o Compiled viruses that are executed by an operating system. These include file infector viruses, which attach themselves to executable programs; boot sector viruses, which infect the master boot records of hard drives or the boot sectors of removable media; and multipartite viruses, which combine the characteristics of file infector and boot sector viruses.

o Interpreted viruses that are executed by an application. These include macro viruses that take advantage of the capabilities of the macro programming language to infect application documents and document templates; and scripting viruses that infect scripts and are understood by scripting languages processed by services on the operating system.

• Worms are self-replicating, self-contained programs that usually perform without user intervention. Worms create fully functional copies of themselves, and they do not require a host program to infect a system. Attackers often insert worms because they can potentially infect many more systems in a short period of time than a virus can. Worms include:

o Network service worms that take advantage of vulnerabilities in network services to propagate and infect other systems.

o Mass mailing worms that are similar to e-mail–borne viruses but are self-contained, rather than infecting an existing file.

• Trojan horses are self-contained, non-replicating programs that appear to be benign, but that actually have a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to systems. They often deliver other attacker tools to systems.

• Malicious mobile code is software with malicious intent that is transmitted from a remote system to a local system. The inserted programs are executed on the local system, usually without the user’s explicit instruction. Programs delivered in this way can be used by many different operating systems and applications, such as web browsers and e-mail clients. Although the mobile code may be benign, attackers use it to transmit viruses, worms, and Trojan horses to the user’s workstation. Malicious mobile code does not infect files or attempt to propagate itself, but exploits vulnerabilities by taking advantage of the default privileges granted to mobile code. Languages used for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

• Blended attacks use multiple methods of infection or transmission. A blended attack could combine the propagation methods of viruses and worms.

• Tracking cookies are persistent cookies that are accessed by many websites, allowing a third party to create a profile of a user’s behavior. Tracking cookies are often used in conjunction with web bugs, which are tiny graphics on websites and which are referenced within the HTML content of a web page or e-mail. The purpose of the graphic is to collect information about the user viewing the content.

• Attacker tools might be delivered to a system as part of a malware infection or other system compromises. These tools allow attackers to have unauthorized access to or use of infected systems and their data, or to launch additional attacks. Popular types of attacker tools include:

o Backdoors are malicious programs that listen for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a system, such as acquiring passwords or executing arbitrary commands. Backdoors include zombies (also known as bots), which are installed on a system to cause it to attack other systems, and remote administration tools, which are installed on a system to enable a remote attacker to gain access to the system’s functions and data.

o Keystroke loggers monitor and record keyboard use. Some require the attacker to retrieve the data from the system, while other loggers actively transfer the data to another system through e-mail, file transfer, or other means.

o Rootkits are collections of files that are installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit can make many changes to a system to hide the rootkit’s existence, making it very difficult for the user to determine that the rootkit is present and to identify what changes have been made.

o Web browser plug-ins provide a way for certain types of content to be displayed or executed through a web browser. Attackers often create malicious web browser plug-ins that act as spyware and monitor the use of the browser.

o E-mail generators are programs that can be used to create and send large quantities of e-mail, such as malware, spyware, and spam, to other systems without the user’s permission or knowledge.

o Attacker toolkits include several different types of utilities and scripts that can be used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts.

• Common non-malware threats associated with malware include phishing, which uses computer-based means to trick users into revealing financial information and other sensitive data. Phishing attacks frequently place malware or attacker tools on systems. Virus hoaxes, which are false warnings of new malware attacks, are another common threat.

ITL Bulletins Via E-Mail
We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to listproc@nist.gov with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov with the message HELP. To have the bulletin sent to an e-mail address other than the FROM address, contact the ITL editor at 301-975-2832 or elizabeth.lennon@nist.gov

Who We Are
The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is http://www.itl.nist.gov.

3 December 2005

Recommendations for Preventing Malware Incidents

Organizations should protect their information and information systems from malware through their ongoing IT planning, management, and implementation activities. NIST recommends that organizations take the following actions to prevent malware incidents and to respond effectively and efficiently to any attacks that might occur.

Develop and implement an approach to malware incident prevention, based on the attack methods that are most likely to be used, both currently and in the near future. Choose prevention techniques that are appropriate to the computing environment and system, and provide for policy statements, awareness programs for users and IT staff, and vulnerability and threat mitigation efforts.

Ensure that policies support the prevention of malware incidents and provide for user and IT staff awareness, vulnerability mitigation, and security tool deployment and configuration. Malware prevention should be stated clearly in policies, which should be as general as possible to allow for flexibility in implementation and to reduce the need for frequent updates. At the same time, policy statements should be specific enough to make their intent and scope clear and to achieve consistent and effective results. Policies should include provisions that are applicable to remote workers, both those using systems controlled by the organization and those using systems outside of the organization’s control such as contractor computers, home computers, computers of business partners, and mobile devices.

Incorporate malware incident prevention and handling into awareness programs and provide guidance and training to users. Users should be alerted to the ways that malware spreads, the risks that malware poses, the inability of technical controls to prevent all incidents, and the role of users in preventing incidents. Users should be aware of policies and procedures for incident handling, including how to detect malware on a computer, how to report suspected infections, and what can be done to assist the incident handlers.

Establish capabilities to mitigate vulnerabilities and to help prevent malware incidents through documented security policy, technical processes, and procedures. Appropriate techniques or combinations of techniques should be used for patch management, application of security configuration guides and checklists, and host protection to address vulnerabilities effectively.

Establish threat mitigation capabilities to assist in containing malware incidents by detecting and stopping malware before it can affect systems. NIST strongly recommends that organizations install antivirus software on all systems when such software is available. Other technical controls that can be used are intrusion prevention systems, firewalls, routers, and certain application configuration settings.

Establish a robust incident response process capability that addresses malware incident handling through preparation, detection and analysis, containment/eradication/recovery, and post-incident activities.

• Preparation. Develop malware-specific incident handling policies and procedures. Regularly conduct malware-oriented training and exercises;
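The bulletin defines a web bug as a tiny graphic referenced from a page or e-mail and a tracking cookie as a persistent cookie read by many sites. The following Python is an added example, not code from the bulletin or from NIST, showing how those two definitions translate into content checks a defender can run: an image is flagged when it is 1x1 or hidden and its source host differs from the page's host, and a Set-Cookie value is classed as persistent when it carries an Expires or Max-Age attribute. The sample page and every host name in it are constructed.

```python
"""Spot probable web bugs and persistent cookies in content a user receives.

Added example (not from the NIST bulletin). Two defensive checks that follow
the bulletin's definitions: a web bug is a tiny or hidden image whose source
is a host other than the page's own, and a tracking cookie is a persistent
cookie (one carrying Expires or Max-Age). Host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; all host names are hypothetical.
SAMPLE_HTML = """
<html><body>
<img src="/logo.png" width="200" height="60" alt="Site logo">
<img src="http://tracker.example.net/pixel.gif?id=12345" width="1" height="1">
<img src="https://ads.example.org/b.gif" style="display:none">
<img src="http://www.example.com/banner.jpg" width="468" height="60">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse '1', '1px' or ' 1 ' to an int; return None if not numeric."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def _tiny_or_hidden(attrs):
    """True for a 1x1 (or smaller) image, or one hidden via inline style."""
    w, h = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_web_bugs(html, page_url):
    """Return the src of each third-party image that is tiny or hidden."""
    page_host = urlparse(page_url).hostname
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs (same site)
        if host is not None and host != page_host and _tiny_or_hidden(attrs):
            hits.append(src)
    return hits


def is_persistent_cookie(set_cookie_value):
    """True if a Set-Cookie value outlives the browser session."""
    attributes = [p.strip().lower() for p in set_cookie_value.split(";")[1:]]
    return any(a.startswith(("expires=", "max-age=")) for a in attributes)


if __name__ == "__main__":
    print(find_web_bugs(SAMPLE_HTML, "http://www.example.com/index.html"))
    print(is_persistent_cookie("uid=abc; Path=/; Expires=Wed, 01 Jan 2030 00:00:00 GMT"))
```

The size and style test is a heuristic: a legitimate same-site spacer image is never reported because its host matches the page, and a third-party image only counts when it is effectively invisible, which is what distinguishes a beacon from an ordinary embedded graphic.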
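The bulletin describes backdoors as programs that listen for commands on some TCP or UDP port, and its threat-mitigation recommendation is to detect malware before it affects systems. A defender rarely knows the port in advance, so a practical check is to compare what a host is actually listening on against a baseline of what it is supposed to expose. The Python below is an added example, not the bulletin's or NIST's code; it parses the text format of `ss -lntup` on Linux, with a constructed sample (process names and the allowlist are hypothetical), and reports every listener not in the baseline.

```python
"""Compare a host's listening sockets against an approved baseline.

Added example (not from the NIST bulletin). The input is the text format of
`ss -lntup` on Linux; the sample below is constructed and the process names
and the baseline allowlist are hypothetical. A listener absent from the
baseline is reported for follow-up, which surfaces a program waiting on an
unexpected TCP or UDP port without knowing that port ahead of time.
"""
import re

# Constructed sample output; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*   users:(("dhclient",pid=612,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      128    [::]:22           [::]:*      users:(("sshd",pid=845,fd=4))
tcp   LISTEN 0      511    127.0.0.1:631     0.0.0.0:*   users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      10     0.0.0.0:51234     0.0.0.0:*   users:(("updsvc",pid=4172,fd=4))
udp   UNCONN 0      0      0.0.0.0:6667      0.0.0.0:*   users:(("updsvc",pid=4172,fd=5))
"""

# Hypothetical allowlist: (protocol, port, process name) the host should expose.
BASELINE = {("tcp", 22, "sshd"), ("udp", 68, "dhclient"), ("tcp", 631, "cupsd")}

_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"      # Netid State Recv-Q Send-Q
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"         # Local Address:Port, Peer
    r'users:\(\("(?P<proc>[^"]+)"'                   # first process name
)


def parse_listeners(ss_text):
    """Return (proto, port, process, local_address) for each listener line."""
    found = []
    for line in ss_text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append((m["proto"], int(m["port"]), m["proc"], m["addr"]))
    return found


def unexpected_listeners(ss_text, baseline=BASELINE):
    """Listeners whose (proto, port, process) triple is not in the baseline."""
    return [entry for entry in parse_listeners(ss_text)
            if entry[:3] not in baseline]


if __name__ == "__main__":
    for proto, port, proc, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected {proto} listener on {addr}:{port} by {proc}")
```

Keying the baseline on the process name as well as the port matters: a listener on an approved port run by an unapproved program is still reported. The baseline itself belongs under configuration management, so that a change to it is reviewed rather than silently absorbed.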
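Trojan horses, as the bulletin puts it, replace existing files with malicious versions or add new ones, and rootkits alter a system's standard functionality by installing their own files; its vulnerability-mitigation recommendation lists host protection among the countermeasures. One host-protection control that answers both descriptions is a file-integrity baseline. The Python below is an added example, not the bulletin's or NIST's code: it records a SHA-256 manifest of a directory tree, then reports added, removed and modified files on a later pass. The tree and its "tampering" in `demo()` are constructed inside a temporary directory, so nothing on the real system is read or changed.

```python
"""Detect file replacement or addition with a hash manifest.

Added example (not from the NIST bulletin). A baseline manifest of SHA-256
digests is taken while the host is known-good; a later comparison reports
files that were added, removed or modified. The directory, its contents and
the simulated tampering in demo() are all constructed in a temporary folder.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each regular file under root (relative path, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report paths added, removed, or whose digest changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(path, data):
    """Create parent directories as needed and write data to path."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "ls"), b"original ls content")
        _write(os.path.join(root, "bin", "ps"), b"original ps content")
        _write(os.path.join(root, "etc", "hosts"), b"127.0.0.1 localhost\n")
        baseline = hash_tree(root)
        # Simulated tampering (constructed): one file replaced, one new file
        # added, one removed. Only the temporary tree is touched.
        _write(os.path.join(root, "bin", "ps"), b"replaced ps content")
        _write(os.path.join(root, "bin", ".cache"), b"new file")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

For this control to mean anything in practice, the baseline manifest has to be stored where the monitored host cannot rewrite it (read-only media or a separate system), since a rootkit that can alter system files can equally alter a manifest kept beside them.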