When Does Software Start Becoming Malware?

This post was authored by Earl Carter, Alex Chiu, Joel Esler, Geoff Serrao, and Brandon Stultz.

Defining malware relies on determining when undesirable behavior crosses the line from benign to clearly unwanted. The lack of a single standard for what is and is not acceptable behavior has created a murky gray area, and vendors have taken advantage of it to push the limits of acceptable behavior. The “Infinity Popup Toolkit” is a prime example of software that falls into this gray area: it bypasses browser pop-up blocking but otherwise exhibits no other unwanted behavior. After analyzing the toolkit, Talos determined that software exhibiting this type of unwanted behavior should be considered malware, and this post provides our reasoning.


Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior, such as the Java installer including a default option to install the toolbar. Even though many users objected to the inclusion of the toolbar, Oracle only recently discontinued bundling it with Java downloads, after Microsoft changed its definition of malware in a way that classified the toolbar as malware.

There is more to unwanted software than just browser toolbars or widgets. Suppose a piece of software exhibits the following characteristics. Would this be considered malware?

  • The user was not given a choice whether or not to execute this piece of software.
  • The software was designed to specifically bypass browser security and privacy controls using clickjacking techniques.
  • The software avoids detection by encrypting portions of its payload.
  • Extensive fingerprinting (browser, plugins, operating system, and device type) takes place, and the results are sent to a third party without user consent.

Get Your WLAN Ready for Google Android L and Apple iOS 8

This fall your wireless networks will experience many devices upgrading to the new Android 5.0 (L release) and Apple iOS 8 releases (cue: IT managers groan). There have now been many blogs attempting to capture the enhancements expected with these releases. Today I am going to focus on describing how Android L and iOS 8 may affect customers deploying Cisco enterprise-grade Wi-Fi networks, based upon our research and testing of the Apple seed. Our verdict: carry on with business as usual.

Here are four features we predict will have the most impact on your networks:

1. Chromecast and Google Cast Enhancements (Android L)

Rishi Chandra, the Director of Chromecast Product Management, announced that, starting with the Android L release, users have the ability to cast to neighboring devices such as a TV without having to connect to your Wi-Fi network. In the demo, a phone used its cellular connection to reach the Chromecast through the cloud. A variety of techniques are used to authenticate users who are in the same room, or a PIN code can be used as an alternative. Users can Google Cast an ecosystem of applications, or even their own applications, from any Android or iOS device as well as from cloud-based apps on Chrome.

Predicted Impact: Given that this feature works transparently to the Wi-Fi network, we expect no impact on the WLAN in the classrooms, dorm rooms, or auditoriums where it will most likely be used.

2. Peer-to-peer AirPlay discovery and playback (iOS 8)

Starting with the iOS 7.1 release, AirPlay devices can discover an Apple TV via Bluetooth. Users can also secure their Apple TV with a 4-digit PIN code. With the iOS 8 release, AirPlay devices can also mirror their content via AirDrop. This feature offers customers an alternative method for discovery and mirroring of Bonjour traffic without accessing the corporate Wi-Fi network.

Predicted Impact: Again, this feature operates transparently to the Wi-Fi network, so customers using it should not see any impact on the WLAN. Cisco wireless customers also have the ability to use the Service Discovery Gateway on Cisco IOS based switches, routers, or wireless LAN controllers, or the Bonjour Services Directory on AireOS controllers.

