Malware Applications

Malware can arguably be used in many areas, for better or worse. We'll briefly looks at a number of "applications" for malicious software, for want of a better word. The applications are roughly grouped in order of increasing gravity: good (benevolent malware), annoying (spam), illegal (access-for-sale worms and cryptovirology), and martial (information warfare and cyberterrorism).

Benevolent Malware

"Benevolent malicious software" is obviously a contradiction in terms. Normally specific types of malware would be named - a benevolent virus, a benevolent worm. The generic term benevolent malware will be used to describe software which would otherwise be classified as malware, yet is intended to have a "good" effect.

Real attempts at benevolent malware have been made. For example:

  • Den Zuk, a boot-sector infecting virus in 1988, did no damage itself but removed the Pakistani Brain and Ohio viruses from a system. Later variants had the nasty habit of reformatting disks.
  • In 2001, the Cheese worm circulated, trying to clean up after the Lion (1 iOn) worm that had hit Linux systems. The problem was that Cheese's operation produced a lot of network traffic.
  • The Welchia worm tried to clean up Blaster-infected machines in 2003, even going so far as to automatically apply an official Microsoft patch for the bug that Blaster exploited. - Again, Welchia produced so much network traffic that the cure was worse than the disease.

These latter two can be thought of as "predator" worms. Such a predator worm could both destroy existing instances of its target worm, as well as immunize a machine against further incursions through a particular infection vector. Studies have been done simulating the effect that a well-constructed predator worm would have on its worm "prey."

Simulations predict that, if a predator worm and immunization method are ready in advance, then a predator worm can significantly curtail the spread of a target worm. However, a number of hurdles remain, legal, ethical, and technical. Legally, a predator worm is violating the law by breaking into machines, despite its good intentions.

It may be possible to unleash a predator worm in a private network, in which the predator worm's author has permission for their worm to operate, but there is a risk of the worm escaping from an open network.

Ethically, releasing a predator worm on the Internet at large affects machines whose owners haven't permitted such an activity, and past examples have inspired no confidence that a predator worm's impact would be beneficial in practice.

Even if a predator worm's network activity were controlled, unexpected software interactions could be expected on machines that are infected. A worm's effect would have to be incredibly damaging to society, far more so than any seen to date, before a predator worm's actions could be seen to contribute to a universal good.

Technically, there are the issues of control, compatibility, and consumption of resources mentioned above. There is also the thorny issue of verification: what is a predator worm doing, and how can its behavior be verified? Has a predator worm been subverted by another malware writer, and how can antivirus software distinguish good worms from bad?

Of all the possible applications for benevolent malware, including predator worms, there has been no "killer application," a problem for which benevolent malware is clearly the best solution. Everything doable by benevolent malware can also be accomplished by other, more controlled means.

One possible niche for benevolent malware is the area of mobile agents. A mobile agent is a program that transfers itself from one computer to another as it performs one or more tasks on behalf of a user. For example, a user's mobile agent may propagate itself from one airline site to another, in search of cheap airfares.

From the point of view of malware, mobile agents bear more than a passing resemblance to rabbits, and serious questions have been raised about mobile agent security.

As was the case for benevolent malware, mobile agents may be a solution in search of a problem: one analysis concluded that mobile agents had overall advantages, but 'With one rather narrow exception, there is nothing that can be done with mobile agents that cannot also be done with other means.'

Spam

An infected computer may just be a means to an end. Malware can install open proxy servers, which can be used to relay spam. It can also turn infected machines into zombies that can be used for a variety of purposes, like conducting DDoS attacks.

In either case, the malware writer would use the infected computer later, with almost no chance of being caught. A zombie network can be leveraged to send more effective spam: infected computers can be viewed as repositories of legitimate email corpora.

Malware can mine information about a user's email-writing style and social network, then use that analysis to customize new spam messages being sent out, so that they appear to originate from the user.

For example, malware can use saved email to learn a user's typical habits for email capitalization, misspellings, and signatures. The malware can then automatically mimic those habits in spam sent to people the user normally emails; these people are also discovered through malware mining saved email.

Cyberterrorism

The United Nations has been unable to agree on a definition of terrorism. A definition of cyberterrorism that is universally agreed-upon is equally elusive. This lack of a standard cyberterrorism definition makes the classification of individual acts hard to pin down.

Is malware that launches a DDoS attack against a government web site cyberterrorism? What about malware that simply carries a string with an anti-government slogan?

Terrorism has been compared to theater, in that terrorists want to maximize the emotional impact of their attacks. From the terrorists' point of view, an effective terrorist act is one that puts people in constant fear of their lives.

Terrorist acts that merely irritate people are not effective. By this token, cyberterrorist acts cannot be useful as terrorist tools unless their effect tangibly protrudes into the real world.

Being unable to electronically access a bank account is inconvenient, but doesn't strike the fear of death into victims as would a cyberterrorist attack against nuclear facilities, the power grid, or hospitals. Luckily, no one is colossally stupid enough to connect such vital systems to the Internet.

In lieu of such attacks against critical systems, cyberterrorist acts might play the same role as malware does in information warfare. Cyberterrorism can be used as a complement to traditional, real-world physical attacks, to confuse an enemy by disrupting computer-based communications for rescue efforts, or by sowing disinformation during a terrorist attack.

Prior to an attack, misleading intelligence traffic can be generated. Terrorists have unfortunately shown themselves to be very good at lateral thinking, and a cyberterrorist attack is likely to strike something unexpected and undefended. Are stricter laws and standards needed for these new weapons, these Internetconnected computers?

Cryptovirology

Using viruses and other malware for extortion is called cryptovirology. After a virus has deployed its payload and been discovered, the effects of its payload should be devastating and irreversible for the victim, but reversible for the virus writer. The virus writer can then demand money to undo the damage.

For example, such a virus - a cryptovirus - could strongly encrypt the victim's data such that only the virus author can decrypt it. The cryptovirus can employ public-key cryptography to avoid having to carry a capturable, secret decryption key with it to each new infection.

The victim's data is encrypted using the virus writer's public key, and the virus writer can supply their private key to decrypt the data once a ransom is paid. Even on fast computers, public-key encryption would be slow to encrypt large directories and filesy stems. There are faster options for a crypto virus:

  • The cryptovirus can randomly generate a unique secret key for each infection. This secret key is used to strongly encrypt the victim's data using a faster, symmetric strong encryption algorithm.

The cryptovirus then strongly encrypts the random secret key with the virus writer's public key and stores the result in a file. The victim transmits the file along with the ransom money; the virus writer is then able to recover the unique secret key without revealing their private key.

  • Hardware mechanisms can be used. Some ATA hard drives have a rarelyused feature which allows their contents to be password-protected, rendering the contents unusable even if the computer is booted from different media.

A cryptovirus can set this hard drive password if the feature is available. This can be used in conjunction with the randomly-generated unique key scheme above, but the cryptovirus couldn't store the encrypted secret key file on the encrypted hard drive.

If no other writable media is available, the cryptovirus could simply display the encrypted secret key on the screen for the victim to write down.

Both options avoid the virus writer needing a different public/private key pair for each new infection, lest a victim pay the ransom and publish the private decryption key for other victims as a public service. There are only a few known instances of malware using encryption for extortion.

The AIDS Trojan horse of 1989 was sent on floppy disks, mass-mailed worldwide via regular postal mail. It was an informational program relating to the (human) AIDS virus, released under a curious software license.

The license gave it leave to render a computer inoperable unless the user paid for the software ($189 or $378, depending on the leasing option). It was true to its word: after approximately 90 reboots, the Trojan encrypted filenames using a simple substitution cipher.

More recently, the PGPCoder Trojan encrypted files with specific filename extensions, roughly corresponding to likely user document types. A text file was left behind in each directory where files were encrypted, with instructions on how to buy the decryptor: a bargain at $200.