Assessing the Intentions and Timing of Malware


Introduction
In today's online environment, computer systems now dominate our personal, business, and financial lives. However, our dependency on these systems also makes us vulnerable to cybercriminals. The cost of cybercrime now exceeds $110 billion USD and affects 566 million victims annually, which equates to 1.5 million victims per day or 18 victims per second (Symantec, 2012). Malware, short for "malicious software", includes computer viruses, worms, trojan horses, and spyware (TechTerms, 2014), and is used for a range of illicit activities such as distributing spam email and stealing sensitive information.
Although there has been a lot of research on detecting malware (e.g., Baecher et al., 2006; Gu et al., 2007; Invernizzi et al., 2014; Jain & Bajaj, 2014; Jiang et al., 2007; Peng et al., 2013) and analyzing it from a technical perspective (e.g., Dinaburg et al., 2008; Jain & Bajaj, 2014; Moser et al., 2007; Willems et al., 2007; Yin et al., 2007), there is a lack of research on timing and categorizing malware based on its intentions. A greater understanding of the intentions of attackers will increase the defender's knowledge of how to mitigate attacks. This article examines an evolutionary timeline of malware based on eight examples of malware dating from the first computer virus in 1971 (Gatto, 2011) through to a recent example from 2012. These examples are used to develop an intention-based classification of malware, which is then combined with Axelrod and Iliev's (2013) optimal timing model. The optimal timing model deals with the question of when the malware should be used, given that its use today may well prevent it from being available for use later. The optimal timing model is presented from the perspective of the offense, helping predict the best time to use a resource. However, the results are equally relevant to a defender who wants to estimate how high the stakes have to be in order for the offense to use their resource. When the optimal timing model is combined with the intention-based classification, the new model helps clarify how the timing of malware can depend on the stakes involved in the present situation, as well as the characteristics of the resource for exploitation. Even further, the model helps predict the level of sophistication one could be facing, increasing the chances of mitigating the malware (Galarneau, 2002; Mell et al., 2005; Symantec, 2014).
Axelrod and Iliev test their optimal timing model on four individual case study examples. Applying the model to a broader class of malware samples will further test their model or allow new perspectives and theories to evolve. Because both models use the same definitions for a malware's stealth and persistence capabilities, they can be easily combined to provide a better understanding of the intentions and timing of the attacker's malware.
Malware has become a significant, complex, and widespread problem within the computer industry. It represents one of the most prevalent threats to cybersecurity and is increasingly able to circumvent current detection and mitigation techniques. To help better understand when a malware attack might happen, this article proposes an intention-based classification of malware and merges it with an optimal timing model to help predict the timing of malware based on its classification. The classification model is based on an examination of eight malware samples, and it identifies four malware classifications and commonalities based on the dimensions of persistence and stealth. The goal of the article is to provide a better understanding of when cyber-conflict will happen, and to help defenders better mitigate the potential damage.


Brent Maheux
This article is structured as follows. The first section describes and analyzes eight examples of malware, from the first computer virus in 1971 to a case of cyberwarfare in 2012. Next, Axelrod and Iliev's (2013) optimal timing model is introduced and applied to the context of malware. Then, drawing upon the examples of malware analyzed earlier, an intention-based classification of malware is proposed and combined with the optimal timing model to illustrate how the optimal timing of malware can be determined depending on the attacker's intentions. The final section provides conclusions.

Examples of Malware
In this section, eight examples illustrate the evolution of malware, ranging from the first experimental computer virus from 1971 to a cyberespionage application that was discovered in 2012. These eight cases were selected as being noteworthy examples of malware based on a combination of timelines (Hansen, 2013; Infoplease, 2012; Khanse, 2014; Larsen, 2012; Malware Database, 2014; PC History, 2003; Standler, 2008). The eight examples are spread out over the history of malware and are generally representative of contemporary malware examples.
1. Creeper: The first virus. In 1971, the Creeper system, now considered to be the first computer virus, was an experimental self-replicating program that infected DEC PDP-10 computers running the TENEX operating system (Gatto, 2011). Creeper gained access via the ARPANET by searching for a machine within the network, transferring itself, displaying a message, then starting over, thereby hopping from system to system. It was developed for experimental purposes, as a proof of concept within an academic research context.

2. Elk Cloner: The first outbreak. Elk Cloner was created in 1982 as a prank by a 15-year-old high school student. The virus attached itself to the operating system of Apple II computers and then spread itself via floppy disk to other computers, on which it would display a poem instead of loading a game. Elk Cloner is one of the first known viruses that spread beyond the computer system or laboratory in which it was written (Rouse, 2005).

3. Happy99: The happy worm. As the name suggests, this worm was developed in 1999 and usually arrived as an email attachment or news post that was named Happy99.exe. Once executed, Happy99 would display fireworks, then copy itself to the Windows system folder and then email itself to all contacts listed on the system. Lacking any destructive payload, Happy99 would not cause damage to the actual affected computer; it was simply a prank (Elnitiarta, 2007).
4. Code Red: Vulnerable web servers. In 2001, Code Red infected web servers, where it automatically spread by exploiting a known vulnerability in Microsoft IIS servers. In less than one week, nearly 400,000 servers were infected, and the homepage of their hosted websites was replaced with the message "Hacked By Chinese!" Code Red had a distinguishing feature designed to flood the White House website with traffic from the infected servers, which likely makes it the first case of documented political "hacktivism" on a large scale (Lovet, 2011).

5. Blaster:

As shown in Table 1, the eight examples of malware can be summarized along the following six dimensions:
1. Year: date of first discovery.
2. Intention: the reason the malware was created. Types of intentions include experimental (including research, entertainment, demonstrations of skill), financial (including theft and fraud), political (including "hacktivists"), and cyberwarfare (including state-sponsored attacks).
3. Initial access: how the malware gained access to the system or network.Means of initial access include social engineering (i.e., psychological manipulation), a zero-day vulnerability (i.e., a previously unknown vulnerability in a computer application), and a known vulnerability.
4. Stealth: the probability that, if you use a resource now, it will still be available to use later (Axelrod & Iliev, 2013).
5. Persistence: the probability that, if you refrain from using a resource now, it will still be available to use in the future (Axelrod & Iliev, 2013).
6. Extent: the number of computers affected.
As Table 1 shows, the number of computers affected by the malware increases over time, except in the recent case of Flame, which is malware for targeted espionage, not widespread impact. Early examples of malware were readily detected and did not persist for long, and tended to rely on known vulnerabilities and social engineering for initial access. Later examples, particularly in malware for cyberwarfare, show a trend toward more targeted attacks with increased stealth and persistence.

Modelling Malware Based on Intentions and Timing
The design and features of a particular malware application will depend on the creator's intentions, and its users must also take into account the optimal timing of its desired impact. In the general context of cybersecurity, Axelrod and Iliev (2013) developed an optimal timing model to help understand when a given attacker should exploit its capacity to do harm. Their model considers important assumptions about the stakes at hand and the resource characteristics in terms of stealth and persistence:
1. Stakes: their model assumes that the attacker knows the current stakes (how important the target currently is) but does not know what the stakes will be at any future point, although they do know the distribution of stakes over time.
2. Stealth: the probability that, if you use a resource now, it will still be available to use later.
3. Persistence: the probability that, if you refrain from using a resource now, it will still be available to use in the future.
Thus, Axelrod and Iliev's (2013) optimal timing model can be used to predict the optimal time to maximize the value of a particular malware application if an attacker knows the current stakes and the application's capabilities in terms of stealth and persistence. An attack-value threshold can be calculated based on the malware's stealth and persistence and the capacity and vigilance of the intended target. For instance, the stealth of malware used against a well-protected target is likely to be less than the stealth of the same malware against a target that is not particularly attentive to security. Likewise, malware will typically have less persistence against a target that keeps its systems up-to-date with security patches than against a target that does not.
Thus, stealth and persistence depend on both the characteristics of the malware itself and the context of its use. Ideally, the attacker would have security knowledge of the systems they are trying to compromise. In the real world, and in Axelrod and Iliev's (2013) optimal timing model, the characteristics of stealth, persistence, and stakes can be weighted differently. However, for simplicity in this preliminary proposal, the model weighs each of the characteristics the same.
Overall, the optimal timing model identifies three factors that favour attacker patience: low stealth, high persistence, and low stakes. However, when the stakes are high, the model favours acting now, especially for malware with high stealth and low persistence. Indeed, based on the analysis of the cases shown in Table 1, the attacker's intentions can be mapped along the two dimensions of stealth and persistence, as shown in Figure 1. The political malware examples would be found in the top left corner of Figure 1, which is characterized by high persistence and low stealth. For example, "hacktivist" malware often has high persistence and goes undetected until the group wants to raise awareness of a particular situation (Tarzey & Fernandes, 2013). Cyberwarfare malware uses high stealth and high persistence to stay undetected for as long as possible.
Financial malware has high stealth, enabling its creators to steal information through social engineering or by misleading users; however, it has low persistence, because social engineering lures are often based on current events and so have a limited lifespan (Conheady, 2012). The final classification is experimental, with low stealth and low persistence: experimental malware does not persist on computers and has little potential lifespan, because it is often based on publicly known weaknesses in a system and is created simply to show how an attacker can take advantage of the weakness. Within the set of malware samples studied in this article, all experimental malware displayed messages indicating that it was on the computer, and then it would be deleted by users or the vulnerability would be patched.
The classification shown in Figure 1 can be enhanced by introducing variable stakes, as described in Axelrod and Iliev's (2013) model. Table 2 shows three scenarios of low, constant, and high stakes and the optimal timing for the use of malware depending on its intention.
When the stakes are low, the optimal timing model determines that the current time is not the optimal time to use the malware for any malware classification, except, potentially, financial malware.

Under constant stakes, the results in Table 2 show that financial malware should be used immediately. The model suggests the use of financial malware because, as defined by the intention-based classification, financial malware has low persistence and high stealth, making it the exact candidate to use under the optimal timing model. For example, a setting where the stakes are constant over time is the exploitation of stolen credit card information.
Under high stakes, the results in Table 2 show that it is optimal to use the resource immediately, except perhaps when the intention is political. The famous political, or "hacktivist", group Anonymous continues to use their resources, but only to send a message relating to a particular event. It is likely that they believe their message should be voiced on a particular world event, so their stakes are so large that they are willing to sacrifice their resources to do so.
It is important to note the limitations of these results, which use the same weight for each of the three variables: persistence, stealth, and stakes. In real-world examples, and in Axelrod and Iliev's optimal timing model, these values can be weighted differently.
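The following is an added worked example, not code from the article and not Axelrod and Iliev's own equations. It builds a toy version of the optimal timing model from the three definitions the article gives (stakes, stealth, persistence), computes an attack-value threshold for each of the four intention classes in Figure 1, and evaluates the low, constant, and high stakes scenarios described for Table 2. Every number in it is constructed: the probabilities standing in for "high" and "low" stealth and persistence, the stakes distribution, and the discount factor w are assumptions, so the decisions it produces illustrate the direction of the model's predictions rather than reproduce Table 2 itself.

```python
"""Toy optimal-timing calculation for a malware resource (added example).

Assumed simplified formulation, built only from the article's definitions:
each period the stakes S are drawn from a known distribution. Using the
resource now pays the current stakes and the resource survives with
probability H (stealth); refraining pays nothing now and the resource
survives with probability P (persistence). Future payoffs are discounted
by w. None of this is the article's or the cited paper's own code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    stealth: float      # H: probability the resource is still usable after use
    persistence: float  # P: probability it is still usable after NOT being used


def holding_value(res, stakes_dist, discount=0.9, tol=1e-10, max_iter=100_000):
    """Expected value V of holding the resource: the fixed point of
    V = sum_s p(s) * max(s + w*H*V, w*P*V).
    The map is a contraction because w*max(H, P) < 1, so plain iteration converges."""
    v = 0.0
    for _ in range(max_iter):
        new_v = sum(
            p * max(s + discount * res.stealth * v, discount * res.persistence * v)
            for s, p in stakes_dist
        )
        if abs(new_v - v) < tol:
            return new_v
        v = new_v
    raise RuntimeError("value iteration did not converge")


def attack_threshold(res, stakes_dist, discount=0.9):
    """Stakes level at which using now is at least as good as waiting:
    s + w*H*V >= w*P*V  <=>  s >= w*(P - H)*V.
    If persistence does not exceed stealth (P <= H) waiting gains nothing,
    so the threshold is zero and the resource is used at any stakes."""
    v = holding_value(res, stakes_dist, discount)
    return max(0.0, discount * (res.persistence - res.stealth) * v)


def use_now(res, current_stakes, stakes_dist, discount=0.9):
    """Decision rule: act if the current stakes meet the threshold."""
    return current_stakes >= attack_threshold(res, stakes_dist, discount)


# Constructed placeholder probabilities for the article's four intention
# classes (Figure 1): "high"/"low" stealth and persistence as numbers.
STEALTH_HIGH, STEALTH_LOW = 0.8, 0.2
PERSIST_HIGH, PERSIST_LOW = 0.9, 0.3
INTENTION_CLASSES = {
    "experimental": Resource(STEALTH_LOW, PERSIST_LOW),
    "financial":    Resource(STEALTH_HIGH, PERSIST_LOW),
    "political":    Resource(STEALTH_LOW, PERSIST_HIGH),
    "cyberwarfare": Resource(STEALTH_HIGH, PERSIST_HIGH),
}

# Constructed stakes distribution as (stakes, probability) pairs; mean 5.5.
STAKES_DIST = ((0.5, 0.5), (5.0, 0.3), (20.0, 0.2))

# Three stakes scenarios in the spirit of Table 2: the current draw is low or
# high relative to STAKES_DIST, or the stakes never vary at all (point mass).
SCENARIOS = {
    "low":      (0.5, STAKES_DIST),
    "constant": (5.0, ((5.0, 1.0),)),
    "high":     (20.0, STAKES_DIST),
}


def timing_table(classes=INTENTION_CLASSES, scenarios=SCENARIOS, discount=0.9):
    """For each intention class and stakes scenario: True if the model says
    to use the malware now, False if it says to wait."""
    return {
        name: {
            scen: use_now(res, current, dist, discount)
            for scen, (current, dist) in scenarios.items()
        }
        for name, res in classes.items()
    }


if __name__ == "__main__":
    table = timing_table()
    for name, res in INTENTION_CLASSES.items():
        print(f"{name:13s} threshold={attack_threshold(res, STAKES_DIST):6.2f}", table[name])
```

Under these assumptions the threshold is zero whenever persistence does not exceed stealth (the financial class), grows with the gap between persistence and stealth (largest for the political class), and the only class that acts at low stakes is the financial one, matching the text above. With constant stakes there is no better draw to wait for, so every class acts immediately; at high stakes every class acts as well, and whether the political class instead waits depends on the constructed numbers.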

Conclusion
It has been more than 40 years since our first example of malware. Malware has evolved, but some of the principles have remained the same. The purposes and motives for malware have changed from education, protests, and pranks to profit and then finally to espionage and sabotage.
Intention is an important part of understanding malware; originally, antivirus companies were looking for malware that sought financial profit, so many systems were being skipped. Knowing that malware is also being used by governments and militaries, the search for potential malware activities can be broadened to other potential systems. Understanding the intentions of malware enables the evaluation of the effectiveness of malware defenses.
The concept of initial access has changed slightly over the years. Many of the early examples of malware discussed here needed to be distributed, for instance through email, floppy disk, or USB device, or through a vulnerability in a web service with an open port. However, the more recent examples, Stuxnet and Flame, used zero-day exploits. This pattern may be a relatively new trend, because organizations are no longer telling the public or the vulnerable vendors about vulnerabilities; instead they are keeping or selling the techniques (Radianti & Gonzalez, 2007). Again, understanding the purpose of the malware helps in determining how many systems might be affected and how they originally became compromised. If the purpose is financial gain, then it seems likely that many systems will be infected. However, for cyberwarfare, or government-related instances, the examples studied show that only a small, unique set of systems will be infected.
Presented in this article is a model that represents the majority of malware today. The model was created to help understand the potential effectiveness of a malware application's stealth and persistence techniques based on its intentions. And, by combining the optimal timing model by Axelrod and Iliev (2013) with the results of studying the eight malware samples, Table 2 can help predict when an initial attack would likely happen.

Figure 1. An intention-based classification of malware

[...] the Blaster worm spread on computers running the Microsoft operating systems Windows XP and Windows 2000, with damage totaling in the hundreds of millions (Dougherty et al., 2003). It was notable for the two hidden text strings, the first of which said "I just want to say LOVE YOU SAN!" and the second of which was a message to Microsoft CEO Bill Gates.

6. Zeus: Malware as a service. Over $70 million USD was stolen from users who were infected with the Zeus malware. It was one of the first major botnet malware applications that would go undetected by updated antivirus and go unnoticed by people who were using infected computers. Zeus was capable of being used with a rootkit and [...]

[...] start modifying the code, giving unexpected commands to the PLC while returning a loop of normal operating system values to the users. Multiple zero-day exploits were used on an estimated 16,000 computers that were infected by the Stuxnet virus, including Iran's nuclear enrichment plant at Natanz (Emerson, 2012).

Table 2. The optimal timing of malware use depending on intentions, persistence, stealth, and stakes