Malware Triangle

kurt wismer said:
Ant wrote:
[snip]
While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it,

Well you can, in a way. It's a set of instructions to tell a browser
what to do, and is rather like a script to be interpreted. So you
could call the markup in a document a program for displaying that
document.
it's not a programming language... period...

Not in the classical sense, and I'd prefer not to call it one.
an html document can act as a container, so can a zip file... that
doesn't make html a programming language anymore than it makes winzip a
compiler...

Opening a zip file with Winzip doesn't cause its content to be
executed; whereas opening an html file with a browser may (depending
on what it contains, and your configuration).
 
Richard S. Westmoreland said:
But HTML isn't even why I put Spam on the triangle. Even 100% harmless (in
content) spam, is still a threat to Availability, which is 1 of the three
pillars of Security.

Then instead of spam you should have any form of DoS. Spam clogs the arteries and performs a denial of mail service like
any other flooder - and it is the flooder, not the flood, that is (or could be considered) the malware. I'm sure the users of
spam programs don't consider it malware. Flooders are only one kind of DoS, and some exploit code is only to perform
DoS but not do much else. Some threats come in as "code" and some as "data"; that is to say, the "code" is data that is
expected to be executed and "data" is data that is not. When data that is not expected to be executed ("data") gets
executed, it is both an ingress threat (incoming exploit data) and an internal threat (broken program mishandling the data).
"Code" is an ingress threat only, because it is "supposed" to execute - there is nothing "broken".

Some spyware is not malware, but a useful security tool. Some adware is not malware, but a useful advertising method
for ad-supported programs. Worms and viruses are always malware in the current sense, and trojans are deceitful, so they
could be considered malware despite what functions they might perform.

In the end, I have to say that your triangle needs a new name, and it may be futile to insist on there being tangible
relationships between the items comprising it - for example, in many ways worms and viruses are identical from
your perspective because they enter (somehow) and execute somehow and can bring any other programmatic
function with them.
 
Richard said:
Would you say that all software = programs?

with a suitably broad definition of program (ie. not constrained to exe
and com files), yes that is the convention i follow...

once upon a time software was everything that wasn't hardware...
nowadays when talking about a system we consider a number of things
that weren't considered back then so the convention has moved away from
using 'software' as a catch-all term...
 
Jack said:
kurt wismer wrote:

y'know it would be nice if you marked where you snipped so that readers
might see that there is context (possibly relevant, possibly not) that
is no longer present...
Well, it's really language that is democratic.

conversational language is, yes... technical terminology, not so much...
If you use words in the
manner of Humpty Dumpty, communication failures are guaranteed. Humpty
Dumpty was in error; the meaning of a word arises from consensus - it
means what most well-informed people think it means, at any particular
time, and not what Humpty Dumpty chooses for it to mean.

unfortunately there are enough not-so-well-informed people involved
that the well-informed ones don't form the majority... further to that
the well-informed ones often have better things to do than wrangle with
the unwashed masses over every single instance of a misused term from
their field of expertise...

you should hear some of the crazy definitions i've heard for 'computer
virus'... and some of them from people who actually do have technical
knowledge (from a field other than computer viruses)...
Wrong. We were recently informed of a security alert involving malicious
images, that can cause a buffer-overflow in Internet Explorer. That is
an example of malicious data.

it is said that all programs are also data, but not all data can be
considered a program... my mistake for not being specific enough when i
meant pure (non-programmatic) data... i guess i thought the context i
was using made it clear what kind of data i was referring to...

consider this example carefully - a buffer overflow does what, exactly?
a successful exploit causes a vulnerable application to *execute*
_code_ that it should not have executed... that is not an example of
pure data...
 
Jack wrote:
[snip]
Email is safest with HTML rendition disabled.

Do you disagree?

no disagreement here... but not because html is a threat, rather
because html rendering typically includes a bunch of other things
unrelated to pure html... if there were a rendering engine that *only*
rendered plain old html then it would be about as big a security risk as
an xml parser (which are not totally safe, but what is)...
 
Richard S. Westmoreland wrote:
[snip]
For the sake of the critique, let's
all pretend that Spam is both Malware and a Threat (security or resource).
Accepting that, would you agree with the way the Triangle is laid out? Do
you think this triangle can be useful in any way?

no... i criticized practically every relationship depicted there and so
far the only criticism that has been contentious was whether or not
spam qualified as malware...
 
Richard said:
I would consider that a threat to the Availability of incoming email, yes.

you might as well call it a threat to the pleasurability of incoming
email...

it's not a security issue unless you construct a system where a
particular email address is part of the critical security
infrastructure... which would be dumb... otherwise, not being able to
properly use email address A is a convenience/cost issue, not a security
issue...
 
Richard S. Westmoreland wrote:
[snip]
Is DoS (regardless if it was intentional) a security threat or a resource
threat?

it's always a resource threat... it may also be a security threat
depending on the resource it's threatening...
 
Richard said:
You may have already commented on this earlier in the thread - but would you
classify a JPEG using the GDI+ exploit as malware?

a container of malware, possibly...
If not, would you classify a VBS script as malware?

since scripts are programs, if the vbs script does something malicious
it is definitely malware...
Would you classify a Macro (virus?) as malware?

since macros are programs, if the macro does something malicious it is
definitely malware...
 
Richard S. Westmoreland wrote:
[snip]
Based on what a few others are saying, a VBS Script would not be a program
because it is just data that is being interpreted by another program

then you're misinterpreting what those others are saying or those
others don't know what they're talking about... vbs is a programming
language, ergo vbs files are programs...
- after
all they are just ascii text files.

technically they're more than just a text file... they are the subset
of ascii text files that contain one or more vbs instructions and can
be successfully interpreted by a vbs interpreter...
 
Richard said:
I see what's going on here. On one side we have Systems Administrators
that deal with these malware/exploits/threats on a regular basis, arguing
that Spam is indeed malware (or at least a threat). Then on the other side
we have Programmers and Developers that deal with the code on a regular
basis (hopefully not writing viruses!). So it's basically "real world
experience" fighting against "text book education" (only in reference to
dealing with the systems part first hand - programmers have just as much
real world experience, just at a different level).

gosh, somehow i just don't fit into either of those pigeonholes... i
have the textbook education *and* 15 years of experience helping people
get rid of viruses...
 
Some adware is not malware, but a useful advertising method
for ad-supported programs

No, adware is a plague on the world. I can't think of anyone that would
rather have ads if they had a choice :)
 
Ant said:
kurt wismer said:
Ant wrote:
[snip]
While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

shame on you... if you can't make a program with it,


Well you can, in a way. It's a set of instructions to tell a browser
what to do, and is rather like a script to be interpreted.

i'm unaware of any html tags that tell a browser what to do... html
tags are not instructions... they tell a browser where things go and
what properties those things have... they even tell a browser where
additional resources (images, etc) can be found... but that's not the
same as telling the browser what to do...
So you
could call the markup in a document a program for displaying that
document.

and that would make xml a programming language...

[snip]
Opening a zip file with Winzip doesn't cause its content to be
executed; whereas opening an html file with a browser may (depending
on what it contains, and your configuration).

there have been versions of zip file unpackers which did execute things
they unpacked... i think that's mostly been fixed for some time (like
maybe a decade or so - maybe less)...
 
Roger said:
Then instead of spam you should have any form of DoS.

except that his diagram showed agents (viruses, worms, spyware, etc),
and a DoS is an effect rather than an agent...
 
Maybe we should rename this thread the "Malware Octopus" since it's got
tentacles all over the place?

When they taught me how to fight fires in the service they talked about
the fire triangle, it was simple Fuel, Heat, Oxygen - take away any one
and you can't have fire.

In security, with the many different angles/types/levels, there is
nothing as simple as a triangle that can represent all of the threat
types and their transports.

I could see something more in the order of an octagon, but not anything
as simple as a triangle.
 
Leythos said:
No, adware is a plague on the world. I can't think of anyone that would
rather have ads if they had a choice :)

[raises hand]

i have, in the past, intentionally installed software that displayed
advertisements... free isps (when there were such a thing) generally
made their money off advertising served by proprietary dial up
connection software...

also, the free version of opera has advertising in it... icq has
advertising in it... some of the more recent versions of the divx codec
were bundled with gator, for crying out loud... i could go on...
 
Leythos said:
Maybe we should rename this thread the "Malware Octopus" since it's got
tentacles all over the place?

When they taught me how to fight fires in the service they talked about
the fire triangle, it was simple Fuel, Heat, Oxygen - take away any one
and you can't have fire.

In security, with the many different angles/types/levels, there is
nothing as simple as a triangle that can represent all of the threat
types and their transports.

I could see something more in the order of an octagon, but not anything
as simple as a triangle.

well, if you want something like that fire triangle for malware it's
actually pretty simple...

computer, user, connectivity...

the OP's triangle isn't like your fire triangle, though... the entities
weren't interdependent, they were interrelated... however the
relationships between various forms of malware aren't so easy to depict
graphically...
 
also, the free version of opera has advertising in it... icq has
advertising in it... some of the more recent versions of the divx codec
were bundled with gator, for crying out loud... i could go on...

And that doesn't make it proper or right. I quit using Opera because of
that. I also don't use codecs that have SPYWARE in them. I even block
most gator servers - at least the ones that I can find.
 
Leythos said:
And that doesn't make it proper or right. I quit using Opera because of
that. I also don't use codecs that have SPYWARE in them. I even block
most gator servers - at least the ones that I can find.

previously you said you couldn't think of anyone who would rather have
ads if they had the choice... i'm merely pointing out to you that there
is in fact a working business model that allows people to choose
between paying money and looking at ads and some people choose looking
at ads...
 
kurt wismer said:
Richard S. Westmoreland wrote:
[snip]
For the sake of the critique, let's
all pretend that Spam is both Malware and a Threat (security or
resource).
Accepting that, would you agree with the way the Triangle is laid out?
Do
you think this triangle can be useful in any way?

no... i criticized practically every relationship depicted there and so
far the only criticism that has been contentious was whether or not
spam qualified as malware...

Yes, I remember you saying something about viruses, worms, spyware, were all
trojans (did I get that right?).

So let's put the Spam issue aside for now and look at that. Let's try to
clearly define them.

Virus:
Executable code that injects itself into other executable code as a
means of replicating itself. It executes without user intervention. When
the infected executable code is run, it then starts the process over. This
includes EXEs, BATs, VBSs, Macros, Boot Sectors, etc. The primary damage is
to the Integrity of the system (since code has been tampered with).

Worm:
Executable code that creates copies of itself. Its execution requires
user intervention. It spreads itself to other locations, i.e. file shares,
or via smtp to people's email addresses, or just other folders. Both
integrity and availability have been damaged (since the worm has infiltrated
the file system and also taken up resources).

Spyware:
Executable code that does not create copies of itself. Its execution
may or may not require user intervention. It typically stays as a single
copy. The sole purpose of spyware is to gather information about the user's
computer system and his/her activities. The primary damage is to
confidentiality.

Trojan:
Executable code that does not create copies of itself, but tends to work
in conjunction with viruses (which drop them). Trojans tend to mimic
legitimate programs to avoid detection. They open remote access to an
attacker or other automated program to pass commands to the system. Both
integrity and confidentiality have been damaged (since the trojan is posing
as a legitimate program and also allowing unauthorized access to the system).

Is there any fault in these definitions?

Rick
 