By Steve Hardwick, CISSP
In an allied article, I outline some of the best practices to evaluate antivirus programs. But what are the key elements needed for a virus attack?
Motive. The two predominant motives today are financial and political. In the financial case hackers can either gain direct results or indirect results. Direct would be in the case of ransomeware, the hacker receives payment directly from the target. Indirect would involve either selling information garnered from an attack, or simply renting out the compromised machine. There are many site on the Dark Web that provide markets for stolen credit cards, or just the sale of bot nets.
There is a lot of evidence that viruses are used for political purposes. Perhaps the most famous is Stuxnet. These types of viruses, they tend to be very sophisticated and difficult to detect and remove
Means. A virus needs a place to penetrate the operating system or applications to infect it. The hacker will review the detailed operation of these pieces of software and determine a method to circumvent their normal operation. This is an exploit. For an exploit to work, the compromised software must be on the machine. In many cases unpatched software can exist on machines for months. This leaves a fertile ground for the hackers. A significant portion of new viruses are merely varietals of a previous one continuing to use an existing exploit.
Opportunity. Since the virus is essentially a program in its own right, it must be downloaded and installed on the target computer. The first part is downloading the virus. There are several ways to do this. The easiest is to have the user do it through a click on something in a webpage. Email attachments are also virus vectors.
Conversely, the virus can go from one machine to the next via wireless networks or bluetooth connections. Once the program is on the machine, it needs to be installed and activated. This part is can either be done in background, especially on Windows systems. Or the user can be tricked into installing the program as it hides inside another program, a method known as a Trojan horse.
Good anti-virus programs prevent the means and opportunity, so malware cannot exploit them. Some exploits, especially in applications, may be independent of the operating system. As new exploits are discovered, the anti-virus application must also adapt. This is also true of the second function the anti-virus will perform. It will examine various files, often as they are downloaded, to detect viral payloads. The program is looking for patterns, or signatures, in the data that denote a virus. Typically the program will use a library of signatures, or dictionary, to scan for malicious content. Since it is constantly looking for viruses the program is running continuously.
Once a virus is discovered it needs to be removed. Some complex malware involves intricate steps to disable and remove it. More importantly, once the virus has been discovered it must be prevented from doing any more harm. This is quarantining. Having the ability to quarantine and then safety remove the malware is a critical attribute of any solution.