CACroll Small LANs
Hacking Redefined
This article is an attempt to describe malware, its delivery mechanisms, its payloads, and its detection and prevention, in a canonical and objective format. Modern malware is taking on new forms so quickly that it's hard to comprehend how aggressively it's developed and deployed.

And even though it's malware, it's sometimes hard NOT to admire how professionally it's developed and deployed (as an IT professional only, NOT as a computer owner). Computer owners who become victims of hacking will NOT admire the tools, or the attackers.

One of the problems is how you describe what's happening. Which came first, the chicken or the egg? How do you define hacking, other than as what a hacker does?

For the purpose of this article, I make the following definitions.

Malware includes:

The people performing Hacking Attacks have formerly been referred to, variously, as:

In the past, this cross-referencing was not necessarily done. Classically, Malware was of a distinct nature, and one type of malware was not used by another type, or group, of Attackers. Today, we have combined Attacks, where:

The term Trojan refers classically to the ancient Greek story of the Trojan Horse. A Trojan is software which travels, as a separate component, in a package of Host software that is requested by, and intentionally installed by, the Victim.

A Trojan can be anything from something as innocent as an extra toolbar, installed as part of the Victim's browser and used to "enhance the browsing experience", to software that makes the Victim's computer act in a three role Spam delivery capacity. A Trojan typically requires action (wilful or otherwise) by the Victim to install.

A virus is software that travels as an integral part of Host software, that is intentionally installed by the Victim. A virus installs itself into an innocuous Host file, which is passed from Victim 1 to Victim 2. Both Victims intentionally pass the file, without either being aware of the total nature of its contents.

A worm is software that travels from Host to Host over a trusted medium, such as the computer network (with no firewalls in place), or email (with no malware / virus scanning software in place). A worm typically requires no action, or at least no intentional action, by the Victim for propagation.

The classical Hacker was a disenfranchised teenager, hiding in his bedroom, attacking an individual computer owned by a single Victim, for amusement.

See, for instance, War Games, one of the earliest movies about Hackers.

Today, Hackers use programs that they may release as Trojans, as Viruses, or as Worms. The Hack, once installed on the Victim's computer, may make that computer part of a Botnet. A Botnet, an entire army of computers controlled by a Hacker, can be sold to individuals or corporations for delivery of Spam, for hosting of Adware or Spyware, or for the creation of even more Botnets. As of June 2005, the reported value of ONE bot was $.55 USD, so a 10,000 member Botnet (a not at all abnormal number) could net the Hacker $5,000 or so.

So let's classify the malware.

We can classify it by delivery mechanism.

We can classify it by payload.

Malware Detection

So, if there's malware out there, how do we know what's out there? More importantly, how do we describe what's out there? And how do we remove what's on our computers, and then hopefully, keep it from coming back?

You have to know what's there before you can fight it. Knowing what's there is a matter of detecting it. Basic malware detection is based upon two alternative processes.

Behaviour analysis, also known as heuristic analysis, takes a suspect file (or a computer system), opens it (operates it), and sees what it does. Sophisticated heuristics are used by some antivirus / antitrojan products, which contain a sandbox, a replica of the operating system within the AV / AT product code. A suspect file is copied into the sandbox, opened from within, and observed. If its opening makes suspicious references to the system services provided by the (replica) operating system, it is suspected to be malware, and examined further.

Signature analysis takes the actual contents of the various bytes in a suspicious file, and mathematically calculates a hash of the contents. The hash becomes the signature, which is compared against a database listing known malware. If suspected malware has a hash matching known malware, it is determined to be malware.

Malware analysis can be done heuristically against the entire system. Note the difference between adware and spyware. The first will typically generate incoming network traffic; the second, outgoing.

By statefully watching incoming and outgoing traffic, and comparing it against what should be expected, malicious activity can be detected. Software designed to look for malicious incoming traffic will be better at detecting adware; software designed to look for malicious outgoing traffic will be better at detecting spyware.
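As an added example (not code from the original post), the following Python script applies the adware / spyware distinction of the two paragraphs above to a constructed per-process flow log: it keeps running in/out byte counts per process, compares each process's dominant direction with what is expected of it, and flags unexpected inbound volume as adware-like and unexpected outbound volume as spyware-like. The log lines, process names, addresses and the expected-direction table are all constructed for the example.

```python
from collections import defaultdict

# Constructed per-process flow records, one per line:
#   <time> <process> <in|out> <bytes> <remote-address>
# In a real deployment these would come from a host firewall or a flow sensor.
FLOW_LOG = """\
2005-06-01T10:00:01 browser.exe out 1200 203.0.113.5
2005-06-01T10:00:02 browser.exe in 480000 203.0.113.5
2005-06-01T10:00:05 calc.exe in 250000 198.51.100.7
2005-06-01T10:00:06 notepad.exe out 90000 198.51.100.9
2005-06-01T10:00:07 notepad.exe out 95000 198.51.100.9
2005-06-01T10:00:08 notepad.exe in 400 198.51.100.9
2005-06-01T10:00:09 backup.exe out 5000000 192.0.2.10
2005-06-01T10:00:10 clock.exe out 300 192.0.2.11
"""

# "What should be expected": the direction each process normally dominates.
# Processes missing from this (constructed) table are expected to be quiet.
EXPECTED_DIRECTION = {
    "browser.exe": "in",   # browsers mostly download pages
    "backup.exe": "out",   # backup agents mostly upload
}


def parse_flows(text):
    """Turn the log text into (process, direction, nbytes, remote) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, proc, direction, nbytes, remote = line.split()
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in line: {line!r}")
        flows.append((proc, direction, int(nbytes), remote))
    return flows


def summarise(flows):
    """Keep per-process state across the whole log: bytes in, bytes out, peers."""
    state = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for proc, direction, nbytes, remote in flows:
        state[proc][direction] += nbytes
        state[proc]["peers"].add(remote)
    return dict(state)


def detect(summary, expected=EXPECTED_DIRECTION, min_bytes=50_000):
    """Flag processes whose dominant traffic direction contradicts expectation.

    Unexpected inbound volume is the adware pattern (content being pulled in);
    unexpected outbound volume is the spyware pattern (data going out).
    Tiny totals are ignored so a clock sync or update check does not alert.
    """
    findings = {}
    for proc, s in summary.items():
        total = s["in"] + s["out"]
        if total < min_bytes:
            continue
        dominant = "in" if s["in"] >= s["out"] else "out"
        if expected.get(proc, "none") == dominant:
            continue
        if dominant == "in":
            findings[proc] = "adware-like: unexpected inbound %d bytes from %d peer(s)" % (
                s["in"], len(s["peers"]))
        else:
            findings[proc] = "spyware-like: unexpected outbound %d bytes to %d peer(s)" % (
                s["out"], len(s["peers"]))
    return findings


def run(log_text=FLOW_LOG):
    """Parse, summarise and detect in one call; returns {process: finding}."""
    return detect(summarise(parse_flows(log_text)))


if __name__ == "__main__":
    for proc, finding in sorted(run().items()):
        print(proc, "->", finding)
```

With the constructed log, calc.exe is reported as adware-like (a quarter of a megabyte pulled in by a process that should be silent) and notepad.exe as spyware-like (185 KB sent out), while the browser and the backup agent match their expected direction and the clock process falls below the volume floor.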

Signature analysis is a much simpler process, but demands more work. To do a signature analysis of the system (a trojan or virus scan) requires taking each file, one at a time, on the entire system, generating a signature from the file, and comparing each against each entry in a very long list (database) of known malware. Multiply the number of files in your typical system by the number of possible (known) malware, and you see what a massive effort that is. And each time a new set of signatures is produced (and with some antivirus products, that's multiple times a day), a rescan could be appropriate.
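As an added example (not code from the original post), here is a small Python signature scanner that does what the two paragraphs above describe: it hashes every file under a directory, looks each hash up in a database of known-malware signatures, and keeps an index keyed by size and modification time so that a rescan after a signature update only re-reads files that changed on disk. The sample "malware" bytes, the signature name and the temporary directory layout are constructed for the example; a real product would load vendor-supplied signatures instead.

```python
import hashlib
import os
import tempfile

# Constructed sample "malware" body, so the example runs offline. Its hash is
# the only entry in the toy signature database; real products ship millions.
SAMPLE_MALWARE = b"constructed-malware-sample-for-the-example\n" * 64
KNOWN_BAD = {
    hashlib.sha256(SAMPLE_MALWARE).hexdigest(): "Example.Trojan.Constructed",
}


def file_signature(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root, cache=None):
    """Walk every file under root and record (size, mtime_ns, sha256).

    The expensive part of a scan is reading every byte of every file, not the
    database lookup. Reusing a previous index means a rescan after a signature
    update only re-hashes files whose size or mtime changed.
    """
    index = dict(cache or {})
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            seen.add(path)
            cached = index.get(path)
            if cached and cached[0] == st.st_size and cached[1] == st.st_mtime_ns:
                continue
            index[path] = (st.st_size, st.st_mtime_ns, file_signature(path))
    # Drop entries for files that no longer exist.
    return {p: v for p, v in index.items() if p in seen}


def match_index(index, known_bad):
    """Compare every indexed signature against the database (a set lookup per file)."""
    return {path: known_bad[sig] for path, (_size, _mtime, sig) in index.items()
            if sig in known_bad}


def demo():
    """Build a throwaway tree with one benign and one 'infected' file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "notes.txt"), "wb") as fh:
            fh.write(b"quarterly budget notes\n")
        with open(os.path.join(root, "setup_helper.exe"), "wb") as fh:
            fh.write(SAMPLE_MALWARE)
        index = index_tree(root)
        hits = match_index(index, KNOWN_BAD)
        # A second pass with the cache re-hashes nothing because no file changed,
        # which is what makes frequent rescans against new signatures affordable.
        index_again = index_tree(root, cache=index)
        return {
            "scanned": len(index),
            "hits": sorted(os.path.basename(p) + ":" + n for p, n in hits.items()),
            "cache_stable": index == index_again,
        }


if __name__ == "__main__":
    print(demo())
```

Note that the "files times signatures" multiplication the paragraph describes is really a hashing cost: with the database held as a hash map, the comparison step is constant time per file, and the scan time is dominated by reading every file once. Packed or encrypted malware defeats this straightforward hash matching, which is the subject of the next paragraphs.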

Some malware is encrypted, to fool the signature scanners. Malicious code is taken and subjected to rearrangement (packing), and some packing uses random operations that produce unpredictable results. Simple signature checking (and the bad guys, in some cases, know what procedures are followed to produce the signatures) won't detect packed code, which follows no known pattern. So suspect files have to be examined for unpacking code embedded in the code, and in some cases the unpacking has to be allowed to execute so the signature checking can take place. This makes signature checking even more complex, and more time consuming.

On the other hand, it's somewhat possible that having unpacking code in a file indicates that it's malware. Most legitimate code (excepting openly compressed files) does not use unpackers, as most legitimate code is already in an executable state. So when an AV / AT scan finds a file with an embedded unpacker, there's a strong possibility that the file contains malware. Of course, the malware still has to be analysed, to determine just what malware it is. But the scanner doesn't have to continue the heuristic analysis, just switch to the signature check.
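As an added example (not code from the original post), the following Python script walks through the triage flow of the two paragraphs above on constructed data. It uses a toy "packer" (a fixed stub marker followed by a deflate stream, standing in for real unpacking code) and shows three things: a plain hash of the packed file does not match the signature of its payload; a Shannon-entropy measurement separates the compressed bytes from the readable original, which is how scanners suspect packing when no known stub is present; and once the stub is recognised and allowed to unpack, the signature check on the unpacked bytes identifies the sample. The stub marker, the payload, the signature name and the entropy threshold are all constructed for the example.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed toy "packer": a fixed stub marker followed by a deflate stream.
# Real packers prepend executable unpacking code instead of a marker, but the
# scanner flow is the same: recognise the stub, let it unpack, then hash.
STUB = b"TOYPACK1"


def shannon_entropy(data):
    """Bits of information per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pack(payload):
    return STUB + zlib.compress(payload, 9)


def unpack(data):
    return zlib.decompress(data[len(STUB):])


def make_payload(seed=2005, n_words=8000):
    """Constructed low-entropy 'malicious' body: English-like word salad."""
    words = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf",
             "hotel", "india", "juliet", "kilo", "lima", "mike", "november",
             "oscar", "papa"]
    rng = random.Random(seed)
    return " ".join(rng.choice(words) for _ in range(n_words)).encode()


SAMPLE_PAYLOAD = make_payload()
# The toy signature database knows the unpacked payload, not its packed form.
KNOWN_BAD = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "Example.Worm.Constructed"}


def triage(data, known_bad=KNOWN_BAD, entropy_threshold=7.0):
    """Decide what a scanner should do with one file's bytes."""
    raw_sig = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    result = {"entropy": round(entropy, 2), "raw_match": known_bad.get(raw_sig)}
    if data.startswith(STUB):
        # Unpacker stub found: hashing the packed bytes is pointless, unpack first.
        try:
            inner = unpack(data)
        except zlib.error:
            result["verdict"] = "packed, unpack failed: send for analysis"
            return result
        name = known_bad.get(hashlib.sha256(inner).hexdigest())
        result["verdict"] = ("known malware after unpacking: " + name) if name \
            else "packed, unknown payload: send for analysis"
    elif result["raw_match"]:
        result["verdict"] = "known malware: " + result["raw_match"]
    elif entropy > entropy_threshold:
        # No recognised stub, but the bytes look compressed or encrypted.
        result["verdict"] = "high entropy, possibly packed or encrypted: examine further"
    else:
        result["verdict"] = "no signature match"
    return result


if __name__ == "__main__":
    print("plain :", triage(SAMPLE_PAYLOAD))
    print("packed:", triage(pack(SAMPLE_PAYLOAD)))
    print("benign:", triage(b"hello world " * 100))
```

The entropy threshold is a heuristic, not a proof: legitimately compressed installers and media files also score high, which is exactly the "openly compressed files" exception the paragraph makes, so a high score should route a file to closer examination rather than straight to a verdict.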
