Sandeep Mittal, I.P.S.,*
The term ‘Malware’ has become a fashionable word to throw around now days. However, it should not be thought of something very sophisticated only. In this paper, we would give a brief definition and description of the term ‘malware’ and the related concepts including the evolutionary and historical time line. The concept of the future of ‘malware’ would be dealt with from four perspectives which may be dependent upon one another at least at some point in space and time. The first being the ‘malware design’ as the malware experts are using increasingly complex designs, taking the ‘malware’, to the scale of ‘war- grade- weapon’ in the recent past. The second important perspective is the ‘terrain’ of the cyber domain where the malware operates or is deployed. The third important perspective would be the ‘technologies’ that are used to detect these malware. As the malware are becoming ‘multiplatform’ and complex, the technologies have to keep pace with the evolution of malware. However, it is made clear at the outset that this paper deals only with the basics of issues raised and technical details have been kept to the minimum, being beyond the scope of present work.
The Malware Understood
‘Malware’ is an ‘unitary’ term for the different types of software- codes which are called as ‘virus’, ‘Trojan horse’ and ‘worm’ at different stages of its evolution. It could be as simple in its design as ‘virus’ or could be extremely complex as some of the ‘worms’ discovered recently. It would be useful if we understand these terms clearly before we venture in to malware understanding. A ‘virus’ is a self-replicating program whose only purpose is to propagate itself by modifying another program to include itself through an act of the user of the system in which it exists (modified after Skardhamar, 1996). The Trojan- Horse (named after the wooden horse, the ancient Greek army used to conquer the city of Troy) is a simple program that purports to do one thing, but actually do something else entirely, often very destructive. A Trojan’s spreading potential is not very big, as once they are run, they cease to be Trojans. But its simplicity can be extremely deceptive in terms of damage. “A ‘worm’ is a type of non-parasitic- code (unlike virus) that purposely replicates a possibly evolved copy of itself by exploiting security vulnerabilities on systems. The vulnerability that a worm exploits need not be exclusively software faults. It may exploit configuration errors or operator errors. Unlike viruses, worms do not replicate by attaching themselves to a host executable or by modifying the system environment to execute the malicious code” (Symantec, 2014). In the present scenario, the malicious researchers are concentrating on worms and the term ‘worm’ has become synonymous with ‘malware’ and would be used interchangeably sometimes in this paper. A more crisp and modern definition of worm is “an independently replicating and autonomous infection agent, capable of seeking out new host systems and infecting them via a network” (Nazario, 2004). As the most of the malware encountered in recent past belong to the category of worms, let us have some deep introspection of the basic components of worms. A worm must have at least one of the following five components, the attack component being the minimum set of one (Nazario, 2004);
- Reconnaissance Component hunts down other network nodes to infect. This component is responsible for identifying the host on network that is capable of being compromised by the worm’s known methods.
- Attack component launches an attack against target. The attacks can be the old age buffer or heap overflow, string formatting attacks, Unicode misinterpretations and misconfigurations.
- Communication Components gives the worms the interface to send messages between nodes or some other central location.
- Command Components provides the interface to the worm node to issue and act on commands.
- Intelligence Components provides the intelligence required to contact various worm nodes.
An assembly of the components of a worm is depicted in following figure (Nazario, 2004).
Many of the characteristics of a worm can be used to defeat it, for example, predictable behavior and characteristic signatures in contrast to manual attacks, where tactics is changed now and then. However, the worms continue to be generated as majority of the malware due to ease of continuous and the malware due to ease of continuous and exponential propagation, capacity to penetrate even difficult networks, persistence in infecting the systems despite patching and sanitization, and broad base coverage of the networks in space and time.
Hence, the future malware will continue to be worm-based in view of the foregoing discussion.
The History and Evolution of Malware
The future of malware cannot be predicted, unless we have an introspection of the history of malware to understand the evolution of malware over time.
The historical time line is depicted in the following table (Lava Soft, 2013) in a generalist manner;
HISTORY OF MALWARE (modified after Lavasoft, 2013)
|S.No.||Year||Name of Malware||Details of malware|
|1.||1971||Creeper||First ever computer virus. ARPANET|
|2.||1981||Elk Clover||First known microcomputer virus attached itself to Apple DOS 3.3 operating system and spread by floppy.|
|3.||1986||Brain||Brain First computer virus for MS-DOS infected the boot sector of the storage media formatted with the FAT file –system. Written to demonstrate insecurity of computers.|
|4.||1987||Stoned||A boot sector computer virus.|
|5.||1988||Morris Worm||Infected around 6000 computers of University, military and NASA. Morris was a researcher, introduced the worm by accident and was the first person to be arrested for such crime.|
|7.||1995||Concept||First Macro virus, and hid itself in a word document and spreads by integrating itself into more files each time the host program is run.|
|8.||1999||Happy 99, Melissa, Kak||Advance malware spread quickly through Microsoft environments.|
|9.||2000||I Love You||Computer worm attacked millions of window PCs through email message. An estimated $15 Billion was spent to clean the mess up.|
|10.||2001||Code Red||Worm attacked computers running on Microsoft IIS server. It chose the targets pseudo-randomly on the same or different subnets as the infected machines in accordance with fixed probability distribution|
|11.||2001||Nimda||Computer worm and file infector, utilized several propagation techniques and thus become most widespread worm in 22 minutes.|
|12.||2003||Sol Slammer||Computer worm that caused DoS on internet hosts.|
|13.||2004||Cabir||First mobile phone virus attacking Symbian OS spread through Bluetooth.|
|14.||2007||Storm Botnet||A remote controlled botnet linked by storm worm spread through email and infected 50 million computers.|
|15.||2009||Koobface||Multiplatform work that attacked users of popular social networking websites and designed to infect windows, Mac OS and Linux platforms.|
|16.||2010||Geinimi||First Android Malware displaying botnet capability.|
An era of weaponization of software code heralded in the year 2010 with the discovery of ‘Stuxnet’ followed by ‘DuQu’ and ‘Flame’ malware which are distinctively different in stealth, design, complexity and deployed for fully targeted attacks. “The Stuxnet’ targeted Iranian Nuclear Facility at Natanz. The Stuxnet used four ‘Zero day vulnerabilities’ and employed Siemens’ default passwords to access window OS that run WinCC and PC57 programs. It would hunt down frequency-converter drives made by FaraPaya in Iran and Vacon in Finland. These drives were used to power centrifuges used in the concentration of the Uranium-235 isotope. Stuxnet altered the frequency of the electrical current to the drives causing them to switch between high and low speeds for which they were not designed. This switching caused the centrifuges to fail at a higher than normal rate” (Farwell & Rohozinski, 2011). In 2011, another worm ‘DuQu’, which contained components almost identical to stuxnet, was discovered. However, the ‘DuQu’ was not self- replicating and was devoid of a payload. It seemed to be designed to conduct reconnaissance on an unknown industrial control system (Zetter, 2011). ‘Flame’ was another ‘stuxnet’- type of malware designed primarily to spy on infected computers and detectedfrom the computers of Iranian Oil Ministry, (Zetter, 2012).
Thus, it is seen from the discussion in the foregoing that the malware has evolved over a period of time from a ‘simplistic-experimental-code’ to ‘highly complex and complicated codes’ synonymous with Internet-wide devastation.
The Future of Malware Design
The ‘Samhain Project’ (Zalewski, 2000), intended to design an intelligent malware, listed seven requirements and guidelines for the intelligent worm;
- Portability across hardware architectures and operating system to achieve the largest possible dispersal.
- Invisibility from detection.
- Independence from manual intervention. The worm must not only spread automatically but must be adaptable to its network.
- The worm should be able to learn new techniques. It’s ‘database of exploits’ should be updatable itself.
- The integrity of the worm host must be preserved. The worm’s executable instances should avoid analysis by outsiders.
- Avoid the use of static signatures. By using the polymorphism the malware can avoid detection methods that rely on signature based analysis.
- Overall worm net usability. The network created by worms should be able to be focused to achieve the specific task.
The researchers (Zalewski, 2000) have discussed various options for implementation of ‘Samhain Worm’ for its assembly, to form the worm system. the details of which are beyond the scope of this essay. However it would be pertinent to mention the flaws in ‘Samhain Worm Architecture’ which can fail the worm network.
Firstly the ability to update the database of known attack methods requires a distribution system which would be either central or hierarchical. An attack at this point may disrupt the growth and capabilities of worm. Secondly, the mechanism used to prevent repeated worm installation on the same host is a serious flaw. The worm executable, during its initialization, looks for other instances for itself. An attack on the worm system would require forgery of this signal to prevent the installation of the worm executable. In doing so, the worm is not installed on the host and thus its growth is stopped at this point.
In earlier part of this paper, we identified five components of a functional worm. However, there are several problems with the design and implementation of current worms (Nazario etal., 2001). The signatures of the remote attacks and reconnaissance traffic can be used to identify the source nodes; as the traffic associated with worms grow exponentially the life span of the worm is reduced and traffic growth leads to increasing worm profile thus detection; no direction of spread therefore making the directed attacks against specific target, a matter of chance; utilization of a central database of affected host by worm make it susceptible to exploitation (Nazario et al., 2001). Further Nazario and his associates used these components and problems associated with them in its implementation, to give considerations for future worms by proposing various adaptations.
- Instead of actively scanning the targets for exploitation, worm to simply observe network traffic to discover the hosts, remote operating system and applications in use and then launch an attack.
- Instead of central topology, use ‘guerilla’ and ‘directed tree’ topologies to achieve specificity of target attack.
- Instead of central communication topology, use a system where each node stores the messages and forward the messages to appropriate node one hop away to cut down the generation of traffic.
- Instead of encrypted communication methods, use steganography e.g., hiding data in media files.
- Attack new targets e.g., appliances with embedded technologies.
- Instead of static signatures, use polymorphic pay-loads. Using modular worm behavior where single basic component is skipped in design may give the worm added evasion capability.
- Design to support dynamic updates to the system.
Many of these adaptations have been observed in ‘stuxnet’, ‘duqu’ and ‘flame’ malwares. Many are yet to be seen or discovered by the world.
The Future of Malware Deployment
The deployment of a malware by an attacker depends upon the intention and motivation of the attacker, which in turn would define the sophistication of the attack and typical target groups as summarized in following figure(Zoller,2011);
Zoller further classified the attacks based on the attacker deploying the attacks as opportunists, targeting opportunists, professionals and state founded. The script- kiddies would continue to use their unsophisticated attacks in the ‘mass-malware-market’. The exploits of targeting opportunists and professional have resulted in emergence of ‘commercial-vulnerability-market.’ However, the cause of worry is the future malware like’ stuxnet’, ‘flame’ and ‘duqu’ which are considered as acts of the nation-states. Take a look at the ‘latest’ malware to join the list- ‘Mask’ or ‘Careto’ discovered recently (Kaspersky, 2014). The ‘Mask’ is learnt to have targeted so far, 380 unique victims, e.g., Government, Diplomatic, Institutes, Energy, Oil & Gas Sectors, Research Institutes, Private Commercial Establishments and Activists spread over 31 countries and learnt to be in active cyber espionage since 2007. The ‘Mask’ becomes a special malware in view of the complexity of tool set used by attackers. This includes an extremely sophisticated malware, a root kit, a boot kit, 32-64-bit windows versions, Mac OSX and Linux versions and possible the versions of Android and iPhone/iPad (Apple iOS). When active in a victim system, ‘The Mask’ can interrupt network traffic, keystrokes, Skype conversations PGP keys, analyze Wi-Fi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations. The malware collects a large set of data from infected systems e.g. the encryption keys, VPN configurations, SSH keys etc. The time, money and expertise required to design and deploy such an extremely sophisticated malware leave no doubt that it is the handwork of some ‘nation state’.
The complete dependence of a Nation’s Economy and Critical-Infrastructure presents an opportunity to the ‘Nation-States’ to deploy malware to gain information- dominance in cyber- domain to transmit information and denial/restriction of such information to the ‘enemy- state’. Further, the critical- infrastructure of a country can be crippled through deployment of stealthy and well- crafted tools to exploit the ‘zero-day-vulnerability’ is a matter of hours, if not minutes (Mittal, 2014). The concept of war-maneuvering has been compared with cyber-maneuver (Applegate, 2012), where it is realized that blatantly hostile acts in cyber space are characterized by rapidity, anonymity and difficulty in attribution and are dispersed disproportionately in space and time. Even the territory of enemy or one of his allies or adversaries can be used to deploy such malware attacks.
The Future of Malware Terrain
The author has a strong feeling that the future of malware isn’t so much about the design and sophistication in the engineering of malware as much as how and where the potential victim would be attacked, thus making the terrain of malware deployment a key factor in future attacks. The low level attacks would continue to exploit the small and old vulnerabilities to their advantage. The social networking sites would be the most sought after ‘terrain’, in foreseeable future, for deployment of malware (Athanasopoulos, 2008; Luo, 2009; Felt, 2011; Abraham, 2010, Irani, 2011). Recently a malware was deployed to target the top executives of a major corporation through their spouses. The presumption was that at least there would be a few non-tech-savvy spouses using a poorly secured home PC sharing the connection, and this would provide the backdoor needed to compromise the executive’s computer and gain access to the systems of target companies (Vance, 2011). The platform- agnostic, web-based malware represent a new frontier. As the developers re-engineer websites and applications to work on a variety of devices, the malware would target the commonalities like HTML, XML, JPEGs, etc., that run on any device. The pace with which the smart phones are becoming e-wallets, tools of m-commerce and repository of flight e-boarding passes and rail-tickets, would soon make the smart phones a favorable terrain for deployment of malware. But the worst is yet to be discussed. Consider a number of embedded devices available all around us, the microwaves, the refrigerators, the washing machines, the internet cameras, the automated heating and cooling systems, the cars, the routers, the environment monitors, and the animal/cattle- tags and so on. Soon, the connected devices would be part of our lives and thus come the concept of ‘Internet of Things’ or subsequently ‘Internet of Everything’ and finally the malicious ‘Botnet of Things’. Having chips embedded in our appliances make our life simple but imagine what would happen when the number of ‘internet-connected-devises’ reaches50 billion by the year 2020 (Kumar, 2014). The main problem with these things is that unlike computers, the security patches are not updated on these things. The embedded- device- security is a matter of grave concern (John & Thompson, 2012; Stantucci, 2011). I have never seen a company or a user applying security patches to printers, modems, routers, ovens cameras etc. as it require extra time and money. Most of the embedded chips are old versions manufactured even two to three years before the device is manufactured and therefore susceptible to malware attacks even by script- kiddies. The ‘Internet of Things’ would be the favorite terrain for the deployment of malware in future (Stammberger, 2009).As a number of such nano and micro devices are likely to be implanted in human body in future, malware could be deployed even to commit murder, which at present is committed through use of conventional means. These ‘Implantable Medical Devices ( IMDs )’ often work on software- defined radios so that it can operate on multiple frequencies and use various processors ( see figure below, Leavit, 2010).
Mostly, these devices have no direct connectivity with the internet but may have connectivity with a bedside monitor who in turn may be connected to internet thus enabling hackers to deploy malware to exploit communication channel between the device and external control units. Adding encryption capabilities to IMDs would add complexity and require more battery life and computing powers to handle algorithms (Leavit, 2010). This would be a great challenge in future to build defense against such vulnerabilities by designing zero- power- defense mechanisms for IMDs (Ransford, 2014).
The future of Malware Detection
Based on the discussions in earlier parts of this paper regarding components of worms and the future considerations of worm, we would try to understand the methods of detecting worms. The aim of our ‘detection strategies’ is to detect almost any type of worm with little effort, for which one need to focus on the common features of worms. The three methods of worm detection are, traffic analysis, use of honey pots and dark network monitors and the employment of signature based detection systems and form the core of detection strategies for detecting both the hackers and worms. It is to be kept in mind that no single method work for all of the worms, however a combination of more methods would produce near complete detection. We would briefly discuss the three methods of detection in following part of this essay (modified after Nazario, 2004).
- Traffic Analysis– It is the analysis of network’s communications and the inherent patterns. One need to monitor mainly three major features to detect the worms viz., volume of traffic at a network connection point like router or firewall, the number of type of scans occurring as most worms use active scans to identify new targets of attack, and change in the host traffic patterns when host is compromised. This method is a relatively simple yet powerful tool for worm detection. It uses the general properties seen in most of the worms like active reconnaissance and exponential growth. Even the worms using a variety of dynamic methods or polymorphic vectors can be detected in contrast to signature detection methods. However, this method may have difficulty in detection of ‘slow-worms’ and ‘worms using passive mechanisms’ for identifying and attacking targets. However these weaknesses would not prevent the use of traffic analysis in worm- detection in foreseeable future. Furthermore, the data generated by this analysis may also be useful to find some other network anomalies.
- Honey pots and Dark (Black Hole) Network Monitors – Ahoney pot could be understood as a functional system that responds to malicious probes in a manner that elicits the desirable response by the attack. This could be designed using an entire system, a single service, or even a virtual host. The ‘dark-network-monitoring’ monitors unused network segments for malicious traffic. These could be local, unused subnets or global unused networks. Together these tools can be used in the analysis of worms. However, placing the honey pots on a production network or using the black-hole monitor on a network where the routine traffic is routed as a destination would introduce Large Vulnerability and could be counterproductive. The details of the ‘honey pot’ and ‘black-hole monitor’ setup and functionality are beyond the scope of this discussion. It would suffice to say at this point that, the ‘Black-hole Monitors’ are a more effective means to monitor worm behavior due to their promiscuous nature and can capture wealth of data from a significant portion of the Internet. However, the honey pots, in contrast, are best used at a time of high worm activity when a copy of the worm’s executable is needed. A honey pot is then quickly crafted and exposed to the network. Upon compromise, a set of worm- binaries are obtained for study (Honeynet Project, 2002).
- Signature- based Detection – Adictionary of known fingerprints is used and run across a set of input. The dictionary typically contains a list of known bad signatures like ‘malicious network payloads’, or the ‘file contents of a worm executable’. The three types of signature analysis in worm detection are the ‘network payload signatures ’, ‘Log file analysis’ and ‘file signatures’. The most important weakness of the signature-based detection methods is that they are reactionary and rarely detect a new worm. They can be used only to detect only the known worms. They cannot detect the polymorphic and dynamically updatable worms.
A mix of all three technologies discussed would form a robust system to detect these worms. A detailed view of such system is well documented by NIST (Scarfone & Mell, 2007).
What is the direction of future research in this field? Off late, researchers have shown keen interest in application of principles of ‘Biological Immune Systems’ to Computer Systems, since both have to maintain their stability in ever changing environment. Numerous desirable features of the Biological Immune Systems (BIS) viz., diversity, self-tolerance, immune-memory, distributed computation, self-learning, self-organization, self-adaptation and robustness have inspired BIS based Artificial Immune Systems (AIS) for information security (Jin, 2013). This is based on the ‘danger model’ presented by many researchers (Aickelin & Cayzer, 2002, Matzinger, 2002). According to this model ‘adoptive immune systems’ are not able to distinguish self from non-self but immune response is triggered when danger signals are generated by damaged cells. The cells in the adaptive immune system are incapable of attacking their host. While the immune response of danger model is a reaction to the stimulus considered harmful by body and not reaction to non-self, the foreign and immune cells of danger model are allowed to exist together.
The following figure illustrates the main principle of danger model and its comparison with information system as shown in the accompanying table(Jin, 2013).
“The cells undergoing distress or unnatural death transmit an alarm signal to Antigen Presenting Cells (APCs), thus simulating the APCs who in term stimulate the adaptive immune system’s ‘B’ and ‘T’ – cells into action in accordance with signal 1 and 2. The signal 1 is the binding of an immune cell to an antigenic pattern presented by an APC and signal 2 is either a help signal to activate a B–Cell or a co-stimulation signal given by APC to activate T-cells (Jin, 2013). Attempts have been made by various researchers to apply this ‘danger model’ to the data processing, worm response and detection, computer network intrusion detection, security monitoring and so on. Multidisciplinary research is required to build a robust and self-healing system of malware detection and defense in foreseeable future.
The malware designs are becoming extremely complex and complicated and have evolved over a period from innocent ‘internet-joy-rides’ to ‘precision cyber-weapons’ of military grade. While the script-kiddies would continue to exploit even old vulnerabilities spread across multiple platforms, the nation-states are looking at the cyber-domain as a fifth domain of war. They would continue to deploy dangerous weaponised-malware to inflict harm in the physical world. The ‘things’ of the ‘Internet of Things ‘would act as a ‘watering hole’ for the attackers to deploy malwares to use ‘insecure-simple-embedded-chips’ to enter into relatively secure computer systems. ‘Malware as a Service’ (MaaS) would become a reality very soon. Despite all efforts, it seems that the malware is here to stay and would continue to be used in future by hacker, curious mind and the warrior of the information age.
Note: The views expressed in this paper are of the author and do not necessarily reflect the views of the organizations where he worked in the past or is working presently. The author convey his thanks to Chevening TCS Cyber Policy Scholarship of UK Foreign and Commonwealth Office, who sponsored part of this study.
- *Abraham, S. and I. Chengalur-Smith. n.d. “An Overview of Social Engineering Malware: Trends, Tactics, and Implications.” Technology in Society 32(3):183–93.
- Applegate, S., C. Cossack, R. Ottis , and K. Ziolkowski. n.d. “The Principle Of Maneuver in Cyber Operations.” The Principle of Maneuver in Cyber Operations. Retrieved March 2015 (http://www.academia.edu/1436096/the_principle_of_maneuver_in_cyber_operation).
- Athanasopoulos, E. et al. 2008. “Antisocial Networks: Turning a Social Network into a Botnet” Information Security. Springer.
- *Davis, M. 2010. Hacking exposed malware & rootkits : Malware & rootkits security secrets & solutions. New York: McGraw Hill.
- Farewell, P., & Rohozinsk, R. 2011. “Stuxnet and the Future of Cyber War”. Survival, 53(1), 23-40. April 2, 2014, http://dx.doi.org/10.1080/00396338.2011.555586
- Feder, B. 2008. “A Heart Device Is Found Vulnerable to Hacker Attacks.” New York Times, 12.
- *Felt,, A., Finifter, M., Chin, E., Hanna, S., & Wagner, D. 2011. “A survey of mobile malware in the wild”. Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile DevicesACM, 3-3.
- Honeynet Project, “Know Your Enemy: Passive Fingerprinting, Identifying Remote Hosts, Without them Knowing”. 2002. Retrieved April 5, 2014, from http://old.honeynet.org/papers/finger/
- *Irani, D., Balduzzi, M., Kirda, D., & Pu, C. 2011. “Reverse social engineering attacks in online social networks”. Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 55-74). Springer.
- Jin, X. 2013. “ENSREdm: E-government Network Security Risk Evaluation Method Based on Danger Model”. Research Journal of Applied Sciences, Engineering and Technology, 5(21), 4988-4993. Retrieved from http://maxwellsci.com/print/rjaset/v5-4988-4993.pdf
- Unveiling “ Careto – The Masked APT”. 2014. Retrieved September 3, 2015, from http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
- Kumar, A. 2014, March. “Internet of Things (IOT): Seven enterprise risks to consider”. Retrieved April 2, 2015, from http://searchsecurity.techtarget.com/tip/Internet-of-Things-IOT-Seven-enterprise-risks-to-consider
- History of Malware. (n.d.). Retrieved April 2, 2014, from http://www.lavasoft.com/mylavasoft/company/blog/history-of-malware
- *Leavitt, N. 2010. “Researchers fight to keep implanted medical devices safe from hackers”. Computer, 43(8), 11-14.
- Luo, W., Liu, J., & Fan, C. 2009. “An analysis of security in social networks”. Dependable, Autonomic and Secure Computing, 2009. DASC’09. Eighth IEEE International Conference OnIEEE, 648-
- Matzinger, A. 2002. “The danger model: A renewed sense of self”. Science, 2002(12), 301-305. Retrieved April 5, 2014, from http://maxwellsci.com/print/rjaset/v5-4988-4993.pdf
- Mittal, S. 2014. The Threats and Opportunities in Cyber Domain. Essay submitted to Cranfield University.
- Nazario, J. 2004. Defense and Detection Strategies against Internet Worms. USA: Artech House.
- Nazario, J. 2001. “The Future of Internet Worms”. Retrieved September 3, 2015, from http://www.blackhat.com/presentations/bh-usa-01/JoseNazario/bh-usa-01-Joes-Nazario.pdf
- *Ransford, B., Clark, S., Kune, D., & Burleson, W. 2014. “Design Challenges for Secure Implantable Medical Devices”. Security and Privacy for Implantable Medical Devices, 157-173.
- *Santucci, G. 2011. “The Internet of Things: The Way Ahead”. Internet of Things-Global Technological and Societal Trends From Smart Environments and Spaces to Green ICT, 53.
- Scarfone, K., & Mell, P. 2007. “Guide to Intrusion Detection And Prevention System”. NIST Special Publication, 80-94. Retrieved April 5, 2014, from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
- Skardhamar, R. 1996. Virus Detection And Elimination (UK ed.). Academic Press.
- *Stammberger, K. 2009. “Current trends in cyber attacks on mobile and embedded systems”. Embedded Computing Design, 7(5), 8-12.
- Symantec. 2014. Worms. Retrieved September 3, 2015, from http://www.symantec.com/security_response/glossary/define.jsp?letter=w&word=worms
- Vance, J. 2011. “The Future of Malware”. Network World, (October). Retrieved April 5, 2014, from http://www.networkworld.com/news/2011/100311-malware-251426.html?page=1
- Viega, J., & Thompson, H. 2012. “The State of Embedded-Device Security (Spoiler Alert: It’s Bad)”. IEEE Security & Privacy, 10(5), 68-70.
- Zalewski, M. 2000. “I Don’ t think I Really Love you, or Writing Internet Worms for Fun and Profit”. Retrieved April 1, 2014, from http://lcamtuf.coredump.cx/worm.txt
- Zetter, K. 2012. “’Flame’ spyware infiltrating Iranian computers”. Wired. Retrieved April 1, 2014, from http://www.cnn.com/2012/05/29/tech/web/iran-spyware-flame
- Zetter, K. 2011. “Son of the Stuxnet in the Wild”. Wired. Retrieved April 1, 2014, from http://www.wired.com/2011/10/son-of-stuxnet-in-the-wild/
- Zoller, T. 2011. “Musings on Information Security – Luxembourg / A blog by Thierry Zoller.: Attacker Classes and Pyramid (Version 3)”. Retrieved April 1, 2014, from http://blog.zoller.lu/2011/10/attacker-classes-and-pyramid-version-1.html
* Indicates that the Abstract of this reference was read on Google Scholar as these references were not available to Author.
*Shri Sandeep Mittal, I.P.S., presently working as Deputy Inspector General of Police in LNJN National Institute of Criminology and Forensic Science, Ministry of Home Affairs, Government of India, Delhi since 2012, joined I.P.S. in 1995. He has served in various communally sensitive districts in Tamilnadu. He specializes in Cyber Security and was instrumental in neutralizing a number of ‘online-drug-trafficking-syndicates’ globally. He is Life Member of USI, Associate Member of IDSA and Life Member of Indian Society of Criminology. He is a Chevening Cyber Policy Scholar sponsored by Foreign & Commonwealth Office, United Kingdom.