Malware Triangle

Discussion in 'Computer Security' started by Richard S. Westmoreland, Nov 19, 2004.

  1. I have developed a new theorem on the associations of the various malware we
    deal with on a regular basis. It started out as a way to classify the
    primary Internet threats, such as viruses, spam, and spyware, and then I
    realized that the other threats were just blended characteristics of those
    3. Then once this was mapped out on the triangle, I saw another
    association - 3 smaller triangles formed the solutions that combat those
    threats - antivirus, antispam, and antispyware. They tend to overlap.

    I have been studying another triangle - the 3 pillars of security
    (Confidentiality, Integrity, and Availability), and notice that those match
    up with the Malware Triangle. (That comparison is not on the site yet)

    Please share your opinions/comments on this:

    http://www.antisource.com/staticpages/index.php/malware-triangle

    It's a work in progress - I still have to add a better demonstration of
    images and go into more depth on the description.

    --
    Richard S. Westmoreland
    http://www.antisource.com
    Richard S. Westmoreland, Nov 19, 2004
    #1

  2. Richard S. Westmoreland

    optikl Guest

    Richard S. Westmoreland wrote:
    > I have developed a new theorem on the associations of the various malware we
    > deal with on a regular basis. It started out as a way to classify the
    > primary Internet threats, such as viruses, spam, and spyware, and then I
    > realized that the other threats were just blended characteristics of those
    > 3. Then once this was mapped out on the triangle, I saw another
    > association - 3 smaller triangles formed the solutions that combat those
    > threats - antivirus, antispam, and antispyware. They tend to overlap.
    >
    > I have been studying another triangle - the 3 pillars of security
    > (Confidentiality, Integrity, and Availability), and notice that those match
    > up with the Malware Triangle. (That comparison is not on the site yet)
    >
    > Please share your opinions/comments on this:
    >
    > http://www.antisource.com/staticpages/index.php/malware-triangle
    >
    > It's a work in progress - I still have to add a better demonstration of
    > images and go into more depth on the description.
    >

    I like your thought process, but I'm not sure I agree 100% with your thesis.

    1. Why is Spam considered malware? Spam might be a vector for malware
    (some malware even spreads Spam) and is clearly a nuisance, but I
    wouldn't call Spam in and of itself malware. It's not a program, for
    one. Definition: (mal´wãr) (n.) Short for malicious software, software
    designed specifically to damage or disrupt a system, such as a virus or
    a Trojan horse.

    2. Why are Zombies and Trojans considered to be a synthesis of Viruses
    and Spyware? Or, is that how you mean this? Can you elaborate on your model?
    optikl, Nov 19, 2004
    #2

  3. "optikl" <> wrote in message
    news:JLtnd.69755$5K2.49854@attbi_s03...
    > I like your thought process, but I'm not sure I agree 100% with your
    > thesis.
    >
    > 1. Why is Spam considered malware? Spam might be a vector for malware
    > (some malware even spreads Spam) and is clearly a nuisance, but I
    > wouldn't call Spam in and of itself malware. It's not a program, for
    > one. Definition: (mal´wãr) (n.) Short for malicious software, software
    > designed specifically to damage or disrupt a system, such as a virus or
    > a Trojan horse.
    >
    > 2. Why are Zombies and Trojans considered to be a synthesis of Viruses
    > and Spyware? Or, is that how you mean this? Can you elaborate on your model?


    I agree on the malware definition - but once I had the triangle setup, it
    was hard to separate it from the rest of the threats. Originally I called
    this the Internet Threats Triangle - but someone pointed out that there are
    more than just those 3 primary threats, what about Hackers, and password
    policies, power outages, etc. So I caved in and changed it to Malware
    Threats Triangle. I might make an exception on the definition of Malware -
    perhaps Spam should be considered malware, because it does use an electronic
    medium to invoke disruption within the 3 pillars of security.

    Viruses disrupt Integrity - they are meant to change or delete the data.
    Spyware disrupts Confidentiality - they steal private information to be used
    against you. I think Trojans/Zombies fall between these two extremes
    because they do replace files or at least mock other legitimate files, while
    also opening up the machine for remote control/access.

    --
    Richard S. Westmoreland
    http://www.antisource.com
    Richard S. Westmoreland, Nov 19, 2004
    #3
  4. You discuss this like some discuss religion -- "the three pillars of...." :)

    Maybe your geometry is off and a triangle is not a good model.
    Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
    equation.

    Dave



    "Richard S. Westmoreland" <> wrote in message
    news:...
    | I agree on the malware definition - but once I had the triangle setup, it
    | was hard to separate it from the rest of the threats. Originally I called
    | this the Internet Threats Triangle - but someone pointed out that there are
    | more than just those 3 primary threats, what about Hackers, and password
    | policies, power outages, etc. So I caved in and changed it to Malware
    | Threats Triangle. I might make an exception on the definition of Malware -
    | perhaps Spam should be considered malware, because it does use an electronic
    | medium to invoke disruption within the 3 pillars of security.
    |
    | Viruses disrupt Integrity - they are meant to change or delete the data.
    | Spyware disrupts Confidentiality - they steal private information to be used
    | against you. I think Trojans/Zombies fall between these two extremes
    | because they do replace files or at least mock other legitimate files, while
    | also opening up the machine for remote control/access.
    |
    | --
    | Richard S. Westmoreland
    | http://www.antisource.com
    |
    |
    David H. Lipman, Nov 19, 2004
    #4
  5. Richard S. Westmoreland

    GEO Guest

    On Fri, 19 Nov 2004 22:21:22 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >You discuss this like some discuss religion -- "the three pillars of...." :)
    >
    >Maybe your geometry is off and a triangle is not a good model.
    >Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
    >equation.
    >


    Like in...
    'The Seven Pillars of Wisdom'
    by Lawrence of Arabia


    Geo
    GEO, Nov 20, 2004
    #5
  6. Richard S. Westmoreland

    kurt wismer Guest

    Richard S. Westmoreland wrote:

    > I have developed a new theorem on the associations of the various malware we
    > deal with on a regular basis. It started out as a way to classify the
    > primary Internet threats, such as viruses, spam, and spyware, and then I
    > realized that the other threats were just blended characteristics of those
    > 3. Then once this was mapped out on the triangle, I saw another
    > association - 3 smaller triangles formed the solutions that combat those
    > threats - antivirus, antispam, and antispyware. They tend to overlap.
    >
    > I have been studying another triangle - the 3 pillars of security
    > (Confidentiality, Integrity, and Availability), and notice that those match
    > up with the Malware Triangle. (That comparison is not on the site yet)
    >
    > Please share your opinions/comments on this:


    well, on the positive side i like the number 3...

    other than that the relationships seem to be overly simplistic or in
    some cases just plain wrong...

    for example, spam doesn't belong anywhere near a malware diagram... it
    is not a threat to anything other than your time and/or your pocketbook
    (if you happen to get suckered into buying something)... in the grander
    sense i suppose it's also a threat to the usefulness of email in
    general, but it's no more a threat than being exposed to advertising on
    tv or in a magazine or on the side of the highway...

    then there's this supposed relationship between spyware and adware,
    only they aren't related... adware, by its very nature, 'advertises'
    its presence and its actions while spyware does pretty much the
    opposite... their only real commonality is that they're both (usually)
    non-replicating malware... by the way, adware doesn't necessarily
    gather any information, that's more of a spyware trait - any adware
    that does so happens to also be spyware...

    phishing is spam with spyware-like intent but that's about as close as
    it gets...

    this juxtaposition of "zombie" and "trojan" seems pretty telling as to
    what you think trojans are supposed to be, but i assure you the class
    is much broader than just remote administration tools... furthermore
    RAT's are not closely related to either viruses or spyware - the
    distinguishing characteristic of spyware is that it surreptitiously
    sends information to a 3rd party (effectively providing a one-way
    transmission) whereas a RAT allows the 3rd party to control the pc
    (which is a 2-way transmission or at the very least a one-way
    transmission in the opposite direction)... the distinguishing
    characteristic of a virus is that it self-replicates however there
    aren't that many self-replicating RATs....

    the relationship between worms and viruses is another misfire as one is
    generally considered to be a subset of the other (though which is the
    subset and which is the superset is debatable)... worms are definitely
    not viruses + spam... there's even a good argument to be made for virus
    = worm...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 20, 2004
    #6
  7. Richard S. Westmoreland

    kurt wismer Guest

    Richard S. Westmoreland wrote:
    [snip]
    > I agree on the malware definition - but once I had the triangle setup, it
    > was hard to separate it from the rest of the threats.


    you're letting your supposed pattern dictate your definitions - it's
    supposed to be the other way 'round...

    > Originally I called
    > this the Internet Threats Triangle - but someone pointed out that there are
    > more than just those 3 primary threats, what about Hackers, and password
    > policies, power outages, etc. So I caved in and changed it to Malware
    > Threats Triangle. I might make an exception on the definition of Malware -
    > perhaps Spam should be considered malware, because it does use an electronic
    > medium to invoke disruption within the 3 pillars of security.


    all malware is software (that's where the 'ware' part of malware comes
    from), spam is not software, therefore spam is not malware...

    > Viruses disrupt Integrity - they are meant to change or delete the data.
    > Spyware disrupts Confidentiality - they steal private information to be used
    > against you. I think Trojans/Zombies fall between these two extremes
    > because they do replace files or at least mock other legitimate files, while
    > also opening up the machine for remote control/access.


    no, the thing that falls in the middle between viruses and spyware are
    viruses that steal private information (like caligula, the macro virus
    that stole pgp keys)...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 20, 2004
    #7
  8. Richard S. Westmoreland

    Rodney Kelp Guest

    Don't forget Homeland Security. They can use any tool at their discretion
    without court order to scan, spy and invade you. Everyone is a potential
    terrorist threat.


    "Richard S. Westmoreland" <> wrote in message
    news:...
    > I have developed a new theorem on the associations of the various malware we
    > deal with on a regular basis. It started out as a way to classify the
    > primary Internet threats, such as viruses, spam, and spyware, and then I
    > realized that the other threats were just blended characteristics of those
    > 3. Then once this was mapped out on the triangle, I saw another
    > association - 3 smaller triangles formed the solutions that combat those
    > threats - antivirus, antispam, and antispyware. They tend to overlap.
    >
    > I have been studying another triangle - the 3 pillars of security
    > (Confidentiality, Integrity, and Availability), and notice that those match
    > up with the Malware Triangle. (That comparison is not on the site yet)
    >
    > Please share your opinions/comments on this:
    >
    > http://www.antisource.com/staticpages/index.php/malware-triangle
    >
    > It's a work in progress - I still have to add a better demonstration of
    > images and go into more depth on the description.
    >
    > --
    > Richard S. Westmoreland
    > http://www.antisource.com
    >
    >



    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.799 / Virus Database: 543 - Release Date: 11/19/2004
    Rodney Kelp, Nov 20, 2004
    #8
  9. Richard S. Westmoreland

    Roger Wilco Guest

    "kurt wismer" <> wrote in message news:5AAnd.36628$...

    > the relationship between worms and viruses is another misfire as one is
    > generally considered to be a subset of the other (though which is the
    > subset and which is the superset is debatable)... worms are definitely
    > not viruses + spam... there's even a good argument to be made for virus
    > = worm...


    People have been equating virus to spam for some time now because of the e-mail vector worms they have to filter out
    of their e-mail stream. Both the spam and the worms share in the flooding effect although the filtering for each may be
    different. It's egocentric, but who can blame them for seeing these things only as they affect them.
    Roger Wilco, Nov 20, 2004
    #9
  10. Richard S. Westmoreland

    Jack Guest

    kurt wismer wrote:
    >
    > all malware is software (that's where the 'ware' part of malware
    > comes from), spam is not software, therefore spam is not malware...


    That is arguable. HTML spam contains HTML, which is a language, and
    therefore it could be said to be software. If it contains 1x1-pixel
    'web-bugs', it is spyware. If the spam is designed for no other purpose
    than address-verification, as some spam is, then it's an element of a
    hacking system.

    But I don't personally see the 'triangle' as a particularly useful way
    of modelling internet threats; I can't see what new insights it throws up.

    --
    Jack
    Jack, Nov 21, 2004
    #10
  11. Richard S. Westmoreland

    --Mike Guest

    "Roger Wilco" <> wrote in message
    news:...
    >
    > "kurt wismer" <> wrote in message news:5AAnd.36628$...
    >
    > > the relationship between worms and viruses is another misfire as one is
    > > generally considered to be a subset of the other (though which is the
    > > subset and which is the superset is debatable)... worms are definitely
    > > not viruses + spam... there's even a good argument to be made for virus
    > > = worm...
    >
    > People have been equating virus to spam for some time now because of the
    > e-mail vector worms they have to filter out of their e-mail stream. Both
    > the spam and the worms share in the flooding effect although the filtering
    > for each may be different. It's egocentric, but who can blame them for
    > seeing these things only as they affect them.
    >


    A Worm is not really a class of malware or threat. It suggests a type of
    behavior: self replicating/self e-mailing. Worm-type behavior can be a
    characteristic of almost any threat, whether it's a virus, trojan horse,
    spyware, adware, zombie, etc.

    --Mike
    --Mike, Nov 21, 2004
    #11
  12. Richard S. Westmoreland

    Roger Wilco Guest

    "--Mike" <> wrote in message news:zQ5od.253$%-kc.rr.com...
    >
    > "Roger Wilco" <> wrote in message
    > news:...
    > >
    > > "kurt wismer" <> wrote in message news:5AAnd.36628$...
    > >
    > > > the relationship between worms and viruses is another misfire as one is
    > > > generally considered to be a subset of the other (though which is the
    > > > subset and which is the superset is debatable)... worms are definitely
    > > > not viruses + spam... there's even a good argument to be made for virus
    > > > = worm...
    > >
    > > People have been equating virus to spam for some time now because of the
    > > e-mail vector worms they have to filter out of their e-mail stream. Both
    > > the spam and the worms share in the flooding effect although the
    > > filtering for each may be different. It's egocentric, but who can blame
    > > them for seeing these things only as they affect them.
    > >
    >
    > A Worm is not really a class of malware or threat. It suggests a type of
    > behavior: self replicating/self e-mailing. Worm-type behavior can be a
    > characteristic of almost any threat, whether it's a virus, trojan horse,
    > spyware, adware, zombie, etc.


    If the program self-replicates, it will be considered malware until someone actually does find the elusive "good virus" or
    "beneficial worm" program. Also bear in mind that the "benjamin" worm didn't send itself to other hosts, it only made itself
    highly available in shared infospace. Right on about worm being behavioral - and it is not always behavior that can be seen
    in the program code itself.
    Roger Wilco, Nov 21, 2004
    #12
  13. Richard S. Westmoreland

    kurt wismer Guest

    Jack wrote:
    > kurt wismer wrote:
    >
    >> all malware is software (that's where the 'ware' part of malware
    >> comes from), spam is not software, therefore spam is not malware...

    >
    > That is arguable. HTML spam contains HTML, which is a language, and
    > therefore it could be said to be software.


    english is a language, does that make the words coming out of my mouth
    software? no...

    html is a markup language, not a programming language...

    [snip]
    > But I don't personally see the 'triangle' as a particularly useful way
    > of modelling internet threats; I can't see what new insights it throws up.


    that much we agree on...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 22, 2004
    #13
  14. Richard S. Westmoreland

    Jack Guest

    kurt wismer wrote:
    > Jack wrote:
    >
    >> kurt wismer wrote:
    >>
    >>> all malware is software (that's where the 'ware' part of malware
    >>> comes from), spam is not software, therefore spam is not malware...

    >>
    >>
    >> That is arguable. HTML spam contains HTML, which is a language, and
    >> therefore it could be said to be software.

    >
    >
    > english is a language, does that make the words coming out of my mouth
    > software? no...
    >
    > html is a markup language, not a programming language...


    HTML can download and execute code. HTML can contain Javascript. HTML
    can be used to do things like hijacking your browser and installing
    trojans. English can't. HTML is much more like a programming language
    than English; and anyway, as far as discussion of malware is concerned,
    HTML spam can and does get used to access the victim's computer without
    authorisation.

    --
    Jack.
    Jack, Nov 22, 2004
    #14
  15. "kurt wismer" <> wrote in message
    news:5AAnd.36628$...
    > for example, spam doesn't belong anywhere near a malware diagram... it
    > is not a threat to anything other than your time and/or your pocketbook
    > (if you happen to get suckered into buying something)... in the grander
    > sense i suppose it's also a threat to the usefulness of email in
    > general, but it's no more a threat than being exposed to advertising on
    > tv or in a magazine or on the side of the highway...


    A threat to your time/pocketbook; your bandwidth, your storage space,
    difficulty of regulation compliance - all a disruption to Availability.
    If you work in a corporate environment that has to deal with this, it is a
    costly annoyance. Spam is malicious, and electronic, so I very well can
    classify it as malware.

    The definition of malware is still a relatively new term in our language, I
    don't have a problem with extending its definition to meet the needs of
    now. Malware is a compound of Malicious Software, and the definition of
    Software is:

    Computer instructions or data. Anything that can be stored electronically is
    software.
    http://www.webopedia.com/TERM/s/software.html

    Rick
    Richard S. Westmoreland, Nov 22, 2004
    #15
  16. Richard S. Westmoreland

    Bart Bailey Guest

    In Message-ID:<cnsklj$nhv$1$> posted on Mon, 22
    Nov 2004 12:05:06 +0000, Jack wrote: Begin

    >HTML can download and execute code. HTML can contain Javascript. HTML
    >can be used to do things like hijacking your browser and installing
    >trojans. English can't. HTML is much more like a programming language
    >than English; and anyway, as far as discussion of malware is concerned,
    >HTML spam can and does get used to access the victim's computer without
    >authorisation.


    Isn't the critical difference, if it is a difference, the fact that
    classic programming languages get interpreted by your command
    interpreter, whereas HTM languages get pre-interpreted by your browser?

    --

    Bart
    Bart Bailey, Nov 22, 2004
    #16
  17. Richard S. Westmoreland

    Ant Guest

    "Bart Bailey" wrote:

    > Isn't the critical difference, if it is a difference, the fact that
    > classic programming languages get interpreted by your command
    > interpreter, whereas HTM languages get pre-interpreted by your browser?


    From my viewpoint, as a programmer, "programming languages" come in
    two flavours; those which are compiled into executable files, and
    those which are interpreted and executed on the fly.

    The pre-compiled files contain a memory image, or images, of machine
    instructions. The loader (which may be invoked from a command
    interpreter when you type the file name) places this code in memory,
    sets the CPU instruction pointer to the start address, and the
    processor is off and running it.

    The interpreted ones include languages like Java, and many versions of
    Basic. They have access to a library of pre-compiled routines which
    they will load and execute as the interpreter parses the source.
    Scripting languages like Javascript, DOS batch files, and Unix shell
    scripts are also interpreted.

    While HTML is not a programming language, for the purpose of this
    discussion it should be considered as such. It can contain scripts,
    and interpreting it in a browser could have the same effect as running
    a compiled executable file.
    Ant, Nov 23, 2004
    #17
  18. Richard S. Westmoreland

    kurt wismer Guest

    Jack wrote:
    > kurt wismer wrote:
    >> Jack wrote:
    >>> kurt wismer wrote:
    >>>
    >>>> all malware is software (that's where the 'ware' part of malware
    >>>> comes from), spam is not software, therefore spam is not malware...
    >>>
    >>> That is arguable. HTML spam contains HTML, which is a language, and
    >>> therefore it could be said to be software.

    >>
    >> english is a language, does that make the words coming out of my mouth
    >> software? no...
    >>
    >> html is a markup language, not a programming language...

    >
    >
    > HTML can download and execute code.


    no it can't, you're thinking of scripts...

    > HTML can contain Javascript.


    yes, html can be a container for (actual) programs written in other
    (actual programming) languages like java, javascript, etc...

    zip files can be containers for programs too, does that make zip files
    programs? no...

    > HTML
    > can be used to do things like hijacking your browser and installing
    > trojans.


    no, it can't... again, you're thinking of scripts and various other
    forms of active content (activex for example)...

    > English can't. HTML is much more like a programming language
    > than English;


    oh, i agree that html is much more *like* a programming language than
    english, but it still remains a non-programming language...

    > and anyway, as far as discussion of malware is concerned,
    > HTML spam can and does get used to access the victim's computer without
    > authorisation.


    html itself is not a threat...the scripts that html documents can
    contain can be a threat but they can also be ignored by properly
    hardening your browser settings...

    feel free to blame the world's biggest browser vendor for making the
    default action 'run everything we encounter'... notice how the same
    vendor has produced an operating system that treats CDs exactly the
    same way...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 23, 2004
    #18
  19. Richard S. Westmoreland

    kurt wismer Guest

    Bart Bailey wrote:
    > In Message-ID:<cnsklj$nhv$1$> posted on Mon, 22
    > Nov 2004 12:05:06 +0000, Jack wrote: Begin
    >
    >>HTML can download and execute code. HTML can contain Javascript. HTML
    >>can be used to do things like hijacking your browser and installing
    >>trojans. English can't. HTML is much more like a programming language
    >>than English; and anyway, as far as discussion of malware is concerned,
    >>HTML spam can and does get used to access the victim's computer without
    >>authorisation.

    >
    > Isn't the critical difference, if it is a difference, the fact that
    > classic programming languages get interpreted by your command
    > interpreter, whereas HTM languages get pre-interpreted by your browser?


    HTM languages?

    anyways, activex controls are native code... java is interpreted by the
    java virtual machine (and i don't know any browser that has a jvm built
    into it)...

    none of them bear any relation to html, nor are they a part of html...
    they are something that clever (and sometimes not so clever - activex,
    'nuff said) people figured out how to sneak into html containers...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 23, 2004
    #19
  20. Richard S. Westmoreland

    kurt wismer Guest

    Ant wrote:
    [snip]
    > While HTML is not a programming language, for the purpose of this
    > discussion it should be considered as such. It can contain scripts,
    > and interpreting it in a browser could have the same effect as running
    > a compiled executable file.


    shame on you... if you can't make a program with it, it's not a
    programming language... period...

    an html document can act as a container, so can a zip file... that
    doesn't make html a programming language anymore than it makes winzip a
    compiler...

    --
    "maxwell can tell he's in hell
    just wants you to visit him there
    same old game that he's playin'
    his rules are never fair"
    kurt wismer, Nov 23, 2004
    #20
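
The container-versus-content distinction argued over in posts 10 and 17-20, as an added example that is not code from any poster: a small audit of an HTML mail body that reports plain markup separately from embedded active content (scripts, objects, event handlers, script-scheme URLs) and from remote images such as the 1x1 "web-bugs" Jack mentions. The function and class names and the three sample bodies are constructed for this illustration.

```python
from html.parser import HTMLParser

# Elements that carry or load executable content, as opposed to markup.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
URL_ATTRS = {"href", "src", "action", "background"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}


def _scheme(url):
    """Lower-cased URL scheme, ignoring whitespace/control characters."""
    cleaned = "".join(ch for ch in url if ch > " ")
    return cleaned.split(":", 1)[0].lower() if ":" in cleaned else ""


def _is_tiny(value):
    """True when a width/height attribute value is 0 or 1 pixel."""
    digits = (value or "").strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


class MailBodyAudit(HTMLParser):
    """Collects findings from one HTML body; markup alone yields none."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.active = []         # script-bearing elements and attributes
        self.web_bugs = []       # remote images sized 0x0 or 1x1
        self.remote_images = []  # other remote image fetches

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.active.append(f"<{tag}>")
        for name, value in attrs.items():
            if name.startswith("on"):
                # Event handlers hold script even on plain elements.
                self.active.append(f"<{tag} {name}>")
            elif name in URL_ATTRS and _scheme(value) in SCRIPT_SCHEMES:
                self.active.append(f"<{tag} {name}={_scheme(value)}:>")
        src = attrs.get("src", "")
        if tag == "img" and _scheme(src) in {"http", "https"}:
            # Any remote fetch confirms the address was read; a 1x1
            # image exists for no other reason.
            tiny = _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))
            (self.web_bugs if tiny else self.remote_images).append(src)


def audit_html_body(html):
    """Return a verdict plus the findings that justify it."""
    parser = MailBodyAudit()
    parser.feed(html)
    parser.close()
    if parser.active:
        verdict = "active-content"
    elif parser.web_bugs:
        verdict = "tracking"
    elif parser.remote_images:
        verdict = "remote-content"
    else:
        verdict = "inert-markup"
    return {"verdict": verdict, "active": parser.active,
            "web_bugs": parser.web_bugs,
            "remote_images": parser.remote_images}


# Constructed sample bodies (not taken from real mail).
PLAIN = ('<html><body><h1>Cheap watches</h1><p>Reply <b>now</b>. '
         '<a href="http://shop.example/">Visit</a></p></body></html>')
BUGGED = ('<p>Hello</p><img src="http://track.example/o.gif?id=constructed-123"'
          ' width="1" height="1">')
SCRIPTED = ('<body onload="go()"><script>go=function(){}</script>'
            '<a href=" JavaScript:void(0)">x</a></body>')

if __name__ == "__main__":
    for label, body in (("plain", PLAIN), ("bugged", BUGGED),
                        ("scripted", SCRIPTED)):
        print(label, audit_html_body(body))
```

A mail client hardened in the way post 18 describes would render the first body as is, and would decline to fetch or run what the audit lists for the other two.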