Malware Triangle

[Norman L. DeForest]

On Wed, 24 Nov 2004, Leythos wrote:
[snip]

When it comes to security I don't have a problem with HTML directly, I
have a problem with applications that do not properly act on HTML
information where the application is compromised by poor coding of the
APPLICATION, not with HTML.

We agree that HTML email and sites can expose users to risks, but the
real exposure is not HTML, it's the exposure of using a flawed
application in the first place. Blame the program, not the text file it
reads.

It's not just application programs that can have flaws but also hardware
(OK, hardware based on built-in firmware).

Remember when including the string, "+++" in a message was able to knock
some people offline? Could that string be considered to be malware?

 

[Richard S. Westmoreland]

you might as well call it a threat to the pleasurability of incoming
email...

it's not a security issue unless you construct a system where a
particular email address is part of the critical security
infrastructure... which would be dumb... otherwise, not being able to
properly use email address A is convenience/cost issue, not a security
issue...

Security is not just about keeping unauthorized people and programs from
accessing your systems, or making sure that data stays intact. It's also
about keeping that data available to your users. How can I do work if I
can't get to my own data. If it takes me more time to get to the legitimate
email, then that is hurting availability. So far just an inconvenience.
But if my mail server freezes up because of too much incoming spam, or my
antispam blocks an important email because of a false positive, then that
really hurts my availability.

Maybe you guys work at companies where email is for occasional
communications or just casual non-work-related chat, or maybe you just
haven't been hit hard with spam - but at my company the email system is
VITAL. We've almost lost clients because their emails (containing sensitive
information) didn't get to us because of over-zealous filters, and we didn't
find out until weeks later.

Rick

 

[Richard S. Westmoreland]

In the end, I have to say that your triangle needs a new name,

Originally I called this the "Internet Threats Triangle". I posted this
same critique request on a discussion forum I'm a member of, and the main
argument was that there are more Internet threats than what I had on that
diagram. My argument was that I'm only looking at the objects that can
cause harm - not password policies, ping sweeps, or script kiddies, etc.
They pointed out that what I was really refering to was what they tend to
group as Malware. So I considered that and renamed it the Malware Threats
Triangle because that made sense to me.

The triangle started out as scribbles. I took the 3 problems I deal with on
a regular basis, and that my site was designed for. Viruses, Spam, and
Spyware. I realized that these had characteristics that I thought related
to other blended threats (which is still up for debate) - Worms, Adware, and
Trojans. I added Phishing and Zombies soon after. Once I did this, I
noticed that the proximity of these threats formed their own triangles that
were solved by the 3 solutions - Antivirus, Antispam, Antispyware.

With the exception of 1 person that has contributed to this thread, everyone
has agreed about the associations between the primary threats (the 3 corners
of the triangle) and the blended threats that fall between. The biggest
objection so far is identifying emails as software.

So really that is all I'm looking for - a classification of this triangle.

Rick

 

[Bart Bailey]

Trojan:
An executable code that does not create copies of itself, but tends to work
in conjunction with viruses (which drop them). Trojans tend to mimick
legitimate programs to avoid detection. They open remote access to an
attacker or other automated program to pass commands to the system. Both
integrity and confidentiality has been damaged (since the trojan is posing
as legitimate programs and also allowing unauthorized access to the system).

Is there any fault in these definitions?

I think of "trojans" as merely a surreptitious vector method, rather
than any executable code, but it's such a catchy term it gets applied to
almost as many situations as the term virus. <g>

 

[Leythos]

Maybe you guys work at companies where email is for occasional
communications or just casual non-work-related chat, or maybe you just
haven't been hit hard with spam - but at my company the email system is
VITAL. We've almost lost clients because their emails (containing sensitive
information) didn't get to us because of over-zealous filters, and we didn't
find out until weeks later.

But you're talking two different things here - filters and spam have
only a little to do with each other. Filters are needed because of spam,
but spam did not keep you from getting the email. We NEED email to
communicate with clients, but, as much as you may not like it, spam,
even in mass bombing, is not a security threat when it fills your pipe
or email box to the limit, it's merely a resource abuse. If the spam
email's contain no malicious content, are just plain text, then they are
no different than any other form of email. What if you looked at it like
this - your email account permits 10MB of email (I know that's small),
and you have 30 clients each sending you 1MB of email every 2 hours, but
you only check your email every 2 hours - chances are that some email
will bounce, and that's not due to a virus - it's a resource problem.

 

[Leythos]

My argument was that I'm only looking at the objects that can
cause harm - not password policies, ping sweeps, or script kiddies, etc.
They pointed out that what I was really refering to was what they tend to
group as Malware. So I considered that and renamed it the Malware Threats
Triangle because that made sense to me.

You say "I'm only looking at the objects that can cause harm" and then
you exclude items that can cause harm?

 

[Leythos]

Remember when including the string, "+++" in a message was able to knock
some people offline? Could that string be considered to be malware?

No, it was an exploit.

 

[Richard S. Westmoreland]

You say "I'm only looking at the objects that can cause harm" and then
you exclude items that can cause harm?

Which objects am I missing?

Rick

 

[Leythos]

Which objects am I missing?

You excluded the other items that can cause a system hard - right in the
post you made - "not password policies, ping sweeps, or script kiddies,
etc."

All of those things are part of malware and security threats.

 

[Leythos]

You excluded the other items that can cause a system hard - right in the
post you made - "not password policies, ping sweeps, or script kiddies,
etc."

All of those things are part of malware and security threats.

Sorry, need to watch what I type "can cause a system HARM" not hard

 

[Richard S. Westmoreland]

Sorry, need to watch what I type "can cause a system HARM" not hard

I was thinking that must be some new technical term I haven't heard before.
:-D

What I mean by objects is "files" - since I'm trying to exclude data from
the definition of software for the sake of the discussion, it's hard for me
to express what I'm thinking.

Rick

 

[Leythos]

What I mean by objects is "files" - since I'm trying to exclude data from
the definition of software for the sake of the discussion, it's hard for me
to express what I'm thinking.

Rick, rather than try and isolate a minimal set of threats to three
sides of a triangle, how about listing all the known threats by type,
after you get all known types of threats, you can list them in a octagon
and then label one side UNKNOWNS.

 

[Ant]

i'm unaware of any html tags that tell a browser what to do... html
tags are not instructions... they tell a browser where things go and
what properties those things have... they even tell a browser were
addition resources (images, etc) can be found... but that's not the
same as telling the browser what to do...


and that would make xml a programming language...

and some people would call it that.

there have been versions of zip file unpackers which did execute things
they unpacked... i think that's mostly be fixed for some time (like
maybe a decade or so - maybe less)...

When you unpack a zip file you don't expect execution of content. When
you render html containing embedded scripts, you may.

 

[kurt wismer]

Security is not just about keeping unauthorized people and programs from
accessing your systems, or making sure that data stays intact. It's also
about keeping that data available to your users. How can I do work if I
can't get to my own data. If it takes me more time to get to the legitimate
email, then that is hurting availability. So far just an inconvenience.
But if my mail server freezes up because of too much incoming spam, or my
antispam blocks an important email because of a false positive, then that
really hurts my availability.

Maybe you guys work at companies where email is for occasional
communications or just casual non-work-related chat, or maybe you just
haven't been hit hard with spam - but at my company the email system is
VITAL. We've almost lost clients because their emails (containing sensitive
information) didn't get to us because of over-zealous filters, and we didn't
find out until weeks later.

hold on, what kind of security are we focusing on here? i thought we
were interested in computer security, not business security... look
availability *can* be a security issue, but it isn't automatically a
security issue... it depends on what kind of security we're talking
about and the kind of asset/resource whose availability is in
question... otherwise someone call the cops, the availability of sexy
naked ladies in my bedroom isn't high enough so there must have been a
security breach...

 

[GEO Me]

I don't really care about the HTML, I think someone else in the thread
steered the debate in that direction.
========

Jack:
That is arguable. HTML spam contains HTML, which is a language, and
therefore it could be said to be software. If it contains 1x1-pixel
'web-bugs', it is spyware. If the spam is designed for no other purpose
than address-verification, as some spam is, then it's an element of a
hacking system.
But I don't personally see the 'triangle' as a particularly useful way
of modelling internet threats; I can't see what new insights it throws up.

========

Geo

 

[Richard S. Westmoreland]

hold on, what kind of security are we focusing on here? i thought we were
interested in computer security, not business security... look
availability *can* be a security issue, but it isn't automatically a
security issue... it depends on what kind of security we're talking about
and the kind of asset/resource whose availability is in question...

Here is a very good summary of the three:

http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

And another good source:

http://www.informit.com/guides/content.asp?g=security&seqNum=5

Which includes the following diagram:

http://www.informit.com/content/ima..._fogie/elementLinks/peikari_secguide_fig2.gif

Rick

 

[kurt wismer]

Richard S. Westmoreland wrote:
[snip]

For the sake of the critique, let's
all pretend that Spam is both Malware and a Threat (security or
resource).
Accepting that, would you agree with the way the Triangle is laid out?
Do
you think this triangle can be useful in any way?

no... i criticized practically every relationship depicted there and so
far the only criticism that has been contentious was whether or not
spam qualified as malware...

Yes, I remember you saying something about viruses, worms, spyware, were all
trojans (did I get that right?).

no, i think someone else said that... however they can all fall under
the classification of trojan under the right circumstances...

So let's put the Spam issue aside for now and look at that. Let's try to
clearly define them.

Virus:
An executable code that injects itself into other executable codes as a
means of replicating itself.

'inject' isn't right... overwriting infectors don't inject their code
into a host (that would be like trying to shoot up with a sledge
hammer)... neither to companion infectors...

It executes without user intervention.

not necessarily... more often than not it will not run until the user
runs it...

[snip]

Worm:
An executable code that creates copies of itself. It's execution requires
user intervention.

not necessarily - blaster didn't require user intervention... nor did
slammer...

It spreads itself to other locations, i.e. file shares,
or via smtp to people's email addresses, or just other folders.

not all of them spread themselves to locations in the sense that most
people would expect... for example, slammer never got written to disk
(except maybe in the swap space)...

[snip]

Spyware:
An executable code that does not create copies of itself.

not necessarily - you're assuming mutual exclusivity between malware
sets for no good reason...

[snip]

Trojan:
An executable code that does not create copies of itself, but tends to work
in conjunction with viruses (which drop them).

ummm, no... trojan horse programs predate viruses by a wide margin,
they don't need to be dropped by them...

Trojans tend to mimick
legitimate programs to avoid detection.

?? that's pretty fuzzy, what exactly do you mean?

They open remote access to an
attacker or other automated program to pass commands to the system.

absolutely not - i already covered this the first time... you're
thinking of just one subset of trojans (remote access trojans)...

[snip]

Is there any fault in these definitions?

lots...

a virus is a self-replicating program that attaches itself to a host
program in such a way that when an attempt is made to execute the host,
the virus is executed as well as or instead of the host...

a worm is a self-replicating program that doesn't necessarily attach
itself to a host program (but some can - see klez.h)...

spyware is software that surreptitiously sends personal data about a
victim to a remote party...

a trojan is any program that does something undesirable as well as or
instead of the desirable thing the user was expecting it to do...

there is nothing that says any of these sets of objects are disjoint -
viruses and worms overlap in practice (and even in theory, the
mathematical definition of virus included worms), there have been
viruses that send personal information (pgp keys, keystroke logs, etc)
back to a remote party, and it seems pretty obvious that a virus
infected program can qualify as a trojan...

 

[kurt wismer]

Richard S. Westmoreland wrote:
[snip]

So really that is all I'm looking for - a classification of this triangle.

what puzzles me is why the fact that you're still looking hasn't made
you more suspicious about the validity of results...

if there was a clear-cut classification it should be fairly obvious -
that it is not should suggest that something is wrong and somehow those
things do not belong together the way you have arranged them...

 

[kurt wismer]

Here is a very good summary of the three:

http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

And another good source:

http://www.informit.com/guides/content.asp?g=security&seqNum=5

Which includes the following diagram:

http://www.informit.com/content/ima..._fogie/elementLinks/peikari_secguide_fig2.gif

ok, finally we're getting somewhere...

you're talking about information systems security...

malware is actually just a small part of the picture for information
systems security (as the second link rightfully indicates)... malware
is a computer security threat and it is part of ISS because information
systems generally rely on computers... spam can also be an ISS issue
(depending on the information system), but that doesn't make it a
computer security threat, and it certainly doesn't make it malware...

to include spam in the class of malware because it affects the
available of the email service necessitates calling unwanted packets in
an actual DoS malware also... we can't call everything that gets in the
way of us doing our jobs 'malware'... i'm ok with calling spam
generating software 'malware', but the spam itself is just the means by
which it exacts it's malice...

 

[kurt wismer]

The <script> tag says "here's a script, you can run it if you like".

that's an embellishment... it says "here's a script", i'll give you
that, but that's about it...

markup languages don't tell their associated readers what to do, they
label various sections of data in a document as being of type X and/or
having property Y... the associated reader decides what to do with the
data in part based on the semantic meaning those labels (or tags)
add... tags don't instruct, they describe...

[snip]

When you unpack a zip file you don't expect execution of content. When
you render html containing embedded scripts, you may.

only because the convention for 'rendering html' in practice includes
handing scripts and other embedded objects off to their associated
handlers/subsystems/etc in addition to straight html rendering...