Hello, my name is John Hays, I'm a security training engineer for Palo Alto Networks. What we're going to talk about for the next few minutes is what the difference is between malware and exploits, or also malicious executables. To get started, most industries indicate that we have bad things that happen to our endpoints. Most of the industry indicates that these are known as malware. A specific definition of malware: malware is generally software that is designed to do bad things or malicious things to some endpoint, PC or server. Most people understand that's what malware is. However, there are two sub-components of malware that you need to be aware of to effectively protect your endpoint, and those are known as malicious executables and also as exploits. 

Let's talk about these two subjects here really quick. We'll do the first one, the easiest one, first: we have malicious executables here. Now, malicious executables are fairly easy to explain. They're self-contained code that's designed to take over or compromise an endpoint or system itself. They're self-contained, so they don't have any reliance or any external requirement to run. If a user double-clicks on them, or if that specific file is inadvertently downloaded and executed, then on that execution the machine is generally compromised. Malicious executables are basically files that are self-contained; these include EXEs, screensavers or SCRs, and COM files that generally have the ability to perform self-contained execution. Now, in the industry, every year there are millions of variants of specific malware. Those millions of variants generally do a lot of the same thing; however, the code is tweaked just a little bit so that it can hide itself from protection that generally is signature-based. The underlying code does the same thing; it's just that we're tweaking it to hide it, and that's why there are so many of them. 
Now, the other area that we have, as far as malware is concerned, is known as exploits. Now, exploits are a little bit different. Exploits have a dependency, and the dependency is based upon what's known as a software vulnerability. For me to run an exploit and be successful, we have to have a vulnerability first. An exploit takes advantage of a vulnerability, and what's a vulnerability? A vulnerability is basically a bug in the software code where you're allowed to do something that the initial software developer did not intend the machine to do. A simple example would be a buffer overflow. For an exploit to be effective, the vulnerability has to exist. Now, vulnerabilities are tracked by a specific company, and when they are known, they are assigned what's known as a CVE, a Common Vulnerability and Exposure identification. These CVEs have been increasing significantly over the past few years, and the number of CVE numbers has actually increased from thousands to tens of thousands. But for the sake of discussion here, let's say that we have thousands of different vulnerabilities that are available. Not all vulnerabilities will have exploits; the bad guys generally look for areas where they can take advantage of a vulnerability to attempt to control the machine itself, and we have these thousands of different vulnerabilities. Now, an exploit generally has to perform certain actions to be successful, and all of these actions have to take place; this is also known as an exploitation technique. Now, exploitation techniques, unlike malware or malicious executables, are normally small in number. Generally, somewhere between 20-30 different techniques are used by all vulnerabilities within the system. Think about this for a second. If I want to be able to prevent exploits from infiltrating or taking control of my system, do I want to go in and chase thousands of vulnerabilities, or would I rather go ahead and take a look at 20-30 different techniques? 
These are the 20-30 techniques that are used by these thousands of vulnerabilities that get discovered every year. Now, the other important thing that we need to know is that exploits require multiple techniques to be successful in an attack. On average, an exploit contains somewhere between 2-6 techniques to be effective. Why do we use, or why do the bad guys use, malicious executables versus exploits? Well, with malicious executables, we have to get the user to run that specific application. They're easier, they're self-contained, and they're more successful if we get them to run, but with the education nowadays, most users don't run executables. So what the bad guys do is refer or fall back to exploits to be able to trick the user into running exploitable code. One of the other things that we haven't mentioned is that exploits do not use executable files; they're embedded in standard data files. We have PDFs, Doc files, Excel documents, and Flash files; those are non-executable files. In other words, what I need for these files to run is to launch an application: Microsoft Office, Adobe Acrobat, Flash Player. The exploit contained in that specific file is the malicious code, and it is carried inside legitimate files. The file normally will open up and you can see something go on, but in the background, it's attempting to gain access to your system through the vulnerability for that specific technique. The effective way to prevent this, instead of looking at the vulnerabilities, is to attempt to identify and block those techniques that are there. The two different attack vectors that we have here for malware are broken down into two different areas. We have malicious executables, and we have exploits that take advantage of exploit techniques and vulnerabilities within the operating system itself. 
For an effective defense for your endpoint, your endpoint protection products need to be able to handle both of these types of attack vectors on their enterprise endpoints. This is the best explanation of how you can handle, or how you protect, your endpoints against malware, regardless of whether it is malicious executables or exploitation.
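The talk splits malware into two delivery vectors: self-contained executables (EXE, SCR, COM) that run on their own, and data files (PDF, Doc, Excel, Flash) that need a host application and are where exploits ride. The triage helper below is an added example, not code from the talk or from Palo Alto Networks; it sorts files into those two classes by their leading "magic" bytes rather than by file extension, so a PE image renamed to look like a document is still reported as an executable. The format signatures are the standard, publicly documented ones; all sample file contents, file names and the function names are constructed for this example. It says only which vector class a file could carry, not whether the file is malicious.

```python
"""Triage helper (added example): classify files by the vector class they can carry.

"self-contained-executable"  -> runs on its own when launched (EXE/SCR are PE images, COM is raw)
"host-application-data"      -> needs Office, Acrobat/Reader or Flash Player to open
"""
from pathlib import PurePath

# Data formats that need a host application: leading bytes -> (format, host application)
HOST_APP_MAGIC = {
    b"%PDF-": ("pdf", "Adobe Acrobat/Reader"),
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("ole-compound", "Microsoft Office (legacy .doc/.xls)"),
    b"PK\x03\x04": ("zip-container", "Microsoft Office (OOXML .docx/.xlsx) or other zip-based format"),
    b"FWS": ("flash-swf", "Flash Player"),
    b"CWS": ("flash-swf", "Flash Player (zlib-compressed)"),
    b"ZWS": ("flash-swf", "Flash Player (LZMA-compressed)"),
}

EXEC_EXTENSIONS = {".exe", ".scr", ".com"}
DOC_EXTENSIONS = {".pdf", ".doc", ".xls", ".docx", ".xlsx", ".swf"}


def _is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> dict:
    """Classify one file by content; flag when the extension disagrees with the content."""
    ext = PurePath(name).suffix.lower()
    if data.startswith(b"MZ"):
        fmt = "pe-executable" if _is_pe(data) else "mz-dos-executable"
        return {"kind": "self-contained-executable", "format": fmt, "host": None,
                "extension_mismatch": ext not in EXEC_EXTENSIONS}
    for magic, (fmt, host) in HOST_APP_MAGIC.items():
        if data.startswith(magic):
            return {"kind": "host-application-data", "format": fmt, "host": host,
                    "extension_mismatch": ext not in DOC_EXTENSIONS}
    # Caveat: a DOS .com file is a raw 16-bit image with no magic bytes at all,
    # so the extension is the only signal available for that format.
    if ext == ".com":
        return {"kind": "self-contained-executable", "format": "dos-com", "host": None,
                "extension_mismatch": False}
    return {"kind": "unknown", "format": None, "host": None, "extension_mismatch": False}


def triage(files: dict) -> dict:
    """Classify a mapping of file name -> bytes."""
    return {name: classify(name, data) for name, data in files.items()}


def summarize(results: dict) -> dict:
    """Count files per vector class and list names whose extension disagrees with content."""
    summary = {"self-contained-executable": 0, "host-application-data": 0, "unknown": 0,
               "extension_mismatches": []}
    for name, info in results.items():
        summary[info["kind"]] += 1
        if info["extension_mismatch"]:
            summary["extension_mismatches"].append(name)
    return summary


def _fake_pe() -> bytes:
    """Constructed bytes with a valid MZ/PE header layout only; not a runnable program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)           # 64-byte DOS stub
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed sample files (names and contents made up for this example).
SAMPLES = {
    "photo_viewer.scr": _fake_pe(),                                   # screensaver = PE image
    "statement.pdf": _fake_pe(),                                      # PE disguised as a PDF
    "legacy_tool.com": b"\xb8\x00\x4c\xcd\x21",                       # raw 16-bit bytes, no magic
    "quarterly_report.pdf": b"%PDF-1.7\n% constructed sample\n",
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "banner.swf": b"CWS\x0a" + b"\x00" * 8,
    "readme.txt": b"plain text, constructed",
}

if __name__ == "__main__":
    results = triage(SAMPLES)
    for name, info in results.items():
        flag = "  <-- extension/content mismatch" if info["extension_mismatch"] else ""
        print(f"{name:24} {info['kind']:28} {info['format']}{flag}")
    print(summarize(results))
```

Classifying on content first is the point: the extension only decides the `.com` case, where no signature exists, and an extension that disagrees with the content is itself worth surfacing in triage.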