Chapter 2: Definitions and Timeline
Page 1 (title slide): Chapter 2, Definitions and Timeline
Page 2: Categorizing Malware
- No agreed upon definitions
  o Even for "virus" and "worm"
- Consider categories based on...
  o Self-replicating
  o Population growth
  o Parasitic
- Then we name the different types
  o As defined by Aycock
Page 3: Self-replicating Malware
- Self-replicating malware actively attempts to propagate by creating new copies
- May also propagate passively
  o But this isn't self-replication
- Called these "worms" (in CS 265)
Page 4: Population Growth
- Population growth describes the change in the number of instances due to self-replication
- Malware that doesn't self-replicate will have a zero population growth
  o But malware with a zero population growth may self-replicate
Page 5: Parasitic
- Parasitic malware requires some other executable code
- "Executable" taken very broadly
  o Boot block code on a disk
  o Binary code in applications
  o Application scripting languages
  o Source code that may require compilation before executing, etc.
Page 6: Types of Malware
- Logic Bomb
- Trojan
- Back Door
- Virus
- Worm
- Rabbit
- Spyware/Adware
- Other
Page 7: Logic Bomb
- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Consists of 2 parts
  o Payload: action to be performed
  o Trigger: event to execute payload
- Donald Gene Burleson case (CS 265)
Page 8: Trojan Horse
- Self-replicating: no
- Population growth: 0
- Parasitic: yes
- Name comes from the ancient world
  o Pretends to be innocent, but it's not
- Example: fake login prompt that steals passwords
Page 9: Back Door
- Self-replicating: no
- Population growth: 0
- Parasitic: possibly
- Bypasses normal security checks
  o So enables unauthorized access
- Example: Remote Administration Tool, or RAT
Page 10: Virus
- Self-replicating: yes
- Population growth: positive
- Parasitic: yes
- When executed, tries to replicate itself into other executable code
  o So, it relies in some way on other code
- Does not propagate via a network
- Nice virus history given by Aycock
Page 11: Worm
- Self-replicating: yes
- Population growth: positive
- Parasitic: no
- Like a virus, except...
  o Spreads over a network
  o Worm is standalone, does not rely on other code
- Good history in Aycock's book
Page 12: Rabbit
- Self-replicating: yes
- Population growth: 0
- Parasitic: no
- Two kinds of rabbits
  o One uses up system resources
  o One uses up network resources (special case of a worm)
Page 13: Spyware
- Self-replicating: no
- Population growth: 0
- Parasitic: no
- Collects info and sends it to someone
  o Username/password, bank info, credit card info, software license info, etc.
- First mention is about 1995
- May arrive via "drive-by download"
Page 14: Adware
- Self-replicating: no
- Population growth: 0
- Parasitic: no
- Similar to spyware but focused on marketing
Page 15: Hybrids, Droppers, etc.
- Hybrid is a combination of different types of malware
  o Worm that is a rabbit, trojan that acts like a virus, etc., etc.
- Dropper is malware that deposits other malware
  o For example, a worm might leave behind a back door...
Page 16: Zombies
- Compromised machines that can be used by an attacker
  o Spam
  o Denial of service (DoS)
  o Distributed denial of service (DDoS)
- Today, usually part of a botnet
Page 17: Naming
- No agreed on naming convention
- Virus writer might suggest a name
  o "Your PC is now stoned!"
- Different vendors might use different names
- Different variants might get different names, etc.
Page 18: Naming
- Factors related to naming
  o Malware type
  o Family name
  o Variant
  o Modifiers (e.g., "mm" for "mass mailer")
- But many different names applied to the same virus (or family)
  o See book for examples
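As an added illustration of the four naming factors on this slide (example code, not from the slides or from Aycock's book): a small parser that splits vendor-style names of the assumed shape [Type/]Family[.Variant][@Modifier] into type, family, variant and modifier, and then groups alerts that different vendors name differently by family. The list of type tokens and the sample names are constructed assumptions, not a real vendor convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tokens treated as the "malware type" slot (assumed list, not a standard).
TYPE_TOKENS = {"w32", "win32", "w97m", "vbs", "js", "worm", "i-worm",
               "email-worm", "trojan", "backdoor"}
# "mm" = mass mailer is from the slide; "m" = mailer is an assumption.
MODIFIERS = {"mm": "mass mailer", "m": "mailer"}


@dataclass(frozen=True)
class MalwareName:
    type: Optional[str]      # e.g. "w32"
    family: str              # e.g. "demofam"
    variant: Optional[str]   # e.g. "h"
    modifier: Optional[str]  # e.g. "mm"


def parse_name(name: str) -> MalwareName:
    """Split a name of the assumed shape [Type/]Family[.Variant][@Modifier].

    Vendors differ in separators ("/", ":" or "."), so all three are accepted
    and the first token counts as the type only if it is a known type token.
    """
    base, _, mod = name.strip().partition("@")
    tokens = [t for t in re.split(r"[/:.]", base) if t]
    if not tokens:
        raise ValueError(f"empty name: {name!r}")
    mtype = None
    if len(tokens) > 1 and tokens[0].lower() in TYPE_TOKENS:
        mtype = tokens.pop(0).lower()
    family = tokens.pop(0).lower()
    variant = ".".join(tokens).lower() or None   # remaining tokens form the variant
    modifier = mod.lower() or None
    return MalwareName(mtype, family, variant, modifier)


def group_by_family(names: list[str]) -> dict[str, list[str]]:
    """Map each family to the raw vendor names that refer to it."""
    groups: dict[str, list[str]] = {}
    for n in names:
        groups.setdefault(parse_name(n).family, []).append(n)
    return groups


# Constructed sample alerts in three different vendor naming styles.
SAMPLE_NAMES = ["W32/Demofam.h@mm", "W32.Demofam.H@mm",
                "I-Worm.Demofam.h", "Trojan/Fakelogin.a"]

if __name__ == "__main__":
    for fam, raw in group_by_family(SAMPLE_NAMES).items():
        print(f"{fam}: {raw}")
```

Grouping by family (and, if needed, by variant) is how a defender correlates the same detection across products that each use their own name for it.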
Page 19: Authorship
- Author and distributor may differ
- Is malware author a "hacker" or "cracker"?
  o It depends on your definitions...
- So, Aycock does not use terms like hacker or cracker
  o Instead, uses boring terms like malware author, malware writer, virus writer, etc.
Page 20: Malware Writers
- Botnet hacker caught in Slovenia (2010)
- Japanese Virus Writer Arrested for the Second Time (2010)
  o "I wanted to see how much my computer programming skills had improved since the last time I was arrested."
- Teen Arrested in Blaster Case (2003)
- No 'sorry' from Love Bug author (2005)
Page 21: Timeline