What malware needs to thrive

An operating system or an application can be attacked by malware if it is able to run a program that is not part of the system or the application itself. This requirement is satisfied by all popular desktop operating systems, by many office applications, image editors and design programs, and by any other software environment with an embedded scripting language.

Computer viruses, worms, and Trojans have been written for dozens of operating systems and applications. However, a vast number of other operating systems and applications exist for which no malware has been detected yet. So what is the difference between these two groups?

Malware for a specific operating system or application emerges when the following three conditions are met simultaneously:

  • popularity or widespread use of the specific operating system or application;
  • availability of documentation: the system must be documented well enough for third parties to write programs for it;
  • vulnerability of the system: the system must lack protection, or known vulnerabilities in its protection and/or its applications must exist.

Each of the above conditions is necessary, and the simultaneous fulfilment of all three is sufficient for malicious programs to appear on the system.

The operating system must be popular enough to catch the eye of at least one cybercriminal or hacker. If a system exists in only a handful of copies, it is very unlikely to be attacked. However, once the manufacturer of an operating system achieves mass distribution, it is very likely that one day hackers or virus-writers will try to use it in their own interests.

This leads naturally to the conclusion that the more popular an operating system or application is, the more often it will come under virus attack. Practice supports this conclusion: the number of malicious programs created for Windows, Linux and MacOS closely correlates with the market shares held by these operating systems.

Availability of complete documentation is required for a natural reason: a virus-writer (or, more generally, any programmer) needs a technical description in order to know how to use the services of the operating system and write applications that run on it. For example, manufacturers of regular mobile phones at the turn of the century did not disclose documentation, so neither software producers nor hackers could create programs for these devices. Java-enabled phones and smartphones come with documentation on how to develop applications, so malware created specifically for these types of devices emerges.

Vulnerabilities in software can be either programming-related (an error in the program code that allows a virus to sneak into the program and gain control over the system) or logical (legitimate or even documented ways to penetrate the system). If vulnerabilities are known to exist in an operating system or its applications, the system is open to malicious programs no matter how well protected it is otherwise.

An operating system’s protection consists of the architectural solutions that prevent a new or unknown application from gaining complete, or sufficiently broad, access to the files stored on disk (including other applications) and to the potentially hazardous services of the system. This restriction effectively blocks any malicious activity, but it simultaneously imposes significant restrictions on regular programs.

Unfortunately, there are no examples of widely used, open, multifunctional operating systems or applications that are protected in this sense. The Java machine partially satisfies the protection condition: it runs Java applications in sandbox mode, i.e. it strictly controls every potentially hazardous action of the application. Indeed, for quite a long time no “real” viruses or Trojans in the form of Java applications appeared, with the exception of test viruses that were practically unviable in real life. Malicious Java applications appeared only once methods had been discovered to bypass the security system built into the Java machine.

The operating systems of regular mobile phones (as opposed to smartphones, and phones that do not support third-party Java programs) are an example of widely used protected systems. However, new programs cannot be installed on these systems, and no documentation exists on how to create new programs for them. So these systems are severely limited in their functionality, and it cannot be expanded. The good side of that is that there are no viruses on these systems.

The BREW platform is another example of a platform that is closed to viruses. Mobile phones running this platform only allow the installation of certified, cryptographically signed applications, and only through the mobile service provider. Third-party software producers work under contract, and detailed documentation exists. However, each application must be certified, which slows down software development and complicates the business processes around it. As a result, this platform cannot boast great popularity or a large selection of applications compared to its competitors.
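The two protection mechanisms described above, a sandbox that confines each application to its own files (the Java machine model) and an installer that accepts only applications certified with a cryptographic signature (the BREW model), can be shown in miniature. The following Go program is an added example written for this page; it is not code from the original article or from any of the platforms it describes. It assumes a single Ed25519 certifying authority, a per-application home directory under /apps/<name>/, and constructed package bytes standing in for real application code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"path"
	"strings"
)

// Package is a constructed stand-in for an installable application bundle.
// Signature is produced by the platform's certifying authority (assumption:
// one Ed25519 authority key, as a minimal model of "certified, signed apps").
type Package struct {
	Name      string
	Code      []byte
	Signature []byte
}

// Platform models a closed platform: only packages signed by the authority
// install, and every installed app is confined to its own directory.
type Platform struct {
	authority ed25519.PublicKey
	installed map[string]bool
}

// NewAuthority generates the certifying authority's key pair (demo only; a
// real platform would keep the private half off the device entirely).
func NewAuthority() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewPlatform(authority ed25519.PublicKey) *Platform {
	return &Platform{authority: authority, installed: map[string]bool{}}
}

// digest binds name and code together, so a signature issued for one app
// cannot be replayed onto another app's code; the length prefix prevents
// name/code boundary ambiguity.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(name), name)
	h.Write(code)
	return h.Sum(nil)
}

// Certify is the authority's step: sign the package digest.
func Certify(priv ed25519.PrivateKey, p *Package) {
	p.Signature = ed25519.Sign(priv, digest(p.Name, p.Code))
}

// Install refuses anything the authority has not signed, including a
// package whose code or name was changed after signing.
func (pl *Platform) Install(p Package) error {
	if !ed25519.Verify(pl.authority, digest(p.Name, p.Code), p.Signature) {
		return errors.New("install refused: package is not certified")
	}
	pl.installed[p.Name] = true
	return nil
}

// Open mediates a file request the way a sandbox does: an app may touch only
// paths under its own home directory, so it cannot read or patch other apps.
func (pl *Platform) Open(app, requested string) error {
	if !pl.installed[app] {
		return errors.New("open refused: app is not installed")
	}
	home := "/apps/" + app
	clean := path.Clean("/" + requested) // collapses "..", so traversal cannot escape
	if clean != home && !strings.HasPrefix(clean, home+"/") {
		return fmt.Errorf("open refused: %s is outside %s", clean, home)
	}
	return nil
}

func main() {
	pub, priv := NewAuthority()
	platform := NewPlatform(pub)

	app := Package{Name: "mail", Code: []byte("constructed app bytes")}
	Certify(priv, &app)
	fmt.Println("certified install:", platform.Install(app))

	rogue := app
	rogue.Code = []byte("constructed app bytes + trojan payload") // tampered after signing
	fmt.Println("tampered install:", platform.Install(rogue))

	unsigned := Package{Name: "game", Code: []byte("no certificate")}
	fmt.Println("unsigned install:", platform.Install(unsigned))

	fmt.Println("own data:", platform.Open("mail", "/apps/mail/inbox.db"))
	fmt.Println("other app:", platform.Open("mail", "/apps/mail/../browser/cookies.db"))
}
```

Both checks are deliberately coarse: the installer knows nothing about what the code does, only who vouched for it, and the sandbox knows nothing about the code either, only which paths it asks for. That is exactly the trade-off the article describes: a platform built this way blocks unknown programs outright, at the cost of blocking every uncertified third-party program too.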

It is hard to imagine what it would be like if desktop operating systems such as Windows or MacOS were based on the same principles. Software development by independent companies would become much more difficult, if possible at all; the range of web services would become much narrower; and business processes would become much slower. The world would be a very different place: slower, duller and poorer. Thus, the damage caused by malware attacks can be seen as the price we pay for living in a dynamic world of high technology.
