Chapter 2
Definitions and Timeline
Categorizing Malware
 No
agreed upon definitions
o Even for “virus” and “worm”
 Consider
categories based on…
o Self-replicating
o Population growth
o Parasitic
 Then
we name the different types
o As defined by Aycock
Self-replicating Malware
 Self-replicating
malware
 Actively attempts to propagate by
creating new copies
 May also propagate passively
o But this isn't self-replication
 Called
these “worms” (in CS 265)
Population Growth
 Population
growth
 Describes change in the number of
instances
 Malware that doesn't self-replicate
will have a zero population growth
o But malware with a zero population
growth may self-replicate
Parasitic
 Parasitic
malware
 Requires some other executable code
 "Executable” taken very broadly
o Boot block code on a disk
o Binary code in applications
o Application scripting languages
o Source code that may require
compilation before executing, etc.
Types of Malware
 Logic
Bomb
 Trojan
 Back Door
 Virus
 Worm
 Rabbit
 Spyware/Adware
 Other
Logic Bomb
 Self-replicating:
no
 Population growth: 0
 Parasitic: possibly
 Consists of 2 parts
o Payload --- action to be performed
o Trigger --- event to execute payload
 Donald
Gene Burleson case (CS 265)
Trojan Horse
 Self-replicating:
no
 Population growth: 0
 Parasitic: yes
 Name comes from ancient world
o Pretends to be innocent, but it’s not
 Example:
fake login prompt that
steals passwords
Back Door
 Self-replicating:
no
 Population growth: 0
 Parasitic: possibly
 Bypasses normal security checks
o So enables unauthorized access
 Example:
or RAT
Remote Administration Tool,
Virus
 Self-replicating:
yes
 Population growth: positive
 Parasitic: yes
 When executed, tries to replicate
itself into other executable code
o So, it relies in some way on other code
 Does
not propagate via a network
 Nice
virus history given by Aycock
Worm
 Self-replicating:
yes
 Population growth: positive
 Parasitic: no
 Like a virus, except…
o Spreads over network
o Worm is standalone, does not rely on
other code
 Good
history in Aycock’s book
Rabbit
 Self-replicating:
yes
 Population growth: 0
 Parasitic: no
 Two kinds of rabbits
o One uses up system resources
o One uses up network resources (special
case of a worm)
Spyware
 Self-replicating:
no
 Population growth: 0
 Parasitic: no
 Collects info and sends it to someone
o Username/password, bank info, credit
card info, software license info, etc.
 First
mention is about 1995
 May arrive via “drive-by download”
Adware
 Self-replicating:
no
 Population growth: 0
 Parasitic: no
 Similar to spyware but focused on
marketing
Hybrids, Droppers, etc.
 Hybrid
is combination of different
types of malware
o Worm that is a rabbit, trojan that acts
like a virus, etc., etc.
 Dropper
is malware that deposits
other malware
o For example, a worm might leave behind
a back door…
Zombies
 Compromised
machines that can be
used by an attacker
o Spam
o Denial of service (DoS)
o Distributed denial of service (DDoS)
 Today,
usually part of a botnet
Naming
 No
agreed on naming convention
 Virus writer might suggest a name
o “Your PC is now stoned!”
 Different
vendors might use
different names
 Different variants might get
different names, etc.
Naming
 Factors
related to naming
o Malware type
o Family name
o Variant
o Modifiers (e.g., “mm” for “mass mailer”)
 But
many different names applied to
same virus (or family)
o See book for examples
Authorship
 Author
and distributor may differ
 Is malware author a “hacker” or
“cracker”?
o It depends on your definitions…
 So,
Aycock does not use terms like
hacker or cracker
o Instead, uses boring terms like malware
author, malware writer, virus writer, etc.
Malware Writers
 Botnet
hacker caught in Slovenia (2010)
 Japanese Virus Writer Arrested for
the Second Time (2010)
o "I wanted to see how much my computer
programming skills had improved since the
last time I was arrested."
 Teen
Arrested in Blaster Case (2003)
 No 'sorry' from Love Bug author (2005)
Timeline