Malware Triangle

Discussion in 'Computer Security' started by Richard S. Westmoreland, Nov 19, 2004.

  1. I have developed a new theorem on the associations of the various malware we
    deal with on a regular basis. It started out as a way to classify the
    primary Internet threats, such as viruses, spam, and spyware, and then I
    realized that the other threats were just blended characteristics of those
    3. Then once this was mapped out on the triangle, I saw another
    association - 3 smaller triangles formed the solutions that combat those
    threats - antivirus, antispam, and antispyware. They tend to overlap.

    I have been studying another triangle - the 3 pillars of security
    (Confidentiality, Integrity, and Availability), and notice that those match
    up with the Malware Triangle. (That comparison is not on the site yet)

    Please share your opinions/comments on this:

    http://www.antisource.com/staticpages/index.php/malware-triangle

    It's a work in progress - I still have to add a better demonstration of
    images and go into more depth on the description.
     
    Richard S. Westmoreland, Nov 19, 2004
    #1

  2. optikl

    I like your thought process, but I'm not sure I agree 100% with your thesis.

    1. Why is Spam considered malware? Spam might be a vector for malware
    (some malware even spreads Spam) and is clearly a nuisance, but I
    wouldn't call Spam in and of itself malware. It's not a program, for
    one. Definition: (mal´wãr) (n.) Short for malicious software, software
    designed specifically to damage or disrupt a system, such as a virus or
    a Trojan horse.

    2. Why are Zombies and Trojans considered to be a synthesis of Viruses
    and Spyware? Or, is that how you mean this? Can you elaborate on your model?
     
    optikl, Nov 19, 2004
    #2

  3. I agree on the malware definition - but once I had the triangle setup, it
    was hard to separate it from the rest of the threats. Originally I called
    this the Internet Threats Triangle - but someone pointed out that there are
    more than just those 3 primary threats, what about Hackers, and password
    policies, power outages, etc. So I caved in and changed it to Malware
    Threats Triangle. I might make an exception on the definition of Malware -
    perhaps Spam should be considered malware, because it does use an electronic
    medium to invoke disruption within the 3 pillars of security.

    Viruses disrupt Integrity - they are meant to change or delete the data.
    Spyware disrupts Confidentiality - they steal private information to be used
    against you. I think Trojans/Zombies fall between these two extremes
    because they do replace files or at least mock other legitimate files, while
    also opening up the machine for remote control/access.
     
    Richard S. Westmoreland, Nov 19, 2004
    #3
  4. You discuss this like some discuss religion -- "the three pillars of...." :)

    Maybe your geometry is off and a triangle is not a good model.
    Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
    equation.

    Dave

    | I agree on the malware definition - but once I had the triangle setup, it
    | was hard to separate it from the rest of the threats. Originally I called
    | this the Internet Threats Triangle - but someone pointed out that there are
    | more than just those 3 primary threats, what about Hackers, and password
    | policies, power outages, etc. So I caved in and changed it to Malware
    | Threats Triangle. I might make an exception on the definition of Malware -
    | perhaps Spam should be considered malware, because it does use an electronic
    | medium to invoke disruption within the 3 pillars of security.
    |
    | Viruses disrupt Integrity - they are meant to change or delete the data.
    | Spyware disrupts Confidentiality - they steal private information to be used
    | against you. I think Trojans/Zombies fall between these two extremes
    | because they do replace files or at least mock other legitimate files, while
    | also opening up the machine for remote control/access.
    |
    | --
    | Richard S. Westmoreland
    | http://www.antisource.com
    |
    |
     
    David H. Lipman, Nov 19, 2004
    #4
  5. GEO Me

    Like in...
    'The Seven Pillars of Wisdom'
    by Lawrence of Arabia


    Geo
     
    GEO Me, Nov 20, 2004
    #5
  6. kurt wismer

    well, on the positive side i like the number 3...

    other than that the relationships seem to be overly simplistic or in
    some cases just plain wrong...

    for example, spam doesn't belong anywhere near a malware diagram... it
    is not a threat to anything other than your time and/or your pocketbook
    (if you happen to get suckered into buying something)... in the grander
    sense i suppose it's also a threat to the usefulness of email in
    general, but it's no more a threat than being exposed to advertising on
    tv or in a magazine or on the side of the highway...

    then there's this supposed relationship between spyware and adware,
    only they aren't related... adware, by its very nature, 'advertises'
    its presence and its actions while spyware does pretty much the
    opposite... their only real commonality is that they're both (usually)
    non-replicating malware... by the way, adware doesn't necessarily
    gather any information, that's more of a spyware trait - any adware
    that does so happens to also be spyware...

    phishing is spam with spyware-like intent but that's about as close as
    it gets...

    this juxtaposition of "zombie" and "trojan" seems pretty telling as to
    what you think trojans are supposed to be, but i assure you the class
    is much broader than just remote administration tools... furthermore
    RATs are not closely related to either viruses or spyware - the
    distinguishing characteristic of spyware is that it surreptitiously
    sends information to a 3rd party (effectively providing a one-way
    transmission) whereas a RAT allows the 3rd party to control the pc
    (which is a 2-way transmission or at the very least a one-way
    transmission in the opposite direction)... the distinguishing
    characteristic of a virus is that it self-replicates however there
    aren't that many self-replicating RATs....

    the relationship between worms and viruses is another misfire as one is
    generally considered to be a subset of the other (though which is the
    subset and which is the superset is debatable)... worms are definitely
    not viruses + spam... there's even a good argument to be made for virus
    = worm...
     
    kurt wismer, Nov 20, 2004
    #6
  7. kurt wismer

    Richard S. Westmoreland wrote:
    [snip]
    you're letting your supposed pattern dictate your definitions - it's
    supposed to be the other way 'round...
    all malware is software (that's where the 'ware' part of malware comes
    from), spam is not software, therefore spam is not malware...
    no, the thing that falls in the middle between viruses and spyware are
    viruses that steal private information (like caligula, the macro virus
    that stole pgp keys)...
     
    kurt wismer, Nov 20, 2004
    #7
  8. Rodney Kelp

    Don't forget Homeland Security. They can use any tool at their discretion
    without court order to scan, spy and invade you. Everyone is a potential
    terrorist threat.
     
    Rodney Kelp, Nov 20, 2004
    #8
  9. Roger Wilco

    People have been equating virus to spam for some time now because of the e-mail vector worms they have to filter out
    of their e-mail stream. Both the spam and the worms share in the flooding effect although the filtering for each may be
    different. It's egocentric, but who can blame them for seeing these things only as they affect them.
     
    Roger Wilco, Nov 20, 2004
    #9
  10. Jack

    That is arguable. HTML spam contains HTML, which is a language, and
    therefore it could be said to be software. If it contains 1x1-pixel
    'web-bugs', it is spyware. If the spam is designed for no other purpose
    than address-verification, as some spam is, then it's an element of a
    hacking system.

    But I don't personally see the 'triangle' as a particularly useful way
    of modelling internet threats; I can't see what new insights it throws up.
     
    Jack, Nov 21, 2004
    #10
  11. --Mike

    | e-mail vector worms they have to filter out
    | effect although the filtering for each may be
    A Worm is not really a class of malware or threat. It suggests a type of
    behavior: self replicating/self e-mailing. Worm-type behavior can be a
    characteristic of almost any threat, whether it's a virus, trojan horse,
    spyware, adware, zombie, etc.

    --Mike
     
    --Mike, Nov 21, 2004
    #11
  12. Roger Wilco

    If the program self-replicates, it will be considered malware until someone actually does find the elusive "good virus" or
    "beneficial worm" program. Also bear in mind that the "benjamin" worm didn't send itself to other hosts, it only made itself
    highly available in shared infospace. Right on about worm being behavioral - and it is not always behavior that can be seen
    in the program code itself.
     
    Roger Wilco, Nov 21, 2004
    #12
  13. kurt wismer

    english is a language, does that make the words coming out of my mouth
    software? no...

    html is a markup language, not a programming language...

    [snip]
    that much we agree on...
     
    kurt wismer, Nov 22, 2004
    #13
  14. Jack

    HTML can download and execute code. HTML can contain Javascript. HTML
    can be used to do things like hijacking your browser and installing
    trojans. English can't. HTML is much more like a programming language
    than English; and anyway, as far as discussion of malware is concerned,
    HTML spam can and does get used to access the victim's computer without
    authorisation.
     
    Jack, Nov 22, 2004
    #14
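The 'web-bug' and HTML-as-container points raised in #10 and #14 above, as an added example that is not part of the original thread: a small Python scanner (standard library only) that reads an HTML mail body and flags the pattern Jack describes, a 1x1 remote image whose URL carries a per-recipient token, along with any script the markup contains. The sample message, its domains and its token values are constructed for illustration and are not taken from the thread.

```python
"""Added example: detect address-verification web bugs and active content
in an HTML e-mail body.  The sample mail below is constructed; the domains
and token values are made up for illustration."""

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an HTML "offer" mail carrying a 1x1 tracking pixel whose
# query string identifies the recipient, a normal logo image, and a script.
SAMPLE_HTML = """
<html><body>
<p>Special offer, click <a href="http://shop.example.invalid/?u=ab12">here</a></p>
<img src="http://track.example.invalid/open.gif?id=ab12cd34" width="1" height="1">
<img src="http://cdn.example.invalid/logo.png" width="120" height="40">
<script>window.location="http://bad.example.invalid/";</script>
</body></html>
"""

# Dimensions that make an image invisible to the reader.
TINY = {"0", "1", "0px", "1px"}


class WebBugScanner(HTMLParser):
    """Collects remote images that look like tracking pixels and counts scripts."""

    def __init__(self):
        super().__init__()
        self.web_bugs = []       # (src, sorted query-parameter names)
        self.remote_images = []  # every remote <img src>
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.scripts += 1
            return
        if tag != "img":
            return
        src = a.get("src") or ""
        # cid:/data: images are carried in the mail itself and do not phone home.
        if not src.lower().startswith(("http://", "https://")):
            return
        self.remote_images.append(src)
        width = (a.get("width") or "").strip().lower()
        height = (a.get("height") or "").strip().lower()
        tiny = width in TINY or height in TINY
        query = parse_qs(urlsplit(src).query)
        # The classic web bug: an invisible image whose fetch carries a token
        # back to the sender, confirming the address is read by a live client.
        if tiny and query:
            self.web_bugs.append((src, sorted(query)))


def scan_html_mail(body: str) -> dict:
    """Return what was found and a coarse verdict for the mail body."""
    scanner = WebBugScanner()
    scanner.feed(body)
    scanner.close()
    suspicious = bool(scanner.web_bugs) or scanner.scripts > 0
    return {
        "web_bugs": scanner.web_bugs,
        "remote_images": len(scanner.remote_images),
        "scripts": scanner.scripts,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for key, value in scan_html_mail(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

A tiny image is only the classic shape of this: any remote fetch with an unguessable URL verifies the address just as well, so a mail filter should treat every remote image in unsolicited mail as a potential bug, not only the ones with query parameters. The complementary client-side control is the one kurt points to later in the thread: do not fetch remote content or run scripts from mail by default.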
  15. A threat to your time/pocketbook; your bandwidth, your storage space,
    difficulty of regulation compliance - all a disruption to Availability.
    If you work in a corporate environment that has to deal with this, it is a
    costly annoyance. Spam is malicious, and electronic, so I very well can
    classify it as malware.

    The term malware is still relatively new in our language, I
    don't have a problem with extending its definition to meet the needs of
    now. Malware is a compound of Malicious Software, and the definition of
    Software is:

    Computer instructions or data. Anything that can be stored electronically is
    software.
    http://www.webopedia.com/TERM/s/software.html

    Rick
     
    Richard S. Westmoreland, Nov 22, 2004
    #15
  16. Bart Bailey

    Isn't the critical difference, if it is a difference, the fact that
    classic programming languages get interpreted by your command
    interpreter, whereas HTM languages get pre-interpreted by your browser?
     
    Bart Bailey, Nov 22, 2004
    #16
  17. Ant

    From my viewpoint, as a programmer, "programming languages" come in
    two flavours; those which are compiled into executable files, and
    those which are interpreted and executed on the fly.

    The pre-compiled files contain a memory image, or images, of machine
    instructions. The loader (which may be invoked from a command
    interpreter when you type the file name) places this code in memory,
    sets the CPU instruction pointer to the start address, and the
    processor is off and running it.

    The interpreted ones include languages like Java, and many versions of
    Basic. They have access to a library of pre-compiled routines which
    they will load and execute as the interpreter parses the source.
    Scripting languages like Javascript, DOS batch files, and Unix shell
    scripts are also interpreted.

    While HTML is not a programming language, for the purpose of this
    discussion it should be considered as such. It can contain scripts,
    and interpreting it in a browser could have the same effect as running
    a compiled executable file.
     
    Ant, Nov 23, 2004
    #17
  18. kurt wismer

    no it can't, you're thinking of scripts...
    yes, html can be a container for (actual) programs written in other
    (actual programming) languages like java, javascript, etc...

    zip files can be containers for programs too, does that make zip files
    programs? no...
    no, it can't... again, you're thinking of scripts and various other
    forms of active content (activex for example)...
    oh, i agree that html is much more *like* a programming language than
    english, but it still remains a non-programming language...
    html itself is not a threat...the scripts that html documents can
    contain can be a threat but they can also be ignored by properly
    hardening your browser settings...

    feel free to blame the world's biggest browser vendor for making the
    default action 'run everything we encounter'... notice how the same
    vendor has produced an operating system that treats CDs exactly the
    same way...
     
    kurt wismer, Nov 23, 2004
    #18
  19. kurt wismer

    HTM languages?

    anyways, activex controls are native code... java is interpreted by the
    java virtual machine (and i don't know any browser that has a jvm built
    into it)...

    none of them bear any relation to html, nor are they a part of html...
    they are something that clever (and sometimes not so clever - activex,
    'nuff said) people figured out how to sneak into html containers...
     
    kurt wismer, Nov 23, 2004
    #19
  20. kurt wismer

    Ant wrote:
    [snip]
    shame on you... if you can't make a program with it, it's not a
    programming language... period...

    an html document can act as a container, so can a zip file... that
    doesn't make html a programming language anymore than it makes winzip a
    compiler...
     
    kurt wismer, Nov 23, 2004
    #20
