What is malware? Malware is exactly what its name implies: mal (bad, in the sense of malignant or malicious rather than merely badly made) + ware (short for software). More specifically, malware is software that does not benefit the computer's owner and may actively harm them, and so is purely parasitic.
Software is classified as malware based on the perceived intent of its creator rather than on any particular feature. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious or unwanted programs. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.
Let’s review the most common types of malware:
- Adware
Adware is any advertising-supported software that plays, displays or downloads advertisements automatically on a user's computer once installed, or while the application is in use. Some adware is also spyware because of its privacy-invasive behaviour.
- Backdoor
A backdoor in a computer system (or cryptosystem or algorithm) is a means of bypassing normal authentication, obtaining remote access to a computer, reading plaintext and so on, while remaining undetected. A backdoor may take the form of a separately installed program, a modification to a program that is already installed, or a modification to a hardware device.
- Baiting
Baiting uses physical media and relies on the curiosity or greed of the victim. The attacker leaves malware-infected media, such as a CD-ROM or USB flash drive, in a public place where it is likely to be found, makes it look legitimate and appealing, and waits for a victim to use it. Baiting is easy to perform: an attacker might burn a malware-loaded CD bearing the company logo and the words "Company Reorganization Plan" and leave it on the lobby floor of the targeted company. An employee finds it and inserts it into a computer to satisfy their curiosity; by opening it to view its contents, the user unknowingly installs the malware, giving the attacker access to that computer and possibly to the company's network. If there is no mechanism to block the malware, computers set to auto-run inserted media could be compromised the moment the CD is inserted. Modern operating systems no longer execute inserted media automatically by default, but the attack still succeeds whenever the user opens a disguised executable or document by hand.
- Botnet
A botnet is a collection of software robots, or bots, that run automatically and autonomously. The term is usually associated with malware, although it can also describe a network of computers running legitimate distributed-computing software.
In the malware sense, a botnet is a group of compromised computers, called zombies, running bot software that was usually installed via worms, trojans or backdoors, all under a common command-and-control (C2) infrastructure.
- Browser plugin
A browser plugin is a software program that extends the capabilities of your Internet browser in a specific way. Not all browser plugins are harmful and some may be helpful. This category contains mostly dubious browser plugins such as "Search Assistant", toolbars, etc. that have been known to transmit user data to their creators or have been installed using covert means.
- Crimeware
Crimeware is malware designed to automate financial crime: it performs identity theft to gain access to users' accounts at financial institutions and online retailers, for the express purpose of stealing funds or making unauthorized transactions for the benefit of whoever controls the crimeware. Crimeware is also used to exfiltrate private information from a network for financial exploitation, and it is viewed as a growing concern in network security because it targets confidential information.
- Computer virus
A computer virus is software that can replicate itself and infect a computer without the informed consent or knowledge of the user. Some malware, adware and spyware is incorrectly called a "virus" even though it lacks the ability to copy itself. A real virus spreads from one system to another as executable code carried by its host file: the host is sent over a network or the Internet, attached to email, or moved on removable media such as a CD, DVD or USB drive. Infected files on a network file system, or any other situation where one computer can be reached from another, increase the chance of the infection spreading.
A computer virus is one kind of malware, a much broader term that also covers worms, trojans and other malicious software. Although technically distinct, viruses are often confused with worms and trojans. Unlike a virus, a worm exploits security holes to spread itself to other systems without needing a host file, while a trojan appears harmless but carries a hidden malicious payload. Once executed, a worm, trojan or virus can endanger a computer's data, operation or network connectivity. Some viruses and other malware make their presence obvious to the user; many others go unnoticed.
The growing number of computers connected to local area networks and the Internet creates an environment in which viruses spread easily. Increased use of email and instant messaging provides additional routes of infection.
- Computer worm
A computer worm is a self-replicating program that sends copies of itself across a computer network without any user involvement. Unlike a virus, a worm does not need to attach itself to an existing program; it typically spreads by exploiting vulnerabilities in network services. Worms often harm the network they traverse, most notably by consuming bandwidth.
- Data miner
A data miner's primary function is to gather data about an end user. Some adware applications may employ data mining abilities.
- Email bomb
An email bomb is a form of network abuse in which enormous numbers of messages are sent to one address to overflow the mailbox or overwhelm the mail server hosting it; it is a form of denial-of-service attack.
- Email spoofing
Email spoofing is the forging of an email so that parts of the header and the sender address make it appear to come from a different source. It is commonly used in spam and phishing to conceal the true origin of a message. By altering header fields such as From, Return-Path and Reply-To, a fraudster can make the message appear to come from someone other than the real sender. The From header is plain data supplied by the sending program; nothing in basic SMTP verifies it, which is why sender-authentication schemes such as SPF, DKIM and DMARC were introduced.
Sometimes the real source of a spam message is visible in the Reply-To field: a reply to the message is delivered to the address given there, which may be the spammer's. But most spam, especially malicious mail carrying a trojan or virus or advertising a website, forges this field as well, so replies go to another potential victim or to a dead address.
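The following is an added example, not code from the original page: it applies the header checks described above to a constructed message. The message, addresses and domains are all made up for illustration; the check parses the From, Return-Path and Reply-To headers with the standard library, compares their domains, and lists the Received chain, which is what an analyst reads next to see where the message really entered the mail system.

```python
"""Spot header inconsistencies that indicate a spoofed sender.

Added example, not from the original page. The message below is
constructed; the check compares the domains in From, Return-Path
and Reply-To and lists the Received chain, top (latest hop) first.
"""
from __future__ import annotations

from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample. The visible From claims to be a bank, while the
# envelope sender (Return-Path) and Reply-To point at other domains.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.example.org
Received: from [198.51.100.23] by mail-relay.example.net
From: "Example Bank Security" <security@examplebank.example>
Reply-To: "Example Bank Security" <verify@examplebank-login.example>
To: victim@example.org
Subject: Your account has been locked

Please reply with your credentials to unlock your account.
"""

SENDER_HEADERS = ("From", "Return-Path", "Reply-To")


def sender_domains(raw: str) -> dict[str, str | None]:
    """Return the domain of each sender-related header (None if absent)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    domains: dict[str, str | None] = {}
    for header in SENDER_HEADERS:
        value = msg.get(header)
        if value is None:
            domains[header] = None
            continue
        _display_name, addr = parseaddr(str(value))
        domains[header] = addr.rsplit("@", 1)[1].lower() if "@" in addr else None
    return domains


def received_chain(raw: str) -> list[str]:
    """Received headers in header order: the most recent hop comes first."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return [str(v) for v in msg.get_all("Received", [])]


def spoofing_indicators(raw: str) -> list[str]:
    """Human-readable findings; an empty list means the sender headers agree."""
    d = sender_domains(raw)
    findings: list[str] = []
    if d["From"] and d["Return-Path"] and d["Return-Path"] != d["From"]:
        findings.append(
            f"envelope sender domain {d['Return-Path']} differs from From domain {d['From']}"
        )
    if d["From"] and d["Reply-To"] and d["Reply-To"] != d["From"]:
        findings.append(
            f"Reply-To domain {d['Reply-To']} differs from From domain {d['From']}"
        )
    return findings


if __name__ == "__main__":
    for hop in received_chain(SPOOFED_MESSAGE):
        print("Received:", hop)
    for finding in spoofing_indicators(SPOOFED_MESSAGE):
        print("!", finding)
```

A domain mismatch between these headers is a signal, not proof: mailing-list software and bulk senders legitimately use a different envelope sender, so the result should feed a scoring rule alongside SPF, DKIM and DMARC results rather than block on its own.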
- Exploit
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability to cause unintended behaviour in software, hardware or another electronic device. This usually means seizing control of a computer system, escalating privileges, or causing a denial of service.
- Fast flux
Fast flux is a DNS technique used by botnets to hide phishing and malware-distribution sites behind a constantly changing set of compromised hosts acting as proxies. The domain's A records point to many different bot addresses and are served with very short TTLs, so successive lookups return different subsets of the botnet. Fast flux can also describe the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection that makes malware networks harder to detect and more resistant to takedown.
Internet users typically encounter fast flux in phishing attacks run by criminal organizations, including attacks on social networks.
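As an added example (not code from the original page), the heuristic below scores a domain's DNS answers for the fast-flux traits just described: many distinct addresses, short TTLs, and a high rate of change between lookups. The lookups are constructed; a real detector would replay resolver logs or passive-DNS data. The thresholds, and the use of /16 prefixes as a stand-in for counting distinct networks (ASNs), are assumptions made for illustration.

```python
"""Score a domain's DNS behaviour for fast-flux characteristics.

Added example, not from the original page. The lookups are constructed;
thresholds and the /16-prefix stand-in for distinct networks are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int                 # seconds since the first lookup
    ttl: int                # TTL returned with the A records
    addrs: tuple[str, ...]  # A records in this answer


# Constructed: a flux domain answers with a different handful of bot
# addresses every few minutes, all with a short TTL.
FLUX_LOOKUPS = [
    DnsAnswer(0,   180, ("203.0.113.5", "198.51.100.77", "192.0.2.130", "203.0.113.211", "198.51.100.9")),
    DnsAnswer(200, 180, ("192.0.2.45", "203.0.113.5", "198.51.100.200", "192.0.2.77", "203.0.113.99")),
    DnsAnswer(400, 180, ("198.51.100.33", "192.0.2.210", "203.0.113.150", "198.51.100.77", "192.0.2.9")),
    DnsAnswer(600, 180, ("203.0.113.8", "198.51.100.6", "192.0.2.66", "203.0.113.40", "198.51.100.88")),
]

# Constructed: an ordinary site has two stable addresses and a long TTL.
STABLE_LOOKUPS = [
    DnsAnswer(0,   3600, ("203.0.113.10", "203.0.113.11")),
    DnsAnswer(200, 3600, ("203.0.113.10", "203.0.113.11")),
    DnsAnswer(400, 3600, ("203.0.113.11", "203.0.113.10")),
]


def flux_metrics(lookups: list[DnsAnswer]) -> dict[str, float]:
    """Unique addresses, distinct /16 prefixes, mean TTL and answer churn."""
    unique = {ip for answer in lookups for ip in answer.addrs}
    # /16 prefixes approximate "different networks"; real detectors map to ASNs
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in unique}
    mean_ttl = sum(a.ttl for a in lookups) / len(lookups)
    # churn: fraction of each answer's addresses absent from the previous answer
    churn = 0.0
    if len(lookups) > 1:
        churn = sum(
            len(set(cur.addrs) - set(prev.addrs)) / len(cur.addrs)
            for prev, cur in zip(lookups, lookups[1:])
        ) / (len(lookups) - 1)
    return {
        "unique_ips": len(unique),
        "prefixes": len(prefixes),
        "mean_ttl": mean_ttl,
        "churn": churn,
    }


def looks_fast_flux(
    lookups: list[DnsAnswer],
    max_ttl: int = 300,        # assumed threshold: flux domains use very short TTLs
    min_unique_ips: int = 10,  # assumed threshold: many distinct bot addresses
    min_prefixes: int = 3,     # assumed threshold: spread across several networks
    min_churn: float = 0.5,    # assumed threshold: answers change between lookups
) -> bool:
    m = flux_metrics(lookups)
    return (
        m["mean_ttl"] <= max_ttl
        and m["unique_ips"] >= min_unique_ips
        and m["prefixes"] >= min_prefixes
        and m["churn"] >= min_churn
    )


if __name__ == "__main__":
    for label, lookups in (("flux", FLUX_LOOKUPS), ("stable", STABLE_LOOKUPS)):
        print(label, flux_metrics(lookups), looks_fast_flux(lookups))
```

Content delivery networks also return many addresses with short TTLs, so in practice the address diversity is weighted by how many different autonomous systems and how many residential (consumer-ISP) ranges the addresses fall into; a CDN's addresses cluster in a few provider networks, a botnet's do not.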
- Fraudulent dialers
Dialers connect a computer to the Internet over a modem, but fraudulent dialers are designed to connect to premium-rate numbers instead. They are often installed through security holes in the operating system and change the computer's dial-up settings so that connections go through the premium-rate number; the extra charges are collected by the provider of that number. Some dialers tell the user that the special number gives access to special content, which is usually illegal material or downloads.
Users on DSL or other broadband connections are usually not affected, since a dialer depends on an ordinary phone line. But if an ISDN adapter or an additional analog modem is installed, the dialer may still be able to connect.
Malicious dialers can be identified by:
- A download pop-up opens when a website is opened.
- The website may or may not discreetly display a price.
- The download starts even if the cancel button is clicked.
- The dialer installs itself as the default connection without notice.
- The dialer makes unwanted connections without any user action.
- No notice of the price is presented before dialing in.
- The high price of the connection is not shown while connected.
- The dialer cannot be easily uninstalled, if at all.
- Hijacker
A hijacker is an application that takes control of the user's home page and replaces it with one of its own choosing. It is a low security threat, but annoying. Most hijackers use stealth techniques or misleading dialog boxes to get themselves installed.
Browser hijackers commonly do one or more of the following:
- Change your search page and route all searches through a pay-per-search site
- Change your default home page to the company's page, sometimes a portal featuring porn sites
- Transmit the URLs you visit to the company's server
- Keylogger
A keylogger is surveillance software that records every keystroke a user makes and saves it to a log file, which is often obfuscated or encrypted to avoid casual inspection. It captures everything typed, including instant messages, email and passwords. Some keyloggers also record the email addresses the user writes to and the URLs they visit. The log file can then be sent to a designated recipient.
As a surveillance tool, keyloggers are sometimes used by employers to ensure that work computers are used for business purposes only. But keyloggers are also embedded in spyware, sending the user's information to an unauthorized third party.
- Loyaltyware
Loyaltyware is a sub-form of adware built around the concept of user loyalty: it offers incentives such as cash, points, airline miles or other goods while the user shops.
- Parasiteware
Parasiteware is the term for adware that by default overwrites affiliate tracking links. Webmasters use these links to earn commission on product sales and to help fund their sites. The controversy centres on companies such as WhenU, eBates and Top Moxie, popular makers of adware applications, which release software meant to help users get credit for rebates, cash-back shopping or contributions to funds. To the end user, parasiteware represents little in the way of a security threat.
- Phishing
Phishing is the criminal practice of collecting sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. Messages purporting to come from well-known social networks, auction sites, online payment processors or IT administrators are common lures for the unsuspecting user. Phishing is usually carried out by email or instant messaging and directs users to enter their details at a fake website that mimics a legitimate one. Server authentication is little help here: the fake site can present a perfectly valid certificate for its own lookalike domain, so the browser padlock shows only that the connection is encrypted, not that the site is the one the user thinks it is. Phishing is a form of social engineering that exploits weaknesses in web security technology and in users' habits. The rising number of phishing scams has prompted more legislation, user training, public awareness campaigns and technical countermeasures.
- Rogue security software
Rogue security software uses malware or deceptive tactics to advertise or install itself, or forces users to pay to remove non-existent malware. Downloading the "trial version" often installs a trojan or runs other unwanted actions. The makers want users to install and purchase their product, and a common tactic is to display fake Windows dialog boxes or browser pop-ups with messages that entice the user to click: "WARNING! Your computer is infected with Spyware/Adware/Viruses! Buy [software name] to remove it!", or "Click OK to scan your system" with no mention of purchase, or "Your computer/Internet connection/OS is not optimized, click here to scan now". Clicking OK takes the user to a malicious website that installs the program. Sometimes clicking the close or X button has the same effect, because the "dialog" is really a web page element on which every click is a link. (To avoid that trick, close the window with Alt+F4, or kill the browser from the Task Manager, reached with Ctrl+Alt+Delete.) Some rogue software downloads the trial version automatically with no user interaction at all. Many sites also install several trojans at once by first downloading a dropper, which then loads assorted malware onto the unsuspecting user's computer.
- Rootkit
A rootkit is a set of one or more programs designed to hide the fact that a system has been compromised. It replaces or subverts essential system components so that the processes and files installed by the attacker, and the rootkit itself, are concealed. Its goal is control of the operating system while evading standard security mechanisms: hiding running processes from monitoring tools, and hiding files or system data from the operating system's own interfaces. Rootkits are often delivered as trojans, tricking the user into thinking they are safe to run. They can also install a backdoor, for example by replacing the login program (such as /bin/login) with one that accepts a secret username and password, so the attacker retains access even after the legitimate accounts are changed.
The term originally referred to a kit of modified Unix utilities (ls, ps, netstat, login and the like) that let an intruder keep root access while hiding their tracks; today rootkits are produced as malware to let attackers use systems undetected. Rootkits exist for a variety of operating systems, including Microsoft Windows, Linux, Mac OS and Solaris. They commonly install themselves as device drivers or kernel modules, or patch parts of the operating system, depending on the internals of the platform. Because a kernel-level rootkit sits below the tools used to inspect the system, it can lie to them; trustworthy detection therefore means examining the disk from clean boot media, or comparing files against a baseline stored somewhere the rootkit cannot reach.
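The baseline comparison mentioned above, as an added example (not code from the original page): it does in miniature what file-integrity checkers such as Tripwire and AIDE do. It hashes every file under a directory, stores the hashes, and later reports anything modified, missing or added. The directory, the "binaries" and the tampering are all constructed inside a temporary folder; the file names are assumptions for illustration.

```python
"""Detect replaced or planted system binaries against a known-good baseline.

Added example, not from the original page. The directory tree, the file
contents and the tampering are constructed in a temporary folder.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):   # os.walk also lists dotfiles
        for name in files:
            full = Path(dirpath) / name
            manifest[str(full.relative_to(root))] = sha256_of(full)
    return manifest


def verify_manifest(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state with the stored baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Simulate a rootkit replacing login, deleting netstat and adding a hidden file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        for name in ("login", "ls", "ps", "netstat"):     # constructed stand-ins
            (root / name).write_bytes(b"#!/bin/sh\n# clean " + name.encode() + b"\n")
        baseline = build_manifest(root)   # in practice stored offline or on read-only media

        # Tampering: backdoored login, removed netstat, new hidden loader
        (root / "login").write_bytes(b"#!/bin/sh\n# also accepts a secret password\n")
        (root / "netstat").unlink()
        (root / ".rk").write_bytes(b"loader")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the environment it runs in: a kernel rootkit can intercept the reads and return the clean file's bytes, so the manifest must be kept where the compromised host cannot rewrite it, and the verification should be run from a clean boot when a compromise is suspected.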
- Smishing
Smishing is a criminal activity that uses social engineering techniques similar to phishing; the name comes from "SMS phishing". SMS, the Short Message Service, is the technology behind text messaging on mobile phones. Like phishing, smishing uses text messages to lure a user into revealing personal information. The "hook" in the message may be a website URL, but more typically it is a phone number that connects to an automated voice response system.
- Smurf attack
The Smurf attack is a way of generating a large volume of traffic on a computer network. It is a denial-of-service attack that overwhelms a target via spoofed broadcast ping messages: the attacker sends a stream of ICMP echo requests (pings) to IP broadcast addresses, each with its source address forged to be the victim's. If the router serving those broadcast addresses forwards the packet to every host on the subnet, each host that answers sends an echo reply to the victim, multiplying the traffic by the number of responding hosts; hundreds of machines on a multi-access broadcast network could reply to each packet. The defence is to stop the amplification at the network edge: since RFC 2644 (1999) routers are expected not to forward directed broadcasts by default, and hosts can be configured to ignore broadcast echo requests, so the classic Smurf attack is now rare, although the same reflection-and-amplification pattern lives on in other protocols.
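As an added example (not code from the original page), the following flags the traffic pattern described above from the amplifier's side: echo requests whose destination is the directed-broadcast address of a local subnet. The packet records are constructed (source, destination, ICMP type); a real deployment would read them from a flow export or a packet capture. It reports which forged source address (the real victim) is being amplified and how many replies the abused subnets could generate in the worst case.

```python
"""Flag ICMP echo requests aimed at directed-broadcast addresses.

Added example, not from the original page. Subnets and packet records are
constructed; ICMP type 8 is an echo request, type 0 an echo reply.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

ECHO_REQUEST = 8
ECHO_REPLY = 0

# Constructed: subnets behind the router that would act as the amplifier
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed records: (src, dst, icmp_type)
PACKETS = [
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),     # forged victim -> directed broadcast
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),
    ("203.0.113.9", "192.0.2.255", ECHO_REQUEST),
    ("203.0.113.9", "198.51.100.127", ECHO_REQUEST),  # broadcast address of the /25
    ("192.0.2.10", "192.0.2.20", ECHO_REQUEST),       # ordinary host-to-host ping
    ("192.0.2.20", "192.0.2.10", ECHO_REPLY),         # its reply
    ("203.0.113.9", "192.0.2.255", ECHO_REPLY),       # a reply to a broadcast: not a trigger
]


def broadcast_subnet(dst: str, subnets):
    """Return the local subnet whose directed-broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr == net.broadcast_address:
            return net
    return None


def smurf_report(packets, subnets) -> dict[str, dict[str, int]]:
    """Per forged source: number of triggering packets and worst-case reply count."""
    report: dict[str, Counter] = {}
    for src, dst, icmp_type in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        net = broadcast_subnet(dst, subnets)
        if net is None:
            continue
        counts = report.setdefault(src, Counter())
        counts["triggers"] += 1
        # every usable host address in the subnet may answer one request
        counts["max_replies"] += net.num_addresses - 2
    return {src: dict(c) for src, c in report.items()}


if __name__ == "__main__":
    for victim, counts in smurf_report(PACKETS, LOCAL_SUBNETS).items():
        print(f"{victim}: {counts['triggers']} triggers, up to {counts['max_replies']} replies")
```

The worst-case figure assumes every host answers; in practice the ratio is lower, but even a fraction of a /24 answering each packet turns a modem-speed attacker into a link-saturating flood, which is why the fix is to drop directed broadcasts at the router rather than to rate-limit replies.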
- Spamware
Spamware is software designed by or for spammers. It can import thousands of email addresses, generate random addresses, insert fraudulent headers into messages, use multiple mail servers at once, and send through open relays. Spamware is also used to harvest email addresses, building lists for spamming or for sale to spammers.
- Spyware
Spyware is software installed on a user's computer without their express consent, for the purpose of collecting information about the user, the computer or the user's browsing habits.
As the term implies, spyware secretly monitors the user's behaviour, and it can also collect various kinds of personal information, including web-surfing habits and sites visited. Spyware can also interfere with the user's control of the computer by installing additional software and redirecting browser activity. It is known to change computer settings in ways that slow connection speeds, load a different home page, or break Internet connectivity or program functionality.
With the proliferation of spyware, an anti-spyware industry has sprung up, and running anti-spyware software is now a widely accepted practice for securing Microsoft Windows desktops. A number of anti-spyware laws have been passed, targeting any software that is surreptitiously installed with the intent to control a user's computer. Because of its privacy-invasive nature, the US Federal Trade Commission has published advice for consumers on how to lower the risk of spyware infection.
- Trojan horse
The Trojan horse, or trojan, is malware that appears to perform a normal function but conceals malicious functions that run with the user's privileges and without their knowledge. A trojan can let an attacker store files on the victim's computer, watch the screen, or control the machine remotely.
A trojan is not technically a virus, since it does not replicate itself, but it is easily and unknowingly downloaded by the user. One example is a computer game that, when run, lets a remote attacker control the user's computer; in that case the game is the trojan.
- Wabbit
Wabbits are rare, and it is not hard to see why: they do nothing to spread to other machines. A wabbit, like a virus, replicates itself, but it has no code to email itself or copy itself across a network to infect other hosts. The least ambitious of all malware, it concentrates on devastating a single machine, typically by replicating until it exhausts memory, disk space or the process table; a fork bomb is the classic example.