are helping others by distributing these warnings. Although the hoaxes usually do not cause damage,
some virus hoaxes are malicious and direct users to alter OS settings or delete files, which could cause
security or operational problems. Virus hoaxes can also be time consuming for organizations, because
many hoax recipients contact technical support staff to warn them of the new threat or to ask for
guidance. One well-known virus hoax is Good Times.
2.9 History of Malware
To understand the relative importance of different types of malware, it is useful to know the relevant
history of malware.
The concept of the computer virus was actually formed in the early days of computing. The earliest
viruses were benign pranks; malicious viruses did not surface publicly until the early 1980s. The first
worms, created in the late 1970s, were also benign, intended to perform system maintenance. Malware
did not become common until the late 1980s. In that period, its most common form was compiled
viruses, particularly boot sector viruses. At that time, virus writers also created several obfuscation
techniques so that their viruses could avoid detection. In 1988, the infamous Morris worm was released,
disrupting thousands of networked computers. Trojan horses began to surface in the mid-1980s.
During the early 1990s, the malware situation remained largely unchanged, with compiled viruses
continuing to be the prevalent form of malicious code. However, during the latter half of the 1990s,
several important changes in computing created new opportunities for malware. First, the number of
personal computers greatly increased. In addition, the use of e-mail clients and software with macro
languages, such as word processors and spreadsheets, became widespread. Accordingly, virus writers
began developing interpreted viruses and spreading them through e-mail, as well as developing self-
contained worms with similar capabilities. Interpreted viruses had the advantage of being generally easier
to write and modify than compiled viruses, allowing less skilled programmers to create viruses. Two
interpreted malware attacks, the Melissa virus (in 1999) and the LoveLetter worm (in 2000), each affected
millions of systems. Trojan horse and RAT combinations, such as BackOrifice, also became popular in
the late 1990s.
Since 2000, worms have been the prevalent form of malware. Virus writers often favor worms over
viruses because worms can spread much more quickly. Among viruses, boot sector viruses have become
relatively uncommon, primarily because of the declining usage of floppy disks; in contrast, macro
viruses have become the most common virus type. In 2001, the first major blended attack, Nimda, was
released, causing major disruptions. Nimda had characteristics of viruses, worms, and malicious mobile
code. More recently, malicious mobile code attacks have become increasingly common, largely because
of the prevalence of Web browsers and HTML-based e-mail; however, malicious mobile code is still not
as common as worms. Another trend is that more instances of malware, including worms, Trojan horses,
and malicious mobile code, deliver attacker tools, such as rootkits, keystroke loggers, and backdoors, to
14 The sources of information for this section are Threat Assessment of Malicious Code and Human Threats by Lawrence E.
Bassham and W. Timothy Polk of NIST (http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html); A Short
History of Computer Viruses and Attacks by Brian Krebs of the Washington Post (http://www.washingtonpost.com/ac2/wp-);
and Computer Virus Timeline by Infoplease
Boot sector viruses were most prevalent in the early 1990s, when floppy disks were the most common medium for storing
files and transferring files between systems. As faster methods of transferring files became more popular, such as e-mail
and file sharing software, attackers started developing other types of malware that took advantage of these faster methods to
spread much more rapidly. However, boot sector viruses still do occur, and CDs, DVDs, and other removable media present
in systems during boot can infect systems with such viruses.
Malware has become the greatest external threat to most systems, causing damage and requiring extensive
recovery efforts within most organizations. Malware is divided into the following major categories:
Viruses. A virus self-replicates by inserting copies of itself into host programs or data files.
Viruses are often triggered through user interaction, such as opening a file or running a program.
Viruses can be divided into the following two subcategories:
Compiled Viruses. A compiled virus is executed by an operating system. Types of
compiled viruses include file infector viruses, which attach themselves to executable
programs; boot sector viruses, which infect the master boot records of hard drives or the boot
sectors of removable media; and multipartite viruses, which combine the characteristics of
file infector and boot sector viruses.
Interpreted Viruses. Interpreted viruses are executed by an application. Within this
subcategory, macro viruses take advantage of the capabilities of applications’ macro
programming language to infect application documents and document templates, while
scripting viruses infect scripts that are understood by scripting languages processed by
services on the OS.
Worms. A worm is a self-replicating, self-contained program that usually executes itself without
user intervention. Worms are divided into two categories:
Network Service Worms. A network service worm takes advantage of a vulnerability in a
network service to propagate itself and infect other systems.
Mass Mailing Worms. A mass mailing worm is similar to an e-mail–borne virus but is self-
contained, rather than infecting an existing file.
Trojan Horses. A Trojan horse is a self-contained, nonreplicating program that, while appearing
to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files
with malicious versions or add new malicious files to systems. They often deliver other attacker
tools to systems.
Malicious Mobile Code. Malicious mobile code is software with malicious intent that is
transmitted from a remote system to a local system and then executed on the local system,
typically without the user’s explicit instruction. Popular languages for malicious mobile code
Blended Attacks. A blended attack uses multiple infection or transmission methods. For
example, a blended attack could combine the propagation methods of viruses and worms.
Tracking Cookies. A tracking cookie is a persistent cookie that is accessed by many Web sites,
allowing a third party to create a profile of a user’s behavior. Tracking cookies are often used in
conjunction with Web bugs, which are tiny graphics on Web sites that are referenced within the
HTML content of a Web page or e-mail. The only purpose of the graphic is to collect
information about the user viewing the content.
Attacker Tools. Various types of attacker tools might be delivered to a system as part of a
malware infection or other system compromise. These tools allow attackers to have unauthorized
access to or use of infected systems and their data, or to launch additional attacks. Popular types
of attacker tools are as follows:
Backdoors. A backdoor is a malicious program that listens for commands on a certain TCP
or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a
system, such as acquiring passwords or executing arbitrary commands. Types of backdoors
include zombies (also known as bots), which are installed on a system to cause it to attack
other systems, and remote administration tools, which are installed on a system to enable a
remote attacker to gain access to the system’s functions and data as needed.
Keystroke Loggers. A keystroke logger monitors and records keyboard use. Some require
the attacker to retrieve the data from the system, whereas other loggers actively transfer the
data to another system through e-mail, file transfer, or other means.
Rootkits. A rootkit is a collection of files that is installed on a system to alter its standard
functionality in a malicious and stealthy way. A rootkit typically makes many changes to a
system to hide the rootkit’s existence, making it very difficult to determine that the rootkit is
present and to identify what the rootkit has changed.
Web Browser Plug-Ins. A Web browser plug-in provides a way for certain types of content
to be displayed or executed through a Web browser. Attackers often create malicious Web
browser plug-ins that act as spyware and monitor all use of the browser.
E-Mail Generators. An e-mail generating program can be used to create and send large
quantities of e-mail, such as malware, spyware, and spam, to other systems without the user’s
permission or knowledge.
Attacker Toolkits. Many attackers use toolkits containing several different types of utilities
and scripts that can be used to probe and attack systems, such as packet sniffers, port
scanners, vulnerability scanners, password crackers, remote login programs, and attack
programs and scripts.
In addition to malware, there are also a few common non-malware threats that are often associated with
malware. Phishing uses computer-based means to trick users into revealing financial information and
other sensitive data. Phishing attacks frequently place malware or attacker tools on systems. An
additional malicious content threat is virus hoaxes—false warnings of new malware threats.
Table 2-1 compares viruses, worms, Trojan horses, malicious mobile code, tracking cookies, and attacker
tools on the basis of key characteristics. Because blended attacks may combine features of any
combination of the other malware categories, their specific characteristics cannot be defined using these
Table 2-1. Differentiating Malware Categories (only the row headers survived extraction: Is it self-contained? Is it
self-replicating? What is its propagation)
3. Malware Incident Prevention
This section presents recommendations for preventing malware incidents within an organization. The
four main elements of prevention are policy, awareness, vulnerability mitigation, and threat mitigation.
Ensuring that policies address malware prevention provides a basis for implementing preventive controls.
Establishing and maintaining general malware awareness programs for all users, as well as specific
awareness training for the IT staff directly involved in malware prevention–related activities, are critical
to reducing the number of incidents that occur through human error. Expending effort on vulnerability
mitigation can eliminate some possible attack vectors. Implementing a combination of threat mitigation
techniques and tools, such as antivirus software and firewalls, can prevent threats from successfully
attacking systems and networks. Sections 3.1 through 3.4 address each of these areas in detail and
explain that organizations should implement guidance from each category of recommendations to create
an effective layered defense against malware.
When planning an approach to malware prevention, organizations should be mindful of the attack vectors
that are most likely to be used currently and in the near future. They should also consider how well-
controlled their systems are (e.g., managed environment, non-managed environment); this has significant
bearing on the effectiveness of various preventive approaches. In addition, organizations should
incorporate existing capabilities, such as antivirus software deployments and patch management
programs, into their malware prevention efforts. However, organizations should be aware that no matter
how much effort they put into malware incident prevention, incidents will still occur (e.g., previously
unknown types of threats, human error). For this reason, as described in Section 4, organizations should
have robust malware incident handling capabilities to limit the damage that malware can cause and
restore data and services efficiently.
Organizations should ensure that their policies address prevention of malware incidents. These policy
statements should be used as the basis for additional malware prevention efforts, such as user and IT staff
awareness, vulnerability mitigation, and threat mitigation (described in Sections 3.2 through 3.4,
respectively). If an organization does not state malware prevention considerations clearly in its policies,
it is unlikely to perform malware prevention activities consistently and effectively throughout the
organization. Malware prevention–related policy should be as general as possible to provide flexibility in
policy implementation and reduce the need for frequent policy updates, but also specific enough to make
the intent and scope of the policy clear. Although some organizations have separate malware policies,
many malware prevention considerations belong in other policies, such as acceptable use policies, so a
separate malware policy might duplicate some of the content of other policies.
related policy should include provisions related to remote workers—both those using systems controlled
by the organization and those using systems outside of the organization’s control (e.g., contractor
computers, employees’ home computers, business partners’ computers, mobile devices).
Common malware prevention–related policy considerations include the following:
Requiring the scanning of media from outside of the organization for malware before they can be
16 For example, many acceptable use policies state that the organization’s computing resources should be used only in support
of the organization. Personal use of computing resources is a common source of malware incidents; however, because there
are several other reasons why an organization might not want to permit personal use of computing resources, this policy
consideration is more appropriately addressed in the organization’s acceptable use policy than a malware policy.
17 Although all of these considerations are intended to help organizations prevent malware incidents, many of them could also
be helpful in detecting or containing incidents.
Requiring that e-mail file attachments, including compressed files (e.g., .zip files), be saved to
local drives or media and scanned before they are opened
Forbidding the sending or receipt of certain types of files (e.g., .exe files) via e-mail and allowing
certain additional file types to be blocked for a period of time in response to an impending
Restricting or forbidding the use of unnecessary software, such as user applications that are often
used to transfer malware (e.g., personal use of external instant messaging, desktop search engine,
and peer-to-peer file sharing services), and services that are not needed or duplicate the
organization-provided equivalents (e.g., e-mail) and might contain additional vulnerabilities that
could be exploited by malware
Restricting the use of administrator-level privileges by users, which helps to limit the privileges
available to malware introduced to systems by users
Requiring that systems be kept up-to-date with OS and application upgrades and patches
Restricting the use of removable media (e.g., floppy disks, compact discs [CD], Universal Serial
Bus [USB] flash drives), particularly on systems that are at high risk of infection, such as publicly
Specifying which types of preventive software (e.g., antivirus software, spyware detection, and
removal utilities) are required for each type of system (e.g., file server, e-mail server, proxy
server, workstation, personal digital assistant [PDA]) and application (e.g., e-mail client, Web
browser), and listing the high-level requirements for configuring and maintaining the software
(e.g., software update frequency, system scan scope and frequency)
Permitting access to other networks (including the Internet) only through organization-approved
and secured mechanisms
Requiring firewall configuration changes to be approved through a formal process
Specifying which types of mobile code may be used from various sources (e.g., internal Web
servers, other organizations’ Web servers)
Restricting the use of mobile devices on trusted networks.
An effective awareness program explains proper rules of behavior for use of an organization’s IT systems
and information. Accordingly, awareness programs should include guidance to users about malware
incident prevention, which can help reduce the frequency and severity of malware incidents. All users
within an organization should be made aware of the ways in which malware enters systems, infects them,
and spreads; the risks that malware poses; the inability of technical controls to prevent all incidents; and
the importance of users in preventing incidents. Awareness activities should also take into account the
characteristics of different environments, such as those encountered by telecommuters and traveling
employees in hotels, coffee shops, and other external locations. In addition, the organization’s awareness
program should cover the malware incident prevention considerations in the organization’s policies and
procedures, as described in Section 3.1, as well as generally recommended practices for avoiding malware
incidents. Examples of such practices are as follows:
Not opening suspicious e-mails or e-mail attachments from unknown or known senders
Not clicking on suspicious Web browser popup windows
Not visiting Web sites that are at least somewhat likely to contain malicious content
Not opening files with file extensions that are likely to be associated with malware (e.g., .bat,
.com, .exe, .pif, .vbs)
Not disabling the additional security control mechanisms (e.g., antivirus software, spyware
detection and removal utility, personal firewall)
Not using administrator-level accounts for regular system operation
Not downloading or executing applications from untrusted sources.
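One way to enforce the attachment rules from the policy considerations above (forbidding .exe attachments, requiring compressed attachments to be inspected before opening, temporarily blocking additional types) together with the extension list from the awareness practices, as an added Python example that is not part of NIST's guidance. The MIME message, the archive contents, the verdict names and the nesting limit are constructed assumptions.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SUSPICIOUS_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".vbs"}  # page's list
BLOCKED_EXTENSIONS = {".exe"}   # forbidden outright by policy (page example)
MAX_ARCHIVE_DEPTH = 2           # assumption: deeper nesting is held for review
_RANK = {"scan": 0, "review": 1, "block": 2}   # worst verdict wins


def extensions_of(name):
    """All extensions of a (possibly path-qualified) name, lower-cased,
    so 'invoice.pdf.exe' yields ['.pdf', '.exe']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:] if p]


def classify_name(name, temp_blocked=frozenset()):
    """'block', 'review', or 'scan' (allowed only after being saved and scanned).
    temp_blocked holds types blocked for a period in response to a threat."""
    exts = extensions_of(name)
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTENSIONS or final in temp_blocked:
        return "block"
    return "review" if final in SUSPICIOUS_EXTENSIONS else "scan"


def classify_archive(data, depth=1, temp_blocked=frozenset()):
    """Worst verdict over a zip's members; nested zips are opened up to
    MAX_ARCHIVE_DEPTH, and unreadable or too-deep archives are held."""
    if depth > MAX_ARCHIVE_DEPTH:
        return "review"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            verdict = "scan"
            for info in zf.infolist():
                if extensions_of(info.filename)[-1:] == [".zip"]:
                    member = classify_archive(zf.read(info), depth + 1, temp_blocked)
                else:
                    member = classify_name(info.filename, temp_blocked)
                if _RANK[member] > _RANK[verdict]:
                    verdict = member
            return verdict
    except zipfile.BadZipFile:
        return "review"   # an archive that cannot be opened cannot be scanned


def check_message(raw, temp_blocked=frozenset()):
    """Return [(filename, verdict), ...] for each attachment of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if extensions_of(name)[-1:] == [".zip"]:
            verdict = classify_archive(payload, 1, temp_blocked)
        else:
            verdict = classify_name(name, temp_blocked)
        results.append((name, verdict))
    return results


def build_sample_message():
    """Constructed message: a text file, a double-extension executable, and a
    zip carrying a .vbs script next to a harmless readme."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("macro.vbs", 'MsgBox "constructed"')
    msg = EmailMessage()
    msg.set_content("See attachments.")
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ-constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()
```

A "scan" verdict still means the attachment must be saved and scanned before it is opened; the function only decides what is blocked or held before the scanner runs.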
As described in Section 4, organizations should also make users aware of policies and procedures that
apply to malware incident handling, such as how to identify if a system may be infected, how to report a
suspected infection, and what users might need to do to assist with incident handling (e.g., updating
antivirus software, scanning systems for malware). Users should be made aware of how notices of major
malware incidents will be communicated and given a way to verify the authenticity of all such notices. In
addition, users should be aware of changes that might be temporarily made to the environment to contain
an incident, such as disconnecting infected systems from networks and blocking certain types of e-mail
As part of awareness activities, organizations should educate their users on the techniques that criminals
use to trick users into disclosing information. Organizations should also provide users with
recommendations for avoiding phishing attacks, which are described in Section 2.8.1. Examples of such
recommendations are as follows:
Never reply to e-mail requests for financial or personal information. Organizations should not
ask for such information by e-mail, because e-mail is susceptible to monitoring by unauthorized
parties. Instead, call the organization at its legitimate phone number, or type the organization’s
known Web site address into a Web browser. Do not use the contact information provided in the
Do not provide passwords, PINs, or other access codes in response to e-mails or unsolicited
popup windows. Only enter such information into the organization’s legitimate Web site.
Do not open suspicious e-mail file attachments, even if they come from known senders. If an
unexpected attachment is received, contact the sender (preferably by a method other than e-mail,
such as phone) to confirm that the attachment is legitimate.
Do not respond to any suspicious or unwanted e-mails. (Asking to have an e-mail address
removed from a malicious party’s mailing list confirms the existence and active use of that e-mail
address, potentially leading to additional attack attempts.)
Although user awareness programs help to reduce the frequency and severity of malware incidents, their
impact is typically minor compared to that of the technical controls for vulnerability and threat mitigation
described in Sections 3.3 and 3.4. An organization should not rely on user awareness as its primary
method of preventing malware incidents; instead, the awareness program should supplement the technical
controls to provide additional protection against incidents.
The awareness program for users should also serve as the foundation for awareness activities for the IT
staff involved in malware incident prevention, such as security, system, and network administrators. All
IT staff members should have some basic level of awareness regarding malware prevention, and
individuals should be trained in the malware prevention–related tasks that pertain to their areas of
responsibility. In addition, on an ongoing basis, some IT staff members (most likely, some members of
the security or incident response teams) should receive and review bulletins on new malware threats,
assess the likely risk to the organization, and inform the necessary IT staff members of the new threat so
that infections can be prevented. IT staff awareness activities related to malware incident handling are
discussed in Section 4.
3.3 Vulnerability Mitigation
As described in Section 2, malware often attacks systems by exploiting vulnerabilities in operating
systems, services, and applications. Consequently, mitigating vulnerabilities is very important to the
prevention of malware incidents, particularly when malware is released shortly after the announcement of
a new vulnerability, or even before a vulnerability is publicly acknowledged. A vulnerability can usually
be mitigated by one or more methods, such as applying patches to update the software, or reconfiguring
the software (e.g., disabling a vulnerable service).
Because of the challenges that vulnerability mitigation presents, including handling the continual
discovery of new vulnerabilities, organizations should have documented policy, processes, and
procedures for vulnerability mitigation and should also consider creating a vulnerability management
program to assist in mitigation efforts.
They also should evaluate their vulnerabilities constantly so that vulnerability mitigation efforts are
prioritized properly. Information on new vulnerabilities and major
new malware threats should be collected through a combination of sources, such as advisories from
incident response teams and organizations (e.g., the U.S. Computer Emergency Readiness Team [US-
CERT]), vendor security bulletins, and malware advisories from antivirus software vendors.
Organizations also should establish a mechanism for evaluating the new vulnerability and threat
information, determining appropriate mitigation methods, and distributing the information to the
appropriate parties. Organizations should also have a method for tracking the progress of mitigation
Organizations should approach mitigation of vulnerabilities using the principle of layered defense, since
no single measure will be sufficient to mitigate most vulnerabilities. Sections 3.3.1 through 3.3.3
describe three general categories of vulnerability mitigation techniques—patch management, least
privilege, and other host hardening measures.
In addition to vulnerability mitigation, organizations should also perform threat mitigation actions that
focus on stopping malware from having the opportunity
to attempt to exploit vulnerabilities. Security tools such as antivirus software can detect and stop malware
before it reaches its intended targets. Threat mitigation is particularly important for instances of malware
that do not exploit vulnerabilities, such as attacks that rely on tricking users into running malicious files.
Threat mitigation is also critical for situations where a major new threat is likely to attack an organization
soon and the organization does not have an acceptable vulnerability mitigation option. For example, there
might not be a patch available for a new vulnerability. Section 3.4 focuses on security tools that are
useful for threat mitigation.
More information on vulnerability mitigation, including patch management, is available from NIST SP 800-40, Creating a
Patch and Vulnerability Management Program, available from http://csrc.nist.gov/publications/nistpubs/index.html
19 In October 2005, the MITRE Corporation announced its Common Malware Enumeration (CME) project, which establishes
a standard identifier for each major new malware threat. Antivirus vendors often use different names to refer to the same
malware, which can be confusing to people reading vendor bulletins or receiving alerts from multiple antivirus products.
The intent of the CME project is to provide standard identifiers that can be used by all antivirus products. More information
on CME is available at http://cme.mitre.org/
20 There are many other steps that can also be helpful in mitigating vulnerabilities. The techniques listed here could apply to
securing nearly any system, but are particularly helpful for protecting against malware.