Malware Triangle

[Richard S. Westmoreland]

I have developed a new theorem on the associations of the various malware we
deal with on a regular basis. It started out as a way to classify the
primary Internet threats, such as viruses, spam, and spyware, and then I
realized that the other threats were just blended characteristics of those
3. Then once this was mapped out on the triangle, I saw another
association - 3 smaller triangles formed the solutions that combat those
threats - antivirus, antispam, and antispyware. They tend to overlap.

I have been studying another triangle - the 3 pillars of security
(Confidentiality, Integrity, and Availability), and notice that those match
up with the Malware Triangle. (That comparison is not on the site yet)

Please share your opinions/comments on this:

http://www.antisource.com/staticpages/index.php/malware-triangle

It's a work in progress - I still have to add a better demonstration of
images and go into more depth on the description.

 

[optikl]

I have developed a new theorem on the associations of the various malware we
deal with on a regular basis. It started out as a way to classify the
primary Internet threats, such as viruses, spam, and spyware, and then I
realized that the other threats were just blended characteristics of those
3. Then once this was mapped out on the triangle, I saw another
association - 3 smaller triangles formed the solutions that combat those
threats - antivirus, antispam, and antispyware. They tend to overlap.

I have been studying another triangle - the 3 pillars of security
(Confidentiality, Integrity, and Availability), and notice that those match
up with the Malware Triangle. (That comparison is not on the site yet)

Please share your opinions/comments on this:

http://www.antisource.com/staticpages/index.php/malware-triangle

It's a work in progress - I still have to add a better demonstration of
images and go into more depth on the description.

I like your thought process, but I'm not sure I agree 100% with your thesis.

1. Why is Spam considered malware? Spam might be a vector for malware
(some malware even spreads Spam) and is clearly a nuisance, but I
wouldn't call Spam in and of itself malware. It's not a program, for
one. Definition: (mal´wãr) (n.) Short for malicious software, software
designed specifically to damage or disrupt a system, such as a virus or
a Trojan horse.

2. Why are Zombies and Trojans considered to be a synthesis of Viruses
and Spyware? Or, is that how mean this? Can you elaborate on your model.

 

[Richard S. Westmoreland]

I like your thought process, but I'm not sure I agree 100% with your thesis.

1. Why is Spam considered malware? Spam might be a vector for malware
(some malware even spreads Spam) and is clearly a nuisance, but I
wouldn't call Spam in and of itself malware. It's not a program, for
one. Definition: (mal´wãr) (n.) Short for malicious software, software
designed specifically to damage or disrupt a system, such as a virus or
a Trojan horse.

2. Why are Zombies and Trojans considered to be a synthesis of Viruses
and Spyware? Or, is that how mean this? Can you elaborate on your model.

I agree on the malware definition - but once I had the triangle setup, it
was hard to separate it from the rest of the threats. Originally I called
this the Internet Threats Triangle - but someone pointed out that there are
more than just those 3 primary threats, what about Hackers, and password
policies, power outages, etc. So I caved in and changed it to Malware
Threats Triangle. I might make an expection on the definition of Malware -
perhaps Spam should be considered malware, because it does use an electronic
medium to invoke disruption within the 3 pillars of security.

Viruses disrupt Integrity - they are meant to change or delete the data.
Spyware disrupts Confidentiality - they steal private information to be used
against you. I think Trojans/Zombies fall between these two extremes
because they do replace files or at least mock other legitimate files, while
also opening up the machine for remote control/access.

 

[David H. Lipman]

You discuss this like some discuss religion -- "the three pillars of...."

Maybe your geometry is off and a triangle is not a good model.
Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
equation.

Dave



| I agree on the malware definition - but once I had the triangle setup, it
| was hard to separate it from the rest of the threats. Originally I called
| this the Internet Threats Triangle - but someone pointed out that there are
| more than just those 3 primary threats, what about Hackers, and password
| policies, power outages, etc. So I caved in and changed it to Malware
| Threats Triangle. I might make an expection on the definition of Malware -
| perhaps Spam should be considered malware, because it does use an electronic
| medium to invoke disruption within the 3 pillars of security.
|
| Viruses disrupt Integrity - they are meant to change or delete the data.
| Spyware disrupts Confidentiality - they steal private information to be used
| against you. I think Trojans/Zombies fall between these two extremes
| because they do replace files or at least mock other legitimate files, while
| also opening up the machine for remote control/access.
|
| --
| Richard S. Westmoreland
| http://www.antisource.com
|
|

 

[optikl]

You discuss this like some discuss religion -- "the three pillars of...."

Maybe your geometry is off and a triangle is not a good model.
Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
equation.

Dave

I'd suggest it's more like:

Threat Triumverate

1. Malware: Trojans, backdoors, viruses, worms, spyware

2. Spam

3. Phishing

BTW, IMO any virus, worm, backdoor or spyware program, disguised to
appear to be something other than it is, is a trojan.

 

[GEO Me]

You discuss this like some discuss religion -- "the three pillars of...."

Maybe your geometry is off and a triangle is not a good model.
Maybe a "Quad Threat Matrix" where email (spam and phishing) are another angle of the
equation.

Like in...
'The Seven Pillars of Wisdom'
by Lawrence of Arabia


Geo

 

[kurt wismer]

I have developed a new theorem on the associations of the various malware we
deal with on a regular basis. It started out as a way to classify the
primary Internet threats, such as viruses, spam, and spyware, and then I
realized that the other threats were just blended characteristics of those
3. Then once this was mapped out on the triangle, I saw another
association - 3 smaller triangles formed the solutions that combat those
threats - antivirus, antispam, and antispyware. They tend to overlap.

I have been studying another triangle - the 3 pillars of security
(Confidentiality, Integrity, and Availability), and notice that those match
up with the Malware Triangle. (That comparison is not on the site yet)

Please share your opinions/comments on this:

well, on the positive side i like the number 3...

other than that the relationships seem to be overly simplistic or in
some cases just plain wrong...

for example, spam doesn't belong anywhere near a malware diagram... it
is not a threat to anything other than your time and/or your pocketbook
(if you happen to get suckered into buying something)... in the grander
sense i suppose it's also a threat to the usefulness of email in
general, but it's no more a threat than being exposed to advertising on
tv or in a magazine or on the side of the highway...

then there's this supposed relationship between spyware and adware,
only they aren't related... adware, by its very nature, 'advertises'
it's presences and it's actions while spyware does pretty much the
opposite... their only real commonality is that they're both (usually)
non-replicating malware... by the way, adware doesn't necessarily
gather any information, that's more of a spyware trait - any adware
that does so happens to also be spyware...

phishing is spam with spyware-like intent but that's about as close as
it gets...

this juxtaposition of "zombie" and "trojan" seems pretty telling as to
what you think trojans are supposed to be, but i assure you the class
is much broader than just remote administration tools... furthermore
RAT's are not closely related to either viruses or spyware - the
distinguishing characteristic of spyware is that it surreptitiously
sends information to a 3rd party (effectively providing a one-way
transmission) whereas a RAT allows the 3rd party to control the pc
(which is a 2-way transmission or at the very least a one-way
transmission in the opposite direction)... the distinguishing
characteristic of a virus is that it self-replicates however there
aren't that many self-replicating RATs....

the relationship between worms and viruses is another misfire as one is
generally considered to be a subset of the other (though which is the
subset and which is the superset is debatable)... worms are definitely
not viruses + spam... there's even a good argument to be made for virus
= worm...

 

[kurt wismer]

Richard S. Westmoreland wrote:
[snip]

I agree on the malware definition - but once I had the triangle setup, it
was hard to separate it from the rest of the threats.

you're letting your supposed pattern dictate your definitions - it's
supposed to be the other way 'round...

Originally I called
this the Internet Threats Triangle - but someone pointed out that there are
more than just those 3 primary threats, what about Hackers, and password
policies, power outages, etc. So I caved in and changed it to Malware
Threats Triangle. I might make an expection on the definition of Malware -
perhaps Spam should be considered malware, because it does use an electronic
medium to invoke disruption within the 3 pillars of security.

all malware is software (that's where the 'ware' part of malware comes
from), spam is not software, therefor spam is not malware...

Viruses disrupt Integrity - they are meant to change or delete the data.
Spyware disrupts Confidentiality - they steal private information to be used
against you. I think Trojans/Zombies fall between these two extremes
because they do replace files or at least mock other legitimate files, while
also opening up the machine for remote control/access.

no, the thing that falls in the middle between viruses and spyware are
viruses that steal private information (like caligula, the macro virus
that stole pgp keys)...

 

[Rodney Kelp]

Don't forget Homland Secutiry. They can use any tool at their discretion
without court order to scan, spy and invade you. Everyone is a potential
terrorist threat.

 

[Roger Wilco]

the relationship between worms and viruses is another misfire as one is
generally considered to be a subset of the other (though which is the
subset and which is the superset is debatable)... worms are definitely
not viruses + spam... there's even a good argument to be made for virus
= worm...

People have been equating virus to spam for some time now because of the e-mail vector worms they have to filter out
of their e-mail stream. Both the spam and the worms share in the flooding effect although the filtering for each may be
different. Its egocentric, but who can blame them for seeing these things only as they affect them.

 

[Jack]

all malware is software (that's where the 'ware' part of malware
comes from), spam is not software, therefor spam is not malware...

That is arguable. HTML spam contains HTML, which is a language, and
therefore it could be said to be software. If it contains 1x1-pixel
'web-bugs', it is spyware. If the spam is designed for no other purpose
than address-verification, as some spam is, then it's an element of a
hacking system.

But I don't personally see the 'triangle' as a particularly useful way
of modelling internet threats; I can't see what new insights it throws up.

 

[--Mike]

People have been equating virus to spam for some time now because of the

e-mail vector worms they have to filter out

of their e-mail stream. Both the spam and the worms share in the flooding

effect although the filtering for each may be

different. Its egocentric, but who can blame them for seeing these things only as they affect them.

A Worm is not really a class of malware or threat. It suggests a type of
behavior: self replicating/self e-mailing. Worm-type behavior can be a
characteristic of almost any threat, whether it's a virus, trojan horse,
spyware, adware, zombie, etc.

--Mike

 

[Roger Wilco]

e-mail vector worms they have to filter out
effect although the filtering for each may be

A Worm is not really a class of malware or threat. It suggests a type of
behavior: self replicating/self e-mailing. Worm-type behavior can be a
characteristic of almost any threat, whether it's a virus, trojan horse,
spyware, adware, zombie, etc.

If the program self-replicates, it will be considered malware until someone actually does find the elusive "good virus" or
"beneficial worm" program. Also bear in mind that the "benjamin" worm didn't send itself to other hosts, it only made itself
highly available in shared infospace. Right on about worm being behavioral - and it is not always behavior that can be seen
in the program code itself.

 

[kurt wismer]

That is arguable. HTML spam contains HTML, which is a language, and
therefore it could be said to be software.

english is a language, does that make the words coming out of my mouth
software? no...

html is a markup language, not a programming language...

[snip]

But I don't personally see the 'triangle' as a particularly useful way
of modelling internet threats; I can't see what new insights it throws up.

that much we agree on...

 

[Jack]

english is a language, does that make the words coming out of my mouth
software? no...

html is a markup language, not a programming language...

HTML can download and execute code. HTML can contain Javascript. HTML
can be used to do things like hijacking your browser and installing
trojans. English can't. HTML is much more like a programming language
than English; and anyway, as far as discussion of malware is concerned,
HTML spam can and does get used to access the victim's computer without
authorisation.

 

[Richard S. Westmoreland]

for example, spam doesn't belong anywhere near a malware diagram... it
is not a threat to anything other than your time and/or your pocketbook
(if you happen to get suckered into buying something)... in the grander
sense i suppose it's also a threat to the usefulness of email in
general, but it's no more a threat than being exposed to advertising on
tv or in a magazine or on the side of the highway...

A threat to your time/pocketbook; your bandwidth, your storage space,
difficultuly of regulation compliance - all a disruption to Availability.
If you work in a corporate environment that has to deal with this, it is a
costly annoyance. Spam is malicious, and electronic, so I very well can
classify it as malware.

The definition of malware is still a relatively new term in our language, I
don't have a problem with extending it's definition to meet the needs of
now. Malware is a compound of Malicious Software, and the definition of
Software is:

Computer instructions or data. Anything that can be stored electronically is
software.
http://www.webopedia.com/TERM/s/software.html

Rick

 

[Bart Bailey]

HTML can download and execute code. HTML can contain Javascript. HTML
can be used to do things like hijacking your browser and installing
trojans. English can't. HTML is much more like a programming language
than English; and anyway, as far as discussion of malware is concerned,
HTML spam can and does get used to access the victim's computer without
authorisation.

Isn't the critical difference, if it is a difference, the fact that
classic programming languages get interpreted by your command
interpreter, whereas HTM languages get pre-interpreted by your browser?

 

[Ant]

Isn't the critical difference, if it is a difference, the fact that
classic programming languages get interpreted by your command
interpreter, whereas HTM languages get pre-interpreted by your browser?

From my viewpoint, as a programmer, "programming languages" come in
two flavours; those which are compiled into executable files, and
those which are interpreted and executed on the fly.

The pre-compiled files contain a memory image, or images, of machine
instructions. The loader (which may be invoked from a command
interpreter when you type the file name) places this code in memory,
sets the CPU instruction pointer to the start address, and the
processor is off and running it.

The interpreted ones include languages like Java, and many versions of
Basic. They have access to a library of pre-compiled routines which
they will load and execute as the interpreter parses the source.
Scripting languages like Javascript, DOS batch files, and Unix shell
scripts are also interpreted.

While HTML is not a programming language, for the purpose of this
discussion it should be considered as such. It can contain scripts,
and interpreting it in a browser could have the same effect as running
a compiled executable file.

 

[kurt wismer]

HTML can download and execute code.

no it can't, you're thinking of scripts...

HTML can contain Javascript.

yes, html can be a container for (actual) programs written in other
(actual programming) languages like java, javascript, etc...

zip files can be containers for programs to, does that make zip files
programs? no...

HTML
can be used to do things like hijacking your browser and installing
trojans.

no, it can't... again, you're thinking of scripts and various other
forms active content (activex for example)...

English can't. HTML is much more like a programming language
than English;

oh, i agree that html is much more *like* a programming language than
english, but it still remains a non-programming language...

and anyway, as far as discussion of malware is concerned,
HTML spam can and does get used to access the victim's computer without
authorisation.

html itself is not a threat...the scripts that html documents can
contain can be a threat but they can also be ignored by properly
hardening your browser settings...

feel free to blame the worlds biggest browser vendor for making the
default action 'run everything we encounter'... notice how the same
vendor has produced an operating system that treats CDs exactly the
same way...

 

[kurt wismer]

Isn't the critical difference, if it is a difference, the fact that
classic programming languages get interpreted by your command
interpreter, whereas HTM languages get pre-interpreted by your browser?

HTM languages?

anyways, activex controls are native code... java is interpreted by the
java virtual machine (and i don't know any browser that has a jvm built
into it)...

none of them bear any relation to html, nor are they a part of html...
they are something that clever (and sometimes not so clever - activex,
'nuff said) people figured out how to sneak into html containers...