Researchers develop malware to devise protection against it

Malware action – security reaction. In most cases, security researchers and professionals are bound to this vicious cycle, but there are some that have taken steps to break it.

A number of computer scientists from the University of Calgary (Canada) have begun developing their own malware so that they can study it, understand it and establish successful strategies to stop it when such an attack is performed “in the wild”.

The scientists developed a piece of adware that doesn’t show any signs on the host computer but shows ads on adjacent computers, and they dubbed it “Typhoid adware” (a nod to “Typhoid Mary”, an Irish woman who became known as one of the first persons who were healthy carriers of an infectious disease).

Associate professor John Aycock, assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin started working on typhoid adware last year, and they published their results in a paper in March.

You may think that adware does not present a great enough danger to warrant this kind of attention, but Aycock points out to Government Technology that “the underlying attack mechanism could be used to do a number of things”. Think about the extent of damage this piece of malware could do if the ads were made to inject malicious code into the users’ systems or prompt them to install any number of malicious programs under false pretenses (fake anti-virus solutions and scareware come to mind).

Its modus operandi is very similar to a man-in-the-middle attack: unbeknownst to the users, it intercepts the communication between two endpoints and alters their network traffic. Since the malware in question is adware, the uninfected users are targeted with advertisements inserted into the content they are perusing. The problem with this type of attack is that the infected users aren’t aware of the infection because there are no symptoms, so they never search for the culprit, while the users who do see the symptoms aren’t able to locate the offending malware on their computer because it isn’t there.

“We have developed three proofs of concept to demonstrate that this is a viable threat, tested it on wired and wireless networks, and inserted advertisements into both HTML and streaming video. The general idea can be extended for other types of network and applications,” say the researchers in the paper. “With Internet access becoming increasingly available in public spaces, threats like typhoid adware taking advantage of the physical proximity of victims are likely to become more prevalent.”

As regards the possible defenses to prevent or minimize the risk this type of malware represents, the researchers recommend techniques that prevent ARP spoofing and content modification, and the use of encryption and signed checksum lists. For more in-depth details about their research, I would recommend reading their paper.
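One of the defenses the researchers name is preventing ARP spoofing, which is the usual way an adjacent infected host gets to sit in the middle of its neighbours' traffic. The following is an added example, not code from the paper or the article: a minimal detector that watches observed ARP replies and flags an IP address whose hardware binding changes, optionally pinned against a known-good table for the gateway. The replies and addresses are constructed for illustration.

```python
"""Added example (not from the University of Calgary paper): a minimal
ARP-spoofing detector. It consumes observed ARP replies as
(timestamp, sender_ip, sender_mac) tuples and flags any IP that was
previously bound to one MAC but is now claimed by another, which is the
footprint an adjacent host leaves when it impersonates the gateway."""
from typing import Dict, List, Optional, Tuple

ArpReply = Tuple[float, str, str]  # (timestamp, sender_ip, sender_mac)

# Constructed sample: the gateway 192.168.1.1 legitimately answers from
# ...:01, then a second host (...:42) starts answering for the same IP.
SAMPLE_REPLIES: List[ArpReply] = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2.5, "192.168.1.1", "AA:BB:CC:00:00:42"),  # conflicting claim
    (3.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (4.0, "192.168.1.1", "aa:bb:cc:00:00:42"),  # repeated conflict
]


def detect_arp_conflicts(replies: List[ArpReply],
                         trusted: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one alert per reply whose MAC differs from the binding first
    seen (or pinned) for that IP. `trusted` pre-loads known-good IP->MAC
    pairs so a spoofed reply is caught even if it is the first one seen."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts: List[dict] = []
    for ts, ip, mac in replies:
        mac = mac.lower()              # normalise case before comparing
        known = table.get(ip)
        if known is None:
            table[ip] = mac            # first binding observed: remember it
        elif known != mac:
            alerts.append({"time": ts, "ip": ip,
                           "expected_mac": known, "seen_mac": mac})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_conflicts(SAMPLE_REPLIES):
        print(f"[{a['time']:.1f}] {a['ip']} claimed by {a['seen_mac']} "
              f"(expected {a['expected_mac']})")
```

A real deployment would feed this from a packet capture and pin the gateway binding from a trusted source rather than trusting the first reply seen.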
