Developments and Defenses of Malicious Code

Xin Luo (University of New Mexico, USA) and Merrill Warkentin (Mississippi State University, USA)
DOI: 10.4018/978-1-60566-014-1.ch049
The continuous evolution of information security threats, coupled with the increasing sophistication of malicious code and the greater flexibility in working practices demanded by organizations and individual users, has imposed further burdens on the development of effective anti-malware defenses. Despite the fact that the IT community is endeavoring to prevent and thwart security threats, the Internet is perceived as the medium that transmits not only legitimate information but also malicious code. In this cat-and-mouse predicament, it is widely acknowledged that, as new security countermeasures arise, malware authors are always able to learn how to manipulate the loopholes or vulnerabilities of these technologies, and can thereby weaponize new streams of malicious attacks. From e-mail attachments embedded with Trojan horses to recent advanced malware attacks such as Gozi programs, which compromise and transmit users’ highly sensitive information in a clandestine way, malware continues to evolve to be increasingly surreptitious and deadly. This trend of malware development seems foreseeable, yet it makes it increasingly arduous for organizations and individuals to detect and remove malicious code and to defend against profit-driven perpetrators in the cyber world. This article introduces new malware threats such as ransomware, spyware, and rootkits, discusses the trends of malware development, and provides analysis for malware defenses.

Keywords: Ransomware, Spyware, Anti-Virus, Malware, Malicious Code

Background

Various forms of malware have been a part of the computing environment since before the implementation of the public Internet. However, the Internet’s ubiquity has ushered in an explosion in the severity and complexity of various forms of malicious applications delivered via increasingly ingenious methods.

The original malware attacks were perpetrated via e-mail attachments, but new vulnerabilities have been identified and exploited by a variety of perpetrators who range from merely curious hackers to sophisticated organized criminals and identity thieves. In an earlier manuscript (Luo & Warkentin, 2005), the authors established the basic taxonomy of malware that included various types of computer viruses (boot sector viruses, macro viruses, etc.), worms, and Trojan horses. Since that time, numerous new forms of malicious code have been found “in the wild.”
Chapter Preview

Malware Threat Statistics: A Revisit

The Web is perceived to be the biggest carrier transmitting threats to security and productivity in organizations, because Web sites can harbor not only undesirable content but also malicious code. The dilemma for organizations is that the Web is an indispensable strategic tool for all constituents to communicate and collaborate, though it is also an open route for cybercriminals seeking possible victims. Unlike the past, in which most malicious code writers were motivated by curiosity or bragging rights, today’s IT world is experiencing the transition from traditional forms of viruses and worms to new and more complicated ones perpetrated by active criminals intent on financial gain. This trend is due to the capitalization of the malware industry, in which most malicious code writers tend to exploit system vulnerabilities to capture such high-value information as passwords, credentials for banking sites, and other personal information for identity theft and financial fraud. The trend in virus attacks is that new blended attacks that combine worms, spyware, and rootkits are the major infective force in the cyber world and will likely become more frequent in the years ahead. In general, such malware is spreading via increasingly sophisticated methods and is capable of doing damage more effectively. The invention of such blended malware is driven by its writers’ pursuit of financial fraud.

According to Vass (2007), from a hacker’s perspective, the motivation for employing malware attacks has moved from “let me find a vulnerability” to “let me find an application vulnerability and automate it and put it into a bot, load up pages and reinfect the client, which I can then use to populate my bot network.” Furthermore, malware writers have paid increased attention to applications and have aimed at the application layer to seek and exploit system vulnerabilities. As such, IT anti-virus teams have encountered extremely difficult predicaments regarding how to proactively prevent a malware disaster and eventually eliminate any malware infection or breach. Table 1 lists the systems and applications most often targeted for attack, and Figure 1 shows the top 10 malware attacks as of December 2006.

Key Terms in this Chapter

Virus Definition File (subscription service): This is a file that provides information to antivirus software to find and repair viruses. The definition files tell the scanner what to look for to spot viruses in infected files. Most scanners use separate files in this manner instead of encoding the virus patterns into the software, to enable easy updating.

Spyware: This is a client-side software component that monitors client activity and sends the collected data to a remote machine.

Morphing Virus/Polymorphic Virus: These are viruses that are undetectable by simple virus detectors because they change their own code each time they infect a new computer; some change their code every few hours. A polymorphic virus is one that produces varied but operational copies of itself. A simple-minded, scan-string-based virus scanner would not be able to reliably identify all variants of this sort of virus. One of the most sophisticated forms of polymorphism used so far is the “Mutation Engine” (MtE), which comes in the form of an object module. With the Mutation Engine, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number-generator modules. The advent of polymorphic viruses has rendered virus scanning an ever more difficult and expensive endeavor; adding more and more scan strings to simple scanners will not adequately deal with these viruses.

Ransomware: This is a piece of pernicious software that exploits vulnerabilities in a user’s computer to sneak into the victim’s machine and encrypt all files until the victim agrees to pay a ransom.

Virus Signature: This is a unique string of bits, or the binary pattern, of a virus. The virus signature is like a fingerprint in that it can be used to detect and identify specific viruses. Anti-virus software uses the virus signature to scan for the presence of malicious code.
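The two definitions above (polymorphic virus and virus signature) describe why a fixed scan string fails once a body is re-encoded per copy, and why scanners moved to decode-then-scan ("X-raying") for simple encoders. The following added example is not from the chapter; it uses a constructed, harmless marker string in place of a virus body and a single-byte XOR encoding as a stand-in for a polymorphic copy, so that the limits of scan-string matching and the effect of X-ray scanning can be seen on sample data.

```python
from typing import Optional

# Constructed stand-in for a static virus body (a harmless marker, not malware).
STATIC_BODY = b"CONSTRUCTED-SAMPLE-BODY-v1"

# Virus signature: a fixed byte pattern ("scan string") taken from the static body.
SIGNATURE = b"SAMPLE-BODY"


def scan_string_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic scan-string detection: flag the file only if the signature bytes
    appear verbatim. This is what a 'simple-minded' scanner does."""
    return signature in data


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encoded_variant(body: bytes, key: int) -> bytes:
    """Test fixture standing in for a polymorphic copy: the same body stored
    XOR-encoded under a per-copy key, so its byte pattern differs per copy while
    its decoded content (and hence behaviour) does not. The 4-byte header is a
    constructed placeholder for the decoder stub that would carry the key."""
    return b"HDR" + bytes([key]) + xor_bytes(body, key)


def xray_scan(data: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Decode-then-scan: try every single-byte XOR key over the data and look
    for the signature in the decoded stream. Returns the key under which the
    signature appears (0 means it was present in plain form), or None if clean."""
    for key in range(256):
        if signature in xor_bytes(data, key):
            return key
    return None


def classify(data: bytes) -> str:
    """Label a sample the way a scanner report would, for a quick comparison."""
    if scan_string_match(data):
        return "infected (scan string)"
    key = xray_scan(data)
    if key is not None:
        return f"infected (x-ray, xor key 0x{key:02x})"
    return "clean"


if __name__ == "__main__":
    for name, sample in [("plain", b"pre" + STATIC_BODY + b"post"),
                         ("variant", make_encoded_variant(STATIC_BODY, 0x5A)),
                         ("clean", b"this is a constructed clean file")]:
        print(f"{name:8s} {classify(sample)}")
```

Real polymorphic engines such as MtE also vary the decoder stub itself, which is why later scanners added emulation rather than relying on key brute-forcing alone.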

Rootkits: A rootkit is a set of software tools or programs that can be used by an intruder after gaining access to a computer system. Rootkits are designed to allow an intruder to maintain access to the system without the user’s knowledge.
