SPAM-like spreading.
In this scenario, the malware is sent by e-mail in the same way as spam. The malware has no
self-spreading functionality at all.
Adjustment to the network environment.
To bypass behavior-based network protection, which analyzes network traffic,
malware could wait and first analyze the network environment. The malware would
check protocol usage patterns and then adjust itself to use specific protocols for
its communications (through covert channels), keeping its own traffic below the observed
threshold for these protocols, and similar tricks.
Utilizing various network protocols.
As I already wrote, malware that exploits various protocols such as ARP, DNS,
DHCP and others in a corporate LAN could pose a significant threat.
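The two scenarios above share a consequence for the defender: once malware has measured the LAN's normal protocol mix and keeps its own traffic under the observed rate, a per-protocol volume threshold no longer fires, and detection has to look at content-level features of the protocol being abused instead. The following script is an added example written for this page, not code from the thesis or from any of the cited works. It runs a volume rule and a content rule over a handful of constructed flow records (host names, the DNS query names and the threshold values are all invented for the illustration) so the difference is visible.

```python
"""Added example (not from the thesis): a volume threshold versus a
content-level rule, run over constructed flow records."""
import math
from collections import Counter, defaultdict
from statistics import median

# Constructed sample flow records: (src_host, protocol, detail).
# For DNS the detail is the queried name; for other protocols it is empty.
SAMPLE_FLOWS = [
    ("host-a", "DNS", "www.example.com"),
    ("host-a", "DNS", "mail.example.com"),
    ("host-a", "HTTP", ""),
    ("host-a", "HTTP", ""),
    ("host-b", "DNS", "www.example.com"),
    ("host-b", "HTTP", ""),
    ("host-b", "HTTP", ""),
    ("host-b", "HTTP", ""),
    # host-c keeps its DNS volume at the LAN's typical rate, but the query
    # names carry encoded data (long, high-entropy leftmost labels), which is
    # the trace a covert DNS channel leaves behind. Names are constructed.
    ("host-c", "DNS", "x9k2q7v1p4m8z3w6.tunnel.example"),
    ("host-c", "DNS", "a8f3j1n6r2t5y7u0.tunnel.example"),
    ("host-c", "HTTP", ""),
    ("host-c", "HTTP", ""),
]


def per_host_protocol_counts(flows):
    """Count flows per (host, protocol)."""
    counts = defaultdict(Counter)
    for host, proto, _detail in flows:
        counts[host][proto] += 1
    return counts


def volume_outliers(flows, proto, factor=3.0):
    """Classic threshold rule: flag hosts that use `proto` more than `factor`
    times the LAN median. Malware that has measured that median and stays
    under it is invisible to this rule."""
    counts = per_host_protocol_counts(flows)
    per_host = {host: c[proto] for host, c in counts.items()}
    if not per_host:
        return []
    threshold = factor * median(per_host.values())
    return sorted(host for host, n in per_host.items() if n > threshold)


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    freq = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in freq.values())


def dns_feature_outliers(flows, min_label_len=12, min_entropy=3.5):
    """Content-level rule: flag hosts whose DNS queries carry a leftmost label
    that is both long and high-entropy, regardless of how many queries they
    send. The cut-offs are illustrative, not tuned values."""
    flagged = set()
    for host, proto, name in flows:
        if proto != "DNS" or not name:
            continue
        label = name.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    print("volume outliers:", volume_outliers(SAMPLE_FLOWS, "DNS"))   # []
    print("feature outliers:", dns_feature_outliers(SAMPLE_FLOWS))    # ['host-c']
```

Every host sends two DNS queries, so the volume rule (three times the median) reports nothing; only the rule that inspects the query names singles out host-c. In a real deployment the per-query features would come from a DNS log or packet capture rather than an inline list, and the cut-offs would be set against the organisation's own baseline.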
Using mix networks and onion routing.
The idea of using a mix network in malware has been discussed in various publications
and books [b3]. A mix network with onion routing is a good solution for
anonymity, safety and privacy. The idea behind such a network is to send an
encrypted message through many hops, making it harder to track the source
and the destination of this message. Malware could use a mix network such as
Tor [22] to protect its communications.
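The reason onion routing frustrates tracing is that each relay strips one layer of encryption and learns only the next hop, so an observer at any single point of the path, including the victim's own network edge, sees neither the whole route nor the final destination. The toy below is an added example written for this page, not code from the thesis, from Tor, or from [b3]; it replaces Tor's real per-hop encryption with a throwaway SHA-256 keystream XOR (no authentication, illustration only), and the relay names, keys, destination and message are all constructed. It builds the layered message and then records what an observer stationed at each hop can read.

```python
"""Added example (not from the thesis): a toy onion, built to show what an
observer at each hop learns. Toy cipher, constructed keys and names."""
import hashlib
import json


def _keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream. Symmetric,
    so the same call encrypts and decrypts. Not a real cipher; illustration
    only."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream[: len(data)]))


# Constructed hop keys, standing in for per-relay session keys.
HOP_KEYS = {"relay-1": b"k1", "relay-2": b"k2", "relay-3": b"k3"}
PATH = ["relay-1", "relay-2", "relay-3"]


def build_onion(path, keys, destination, payload):
    """Wrap `payload` in one layer per hop. Each layer holds only the name of
    the next hop and the still-encrypted remainder, so the innermost layer
    (for the last relay) is built first."""
    next_hop = destination
    body = payload.encode()
    for hop in reversed(path):
        plain = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        body = _keystream_xor(keys[hop], plain)
        next_hop = hop
    return body  # outermost layer, readable only by path[0]


def peel_layer(hop, keys, onion):
    """What relay `hop` can do: strip its own layer, learn the next hop and
    forward the remainder, which it cannot read."""
    plain = json.loads(_keystream_xor(keys[hop], onion).decode())
    return plain["next"], bytes.fromhex(plain["body"])


def observer_view(path, keys, onion):
    """Walk the path and record, per hop, the pair (this hop, next hop) that a
    passive observer at that hop can see. Returns the views and the payload
    that only the last relay recovers."""
    views = []
    current = onion
    for hop in path:
        next_hop, current = peel_layer(hop, keys, current)
        views.append((hop, next_hop))
    return views, current.decode()


if __name__ == "__main__":
    onion = build_onion(PATH, HOP_KEYS, "dest.example", "hello")
    views, payload = observer_view(PATH, HOP_KEYS, onion)
    for hop, next_hop in views:
        print(f"observer at {hop} sees next hop: {next_hop}")
    print("payload recovered by last relay:", payload)
```

The observer at relay-1, the only hop the victim's network sees, learns nothing beyond relay-2; the destination appears only in the last layer. For a defender this is the practical point: tracing the C2 endpoint through the mix network is not feasible from the LAN, so controls have to act on the fact that the host is talking to a mix network at all (for instance by flagging connections to known relay addresses at the egress).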
2.12 Code Metamorphism
2.12.1 Source code obfuscators
Some classes of malware spread in source code form and are then executed on the
victim computer. This class includes malware written in HTML, JavaScript,