This tip was submitted to the searchSecurity Tip Exchange Contest by user Robert Bagnall.
Just as the industry of hostile code has evolved, so too must the definitions and terms that describe it. Not long ago, viruses, Trojans and worms were separated by clearly delineated factors. This is no longer the case.
Today's malware is better described as parasitic than by any earlier term. The parasite not only infects its host like a virus, spreads itself like a worm and poses as something it is not like a Trojan; it can also control the behavior of the host after infection. This last factor is often overlooked by the antivirus (AV) industry. For a more in-depth analysis, one must turn to nature itself.
Science always seeks to explain things, to categorize every event and item and force them into clean, neat little boxes. This is nowhere more evident than in the AV industry, where we have chosen to categorize hostile code under the same auspices as natural infectious agents (viruses, Trojans and worms). We use grand terms such as "infection," "inoculation" and "antivirus" to describe the goings-on of malicious computer code and how we combat it. In that vein, as the hostility and potency of malware evolves, our scientific terms for describing it must evolve as well.
In nature, the lancet fluke, for example, infects its host through a common portal. In this case, the fluke uses cow manure to transmit itself to ants and infect them. If we were to relate that to computer code, we would say that our computer parasite uses e-mail as a common portal for infection. Nothing surprising there.
By using the manure as a transmission medium, the lancet fluke also acts as a Trojan by posing as something completely acceptable and normal to the ant. Hostile code has evolved in much the same way, where Melissa and the Love Bug appear to us in e-mail that comes from people we know. Thus, the code carries the behavioral characteristics of both a virus and a Trojan.
Next, the lancet fluke, as a true parasite, has the capability to control its host. The fluke takes control of the victim ant, making it climb a blade of grass where it will sit until eaten by another cow. Once eaten by the cow, the cycle begins anew. This step not only encompasses the typical behavior of a parasite, it mimics the behavior of a worm through replication and transmission. In the case of Melissa, the user opened the attachment, which triggered the hostile code. The code then took control of the host computer long enough to replicate itself and send itself to everyone in the victim's address book, who then repeated the step because of the Trojan-like behavior. The mere arrival of e-mail from a familiar and trusted address is itself Trojan-like, because it led each recipient to open the attachment, activate the code and repeat the process.
The parasite in nature also mimics the current trends in computer malware in another way: The payload does not have to be harmful to the host in order to be effective. The lancet fluke does nothing to the cow. No harm is done regardless of how many times the process is repeated. This was also the case with Melissa, where the data contained on the victim host computer was never altered, damaged or destroyed. It was simply an annoyance.
Yet also like Melissa, the lancet fluke can cause harm. In the case of the ant, the fluke takes control of the host and causes its death by forcing it to climb the blade of grass where it waits to be eaten by a cow again. Victim host computers during Melissa, although not damaged, were brought down because service was denied at mail servers and local mailboxes, which were filled beyond a sustainable level in a very short period of time. With the Love Bug, the harm was a bit more immediate. Files were actually overwritten, though the basic transmission process was quite similar. Although the parasite can cause irreparable harm to its victim host, it does not have to cause such harm to accomplish its goal. Today's malware works in much the same way.
Hybris, the latest effort in the "smart virus" genre, is the most current example of the evolution of hostile code technology, as well as how the classic definitions within the AV industry are becoming more obsolete. Hybris appears as an attachment to an e-mail message from someone the victim knows, like Melissa and Love Bug. But the e-mail's subject line, body and attachment name can now be written in English, French, Spanish or Portuguese. Hybris infects the Windows Winsock32.dll networking software and will store a copy of itself in the Windows system directory. It then essentially wiretaps the host computer, looking for e-mail messages to send itself to next.
Hybris also has support for up to 32 encrypted plug-ins that it can download from the Internet, a highly advanced feature. With these plug-ins, any of its attributes can be changed, including how it infects the e-mail and from where it downloads new updates. Even from such a basic description, it quickly becomes apparent that the current crop of malware is anything but easily defined through the classic means. Hybris operates not simply like a virus, worm or Trojan, but like all three and more. Hybris is a parasite.
Although the term parasite may not ultimately be accepted as a replacement for the current lexicon of the AV industry, it should at least be included as an evolutionary addition to that lexicon. The lines between the old delineators of hostile code have not merely been blurred; in many cases they no longer exist. People must therefore evolve with the technologies they create, or face becoming slaves to them.
This was first published in May 2001.