The term “malware” denotes any malicious software used for the purpose of attacking systems and IT environments. There is a vast number of malware specimens in the wild, and even more that exist on a purely conceptual (laboratory) basis. Typically, malware is classified according to its impact and its prevalence in the wild, as shown in figure 1.
Figure 1: Malware Classification (Overview)
Malware encompasses a wide range of phenomena from simple pranks or jokes to advanced volatile threats (AVTs). This means that, for each category, there are usually different threat and risk profiles as well as different mitigation strategies.
Low-end malware typically shows little technical sophistication and serves a comparatively harmless purpose, often the propagation of targeted advertising or presentation of pop-up windows to end users. Examples include adware of various degrees of intrusion. At best, low-end malware may be regarded as annoying but harmless.
Variants of typical low-end malware include minor worms or viruses with a limited and low-impact payload. Examples include pranks and scareware. (Scareware, often presented as a pop-up, is intended to scare a user into downloading software that may be benign or harmful.) The wide range of such malware specimens goes back to the early days of virus developments when programmers would often highlight or publish known vulnerabilities by writing a specific, nonharmful virus demonstrating the exploit.
Medium-level malware is designed to impact end-user systems, either through causing damage or trying to control end-user behavior (ransomware). There is a vast array of malware, most of which has been documented and categorized by providers of antivirus and anti-malware packages. The medium threat level shows the highest prevalence and frequency of occurrence of infections, given that the impact is typically achieved using fairly standardized and generic components to build and deploy malware. It is characteristic that malware at this threat level tends toward “families,” i.e., an original piece of malware and any number of subsequent variants.
Historically, medium threat level malware originated as Trojans (or, more precisely, Trojan horses), gradually replacing traditional viruses. In contrast to virus propagation, more complex malware introduced the element of remote, often real-time, command and control. The emergence of this type of malware was involuntarily supported by the widespread adoption of Microsoft™ Windows™ as an operating system, and MS Office™ as the dominant standard desktop office package. The latter introduced a new class of vulnerabilities and risk by enabling end users to use the in-built programming language (a derivative of Basic).
Medium-level threat malware often incorporates a social attack element, attempting initial infection by presenting attractive or free content to end users. With the advent of mobile malware for popular mobile operating systems, the social component appears to become more pronounced, exploiting the fact that many users have adopted an attitude of implicit trust and unconstrained use of social networking tools and techniques.
Malware at the complex end of the threat spectrum is usually developed for the purpose of attacking well-protected systems, and targeting is done in line with specific interests. High-end threats often qualify as advanced persistent threats (APTs). In almost all known instances, high-end malware uses multiple attack vectors and vulnerabilities or weaknesses that are not in the public domain. These include zero-day exploits and/or back doors in popular software.
Other examples of high-end threat level malware include the manipulation of firmware images (of operating systems or device-specific firmware), embedded systems (in industrial control environments) or hardware.
EXAMPLES OF TYPICAL MALWARE
The following table lists several illustrative examples of malware categorized in line with different threat levels. The list is not exhaustive, and examples have been selected on the basis of significant characteristics and malware behavior or impact.
A virus with primitive deletion of executable files routine, noted because of its invocation on any Friday the 13thThe Jerusalem virus is a typical example of early viruses developed with a view to causing indiscriminate damage to wide circles of end users. Given its early appearance, Jerusalem continued as a fairly broad family of viruses.The first polymorph in the wild, causing antivirus software to adopt heuristic search methods rather than fixed signature search. DAME led to subsequent development of many polymorphic viruses.A virus noted because of its destructive capability, targeting certain types of BIOSThe first virus causing irreversible damage to popular BIOS implementations, rendering PCs unusableAn early successful worm with more complex payload and behavior than viruses. Melissa was able to harvest confidential end-user data. It was noted at the time how rapidly Melissa spread across unprotected machines using MS Outlook™.An example of an inadvertent malware incident caused by the (otherwise legitimate) copy protection mechanism inserted by Sony to protect its IPThe copy protection mechanism (effectively a rootkit) was designed to protect Sony IP on end-user machines. In fact, it created numerous vulnerabilities and points of entry for other malware.Self-propagating software code in two parts (“grappling hook” and downloaded payload) spreading across networksProbably the first specimen in the wild, established the typical “worm” mechanismsA virus with typical boot sector (overwriting) behavior, causing damage only on any 6 MarchThe first example of a virus with widespread media coverage and public interest. From a behavioral/technical point of view, the Michelangelo case did not introduce any new attack approach.A Trojan to establish and maintain persistent botnetsOne of the most successful Trojans used to infect millions of machines, with a view to establishing and maintaining botnets to be used for criminal purposesA worm with unusual complexity, used for cyberwar purposesThe first specimen of a very complex worm used to target SCADA systems and ultimately targets of military interest. First example of active cyberwar.
|Morris worm (1988)||The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It was the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a graduate student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from the computer systems of the Massachusetts Institute of Technology.|
|Jerusalem family (1988)||Jerusalem is a DOS virus first detected in Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.|
|Michelangelo (1992)||The Michelangelo virus is a computer virus first discovered on 4 February 1991 in Australia.
The virus was designed to infect DOS systems, but did not engage the operating system or make any OS calls.
Michelangelo, like all boot sector viruses, basically operated at the BIOS level. Each year, the virus remained dormant until March 6, the birthday of Renaissance artist Michelangelo.
|Dark Avenger family (1995)||The Initial Dark Avenger showed boot sector behavior, causing widespread damage. DAME variant (mutation engine) adopted stealthy modification of its own code to evade detection.|
|CIH family, a.k.a. Chernobyl (1998)||CIH, also known as Chernobyl or Spacefiller, is a Microsoft Windows 9x computer virus which first emerged in 1998. Its payload is highly destructive to vulnerable systems, overwriting critical information on infected system drives, and in some cases destroying the system BIOS.|
|Back Orifice (BO; 1998)||The first remote admin kit allowing extensive command and control. While not designed as malware, it was often used for that purpose.||The first implementation of a lean and comparatively stealthy client with an extensive (“luxury”) back-end command-and-control console. BO was frequently used to create early zombies or bots used to commit illegal acts.
A characteristic of the time was the origin of BO, given as a loose grouping of sports hackers known as “Cult of the Dead Cow.”
|Melissa (2000)||The first successful worm, piggybacking MS Outlook™ to spread across networks. It entailed some data leakage.|
|Sub Seven (2001?)(2003)||A remote administration tool (RAT) extending the concepts of Back Orifice and others to create an extremely powerful tool. Behavior resembled a Trojan. While not explicitly designed as malware, it was almost exclusively used for that purpose.||Sub Seven (S7) gained notoriety as one of the ultimate RATs with an unusually wide functionality. The S7 agent in infected machines had been perfected by inserting various protective mechanisms. S7 marked a turning point inasmuch as it allowed the remote command and control of very large numbers of bots.|
|Sony BMG copy protection (2005)||A scandal erupted in 2005 regarding Sony BMG’s implementation of deceptive, illegal, and harmful copy protection measures on about 22 million CDs. When inserted into a computer, the CDs installed one of two pieces of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware.
Category : Rootkits
|Sony claims this was unintentional. One of the programs installed, even if the user refused its end-user license agreement (EULA), would still « phone home » with reports on the user’s private listening habits; the other was not mentioned in the EULA at all, contained code from several pieces of open-source software in an apparent infringement of copyright, and configured the operating system to hide the software’s existence, leading to both programs being classified as rootkits.|
|Zeus family and derivatives (2007)||A Trojan performing key logging and exfiltrating user banking data||One of the first Trojans used for cybercrime|
|Conficker (2008)||Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008
Category : worm
|Stuxnet (2010)||Stuxnet is a malicious computer worm, first uncovered in 2010 by Kaspersky Labs, the antivirus company. Thought to have been in development since at least 2005, stuxnet targets SCADA systems and was responsible for causing substantial damage to Iran’s nuclear program. Although neither country has admitted responsibility, since 2012 the worm is frequently described as a jointly built American/Israeli cyberweapon.|
|Duqu (2011)||A Stuxnet derivative used for information harvesting containing no apparent destructive payload||The evolution of Stuxnet featuring plug-and-play payload capability. While Duqu, in itself, was not destructive, it would have allowed the plugging in of various kinds of payload modules.|
|CryptoLocker (2013)||A typical ransomware designed to infect end-user machines, followed by ransom demands||See content on ransomware.|
|Regin (2014)||Believed to be a cyberweapon developed to target high-security IT environments. Publicly available information indicates that it was used against only 20-30 targets.||The first specimen of a full-fledged cyberweapon used for military and clandestine service purposes. The very few instances of targeted deployment suggest that Regin is not used for cybercrime but exclusively for “surgical” intelligence gathering.|
Source : ISACA – Cybersecurity CSX