Wednesday, 27 February 2013

Types of Malware

The word Malware is a term derived by mixing the words “malicious” and “software” and can be described as any form of software, script or code which is designed to cause damage to computer systems or to intrude on the privacy of computer system users.

Types of malware include the following:
  • Computer Viruses - A computer virus is a software program that has an ability to replicate itself and spread from one computer to another.
  • Adware - Adware is a software package which automatically displays unwanted advertisements on the user’s electronic device.
  • Backdoors - A backdoor is a way of bypassing the usual authentication process of a computer system which grants an unauthorised user or software application access to that computer.
  • Malicious BHOs - Malicious Browser Helper Objects (BHOs) use their unrestricted access to Microsoft Internet Explorer as a gateway to implement other forms of malware.
  • Dialers - Dialers from a malware perspective take advantage of security flaws in operating systems to make outbound phone calls to premium rate numbers without the user’s knowledge.
  • Fraudtools - Fraudtools pretend to be a well known and trusted software application (most likely masquerading as an antivirus) to steal data or money.
  • Browser Hijackers - Malware which changes the user’s web-browser settings without the user’s permission.
  • Keyloggers - A keylogger records the keystrokes on the user’s keyboard without the user’s knowledge.
  • Malicious LSPs - Whilst not actually malware, an LSP (Layered Service Provider) is a Microsoft Windows function which intercepts and modifies inbound and outbound Internet traffic which malware might exploit.
  • Spyware - Spyware is a form of malware which can gather personal information on the user’s computer without their knowledge or consent. Spyware can also take control over certain computer functions and programs.
  • Ransomware - Ransomware restricts the access to the infected computer system and as the name suggests, holds the system to “ransom” until the user pays the extortionist to remove the restrictions.
  • Trojan Horses - A Trojan horse is a form of malware which grants unauthorised access to a user’s computer system.
  • Worms - A computer worm is a standalone computer program designed to replicate itself and spread to other electronic devices on a computer network.
  • Rootkits - A rootkit is a piece of software with administrative system privileges which can hide certain processes or programs on the user’s electronic device.


Computer Viruses 

Definition: "A computer virus is a software program that has an ability to replicate itself and spread from one computer to another." There is a misconception that most types of malware and computer viruses are the same thing; however, computer viruses are limited to the above definition. Types of malware which are not classed as computer viruses are computer worms, ransomware, Trojan horses, keyloggers, most rootkits, spyware, dishonest adware, malicious BHOs and other malicious software. Whilst worms and Trojan horses also have the ability to replicate themselves, the way they do so is different to that of a computer virus. See Worms and Trojan Horses for more details.
Resident and Non-Resident Viruses
Viruses are unable to replicate themselves unless they have been permitted to execute code and write to memory. For this reason, many viruses write themselves into legitimate programs (known as code injection) and wait to be executed. Viruses can be divided into two classes based on the way they replicate themselves when executed: resident viruses and non-resident viruses.
A resident virus loads itself into memory on execution and transfers control back to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.
A non-resident virus is like a resident virus, but the way it spreads is different. Instead of waiting for another program to access the host program as a resident virus does, a non-resident virus actively seeks out other applications to infect.
Derivative source - Wikipedia/Computer Virus

Adware

Adware is a software package which automatically displays unwanted advertisements on the user’s electronic device. The most common form of adware is by the way of annoying pop-ups. Other forms of adware are advertisements prevalent in the software interface or the installation of an unrelated application.  The usual reason that adware is written is to generate pay-per-click income for the adware author.
Most adware can be more of an annoyance than an actual threat to the user’s electronic device however some adware may be coupled with spyware. The spyware associated with the adware may have the ability to monitor the user’s computer habits (e.g. which websites they visit, what applications are running on a user’s device and even any security flaws on the user’s device which the spyware author can exploit).

Derivative source - Wikipedia/Adware



Backdoors (Malware)

A backdoor is a way of bypassing the usual authentication process of a computer system which grants an unauthorised user access to that computer. The unauthorised user is usually undetected and can access the host computer’s data in plain text. Whilst backdoors are not technically malware in the sense that a computer virus is, they are the by-product of certain rootkits, worms and Trojan horses.
One of the most common ways that backdoors are used nowadays is to use compromised computers to send unsolicited spam emails.


Derivative source - Wikipedia/Backdoors


Malicious BHOs (Browser Helper Object)

A Browser Helper Object (BHO) is a plugin used to add functionality to Microsoft Internet Explorer. Toolbars which can be added to your browser, or plugins which open PDF files in the browser window, are examples of BHOs. As BHOs have unrestricted access to Internet Explorer it is no wonder that malicious BHOs have been written to take advantage of this level of access. BHOs have the ability to make visible and invisible changes to Internet Explorer. Visible changes may include the addition of a toolbar to your browser window or redirection to pages containing adverts (a form of adware). An invisible BHO could record the keystrokes on the user’s keyboard (a keylogger) whenever it detects that the user is on a financial institution’s website. This is done in an attempt to steal the user’s passwords with the aim of stealing the user’s money. Since this form of malware became apparent, Microsoft have included an “add-on manager” in their browsers from Microsoft Internet Explorer 6 onwards.
Derivative source - Wikipedia/BHOs

Dialers (Malware)

Although not a problem for broadband internet connections, a dialer is a form of malware which affects computers connected to the internet via an analogue modem, or which have an active telephone line connected to them by other means. Dialers from a malware perspective take advantage of security flaws in operating systems to make outbound phone calls to premium rate numbers without the user knowing. If the user is aware of a dialer making the call, or initiated the call themselves, it is likely that there has been very little or no mention of the costs incurred. Dialers can be recognised by the following:
  • “A download popup opens when opening a website.
  • On the website there is only a small hint, if any, about the price.
  • A download starts even if the cancel button has been clicked.
  • The dialer installs as default connection without any notice.
  • The dialer creates unwanted connections by itself and without user interaction.
  • The dialer does not show any notice about the price (only few do) before dialing in.
  • The high price of the connection is not being shown while connected
  • The dialer cannot be uninstalled, or only with serious effort.”  - Quotation Source – Wikipedia/Dialer
  • Another obvious way of recognising that you may have a dialer installed on your computer is by receiving a very high phone bill or by noticing unknown numbers on your itemised billing.
Derivative source – Wikipedia/Dialer

Fraudtools

Fraudtools pretend to be a well known and trusted software application (most likely masquerading as a free antivirus) to steal data or money. Fraudtools often also include adware. The way a fraudtool pretending to be a “free” antivirus (also known as rogue security software) works is by performing a fake antivirus scan of your electronic device and then pretending that malware has been found. The fraudtool then prompts for a credit card payment in order to buy the paid-for full version of the antivirus, which doesn’t actually exist, so that the fake malware can be removed. The user is then charged for a product that they don’t receive or, worse yet, the user’s credit card information is stolen.
Derivative source – Wikipedia/Fraudtools

Keyloggers (Malware)

A keylogger records the keystrokes on the user’s keyboard without the user’s knowledge. The “log” is then transferred to the malware writer’s or their associate’s computer, where the keystrokes can be “harvested” for passwords. The most common form of keylogger can be found in Trojan horses and some computer viruses. As sifting through lines and lines of keystrokes can be tedious, many keyloggers are designed to only become active when they sense that the user is on a financial institution’s website so that they may steal the user’s online banking passwords. Once the password has been stolen, the fraudster will have access to the user’s bank account and be in a position to steal the user’s money.
There are numerous ways in which keyloggers work. They could be software based, hardware based or even involve acoustic analysis (the sound that each keystroke makes can be analysed and deciphered). From an antivirus point of view, only software based keyloggers can be detected.
As well as recording your keystrokes, some malware takes screenshots of what the user is doing (known as screen-logging) and transmits the images back to the malware creator or associate.
This post was written with the layman in mind, and the technical jargon associated with the applications and methodology of keylogging is beyond the scope of this article. If you would however like to know more about keyloggers, please visit Wikipedia/Keylogger.
Derivative source: Wikipedia/Keylogger

Spyware

Spyware is a form of malware which serves to gather personal information on the user’s electronic device without their knowledge or consent. Spyware can also take control over certain aspects and applications on a person’s computer. It is often installed on the electronic device by “piggy backing” on a legitimate application which the user installs, or through infected websites. The most common use of spyware is to track a user’s Internet browsing habits and in turn serve up targeted pop-up ads or redirect web browsers based on those habits. More malicious forms of spyware may install keyloggers on the user’s system in an attempt to steal passwords, be it to hack into email accounts or even steal internet banking logins.
Spyware can be classed into four types:
  1. System Monitors
  2. Trojan Horses
  3. Adware
  4. Tracking Cookies
Infection Methods


Unlike a computer virus or a worm, spyware does not usually make an attempt to duplicate itself to other computers but rather uses deception techniques to infect the user’s computer. Spyware is commonly bundled with genuine software by the spyware author/user and then installed along with this genuine software in the background without the user’s knowledge.
The other main way that spyware may infect a user’s device is through the use of a Trojan horse. When the user visits a webpage or uses an online application infected by a Trojan horse, the spyware is automatically downloaded onto the user’s system without their knowledge. This is known as a drive-by download.
Signs of Spyware Infection
Spyware infections are normally not limited to single infections but they rather hunt in packs for maximum effectiveness and to evade antivirus software. When a user inadvertently downloads spyware they may download various different types of spyware at once. This may result in a dramatic slowdown on the user’s electronic device.
Signs of a potential spyware infection may include:
  • Increased CPU activity, disk use and network traffic
  • Application freezing and/or crashes
  • Unexpected system reboots or failure to boot
  • Inability to connect to the internet
  • Slow user experience
  • Inexplicable application behaviour
  • Windows installation problems
  • Antivirus and/or firewall deactivation
For more information, please visit the Derivative source – Wikipedia/Spyware

Trojan Horse (Malware)

A Trojan horse is a form of malware which grants unauthorised access to a user’s computer system. Trojan horses are currently the most common form of malware in the world. Trojan horses are not self-replicating like a computer virus or worm and are often classed as a form of Spyware.  Just like the Trojan horse from Greek mythology, the Trojan horse in malware terms pretends to be something beneficial like a free screensaver or be embedded on a site that offers free software.
When the user visits a webpage or uses an online application infected by a Trojan horse, the malware is automatically downloaded onto the user’s system without their knowledge. This is known as a drive-by download. Trojan horses are normally controlled by hackers who wish to obtain remote access to your computer system to steal data or cause system damage. Hackers may also turn your computer into a “zombie” or “slave” device, allowing the hacker to use your computer’s resources to commit fraud anonymously.

Purposes of Trojan horses
  • “Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
  • Crashing the computer
  • Computer running slow
  • Blue screen of death
  • Take over computer
  • Electronic money theft
  • Data theft (e.g. retrieving passwords or credit card information)
  • Installation of software, including third-party malware and ransomware
  • Downloading or uploading of files on the user's computer
  • Modification or deletion of files
  • Keystroke logging
  • Watching the user's screen
  • Viewing the user's webcam
  • Controlling the computer system remotely
  • Anonymizing internet viewing” Quotation Source – Wikipedia/Trojan horse
Derivative source – Wikipedia/Trojan horse
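Both the backdoor section (compromised computers used to send unsolicited spam) and the first Trojan horse purpose above (use of the machine as part of a botnet for automated spamming) describe the same symptom from the network’s side: a workstation that suddenly talks SMTP to many outside hosts. The following script is an added example, not code from the original post or from Wikipedia, showing how a defender could spot that over firewall logs. The log format, the sample lines and the relay address 10.0.0.2 are all constructed for the example; in a real network the relay set and threshold would come from your own mail configuration.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): one connection per line, space separated key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample lines. 10.0.0.5 sprays mail at many outside hosts (the backdoor/botnet
# pattern); 10.0.0.7 only talks to the corporate relay; 10.0.0.9 makes a single SMTP connection.
SAMPLE_LOG = """\
2013-02-27T10:00:01 src=10.0.0.5 dst=203.0.113.10 dport=25 action=ALLOW
2013-02-27T10:00:02 src=10.0.0.5 dst=203.0.113.11 dport=25 action=ALLOW
2013-02-27T10:00:02 src=10.0.0.7 dst=10.0.0.2 dport=25 action=ALLOW
2013-02-27T10:00:03 src=10.0.0.5 dst=198.51.100.4 dport=25 action=ALLOW
2013-02-27T10:00:04 src=10.0.0.5 dst=198.51.100.9 dport=25 action=DENY
2013-02-27T10:00:05 src=10.0.0.7 dst=93.184.216.34 dport=443 action=ALLOW
2013-02-27T10:00:06 src=10.0.0.9 dst=192.0.2.77 dport=25 action=ALLOW
this line is malformed and must be skipped, not crash the detector
"""

# Assumption: the organisation's only legitimate outbound mail path is this relay.
MAIL_RELAY = {"10.0.0.2"}


def parse(lines):
    """Yield one dict per well-formed log line; silently skip lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def find_spam_senders(log_text, threshold=3):
    """Return {src: sorted distinct non-relay SMTP destinations} for every source host
    that contacted at least `threshold` distinct mail servers other than the relay.

    DENY lines are counted too: a blocked attempt is still evidence the host is infected.
    """
    destinations = defaultdict(set)
    for rec in parse(log_text.splitlines()):
        if rec["dport"] == 25 and rec["dst"] not in MAIL_RELAY:
            destinations[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in destinations.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, targets in find_spam_senders(SAMPLE_LOG).items():
        print(f"{host} contacted {len(targets)} external mail servers directly: {targets}")
```

Blocking direct outbound port 25 from workstations at the firewall (so that only the relay may send) both prevents this abuse and turns every such attempt into a DENY line that the check above will surface.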

Worms (Malware)

A computer worm is a computer program designed to replicate itself and spread to other electronic devices on a computer network. The difference between a worm and a computer virus is that computer viruses “piggyback” on other applications whilst worms are normally standalone computer applications.
Worms spread by exploiting security flaws on computer networks, either by exploiting common network flaws or by making use of backdoors created by other worms or malware. Most worms don’t really have a purpose other than to replicate and spread themselves, which can cause network disruption. However, some worms can carry payloads. A payload is code that has been added to the worm in order to perform functions beyond just replicating and spreading. A payload may delete files or install backdoors which can be exploited by other malware.
Derivative source – Wikipedia/Worms

Rootkits (Malware)

A rootkit is a piece of software with administrative system privileges which can hide certain processes or programs on the user’s electronic device. Rootkits can get onto a user’s system either by automatic installation via a worm or directly by a hacker with administrative privileges. Rootkits are difficult to remove from your system and can cause complete system failure, resulting in the need for your entire operating system to be re-installed.

Uses of Rootkits
Common ways rootkits are used without the user’s knowledge:
  • Provide an attacker backdoor access to a user’s computer system in order to bypass passwords. The hacker then uses this unauthorized access to steal or modify user data.
  • Hide other malware from regular detection methods.
  • Turn the user’s device into a “zombie computer” in order to commit fraud anonymously
  • The enforcement of Digital Rights Management (DRM)
Sometimes however rootkits are voluntarily installed on a system by the user themselves to bypass copyright laws or break social rules:
  • Hide the fact that a user is cheating in an online game.
  • The detection of other rootkits.
  • Bypass copyright management software to make pirated copies of copyrighted material like software, music or movies (And other video based media)
  • Bypass product license key activation.
One positive reason for a user to voluntarily install a rootkit on their device is for theft prevention. For example, if a user’s laptop is stolen they may access their stolen laptop via the rootkit to delete any confidential information.

Ways to detect Rootkits
Because rootkits have administrative-level permissions they can hide their existence on a user’s device. Special, often complicated, methods have been created to detect rootkits:
  • "Alternative trusted medium
  • Behavioural-based
  • Signature-based
  • Difference-based
  • Integrity checking
  • Memory dumps" - Quotation source Wikipedia/Rootkits
Descriptions of these rootkit detection methods are beyond the scope of this article. If you would like to read more, please visit: Wikipedia/Rootkits
Derivative source – Wikipedia/Rootkits
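Of the detection methods listed above, integrity checking is the easiest to show in a few lines: record a cryptographic hash of every file you care about while the system is known-clean, keep that baseline somewhere the machine cannot alter, and later re-hash and diff. The script below is an added example, not code from the original post or from Wikipedia. The file tree, the “trojaned ls” and the dropped module are all constructed inside a temporary directory purely to exercise the checker.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record the hash of every regular file, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():  # symlinks are skipped: hash targets, not links
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it the way a rootkit would, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "bin" / "ps").write_bytes(b"original ps binary (constructed)")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # Take the baseline while clean. In practice serialise it to read-only or off-box storage;
        # a baseline kept on the same disk is just another file a rootkit can rewrite.
        saved = json.dumps(build_baseline(root))

        # Simulated tampering: a replaced ls (hides files), a dropped module, a deleted config.
        (root / "bin" / "ls").write_bytes(b"replaced ls that hides files (constructed)")
        (root / "bin" / ".hidden.ko").write_bytes(b"constructed kernel module")
        (root / "etc" / "hosts").unlink()

        return compare_to_baseline(root, json.loads(saved))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The caveat is the one the “alternative trusted medium” entry in the list is there for: a kernel-level rootkit that hooks file reads can feed the checker the original bytes while the real file on disk is modified, so a check run from inside the possibly compromised operating system can only ever confirm a compromise, never rule one out. Running the same comparison after booting from clean external media removes that blind spot.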

Creative Commons License
The above definitions are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

2 comments:

  1. So now you know. Just because your computer is infected, it doesn't mean that you have a "virus." The field of malware is a complex subject so hopefully the above blog simplifies things.

  2. Nicely written information in this post. Computer viruses affect systems in different ways. Some wipe out or corrupt data in the system while others steal sensitive user information. Hp Side Covers
