Sunday, May 14, 2006

what is a hybrid / blended threat?

a malware hybrid is a combination of 2 or more types of malware... for example, osx/leap.a is both an instant messaging worm (it spreads over ichat) and an executable-file-infecting virus of the kind known as an overwriting infector (it replaces the host file's contents rather than appending to them)...

although it isn't generally well known, a piece of malware can be a virus and a worm and a rat (remote access trojan) and a rootkit and any number of other malware types all at the same time - the various malware types are not mutually exclusive in any way... anti-malware vendors (anti-virus vendors in particular) don't generally do a great deal to make this obvious to the general computer using public, often preferring to treat one type as taking precedence over the others in the name they give a sample... occasionally one may see a write-up that lists something as a "spyware worm" or something like that, but generally not...

this may be one of the more detrimental things that the industry practices, because it misrepresents the breadth and scope of the threat that a particular pigeon-holed piece of malware poses - a sample labelled only as a "worm" may also be carrying a backdoor or rootkit that the label never mentions... no malware type is an island unto itself, they can all be combined with one another, and that is an important point to remember when dealing with the issue of what type of malware something is...

another (better known) term for this, at least the way some people (like kaspersky) use it, is "blended threat"... symantec, on the other hand, reserve the term blended threat for those hybrids that include exploit code as one of the malware types in the combination... according to nick fitzgerald, symantec coined the term to mean just that, so that is the more formal meaning - however i can see no reason why exploit code should be so special as to deserve a special term for its hybrids, and clearly others agree...
