CHAPTER 16

MALICIOUS CODE

Robert Guess and Eric Salveggio

16.1 INTRODUCTION

16.2 MALICIOUS CODE THREAT MODEL

16.2.1 Self-Replicating Code

16.2.2 Actors: Origin of Malicious Code Threats

16.2.3 Actors: Structured Threats

16.2.4 Actors: Unstructured Threats

16.2.5 Access versus Action: Vector versus Payload

16.3 SURVEY OF MALICIOUS CODE

16.3.1 Viruses

16.3.2 Worms

16.3.3 Trojans

16.3.4 Spyware

16.3.5 Rootkits

16.3.6 IRC Bots

16.3.7 Malicious Mobile Code

16.4 DETECTION OF MALICIOUS CODE

16.4.1 Signature-Based Malicious Code Detection

16.4.2 Network-Based Malicious Code Detection

16.4.3 Behavioral Malicious Code Detection

16.4.4 Heuristic Malicious Code Detection

16.5 PREVENTION OF MALICIOUS CODE ATTACKS

16.5.1 Defense in Depth

16.5.2 Operational Controls for Malicious Code

16.5.3 Human Controls for Malicious Code

16.5.4 Technical Controls for Malicious Code

16.6 CONCLUSION

16.7 FURTHER READING

16.8 NOTES

16.1 INTRODUCTION.

Malicious logic (or code) is “hardware, software, or firmware that is intentionally included in a system for an unauthorized purpose.”1 In this chapter, we enumerate the common types of malicious code, sources of malicious code, methods of malicious code replication, and methods of malicious code detection.

Common types of malicious code include viruses, worms, Trojan horses, spyware, rootkits, and bots. Emerging malicious code threats include kleptographic code, cryptoviruses, and hardware-based rootkits. Present-day malicious code threats do not always fit into ...
