Abstract
Malware poses a significant threat to computer networks of all sizes.
This paper summarizes three of the key components of malware infection as it
pertains to enterprise networks: Detection, Disinfection and Related Costs.
The “Detection” element comprises a synopsis of two types of malware,
metamorphic and polymorphic, and discusses three popular models of heuristic,
behavioral malware detection: signature-based, file emulation, and file analysis.
Two newly emerging models of detection, “traffic aggregation” (communication
analysis) and network vulnerability scanning, are also discussed.
The paper's “Disinfection” component includes an overview of the two types of
system infection (memory-file-registry infectors and memory-only infectors) and
the current methods of disinfection, including malware-specific removal tools, real
time scanners and cloud-based technologies, with the pros and cons of each.
Methods for quantifying costs of direct and indirect malware attacks, the importance
of utilizing “value calculators” and creating/implementing security budgets are
outlined in “The Related Costs of Malware”.
Introduction
Malware, simply defined, is software that is not beneficial, and may in fact be
harmful, to a computer. It poses a significant threat to all computer networks,
whether large or small, public or private.
Some forms of malware, such as botnets, trojans, rootkits, and spyware, are often
difficult to detect and/or isolate, because they are non-disruptive in their course of
action.
This paper summarizes three of the key components of malware infection as it
pertains to enterprise networks: Detection, Disinfection and Related Costs.
The term “malware” once referred to viruses and worms, but current malware has
evolved into a very selective type of tool. Malware is no longer written from
amateur scripts, or by “copy and paste” methods, by “script kiddies.” Instead,
highly trained programmers are authoring today’s malware, covertly trained and
supported by political syndicates, organized crime, government-sanctioned but
unacknowledged (“dark”) operations, and some nation-states. [1]
What was once considered rebellious behavior or pranks has progressed into
serious criminal activity. Malware is now used for crimes such as industrial
espionage: “transmitting digital copies of trade secrets” [2] such as customer names,
business plans and contracts, virtually any private or personal information.
As cell phones are increasingly used as mobile computing devices, and are
attached to networks, they are also at risk for malware infection. They are included
in this discussion as well.
In order to discuss current and emerging detection and disinfection techniques, it is
necessary to have a basic understanding of how malware infection occurs and how
malware avoids detection in order to carry out its functions.
Popular Methods of Infection
Exploits and “Drive-by downloads”
Although not a well-known fact, an extensive, highly developed “malware
distribution network” exists on the internet. Its structure is tree-like: the outer
branches are the web pages that serve as “landing sites”, which move users
further into a trunk system of web servers that are actually malware “distribution
sites”. The distribution sites install malware by exploiting security holes in the
machine's browser or in applications such as Adobe products and JavaScript. When
this type of exploit succeeds, the attacker has complete control of the machine at
the system level.
Using the same exploits, programs called “file droppers” can be installed. A file
dropper is “a program that will continue to install malicious code”. Since it is not
itself an infected file (it simply carries code), it is not detected by virus-scanning
software [3].
Some droppers install applications that record keystrokes, easily stealing
passwords, banking information, etc. Other droppers install software that adds
the PC to a larger group of exploited machines, which are then used collectively
for carrying out malicious actions.
The number of these landing sites, and the ways of creating them, continue to
grow. Security patches should be applied whenever possible to prevent infection,
rather than relying on “workarounds.”
The ideal solution to this type of infection would include identifying software
vulnerabilities, developing and issuing patches, implementing them, and educating
users.
Social engineering
A very common, very old, but still successful way of introducing infection is the use
of “social engineering” techniques.
Social engineering is defined in many ways, from “The practice of deceiving
someone, either in person, over the phone, or using a computer, with the express
intent of breaching some level of security either personal or professional” to “con
games performed by con artists.” [4] Social engineering is basically a psychological,
manipulative tool that depends upon, and takes advantage of, a person’s natural
predisposition to be trusting. Social engineering techniques persuade unwary users
to perform actions, such as clicking on links, that result in malware being
downloaded and installed on their computer.
Rogue Infection
Rogue infections are “fake” virus pop-up alerts that are installed via a compromised
web page that exploits security holes, much like “drive-by” infections. Rogues
“notify” users that their computer is “infected” or that it has “critical errors”. These
are realistic-looking alerts and usually appear as if generated by the installed
operating system. Whether the user closes the pop-up window, or clicks “cancel” or
“OK”, the result is always the same: malware is installed (usually trojans). The user
then continues to be prompted, via pop-ups, to purchase anti-virus software that will
remove the malware. With these types of infections, network settings are often
changed, proxies are installed, or homepages are redirected (“hijacked”).
Peer-to-peer (P2P), torrent and file sharing programs
When using file sharing programs, it is difficult to verify that the source of the files is
trustworthy, because the users that are sharing their files remain anonymous. Many
times, file sharing applications are used to pass on malicious code, such as
spyware, viruses, trojans, or worms, via the shared files.
E-mail
Two common ways in which email is used to deliver malware are attachments
and links within the body of the email.
The attachment may contain embedded malware. Opening the attachment
launches the malware program.
Clicking on a link contained in an email could exploit security holes in the web
browser, or use exploits to activate a malware program that is embedded in the
email message. Alternatively, the link may open an infected web page that holds
embedded malware.
USB devices
There were an estimated 3.75 million malware attacks via USB devices in the first
quarter of 2010. [5] USB devices, which include portable gaming units, digital
camera memory cards, cell phones, MP3 players, portable USB CD/DVD drives,
FireWire and eSATA devices, and digital picture frames, are extremely susceptible
to becoming carriers of malware and reinfecting other machines.
USB malware transmission begins when the device is inserted into an infected machine,
whereupon the malicious software copies itself to all storage locations and devices:
network shares, local drives, and removable media such as USB drives. By altering
the autorun.inf file and copying hidden malware files to the drive, the malware
arranges for autorun.inf to launch and execute it when the portable drive is inserted
into a different machine. The malware copies itself into Windows operating system
files and is able to replicate every time the computer is booted.
Disabling the “auto run” feature in the Windows operating system, to prevent the
autorun.inf file from automatically launching, seems like a good preventive measure,
but in reality even just browsing to the root folder of an infected USB stick can still
trigger the infection by taking advantage of Windows processes. [6]
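The carrier pattern described above (an autorun.inf whose launch directives point at hidden files on the volume) is something a defender can check for when a removable device is mounted. The following is an added example, not code from the paper: it parses a constructed autorun.inf, lists every directive that would run a program (open=, shellexecute= and shell\<verb>\command=), and rates it higher when the target is among the files reported as hidden on the volume. The sample file and the hidden-file inventory are both constructed for the example.

```python
"""Inspect an autorun.inf for launch directives that point at hidden files.

Added example, not from the paper: a defender's check that parses the
[autorun] section of a constructed autorun.inf and reports every
directive that would execute a file when the device is inserted,
together with whether that target is among the files marked hidden on
the volume (the combination the text describes).
"""

# Keys whose value Windows treats as a program to run (open=, shellexecute=)
# plus any shell\<verb>\command= entry added for the right-click menu.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lower-cased because Windows matches them
    case-insensitively; ';' lines are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def first_token(value):
    """Return the program part of a command line, honouring quotes."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(sections):
    """Yield (directive, program) pairs for every directive that runs a file."""
    autorun = sections.get("autorun", {})
    for key, value in autorun.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb:
            yield key, first_token(value)


def assess_autorun(text, hidden_files):
    """Rate each launch directive: 'high' when its target is a hidden file
    (the carrier pattern above), 'medium' for any other launch target."""
    hidden = {h.lower() for h in hidden_files}
    findings = []
    for directive, program in launch_targets(parse_autorun(text)):
        name = program.replace("\\", "/").rsplit("/", 1)[-1].lower()
        is_hidden = name in hidden
        findings.append({
            "directive": directive,
            "target": program,
            "hidden": is_hidden,
            "severity": "high" if is_hidden else "medium",
        })
    return findings


# Constructed sample: a lure label and two directives that run the same
# hidden executable. Not taken from any real infection.
SAMPLE_AUTORUN = """\
[autorun]
; constructed for this example
label=Photos
icon=setup.exe,0
open=RECYCLER\\S-1-5-21\\svchost.exe -autostart
shell\\open\\command="RECYCLER\\S-1-5-21\\svchost.exe" /quiet
"""
# Constructed: the names an inventory of the volume reported as hidden.
SAMPLE_HIDDEN = ["svchost.exe", "setup.exe"]

if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN, SAMPLE_HIDDEN):
        print(finding)
```

Because the check reads only the autorun.inf text and a file listing, it can run from a host that has autorun disabled, which matters given the caveat above that browsing an infected stick can itself trigger the infection.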
Malware Types and Subsequent Detection
Malware detection has been accomplished, until very recently, mainly by using
“signatures”.
Signature-based malware detection requires malware to be identified by way of
analysis of its code, searching for and finding code that is unique to that specific
malware program. The discovered code is then used to create anti-malware
software that is based on recognizing that code.
Once created, the anti-malware software must then be installed onto the computer
system, and allowed to scan, detect and remove the malware. This entire process
must be repeated anew for every novel instance or variant of malware. [7]
As malware continues to evolve in ways that avoid detection, it is simply not
practical to continue detection in this manner, even when a single signature is
constant within a large proportion of malware.
The main way that malware avoids detection by signature-based antivirus scanners
is by using “obfuscation” [8], a technique that changes malware into new and
different versions of itself while maintaining functionality.
“Obfuscation” actually uses encryption of the main body of the malware program.
Once the malware is launched, a built-in decryptor recovers the main body. Because
the decryptor itself remains constant, it can be detected by antivirus scanners that
have been developed to detect decryptor patterns. In this “reverse” way, the
presence of the obfuscated malware is detected.
Polymorphic malware was created in response to this decryptor constancy problem.
Polymorphic malware is able to create limitless encryptors, thereby increasing the
difficulty for signature-based scanners to detect it. There is a variation of
polymorphic malware called “metamorphic” malware, which takes this a step
further. Metamorphic malware can recognize, parse and mutate itself as it spreads,
and it does not utilize encryption at all.
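The three outcomes just described (body signature hits a plain copy; only the constant decryptor is left to match on an obfuscated copy; nothing constant remains on a polymorphic copy) can be reproduced with a few lines of Python. This is an added example, not code from the paper: PAYLOAD and STUB are constructed byte strings rather than executable code, single-byte XOR stands in for the encryption, and scan_with_decoding is a crude stand-in for the emulation approach the next section covers, where the scanner undoes the encoding before matching instead of matching the stored bytes.

```python
"""Signature matching against plain, obfuscated and polymorphic copies.

Added example, not from the paper. PAYLOAD and STUB are constructed byte
strings, not executable code; they stand in for the malware body and the
constant decryptor the text describes, so the three detection outcomes
can be reproduced offline.
"""

PAYLOAD = b"CONSTRUCTED-MALICIOUS-BODY-MARKER" + b"\x00" * 16
STUB = b"DECRYPT-STUB-V1"        # the constant decryptor (same in every copy)

# What a signature scanner knows: a pattern from the body, and one from the stub.
SIGNATURES = {"body": b"MALICIOUS-BODY-MARKER", "stub": STUB}


def xor_bytes(data, key):
    """Single-byte XOR, used here only as the toy 'encryption' of the body."""
    return bytes(b ^ key for b in data)


def obfuscated_copy(key=0x5A):
    """Constant stub followed by the key and the encoded body.

    The body signature no longer appears, but the stub does, which is the
    'reverse' detection route the text describes.
    """
    return STUB + bytes([key]) + xor_bytes(PAYLOAD, key)


def polymorphic_copy(generation):
    """A copy whose decryptor differs every generation (different key and
    different leading bytes), so neither the body nor a constant stub
    pattern is present for a signature to match."""
    key = (0x11 * (generation + 1)) & 0xFF or 0x01
    variable_stub = bytes((generation * 7 + i) & 0xFF for i in range(8))
    return variable_stub + bytes([key]) + xor_bytes(PAYLOAD, key)


def scan(sample, signatures):
    """Plain signature scan: names of the patterns found in the bytes."""
    return sorted(name for name, pattern in signatures.items() if pattern in sample)


def scan_with_decoding(sample, signatures):
    """Stand-in for file emulation: instead of matching the stored bytes,
    undo every possible single-byte key and scan the result, so the body
    is recognised regardless of how the decryptor was written."""
    for key in range(256):
        hits = scan(xor_bytes(sample, key), signatures)
        if hits:
            return key, hits
    return None, []


def detection_matrix():
    """Compare both scanners on the three kinds of copy."""
    body_only = {"body": SIGNATURES["body"]}
    samples = {
        "plain": PAYLOAD,
        "obfuscated": obfuscated_copy(),
        "polymorphic": polymorphic_copy(3),
    }
    return {
        name: {
            "signature_scan": scan(sample, SIGNATURES),
            "decoding_scan": scan_with_decoding(sample, body_only)[1],
        }
        for name, sample in samples.items()
    }


if __name__ == "__main__":
    for name, result in detection_matrix().items():
        print(f"{name:12s} {result}")
```

Running it shows the signature scanner reporting "body" for the plain copy, only "stub" for the obfuscated copy, and nothing for the polymorphic copy, while the decoding scanner reports the body in all three cases. Real emulation engines execute the decryptor rather than guessing keys, but the reason they beat pure signatures is the same: they match what the sample becomes, not what is stored on disk.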
In response to these types of malware adaptations, proactive, heuristic, dynamic,
anti-malware scanning has been developed.
Heuristic scanning compares the source code of a file to the source code of
known malware. If the detected code matches a certain percentage of the
known malware code, it is labeled as a possible threat.
Dynamic scanning is real-time scanning that allows code to be run in a virtual
environment, or “sandbox”, while it is observed.
“File Emulation” is a type of dynamic scanning that analyzes the
characteristics and behavior of code in this virtual environment; if the
code behaves like malware, it is considered to actually be malware [9] and is
treated as such.
“File Analysis” is a scanning method that works in real time (dynamic) and
utilizes behavioral analysis of files in order to determine their intent
(heuristic). Both of these methods (File Emulation and File Analysis) assess
the effects of a particular application. They monitor for activities like
replication and file overwriting. In this manner, many types of polymorphic
and metamorphic malware can be detected with a single behavioral
specification.
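The last point, that one behavioral specification covers samples whose bytes are entirely different, is easiest to see on a trace. The following is an added example, not code from the paper: the traces are constructed stand-ins for what a file-emulation or file-analysis engine records while running a sample (action and target pairs), and the specification encodes the behaviors the text names, replication and overwriting of existing files, plus an autostart registry change. Two "variants" with different names, paths and ordering are classified identically, and an ordinary installer is not flagged.

```python
"""One behavioral specification applied to differently-written samples.

Added example, not from the paper. The traces are constructed stand-ins
for what a file-emulation or file-analysis engine would record while
running a sample in its sandbox: (action, target) pairs. The rule set
encodes the behaviors the text names, replication and overwriting of
existing files, plus an autostart registry change, and classifies each
trace without looking at the sample's bytes at all.
"""
from collections import Counter

SYSTEM_PREFIXES = ("c:\\windows\\",)
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Behavior -> minimum event count needed to count as present.
SPECIFICATION = {
    "replication": 2,       # copied itself to at least two other locations
    "system_overwrite": 1,  # wrote over an existing file under the OS directory
    "autostart": 1,         # registered itself to run at boot/logon
}


def behavior_profile(trace):
    """Count the specification's behaviors in one trace."""
    profile = Counter()
    for action, target in trace:
        t = target.lower()
        if action == "copy_self":
            profile["replication"] += 1
        elif action == "write_existing" and t.startswith(SYSTEM_PREFIXES):
            profile["system_overwrite"] += 1
        elif action == "registry_set" and any(m in t for m in AUTOSTART_MARKERS):
            profile["autostart"] += 1
    return profile


def classify(trace, min_behaviors=2):
    """Return (verdict, matched behaviors); 'malware' when at least
    min_behaviors of the specification are present."""
    profile = behavior_profile(trace)
    matched = [b for b, need in SPECIFICATION.items() if profile[b] >= need]
    verdict = "malware" if len(matched) >= min_behaviors else "clean"
    return verdict, matched


# Constructed traces. Variants A and B would have completely different
# bytes on disk (different names, paths, ordering) but the same behavior.
TRACE_VARIANT_A = [
    ("exec", "C:\\Users\\u\\Downloads\\invoice.exe"),
    ("write_existing", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    ("copy_self", "C:\\Users\\u\\AppData\\Roaming\\svc.exe"),
    ("copy_self", "E:\\svc.exe"),
    ("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
]
TRACE_VARIANT_B = [
    ("exec", "C:\\Temp\\photo.scr"),
    ("copy_self", "\\\\fileserver\\share\\photo.scr"),
    ("registry_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd"),
    ("copy_self", "C:\\ProgramData\\upd.exe"),
    ("write_existing", "C:\\Windows\\System32\\wininet.dll"),
]
TRACE_INSTALLER = [
    ("exec", "C:\\Users\\u\\Downloads\\setup.exe"),
    ("write_new", "C:\\Program Files\\App\\app.exe"),
    ("write_new", "C:\\Program Files\\App\\config.ini"),
    ("registry_set", "HKLM\\Software\\App\\Version"),
]

if __name__ == "__main__":
    for name, trace in [("variant A", TRACE_VARIANT_A),
                        ("variant B", TRACE_VARIANT_B),
                        ("installer", TRACE_INSTALLER)]:
        print(name, classify(trace))
```

The min_behaviors threshold is what keeps this heuristic: a single matching behavior (an installer that legitimately registers an autostart entry, say) is not enough on its own, which is the trade-off between detection and false positives that every behavioral engine tunes.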
Malware that infects mobile phones is usually spread through SMS/MMS
messaging and Bluetooth. Because cell phones are limited in CPU capacity as well
as memory capacity and battery power, detection methods for these devices need
to carry a small footprint. [10] Dynamic, heuristic scanning methods as outlined
above, work best for these types of devices.
“Traffic aggregation” detection is based on the idea that malware usually
infects multiple systems on a network, and that the malware communicates
with external networks, (to export data, or receive commands). By analyzing
network flow, identifying communications that share common characteristics
(aggregates) including payload, flow to a common external network, or
identifying internal hosts that share similar software platforms [11], malware
infections can be detected.
The final type of detection to be discussed is “Network Vulnerability
Scanning.” This type of scanning is an event-driven approach that looks at
network context. Network activity is monitored and triggers/alerts result from
particular changes in network activity. [12]
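The traffic aggregation idea above is straightforward to prototype over flow summaries. The following is an added example, not code from the paper or from the cited work: the flow records are constructed, the "fp" field stands in for whatever payload characteristic is available (a hash of a request body, a TLS client profile), and "platform" comes from an assumed host inventory. Flows are grouped by destination, port and fingerprint; a group seen from several internal hosts is reported, and whether those hosts share a software platform is recorded as the discriminator the text mentions.

```python
"""Traffic aggregation over flow records (added example, not from the paper).

The flow records below are constructed. Each one is a summary of a
connection from an internal host to an external destination, with a
fingerprint standing in for the payload characteristic the text refers
to (a hash of the request body, a TLS client profile, etc.) and the
host's software platform from an assumed inventory.
"""
from collections import defaultdict

FLOWS = [
    # four workstations, same platform, same fingerprint, same destination
    {"src": "10.0.1.10", "dst": "203.0.113.7", "dport": 8080, "fp": "post-b64-blob", "platform": "win7-sp1"},
    {"src": "10.0.1.11", "dst": "203.0.113.7", "dport": 8080, "fp": "post-b64-blob", "platform": "win7-sp1"},
    {"src": "10.0.2.5",  "dst": "203.0.113.7", "dport": 8080, "fp": "post-b64-blob", "platform": "win7-sp1"},
    {"src": "10.0.2.9",  "dst": "203.0.113.7", "dport": 8080, "fp": "post-b64-blob", "platform": "win7-sp1"},
    # ordinary browsing: different fingerprints, mixed platforms
    {"src": "10.0.1.10", "dst": "198.51.100.20", "dport": 443, "fp": "tls-chrome", "platform": "win7-sp1"},
    {"src": "10.0.3.2",  "dst": "198.51.100.20", "dport": 443, "fp": "tls-safari", "platform": "macos"},
    {"src": "10.0.3.3",  "dst": "198.51.100.21", "dport": 443, "fp": "tls-firefox", "platform": "ubuntu"},
    # an update server every platform talks to in the same way
    {"src": "10.0.1.11", "dst": "198.51.100.30", "dport": 80, "fp": "get-manifest", "platform": "win7-sp1"},
    {"src": "10.0.3.2",  "dst": "198.51.100.30", "dport": 80, "fp": "get-manifest", "platform": "macos"},
    {"src": "10.0.3.3",  "dst": "198.51.100.30", "dport": 80, "fp": "get-manifest", "platform": "ubuntu"},
]


def aggregate(flows, keys=("dst", "dport", "fp")):
    """Group flows that share the aggregate key (destination, port, payload fingerprint)."""
    groups = defaultdict(list)
    for flow in flows:
        groups[tuple(flow[k] for k in keys)].append(flow)
    return groups


def suspicious_aggregates(flows, min_hosts=3):
    """Aggregates seen from at least min_hosts distinct internal hosts.

    shared_platform records the third characteristic the text mentions
    (hosts running the same software), which is how an analyst separates
    a likely infection from an update server everybody uses.
    """
    findings = []
    for (dst, dport, fp), members in aggregate(flows).items():
        hosts = sorted({m["src"] for m in members})
        platforms = {m["platform"] for m in members}
        if len(hosts) >= min_hosts:
            findings.append({
                "destination": f"{dst}:{dport}",
                "fingerprint": fp,
                "hosts": hosts,
                "shared_platform": len(platforms) == 1,
            })
    # most suspicious first: shared platform, then more hosts
    findings.sort(key=lambda f: (not f["shared_platform"], -len(f["hosts"])))
    return findings


if __name__ == "__main__":
    for finding in suspicious_aggregates(FLOWS):
        print(finding)
```

On the constructed data two aggregates clear the host threshold: the four-host group to 203.0.113.7:8080, all on the same platform, sorts first, and the update-server group, spanning three platforms, sorts last. Aggregation produces candidates for triage rather than verdicts; the shared-platform flag and an allow-list of known services are what keep the analyst's queue short.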
Disinfection
The purpose of “Disinfection” is to restore the system to its previous state of
functionality, prior to infection, ideally without having to reinstall software.
To understand the concept of Disinfection, this section includes an overview of the
two types of system infection: memory-file-registry infectors, and memory-only
infectors. The disinfection method utilized will depend upon the type of malware that
is infecting the system.
1. Memory-File-Registry Infectors
Memory-File-Registry Infectors use any combination of the memory, file and/or
Registry in order to control the system. These infections can reside in memory as a
process or service, add or modify registry entries, or modify an existing or dropped
file. If the modified file resides in memory, then that complicates the process,
because operating systems will not allow the deletion of a file as long as an
associated process or service is residing in memory.
Memory scanners, file scanners and registry scanners are all used to detect this
type of infection.
2. Memory Only Infectors
Memory only infectors don’t use files, or the registry. They exist as either a process
or a service and because of that, are more difficult to detect.
Memory resident malware is the most damaging type of malware because it
becomes active when a malware application, or infected program, is launched, or at
system boot. It remains active until the machine is rebooted, turned off, or power to
the machine is otherwise disrupted.
As mentioned above, operating systems will not allow the deletion of a file as long
as an associated process or service is residing in memory, so any memory-resident
processes associated with the malware must first be killed and/or the associated
resident services stopped. Doing this takes control away from the malware, and
prevents the malware from reinfecting the machine or restoring its physical
counterpart. (That is, unless the malware has started another process or service, or
replicated itself, before the process or service has been stopped.) [13]
Disinfection Methods
Removal Tools
“Removal Tools” are popular solutions during large outbreaks of infection.
They have advantages, such as being small, quickly downloadable, and that they
are executed separately from other scans.
Removal Tools are malware-specific, which is a disadvantage. Each tool will only
disinfect a system of specific malware or family of malware. Another disadvantage
is that often they cannot be deployed from a central location, making it nearly
impossible to use them in large organizations.
Real time scanners
Real time scanners (also called resident scanners) provide automatic protection by
monitoring for suspicious activity while data is flowing into the computer or when a
file is opened. The scanner runs in active (resident) memory. [14] Because monitoring
is done in real time, malware can be detected before it installs or propagates on the
machine. When the scanner identifies a potential malware infection, it takes
appropriate action by quarantining or deleting the program and alerting the user.
On-Demand Scanners
On-Demand Scanners examine the contents of the hard drive. The user can choose
to examine a portion of the drive, certain types of files, for example “documents”
only, or the entire drive. This type of scan is relatively slow, since every file on the
machine is examined, and it tends to utilize computer resources such as memory.
Once the scan is finished, additional scans will not be performed unless they have
been auto-scheduled or the scanner is launched manually.
“Cloud Based” Scanners
Online scanners provide an additional option for malware detection and disinfection.
Many times, when a computer is infected with malware, the existing protection is
disabled, or because the network settings have been reconfigured, the anti-malware
software cannot update. By utilizing an online scanner, an infected machine can be
diagnosed and disinfected quickly, on the fly. Online scanners typically have
user-friendly interfaces, and do not require scheduling, updating or configuring [15]. They use very few
system resources because they are running via powerful servers. They have up-to-
date databases and the latest file definitions.
The Related Costs of Malware
Determining and balancing the cost of malware is actually an exercise in risk
analysis. The first step in determining this expense is assigning values to all
information assets. The second step is to estimate the potential loss.
The assigned asset and loss values are then used to determine the single loss
expectancy (SLE), which is defined as the expense of recovering from a single
malware attack.
Calculating the SLE includes a summation of the following costs: [16]
- The cost of purchasing/maintaining anti-malware products
- The ongoing cost of maintaining anti-malware, i.e. subscriptions for updates and
other related services
- A value assigned to the company's data (calculated by determining how much it
would cost to restore or re-create different types of lost information, such as sales
records, tax information, contact information, emails)
- Lost revenue
- Potential cost of fines and penalties for violating confidentiality/privacy
agreements
- Loss of employee productivity
- Cost of repairing damaged systems
- Hardware overhead (all anti-malware products consume resources such as
processing power, memory and disk space)
Then determine the annual loss expectancy (ALE) of a single malware attack based
on the average number of previous attacks per year, and multiply the SLE by the ALE
to determine the annual cost of malware for the business. [17]
Setting a Security Budget
After determining the annual cost of malware, it is crucial to plan an anti-
malware budget accordingly. The figures from the above calculations will
provide a rough estimation for the planned yearly expenditure for anti-
malware protection.
Assess the amount of risk that the company is willing to take. For example,
some companies might choose to accept a higher level of risk of infection,
because it’s been determined that the actual probability of attack is very low,
or because the organization has lowered some risks in other ways, such as
by purchasing insurance, or the use of offsite backup solutions.
These calculations can be used in creating a security budget, and/or for
calculating the value of the particular anti-malware tools already in place. [18]
Calculators
There are many risk calculators available online as shareware. They are easy to
use, and will generate an estimate of various risks, using several of the variables
mentioned above.
One such calculator was used to estimate the financial risk for a fictitious
organization of 1,000 employees.
The calculator located at http://www.cmsconnect.com/Marketing/viruscalc.htm
analyzed the organization's workplace and email environment (using the number of
employees with email access, the number of minutes of email usage per employee per
day, and the average employee salary) along with the number of IT staff and their
average salary. The effects of an email malware attack in regard to salary and
productivity were found as follows:
It was determined that a fictitious organization of 1,000 employees earning an
average of $25/hr, and using email for approximately 30 minutes per day, would
cost the company 524 hours, which translates into $13,700.00 in lost salaries per
day (or $570.83 per hour).
Conclusion
Malware comprises several types of harmful applications. It affects networks of all
sizes, and is installed via various means, many times without a user's consent or
knowledge. It is costly to businesses in regard to prevention as well as recovery.
Malware is no longer viewed as a prank created by script kiddies. Malware is now
developed by professional programmers who are paid for their work, and is used to
steal information of all kinds. New types of malware are continuously being developed in
order to avoid detection.
Malware is installed on systems via several methods, some of which require user
interaction and some of which do not. Educating users about means such as social
engineering and phishing is a proactive way to help carry out prevention.
Disinfection methods have, for the most part, been reactive, although new, proactive
methods of detection and disinfection are being developed. Detection and disinfection
can be costly.
Risk analysis and assessment must be performed and are a necessary element in
assessing the necessary expenditures that a business should prepare to incur. Creating
and implementing a security budget are essential in order to protect information assets,
privacy, confidentiality, and the network infrastructure.
References
1. George Ledin, Jr. (February 2011), The Growing Harm of Not Teaching Malware, Communications of the ACM, vol. 54, no. 2.
2. Steve Lohr (January 17, 2010), Companies Fight Endless War Against Computer Attacks, NYTimes.com, retrieved 05/27/2011 from: http://www.nytimes.com/2010/01/18/technology/internet/18defend.html
3. Ilsun You, Kangbin Yim (2010), Malware Obfuscation Techniques: A Brief Survey, ACM Digital Library, retrieved on June 07, 2011 from: https://connect.spsu.edu/plugins/dl/pdf/proceedings/bwcca/2010/4236/00/,DanaInfo=.aoskjmsE345Jn0z399v9S8A2+4236a297.pdf?template=1&loginState=2&userData=Southern%2BPolytechnic%2BState%2BUniversity%253ASouthern%2BPolytechnic%2BState%2BUniversity%253AAddress%253A%2B168.28.177.10%252C%2B%255B140.98.196.192%252C%2B168.28.177.10%255D
4. Jerri Ledford, Social Engineering, Identity Theft, About.com, retrieved on 06/30/11 from: http://idtheft.about.com/od/glossary/g/Social_Engineer.htm
5. Avast (2010), Auto Run for malware: One out of every eight attacks comes via a USB device, press release, Prague, Czech Republic, retrieved on 06/21/11 from: http://www.avast.com/pr-autorun-for-malware-one-out-of-every-eight-attacks-come-via-a-usb-device
6. Lumension Security Inc., Unruly USB: Devices Expose Networks to Malware, lumension.com
7. Ellen Messmer (2008), Security vendors leaving 'old school' malware detection methods behind, NetworkWorld, retrieved on 06/06/11 from: http://www.networkworld.com/news/2008/121208-crystal-ball-antivirus.html
8. Dropper, Webopedia: http://www.webopedia.com/TERM/D/dropper.html
9. Karl (2010), USB Top Method for Spreading Malware, Computer TLC, retrieved on 06/21/11 from: http://computertlc.net/whats-hot/usb-top-method-for-spreading-malware
10. Abhijit Bose, Xin Hu, Kang G. Shin, Taejoon Park (2008), Behavioral Detection of Malware on Mobile Handsets, ACM Digital Library, retrieved on 06/16/11 from: https://connect.spsu.edu/10.1145/1380000/1378626/,DanaInfo=.adfnlzjx5HjmxL15v+p225-bose.pdf?ip=168.28.177.10&CFID=29653738&CFTOKEN=77369117&__acm__=1308579214_d19c9d6878a170ad7496e95dd6796ec9
11. Ting-fang Yen, Michael K. Reiter, Traffic Aggregation for Malware Detection, ACM Digital Library, retrieved on 06/03/11 from: http://portal.acm.org/citation.cfm?id=1428337
12. Yunjing Xu, Michael Bailey, Eric Vander Weele, Farnam Jahanian (2010), CANVuS: context-aware network vulnerability scanning, ACM Digital Library, retrieved on 06/18/2011 from: https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1894166.1894177&coll=DL&dl=GUIDE&CFID=29653738&CFTOKEN=77369117&preflayout=flat#source
13. Jong Purisima and Vincent Tiu, System Disinfection, GovernmentSecurity.Org, Network Security Resources, retrieved on 06/18/2011 from: http://www.governmentsecurity.org/forum/index.php?showtopic=276
14. Kaspersky Lab support: http://support.kasperskyamericas.com/
15. Pros and Cons of Free Online Virus Scanners, ProductivityPortfolio, retrieved on 07/02/11 from: http://www.timeatlas.com/web_sites/general/pros_and_cons_of_free_online_virus_scanners
16. John Edwards (April 30, 2009), Money for Nothing: The Real Cost of Malware, Focus, retrieved 06/28/11 from: http://www.focus.com/briefs/it-security/money-nothing-real-cost-malware/
17. John Edwards (2008), The Malware Burden, Network Security Journal, retrieved on June 28, 2011 from: http://www.networksecurityjournal.com/features/malware-burden-012208/
18. Balancing the cost and benefits of countermeasures, SearchSecurity.com, retrieved on June 29, 2011 from: http://searchsecurity.techtarget.com/feature/Balancing-the-cost-and-benefits-of-countermeasures
Other References:
Vinod P, V. Laxmi, M. S. Gaur, Survey on Malware Detection Methods, retrieved 06/02/11 from: http://www.security.iitk.ac.in/contents/events/workshops/iitkhack09/papers/vinod.pdf
Aubrey-Derrick Schmidt, Frank Peters, Florian Lamour, Christian Scheel, Seyit Ahmet Çamtepe, Şahin Albayrak (November 2008), Monitoring Smartphones for Anomaly Detection, ACM Digital Library, retrieved on 06/18/11 from: https://connect.spsu.edu/,DanaInfo=.apptweqFhkvJz3t+citation.cfm?id=1503496.1503504&coll=DL&dl=GUIDE&CFID=29700256&CFTOKEN=40903672
Linda Musthaler (Mar 3, 2008), Google says the scope of drive-by malware is 'Significant', NetworkWorld, retrieved on 06/5/2011 from: http://www.networkworld.com/newsletters/2008/0303techexec1.html