Studying and Classification of the Most Significant Malicious Software

As the cost of information processing and Internet accessibility falls, most organizations are becoming increasingly vulnerable to potential cyber threats, whose rate has been increasing dramatically every year in recent times. In this paper, we s…

Authors: Dr. Wajeb Gharibi – Computer Science & Information Systems College, Jazan University, Saudi Arabia (gharibi@jazanu.edu.sa)

Abstract — As the cost of information processing and Internet accessibility falls, most organizations are becoming increasingly vulnerable to potential cyber threats, whose rate has been increasing dramatically every year in recent times. In this paper, we study, discuss and classify the most significant malicious software: viruses, Trojans, worms, adware and pornware, which have made a step forward in the science of virology.

Keywords: Informatics; Information Security; Virology; Cyber threats.

I. INTRODUCTION

Nowadays, there is a huge variety of cyber threats that can be quite dangerous not only for big companies but also for the ordinary user, who can be a potential victim of cybercriminals when using an unsafe system to enter confidential data such as logins, passwords, credit card numbers, etc. Among popular computer threats it is possible to distinguish several types depending on the means and ways by which they are realized. They are: malicious software (malware), DDoS attacks (Distributed Denial-of-Service), phishing, banking threats, exploiting of vulnerabilities, botnets, threats to mobile phones, IP-communication threats, social networking threats and even spam. All of these threats try to violate one of the following criteria: confidentiality, integrity and accessibility.

Lately, malicious software has turned into a big business. Cybercriminals have become profitable organizations, able to perform any type of attack. An understanding of today's cyber threats is a vital part of safe computing and of the ability to counteract the cyber invaders.

The rest of our paper is organized as follows: Section 2 presents the theory of computer viruses.
Section 3 presents the history, from the first viruses to the latest epidemics. Section 4 defines and classifies malware. Conclusions are drawn in Section 5.

II. THEORY OF COMPUTER VIRUSES

The history begins in 1983, when the American scientist Fred Cohen, in his dissertation devoted to research on self-reproducing computer programs, proposed the term "computer virus" for the first time and later published the article «Computer Viruses: Theory and Experiments» [1]. Len Eidelman first coined the term 'virus' in connection with self-replicating computer programs. On November 10th, 1983, at a seminar on computer safety at Lehigh University, this grandfather of modern computer virology demonstrated a virus-like program on a VAX 11/750 system [2].

Nevertheless, the idea of computer viruses actually appeared much earlier. Many consider the starting point to be the work of John von Neumann in his studies on self-reproducing mathematical automata, famous in the 1940s. By 1951, von Neumann had already proposed methods for demonstrating how to create such automata. In 1959, the British mathematician Lionel Penrose presented his view on automated self-replication in his Scientific American article 'Self-Reproducing Machines'. Unlike von Neumann, Penrose described a simple two-dimensional model of this structure which could be activated, multiply, mutate and attack. Shortly after Penrose's article appeared, Frederick G. Stahl reproduced this model in machine code on an IBM 650 [3].

It should be noted that these studies were never intended to provide a basis for the future development of computer viruses. On the contrary, these scientists were striving to perfect this world and make it more suitable for human life. Afterwards, these works established the foundation for many later studies such as robotics and artificial intelligence.

III. HISTORY: FROM THE FIRST VIRUSES TILL THE LAST EPIDEMICS

Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system.

As computers gained in popularity, more and more individuals started writing their own programs. Advances in telecommunications provided convenient channels for sharing programs through open-access servers such as BBS, the Bulletin Board System. The Elk Cloner virus infected the boot sector of Apple II computers and spread by infecting the operating system stored on floppy disks.

Brain was the first global IBM-compatible virus epidemic; it infected the boot sector and was able to spread practically worldwide within a few months. It was written by a 19-year-old Pakistani programmer, Basit Farooq Alvi, and his brother Amjad, and included a text string containing their names, address and telephone number. Interestingly enough, Brain was the first 'stealth virus': when one attempted to read the detected infected sector, the virus would display the original, uninfected data.

Another such hoax was released by Robert Morris about a virus spreading over networks and changing port and drive configurations. According to the warning, the alleged virus infected 300,000 computers in the Dakotas in under 12 minutes.

November 1988: a network epidemic caused by the Morris Worm. The virus infected over 600 computer systems in the US (including the NASA research center) and almost brought some to a complete standstill. In order to multiply, the Morris Worm exploited a vulnerability in UNIX operating systems on VAX and Sun Microsystems platforms.
As well as exploiting the UNIX vulnerability, the virus used several innovative methods to gain system access, such as harvesting passwords. The overall losses caused by the 'Morris Worm' virus were estimated at US$96 million, a significant sum at that time.

CodeRed, Nimda, Aliz and BadtransII were the malicious programs that exploited vulnerabilities in applications and operating systems and caused serious epidemics in 2001. The large-scale epidemics caused by these worms changed the face of computer security and set trends for malware evolution for several years to come. Moreover, 2001 was also the year that instant messaging services, such as ICQ and MS Instant Messenger, were first used as channels for spreading malicious code [4].

Email worms, such as Klez and Lentin, had already been popular prior to 2002. However, a new breed of email worms superseded the older versions: these new email worms spread by connecting directly to built-in SMTP servers on infected machines. Worms multiplying in other environments, such as LANs, P2P, IRC and so forth, disappeared almost entirely in this year. Though Klez caused the most serious outbreak during 2002, several other worms provided some stiff competition: Lentin and Tanatos (aka Bugbear).

In 2003 two global Internet attacks took place that could be called the biggest in the history of the Internet. The Internet worm Slammer laid the foundation for the attacks, and used a vulnerability in MS SQL Server to spread. Slammer was the first classic fileless worm, which fully illustrated the capabilities of a flash worm, capabilities which had been foreseen several years before. The worm attacked computers through ports 1433 and 1434 and, on penetrating machines, did not copy itself to any disk but simply remained in computer memory. If we analyze the dynamics of the epidemic, we can assert that the worm originated in the Far East.
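A fileless worm such as Slammer leaves host antivirus little to scan, but the flash-worm spreading described above is loud on the network: one host suddenly reaches hundreds of distinct destinations on the SQL Server ports within seconds. The following detector, added here as an example and not part of the paper, applies that check to constructed flow records; the record format, the window length and the threshold are assumptions.

```python
"""Fan-out detector for flash-worm scanning (added example, not from the paper).

A host that opens connections to hundreds of distinct destinations on the
SQL Server ports (1433/1434) within seconds is behaving like Slammer did.
Record format, window length and threshold are assumptions."""
from collections import defaultdict, deque

WATCHED_PORTS = {1433, 1434}   # the MS SQL Server ports the paper names for Slammer
WINDOW_S = 10.0                # assumed sliding-window length in seconds
THRESHOLD = 50                 # assumed distinct-destination count that trips an alert


def build_sample_flows():
    """Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    flows = []
    # Benign host: a handful of SQL sessions to the same two servers over a minute.
    for i in range(6):
        flows.append((i * 10.0, "10.0.0.7", f"10.0.2.{1 + i % 2}", 1433))
    # Busy web client: many destinations, but on port 80, which is not watched.
    for i in range(80):
        flows.append((20.0 + i * 0.1, "10.0.0.9", f"203.0.113.{i}", 80))
    # Scanning host: 120 distinct destinations on 1434 inside two seconds.
    for i in range(120):
        flows.append((30.0 + i * 0.015, "10.0.0.5", f"10.0.{5 + i // 100}.{1 + i % 100}", 1434))
    return flows


def fan_out_alerts(flows, watched_ports=WATCHED_PORTS, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per (src, port) whose count of distinct destinations
    inside any sliding window reaches the threshold.
    Alert tuple: (src_ip, dst_port, distinct_count, window_start_s, trip_time_s)."""
    recent = defaultdict(deque)   # (src, port) -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(flows):
        if port not in watched_ports:
            continue
        key = (src, port)
        window = recent[key]
        window.append((ts, dst))
        while ts - window[0][0] > window_s:   # drop flows that aged out of the window
            window.popleft()
        if key in alerted:
            continue
        distinct = {d for _, d in window}
        if len(distinct) >= threshold:
            alerted.add(key)
            alerts.append((src, port, len(distinct), window[0][0], ts))
    return alerts


if __name__ == "__main__":
    for src, port, n, start, trip in fan_out_alerts(build_sample_flows()):
        print(f"ALERT {src} -> {n} distinct hosts on port {port} between t={start:.2f}s and t={trip:.2f}s")
```

The benign SQL client and the busy web client produce no alert; only the host fanning out on port 1434 trips the threshold.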
The second, more important epidemic was caused by the Lovesan worm, which appeared in August 2003. The worm demonstrated just how vulnerable Windows is. Just as Slammer did, Lovesan exploited a vulnerability in Windows in order to replicate itself. The difference was that Lovesan used a loophole in the RPC DCOM service running under Windows 2000/XP. This led to almost every Internet user being attacked by the worm.

In February 2004 Bizex (also known as Exploit) appeared, the first ICQ worm. The unauthorized distribution of the ICQ message «http://www.jokeworld.biz/index.html:)) LOL» was used to spread it widely. After installing itself in the system, Bizex closed the running ICQ client, connected to the ICQ server with the infected user's data and started delivery to all contacts in the list. At the same time, confidential data was stolen: banking data and various user logins and passwords.

In the same year, 2004, the so-called war of malware writers occurred. Several criminal gangs known for the worms Bagle, Mydoom and Netsky released new versions of their programs literally every hour. Each new program carried a regular message to the opposing faction, full of threats; Netsky even removed any found copies of the Mydoom and Bagle worms.

The mail worm Bagle was first detected on 18 January 2004. To spread, it used its own SMTP client; the worm code was sent as an attachment with a random name and the extension .exe. Delivery was made to addresses found on the infected machine. Bagle also contained a built-in backdoor procedure that opened port 6777 to run commands and download any files.

Mydoom is primarily known for a massive 12-day DDoS attack on the website of the SCO company, which began on the first of February 2004. In response, the leaders of SCO announced a reward of $250 thousand dollars for information on the author of the worm.
To spread, Mydoom used mail delivery through its own SMTP client, as well as the P2P network (Kazaa) [5].

Sasser (May 2004) struck more than 8 million computers; the losses from this worm are estimated at $979 million. For penetration, Sasser used a vulnerability in the LSASS service of Microsoft Windows.

Cabir (June 2004) was the first network worm which propagates via Bluetooth and infects mobile phones running the Symbian OS. Viruses for Pocket PC appeared soon after (August 2004): the classic virus Duts and the Trojan horse Brador.

However, malicious software is not only viruses and Trojans. This class also includes adware, programs that perform unauthorized displaying of on-screen advertisements, and pornware, programs that self-initiate a connection to paid pornographic websites. Since 2004 there has been widespread use of viral technology to install adware/pornware on target computers.

The next epidemic, of the network worm Kido/Conficker/Downadup (November 2008), struck more than 10 million computers, using a vulnerability in the "Server" service (MS08-067). The new variant of Kido loaded during the night of 8 to 9 April 2009 (Net-Worm.Win32.Kido.js). One more very dangerous threat of 2008/09 became the bootkit Backdoor.Win32.Sinowal. Bootkit 2009 is distributed through cracked sites, porno resources and sites from which it is possible to download pirated software [6].

IV. MALWARE DEFINITION AND CLASSIFICATION

Computer virus definition is a complicated problem, because it is quite difficult to give an efficient virus definition by showing properties attributable to viruses only and not concerning other program systems. Let us give the following definitions:

Definition 4.1. The capability of making duplicates (the copies need not match the original) and embedding them into the computer network and/or files, system computer areas and other executable objects is the most required computer virus property.
Meanwhile the duplicates can be distributed. The other problem associated with the computer virus definition is misapprehension of a virus, so that any malware could be called a virus. This leads to confusion in terminology, which is complicated by the ability of modern antivirus programs to detect specified types of malware. That is why the association "malware - virus" is getting more settled. Hence, malicious programs could mean viruses.

Definition 4.2. Malware is a computer program or portable code which aims to damage the information stored in a computer network, to make hidden use of computer network resources, or to have another impact which interrupts the normal operation of the computer network.

Computer viruses, Trojans and worms are the fundamental malware types. Every malware type includes subclasses of malicious programs which are named according to the functions described above.

Viruses can be classified according to distribution methods because their distinctive feature is the ability to proliferate within the computer. The distribution process can be divided into several stages:

- Penetration into the computer
- Virus activation
- Search for objects to infect
- Preparation of virus duplicates
- Distribution of virus duplicates

For virus activation it is necessary that the infected object gets control. So viruses are divided according to the types of objects that can be infected:

Boot viruses – viruses which infect the boot sectors of hard and removable disks. For example, the malicious program Virus.Boot.Snow.a writes its code into the HDD MBR or into floppy disk boot sectors.

File viruses – viruses that infect files. This group is divided into three subgroups, depending on the environment where the code is executing.

Actual file viruses – viruses that work directly with OS resources. For example, the virus Virus.Win9x.CIH, also known as "Chernobyl".
It has a small size (about 1 KB); this virus infects PE files (Portable Executable) under Windows 95/98 in such a way that the size of the infected files is not changed.

Macro viruses – viruses that are created using a macro command language and are executable in the environment of some application. In most cases this means Microsoft Office macros. For example, Macro.Word97.

Script viruses – viruses which are executable in a certain command shell environment: initially .bat files in the DOS command shell, nowadays VBS and JS scripts in Windows Scripting Host (WSH). For example, Virus.VBS.Sling was written using the VBScript (Visual Basic Script) language. Once launched, it searches for files with the .VBS and .VBE extensions and infects them. On June 16 or July 16 this virus deletes all files with the .VBS and .VBE extensions, including itself.

Definition 4.3. A worm (net-worm) is a type of malicious program which can distribute itself by network channels. Worms can run independently through the security systems of automated and computer networks. They can create and distribute their duplicates, which need not coincide with the original, and realize different harmful operations.

The worm life cycle can be divided into the following stages:

- Penetration into the computer
- Activation
- Search for "victims"
- Preparation of duplicates
- Distribution of duplicates

Stages 1 and 5 are symmetric and are defined by the protocols and applications used. There is no difference between stage 4 and the corresponding stage in the virus distribution process. This conception is applicable to worms, which can be divided by the type of protocol used [7]:

Network worms – worms that use Internet and local network protocols. Usually, worms of this type can be distributed by mistakes in the processing of basic TCP/IP packets by some applications.

Email worms – worms that are distributed by email messages.

IRC worms – worms that are spread by IRC (Internet Relay Chat) channels.

P2P worms – worms that are spread by P2P (peer-to-peer) networks.

IM worms – worms that are distributed using instant messaging applications (IM, Instant Messenger – ICQ, MSN Messenger, AIM etc.)

Definition 4.4. A Trojan (Trojan horse) is a type of malicious program whose goal is a harmful effect on the computer network. Trojans have no mechanism for creating their own duplicates. Some Trojans can bypass the computer network security system to penetrate and infect the system. In the general case a Trojan gets into the system with a virus or worm, by an active intruder's acts or by a heedless user's operations. Trojans have no distribution function and their life cycle is short, only three stages:

- Penetration into the computer
- Activation
- Performing malicious functions

Let us consider the Trojan classification by Kaspersky Lab, grouped according to the three types of information threat that they may violate (Figure 1):

Type 1. Confidentiality

Backdoor – remote administration utilities that open infected machines to external control via a LAN or the Internet.

PSW Trojan – steals passwords from the system.

Trojan-Spy – includes a variety of spy programs and keyloggers, all of which track and save user activity on the victim machine and then forward this information to the master.

Trojan-GameThief – steals user information pertaining to online games.

Trojan-Banker – steals user information pertaining to banking systems, electronic money and plastic cards.

Trojan-Mailfinder – provides unauthorized collection of user email addresses with subsequent transfer to the attacker [3].
Fig. 1. Trojan classification (diagram grouping the Trojan types under Confidentiality, Integrity and Availability)

Type 2. Integrity

Trojan-Clicker – redirects victim machines to specified websites or other Internet resources.

Trojan-Downloader – downloads and installs new malware or adware on the victim machine.

Trojan-Dropper – used to install other malware on victim machines without the knowledge of the user.

Trojan-Proxy – functions as a proxy server and provides anonymous access to the Internet from victim machines.

Trojan-Notifier – informs the 'master' about an infected machine.

Trojan-IM – steals the user's account (login and password) for Internet pagers (e.g., ICQ, MSN Messenger, AOL Instant Messenger, Yahoo Pager, Skype, etc.)

Trojan-SMS – used for unauthorized sending of SMS messages from compromised mobile devices to expensive paid numbers that are stored in the malware body.

Rootkits – a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer.

Type 3. Availability

Trojan-DDoS – performs an unauthorized DoS (Denial of Service) attack from infected computers against a victim computer with a specified address.

Trojan-Ransom – used for unauthorized data modification on the victim's computer to make it impossible to work with it, or to block the normal functioning of the computer.

ArcBomb – archived files coded to sabotage the decompressor when it attempts to open the infected archived file.

Other malware includes a range of programs that do not threaten computers directly, but are used to create viruses or Trojans, or used to carry out illegal activities such as DoS attacks and breaking into other computers [8].
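The definitions of Section IV and the grouping of Fig. 1 can be applied as a triage procedure: replication decides virus versus worm, the delivery channel or infected object gives the subtype, and the harmful functions map to a Trojan type and the property it violates. The script below is an added example, not the paper's own; its behaviour-record format and the sample records are constructed, loosely modelled on the Mydoom, Bagle and CIH descriptions earlier in the paper.

```python
"""Behaviour-based triage using the paper's definitions (added example, not
from the paper). Def. 4.1: a virus makes duplicates and embeds them in
objects; Def. 4.3: a worm spreads duplicates by network channels; Def. 4.4:
a Trojan does not replicate. Fig. 1 groups Trojan types by C/I/A property.
The record format and sample records below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Behaviour:
    name: str
    self_replicates: bool = False                # Def. 4.1: creates duplicates of itself
    channels: set = field(default_factory=set)   # network channels used to deliver them
    infects: set = field(default_factory=set)    # object types the duplicates embed into
    actions: set = field(default_factory=set)    # harmful functions observed


# Worm subtypes by delivery protocol (Section IV, [7]).
WORM_BY_CHANNEL = {"tcp/ip": "Network worm", "email": "Email worm",
                   "irc": "IRC worm", "p2p": "P2P worm", "im": "IM worm"}
# Virus subtypes by the object type that receives the duplicate.
VIRUS_BY_OBJECT = {"boot_sector": "Boot virus", "pe_file": "File virus",
                   "office_macro": "Macro virus", "script": "Script virus"}
# Fig. 1: observed harmful function -> (Trojan type, property violated).
TROJAN_BY_ACTION = {
    "remote_control": ("Backdoor", "Confidentiality"),
    "steal_passwords": ("Trojan-PSW", "Confidentiality"),
    "keylog": ("Trojan-Spy", "Confidentiality"),
    "steal_banking": ("Trojan-Banker", "Confidentiality"),
    "download_install": ("Trojan-Downloader", "Integrity"),
    "drop_payload": ("Trojan-Dropper", "Integrity"),
    "hide_from_av": ("Rootkit", "Integrity"),
    "flood_target": ("Trojan-DDoS", "Availability"),
    "lock_data": ("Trojan-Ransom", "Availability"),
}


def classify(b):
    """Return (family, subtypes, payload, violated). Family follows the
    replication rule; payload lists Fig. 1 Trojan types for the harmful
    functions even when the carrier is a worm or virus, since Def. 4.4 notes
    a Trojan often arrives with one; violated is the C/I/A set threatened."""
    net = {c for c in b.channels if c in WORM_BY_CHANNEL}
    if b.self_replicates and net:
        family, subtypes = "Worm", sorted(WORM_BY_CHANNEL[c] for c in net)
    elif b.self_replicates:
        family = "Virus"
        subtypes = sorted(VIRUS_BY_OBJECT.get(o, "File virus") for o in b.infects)
    else:
        family, subtypes = "Trojan", []
    known = [TROJAN_BY_ACTION[a] for a in b.actions if a in TROJAN_BY_ACTION]
    payload = sorted(t for t, _ in known)
    violated = sorted({p for _, p in known})
    if family == "Trojan" and not payload:
        family = "Unclassified"   # neither replicates nor shows a known harmful function
    return family, subtypes, payload, violated


# Constructed records modelled on samples the paper describes.
SAMPLES = [
    Behaviour("mydoom-like", True, {"email", "p2p"}, set(), {"flood_target"}),
    Behaviour("bagle-like", True, {"email"}, set(), {"remote_control"}),
    Behaviour("cih-like", True, set(), {"pe_file"}, set()),
    Behaviour("banker-like", False, set(), set(), {"steal_banking", "keylog"}),
    Behaviour("benign-updater", False, set(), set(), {"check_updates"}),
]


def triage_report(samples=SAMPLES):
    """Map each sample name to its (family, subtypes, payload, violated) tuple."""
    return {s.name: classify(s) for s in samples}
```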
V. CONCLUSIONS

The given information cannot cover the whole variety of global information threats; however, it shows the most actual trends in the area of cybercrime. The continuous improvement of "white" and "black" technologies in the struggle of the anti-virus companies against the army of hackers is obvious. In the triangle «hacker – AV company – user» the weak part still remains the user, who should know about existing cyber threats to be able to use the installed protection system effectively.

REFERENCES

[1] Alexander Adamov, «Computer Threats: Methods of Detection and Analysis», Kaspersky Lab, Moscow 2009.
[2] www.securelist.com
[3] Infosecurity Magazine: Phishing and the economics of e-crime, Sep 2007. (http://www.infosecurity-magazine.com/).
[4] Z. Chen and C. Ji, "A self-learning worm using importance scanning," in ACM CCS Workshop on Rapid Malcode (WORM'05), 2005.
[5] C. C. Zou, W. Gong, and D. Towsley, "Code red worm propagation modeling and analysis," in 9th ACM Conference on Computer and Communication Security (CCS'02), 2002.
[6] C. Shannon and D. Moore, "The spread of the Witty worm," IEEE Security and Privacy Magazine, 2004.
[7] C. Zou, L. Gao, W. Gong, and D. Towsley, "Monitoring and early warning of internet worms," in ACM Conference on Computer and Communications Security (CCS'03), 2003.
[8] M. Rajab, F. Monrose, and A. Terzis, "Fast and evasive attacks: Highlighting the challenges ahead," in 9th International Symposium on Recent Advances in Intrusion Detection (RAID'04), 2006.

Brief Biography

Wajeb Gharibi is an Associate Professor and Chairman of the Department of Computer Networks, College of Computer Science & Information Systems, Jazan University, Jazan, Kingdom of Saudi Arabia. He obtained his Ph.D. degree in Informatics from the Institute of Mathematics and Computer Science, Byelorussian Academy of Sciences, USSR in 1990. Dr. Wajeb worked at Aleppo University, Syria (1990-1994, 1998-2001), Taiz University, Yemen (1995-1998), and King Khalid University, Saudi Arabia (2001-2009), and since October 2009 he has been teaching at the College of Computer Science & Information Systems, Jazan University, Jazan, Kingdom of Saudi Arabia. His research interests include information security, microelectronics, embedded systems, design and analysis of network algorithms, combinatorial optimization, computational geometry, discrete convexity, operations research and data analysis. He has published more than 53 research papers in national and international journals and conferences. Dr. Wajeb Gharibi has received many prizes:

- Proclamation of Great Minds of the 21st Century; American Biographical Institute, USA (2008 and 2010)
- 2008 Man of the Year in Science Award; American Biographical Institute, USA
- 2000 Outstanding Intellectuals of the 21st Century Award, International Biographical Centre, Cambridge, England (2008)
- TWAS (Third World Academy of Sciences) Prize for the year 2001, Italy (Supreme Council of Sciences, Syria).
