Evolution of Malicious Code

Tuesday 27 February 2007

Ross Patel, Director of Security, AFENTIS


A virus is defined as a program that performs actions on a user’s computer without the user’s knowledge or permission. Viruses are spread by files. Initially, viruses were spread by users exchanging infected files from computer to computer on floppy disc. With the advent of widespread use of the Web, viruses tend to spread via email or file-sharing.

Other forms of malware are worms and trojan horses:

Worms are self-replicating programs. A worm uses a network to send copies of itself to other nodes; it is different to a virus in that it does not need to be attached to an existing file. Worms harm networks (if only by degrading performance because of extra bandwidth usage) whereas viruses infect or corrupt files on a targeted computer.

Trojan horses are malware pretending to be software with a legitimate purpose. These can be legitimate executables that have been tampered with to include malicious code that will execute when the software is run, or standalone malicious code that has been disguised as something else, such as a game or a desktop accessory.

While the situation concerning malware is bad, it is nevertheless over-hyped by some sections of the press. Incidents of malware are rising, but the number of incidents that are reported is falling.

There are several reasons why organisations are reluctant to report malware incidents, including the cost of follow-up investigations, impact on the business, and possible damage to the organisation’s reputation. In the UK in 2006, according to the Department of Trade and Industry, around 20% of reported cybercrime incidents involved infection with viruses.

Malware originates from a large number of countries around the globe. It is a myth that certain countries such as Russia are ‘principal’ exporters of malware; in fact, the only significant malware attack known to have originated from Russia is the Bagle mass-mailing worm. Malware has been traced back to many countries across Europe and Asia, and also the USA. Recently, increasing numbers of malware attacks have been traced to China, Brazil and Turkey.


The motivation for producing malware has changed over the years. In the 1970s and 1980s virus writers were motivated by the challenge of defeating security mechanisms, the desire to cause loss of or damage to data, or just as a practical joke.

Many earlier viruses made their presence known by displaying messages on screen or playing sounds, sometimes in response to certain events or on certain dates. Such ‘benign’ viruses can still cause problems by consuming machine resources, leading to degraded performance or even system crashes.

Many of today’s malware threats are motivated by financial gain. A particular example of this is the large number of so-called ‘phishing’ attacks that occur, aiming to gain access to users’ bank accounts and hence steal money from them.

Ross presented a timeline of viruses “in the wild” from the early 1980s. Also discussed were ways in which malware can be transmitted and hosted on a target machine. For example, malware can be transmitted in executable files, document macros, script files.

It is difficult to host malware in media files like JPEG and MP3 files, and HTML files are unlikely to contain malicious code if they do not make use of client-side scripting; however they may contain links to other malicious code.

Evolution of malware

Malware writers are constantly looking for ways to circumvent anti-malware solutions. Methods used in recent malware have included polymorphic code (code that changes its structure, but not the original algorithm) and metamorphic code (where the malware code re-writes itself with each infection in an attempt to avoid detection by antivirus scanners).


There was a discussion on the relative levels of threat presented by malware to different operating systems. Compared to Windows systems, the number of security exploits targeting Apple Mac and Unix systems is relatively small; there are around 63 known viruses that target MacOS, for example.

This can partly be explained by the fact that malware produced for financial gain will target the more commonly-used platforms. Also, Unix-based systems (including the later incarnations of MacOS) natively block access to the operating system, and make much more use of tiered privileges to restrict what executable code can do.

Ross rounded off his talk by listing the ways in which malware attacks can be countered. It is important that software should be secure by design, to limit opportunities for it to be compromised, and security holes in operating systems should be patched when they are identified.

Secure backups of data will also minimise or avoid data loss in the event of a malware attack. The presentation closed by stressing that if there is a ’silver bullet’, it is user education and awareness. Many malware attacks could be avoided if users had a better understanding of the risks, and of what to look out for.