A computer is a tool that executes instructions, or programs, at a very rapid pace. For the most part, a benign program does productive work, safely interacting with the
components of computer, such as the processor, the files on the hard drive, and other processes and data in memory.
Malicious programs perform work or actions that the user does not want and ends with results that are insulting, frustrating, and/or damaging. Spam e-mail fits into all of those categories. Virus logic bombs that destroy critical files are incredibly damaging. Denial of Service attacks on e-commerce sites can be frustrating for the customer and potentially damaging for the business, normally resulting in lost business and revenue. Root-kits that allow unauthorized access to other people’s or organization’s computer resources are a significant security risk, and usually causing some form of loss or damage.
“Malware” is the overarching term used to describe the programs that force the computer to execute these misbehaving tasks. The types of malware that will be considered herein are: worms, botnets and viruses.
1. Worms
A worm is stand-alone malicious code that propagates across the hosts of a network, with or without human assistance—no interaction on the part of a user is required.
According to Gu (et al.), there are three characteristics of an Internet worm:
• Internet worms generate a substantial volume of identical or similar traffic. This can be detected by passive listening on the network, as
15
• They use random scanning to probe for vulnerable hosts, which can also be detected by those passive listeners.
• Compromised hosts exhibit predictable signatures:
an uninfected host would have “normal” traffic, but when infected, the host begins random scanning looking for other vulnerable hosts on the network.
In addition to propagating itself by finding additional vulnerable hosts, worms typically have some other malicious function. It may direct users to certain websites or it may collect information from the infected host and report it back to some central computer. It could also be malicious and try to destroy key files on the host computer [8].
Some examples of worms include the Morris worm (1988) [9], the first known instance of a worm, as well as the Nimda and the Code Red worms [10].
2. Botnets
Bots and networks of bots (“botnets”) are emerging as the most significant threat facing online ecosystems and computing assets [11]. Like viruses and worms, a bot is a self-propagating application (code) that infects vulnerable hosts through exploit activities in order to expand the reach of the Bot network [11]. Bots can use worms or other bots to propagate to other computers on the network.
Bots can be distinguished from viruses and worms by their command and control characteristic: bots will normally include facilities that allow for control by some sort of Command and Control structure, be it a single server or some
type of distributed system. Since bots can be controlled by a single entity, they can be remotely directed towards a single purpose. A typical use for a bot is a Distributed Denial of Service (DDOS) attack, where a massive number of bots can coordinate their traffic in order to overwhelm a network server [11].
Bot behaviors include those of worms outlined above, with the addition of command and control traffic that rides within different protocols: commonly Hyper Text Transfer Protocol (HTTP) and Internet Relay Chat (IRC). In actual bots, this traffic may or may not be encrypted. Detection of bots through passive packet monitoring (as above—with protocol analysis by tools such as Snort or Wireshark) of data streams can be useful, as bots will often exhibit typical signatures or behaviors. Like worms, the scanning behaviors used for propagation can also be detected passively and the results used for bot (and worm) identification [11]. Bots will often remain hidden until they receive instruction from the command and control server to execute some action, which is typically a denial of service attack as described above [12],[13].
Perhaps the most widely known example of a bot is
“Conficker,” which is still active at the time of this writing. One estimate of Conficker held it responsible for 8.9 million infections, and it appeared in a variety of different networks, including those of the German and British Armed Forces [14].
17 3. Viruses
In Peter Czor’s The Art of Virus Research and Defense, he defines a computer virus as “…code that recursively replicates a possibly evolved copy of itself. Viruses infect a host file or system area, or they simply modify a reference to such objects to take control and then multiply again to form new generations.” [15]
Viruses can be classified by many categories. These include what computer architectures they target, such as processor types or operating systems; file systems and file formats; interpreted environments such as scripts (PHP, Jscript, Batch and Shell scripts) and macros; and more.
They can also be classified as to how they infect, such as boot records, files, and in-memory. They could be classified as to their defensive mechanisms, like tunneling, armored, retroviruses, morphing and encrypting. Finally, they could be classified according to their payload, whether it is intended to be benign and non-destructive, destructive, data-stealing, or denial of service.
Since all viruses are code and that code must reside somewhere on the host, the signature-based virus scanner periodically searches for those classic signatures on a system. Only new viruses or emerging variants of existing viruses will cause the scanner to fail to match the stored signatures and claim that the code is safe.
A canonical example of a virus is the “Anna Kournikova”
virus. Although it did not have a malicious payload, it made its way through a bulletin board posting, through mass-mailing capability, and social engineering (enticing people with a new picture of Anna Kournikova) to spread itself
around the world. The file was a visual basic script:
AnnaKournikova.jpg.vbs. It duped the user into executing the script, e-mailing itself with the VBS attachment to everyone in the user’s e-mail address book. Its payload was nothing except spam e-mails that quickly spanned the world [16].