malware definitions: book excerpt

[groovicus]

I just found this online. It is a smaple chapter from a book I have been reading, and gives good basic definitions of malware, and touches on the future of malware..

http://infosecuritymag.techtarget.co...art406,00.html

[Tiger Shark]

Nice post Groove.

It kind of echos what I have been telling people for a while. The major worms etc. that have gone around in the last couple of years have lacked the "destructive" capability of some of the virii of previous years. It is only a matter of time before we get one that is a combination app that does it's infection and at a preset point destroy's it's host..... Now, can you say "wake up call" for all those admins that "don't have time" to apply the patches that are usually available weeks before the actual worm "goes wild".....

[groovicus]

I've been doing some other snooping around, and from what I have seen so far, the Bugbear.B worm seems to show some "improved payload" characteristics. Basically, a combination worm, virus, and backdoor, all in one. Not that any of the techniques were particularly new, it's just that it put a bunch of them together.

The method of spread, E-mail and file sharing. No scanning engine, just plucked e-mail addresses. Firewall disabling, AV disabling...well, it's easier to read here: http://securityresponse.symantec.com...ear.b@mm.html.
Read it carefully, because this thing is a sign of things to come....

It's "downfall", so to speak, is that it spread so fast, that it essentially choked itself. Had there been a limit of how many times it could propogate in a given period, and added a timebomb feature, it could have done greater damage. It could have also been made to stealth itself (root kit properties)

I was also reading somewhere earlier today about an exploit being released for linux systems, and an actual attack with that exploit within 4 or 8 hours..I'll have to see if I can remember where I read that.

Hardly gives time for patching.

[Tiger Shark]

Groove: Oh, I'm not talking about the zero day or even ten day worms etc. I'm talking about the 4-6 week exploits that have, historically, done so well, (Blaster etc.). Had Blaster, for example, destroyed the machine after 50 successful infections, (thus destroying itself too), it would have been horribly destructive...... And the cost in time for all those admins that "don't have time" to patch their systems would prove that it _usually_ takes less time to patch than it does to rebuild...... Especially if they don't do effective backups.... Which, I have $5 says a lot of them don't.....

That's the "wake up call" I'm referring to..... When that worm comes out M$ will have to double their bandwidth when they release a patch.... because the DoS on their update systems will be incredible.

[groovicus]

It will be a good time to be in the Incident Response field...and I wouldn't want to be an admin

[Tiger Shark]

Yep..... Dead on..... And patching, for the most part, involves the publicly accessible machines. Furthermore, most of the recent exploits have been against services that shouldn't even be available publicly, so the admins need to pay a bit more attention to firewall management too.... Or maybe just the purchase of a firewall might help.....