The IT Law Wiki

Crimeware is

  • software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.
  • a broad category covering any use of malware to compromise systems such as servers and desktops.[1]

How it works

Fig. 1 Crimeware Propagation Techniques

Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including:

Once installed, crimeware can be used for financial benefit by the attacker in many ways, including:


Crimeware is distributed in many ways. The various distribution models include distribution leveraging social engineering (attachment, piggybacking), exploit-based distribution via server (web browser exploit, including content injection), exploit-based distribution via infected computer (internet worms), and distribution via human (hacking). Distribution of crimeware may blur these distinctions, such as a social engineering "phishing" attack that directs users to a web site that installs crimeware via a web browser exploit.

Anatomy of a crimeware attack

Fig. 2 Anatomy of a Crimeware Attack

In this diagram, the stages of a crimeware attack are categorized as follows:

  1. Crimeware is distributed. Depending on the particular crimeware attack, crimeware may be distributed via social engineering (as is the case in malicious email attachments and piggyback attacks) or via an exploit of a security vulnerability (as is the case in web browser security exploits, internet worms, and hacking).
  2. The computing platform is infected. Infection takes many forms. In some cases, the crimeware itself is ephemeral and there may be no executable "infection" stage, as in immediate data theft or system reconfiguration attacks. In such cases, an attack leaves behind no persistent executable code.
  3. The crimeware executes, either as part of a one-time attack such as data theft or system reconfiguration, as a background component of an attack such as a rootkit, or by invocation of an infected component.
  4. Confidential data is retrieved from storage, in attacks such as data theft.
  5. Confidential information is provided by the user, in attacks such as keyloggers and web Trojans.
  6. The attacker misappropriates confidential data. Data may come from any of several sources depending on the type of crimeware involved.
  7. The legitimate server receives confidential data, either from the executing crimeware (in attacks in which data is explicitly compromised by the crimeware) or from the attacker (in man-in-the-middle attacks).


See also

  • ThreatConnect Glossary (full-text).