Malware: Can Virus Writers be Psychologically Profiled?

Gráinne Kirwan (Dun Laoghaire Institute of Art, Design and Technology, Ireland) and Andrew Power (Dun Laoghaire Institute of Art, Design and Technology, Ireland)
Copyright: © 2012 | Pages: 20
DOI: 10.4018/978-1-61350-350-8.ch005

Chapter Preview
An early virus-type program was known as ‘cookie monster’. This relatively benign virus would prevent the user from using the computer by requesting a cookie. If the user typed in the word ‘cookie’, the message would disappear, only to reappear a while later requesting another treat. The ‘cookie monster’ virus was an irritation, but more modern viruses can have considerably more serious consequences.

In September 2010, the Stuxnet worm inflicted damage on computers and networks, mostly in Iran. While it was first detected in June 2010, it was in September 2010 that it was revealed that the worm had infected computers at Iran’s first nuclear power station (BBC News, 2010a). The Stuxnet worm specifically targets systems used to manage utilities such as water, oil rigs and power plants. It is a highly tailored worm, and is thought to be the first worm designed to target such facilities. Instead of using the Internet to distribute itself, it infects Windows via portable memory devices such as USB keys. Because of this, it can reach systems that are deliberately kept disconnected from the Internet for security reasons. Once a system is infected, the worm can reprogram the software that gives instructions to industrial machinery, such as motors and coolers, telling them to turn on or off at given signals. As this worm looks for very specific configurations, and does not actively affect the system unless it finds them, this case has obvious implications for the potential of cyberterrorism (see Chapter 11), although at the time of writing there is insufficient evidence to determine who wrote the worm or what its intended target was (BBC News, 2010b). However, Ralph Langner (an industrial computer expert) is quoted by BBC News (2010b) as saying that “With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge” (no pagination).

Definitions and Categories of Malware

Edgar-Nevill and Stephens (2008) define malware as “any piece of software devised with malicious intent” (p. 91). The term is taken from the phrase ‘malicious software’ and is used to describe any software program that spreads from one computer to another and that interferes with computer operation. Kramer and Bradfield (2010) note that malware is intuitively considered to be “software that harmfully attacks other software, where to harmfully attack can be observed to mean to cause the actual behaviour to differ from the intended behaviour” (p. 105). However, they argue that this definition is insufficient, as the intended behaviour is infrequently defined, and so a more accurate definition of malware also needs to consider the concept of “software system correctness” (p. 105), which they proceed to define in technical terms. They go on to define other related concepts, including ‘benware’ (benign software) and ‘anti-malware’ (‘antibodies’ against malware).

Important terms relating to malware include ‘payload’ and ‘in the wild’. ‘In the wild’ refers to how widespread the malware is. Malware such as viruses are not always released, and may be developed as a ‘proof of concept’ which remains limited to a small network of computers or devices. When a piece of malware escapes or is intentionally released so that it spreads to unsuspecting users on other systems, it is considered to be ‘in the wild’. ‘Payload’ is what the malware will actually do – its raison d’être – and according to Furnell (2010) it is the least predictable aspect of the program. In the ‘cookie monster’ example above, the payload is the application’s demand for a ‘cookie’, which prevents the user from continuing their work. The payload of the Stuxnet worm appears to be the program’s ability to gain control over the industrial plant. Furnell (2010, p. 189) identifies three main categories of payload: ‘damage and disruption’ (such as corrupting or deleting files), ‘stealing information’ (such as using a keylogger to capture information, or copying files from the computer), and ‘hijacking systems’ (enabling remote control of the system, perhaps to create a botnet – a distributed network of computers controlled by an unauthorized user). It is likely that different motives underlie each of these types of payload. A piece of malware may use several types of software in order to deliver the payload; a brief description of some of these is provided below.
