Malware, short for malicious software, is software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. While it is often software, it can also appear in the form of scripts or code. ’Malware’ is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs. In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states. Malware is not the same as defective software, which is software that has a legitimate purpose but contains harmful bugs that were not noticed before release. However, some malware is disguised as genuine software, and may come from an official company website. An example would be software used for harmless purposes that also includes tracking software to gather marketing statistics for advertising by the software producer.
Therefore, some security programs may find “potentially unwanted programs” when scanning for malware. While a computer virus is malware that can reproduce itself, the term is sometimes used incorrectly to refer to the entire category. An example of a computer virus which is not a malware, but is benevolent is Fred Cohen’s compression virus.
Many early infectious programs, including the first Internet Worm, were written as experiments or pranks. They were originally intended to be used for amusement purposes rather than for malicious ones. In some cases, the perpetrator did not realize how much harm his or her creations would do.
Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others. Malware is sometimes used broadly against corporations to gather guarded information, but also to disrupt their operation in general. Malware is often used against individuals to gain similar personal information such as social security numbers, bank or credit card account information, and so on. Left un-guarded, personal and networked computers can be at considerable risk against these threats. (These are most frequently counter-acted by various types of firewalls, anti virus software, and network hardware).
Some programs are designed with hostile intent to disrupt operations by causing data loss. Many DOS viruses, and the Windows Explore Zip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing invalid data to them. Network- borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category.
Since the rise of widespread broadband Internet access, malicious software has been designed increasingly for profit (such as forced advertising). Since 2003, the majority of widespread viruses and worms have been designed to take control of users’ computers for black-market exploitation.Infected “zombie computers” are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged, called spyware. These programs are designed to monitor users’ web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes. They can also be packaged together with user-installed software, such as peer-to-peer applications.
2.Infectious malware: viruses and worms
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any specific types of behavior. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload that performs other actions, often malicious. On the other hand, aworm is a program that actively transmits itself over a network to infect other computers. It too may carry a payload.
These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms. Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.
2.1. History of viruses and worms
Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot-able floppies, so they spread rapidly in computer hobbyist circles.
The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities) in network server programs and started itself running as a separate process. This same behavior is used by today’s worms as well.
With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code.
Today, worms are most commonly written for the Windows OS, although a few like Mare-D and theLion worm are also written for Linux and Unix systems. Worms today work in the same basic way as 1988’s Internet Worm: they scan the network and use vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.
3. Concealment: Trojan horses, rootkits, and backdoors
3.1 Trojan horses
For a malicious program to accomplish its goals, it must be able to run without being detected, shut down, or deleted. When a malicious program is disguised as something normal or desirable, users may will fully install it without realizing it. This is the technique of the Trojan horse or Trojan. In broad terms, a Trojan horse is any program that invites the user to run it, concealing harmful or malicious code. The code may take effect immediately and can lead to many undesirable effects, such as deleting the user’s files or installing additional harmful software.
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed as well. Spyware authors who attempt to act in a legal fashion may include anend-user license agreement that states the behavior of the spyware in loose terms, which users may not read or understand.
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection. Techniques known as rootkits allow this concealment, by modifying the host’s operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system’s list of processes, or keep its files from being read.
A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised, one or more backdoors may be installed in order to allow easier access in the future. Backdoors may also be installed prior to malicious software, to allow attackers entry.
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.
4. Malware for profit: spyware, botnets, keystroke loggers, and “Ransom” Malware
During the 1980s and 90s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. Since then, a greater share of malware programs have been written with a profit motive (financial or otherwise) in mind.
Spyware programs are commercially produced for the purpose of gathering information about computer users. Some examples being pop-up ads or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called “stealware” by the media, overwrite affiliate marketing codes so that revenue is redirected to the spyware creator instead of the intended recipient.
Another way that financially motivated malware creators can profit from infecting computers is to directly use the infected computers to work for them. The infected computers are used to send out spam messages (as proxies). A computer in this state is often known as a zombie computer. The advantage for spammers of using infected computers is anonymity, which can protect the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with attacks designed to stop their intervention (i.e. distributed denial-of-service attacks). In order to coordinate the activity of many infected computers, attackers sometimes use coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system.
5. Data-stealing malware
Data-stealing malware is a web threat that divest victims of personal and proprietary information with the purpose of monetizing stolen data through direct use or underground distribution. Content security threats that fall under this umbrella include keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However, when these threats result in file download or direct installation, as most hybrid attacks do, files that act as agents to proxy information will fall into the data-stealing malware category.
5.1 Characteristics of data-stealing malware
Does not leave traces of the event
- The malware is typically stored in a cache that is routinely flushed
- The malware may be installed via a drive-by-download process
- The website hosting the malware as well as the malware is generally temporary or rogue
Frequently changes and extends its functions
- It is difficult for antivirus software to detect final payload attributes due to the combination(s) of malware components
- The malware uses multiple file encryption levels
Thwarts Intrusion Detection Systems (IDS) after successful installation
- There are no perceivable network anomalies
- The malware hides in web traffic
- The malware is stealthier in terms of traffic and resource use
Thwarts disk encryption
- Data is stolen during decryption and display
- The malware can record keystrokes, passwords, and screenshots
Thwarts Data Loss Prevention (DLP)
- Leakage protection hinges on metadata tagging, not everything is tagged
- Miscreants can use encryption to port data
5.2. Examples of data-stealing malware
- Bancos, an info stealer that waits for the user to access banking websites then spoofs pages of the bank website to steal sensitive information.
- Gator, spyware that covertly monitors web-surfing habits, uploads data to a server for analysis then serves targeted pop-up ads.
- LegMir, spyware that steals personal information such as account names and passwords related to online games.
- Qhost, a Trojan that modifies the Hosts file to point to a different DNS server when banking sites are accessed then opens a spoofed login page to steal login credentials for those financial institutions.
5.3. Data-stealing malware incidents
- Albert Gonzalez(not to be confused with the U.S. Attorney General Alberto Gonzalez) is accused of masterminding a ring to use malware to steal and sell more than 170 million credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the firms targeted were BJ’s Wholesale Club, TJX, DSW Shoes, OfficeMax, Barnes & Noble, Boston Market, Sports Authority and Forever 21.
- A Trojan horse program stole more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide Inc’s job search service. The data was used by cyber criminals to craft phishing emails targeted at Monster.com users to plant additional malware on users’ PCs.
- Customers ofHannaford Bros. Co., a supermarket chain based in Maine, were victims of a data security breach involving the potential compromise of 4.2 million debit and credit cards. The company was hit by several class-action law suits.
- TheTorpig Trojan has compromised and stolen login credentials from approximately 250,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.
5.4. Controversy about assignment to spyware
There is a group of software (Alexa toolbar, Google toolbar, Eclipse data usage collector, etc.) that send data to a central server about which pages have been visited or which features of the software have been used. However differently from “classic” malware these tools document activities and only send data with the user’s approval. The user may opt in to share the data in exchange to the additional features and services, or (in case of Eclipse) as the form of voluntary support for the project. Some security tools report such loggers as malware while others do not. The status of the group is questionable. Some tools like PDF Creator are more on the boundary than others because opting out has been made more complex than it could be (during the installation, the user needs to uncheck two check boxes rather than one). However, PDF Creator is only sometimes mentioned as malware and is still a subject of discussions.
6. Vulnerability to malware
In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
- Homogeneity: e.g. when all computers in a network run the same operating system; upon exploiting one, one can exploit them all.
- Weight of numbers: simply because the vast majority of existing malware is written to attack Windows systems, then Windows systems are more vulnerable to succumbing to malware attacks (regardless of the security strengths or weaknesses of Windows itself).
- Defects: malware using defects in the operating system design.
- Unconfirmed code: code from afloppy disk, CD-ROM or USB device may be executed without the user’s permission.
- Over-privileged users: some systems allow all users to modify their internal structures. This was the standard operating procedure for early microcomputer and home computer systems, where there was no distinction between anAdministrator or root, and a regular user of the system.
- Over-privileged code: some systems allow code executed by a user to access all rights of that user. Also standard operating procedure for early microcomputer and home computer systems.
7. Anti-malware Strategies
As malware attacks become more frequent, attention has begun to shift from viruses and spyware protection, to malware protection, and programs that have been specifically developed to combat malware.
7. 1. Anti-virus and Anti-Malware software
Anti-virus and anti-malware software commonly hooks deep into the operating system’s core or kernelfunctions in a manner similar to how malware itself would attempt to operate, though with the user’s informed permission for protecting the system. Any time the operating system does something, the anti-malware software checks that the OS is doing an approved task. This commonly slows down the operating system and/or consumes large amounts of system memory. The goal is to preempt any operations the malware may attempt on the system, including activities which might exploit bugs or trigger unexpected operating system behavior.
Anti-malware programs can combat malware in two ways:
- They can provide real time protection against the installation of malware software on a computer. This type of spyware protection works the same way as that of antivirus protection in that the anti-malware software scans all incoming network data for malware software and blocks any threats it comes across.
- Anti-malware software programs can be used solely for detection and removal of malware software that has already been installed onto a computer. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs on a computer and will provide a list of any threats found, allowing the user to choose which files to delete or keep, or to compare this list to a list of known malware components, removing files that match.
Real-time protection from malware works identically to real-time antivirus protection: the software scans disk files at download time, and blocks the activity of components known to represent malware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many malware components are installed as a result of browser exploits or user error, using security software (some of which are anti-malware, though many are not) to “sandbox” browsers (essentially babysit the user and their browser) can also be effective in helping to restrict any damage done.
7.2. Website security scans
As malware also harms the compromised websites (by breaking reputation, blacklisting in search engines, etc.), some companies offer the paid site scan service. Such scans periodically check the site, detecting malware, noticed security vulnerabilities, outdated software stack with known security issues, etc. The found issues are only reported to the site owner who can fix them. The provider may also offer the security badge that the owner can only display if the site has been recently scanned and is “clean”.
7.3. Academic research
The notion of a self-reproducing computer program can be traced back to initial theories about the operation of complex automata. John von Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann’s postulate and investigated other properties of malware such as delectability, self-obfuscation using rudimentary encryption, and others. His Doctoral dissertation was on the subject of computer viruses.
7.4. Web and spam
<iframe src=”http://example.net/out.php?s_id=11″ width=0 height=0 />
If an intruder can gain access to a website, it can be hijacked with a single HTML element. The World Wide Web is a criminals’ preferred pathway for spreading malware. Today’s web threats use combinations of malware to create infection chains. About one in ten Web pages may contain malicious code.
7.5. Wikis and blogs
Attackers may use wikis and blogs to advertise links that lead to malware sites. Wiki and blog servers can also be attacked directly. In 2010, Network Solutions was compromised and some hosted sites became a path to malware and spam.
7. 6. Targeted SMTP threats
Targeted SMTP threats also represent an emerging attack vector through which malware is propagated. As users adapt to widespread spam attacks, cyber criminals distribute crimeware to target one specific organization or industry, often for financial gain.