Malware is a term that is used a lot today. You will hear it often in connection with infections that compromise anything from a single computer system up to the large network of a corporation. The list also includes compromised smartphones and emerging IoT devices. If we want to define malware, it can be termed as software that
“deliberately fulfills the harmful intent of an attacker/hacker”
Related terms such as worm, virus and Trojan horse are used to group malware into classes that exhibit similar malicious behavior. You should know that the first instances of known malicious software were viruses. The motivation for the creators of such early malware was usually to highlight some security vulnerabilities or simply to show off technical ability. For example, “the cleaning of Bagle worm infected hosts by instances of the Netsky worm could be considered as rivalry between different authors as reported by Tanachaiwiwat and Helmy in 2006”.
However, like nature, malicious programs are under constant evolution. As time passed, the attackers' motivation changed from showing off technical ability to the ever-wanted need: money. Today, there is a fast-flourishing underground economy based on malware and the exploits it enables. It is no longer the fun factor that drives development in the hacker community, but the prospect of the money that can be made from such attacks and exploits.
Malware Attack Scenario
Let us now consider the following scenario, which illustrates the distribution of malware and its effects. The information presented here is for educational purposes only, to make the user aware of how an attack might take place, so that the necessary defense mechanisms can be adopted to secure assets and data.
Introducing Bots and Botnets
A malicious bot is a remotely controlled piece of malware that has the potential to infect an Internet- or network-connected computer system. A bot allows an external entity, the so-called “bot master”, to remotely control the compromised systems. The pool of machines under the control of the bot master is called a “botnet”. The bot master might rent this botnet to a spammer who misuses the bots to send spam emails containing links to a manipulated web page, or the botnet can also be used to perform a coordinated DDoS attack.
Here comes the Spyware
The manipulated web page, in turn, might surreptitiously install a spyware component on a visitor's system, which may collect personal information such as credit card numbers and online banking credentials. This information is sent back to the attacker, who is now able to misuse the stolen information by purchasing goods online or for other mischief. All involved criminals make money at the expense of the infected user, or his/her bank respectively. With the rise of the Internet and the number of attached hosts, it is now possible for a sophisticated attacker to infect thousands of hosts within hours after releasing the malware into the wild. Recently, a study by Stone-Gross in 2009 revealed that the Torpig botnet consists of more than 180,000 infected computer systems.
Risk and Remedy: The Antivirus
The risk described above motivates the need to create tools and techniques that support the detection and mitigation of malicious software. Nowadays, the weapon of choice in the combat against malicious software is the signature-based anti-virus scanner, which matches a pre-generated set of signatures against the files of a user. These signatures are created in a way so that they only match malicious software. This approach has at least two major drawbacks. First, the signatures are commonly created by human analysts. This is tedious and error-prone work.
Second, the usage of signatures inherently prevents the detection of unknown threats for which no signatures exist. Thus, whenever a new threat is detected, it needs to be analyzed, and signatures need to be created for this threat. After the central signature database has been updated, the new information needs to be deployed to all clients that rely on that database. Because the signatures are created by human analysts, unfortunately, there is room for error. Multiple anti-virus vendors have released signature updates that mistakenly identified legitimate executables as malware, as happened in the case of Symantec, thus rendering the operating system they were designed to protect inoperative and leaving users dissatisfied.
Closely related to the second drawback (i.e., not being able to detect unknown threats) is the inability to detect specifically tailored malware. Besides the mass phenomenon of Internet worms and malicious browser plug-ins, one can observe the existence of specifically tailored malware that is created for targeted attacks. Spyware programs might be sent via email to the executive board of a company with the specific intent to capture sensitive information regarding the company. Because these malware samples usually do not occur in the wild, it is unlikely that an anti-virus vendor receives a sample in time to analyze it and produce signatures. This means that the spyware could be operational in the company for a long time before it is detected and removed, even if anti-virus software is in place. The inability to detect unknown threats is an inherent problem of signature-based detection techniques.
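The two drawbacks of signature matching described above can be seen in a few lines of code. This is an added example, not taken from any anti-virus product; the byte strings are constructed stand-ins for files, and the signature names and database layout are assumptions made for illustration.

```python
import hashlib

# Constructed byte strings standing in for files; none is real malware.
HEADER = b"MZ\x90\x00"  # bytes that many executables share
KNOWN_BAD = HEADER + b"constructed-known-sample-payload"
UNKNOWN_BAD = HEADER + b"constructed-tailored-sample-payload"
LEGIT_TOOL = HEADER + b"constructed-legitimate-system-tool"
FILES = {"known": KNOWN_BAD, "unknown": UNKNOWN_BAD, "legit": LEGIT_TOOL}


def make_db(hashes=(), patterns=()):
    """A signature database: exact SHA-256 hashes plus named byte patterns."""
    return {"sha256": set(hashes), "patterns": list(patterns)}


def scan(data, db):
    """Return the names of all signatures that match the file content."""
    hits = []
    if hashlib.sha256(data).hexdigest() in db["sha256"]:
        hits.append("sha256")
    for name, pattern in db["patterns"]:
        if pattern in data:
            hits.append(name)
    return hits


def report(db):
    """Map each sample file to True if any signature fires on it."""
    return {name: bool(scan(data, db)) for name, data in FILES.items()}


# Signatures an analyst wrote after studying the known sample only.
GOOD_DB = make_db(
    hashes=[hashlib.sha256(KNOWN_BAD).hexdigest()],
    patterns=[("Known.Sample", b"known-sample-payload")],
)

# A faulty update: the pattern was cut too short and now covers
# only the shared header, so it fires on every executable.
FAULTY_DB = make_db(patterns=[("Known.Sample", HEADER)])

if __name__ == "__main__":
    print("good db  :", report(GOOD_DB))
    print("faulty db:", report(FAULTY_DB))
```

With the well-formed database the tailored sample passes unnoticed because no signature exists for it; with the faulty update the legitimate tool is flagged along with everything else.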
Nowadays, behavioral analysis is also conducted. To overcome the shortcomings of signatures, these techniques base the decision of whether a piece of code is malicious on the observation of the software's behavior. Although these techniques allow for the detection of previously unknown threats to a certain extent, they commonly suffer from false positives. That means legitimate samples are falsely classified by the detection system as malicious, due to the detector's inability to distinguish legitimate from malicious behavior under all circumstances.
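The false-positive problem of behavioral detection can be made concrete with a small scoring detector. This is an added example, not a real product's logic; the event names, weights, labels and traces are all constructed assumptions.

```python
# Constructed event traces, as a sandbox or endpoint agent might record them.
# Event names, weights and ground-truth labels are assumptions for this example.
TRACES = {
    "unknown_spyware": ["read_browser_credentials", "hook_keyboard",
                        "connect_remote_host", "upload_data"],
    "quiet_spyware": ["hook_keyboard", "connect_remote_host", "upload_data"],
    "backup_tool": ["read_many_user_files", "connect_remote_host",
                    "upload_data", "register_autostart"],
    "text_editor": ["open_file", "write_file"],
}
IS_MALICIOUS = {"unknown_spyware": True, "quiet_spyware": True,
                "backup_tool": False, "text_editor": False}

# How suspicious the detector considers each observed behavior.
WEIGHTS = {
    "read_browser_credentials": 4,
    "hook_keyboard": 3,
    "read_many_user_files": 2,
    "upload_data": 2,
    "register_autostart": 2,
    "connect_remote_host": 1,
}


def score(trace):
    """Sum the weights of all behaviors seen; unknown events count as 0."""
    return sum(WEIGHTS.get(event, 0) for event in trace)


def evaluate(threshold):
    """Return (false_positives, false_negatives) for a given alert threshold."""
    false_pos, false_neg = [], []
    for name, trace in TRACES.items():
        flagged = score(trace) >= threshold
        if flagged and not IS_MALICIOUS[name]:
            false_pos.append(name)
        elif not flagged and IS_MALICIOUS[name]:
            false_neg.append(name)
    return sorted(false_pos), sorted(false_neg)


if __name__ == "__main__":
    for threshold in (5, 8):
        print("threshold", threshold, "->", evaluate(threshold))
```

No signature is needed to flag either spyware trace, but the backup tool behaves enough like them that every threshold either flags it or misses the quieter spyware sample.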