Examining the Diffusion of Different Malware Types
While the internet has grown tremendously in both scope and capability over the past few decades, a harmful and threatening aspect of this innovation has grown alongside it: malware. Malware is the catch-all term for a wide variety of exploitation methods that are used to disrupt, steal from, or profit from another person’s computer. In this blog post I am going to examine how different types of malware diffuse and why their diffusion differs. But first, it’s important to understand the general hierarchy of how a computer works.
An operating system provides a computer’s basic level of functionality. An operating system, such as Windows, contains all of the core functions you would expect on a basic computer: things like connecting to the internet, displaying pixels on a screen, and reading mouse movement. Software consists of programs that run on top of that operating system. Software developers take the core functions that an operating system exposes and build a more advanced application with specific functionality on top of them. For example, Zoom uses core functions like microphone and video input and is built out into an application specifically for video conferences. Developers at every level (from operating systems to software and everything in between) prioritize security in their programming. Malware is an interesting example of diffusion because the level at which it exploits a computer determines both what it can do and how far it can spread.
One well-known class of malware is the virus. A computer virus is essentially malicious code embedded in a file or program. The most common way of getting a virus is for a user to visit a webpage hosting malicious code and download an infected file. When the user opens this file, their computer is infected with the virus. The illustrations below demonstrate the diffusion effects when one computer on a network downloads and runs a virus.
In a network with other computers, only the computer that downloaded the virus would be infected. This is because viruses are embedded in software, and software is restricted to a certain set of capabilities by the operating system it runs on top of. Therefore, a virus can’t diffuse to other computers connected to the same network and will only infect the computer that ran the malicious software. However, an exploit at this level is still pretty bad and can still steal critical information from you.
Worms, by contrast, are a class of malware that exploits deeper-level flaws in operating systems and internet connections. Like viruses, the most common way to get infected with a worm is by accessing a webpage that has weak security or may even have been designed with malicious intent. The illustrations below show how a worm can diffuse to an entire network of computers (given that they share the same exploitable vulnerability).
As in the virus example, Computer #1 would be infected first because it received malicious content from accessing a webpage. Unlike viruses, however, worms often do not enter a computer as software that needs to be opened or run first; by exploiting deeper-level flaws (usually in operating systems), worms are able to replicate across an entire network by themselves. Because they run at the operating system level, worms are not restricted to the same software permissions as viruses, and can therefore spread throughout a network. This is often done by establishing connections with other computers on the same network and then replicating onto them. Most operating systems, such as Windows, allow machines on the same network to establish peer-to-peer connections with each other; this would allow the worm to spread from Computer #1 to Computers #2 and #3.
The spread of malicious worms and viruses models an interesting intersection of the diffusion and epidemics units in class. As we learned in the epidemics unit, nodes that are further away from the initial infectious source are less likely to be infected. In fact, each additional edge of separation between a node and an infectious source decreases the odds of that node getting infected. This idea is implemented as a strategy in cybersecurity known as a DMZ, short for demilitarized zone. A DMZ is a private sub-network that acts as a buffer between your router and the rest of the internet. Because DMZs are built for security, they include firewalls and security settings that reduce the exploitable vulnerabilities exposed to worms and viruses. The illustration below shows how adding a secure DMZ could altogether stop the spread of a virus or worm throughout a network of computers.
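The three scenarios above (a virus confined to one host, a worm replicating over peer-to-peer connections to every neighbour with the same flaw, and a DMZ boundary cutting that spread) as a small graph simulation. This is an added example, not code from the original post; the five-computer network, the vulnerability flags, the blocked edge and the per-hop probability are all constructed assumptions.

```python
"""Toy diffusion model for the virus / worm / DMZ scenarios (constructed example)."""
from collections import deque

# Constructed network: Computer #1 is the one that visits the bad webpage.
# An edge means the OS lets the two machines open a peer-to-peer connection.
NETWORK = {
    1: {2, 3},
    2: {1, 3, 4},
    3: {1, 2},
    4: {2, 5},   # 4 sits on the far side of an assumed DMZ boundary (edge 2-4)
    5: {4},
}
# Assumed flags: which hosts carry the flaw the worm exploits.
VULNERABLE = {1: True, 2: True, 3: True, 4: True, 5: False}
# Assumed DMZ / firewall rule: the 2-4 link is filtered.
DMZ_BOUNDARY = frozenset({frozenset((2, 4))})


def virus_spread(source):
    """A virus runs as ordinary software, so only the host that ran it is infected."""
    return {source}


def worm_spread(network, vulnerable, source, blocked_edges=frozenset()):
    """Breadth-first replication: the worm jumps to every reachable neighbour
    that shares the exploitable flaw, unless a DMZ/firewall boundary blocks
    the connection.  Returns {host: edges of separation from the source}."""
    hops = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for peer in network[node]:
            edge = frozenset((node, peer))
            if peer in hops or not vulnerable[peer] or edge in blocked_edges:
                continue
            hops[peer] = hops[node] + 1
            queue.append(peer)
    return hops


def infection_odds(hops, p_per_hop):
    """Epidemics-unit view: every extra edge of separation multiplies the
    chance of infection by p_per_hop, so odds fall off with distance."""
    return {node: p_per_hop ** h for node, h in hops.items()}


if __name__ == "__main__":
    print("virus :", sorted(virus_spread(1)))
    print("worm  :", worm_spread(NETWORK, VULNERABLE, 1))
    print("w/ DMZ:", worm_spread(NETWORK, VULNERABLE, 1, DMZ_BOUNDARY))
    print("odds  :", infection_odds(worm_spread(NETWORK, VULNERABLE, 1), 0.5))
```

Host #5 stays clean in every run because it lacks the flaw, while the DMZ rule is what keeps host #4 clean even though it is vulnerable.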