Viruses & Malware:Effects on Enterprise Networks Diane M. Duhé July 5, 2011
AbstractMalware poses a significant threat to computer networks of all sizes.This paper will provide a summarization of three of the key components of malwareinfection as it pertains to enterprise networks: Detection, Disinfection and RelatedCosts.The “Detection” element comprises a synopsis of two types of malware,metamorphic and polymorphic, and discusses three popular models of heuristic,behavioral malware detection: signature-based, file emulation, and file analysis.Two new emerging models of detection, “traffic aggregation” (communication), andnetwork vulnerability scanning are also discussed.The papers “Disinfection” component includes an overview of the two types ofsystem infection (memory-file- registry infectors, and memory-only infectors) andthe current methods of disinfection, including malware-specific removal tools, realtime scanners, cloud-based technologies, and pro’s and con’s of each.Methods for quantifying costs of direct and indirect malware attacks, the importanceof utilizing “value calculators” and creating/implementing security budgets areoutlined in “The Related Costs of Malware”.
IntroductionMalware, simply defined, is software that is not beneficial, and may in fact beharmful, to a computer. It poses a significant threat to all computer networks,whether large or small, public or private.Some forms of malware; such as botnets, trojans, root kits, and spyware, are oftendifficult to detect and/or isolate, because they’re non-disruptive in their course ofaction.This paper will provide a summarization of three of the key components of malwareinfection as it pertains to enterprise networks: Detection, Disinfection and RelatedCosts.The term “Malware” once referred to viruses and worms, but current malware hasevolved into a very selective type of tool. Malware is no longer written usingamateur scripts, or using “copy and paste” methods, by “script kiddies.” Instead,highly trained programmers are authoring today’s malware, being covertly trainedand supported, via political syndicates, organized crime, government sanctioned-unacknowledged (“dark”) ops, and some nation-states. What was once considered to be rebellious behavior or pranks has progressed intoserious criminal activity. Malware is now used for crimes such as industrialespionage: “transmitting digital copies of trade secrets”  such as customer names,business plans, contracts…virtually any and all private or personal information.As cell phones are increasingly used as mobile computing devices, and areattached to networks, they are also at risk for malware infection. They are includedin this discussion as well.In order to discuss current and emerging detection and disinfection techniques, it isnecessary to have a basic understanding of how malware infection occurs and howit avoids detection in order to carry out its’ functions.
.Rogue InfectionRogue infections are “fake” virus pop-up alerts, that are installed via a compromisedweb page that exploits security holes, much like “drive-by” infections. Rogues“notify” users that their computer is “infected” or that it has “critical errors”. Theseare realistic looking alerts and usually appear as if generated by the installedoperating system. Whether the user closes the pop-up window, or clicks “cancel” or“OK”, the result is always the same: malware is installed (usually trojans). The userthen continues to be prompted, via pop-ups, to purchase anti-virus software that willremove the malware. With these types of infections, network settings are oftenchanged, proxies are installed, or homepages are redirected (“hijacked”).Peer-to-peer (P2P), torrent and file sharing programsWhen using file sharing programs, it is difficult to verify that the source of the files istrustworthy, because the users that are sharing their files remain anonymous. Manytimes, file sharing applications are used to pass on malicious code, such asspyware, viruses, trojans, or worms, via the shared files.E-mailTwo common ways that email is used to deliver malware, are the use ofattachments as well as the use of links within the body of the email.The attachment may contain embedded malware. Opening the attachment willlaunch the malware program.Clicking on a link contained in an email could exploit security holes in the webbrowser, or use exploits to activate a malware program that’s embedded in the e-mail message. Or, the link may open an infected web page that holds embeddedmalware.USB devicesThere were an estimated 3.75 million malware attacks via USB devices in the firstquarter of 2010. “ USB devices, which include portable gaming units, digitalcamera memory cards, cell phones, MP3 players, portable USB CD/DVD drives,FireWire and eSATA devices, and digital picture frames, are extremely susceptibleto becoming carriers of malware, and reinfecting other machines.
USB malware transmission begins by inserting the device into an infected machine,whereby the malicious software copies itself to all storage locations and devices -network shares, local drives, and removable media such as USB drives. By alteringthe autorun.inf file and copying hidden malware files to the drive, the autorun.inf filewill launch and execute the malware when the portable drive is inserted into adifferent machine. The malware copies itself into Windows operating system filesand are able to replicate every time the computer is booted. Disabling the “auto run” feature in Windows operating system, to prevent theautorun.ini file from automatically launching ,seems like good preventative measure,but in reality, even just browsing to the root folder of an infected USB stick can stilltrigger the infection by taking advantage of Windows processes.Malware Types and Subsequent DetectionMalware detection has been accomplished, until very recently, mainly by using“signatures”.Signature based malware detection requires malware to be identified by way ofanalysis of it’s’ code; searching for and finding code that is unique to that specificmalware program. The discovered code is then used to create anti- malwaresoftware that is based on recognizing that code.Once created, the anti-malware software must then be installed onto the computersystem, and allowed to scan, detect and remove the malware. This entire processmust be repeated anew for every novel instance or variant of malware. As malware continues to evolve in ways that avoid detection, it is simply notpractical to continue detection in this manner, even when a single signature isconstant within a large proportion of malware.The main way that malware avoids detection by signature based antivirus scannersis by using “obfuscation” which is a technique which changes malware into newand different versions of itself, all while maintaining functionality.“Obfuscation” actually uses encryption in the main body of the malware program.Once the malware is launched, a built-in decryptor recoups the main body. Becausethe decryptor itself remains constant, it can be detected by antivirus scanners thathave been developed to detect decryptor patterns. In this “reverse” way, thepresence of the obfuscated malware is detected.Polymorphic malware was created in response to this decryptor constancy problem.Polymorphic malware is able to create limitless encryptors, thereby increasing thedifficulty for signature based scanners to detect it. There is a variation of
Polymorphic malware called “Metamorphic” malware, which takes this a stepfurther. Metamorphic malware can recognize, parse and mutate itself as it spreads,and it does not utilize encryption at all.In response to these types of malware adaptations, proactive, heuristic, dynamic,anti-malware scanning has been developed. Heuristic scanning compares the source code of a file to the source code of known malware. If the detected code matches a certain percentage of the known malware code, it is labeled as a possible threat. Dynamic scanning is real-time scanning that allows code to be run in a virtual environment, or “sand-box” while it is observed. “File Emulation” is a type of dynamic scanning that analyzes the characteristics and behavior of code in this virtual environment, and if the code behaves like malware, it is considered to actually be malware  and is treated as such. “File Analysis” is a scanning method that works in real-time, (dynamic) and utilizes behavioral analysis of files in order to determine their intent (heuristic). Both of these methods (File Emulation and File Analysis) assess the effects of a particular application. They monitor for activities like replication and file overwriting. In this manner, many types of Polymorphic and Metamorphic malware can be detected with a sole behavioral specification. Malware that infects mobile phones is usually spread through SMS/MMSmessaging and Bluetooth. Because cell phones are limited in CPU capacity as wellas memory capacity and battery power, detection methods for these devices needto carry a small footprint.  Dynamic, heuristic scanning methods as outlinedabove, work best for these types of devices. “Traffic aggregation” detection is based on the idea that malware usually infects multiple systems on a network, and that the malware communicates with external networks, (to export data, or receive commands). By analyzing network flow, identifying communications that share common characteristics (aggregates) including payload, flow to a common external network, or identifying internal hosts that share similar software platforms , malware infections can be detected.
The final type of detection to be discussed is “Network Vulnerability Scanning.” This type of scanning is an event-driven approach that looks at network context. Network activity is monitored and triggers/alerts result from particular changes in network activity. DisinfectionThe purpose of “Disinfection” is to restore the system to its’ previous state offunctionality, prior to infection, ideally, without having to reinstall software.To understand the concept of Disinfection, this section includes an overview of thetwo types of system infection: memory-file-registry infectors, and memory-onlyinfectors. The disinfection method utilized will depend upon the type of malware thatis infecting the system.1. Memory-File- Registry InfectorsMemory-File- Registry Infectors use any combination of the memory, file and /orRegistry in order to control the system. These infections can reside in memory as aprocess or service, add or modify registry entries, or modify an existing or droppedfile. If the modified file resides in memory, then that complicates the process,because operating systems will not allow the deletion of a file as long as anassociated process or service is residing in memory.Memory scanners, file scanners and registry scanners are all used to detect thistype of infection.2. Memory Only InfectorsMemory only infectors don’t use files, or the registry. They exist as either a processor a service and because of that, are more difficult to detect.Memory resident malware is the most damaging type of malware because itbecomes active when a malware application, or infected program, is launched, or atsystem boot. It remains active until the machine is rebooted, turned off, or power tothe machine is otherwise disrupted.
As mentioned above, operating systems will not allow the deletion of a file as longas an associated process or service is residing in memory, so any memory residentprocesses associated with the malware must first be killed and/or the associatedresident services stopped. Doing this takes control away from the malware, andprevents the malware from reinfecting the machine, or restoring its physicalcounterpart. (That is, unless the malware has started another process or service, orreplicated itself before the process or service has been stopped. Disinfection MethodsRemoval Tools“Removal Tools” are popular solutions during large outbreaks of infection.They have advantages, such as being small, quickly downloadable, and that theyare executed separately from other scans.Removal Tools are malware-specific, which is a disadvantage. Each tool will onlydisinfect a system of specific malware or family of malware. Another disadvantageis that often they cannot be deployed from a central location, making it nearlyimpossible to use them in large organizations.Real time scannersReal time scanners (also called resident scanners) provide automatic protection byMonitoring for suspicious activity while data is flowing into the computer or when afile is opened. It runs in active (resident) memory. Because monitoring is doneis real time, malware is able to be detected before it installs or propagates on themachine. When the scanner identifies a potential malware infection, it takesappropriate action by quarantining or deleting the program and alerting the user.On-Demand ScannersOn-Demand Scanners examine the contents of the hard drive. The user can chooseto examine a portion of the drive, certain types of files, for example “documents”only, or the entire drive. This type of scan is relatively slow, since every file on themachine is examined, and it tends to utilize computer resources such as memory.Once the scan is finished, additional scans will not be performed unless they havebeen auto-scheduled or the scanner is launched manually.
“Cloud Based” ScannersOnline scanners provide an additional option for malware detection and disinfection.Many times, when a computer is infected with malware, the existing protection isdisabled, or because the network settings have been reconfigured, the anti-malwaresoftware cannot update. By utilizing an online scanner, an infected machine can bediagnosed and disinfected quickly, on-the-fly. They typically have user-friendlyinterfaces, do not require scheduling, updating or configuring . They use very fewsystem resources because they are running via powerful servers. They have up-to-date databases and the latest file definitions.The Related Costs of MalwareDetermining and balancing the cost of malware is actually an exercise in riskanalysis. The first step to determining this expense, is assigning values to allinformation assets. The second step is to estimate the potential lossThe assigned asset and loss values are then used to determine the single lossexpectancy (SLE), which is defined as the expense of recovering from a singlemalware attack.Calculating the SLE includes a summation of the following costs:  The cost of purchasing/maintaining anti-malware products The ongoing cost for maintaining anti-malware ie: subscriptions for updates/other related services Assigning a value to the companys data (calculated by determining how much it would cost to restore or re-create different types of lost information, such as sales records, tax information, contact information, emails) Lost revenue Potential cost of fines and penalties for violating confidentiality/privacy agreements Loss of employee productivity Cost of repairing damaged systems Hardware overhead (all anti-malware products consume resources such as processing power, memory and disk space) Determine the annual loss expectancy (ALE) of a single malware attack based on average number of previous attacks per year
Multiply the SLE by the ALE to determine the annual cost of malware for the business. Setting a Security Budget After determining the annual cost of malware, it is crucial to plan an anti- malware budget accordingly. The figures from the above calculations will provide a rough estimation for the planned yearly expenditure for anti- malware protection. Assess the amount of risk that the company is willing to take. For example, some companies might choose to accept a higher level of risk of infection, because it’s been determined that the actual probability of attack is very low, or because the organization has lowered some risks in other ways, such as by purchasing insurance, or the use of offsite backup solutions. These calculations can be used in creating a security budget, and /or for calculating the value of the particular anti-malware tools already in place. CalculatorsThere are many risk calculators available online as shareware. They are easy touse, and will generate an estimate of various risks, using several of the variablesmentioned above.One such calculator was used to estimate the financial risk for a fictitiousorganization of 1,000 employees.The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm,analyzed the organizations’ workplace and email environment, (using number ofemployees with email access, number of minutes of email usage per employee perday, and average employee salary) along with the number of IT staff, and averagesalary The effects of an email malware attack in regards to salary and productivityare found as follows:It was determined that a fictitious organization of 1,000 employees earning anaverage e of $25/hr, and using email for approximately 30 minutes per day, wouldcost the company 524 hours, which translates into $13,700.00 in lost salaries perday (or $570.83 per hour)
Conclusion:Malware is comprised of several types of harmful applications. It affects networks of allsizes, and is installed via various means, many times without a users consent orknowledge. It is costly to businesses in regard to prevention as well as recovery.Malware is no longer viewed as a prank created by script kiddies. Malware is nowdeveloped by professional programmers who are paid for their work, and is used tosteal information of all kinds. New types of malware are continuously being developed inorder to avoid detection.Malware is installed on systems via several methods, some of which require userinteraction and some of which do not. Educating users about means such as socialengineering, and phishing is a pro-active way to help carry out prevention.Disinfection methods have for the most part, been reactive, although new, proactivemethods of detection and disinfection are being developed. Detection and disinfectioncan be costly.Risk analysis and assessment must be performed and are a necessary element inassessing the necessary expenditures that a business should prepare to incur. Creatingand implementing a security budget are essential in order to protect information assets,privacy, confidentiality, and the network infrastructure.
References1. George Ledin, Jr, ( (February 2011 vol. 54 - 2)The Growing Harm of Not TeachingMalware, Communications of the ACM2. Steve Lohr, January 17, 2010, Companies Fight Endless War Against ComputerAttacks, NYTimes.com, retrieved 05/27/2011 from:http://www.nytimes.com/2010/01/18/technology/internet/18defend.html3. Ilsun You, Kangbin Yim, (2010) Malware Obfuscation Techniques: A Brief Survey,ACM Digital Library, retrieved on June 07, 2011 from:https://connect.spsu.edu/plugins/dl/pdf/proceedings/bwcca/2010/4236/00/,DanaInfo=.aoskjmsE345Jn0z399v9S8A2+4236a297.pdf?template=1&loginState=2&userData=Southern%2BPolytechnic%2BState%2BUniversity%253ASouthern%2BPolytechnic%2BState%2BUniversity%253AAddress%253A%2B220.127.116.11%252C%2B%255B18.104.22.168%252C%2B22.214.171.124%255D4 Jerri Ledford, Social Engineering, Identity Theft, About.com retrieved on 06/30/11from: http://idtheft.about.com/od/glossary/g/Social_Engineer.htm5. Prague, Czech Republic (2010) Auto Run for malware:One out of every eight attacks comes via a USB device, Avast retrieved on 06/21/11from: http://www.avast.com/pr-autorun-for-malware-one-out-of-every-eight-attacks-come-via-a-usb-device6. Lumension Security Inc, Unruly USB: Devices Expose Networks to Malware,lumension.com7.Ellen Messmer, (2008) Security vendors leaving old school malware detectionmethods behind, NetworkWorld, retrieved on 06/06/11 from:http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html8. http://www.webopedia.com/TERM/D/dropper.html
9. Karl, (2010) USB Top Method for Spreading Malware, Computer TLC, retrieved on06/21/11 from: http://computertlc.net/whats-hot/usb-top-method-for-spreading-malware10. Abhijit Bose, Xin Hu ,Kang G. Shin,Taejoon Park, (2008) Behavioral Detection ofMalware on Mobile Handsets, ACM Digital Library, retrieved on 06/16/11 from:https://connect.spsu.edu/10.1145/1380000/1378626/,DanaInfo=.adfnlzjx5HjmxL15v+p225-bose.pdf?ip=126.96.36.199&CFID=29653738&CFTOKEN=77369117&__acm__=1308579214_d19c9d6878a170ad7496e95dd6796ec911. Ting-fang Yen, Michael K. Reiter, Traffic Aggregation for Malware Detection, ACMDigital Library, retrieved on 06/03/11 from: http://portal.acm.org/citation.cfm?id=142833712. Yunjing Xu, Michael Bailey, Eric Vander Weele, Farnam Jahanian CANVuS:context-aware network vulnerability scanning (2010) ACM Digital Library, retrieved on06/18/2011 from:https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1894166.1894177&coll=DL&dl=GUIDE&CFID=29653738&CFTOKEN=77369117&preflayout=flat#source13. Jong Purisima and Vincent Tiu, System Disinfection,GovernmentSecurity.Org,Network Security Resources retrieved on 06/18/2011 from:htttp://www.governmentsecurity.org/forum/index.php?showtopic=27614 http://support.kasperskyamericas.com/15. Pros and Cons of Free Online Virus Scanners , ProductivtyPortfolio, retrieved on07/02/11 from:http://www.timeatlas.com/web_sites/general/pros_and_cons_of_free_online_virus_scanners
16. John Edwards, April 30, 2009, Money for Nothing: The Real Cost of Malware,Focus, retrieved 06/028/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/17. John Edwards, (2008) The Malware Burden, Network Security Journal,retrieved onJune 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/18. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrievedon June29 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasuresOther References:Vinod P, V.Laxmi, M.S.Gaur, Survey on Malware Detection Methods,retrieved 06/02/11from:http://www.security.iitk.ac.in/contents/events/workshops/iitkhack09/papers/vinod.pdfAubrey-Derrick Schmidt · Frank Peters · Florian Lamour · Christian Scheel · SeyitAhmet Çamtepe · ¸ Sahin Albayrak, (November 2008) Monitoring Smartphone’s forAnomaly Detection, ACM Digital Library , retrieved on 06/18/11 from:https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1503496.1503504&coll=DL&dl=GUIDE&CFID=29700256&CFTOKEN=40903672Linda Musthaler, Google says the scope of drive-by malware is Significant (Mar 3,2008) Networkworld, retrieved on 06/5/2011 from:http://www.networkworld.com/newsletters/2008/0303techexec1.html