploited by malware;
- Restricting the use of administrator-level privileges by users, which helps to limit the privileges available to malware introduced to systems by users;
- Requiring that systems be kept up-to-date with operating system and application upgrades and patches;
- Restricting the use of removable media (e.g., floppy disks, compact discs (CD), Universal Serial Bus (USB) flash drives), particularly on systems that are at high risk of infection, such as publicly accessible kiosks;
- Specifying which types of preventive software (e.g., antivirus software, Spyware detection and removal utility) are required for each type of system (e.g., file server, e-mail server, proxy server, workstation, personal digital assistant (PDA)) and application (e.g., e-mail client, Web browser), and listing the high-level requirements for configuring and maintaining the software (e.g., software update frequency, system scan scope and frequency);
- Permitting access to other networks (including the Internet) only through organization-approved and secured mechanisms;
- Requiring firewall configuration changes to be approved through a formal process;
- Specifying which types of mobile code may be used from various sources (e.g., internal Web servers, other organizations' Web servers); and
- Restricting the use of mobile devices on trusted networks.
References[edit | edit source]
- NIST Special Publication 800-83, at 1-3.
- NIST Special Publication 800-82, at B-5.
- 20 Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, at 27.
- U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs), at 23.
- Malware may also exploit vulnerabilities in hardware, however, this is rare compared to the number of software vulnerabilities which are available at any given time to exploit.
- At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 47.
- Best Practices to Address Online and Mobile Threats, at 6.
- NIST Special Publication 800-83, at 2-10.
- Boot sector viruses were most prevalent in the early 1990s, when floppy disks were the most common medium for storing files and transferring files between systems. As faster methods of transferring files became more popular, such as e-mail and file-sharing software, attackers started developing other types of malware that took advantage of these faster methods to spread much more rapidly. However, boot sector viruses still do occur, and CDs, DVDs, and other removable media present in systems during boot can infect systems with such viruses.
See also[edit | edit source]
- Commodity malware
- Destructive malware
- Drive-by malware
- “Drive-by” ransomware
- GameOver Zeus
- Handling Destructive Malware
- Injection flaw
- Malicious code
- Malicious payload
- Malware propagation vector
- Melissa virus
- Memory-scraping attack
- Morris worm
- Polymorphic malware
- Rogue security software
- Slammer worm
- SQL injection vulnerability
- Watering hole attack
- ZeroAccess Trojan