Malware Triangle

Discussion in 'Computer Security' started by Richard S. Westmoreland, Nov 19, 2004.

  1. Originally I called this the "Internet Threats Triangle". I posted this
    same critique request on a discussion forum I'm a member of, and the main
    argument was that there are more Internet threats than what I had on that
    diagram. My argument was that I'm only looking at the objects that can
    cause harm - not password policies, ping sweeps, or script kiddies, etc.
    They pointed out that what I was really referring to was what they tend to
    group as Malware. So I considered that and renamed it the Malware Threats
    Triangle because that made sense to me.

    The triangle started out as scribbles. I took the 3 problems I deal with on
    a regular basis, and that my site was designed for. Viruses, Spam, and
    Spyware. I realized that these had characteristics that I thought related
    to other blended threats (which is still up for debate) - Worms, Adware, and
    Trojans. I added Phishing and Zombies soon after. Once I did this, I
    noticed that the proximity of these threats formed their own triangles that
    were solved by the 3 solutions - Antivirus, Antispam, Antispyware.

    With the exception of 1 person that has contributed to this thread, everyone
    has agreed about the associations between the primary threats (the 3 corners
    of the triangle) and the blended threats that fall between. The biggest
    objection so far is identifying emails as software.

    So really that is all I'm looking for - a classification of this triangle.

    Rick
     
    Richard S. Westmoreland, Nov 25, 2004

  2. Richard S. Westmoreland

    Bart Bailey Guest

    I think of "trojans" as merely a surreptitious vector method, rather
    than any executable code, but it's such a catchy term it gets applied to
    almost as many situations as the term virus. <g>
     
    Bart Bailey, Nov 25, 2004

  3. Richard S. Westmoreland

    Leythos Guest

    But you're talking two different things here - filters and spam have
    only a little to do with each other. Filters are needed because of spam,
    but spam did not keep you from getting the email. We NEED email to
    communicate with clients, but, as much as you may not like it, spam,
    even in mass bombing, is not a security threat when it fills your pipe
    or email box to the limit, it's merely a resource abuse. If the spam
    emails contain no malicious content, are just plain text, then they are
    no different than any other form of email. What if you looked at it like
    this - your email account permits 10MB of email (I know that's small),
    and you have 30 clients each sending you 1MB of email every 2 hours, but
    you only check your email every 2 hours - chances are that some email
    will bounce, and that's not due to a virus - it's a resource problem.
     
    Leythos, Nov 25, 2004
  4. Richard S. Westmoreland

    Leythos Guest

    You say "I'm only looking at the objects that can cause harm" and then
    you exclude items that can cause harm?
     
    Leythos, Nov 25, 2004
  5. Richard S. Westmoreland

    Leythos Guest

    No, it was an exploit.
     
    Leythos, Nov 25, 2004
  6. Which objects am I missing?

    Rick
     
    Richard S. Westmoreland, Nov 25, 2004
  7. Richard S. Westmoreland

    Leythos Guest

    You excluded the other items that can cause a system hard - right in the
    post you made - "not password policies, ping sweeps, or script kiddies,
    etc."

    All of those things are part of malware and security threats.
     
    Leythos, Nov 25, 2004
  8. Richard S. Westmoreland

    Leythos Guest

    Sorry, need to watch what I type "can cause a system HARM" not hard :)
     
    Leythos, Nov 25, 2004
  9. I was thinking that must be some new technical term I haven't heard before.
    :-D

    What I mean by objects is "files" - since I'm trying to exclude data from
    the definition of software for the sake of the discussion, it's hard for me
    to express what I'm thinking.

    Rick
     
    Richard S. Westmoreland, Nov 25, 2004
  10. Richard S. Westmoreland

    Leythos Guest

    Rick, rather than try and isolate a minimal set of threats to three
    sides of a triangle, how about listing all the known threats by type,
    after you get all known types of threats, you can list them in an octagon
    and then label one side UNKNOWNS.
     
    Leythos, Nov 25, 2004
  11. Richard S. Westmoreland

    Ant Guest

    and some people would call it that.
    When you unpack a zip file you don't expect execution of content. When
    you render html containing embedded scripts, you may.
     
    Ant, Nov 25, 2004
  12. Richard S. Westmoreland

    kurt wismer Guest

    hold on, what kind of security are we focusing on here? i thought we
    were interested in computer security, not business security... look
    availability *can* be a security issue, but it isn't automatically a
    security issue... it depends on what kind of security we're talking
    about and the kind of asset/resource whose availability is in
    question... otherwise someone call the cops, the availability of sexy
    naked ladies in my bedroom isn't high enough so there must have been a
    security breach...
     
    kurt wismer, Nov 26, 2004
  13. Richard S. Westmoreland

    GEO Me Guest

    ========

    Geo
     
    GEO Me, Nov 26, 2004
  14. Here is a very good summary of the three:

    http://privacy.med.miami.edu/glossary/xd_confidentiality_integrity_availability.htm

    And another good source:

    http://www.informit.com/guides/content.asp?g=security&seqNum=5

    Which includes the following diagram:

    http://www.informit.com/content/ima..._fogie/elementLinks/peikari_secguide_fig2.gif

    Rick
     
    Richard S. Westmoreland, Nov 26, 2004
  15. Richard S. Westmoreland

    kurt wismer Guest

    no, i think someone else said that... however they can all fall under
    the classification of trojan under the right circumstances...
    'inject' isn't right... overwriting infectors don't inject their code
    into a host (that would be like trying to shoot up with a sledge
    hammer)... neither do companion infectors...
    not necessarily... more often than not it will not run until the user
    runs it...

    [snip]
    not necessarily - blaster didn't require user intervention... nor did
    slammer...
    not all of them spread themselves to locations in the sense that most
    people would expect... for example, slammer never got written to disk
    (except maybe in the swap space)...

    [snip]
    not necessarily - you're assuming mutual exclusivity between malware
    sets for no good reason...

    [snip]
    ummm, no... trojan horse programs predate viruses by a wide margin,
    they don't need to be dropped by them...
    ?? that's pretty fuzzy, what exactly do you mean?
    absolutely not - i already covered this the first time... you're
    thinking of just one subset of trojans (remote access trojans)...

    [snip]
    lots...

    a virus is a self-replicating program that attaches itself to a host
    program in such a way that when an attempt is made to execute the host,
    the virus is executed as well as or instead of the host...

    a worm is a self-replicating program that doesn't necessarily attach
    itself to a host program (but some can - see klez.h)...

    spyware is software that surreptitiously sends personal data about a
    victim to a remote party...

    a trojan is any program that does something undesirable as well as or
    instead of the desirable thing the user was expecting it to do...

    there is nothing that says any of these sets of objects are disjoint -
    viruses and worms overlap in practice (and even in theory, the
    mathematical definition of virus included worms), there have been
    viruses that send personal information (pgp keys, keystroke logs, etc)
    back to a remote party, and it seems pretty obvious that a virus
    infected program can qualify as a trojan...
     
    kurt wismer, Nov 26, 2004
  16. Richard S. Westmoreland

    kurt wismer Guest

    Richard S. Westmoreland wrote:
    [snip]
    what puzzles me is why the fact that you're still looking hasn't made
    you more suspicious about the validity of results...

    if there was a clear-cut classification it should be fairly obvious -
    that it is not should suggest that something is wrong and somehow those
    things do not belong together the way you have arranged them...
     
    kurt wismer, Nov 26, 2004
  17. Richard S. Westmoreland

    kurt wismer Guest

    ok, finally we're getting somewhere...

    you're talking about information systems security...

    malware is actually just a small part of the picture for information
    systems security (as the second link rightfully indicates)... malware
    is a computer security threat and it is part of ISS because information
    systems generally rely on computers... spam can also be an ISS issue
    (depending on the information system), but that doesn't make it a
    computer security threat, and it certainly doesn't make it malware...

    to include spam in the class of malware because it affects the
    availability of the email service necessitates calling unwanted packets in
    an actual DoS malware also... we can't call everything that gets in the
    way of us doing our jobs 'malware'... i'm ok with calling spam
    generating software 'malware', but the spam itself is just the means by
    which it exacts its malice...
     
    kurt wismer, Nov 27, 2004
  18. Richard S. Westmoreland

    kurt wismer Guest

    that's an embellishment... it says "here's a script", i'll give you
    that, but that's about it...

    markup languages don't tell their associated readers what to do, they
    label various sections of data in a document as being of type X and/or
    having property Y... the associated reader decides what to do with the
    data in part based on the semantic meaning those labels (or tags)
    add... tags don't instruct, they describe...

    [snip]
    only because the convention for 'rendering html' in practice includes
    handing scripts and other embedded objects off to their associated
    handlers/subsystems/etc in addition to straight html rendering...
     
    kurt wismer, Nov 28, 2004
  19. Richard S. Westmoreland

    Ant Guest

    And those embellishments contribute to the whole, and are the problem
    with respect to malware issues.
    The effect is the same, as far as a permissively configured browser is
    concerned, when it interprets html with embedded executable content.
    This is why I originally said it should be considered a programming
    language, although you and I know that in its pure form it is not.
    Html has evolved to allow all sorts of constructs and active content
    which we might think inappropriate for a text markup language, but
    was thought necessary to enhance hypertext for the web experience.

    An html text file with the "embellishments" effectively becomes one
    script containing not only layout and display descriptions, but
    references to executable objects, and program source code which will
    be interpreted and run in a suitably configured browser. Perhaps I
    should not have called this conglomeration "html" in my original post
    to this thread.
     
    Ant, Nov 28, 2004
  20. Richard S. Westmoreland

    kurt wismer Guest

    i actually meant that it was an embellishment on your part, not the
    designer's part, nor html's part...
    browsers don't define html... the 'effect' may very well be the same
    but the fact is that html does not have instructions, it has tags... if
    tags were instructions they'd be called instructions...
    i reiterate - those are *not* part of html... what html has is the
    ability to act as a container for non-html content, nothing more... it
    is no different than an archive format in that respect...
    that conglomeration is an html document, but it is not html...

    here's an obvious distinction - it is possible to have a browser that
    fully complies with the html standard and yet does not (even can not)
    execute the additional content contained within html documents they
    display (think lynx, or maybe arachne), just as there are email clients
    that do not (even can not) execute the additional content contained
    within the emails they display...

    would you condone emails being called programs in spite of the fact
    that the specifications for email do not include mention of
    instructions to be carried out when encountered in the email body? why
    should html documents be considered any different? they are containers
    of arbitrary content and their respective readers may be (often are)
    configured to execute some of that content automagically...
     
    kurt wismer, Nov 30, 2004
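The container point argued in the last three posts (tags describe data, and it is the reader that decides whether to hand script bodies, embedded objects and event handlers to an execution engine) can be shown in code. The following is an added example, not code posted by anyone in this thread. It parses an HTML document with Python's standard html.parser and behaves like a non-executing reader: it separates the text a text-mode browser would display from an inventory of the active content the document carries, without fetching or running any of it. The tag list, the sample document and the host names in it are constructed for the example.

```python
"""Inventory of the active content an HTML document carries.

Added example, not code posted by anyone in this thread. It reads an
HTML document the way a non-executing reader would: tags are labels on
data, so script bodies, external object references and event handler
attributes are collected and reported, but nothing is fetched or run.
The sample document below is constructed for this example.
"""
from html.parser import HTMLParser

# Tags whose body or referenced resource a permissive browser hands to
# a script engine or plug-in. Illustrative list, not exhaustive.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class ActiveContentInventory(HTMLParser):
    """Separates renderable text from content that is executable only
    if the reader chooses to execute it."""

    def __init__(self):
        super().__init__()
        self.text_parts = []   # text a text-mode reader would show
        self.active = []       # (kind, detail) records of active content
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag in ACTIVE_TAGS:
            # External source if one is referenced, otherwise an inline body.
            src = attrs.get("src") or attrs.get("data") or attrs.get("code")
            self.active.append((tag, src or "inline"))
            if tag == "script":
                self._in_script = True
        # Event handler attributes (onload=, onclick=, ...) are script
        # source that sits in the markup itself. Heuristic: any "on*" name.
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.active.append(("handler:" + name, value.strip()))
        href = attrs.get("href") or ""
        if tag == "a" and href.lower().startswith("javascript:"):
            self.active.append(("javascript-url", href))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # A script body is data to this reader: it is neither rendered
        # as text nor executed.
        if self._in_script:
            return
        text = data.strip()
        if text:
            self.text_parts.append(text)


def inventory(html_doc):
    """Return (rendered_text, active_content) for an HTML document."""
    parser = ActiveContentInventory()
    parser.feed(html_doc)
    parser.close()
    return " ".join(parser.text_parts), parser.active


# Constructed sample: a document mixing plain markup with several kinds
# of embedded active content. The host name is a placeholder.
SAMPLE_DOC = """<html><body onload="init()">
<h1>Quarterly report</h1>
<p>Revenue is <b>up</b>.</p>
<script>var init = function () { document.title = 'loaded'; };</script>
<script src="https://cdn.example.invalid/lib.js"></script>
<object data="chart.swf"></object>
<a href="javascript:void(0)">toggle</a>
</body></html>"""


if __name__ == "__main__":
    text, active = inventory(SAMPLE_DOC)
    print("rendered text:", text)
    print("active content a permissive reader might execute:")
    for kind, detail in active:
        print(f"  {kind}: {detail}")
```

Run stand-alone, the script prints the document's visible text on one line and five active-content records (one onload handler, one inline and one external script, one object, one javascript: link). A mail gateway or document filter can use the same split: the rendered text is what the recipient needs, and the inventory is what a policy decides whether to strip, neutralise or allow through.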
