Definition
A blended attack is "malicious code that uses multiple methods to spread."[1]
Overview
The well-known Nimda "worm" is actually an example of a blended attack. It used four distribution methods:
- E-mail. When a user on a vulnerable host opened an infected e-mail attachment, Nimda exploited a vulnerability in the Web browser used to display HTML-based e-mail. After infecting the host, Nimda then looked for e-mail addresses on the host and then sent copies of itself to those addresses.
- Windows shares. Nimda scanned hosts for unsecured Windows file shares; it then used NetBIOS as a transport mechanism to infect files on that host. If a user ran an infected file, this would activate Nimda on that host.
- Web servers. Nimda scanned Web servers, looking for known vulnerabilities in Microsoft Internet Information Services (IIS). If it found a vulnerable server, it attempted to transfer a copy of itself to the server and to infect the server and its files.
- Web clients. If a vulnerable Web client visited a Web server that had been infected by Nimda, the client's workstation would become infected.
In addition to using the methods described above, blended attacks can spread through such services as instant messaging and peer-to-peer file sharing. Many instances of blended attacks, like Nimda, are incorrectly referred to as worms because they have some worm characteristics. In fact, Nimda has characteristics of viruses, worms, and malicious mobile code.
Another example of a blended attack is Bugbear, which acted as both a mass mailing worm and a network service worm. Because blended attacks are more complex than single-method malware, they are considerably harder to create. Blended attacks do not have to use multiple methods simultaneously to spread; they can also perform multiple infections in sequence. This is becoming more popular, primarily as a way of delivering and installing Trojan horses on systems. For example, a virus, a worm, or malicious mobile code that successfully enters a system can install and run a copy of a Trojan horse. The Trojan horse can then perform additional malicious acts, such as installing spyware on the system.
References
- ↑ NIST, Computer Security Incident Handling Guide (NIST Special Publication 800-61, rev. 1), Glossary, at D-1 (Mar. 2008) (full-text).