What is Malware?
Malware is malicious software — that
is to say programs that violate one or more of the Five
Pillars of IA (unbeknownst to the user under whose account
it is running). Note that malware does not generally refer to
software with unintentional bugs that adversely impact the confidentiality,
integrity or availability of an information system.
Malware usually represents a different approach to attacking a
system than the network attacks we've discussed, because the
victim generally installs the malware or takes some action that
results in the malware being installed — not realizing
what they're doing, of course.
In other words, instead of breaking into a system, we trick
users into inviting us in. I'm reminded of vampires and how
they have to be invited in.
We'll look at three types of Malware, categorized by how they
get on your computer, i.e. how they propagate.
Malware is often associated with online crime.
In this video, Mikko Hypponen gives a short, entertaining lecture about online crime and the threat it poses, and tells some interesting concrete stories about malware in the process.
Computer Virus Grounds Drone Fleet
Viruses and malware are problems out in the fleet, not only on
people's everyday work computers, but also in the computers
used to control platforms — like UAVs. Click on the
image to the right to read about how a persistent virus on
computers used to control drones disrupted operations in the
Fall of 2011.
Computer Virus
This term is the most broadly used word to describe unwanted programs on our
computers. A computer virus is a computer program that can replicate itself
and "infect" a computer without permission or knowledge of the user. A virus
might corrupt or delete data on a computer, or even the whole hard drive.
A virus will attach itself to another program or file on your computer. Most
often they will attach to executables, and cannot run unless the executable
file is executed. A virus cannot spread past your computer without some
human action assisting. There are many different kinds of
viruses including:
- Macro: A virus written in a macro language, such as the one built into a word processor. Some programs (Microsoft Office products, for example) allow macro programs to be embedded in documents, and this provides a unique vector for viruses. A famous example is the Melissa virus. The virus was a macro inside a Microsoft Word document named List.DOC. A macro embedded in a Word document is exactly analogous to a script embedded in a webpage: when the Word document is opened, the macro is executed. In the case of the Melissa virus, the macro/script did some bad things, including sending e-mails with List.DOC attached to the first 50 addresses in your "address book", thereby propagating itself.
- Cross-site Scripting: An up-and-coming virus type, executed by your web browser. The Samy virus is an example. You can check out the actual injected JavaScript used in the virus, with a technical explanation of how it works from Samy himself.
- Program virus: The most traditional virus, a stand-alone executable program attached to some other file (which usually looks benign).
- Boot sector: Located in the boot sector of a disk, so it runs every time the computer boots. Setting this area of the disk to read-only is one defense.
How a virus can make copies of itself (i.e. how a virus could
"propagate") may seem like a bit of a mystery. To help understand
and make things a bit more concrete we looked in class at the
following virus for our message board
(NOTE: The JavaScript function encodeURIComponent() takes a string and encodes it in the form it needs to have in a URL calling a server-side script.):
<em id="foo">
I love SI110!
<script type="text/javascript">
if(Math.random()<0.05)
{
    document.location="mb.cgi?msg=" +
        encodeURIComponent('<em id="foo">' + document.getElementById("foo").innerHTML + '</em>');
}
</script>
</em>
Someone has to post this to the message board initially. Anyone visiting the message board subsequently sees the message I love SI110!, but what they don't see is that their browser executes the script. There is a 95% chance that the script will do nothing. But, the other 5% of the time it sends a message to the server that posts a copy of itself on the message board, except that the username attached to that message will be the victim's, i.e. the user who has just visited the message board.
The script uses document.getElementById("foo").innerHTML
to get a copy of itself, which is how it can reproduce. When your
instructor demoed this in class, you should've gotten a feeling
for the nasty nature of exponential growth!
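To make the propagation and its fix concrete, here is an added example (not code from the SI110 page): a toy model of the message-board virus above, beside the server-side HTML-escaping that neutralizes it. The payload string, the simulation and all function names are constructed for this illustration.

```javascript
// Added example, not from the SI110 page: a toy model of the message-board
// virus, plus the server-side fix. Payload and names are constructed.

// The self-replicating post: an <em> holding a script that reposts the <em>.
const PAYLOAD =
  '<em id="foo">I love SI110!<script>/* reposts innerHTML of #foo */</script></em>';

// Mitigation: the server HTML-encodes user text before storing/rendering it,
// so '<script>' becomes '&lt;script&gt;' and is displayed instead of executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// A browser rendering a post "executes" it only if live script markup survives.
function executesScript(body) {
  return /<script[\s>]/i.test(body);
}

// Simulate `visits` page views of the board. Each visit renders every post and
// each live copy fires with probability p (0.05 in the original). Because
// document.location navigates only once, a visit yields at most one repost,
// stored under the visitor's name. `rand` is injected for deterministic tests.
function simulate(visits, p, escaped, rand = Math.random) {
  const store = (user, body) => ({ user, body: escaped ? escapeHtml(body) : body });
  const board = [store('patient0', PAYLOAD)];
  for (let v = 1; v <= visits; v++) {
    const fired = board.some((post) => executesScript(post.body) && rand() < p);
    if (fired) board.push(store('visitor' + v, PAYLOAD));
  }
  return board;
}

// Chance that at least one of k live copies fires during a single visit: the
// more copies already on the board, the closer each visit comes to reposting.
function infectionChance(k, p) {
  return 1 - Math.pow(1 - p, k);
}
```

With escaping switched off every visit eventually adds a copy; with it on, the very first post is rendered as harmless text and the board never grows.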
Worms
A computer worm is a self-replicating, self-propagating program that
uses networking mechanisms to spread itself. This is a virus with the added
functionality of spreading across a network without any help
from a user. This is in contrast with most viruses and
trojans, which rely on the unwitting help of users.
A worm typically scans the surrounding network and then exploits specific
vulnerabilities in the host operating systems or services via an open port
and then transfers itself to the new host. There are also other methods of
propagation.
Some famous examples: the Stuxnet worm, which targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems.
Trojan Horse
A trojan horse is named for the famous Greek story of ancient times. In the
computer world, a trojan horse is a program that appears to have a useful
function, but also has a hidden and potentially malicious function that
evades security mechanisms, sometimes exploiting legitimate authorizations
of a system entity that invoked the program.
In contrast to viruses, trojans don't try to propagate: they don't try to replicate themselves or send themselves to other machines. In fact, "trojan" refers to the mechanism by which the malware is delivered, not really to the malware itself. Once malware is delivered via a trojan, it might be used to gain access to other hosts, but not usually via the same trojan mechanism.
Back Orifice is an example of a trojan program. It provided legitimate
functionality as a remote administration tool, but other functionality
made it less suited for this legitimate role. The Back Orifice server program
can hide itself from cursory inspections of the system and can even be
installed without the user's permission.
Another vector prevalent today is fake anti-virus programs on the web. A person visits a web site, and a pop-up window indicates they have 17 different types of spyware/viruses on their computer. If the user then downloads the program to eliminate the malware, he or she has now installed a different malware program! The initial window that the user sees is in all likelihood just making up results to get the user to download the program.
To see a concrete example of a Trojan Horse, go check out your
personal SI110 webpage (recall: http://rona.cs.usna.edu/~m169999/index.html).
You included a Javascript script that served the really useful
function of displaying the HTML code in the body of your webpage.
However, hidden inside that script is a "logic bomb", a piece
of code which, when the right conditions are satisfied, will
suddenly change the behavior of the program to do
something bad. (If you do a View Source on your personal page and then click on the link for the Trojan Horse JavaScript, you should be able to discover the logic bomb!)
Malware: Once it gets on my computer, what does it do?
Once on your system, Malware could be doing a host of bad
things.
- Files could be deleted or sent back to the attacker. This is not very imaginative, of course, but still bad for you.
- Your machine could become a zombie, i.e. a host that's owned (in the sense of being able to give it commands as administrator) by a bad guy and, at his bidding, might be used to do bad things like send spam or participate in a DDoS attack. Collections of zombies with a single master are often called botnets. There are large botnets out there of hundreds of thousands of hosts, whose services are for sale. Malware often uses the internet to communicate with a command and control host from which it receives instructions on what to do next. Zombie hosts may simply be waiting for a signal from the command and control host. Check out Attack of the Bots, Wired Magazine, 2006. It's a bit old (2006) but is, in typical Wired fashion, a very nicely written, engaging account of a botnet attack. Botnets are a serious problem, posing a threat not only to businesses, but even to governments.
- Your machine may become a springboard for a larger attack against the system you are a part of. Once again, there may be a command and control host sending instructions as to what to do next.
- Programs that violate confidentiality might be installed, like keyloggers which capture what you type (or more generally what you click on or see on the screen). The malware could even turn on your computer's webcam unbeknownst to you and get a video feed! [Computer Technician Trevor Harwell Installed Peeping Software On Women's Computers; Sophos press release on webcam spying]
Revisiting the DoD ban on USB sticks
You now know enough to understand the malware threat that led to the DoD banning use of USB sticks. It was named "Agent.btz", and is a variant of "SillyFDC" with the following capabilities:
- it begins executing when the Windows Desktop appears
- it injects code into explorer.exe (i.e., the Windows Desktop program itself)
- it copies itself to attached removable drives (e.g., a USB stick)
- it executes automatically when an infected removable drive is attached
- it can download and install files from particular URLs
- it modifies security settings and Safe Mode settings
- it bypasses the Windows firewall and disables Task Manager
Imagine that malware on the NIPRnet!
Spyware
Spyware is software that is secretly installed onto a computer with the
express intent of gathering information on individuals or organizations
without their knowledge. This may involve changing settings on a computer
such as browser homepage, slowing down your network connection speed,
or directing you to specific webpages. This type of malware is commonly
associated with identity theft, software based keylogging, or "spying"
on another user's activities in the digital realm (Loverspy).
HTTP cookies may be used, but unlike a cookie, spyware is an executable program.
Adware
Adware is advertising-supported software. Adware is any
software package which automatically plays, displays, or downloads
advertisements to a computer. These advertisements can be in the form of
a pop-up. The object of the adware is to generate revenue for its
author. Adware, by itself, is harmless (other than the bandwidth reduction
it typically causes). However, some adware may come with integrated
spyware such as a keylogger. Like spyware, adware may use HTTP cookies,
but adware and HTTP cookies are quite different entities.
Duqu: a mini case study
One instance of Malware that has recently come to light is known
as Duqu. Taking a little closer look at it is worthwhile
because it illustrates a few points from this lesson along with
connections to prior lessons. First off, there have been
several Duqu attacks. We're talking about one of them. An
interesting feature is that they each appear to have been
somewhat customized to their target.
- Getting a foot in the door: Duqu was initiated with a spearphishing attack: an e-mail to a company employee requesting more information with, in particular, the line "In the attached file, please see a list of requests." The "attached file" was an innocuous-looking Microsoft Word document. Opening up that Word document is what started all the trouble. In this we see why malware offers a different approach to attacking: the user actually opened the door and let the attacker in when he opened that attachment.
- The exploit (executing shell code with administrator privileges): So how could simply viewing a Word document cause problems? Well, the Word document sent in this attack contained an "embedded font", meaning that the file contained within it a block of bytes that defined what the characters used in the document should look like when displayed. The bytes that comprise the font definition are read in and processed by OS code that runs with administrator privileges. The font definition was actually badly formed in such a way as to trick this OS code into executing shell code (which was also part of the badly formed font definition), and because it was executed by the OS code, that shell code ran with the highest possible privileges. This shell code installed the Duqu malware, which then was up and running long-term on the host, regardless of whether the Word document or Word itself remained open.
- Once established, what did it do? The motives of the attackers using Duqu have not been publicly reported. But some of the activities of the malware, if not the reasons for the activities, have been disclosed. Duqu contacted a command-and-control (C&C) server to receive instructions; the communication between the C&C server and the infected machine was done over HTTP and HTTPS. At least one Duqu C&C server, though not the one in the attack we're describing, was traced to a machine in Belgium at IP address 77.241.93.160. The C&C server loaded an extra module (piece of code) on the infected host that allowed it to attack another machine on the same network, making use of that local network access. Yet another module loaded onto the infected host by the C&C server was a key logger, which logged keystrokes and grabbed screen captures.
Further Reading
Malware as a Weapon
Malware has actually been used as an alternative to physical ("kinetic") attacks. In particular, as was related in a June 1 NY Times article, the U.S. and Israel cooperated to produce malware dubbed "Stuxnet", which was designed to cripple the Iranian nuclear weapons program. The article claims that one of the motivations for the U.S. in creating Stuxnet was to dissuade Israel from carrying out a physical attack. Was the U.S. also responsible for the Flame malware? Duqu?
There are serious ethical, legal, and policy questions surrounding the use of offensive "cyber weapons". With the revelation that the U.S. has created and used such a weapon, the debate around these questions has become more urgent. You are taking or will take courses here at USNA about ethics, policy and even law. Keep these questions about the use of cyber weapons in mind as you take these other courses.
Prevention/Detection/Recovery
Malware Prevention
- Email:
  - Open email only from trusted sources. Verify that an executable attachment was intended to be sent, and use a virus scanning program to scan the incoming attachment.
  - No one wants to give you money!
  - Do not respond to requests for personal information!
- Anti-Virus Software:
  - Scan new files/media prior to execution.
  - Maintain up-to-date definitions.
  - Run a full system scan periodically.
  - Many anti-virus solutions come with a system backup functionality that you may wish to explore.
- Removable Media:
  - Disable Autorun in your Control Panel.
  - Do not share thumbdrives/removable media between networks!
  - Follow established network user policy.
- Software:
  - Install Operating System updates when they are available.
  - Maintain 3rd party software with the latest patches and updates.
- Online:
  - Only visit trusted websites.
  - Be aware of HTTP cookies. You may block or disable them as applicable.
- Best Practices:
  - Turn off the computer system when it is not being monitored by an Intrusion Detection System (IDS)/Intrusion Protection System (IPS).
  - Enable auditing and monitor audits.
  - Correct any unsafe habits/policy violations.
  - Keep systems physically secure.
  - Follow/police established usage policies.
  - Report any abnormal response/uninitiated behavior to your system administrator immediately.

Malware Detection
- The user or administrator may observe abnormal behavior of the computer system: an action that was not initiated by the user, a new toolbar, a program the user did not install, browser homepage changes, etc. A processing and/or network bandwidth slowdown may also be observed.
- An anti-virus software scan can catch many types of malware! Make sure your program is using up-to-date definitions.
- An IDS/IPS may detect an abnormally high amount of network traffic coming from a particular node, and can then scan for worms looking to propagate, or even discover worms in action.
- Firewalls and email gateways can be configured to incorporate a malware scanner.

Recovery
Recovery is the final step in the process of moving back to a functional computing environment. Keep the following in mind as you proceed.
- Contact the IT Department or network administrator if available.
- Disconnect the computer from the network. This will prevent the sending of personal information back to the attacker, and will also prevent the propagation of a worm.
- Back up your important files. You should do this at periodic intervals. This is like car insurance. You want it there if you ever need it, but you hope you never need it.
- Scan your machine for malware with an anti-virus/anti-malware solution. It is best to use a recovery CD from the anti-virus company or your operating system disk. You should treat the operating system, programs, and files as if they are infected.
- Use a web-based scanning solution, such as Microsoft PC Protection Scan.
- To achieve the best results, it may be necessary to start Windows in Safe Mode (typically press F8 on startup). Safe Mode will prevent programs from automatically starting. You can also reinstall your anti-virus solution and perform a scan.
- As a last resort, you can always format the hard drive. Unless you are good friends with a computer forensics analyst, you will lose all of your programs and data. Once formatted, you will reinstall your operating system, and start over again. Make sure to properly configure your security settings!
- Always connect your computer back to the network as a last step. This helps protect everyone!
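The Worms section describes a worm scanning its surrounding network for hosts with an open port, and the detection column above notes that an IDS can spot the unusual traffic this produces. As an added example (not code from the SI110 page), here is a minimal detector of that pattern run over constructed connection-log lines; the log format, addresses and function names are all assumptions made for this illustration.

```javascript
// Added example, not from the SI110 page: flag hosts that contact many
// distinct neighbours on one port, the signature of a scanning worm.
// Log format and addresses are constructed for illustration.
const SAMPLE_LOG = [
  '10:00:01 src=10.1.1.7 dst=10.1.1.20 dport=445', // one host probing
  '10:00:01 src=10.1.1.7 dst=10.1.1.21 dport=445', // six neighbours on 445
  '10:00:02 src=10.1.1.7 dst=10.1.1.22 dport=445',
  '10:00:02 src=10.1.1.7 dst=10.1.1.23 dport=445',
  '10:00:03 src=10.1.1.7 dst=10.1.1.24 dport=445',
  '10:00:03 src=10.1.1.7 dst=10.1.1.25 dport=445',
  '10:00:04 src=10.1.1.9 dst=10.1.1.50 dport=80',  // normal browsing: repeats
  '10:00:05 src=10.1.1.9 dst=10.1.1.50 dport=80',  // to the same server
  '10:00:06 src=10.1.1.9 dst=10.1.1.51 dport=443',
  'garbage line that does not parse',
];

// Parse one "time src=... dst=... dport=..." line; return null if malformed.
function parseLine(line) {
  const m = /^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$/.exec(line);
  if (!m) return null;
  return { time: m[1], src: m[2], dst: m[3], dport: Number(m[4]) };
}

// Report every (source, port) pair that reached at least `threshold` distinct
// destinations. Repeated connections to one server do not count as scanning.
function findScanners(lines, threshold) {
  const seen = new Map(); // "src|dport" -> Set of distinct dst addresses
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.src}|${r.dport}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(r.dst);
  }
  const hits = [];
  for (const [key, dsts] of seen) {
    if (dsts.size >= threshold) {
      const [src, dport] = key.split('|');
      hits.push({ src, dport: Number(dport), targets: dsts.size });
    }
  }
  return hits;
}
```

In practice the threshold would be tuned per network and applied within a time window, since a legitimate scanner or a busy server can also touch many hosts.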