What is Malware?
Malware is mal
is to say programs that violate one or more of the Five
Pillars of IA (unbeknownst to the user under whose account
it is running). Note that malware does not generally refer to
software with unintentional bugs that adversely impact the confidentiality,
integrity or availability of an information system.
Malware usually represents a different approach to attacking a
system than the network attacks we've discussed, because the
victim generally installs the malware or takes some action that
results in the malware being installed — not realizing
what they're doing, of course.
In other words, instead of breaking into a system, we trick
users into inviting us in. I'm reminded of vampires and how
they have to be invited in.
We'll look at three types of Malware, categorized by how they
get on your computer, i.e. how they propagate.
- Trojan Horse (a.k.a. trojan)
Malware is often associated with online crime.
, Mikko Hypponen gives a short, entertaining lecture
about online crime and the threat it poses, and tells some
interesting concrete stories about malware in the process.
Computer Virus Grounds Drone Fleet
Viruses and malware are problems out in the fleet, not only on
people's everyday work computers, but also in the computers
used to control platforms — like UAVs. Click on the
image to the right to read about how a persistent virus on
computers used to control drones disrupted operations in the
Fall of 2011.
This term is the most broadly used word to describe unwanted programs on our
computers. A computer virus is a computer program that can replicate itself
and "infect" a computer without permission or knowledge of the user. A virus
might corrupt or delete data on a computer, or even the whole hard drive.
A virus will attach itself to another program or file on your computer. Most
often they will attach to executables, and cannot run unless the executable
file is executed. A virus cannot spread past your computer without some
human action assisting. There are many different kinds of
How a virus can make copies of itself (i.e. how a virus could
"propagate") may seem like a bit of a mystery. To help understand
and make things a bit more concrete we looked in class at the
following virus for our message board
encodeURIComponent( ) takes a string and encodes it in the form it
should have to be in a URL calling a server side script.):
Macro: A virus written in a macro language for a separate application, such as a word processor.
Some programs allow macro programs to be embedded in documents (Microsoft
Office products), this provides a unique vector for
viruses. A famous example is
the Melissa virus.
The virus was a macro inside a Microsoft Word
List.DOC. A macro
embedded in a
Word document is exactly analogous to a script embedded in a
web page: when the word document is opened, the macro is
executed. In the case of the Melissa virus, the macro/script
did some bad things, including sending e-mails out to the
first 50 addresses in your "address book" that had
as attachments, thereby propagating itself.
Program virus: This is the most traditional virus, a stand-alone
executable program attached to some other file (which
usually looks benign).
Boot sector: A virus that starts every time computer
boots. This can be mitigated by setting this area on the disk to read-only, so that only the Administrator can override.
I love SY110!
encodeURIComponent('<em id="foo">' + document.getElementById("foo").innerHTML + '</em>');
Someone has to post this to the message board initially. For
anyone visiting the message board subsequently, they see the
message I love SY110!, but what they don't see is that
their browser executes the script. There is a 95% chance that the
script will do nothing. But, the other 5% of the time it sends a
message to the server that posts a copy of itself on the message
board, except that the username attached to that message will be
of the victim, i.e. the user who's just visited the message board.
The script uses
to get a copy of itself, which is how it can reproduce. When your
instructor demoed this in class, you should have gotten a feeling
for the nasty nature of exponential growth!
A computer worm is a self-replicating, self-propagating program that
uses networking mechanisms to spread itself. This is a virus with the added
functionality of spreading across a network without any help
from a user. This is in contrast with most viruses and
Trojans, which rely on the unwitting help of users.
A worm typically scans the surrounding network and then exploits specific
vulnerabilities in the host operating systems or services via an open port
and then transfers itself to the new host. There are also other methods of
The Stuxnet worm targeted Siemens Supervisory Control and Data
Acquisition (SCADA) systems.
Some famous examples:
A trojan horse is named for the famous Greek story of ancient times. In the
computer world, a trojan horse is a program that appears to have a useful
function, but also has a hidden and potentially malicious function that
evades security mechanisms, sometimes exploiting legitimate authorizations
of a system entity that invoked the program.
In contrast to viruses, Trojans don't try to propagate —
they don't try to replicate themselves or send themselves to
other machines. In fact, "trojan" refers to the mechanism by
which the malware is delivered not really to the malware
itself. Once malware is delivered via a trojan, in might be
used to gain access to other hosts, but not usually via the
same trojan mechanism.
Back Orifice is an example of a trojan program. It provided legitimate
functionality as a remote administration tool, but other functionality
made it less suited for this legitimate role. The Back Orifice server program
can hide itself from cursory inspections of the system and can even be
installed without the user's permission.
Another vector prevalent today is through anti-virus programs on the web.
A person visits a web site, and a pop-up window indicates they have 17
different types of spyware/viruses on their computer. If the user then
downloads the program to eliminate the malware, he or she has now installed
a different malware program! The initial windows that the user sees is in
all likelihood just making up results to get the user to download the
To see a concrete example of a Trojan Horse, go check out your
personal SY110 web page (recall: http://rona.cs.usna.edu/~m9999/index.html).
function of displaying the HTML code in the body of your web page.
However, hidden inside that script is a "logic bomb", a piece
of code which, when the right conditions are satisfied, will
suddenly change the behaviour of the program to do
something bad. (If you do a view Source on your personal page
you should be able to discover the logic bomb!)
Malware: Once it gets on my computer, what does it do?
Once on your system, Malware could be doing a host of bad
Files could be deleted or sent back to the attacker.
This is not very imaginative, of course, but still bad for you.
Your machine could become
a zombie, i.e. a host that's owned (in the sense of
being able to give it commands as administrator) by a bad guy and, at
his bidding, might be used to do bad things like send spam or
participate in a DDoS attack.
Collections of zombies with a single master are often called
botnets. There are large botnets out there of
hundreds of thousands of hosts, whose services are for sale.
Malware often uses the Internet to communicate with a
command and control host from which it receives
instructions on what to do next. Zombie hosts may simply be
waiting for a signal from the command and control host.
Check out Attack of the Bots, Wired
Magazine, 2006. It's a bit old (2006) but is, in
typical Wired fashion, a very nicely written, engaging
account of a botnet attack. Botnets are a serious
problem, posing a threat not only to businesses, but even
Your machine may become a springboard for a larger attack
against the system you are a part of. Once again, there may
be a command and control host sending instruction as to what
to do next.
Programs that violate confidentiality might be
installed, like keyloggers which capture what you
type (or more generally what you click on or see on the
screen). The Malware could even turn on your computer's
webcam unbeknownst to you and get a video feed!
Technician Trevor Harwell Installed Peeping Software On
Sophos press release on webcam spying
Revisiting the DoD ban on USB sticks
You now know enough to understand the malware threat
that led to the DoD banning use of USB sticks. It was
named "Agent.btz", and is a variant of
the following capabilities:
- it begins executing when the Windows Desktop appears
- it injects code into explorer.exe (i.e., the Windows Desktop program itself)
- copies itself to attached removable drives (e.g., a USB stick)
- executes automatically when an infected removable drive is attached
- can download and install files from particular URLs
- modifies security settings and Safe Mode settings
- bypasses Windows firewall and disables Task Manager
Imagine that malware on the NIPRnet!
Spyware is software that is secretly installed onto a computer with the
express intent of gathering information on individuals or organizations
without their knowledge. This type of malware is commonly
associated with identity theft, software based keylogging, or "spying"
on another user's activities in the digital realm (Loverspy).
HTTP cookies may be used for spying, but unlike a cookie, spyware is an executable program.
Adware is advertising-supported software. Adware is any
software package which automatically plays, displays, or downloads
advertisements to a computer. These advertisements can be in the form of
a pop-up. This software may also change settings on a computer
such as the browser homepage. The object of the adware is to generate revenue for its
author. Adware, by itself, is harmless (other than the bandwidth reduction
it typically causes). However, some adware may come with integrated
spyware such as a keylogger. Like spyware, HTTP cookies can be used to target you with advertisements,
but adware and HTTP cookies are quite different entities.
Duqu: a mini case study
One instance of Malware that has recently come to light is known
as Duqu. Taking a little closer look at it is worthwhile
because it illustrates a few points from this lesson along with
connections to prior lessons. First off, there have been
several Duqu attacks. We're talking about one of them. An
interesting feature is that they each appear to have been
somewhat customized to their target.
Getting a foot in the door
Duqu was initiated with a spearphishing attack: an e-mail to a
company employee requesting more information with, in
particular, the line "In the attached file, please see a
list of requests." The "attached file" was an
innocuous-looking Microsoft Word document. Opening up that
Word document is what started all the trouble. In this we see
why malware offers a different approach to attacking: the user
actually opened the door and let the attacker in when he
opened that e-mail.
The exploit: executing shell-code with administrator privileges
So how could simply viewing a Word document cause problems?
Well, the Word document sent in this attack contained an
"embedded font", meaning that the file contained within in
it a block of bytes that defined what the characters used in
the document should look like when displayed. The bytes
that comprise the font definition are read in and processed
by OS code that runs with administrator privileges. The
font definition was actually badly formed in such a way as
to trick this OS code into executing shell code (which was
also part of the badly formed font definition) which,
because it was executed by the OS code, ran with
the highest possible privileges.
This shell code installed the Duqu malware, which then was
up and running long-term on the host, regardless of whether
the Word document or Word itself remained open.
Once established, what did it do?
The motives of the attackers using Duqu have not been
publicly reported. But some of the activities of the
malware, if not the reasons for the activities, have been
disclosed. Duqu contacted a command-and-control (C&C)
server to receive instructions. In fact, the communication
between C&C and the infected machine was
done over HTTP and HTTPS.
At least one Duqu C&C server, though not the one in the
attack we're describing, was traced to a machine in Belgium at IP
address 184.108.40.206. The C&C server loaded an extra
module (piece of code)
on the infected host that allowed it to attack another
machine on the same network, making use of that local
network access. Yet another module loaded onto the infected
host by the C&C server was a key logger, which logged
keystrokes and grabbed screen captures.
Information on the scope of Duqu infections.
A detailed description of one particular infection. Lots of nice screenshots!
NIST National Vulnerability Database entry for the Windows
font processing vulnerability exploited by Duqu.
7 Facts On Duqu Malware Attacks
Malware as a Weapon
Malware has actually been used as an alternative to physical
("kinetic") attacks. In particular, as was related in a
, the U.S. and Israel cooperated to produce
malware dubbed "Stuxnet", which was designed to cripple the
Iranian nuclear weapons program. The article claims that one
of the motivations for the U.S. in creating Stuxnet was to
dissuade Israel from carrying out a physical attack.
Was the U.S. also responsible for the Flame malware? Duqu?
There are serious ethical, legal, and policy questions
surrounding the use of offensive "cyber weapons". With the
revelation that the U.S. has created and used such a weapon,
the debate around these questions has become more urgent.
Your are taking or will take courses here at USNA about
ethics, policy and even law. Keep these questions about the
use of cyber weapons in mind as you take these other courses.
- Open email only from trusted sources. Verify the executable
file was intended to be sent, and use a virus scanning program
to scan the incoming attachment.
- No one wants to give you money!
- Do not respond to requests for personal information!
- Anti-Virus Software:
- Scan new files/media prior to execution.
- Maintain up-to-date definitions.
- Run a full system scan periodically.
- Many anti-virus solutions come with a system backup
functionality that you may wish to explore.
- Removable Media:
- Disable Autorun in your Control Panel.
- Do not share thumb drives/removable media between networks!
- Follow established network user policy.
- Install Operating System updates when they are available.
- Maintain 3rd party software with the latest patches and updates.
- Only visit trusted websites.
- Be aware of HTTP cookies. You may block or disable as applicable.
- Best Practices:
- Turn off the computer system when it is not being monitored by an
Intrusion Detection System(IDS)/Intrusion Protection System(IPS).
- Enable auditing and monitor audits.
- Correct any unsafe habits/policy violations.
- Keep systems physically secure.
- Follow/police established usage policies.
- Report any abnormal response/uninitiated behavior to your
system administrator immediately.
- User/Administrator may observe abnormal behavior of the computer
system. This maybe be an action that was not initiated by the user,
a new toolbar, a program the user did not install, browser homepage
changes, etc. A processing and/or network bandwidth slowdown may also
- Anti-virus software scan can catch many types of malware! Make
sure your program is using up-to-date definitions.
- An IDS/IPS may detect an abnormally high amount of network traffic
coming from a particular node, and can then scan for worms looking to
propagate, or even discover worms in action.
- Firewalls and email gateways can be connected to incorporate a
Recovery is the final step in the process of moving back to a functional
computing environment. Keep the following in mind as you proceed.
- Contact the IT Department or network administrator if available.
- Disconnect the computer from the network. This will prevent the
sending of personal information back to the attacker, and will also
prevent the propagation of a worm.
- Backup your important files. You should do this at periodic intervals.
This is like car insurance. You want it there if you ever need it, but
you hope you never need it.
- Scan your machine for malware with an anti-virus/anti-malware
solution. It is best to use a recovery cd from the anti-virus
company or your operating system disk. You should treat the operating
system, programs, and files as if they are infected.
- Use a web-based scanning solution, such as Microsoft PC Protection
- To achieve the best results, it may be necessary to start windows
in Safe Mode (typically press F8 on startup). Safe Mode will prevent
programs from automatically starting. You can also reinstall your
anti-virus solution and perform a scan.
- As a last resort, you can always format the hard drive. Unless you are
good friends with a computer forensics analyst, you will lose all of your
programs and data. Once formatted, you will reinstall your operating
system, and start over again. Make sure to properly configure your
- Always connect your computer back to the network as a last step.
This helps protect everyone!