Modern malware is constantly taking on new forms; it's hard for those of us who aren't dedicated security experts to comprehend how deviously, and methodically, it's designed and deployed. How do you fight it? Well, first, you have to know what's out there. With that goal in mind, I will provide here a brief overview of malware.
I would first like to apologise to those good guys, like Steve Wozniak and John Draper, who called themselves hackers, and who insist that the proper term for the bad guys is crackers. If you're calling yourself a hacker, and you're a good guy, you're swimming upstream, and there's a strong downstream current.
Even though we abhor malware in general, it's hard NOT sometimes to (objectively) admire how professionally it's designed and deployed. Computer owners, who become victims of hacking, will NOT (subjectively) admire the tools, or the attackers.
One of the problems is how to describe what's happening. Which came first - the chicken or the egg? How do you define hacking, other than as what a hacker does?
For the purpose of this article, I will define the following terms.
- Hacking is aggressive, deceitful, or intentional misuse of any computer not legally owned by the Attacker, for commercial, financial, or personal purposes.
- Hacker is the person, or groups of people, doing the Hacking.
- Malware is the tool used for Hacking, AND the payoff of the Hacking.
- Victim is the legal owner of the computer Attacked by a Hacker (or user of a corporate computer).
The people performing the Hacking Attacks have been referred to as, variously:
- Adware / Spyware Writers.
- Hackers (Classically).
- Virus Writers.
In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:
- Spam is used to deliver Trojans to be installed on Victims' computers.
- Adware / Spyware is installed as Trojans.
- Trojans, installed on Victims' computers, are used in the delivery of Spam, or Worms, to other Victims.
- Viruses are used to attack people or software used to defend against Adware, Spam, and Spyware.
- Viruses, having infected the Victim's computer, can become Worms, and attack other computers on the same Network.
- Viruses or Worms were used to Attack the data on the Victim's computer, rendering the data unusable unless actual money was paid by the Victim to the Attacker. No, this is NOT fiction.
The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement. See, for instance, War Games, one of the earliest movies about Hackers.
Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, when installed on the Victim's computer, may make that computer part of a Botnet. A Botnet, or army of computers controlled by a successful Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Trojans, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $0.55 USD, thus a 10,000 member Botnet (not at all an abnormal number) could net the Hacker $5,000 or so.
The term Spam comes from a legendary skit by the British comedy group Monty Python, which maligned a very controversial food product made by Hormel, called "Spam". It was originally used to describe unwanted email, which would typically be used to advertise commercial products of varying legitimacy. Now, following the links in spam email, or spam postings in various forums or on various websites, will typically take your computer to websites that are used to serve trojans to your computer, or possibly to manipulate search engines, making them favour websites serviced by (again, for a fee) a hacker.
So spam too becomes both the medium (email / Internet postings), and the payload (websites benefitting from the spam).
The term Trojan refers classically to the mythical story of the Trojan Horse in Greece. A Trojan is software which is packaged (by the hacker) with Host software that is trusted by, and intentionally installed by, the Victim.
A Trojan can be anything as innocent as an extra toolbar, installed as a part of the Victim's browser, and used to "enhance the browsing experience", to software that makes the Victim's computer act in a three role Spam delivery capacity. A Trojan is intentionally installed on a server (by a Hacker), with the Host software. It then requires the intentional installation of the Host software (by the Victim), for propagation onto the Victim's computer. A trojan travels as a server to client infection - from a server to a client (victim) and then no further.
A virus is software that travels, from one computer to another, in trusted Host software, such as an application or data file passed by one victim to the next. A virus requires the intentional installation of the Host software (by the Victim), for propagation, but automatically repackages itself on the Victim's computer, for transport to the next computer. A virus travels as a peer to peer infection - from any computer to other computers, and then to more computers later.
A worm is software that travels, from one computer to another, in a trusted medium, such as the computer network (with no firewalls in place), or in email (with no malware / virus scanning software in place). A worm requires no intentional action, by the Victim, for propagation. A worm travels as a peer to peer infection - from any computer to other computers, and then to more computers later.
Malware - Classified By Delivery Mechanism
- Trojan - A server to client infection, that requires action by the Victim to propagate. A trojan starts out life packaged, by a hacker, with software trusted by the Victim. When the Victim installs the trusted software, the malware gets installed. Once installed on the Victim's computer, a Trojan travels no further. A trojan can be targeted against a specific set of victims - maybe players of a specific game, or visitors to a specific website.
- Virus - A peer to peer infection, that requires action by the Victim to propagate. A virus starts out on a Victim's computer, packaged with software trusted by the next Victim. When the next Victim installs the trusted software, the virus gets installed. Unlike a Trojan, a Virus automatically repackages itself, on the Victim's computer, for transport to the next Victim. A virus is simply broadcast - its spread cannot be controlled, except by the medium in which it spreads. A successful virus spreads indiscriminately.
- Worm - A peer to peer infection, that requires no action by the Victim to propagate. A Worm is malware that travels, from one computer to another, in a trusted medium, such as a computer network (with no firewalls in place), or in email (with no malware / virus scanning software in place).
Malware - Classified By Payload
- Adware - Malware that delivers, or influences the delivery of, commercial material (aka advertisements) to the Victim's computer.
- Hijack - Malware that makes the Victim's computer do things not intended by the Victim.
- Spam - Malware consisting of unwanted Messages delivered to the Victim's computer.
- Spyware - Malware that collects and transmits personal information about the Victim's computer, or about the Victim, to persons who have no legal entitlement to that information.
We use differing defense mechanisms, to protect against differing malware.
Since worms travel as network traffic, a firewall, or a NAT router, will protect against them. A firewall examines the content of the network traffic, detects the malware, and (possibly) alerts us to its activity. Since a NAT router passes traffic between specifically defined endpoints (a distant server, using a specific IP address / port / protocol, mapped using NAT to a specific local computer / port), a worm (which has as its destination only the public IP address / port) goes nowhere. It's simply ignored by the NAT processor.
If we care to learn of worm activity in our neighbouring public address space, we would connect a computer with firewall directly to the Internet service, and configure its firewall to log and / or report worm activity. If we don't care, a NAT router simply discards worm traffic. In either case, no worms can attack the computers on a properly protected LAN.
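To make the NAT point concrete, here is a small Python model of a NAT router's state table. It is an added example written for this article, not code from any real router: it shows why a reply to a connection a LAN host started is forwarded, while an unsolicited packet aimed at the router's public address has no mapping and is simply discarded. The addresses (taken from the reserved documentation ranges), ports and packets are all constructed sample values.

```python
"""Toy NAT state-table simulation (added example, constructed values)."""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"   # constructed; TEST-NET-3 documentation range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        # (proto, remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.table = {}
        self.dropped = []

    def outbound(self, pkt):
        """A LAN host opens a connection: allocate a public port and record the mapping."""
        public_port = self.next_port
        self.next_port += 1
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, public_port)
        self.table[key] = (pkt.src_ip, pkt.src_port)
        # The packet leaves with the router's public address as its source.
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """A packet arrives from the Internet: forward only if it matches a mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        mapping = self.table.get(key)
        if mapping is None:
            # No LAN host asked for this: the NAT processor has nowhere to send it.
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """Returns (forwarded reply, result for an unsolicited packet, number dropped)."""
    router = NatRouter(PUBLIC_IP)
    # LAN host 192.168.1.10 connects to a web server (constructed address)
    out = router.outbound(Packet("192.168.1.10", 51234, "198.51.100.20", 80))
    reply = router.inbound(Packet("198.51.100.20", 80, PUBLIC_IP, out.src_port))
    # Unsolicited packet from elsewhere aimed at the public address (what worm
    # traffic looks like from the router's point of view): no mapping, dropped.
    unsolicited = router.inbound(Packet("192.0.2.77", 4444, PUBLIC_IP, 445))
    return reply, unsolicited, len(router.dropped)


if __name__ == "__main__":
    print(demo())
```

The model deliberately keys the table on the full remote endpoint plus the public port, which is what makes the unsolicited packet unroutable: nothing on the LAN ever asked for it, so there is no entry to consult. A firewall that logs, as described above, would record that dropped packet instead of silently discarding it.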
Since trojans and viruses travel as application traffic, a mere firewall or NAT router is useless here. Firewalls and NAT routers examine and pass packets. An infected file (virus) or a page from a web site with malicious content (trojan) will be broken down into multiple packets. A firewall or NAT router has no ability to filter or inspect multiple packets statefully.
Trojans and viruses can only be detected after reassembly of the packets into application data, and in some cases, after multiple files or web pages have been received by the client. Protection against a trojan or virus is generally by detection, after the malware has landed on the client, but hopefully before it has installed its payload.
So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?
You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternate processes.
- Behaviour analysis and detection.
- Signature analysis and detection.
Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antitrojan / antivirus products, which contain a sandbox, which is a replica of the operating system, within the AT / AV product code. A suspect file is copied into the sandbox, opened from within, and watched. When opened, if it makes suspicious use of system resources provided by the (replica) operating system, it is determined to be malware, and examined further.
Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.
Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.
By statefully looking for incoming or outgoing traffic, compared against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware, software designed to look for malicious outgoing traffic will be better at detecting spyware.
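As an added illustration (mine, not code from the article) of how a heuristic engine and a traffic monitor actually reach a verdict, here is a small Python behaviour analyser covering both the sandbox heuristics described above and the incoming-versus-outgoing distinction between adware and spyware. It assumes the sandbox or host monitor has already recorded what each process did as a flat list of events; the trace, the process names, the weights and the alert threshold are all constructed for the example.

```python
"""Behaviour (heuristic) analysis over a recorded event trace (added example)."""
from collections import defaultdict

# Kinds of suspicious resource use a sandbox heuristic watches for, with
# constructed weights. Unknown event types score zero.
SUSPICIOUS_WEIGHTS = {
    "write_autorun": 3,      # persistence: registry Run key / startup folder
    "write_executable": 3,   # modifying other programs (virus-like repackaging)
    "disable_av": 4,         # tampering with security software
    "inject_process": 4,     # writing into another process's memory
    "net_out": 1,            # outbound connection
    "net_in": 1,             # inbound data (e.g. fetched advertising content)
}
ALERT_THRESHOLD = 5  # assumed value for illustration

# Constructed trace: (process name, event, bytes transferred for network events)
TRACE = [
    ("notepad.exe", "file_read", 0),
    ("notepad.exe", "file_write", 0),
    ("toolbar.exe", "net_in", 800_000),
    ("toolbar.exe", "net_in", 650_000),
    ("toolbar.exe", "net_out", 2_000),
    ("toolbar.exe", "write_autorun", 0),
    ("toolbar.exe", "net_out", 1_500),
    ("svc_helper.exe", "write_autorun", 0),
    ("svc_helper.exe", "disable_av", 0),
    ("svc_helper.exe", "net_out", 120_000),
    ("svc_helper.exe", "net_out", 95_000),
]


def score_processes(trace):
    """Sum the suspicious-event weights per process (the sandbox heuristic)."""
    scores = defaultdict(int)
    for proc, event, _ in trace:
        scores[proc] += SUSPICIOUS_WEIGHTS.get(event, 0)
    return dict(scores)


def traffic_profile(trace):
    """Per-process (bytes_in, bytes_out), to compare against what is expected."""
    totals = defaultdict(lambda: [0, 0])
    for proc, event, nbytes in trace:
        if event == "net_in":
            totals[proc][0] += nbytes
        elif event == "net_out":
            totals[proc][1] += nbytes
    return {proc: tuple(v) for proc, v in totals.items()}


def classify(trace, threshold=ALERT_THRESHOLD):
    """Flag processes at or above the threshold, labelled by dominant traffic direction."""
    verdicts = {}
    profile = traffic_profile(trace)
    for proc, score in score_processes(trace).items():
        if score < threshold:
            continue
        bytes_in, bytes_out = profile.get(proc, (0, 0))
        if bytes_in > bytes_out:
            kind = "adware-like (inbound-heavy)"
        elif bytes_out > bytes_in:
            kind = "spyware-like (outbound-heavy)"
        else:
            kind = "suspicious (no network activity)"
        verdicts[proc] = (score, kind)
    return verdicts


if __name__ == "__main__":
    for proc, verdict in classify(TRACE).items():
        print(proc, verdict)
```

On this trace notepad.exe scores nothing and is ignored, toolbar.exe is flagged as adware-like because almost all of its traffic is inbound, and svc_helper.exe is flagged as spyware-like because its traffic is entirely outbound. The two checks are kept separate on purpose: the score decides whether a process deserves attention at all, and the traffic profile only then says which kind of payload it most resembles.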
Signature analysis is a much simpler process, but demands more repetitious work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file on the entire system, one at a time, generating a signature from the file, and comparing the signature against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system by the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (with some antivirus products, that's multiple times a day), a rescan could be appropriate.
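Here is the signature check from the two paragraphs above, written out as a working Python scanner. It is an added example, not the article's or any vendor's code: it hashes every file under a directory with SHA-256 and looks each hash up in a signature database. The database entries and the sample files are constructed and written to a temporary directory, so it runs offline.

```python
"""Hash-signature file scan (added example, constructed sample data)."""
import hashlib
import os
import tempfile


def file_signature(path, chunk=65536):
    """SHA-256 of the file contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, signatures):
    """Walk root; return {path: malware_name} for files whose hash is in the database.

    signatures maps hash -> name. Holding the database in a dict makes each
    lookup constant time, so the cost is one hash per file rather than
    (files x database entries) comparisons.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            sig = file_signature(path)
            if sig in signatures:
                hits[path] = signatures[sig]
    return hits


def demo():
    """Build a constructed sample tree and signature database, then scan it."""
    bad_bytes = b"CONSTRUCTED-SAMPLE: pretend this is a known trojan body\n"
    good_bytes = b"hello world\n"
    # Constructed signature database: one known-bad hash with a made-up name.
    signatures = {hashlib.sha256(bad_bytes).hexdigest(): "Sample.Trojan.Constructed"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(good_bytes)
        with open(os.path.join(root, "sub", "update.exe"), "wb") as f:
            f.write(bad_bytes)
        hits = scan_tree(root, signatures)
        # Report paths relative to the scanned root, with forward slashes on every OS.
        return {os.path.relpath(p, root).replace(os.sep, "/"): n for p, n in hits.items()}


if __name__ == "__main__":
    print(demo())
```

The whole-file hash is the simplest form of signature, and it shows the weakness the article goes on to discuss: changing a single byte of the file produces a completely different hash, so a packed or slightly modified copy of known malware is missed.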
Some malware is encrypted, to fool the signature scanners. Malicious code is taken, and subjected to rearrangement (packing), with some packing containing random operations which makes unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases, the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.
On the other hand, it's somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AT / AV scan finds a file with an embedded unpacker, it's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.
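One cheap way a scanner decides which files deserve the unpack-then-signature path is a byte-entropy check, shown here as an added Python example (not from the article). Packed or encrypted content has near-uniform byte statistics, so its Shannon entropy approaches 8 bits per byte, while ordinary text and uncompressed executable code sit well below that. The sample buffers are constructed, and the threshold is an assumed value that would be tuned on real files.

```python
"""Entropy triage for packed or encrypted content (added example)."""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.2   # bits per byte; assumed value, tune on a real corpus


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data, threshold=PACKED_THRESHOLD):
    """True when the byte distribution is too uniform for plain code or text."""
    return shannon_entropy(data) >= threshold


def triage(name, data):
    """Route a file: high entropy -> unpack first, otherwise go straight to signatures."""
    if looks_packed(data):
        return (name, "packed: unpack before signature check")
    return (name, "plain: signature check directly")


# Constructed samples. The "packed" blob is deterministic pseudo-random bytes,
# standing in for an encrypted or compressed section of a real file.
PLAIN_TEXT = b"The quick brown fox jumps over the lazy dog. " * 200
_rng = random.Random(20050601)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, data in (("readme.txt", PLAIN_TEXT), ("setup.exe", PACKED_BLOB)):
        print(name, round(shannon_entropy(data), 2), triage(name, data)[1])
```

Entropy alone does not say a file is malicious; installers, compressed archives and media files are legitimately high-entropy, which is exactly the "openly compressed files" exception above. What it buys the scanner is a fast first cut: low-entropy files go straight to the hash check, and only the high-entropy ones pay for the slower unpacking stage.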
Malware Detection and Removal Tools
So all of the above is good background information, but what do you do about the problem, once you understand it?
The traditional way of scanning for viruses, the first malware that was distributed so long ago, was by examining each file on the computer that might carry a virus. This is where the signature and heuristic checks would be done. I'll discuss the tools required in Dealing With Malware.
There are several problems with scanning each individual file on the computer:
- You need a database on the computer being scanned, that describes each known malware.
- Scanning each file on the computer is laborious; as the signature database gets larger, the cost of scanning each file on the computer times the length of the database gets larger still.
- You still have to do heuristic scanning. If you limit your analysis to known malware, you risk overlooking undiscovered malware, that hasn't been added to the database.
- Since the scanning process constantly gets longer, the tendency is to scan only when convenient. Malware that propagates between the scans travels with ease.
The new procedure is to observe the computer as one large process. With the exception of malware that has no payload, except to travel from computer to computer, all malware has to surface with secondary symptoms. Generally, those secondary symptoms have to include one or more rogue processes, running on the Victim's computer.
If we treat the computer itself as one large file, we can do signature and heuristic checks against all of the processes and files, or whole computer heuristic analysis. I'll discuss that process in Dealing With Malware Version 2.
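To show what "treating the computer as one large file" can look like in practice, here is an added Python example, mine rather than the article's. It takes the running process list as the unit of analysis and checks each process against a trusted baseline keyed by image path plus the hash of its on-disk binary, so a rogue process (an unknown image, or a known image whose binary has changed) surfaces without scanning every file on disk. The process snapshot, the baseline and the binary contents are constructed; on a real host the snapshot would come from the operating system and the baseline from a known-good image.

```python
"""Whole-system process check against a trusted baseline (added example)."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed baseline of trusted processes: image path -> SHA-256 of the binary.
# A real baseline is taken from a clean system, never from the machine under test.
BASELINE = {
    "/sbin/init": sha256_hex(b"init-binary-constructed"),
    "/usr/sbin/sshd": sha256_hex(b"sshd-binary-constructed"),
    "/usr/sbin/cron": sha256_hex(b"cron-binary-constructed"),
}

# Constructed process snapshot: (pid, parent pid, image path, bytes of the on-disk binary).
SNAPSHOT = [
    (1, 0, "/sbin/init", b"init-binary-constructed"),
    (612, 1, "/usr/sbin/sshd", b"sshd-binary-constructed"),
    (640, 1, "/usr/sbin/cron", b"cron-binary-TAMPERED"),
    (9981, 640, "/tmp/.x/svchost", b"unknown-binary-constructed"),
]


def check_processes(snapshot, baseline):
    """Return (pid, ppid, path, reason) for every process that fails the whole-system check."""
    findings = []
    for pid, ppid, path, binary in snapshot:
        expected = baseline.get(path)
        if expected is None:
            findings.append((pid, ppid, path, "image path not in baseline"))
        elif expected != sha256_hex(binary):
            findings.append((pid, ppid, path, "binary hash differs from baseline"))
    return findings


def suspicious_parents(findings):
    """PIDs that failed the check and also spawned another failing process.

    A rogue process started by a tampered one is a stronger signal than either alone.
    """
    failing = {f[0] for f in findings}
    return sorted({ppid for _, ppid, _, _ in findings if ppid in failing})


if __name__ == "__main__":
    found = check_processes(SNAPSHOT, BASELINE)
    for f in found:
        print(f)
    print("parents of interest:", suspicious_parents(found))
```

In the constructed snapshot, cron's binary no longer matches the baseline and it has a child running from a temporary directory, so both are reported and cron is singled out as the parent of interest. The baseline lookup is a single hash per running process, which is the cost saving over a full-disk signature scan; the trade-off is that malware which never shows up as a process of its own is not seen by this check, and that is where the heuristic and file-signature scans from the earlier sections still earn their keep.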