Antivirus Defense-in-Depth Guide

Chapter 2: Malware Threats

Published: May 20, 2004 | Updated: August 25, 2004

Introduction

This chapter of The Antivirus Defense-in-Depth Guide provides a concise explanation of the evolution of computer viruses, from the first relatively simple viruses to the diverse assortment of malicious software, or malware, that exists today. The chapter defines an assortment of known malware types and techniques, and also provides information about malware propagation and the risks it poses to organizations of any size.

Because of the nature of this ever-evolving topic, this guide is not designed to capture and explain all malware elements and possible variations. However, it does provide a significant first step in trying to understand the nature of the various elements that comprise malware. The guidance also discusses and defines other things that are not malware, such as spyware (programs that conduct certain activities on a computer without obtaining appropriate consent from the user), spam (unsolicited e-mail), and adware (advertising that is integrated into software).

The Evolution of Computer Viruses

The first computer viruses were introduced in the early 1980s. These first attempts were largely experimental and relatively simple self-replicating files that would display simple taunts or jokes when executed.

Note: It should be noted that providing a definitive history of virus evolution is all but impossible. The illegal nature of malware means that it is in the interests of the perpetrators to hide the origins of the malicious code. This guidance distills the commonly accepted history of malware from virus researchers and the antivirus industry.

By 1986, the first viruses to attack Microsoft MS-DOS personal computers had been reported; the Brain virus was generally thought to be the first of these computer viruses. However, other firsts in 1986 included Virdem (the first file virus) and PC-Write (the first Trojan horse, a program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run). In the case of PC-Write, the Trojan horse masqueraded as a popular shareware word processor application of the same name.

As more people began exploring virus technology, the number of viruses, the platforms being targeted, and virus complexity and diversity all began to increase substantially. Viruses focused on boot sectors for some time, and then began to infect executable files. In 1988, the first Internet worm (a type of malware that uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections) appeared. The Morris Worm caused Internet communications to slow substantially. In response to this and the growing number of outbreaks, the CERT Coordination Center (http://www.cert.org/) was founded to help ensure the stability of the Internet by assisting in the coordination of responses to outbreaks and incidents.

In 1990, the Virus Exchange BBS went online as an exchange for virus writers to collaborate and share their knowledge. Also, the first book on virus writing was published, and the first polymorphic virus (commonly referred to as Chameleon or Casper) was developed. A polymorphic virus is a type of malware that uses an unlimited number of encryption routines to prevent detection. Polymorphic viruses have the ability to change themselves each time they replicate, which makes them difficult to detect by signature-based antivirus software programs that are designed to "recognize" viruses. Shortly thereafter, Tequila, the first major polymorphic virus attack, was released. Then in 1992, the first polymorphic virus engine and virus writing toolkits emerged.

Since then, viruses have become more sophisticated: viruses started accessing e-mail address books and sending themselves to contacts; macro viruses attached themselves to various office-type application files and attacked them; and viruses written specifically to exploit operating system and application vulnerabilities were released. E-mail, peer-to-peer (P2P) file-sharing networks, Web sites, shared drives, and product vulnerabilities are all exploited for virus replication and attack. Backdoors (secret or hidden network entry points introduced by malware) are created on infected systems to enable virus writers, or hackers, to return and run whatever software they choose. A hacker in the context of this guidance is a programmer or computer user who attempts illegal access to a computer system or network. Malware is discussed in detail in the next section of this chapter.

Some viruses come with their own embedded e-mail engines that enable an infected system to propagate the virus directly via e-mail, bypassing any settings in the user's e-mail client or server. Virus writers have also begun carefully architecting their attacks and using social engineering to develop e-mail messages with an authentic "look and feel." This approach seeks to engage users' trust to open the attached virus file, and dramatically increases the likelihood of a large-scale infection.

Throughout this malware evolution, antivirus software has continued to evolve as well. However, the majority of current antivirus software relies almost entirely on virus signatures (the identifying characteristics of malicious software) to identify potentially harmful code. A window of exposure still exists between the initial release of a virus and the time when its signature files are broadly distributed by antivirus vendors. As a result, many viruses released today demonstrate a dramatically rapid infection rate in the first few days, followed by a sharp decline once the signature files are distributed to counteract them.

What Is Malware?

This guide uses the term malware (an abbreviation of the phrase "malicious software") as a collective noun to refer to viruses, worms, and Trojan horses that intentionally perform malicious tasks on a computer system.

So what exactly is a computer virus or a worm? How are these different from Trojan horses? And will antivirus applications work against worms and Trojan horses, or only against viruses?

All these questions stem from the confusing and often misrepresented world of malicious code. The significant number and variety of existing malicious code makes it difficult to provide a perfect definition of each malware category.

For general antivirus discussions, the following simple definitions of malware categories apply:

Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. A Trojan horse does this by delivering a malicious payload or performing a malicious task when it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function. Also called Trojan code.

Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.

Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.

For the purpose of this guide, a payload is a collective term for the actions that a malware attack performs on the computer once it has been infected. These definitions of the various categories of malware make it possible to illustrate the differences between them in a simple flowchart. The following figure illustrates the elements that help to determine if a program or script falls into one of these categories:

Figure 2.1 A malicious code decision tree

This figure makes it possible to distinguish between each of the common malicious code categories for the purposes of this guide. However, it is important to understand that a single attack may introduce code that fits into more than one of these categories. These types of attack (referred to as blended threats, which consist of more than one type of malware using multiple attack vectors) can spread at rapid rates. An attack vector is a route that malware can use to mount an attack. For these reasons, blended threats can be especially difficult to defend against.

In the following sections a more detailed explanation of each malware category is provided to help illustrate some of the key elements of each.

Trojan Horses

A Trojan horse is not considered a computer virus or worm because it does not propagate itself. However, a virus or worm may be used to copy a Trojan horse on to a target system as part of the attack payload, a process referred to as dropping. The typical intent of a Trojan horse is to disrupt the user's work or the normal operations of the system. For example, the Trojan horse may provide a backdoor into the system for a hacker to steal data or change configuration settings.

Two other terms are often used when referring to Trojan horses or Trojan-type activities; they are identified and explained as follows:

Remote Access Trojans. Some Trojan horse programs allow the hacker or data thief to control a system remotely. Such programs are called Remote Access Trojans (RATs) or backdoors. Examples of RATs include Back Orifice, Cafeene, and SubSeven.

For a detailed explanation of this type of Trojan horse, see the article "Danger: Remote Access Trojans" on Microsoft TechNet at:
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx.

Rootkits. These are collections of software programs that a hacker can use to gain unauthorized remote access to a computer and launch additional attacks. These programs may use a number of different techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a backdoor into the system, and starting attacks against other computers on the network. Rootkits are generally organized into a set of tools that are tuned to specifically target a particular operating system. The first rootkits were identified in the early 1990s, and at that time the Sun and Linux operating systems were the main targets. Currently, rootkits are available for a number of operating systems, including the Microsoft Windows platform.

Note: Be aware that RATs and some of the tools that comprise rootkits may have legitimate remote control and monitoring uses. However, the security and privacy issues that these tools can introduce raise the overall risk to the environments in which they are used.

Worms

If the malicious code replicates, it is not a Trojan horse, so the next question to address in order to more clearly define the malware is: "Can the code replicate without the need for a carrier?" That is, can it replicate without the need to infect an executable file? If the answer to this question is "Yes," the code is considered to be some form of worm.

Most worms attempt to copy themselves onto a host computer and then use the computer's communication channels to replicate. For example, the Sasser worm relies on a service vulnerability to initially infect a system, and then uses the infected system's network connection to attempt to replicate. If you have installed the latest security updates (to stop the infection), or enabled the firewalls in your environment to block the network ports the worm uses (to stop the replication), the attack will fail. In the case of Windows XP, once Service Pack 2 has been applied, both the infection and replication methods are blocked. This is because the service vulnerability has been removed and the Windows firewall is enabled by default. Additionally, if the Automatic Updates option is set to Automatic (recommended), any future issues will be addressed as the updates become available.

Viruses

If the malicious code adds a copy of itself to a file, document, or boot sector of a disk drive in order to replicate, it is considered a virus. This copy may be a direct copy of the original virus or it may be a modified version of the original. See the "Defense Mechanisms" section later in this chapter for more details. As mentioned earlier, a virus will often contain a payload that it may drop on a local computer, such as a Trojan horse, which will then perform one or more malicious acts, such as deleting user data. However, a virus that only replicates and has no payload is still a malware problem because the virus itself may corrupt data, take up system resources, and consume network bandwidth as it replicates.

Malware Characteristics

The various characteristics that each category of malware can exhibit are often very similar. For example, a virus and a worm may both use the network as a transport mechanism. However, the virus will look for files to infect while the worm will simply attempt to copy itself. The following section explains the typical characteristics of malware.

Target Environments

As malware attempts to attack a host system, there may be a number of specific components that it requires before the attack can succeed. The following are typical examples of what malware may require to attack the host:

Devices. Some malware will specifically target a device type, such as a personal computer, an Apple Macintosh computer, or even a Personal Digital Assistant (PDA), although it should be noted that PDA malware is currently rare.

Operating systems. Malware may require a particular operating system to be effective. For example, the CIH or Chernobyl virus of the late 1990s could only attack computers running Microsoft Windows 95 or Windows 98.

Applications. Malware may require a particular application to be installed on the target computer before it can deliver a payload or replicate. For example, the LFM.926 virus of 2002 could only attack if Shockwave Flash (.swf) files could execute on the local computer.

Carrier Objects

If the malware is a virus, it will attempt to target a carrier object (also known as a host) to infect it. The number and type of targeted carrier objects varies widely among malware, but the following list provides examples of the most commonly targeted carriers:

Executable files. This is the target of the "classic" virus type that replicates by attaching itself to a host program. In addition to typical executable files that use the .exe extension, files with extensions such as the following can also be used for this purpose: .com, .sys, .dll, .ovl, .ocx, and .prg.

Scripts. Attacks that use scripts as carriers target files that use a scripting language such as Microsoft Visual Basic Script, JavaScript, AppleScript, or Perl Script. Extensions for files of this type include: .vbs, .js, .wsh, and .prl.

Macros. These carriers are files that support a macro scripting language of a particular application such as a word processor, spreadsheet, or database application. For example, viruses can use the macro languages in Microsoft Word and Lotus Ami Pro to produce a number of effects, ranging from mischievous (switching words around in the document or changing colors) to malicious (formatting the computer's hard drive).

Boot sector. Specific areas of computer disks (hard disks and bootable removable media) such as the master boot record (MBR) or DOS boot record can also be considered carriers because they are capable of executing malicious code. Once a disk is infected, replication is achieved if it is used to start other computer systems.

Note: If the virus targets both files and boot sectors for infection it may be referred to as a multipartite virus.

Transport Mechanisms

An attack can use one or many different methods to try and replicate between computer systems. This section provides information about a few of the more common transport mechanisms malware uses.

Removable media. The original and probably the most prolific transmitter of computer viruses and other malware (at least until recently) is file transfer. This mechanism started with floppy disks, then moved to networks, and is now finding new media such as Universal Serial Bus (USB) devices and Firewire. The rate of infection is not as rapid as with network-based malware, yet the threat is ever present and hard to eradicate completely because of the need to exchange data between systems.

Network shares. Once computers were provided a mechanism to connect to each other directly via a network, malware writers were presented with another transport mechanism that had the potential to exceed the abilities of removable media to spread malicious code. Poorly implemented security on network shares produces an environment where malware can replicate to a large number of computers connected to the network. This has largely replaced the manual method of using removable media.

Network scanning. Malware writers use this mechanism to scan networks for vulnerable computers or randomly attack IP addresses. For example, the mechanism can send an exploit packet using a specific network port to a range of IP addresses with the aim of finding a vulnerable computer to attack.

Peer-to-peer (P2P) networks. In order for P2P file transfers to occur, a user must first install a client component of the P2P application that will use one of the network ports that are allowed through the organization's firewall, such as port 80. The applications use this port to get through the firewall and transfer files directly from one computer to another. These applications are readily available on the Internet, and they provide a transport mechanism that malware writers can use directly to help spread an infected file onto a client's hard disk.

E-mail. E-mail has become the transport mechanism of choice for many malware attacks. The ease with which hundreds of thousands of people can be reached via e-mail without the need for malware perpetrators to leave their computers has made this a very effective transport. It has been relatively simple to trick users into opening e-mail attachments (using social engineering techniques). Therefore, many of the most prolific malware outbreaks have used e-mail as their transport mechanism. There are two basic types of malware that use e-mail as a transport:

Mailer. This type of malware mails itself to a limited number of e-mail addresses, either by using mail software installed on the host (for example, Microsoft Outlook Express), or using its own built-in Simple Mail Transfer Protocol (SMTP) engine.

Mass mailer. This type of malware searches the infected computer for e-mail addresses, and then mass mails itself to those addresses, using either mail software installed on the host or its own built-in SMTP engine.

Remote exploit. Malware may attempt to exploit a particular vulnerability in a service or application in order to replicate. This behavior is often seen in worms; for example, the Slammer worm took advantage of a vulnerability in Microsoft SQL Server™ 2000. The worm generated a buffer overrun that allowed a portion of system memory to be overwritten with code that could run in the same security context as the SQL Server service. A buffer overrun is a condition that results from adding more information to a buffer than it is designed to hold. An attacker may exploit this vulnerability to take over a system. Microsoft identified and fixed this vulnerability months before Slammer was released, but few systems had been updated so the worm was able to spread.

Payloads

Once malware has reached the host machine via the transport, it will generally perform an action that is referred to as the payload, which can take a number of forms. Some of the more common payload types are identified in this section:

Backdoor. This type of payload allows unauthorized access to a computer. It can provide full access, but it may also be limited to access such as enabling File Transfer Protocol (FTP) access via port 21 on the computer. If the attack were to enable Telnet, a hacker could use the infected computer as a staging area for Telnet attacks on other computers. As stated earlier, a backdoor is sometimes referred to as a Remote Access Trojan.

Data corruption or deletion. One of the most destructive types of payload is malicious code that corrupts or deletes data, rendering the information on the user's computer useless. The malware writer has two choices here. The first option is to design the payload to execute immediately; while potentially disastrous for the computer it infects, this design leads to faster discovery of the malware and therefore limits its chance of replicating undetected. The other option is to leave the payload on the local system (in the form of a Trojan horse) for a period (see the "Trigger Mechanisms" section later in this chapter for examples of this), allowing the malware to spread before the payload is delivered and alerts the user to its presence.

Information theft. A particularly worrying type of malware payload is one designed to steal information. If a payload can compromise the security of a host computer, it is possible for it to provide a mechanism to pass information back to the malware perpetrators. This can happen in a number of ways; for example, a transfer could be automated so that the malware simply captures local files or information such as keys the user is pressing (in the hope of obtaining a user name and password). Another mechanism is to provide an environment on the local host that allows the attacker to control the host remotely or gain access to the files on the system directly.

Denial of Service (DoS). One of the simplest types of payload to deliver is a denial of service attack. A DoS attack is a computerized assault launched by an attacker to overload or halt a network service, such as a Web server or a file server. DoS attacks simply aim to render a particular service unusable for a period of time.

Distributed Denial of Service (DDoS). These types of attacks typically use infected clients that are usually completely unaware of their role in such an attack. A DDoS attack is a type of denial of service attack in which an attacker uses malicious code installed on various computers to attack a single target. An attacker may use this method to have a greater effect on the target than is possible with a single attacking computer. The semantics of how an attack happens vary from attack to attack, but they usually involve sending large amounts of data to a particular host or Web site that causes it to stop responding (or become unable to respond) to legitimate traffic. This floods the available bandwidth to the victim site and effectively takes the site offline.

This type of attack can be extremely hard to defend against, because the hosts responsible for the attacks are in fact unwitting victims themselves. DDoS attacks are usually conducted by bots (programs that perform repetitive tasks), such as Internet relay chat (IRC) Eggdrop bots, which a hacker can use to control “victim” computers via an IRC channel. Once those computers are under the control of the hacker they become zombies that can affect a target on command from the attacker without the knowledge of the computers' owners.

Both DoS and DDoS approaches can involve a number of different attack techniques, including:

System shutdowns. If malware is able to shut down or crash the host system, it can succeed at disrupting one or more services. Attacking the host system requires the malware to find a weakness in an application or the operating system that can cause the system to shut down.

Bandwidth flooding. Most services provided to the Internet are linked through a network connection of limited bandwidth that connects them to their clients. If a malware writer can deliver a payload that fills this bandwidth with false network traffic, it is possible to produce a DoS simply by stopping the clients from being able to connect directly to the service.

Network DoS. This type of payload attempts to overload the resources available to the local host. Resources such as microprocessor and memory capacity have been overrun by SYN flood attacks, where an attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server and deny legitimate network traffic to and from the host. E-mail bomb attacks also fill up storage resources to create a DoS attack in which an excessively large amount of e-mail data is sent to an e-mail address in an attempt to disrupt the e-mail program or to prevent the recipient from receiving further legitimate messages.

Service disruption. This type of payload also can cause a DoS. For example, if an attack on a Domain Name System (DNS) server disables the DNS service, this form of DoS has been achieved, even though all other services on the system may remain unaffected.
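Two of the symptoms described above, a backdoor that opens a listening port it should not (the FTP and Telnet case under "Backdoor") and a SYN flood that fills the pending connection queue (under "Network DoS"), both show up in a host's connection table. The following is an added example, not code from the guide: it parses a netstat-style snapshot and reports both. The expected-listener baseline, the half-open threshold, and the sample snapshot are assumptions constructed for this illustration.

```python
"""Read a netstat-style connection table and flag two symptoms the guide describes:
a backdoor listening on an unexpected port, and a SYN flood filling the
pending-connection queue.

Added example, not from the guide. The allow-list of expected listeners and
the half-open threshold are assumptions for this illustration.
"""
from collections import Counter, defaultdict

# Constructed snapshot modelled on Windows `netstat -an` output; no real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            203.0.113.9:51022      ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.21:40213    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.22:40214    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.23:40215    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.24:40216    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.25:40217    SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.26:40218    SYN_RECEIVED
  TCP    10.0.0.5:445           10.0.0.17:1049         SYN_RECEIVED
  UDP    0.0.0.0:123            *:*
"""

# Assumed baseline for this host: a Web server that also offers file sharing.
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 445)}

def split_endpoint(endpoint):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "fhost": fhost, "fport": fport, "state": state})
    return conns

def unexpected_listeners(conns, expected=EXPECTED_LISTENERS):
    """Listening TCP ports outside the baseline; a backdoor enabling Telnet (23) shows up here."""
    return sorted(c["lport"] for c in conns
                  if c["state"] == "LISTENING" and (c["proto"], c["lport"]) not in expected)

def syn_flood_ports(conns, threshold=5):
    """Ports holding more than `threshold` half-open connections, with the number of distinct sources."""
    counts = Counter()
    sources = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "SYN_RECEIVED":
            counts[c["lport"]] += 1
            sources[c["lport"]].add(c["fhost"])
    return {port: {"half_open": n, "sources": len(sources[port])}
            for port, n in counts.items() if n > threshold}

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("unexpected listeners:", unexpected_listeners(conns))
    print("possible SYN flood:", syn_flood_ports(conns))
```

A single SYN_RECEIVED on port 445 from an internal address is normal connection setup, which is why the check uses a threshold rather than reporting every half-open connection; the distinct-source count helps tell a flood from a single spoofed source apart from one coming from many infected clients.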

Trigger Mechanisms

Trigger mechanisms are a characteristic of malware that the malicious software uses to initiate replication or payload delivery. Typical trigger mechanisms include the following:

Manual execution. This type of trigger mechanism is simply the execution of the malware conducted directly by the victim.

Social engineering. Malware will often use some form of social engineering to help trick a victim into manually executing the malicious code. The approach may be relatively simple, such as those used in mass mailing worms where the social engineering element focuses on selecting text for the subject field of the e-mail message that is most likely to be opened by a potential victim. Malware writers may also use e-mail spoofing to attempt to trick the victim into believing an e-mail is from a trusted source. Spoofing is the act of impersonating a Web site or data transmission to make it appear genuine. For example, the original Dumaru worm, first seen in 2003, modified the From: field of e-mails to falsely claim it was sent from security@microsoft.com. (See "Hoaxes" in the next section of this chapter for more details on this characteristic.)

Semi-automatic execution. This type of trigger mechanism is started initially by a victim and then automatically executed from that point on.

Automatic execution. This type of trigger mechanism requires no manual execution at all. The malware executes its attack without the need for a victim to run any malicious code on the target computer.

Time bomb. This type of trigger mechanism performs an action after a certain period. This period may be a delay from the first execution of the infection or some pre-ordained date or date range. For example, the MyDoom.B worm would only start its payload routines against the Microsoft.com Web site on February 3, 2004, and against the SCO Group Web site on February 1, 2004. It would then stop all replication on March 1, 2004, although the time bomb's backdoor component would still stay active after this time.

Conditional. This type of trigger mechanism uses some predetermined condition as the trigger to deliver its payload, for example, a renamed file, a set of keystrokes, or an application starting up. Malware that uses this type of trigger is sometimes referred to as a logic bomb.
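The From: spoofing described under "Social engineering" leaves traces in the headers a mail gateway can compare: the visible sender claims one domain while the bounce address and the relaying hosts belong to another. The following added example (not code from the guide) implements that comparison with the standard library. The two heuristics and both sample messages are assumptions constructed for this illustration; the hosts and addresses in them are invented.

```python
"""Flag e-mail whose From: header disagrees with its delivery path.

Added example, not code from the guide. It implements a gateway-style check
for the From: spoofing described under "Social engineering" (Dumaru claiming
to be from security@microsoft.com). The two heuristics and the sample
messages are assumptions constructed for this illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed message in the Dumaru style: the visible sender is
# security@microsoft.com, but the bounce address and the relaying host are
# somewhere else entirely. Hosts and addresses are invented.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [203.0.113.10])
        by mx.example.org with SMTP; Tue, 24 Aug 2004 10:02:11 +0000
From: "Microsoft Security" <security@microsoft.com>
To: user@example.org
Subject: Use this patch immediately

Install the attached update.
"""

# Constructed message whose headers are consistent with each other.
CONSISTENT_MESSAGE = """\
Return-Path: <alerts@example.com>
Received: from smtp.example.com (smtp.example.com [203.0.113.20])
        by mx.example.org with SMTP; Tue, 24 Aug 2004 10:05:42 +0000
From: "Example Alerts" <alerts@example.com>
To: user@example.org
Subject: Scheduled maintenance

The service will be offline on Saturday.
"""

def address_domain(header_value):
    """Domain part of the address in a From:/Return-Path: header, lowercased ('' if none)."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def relaying_hosts(msg):
    """Host names from 'Received: from <host> ...' headers, topmost (latest hop) first."""
    hosts = []
    for value in msg.get_all("Received", []):
        parts = value.split()
        if len(parts) >= 2 and parts[0].lower() == "from":
            hosts.append(parts[1].lower())
    return hosts

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def spoof_indicators(raw_message):
    """Return human-readable reasons to distrust the From: header (empty list if none)."""
    msg = message_from_string(raw_message)
    indicators = []
    from_domain = address_domain(msg.get("From", ""))
    bounce_domain = address_domain(msg.get("Return-Path", ""))
    if from_domain and bounce_domain and from_domain != bounce_domain:
        indicators.append(f"From: domain {from_domain} differs from Return-Path domain {bounce_domain}")
    hosts = relaying_hosts(msg)
    if from_domain and hosts and not any(in_domain(h, from_domain) for h in hosts):
        # The last Received: header is the earliest hop, where the message entered the mail system.
        indicators.append(f"no relay in {from_domain}; message entered via {hosts[-1]}")
    return indicators

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("consistent", CONSISTENT_MESSAGE)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

Both heuristics produce false positives on legitimate bulk mail and mailing lists, where the bounce address and relays routinely belong to a provider rather than to the visible sender, so they suit a scoring or quarantine decision better than outright rejection.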

Defense Mechanisms

Many malware examples use some kind of defense mechanism to help reduce the likelihood of detection and removal. The following list provides examples of some of these techniques that have been used:

Armor. This type of defense mechanism employs some technique that tries to foil analysis of the malicious code. Such techniques include detecting when a debugger is running and trying to prevent it from working correctly, or adding lots of meaningless code to make it difficult to determine the purpose of the malicious code.

Stealth. Malware uses this technique to hide itself by intercepting requests for information and returning false data. For example, a virus may store an image of the uninfected boot sector and display it whenever an attempt is made to view the infected boot sector. The oldest known computer virus, called “Brain,” used this technique in 1986.

Encrypting. Malware that uses this defense mechanism encrypts itself or the payload (and sometimes even other system data) to prevent detection or data retrieval. Encrypted malware contains a static decryption routine, an encryption key, and the encrypted malicious code (which includes an encryption routine). When executed, the malware uses the decryption routine and key to decrypt the malicious code. The malware then creates a copy of its code and generates a new encryption key. It uses that key and its encryption routine to encrypt the new copy of itself, adding the new key with the decryption routine to the start of the new copy. Unlike polymorphic viruses, encrypting malware always uses the same decryption routine, so although the key value (and thus the encrypted malicious code's signature) usually changes from infection to infection, antivirus software can search for the static decryption routine to detect malware that uses this defense mechanism.

Oligomorphic. Malware that exhibits this characteristic uses encryption as a defense mechanism to defend itself and is able to change the encryption routine only a fixed number of times (usually a small number). For example, a virus that can generate two different decryption routines would be classified as oligomorphic.

Polymorphic. Malware of this type uses encryption as a defense mechanism to change itself to avoid detection, typically by encrypting the malware itself with an encryption routine, and then providing a different decryption key for each mutation. Thus, polymorphic malware uses an unlimited number of encryption routines to prevent detection. As the malware replicates, a portion of the decryption code is modified. Depending on the specific malware code, the payload or other actions performed may or may not use encryption. Typically, there is a mutation engine, which is a self-contained component of the encrypting malware that generates randomized encryption routines. This engine and the malware are then both encrypted, and the new decryption key is passed along with them.
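The three encryption-based defense mechanisms above differ in what a signature scanner can still hold on to, and the "Evolution" section earlier in this chapter notes that most antivirus software relies on exactly such signatures. The following added example (not code from the guide) makes that concrete with constructed byte strings standing in for files: the "decryption stubs" and "body" are invented text markers, not machine code, and nothing here runs. It also goes one step beyond the text in its last check by trying every single-byte XOR key on a sample to recover the body signature when the stub keeps changing; that technique is an assumption added here, not one the guide describes.

```python
"""Signature scanning against encrypting, oligomorphic and polymorphic variants.

Added example, not code from the guide. The "files" are constructed byte
strings: the decryption stubs and the body are invented text markers, not
machine code. The last check goes beyond the text by trying every
single-byte XOR key (an assumed scanner technique the guide does not describe).
"""
import random

BODY = b"PAYLOAD:delete-user-files"                      # constructed stand-in for the malicious code
STATIC_STUB = b"\x90DECRYPT-STUB-A\x90"                  # the one decryption routine encrypting malware keeps
OLIGO_STUBS = [STATIC_STUB, b"\x90DECRYPT-STUB-B\x90"]   # the small fixed set an oligomorphic variant picks from

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def make_sample(stub, key):
    """Layout the guide describes: decryption routine, then the key, then the encrypted body."""
    return stub + bytes([key]) + xor_bytes(BODY, key)

def make_polymorphic_sample(key, rng):
    """Polymorphic: the decryption routine itself differs on every replication (simulated as random bytes)."""
    return make_sample(bytes(rng.randrange(256) for _ in range(16)), key)

def scan_signatures(sample, signatures):
    """Classic signature scan: does any known byte pattern occur in the file?"""
    return any(sig in sample for sig in signatures)

def scan_xray(sample, body_signature=BODY):
    """Assumed technique: XOR the whole sample with each possible key; the body decrypts under the right one."""
    return any(body_signature in xor_bytes(sample, k) for k in range(256))

def detection_rates(n=50, seed=2004):
    """Fraction of n variants each scanner catches, per defense mechanism."""
    rng = random.Random(seed)
    keys = [rng.randrange(1, 256) for _ in range(n)]  # key 0 would leave the body in clear
    encrypting = [make_sample(STATIC_STUB, k) for k in keys]
    oligomorphic = [make_sample(rng.choice(OLIGO_STUBS), k) for k in keys]
    polymorphic = [make_polymorphic_sample(k, rng) for k in keys]

    def rate(samples, scanner):
        return sum(1 for s in samples if scanner(s)) / len(samples)

    return {
        "body signature vs encrypting": rate(encrypting, lambda s: scan_signatures(s, [BODY])),
        "stub signature vs encrypting": rate(encrypting, lambda s: scan_signatures(s, [STATIC_STUB])),
        "one stub signature vs oligomorphic": rate(oligomorphic, lambda s: scan_signatures(s, [STATIC_STUB])),
        "both stub signatures vs oligomorphic": rate(oligomorphic, lambda s: scan_signatures(s, OLIGO_STUBS)),
        "stub signatures vs polymorphic": rate(polymorphic, lambda s: scan_signatures(s, OLIGO_STUBS)),
        "key brute force vs polymorphic": rate(polymorphic, scan_xray),
    }

if __name__ == "__main__":
    for name, r in detection_rates().items():
        print(f"{name:40s} {r:.2f}")
```

The body signature misses every encrypting variant because the key changes each time, while the stub signature catches all of them, which is the point the "Encrypting" entry makes. An oligomorphic family needs one signature per decryption routine it can produce, and a signature set of stubs catches nothing once the routine changes on every replication; a scanner then has to work on the encrypted body itself, as the brute-force check does, or otherwise emulate the decryption.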

What Is Not Malware?

A variety of threats exist that are not considered malware because they are not computer programs written with malicious intent. However, these threats can still have both security and financial implications for an organization. For these reasons, you may wish to understand the threats they represent to your organization's IT infrastructure and the productivity of your IT users.

Joke Software

Joke applications are designed to produce a smile or, at worst, a waste of someone's time. These applications have existed for as long as people have been using computers. Because they were not developed with malicious intent and are clearly identified as jokes, they are not considered malware for the purposes of this guide. There are numerous examples of joke applications, producing everything from interesting screen effects to amusing animations or games.

Hoaxes

Generally, it is easier to trick someone into doing something for you than it is to write software that does it without their knowledge. Therefore, a large number of hoaxes are seen in the IT community.

Like some forms of malware, a hoax uses social engineering to trick computer users into performing some act. However, in the case of a hoax there is no code to execute; the hoaxer is simply trying to trick the victim. Hoaxes have taken many forms over the years. A particularly common example is an e-mail message that claims a new virus type has been discovered and urges the recipient to warn friends by forwarding the message. These hoaxes waste people's time, take up e-mail server resources, and consume network bandwidth.

Scams

Virtually every form of communication has been used, at one time or another, by criminals in an attempt to trick people into acts that will provide the criminal some financial gain. The Internet, Web sites, and e-mail are no exception. An e-mail message that attempts to trick the recipient into revealing personal information that can be used for unlawful purposes (such as bank account information) is a common example. One particular type of scam has become known as phishing (pronounced "fishing"; it is also referred to as brand spoofing or carding).

Examples of phishing include cases in which senders mimic well-known companies such as eBay to try to gain access to user account information. Phishing scams often use a Web site that copies the look of a company's official Web site. E-mail is used to direct the user to the fake site and trick them into entering their account information, which is saved and used for unlawful purposes. Such cases should be handled seriously and reported to local law enforcement authorities.

Spam

Spam is unsolicited e-mail generated to advertise some service or product. This phenomenon is generally considered a nuisance, but spam is not malware. However, the dramatic growth in the number of spam messages being sent is a problem for the infrastructure of the Internet that results in lost productivity for employees who are forced to wade through and delete such messages every day.

The source for the term spam is disputed, but regardless of its origin there is no doubt that spam has become one of the most persistent irritations in Internet-based communications. Many consider spam to be so significant an issue that it now threatens the health of e-mail communications around the world. However, it should be noted that except for the load endured by e-mail servers and anti-spam software, spam is not actually capable of replicating or threatening the health and operation of an organization's IT systems.

Malware has often been used by spam originators (so-called spammers) to install a small SMTP relay service on a compromised host computer, which is then used to send spam messages to other e-mail recipients without the owner's knowledge.

Spyware

This type of software is sometimes referred to as spybot or tracking software. Spyware is deceptive software that conducts certain activities on a computer without obtaining appropriate consent from the user. These activities can include collecting personal information and changing Internet browser configuration settings. Beyond being an annoyance, spyware causes a variety of problems that range from degrading the overall performance of your computer to violating your personal privacy.

Web sites that distribute spyware use a variety of tricks to get users to download and install it on their computers. These tricks include creating deceptive user experiences and covertly bundling spyware with other software users might want, such as free file sharing software.

Adware

Adware is often combined with a host application that is provided at no charge as long as the user agrees to accept the adware. Because adware applications are usually installed after the user has agreed to a licensing agreement that states the purpose of the application, no offense is committed. However, pop-up advertisements can become an annoyance, and in some cases degrade system performance. Also, the information that some of these applications collect may cause privacy concerns for users who were not fully aware of the terms in the license agreement.

Note: While the terms spyware and adware are often used interchangeably, it is only unauthorized adware that is on a par with spyware. Adware that provides users appropriate notice, choice, and control is not deceptive and should not be classified as spyware. You should also note a spyware application that claims to perform a particular function, while it is in fact doing something else, is acting like a Trojan horse.

Internet Cookies

Internet cookies are small text files that Web sites place on a user's computer through the Web browser. A cookie holds an identifier and whatever other information the site wants to retain about the user's visit, and the browser sends it back to that site on later requests, which is how the site recognizes the user again.

Cookies are legitimate tools that many Web sites use to track visitor information. For example, a user might shop for an item in an online store, but once he or she has placed the item in their online shopping cart, they may want to move to another Web site for some reason. The store can choose to save the information about what products were in the shopping cart in a cookie on the user's computer so that when the user returns to the site, the item is still in the shopping cart and ready for the user to buy if he or she wishes to complete the sale.

A browser is only supposed to return a cookie to the Web site that created it. This rule is meant to protect user privacy by preventing any other site from reading the cookies left on the user's computer.

Unfortunately, some Web site operators have been known to use cookies to gather information without the user's knowledge, either deceiving users or omitting their policies. For example, an advertising network whose images or scripts are embedded on many different Web sites receives its own cookie back from every one of those sites, and can use it to track the user's browsing habits across all of them without informing the user. The advertisements the user sees are then customized from this profile, which many consider an invasion of privacy. It is difficult to identify this form of targeted advertising and other forms of "cookie abuse," which makes it difficult to decide if, when, and how to block them from your system. In addition, the acceptable level of shared information varies among computer users, making it difficult to create an "anti-cookie" program that will meet the needs of all of the computer users in your environment.
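The same-site rule and the cross-site tracking described above can be simulated in a few dozen lines. The following Python is an added example written for this page, not code from the original guide: a minimal cookie jar that returns a cookie only to the host that set it, a first-party shop that stores the shopping-cart cookie from the chapter's example, and a hypothetical advertising network (ads.tracker.test) whose tracking pixel is embedded on two unrelated sites. All host names, pages, and cookie values are constructed for the example, and the Path, Secure, expiry, and public-suffix handling of a real browser is left out.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Browser cookie store reduced to one rule: a cookie goes back only to
    the host that set it. Path, Secure, expiry and public-suffix logic omitted."""

    def __init__(self):
        self._by_host = {}

    def set_cookie(self, host: str, name: str, value: str) -> None:
        self._by_host.setdefault(host, {})[name] = value

    def cookies_for(self, host: str) -> dict:
        return dict(self._by_host.get(host, {}))


class Browser:
    def __init__(self):
        self.jar = CookieJar()

    def request(self, url: str, server, referer: str = "") -> dict:
        """Send the cookies stored for the URL's host; store any the server sets."""
        host = urlsplit(url).hostname
        for name, value in server(self.jar.cookies_for(host), referer).items():
            self.jar.set_cookie(host, name, value)
        return self.jar.cookies_for(host)


class AdNetwork:
    """Hypothetical third party whose tracking pixel many sites embed."""

    def __init__(self, host: str):
        self.host = host
        self._next_id = 1
        self.visits = []                    # (tracking id, referring page)

    def serve(self, cookies: dict, referer: str) -> dict:
        """Handle one pixel request; returns cookies to set on the browser."""
        uid = cookies.get("uid")
        new_cookies = {}
        if uid is None:                     # first sight of this browser: tag it
            uid = f"u{self._next_id:04d}"
            self._next_id += 1
            new_cookies["uid"] = uid
        self.visits.append((uid, referer))  # the Referer names the embedding page
        return new_cookies

    def profile(self) -> dict:
        """Pages seen per tracking id: the cross-site browsing history."""
        out = {}
        for uid, referer in self.visits:
            out.setdefault(uid, []).append(referer)
        return out


def shop_server(cookies: dict, referer: str) -> dict:
    """First-party store: remembers the shopping cart in its own cookie."""
    return {} if "cart" in cookies else {"cart": "sku-1234"}


def news_server(cookies: dict, referer: str) -> dict:
    """First-party site that sets no cookies of its own."""
    return {}


def browse(pages: list, ad: AdNetwork) -> Browser:
    """Visit each page; every page also loads the ad network's pixel."""
    browser = Browser()
    for url, server in pages:
        browser.request(url, server)
        browser.request(f"https://{ad.host}/pixel.gif", ad.serve, referer=url)
    return browser


PAGES = [                                   # constructed browsing session
    ("https://shop.example/checkout", shop_server),
    ("https://news.example/sports", news_server),
    ("https://shop.example/", shop_server),
]

if __name__ == "__main__":
    ad = AdNetwork("ads.tracker.test")
    browser = browse(PAGES, ad)
    print("shop.example sees:", browser.jar.cookies_for("shop.example"))
    print("news.example sees:", browser.jar.cookies_for("news.example"))
    print("ad network profile:", ad.profile())
```

Running it shows both halves of the chapter's point: the cart cookie set by shop.example is never sent to news.example, yet the ad network's single "uid" cookie comes back from every page that embeds its pixel, and the Referer on each pixel request tells it which page the user was on, so one identifier ties visits to both sites together.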

Antivirus Software

Antivirus software is specifically written to defend a system against the threats that malware presents. Microsoft strongly recommends using antivirus software because modern products help defend your computer systems against many forms of malware, not just viruses.

There are a number of techniques that antivirus software uses to detect malware. This section discusses how some of these techniques work, including:

Signature scanning. The majority of antivirus software programs currently use this technique, which involves searching the target (host computer, disk drive, or files) for a byte pattern that identifies known malware. These patterns are stored in files referred to as signature files, which the software vendors update on a regular basis to ensure the antivirus scanners recognize as many known malware attacks as possible. The main problem with this technique is that the antivirus software must already have a signature for a piece of malware before the scanner can recognize it.

Heuristic scanning. This technique attempts to detect both new and known forms of malware by looking for general malware characteristics rather than exact patterns. The primary advantage of this technique is that it does not rely on signature files to identify and counteract malware. However, heuristic scanning does have a number of specific problems, including:

False positives. This technique uses general characteristics, and is therefore prone to reporting legitimate software as malware if the characteristic is similar in both cases.

Slower scanning. The process of looking for characteristics is more difficult for the software to achieve than looking for a known malware pattern. For this reason, heuristic scanning can take longer than signature scanning.

New characteristics may be missed. If a new malware attack presents a characteristic that has not been previously identified, the heuristic scanner is likely to miss it until it is updated.

Behavior blocking. This technique focuses on the behavior of a malware attack rather than the code itself. For example, if an application attempts to open a network port, a behavior blocking antivirus program could detect this as typical malware activity, and then flag the behavior as a possible malware attack.

Many antivirus vendors are now using a mixture of these techniques in their antivirus solutions in an attempt to improve the overall protection level of their customers' computer systems.
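The mutation techniques described under Oligomorphic and Polymorphic above and the detection techniques listed in this section can be shown side by side. The following Python is an added example written for this page, not part of the original guide or of any antivirus product: it builds oligomorphic and polymorphic mutations of a harmless constructed "payload" using a toy decryptor encoding (an assumption of the example, not real machine code), then runs signature scanning and heuristic scanning over them. Recovering the body by stepping through the decryptor stub (emulation) is a scanner countermeasure that the chapter does not describe and is included here as an addition; the "packed benign file" is a constructed stand-in made from seeded pseudo-random bytes, used to show the false-positive problem.

```python
import math
import random

# Constructed, harmless stand-in for a malicious payload (plain text; the address
# is from the documentation range TEST-NET-3 and is never contacted).
PAYLOAD = b"EVIL: connect back to 203.0.113.5:4444 and fetch stage2"

# Toy decryptor encoding (an assumption of this example, not a real instruction set):
#   <zero or more NOP bytes> <opcode> <one-byte key> <encrypted body>
NOP, OP_XOR = 0x90, 0xAA
OP_SUB = 0xBB      # a second decryptor shape that the scanner below does not know

# Constructed stand-in for a packed but legitimate program: seeded pseudo-random bytes.
_rng = random.Random(7)
BENIGN_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample(payload: bytes, key: int, nops: int, op: int = OP_XOR) -> bytes:
    """One mutation: padding, decryptor stub, then the encrypted body."""
    if op == OP_XOR:
        body = xor(payload, key)
    else:                                   # OP_SUB: encrypt by adding, decrypt by subtracting
        body = bytes((b + key) & 0xFF for b in payload)
    return bytes([NOP] * nops) + bytes([op, key]) + body


def mutate_oligomorphic(payload: bytes, rng: random.Random) -> bytes:
    """Only two decryptor shapes exist (0 or 1 NOP); the key still changes."""
    return build_sample(payload, rng.randrange(1, 256), rng.choice([0, 1]))


def mutate_polymorphic(payload: bytes, rng: random.Random) -> bytes:
    """Random key and random padding length: the stub differs on each replication."""
    return build_sample(payload, rng.randrange(1, 256), rng.randrange(0, 32))


def replicate(mutator, seed: int, count: int) -> list:
    """Successive mutations, as produced while the sample spreads."""
    rng = random.Random(seed)
    return [mutator(PAYLOAD, rng) for _ in range(count)]


def signature_scan(data: bytes, signatures: dict) -> list:
    """Signature scanning: names of every fixed byte pattern present in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def emulate_decryptor(sample: bytes):
    """Step through the stub the way an emulator would and return the decrypted
    body, or None when the stub is not a shape this scanner understands."""
    i = 0
    while i < len(sample) and sample[i] == NOP:
        i += 1
    if i + 1 >= len(sample) or sample[i] != OP_XOR:
        return None
    return xor(sample[i + 2:], sample[i + 1])


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; encrypted or compressed data approaches 8."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heuristic_scan(sample: bytes) -> list:
    """Heuristic scanning: general characteristics instead of exact patterns."""
    findings = []
    if emulate_decryptor(sample) is not None:
        findings.append("self-decrypting stub")
    if entropy_bits(sample) > 7.0:
        findings.append("high-entropy content")
    return findings


def scan(sample: bytes, signatures: dict) -> dict:
    """All views of one sample, as a scanner mixing the techniques would report."""
    decrypted = emulate_decryptor(sample)
    return {
        "signature": signature_scan(sample, signatures),
        "signature_after_emulation":
            signature_scan(decrypted, signatures) if decrypted is not None else [],
        "heuristic": heuristic_scan(sample),
    }


SIGNATURES = {"evil-payload": b"EVIL:"}

if __name__ == "__main__":
    cases = [
        ("oligomorphic", replicate(mutate_oligomorphic, 2004, 1)[0]),
        ("polymorphic", replicate(mutate_polymorphic, 2004, 1)[0]),
        ("unknown decryptor", build_sample(PAYLOAD, 0x21, 3, OP_SUB)),
        ("packed benign file", BENIGN_PACKED),
    ]
    for name, sample in cases:
        print(f"{name:18s} {scan(sample, SIGNATURES)}")
```

The output lines up with the problems listed above: a signature taken from the plaintext payload never matches any mutation because every copy is encrypted under a different key, and only matches once the stub has been emulated; the heuristic flags the XOR stub on every oligomorphic or polymorphic copy, but misses the OP_SUB sample because that characteristic was never added to it, and raises a false positive on the high-entropy benign file because packed legitimate software shares that characteristic with encrypted malware.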

Antivirus software is available from a variety of Microsoft partners. For a complete and up-to-date list, see the Microsoft Antivirus Partners page at: http://www.windowsmarketplace.com/category.aspx?bcatid=326&tabid=2.

A Typical "In the Wild" Malware Timeline

A pattern has emerged in the lifetime of new malware attacks once they are released onto public networks, that is, once the malware goes "into the wild." A review of this pattern can help you understand the risk new malware attacks pose after they are released.

A new timeline begins when malware is first developed and ends when all traces of it are removed from monitored networks. The timeline stages are defined as follows:

1. Conceive. Malware development often starts when a new method of attack or exploit is suggested and then shared among hacker communities. Over time these methods are discussed or explored until an approach is discovered that can be developed into an attack.

2. Develop. Malware creation used to require an understanding of both assembly language and the intricate workings of the system being attacked. However, the advent of toolkits and Internet chat rooms has made it possible for almost anyone with malicious intent to create malware.

3. Replicate. After new malware has been developed and released into the wild, it typically has to replicate to potential host devices for some time before it can perform its primary function or deliver its payload.

Note: Although there are tens of thousands of known malware programs, only a tiny fraction currently exist in the wild. The vast majority of malware programs are never released to the public, and are often referred to as Zoo viruses.

4. Deliver payload. After malware has successfully infected a host it may deliver a payload. If the code has a conditional trigger for its payload, this stage is the point at which the trigger conditions are met. For example, some malware payloads are triggered when a user performs a certain action or when the clock on the host machine reaches a particular date. If the malware has a direct-action trigger, it simply starts to deliver the payload as soon as the infection is complete. For example, a data-logging payload will simply start recording the required data.

5. Identify. At this point in the timeline the malware is identified by the antivirus community. In the vast majority of cases this step occurs before stage 4, or even before stage 3, but not always.

6. Detect. After the threat has been identified, antivirus software developers analyze the code to determine a reliable detection method. Once they have determined the method, they update the antivirus signature files so that existing antivirus applications can detect the new malware. The length of time this process takes is crucial in controlling an outbreak.

7. Remove. After the update is available to the public, it is the responsibility of antivirus application users to apply the update in a timely manner to protect their computers against the attack (or to clean systems that are already infected).

Note: Failure to update local signature files in a timely manner can lead to the high-risk scenario of users believing they are protected by their antivirus product when in fact they are not.

As more users update their antivirus software, the malware slowly becomes less of a threat. This process rarely removes all instances of the malware from the wild, because some computers connected to the Internet have little or no antivirus protection and the malware can continue to reside on them. However, the threat from the attack as a whole is lessened.

Although this timeline repeats for each newly developed malware attack, it is not typical of all attacks. Many attacks are simply modified versions of an earlier piece of malware code: the basic code and approach are the same, but small changes are made to help the attack avoid detection and therefore removal. Typically, a successful malware attack spawns a number of revisions over the following weeks and months. This situation leads to a type of "arms race" in which malware writers attempt to avoid detection for their own gain, whether that gain is financial, notoriety, or simply curiosity, and the antivirus defenses are again updated, patched, or changed as needed to mitigate the renewed threat.

Summary

Malware is a complex and constantly evolving area of computer technology. Of all the problems that are encountered in IT, few are as prevalent and costly as malware attacks and the associated costs of dealing with them. Understanding how they work, how they evolve over time, and the attack vectors that they exploit can help you deal with the issue proactively. And this in turn can provide you with a more efficient and effective reactive process when they do affect you or your organization.

Because malware is created, distributed, and used to exploit computer systems in so many ways, it can be difficult to see how any system can be made secure enough to withstand such attacks. However, once the risks and vulnerabilities are understood it is possible to manage your systems in a manner that makes a successful attack highly unlikely.

The next step is to analyze the risks at various points in your IT infrastructure to design a suitable defense, which is the subject of the following chapter. Designing an effective recovery plan is the subject of the final chapter in this guide.

