Your Guide to Understanding Malware

May 17, 2009 at 07:05:34 AM, by Gilberto J. Perera Rating: 5 out of 5

Learn what separates viruses from worms, bots from Trojans and other nasty creatures in Gilberto J. Perera's guide to malware.

The term computer virus is often misused to describe malware or malicious software that can cause digital and/or physical damage to computers where the malware's code is executed. In this article we will define malware along with virus and attempt to highlight some of the most common malware and discuss the problems that arise when a computer or network is not appropriately secured.

What is Malicious Software and How Does it Work?

Malicious software or malware is any "...hostile, interfering or otherwise unwanted and annoying software or code that is installed on your computer without your permission or knowledge…" Below we will list all forms of known malware and how each operates, along with examples.

Malware includes the following:

Viruses (Traditional Virus)

A virus is a malware type that infects other files and potentially other computers. It is termed a virus because, like a biological virus that requires a host into which it injects its genetic code for replication, a computer virus does essentially the same with software code. It requires a host (an executable) so that it can run and spread itself. When it runs it can attach itself to other executables and run whenever they are executed, essentially causing havoc. Viruses are usually designed to corrupt files and information.

Worms

Unlike viruses, worms do not need to be transferred as part of a host to spread themselves; in other words, they don't require a program to execute in order for them to spread themselves. Worms are designed to take advantage of security vulnerabilities so that they can automatically spread themselves from one computer to another. For instance when there is a vulnerability identified in any system, the programmer designs the worm to take advantage of that vulnerability and to duplicate itself so that it may spread.

The problem with worms is that administrators and computer users do not act fast enough to apply the patches/fixes that address those security holes, and so their systems are left in the open. Users usually discover the vulnerability when it is too late.

One of the negative side effects arising from worms is the amount of traffic they generate. When hundreds or thousands of computers are compromised, a slew of information is sent back and forth as the worm is scanning for other victims and running its payload.

An example of a recent worm is the Conficker worm, which has caused a great deal of trouble with computer systems around the world (see 5 Most Infectious Computer Viruses Ever). Other known worms include the Morris Worm and the MyDoom worm.

Trojans

Trojans get their name from the Greek story of the Trojan horse, which was given to the Trojans by the Greeks during a siege as a gift of surrender. The Trojans, happy with victory against the Greeks, accepted the enormous horse as a gift without realizing that it was filled with Greek soldiers. While the Trojans partied over their victory, the Greeks exited the horse and opened the gates, which allowed their entire army inside the impenetrable walls of Troy. Needless to say, Troy was wiped off the map.

Trojan malware works much the same way: it pretends to be something it is not and fools you into accepting it into your computer, where it will run and do whatever it is intended to do, sometimes without your knowledge. Trojans are usually used to delete files from your computer, access and distribute personal information, and even allow hackers to use your computer for other exploitation, all of this without your knowledge.

Macro Viruses

Although not as prevalent as they once were (Microsoft has made leaps towards the prevention of macro viruses), they are still a threat for those who don't take security seriously or simply don't understand it. Macros are small programs that are native to Microsoft Office applications (Word (.doc/x), Excel (.xls/x), Access (.mdb/x)). They are designed to save time and to allow developers to create interactive databases, spreadsheets, and documents and to automate tasks. However, if they fall into the wrong hands they can be designed to delete and corrupt important data files, and their effects can cost a lot of time and money.

Macro viruses are essentially viruses that are limited in scope because they can only be executed when an infected Word, Excel, or Access file is open. Don't get me wrong, macros are a great tool for Office users; however, one should take precautions when opening those files.

There are several ways that these files make it to your computer. One of the most common is through email attachments from other computers. They can also be spread from file downloads and from working and saving files on an infected computer.
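As an added illustration (not part of the original article), the Python sketch below checks whether a file's bytes look like an Office document that carries a VBA macro project, the kind of check a mail filter could run on attachments before anyone opens them. The function names and the sample files are constructed for this example, and the check for legacy .doc/.xls files is a byte-pattern heuristic rather than a full parser.

```python
import io
import zipfile

# Legacy .doc/.xls files are OLE compound files and start with this signature.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OLE stores stream names as UTF-16LE; a VBA project has a "_VBA_PROJECT" stream.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def macro_status(data: bytes) -> str:
    """Classify file bytes as 'macros', 'no-macros' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: the VBA stream name appears somewhere in the file.
        return "macros" if OLE_VBA_MARKER in data else "no-macros"
    if data.startswith(b"PK"):
        # .docx/.xlsx/.docm/.xlsm are ZIP archives of named parts.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            return "not-office"
        if "[Content_Types].xml" not in parts:
            return "not-office"  # an ordinary ZIP, not an Office document
        has_vba = any(p.lower().endswith("vbaproject.bin") for p in parts)
        return "macros" if has_vba else "no-macros"
    return "not-office"

def attachments_to_hold(attachments: dict) -> list:
    """Return the sorted names of attachments that carry macros."""
    return sorted(n for n, d in attachments.items() if macro_status(d) == "macros")

def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal, constructed Office-style archive in memory (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed samples: two modern archives, two fake legacy files, one text file.
SAMPLES = {
    "report.docx": make_ooxml(False),
    "invoice.docm": make_ooxml(True),
    "old_plain.doc": OLE_MAGIC + b"\x00" * 64,
    "old_macro.xls": OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER,
    "notes.txt": b"hello",
}

print(attachments_to_hold(SAMPLES))
```

A "macros" result only says that macro code is present, not that it is malicious; the decision whether to run it still belongs to the user or administrator.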

Bots

Similar to worms, bots duplicate inside computer networks and can cause 'traffic jams' in those networks. Unlike worms that exploit existing vulnerabilities, bots create their own by opening up backdoors (holes in your security) in order to control your computer so that the hacker can steal your information, spy on you, relay spam email using your IP address, and launch those same attacks on other computers in the network.

Virus Hoaxes

A virus hoax is quite deceiving because in some instances it appears as a warning notifying you that your computer is not protected and it recommends that you run an antivirus scan by performing a specified action. That action usually turns out to be falsely represented and results in a program being executed that contains the virus infection.

The worst part about these hoaxes is that the authors make the messages look real, and those who are not experienced with antivirus software or computers can easily fall prey to this type of malware.

Adware

There are two types of adware. The first is legitimate software that is free and is supported with advertising. Users typically install this software knowing that they will be subjected to ads when they use it (examples include Eudora, Gmail, Hotmail, and other free programs).

The other type of adware is illegitimate programs that install without the user's knowledge and display ads without the user's consent. This type of adware is considered malware because it was installed without the user's authorization and can cause problems due to its use of resources and network bandwidth.

Spyware/Keyloggers

This category of malware is one of the most disturbing and intrusive forms of malware. Spyware is any malware that is designed to 'spy' or collect information from your computer. Spyware can be found in two forms, software that collects and distributes information located in your computer or a keylogger which records any keystrokes entered on the keyboard.

Keyloggers can also be hardware based (see image above). This means that software isn't necessary and the keylogger can run off an attachment inside or outside the computer. The keylogger illustrated above plugs into the keyboard's PS/2 port and the keyboard plugs into the keylogger. The keylogger in this case acts as a pass-through that collects information. So next time you use a public computer, make sure you check it for items like these that could compromise your personal information.

Keyloggers can be installed by an attacker directly on the computer or via distribution with other types of malware like Trojans, worms, and/or blended attacks.

Dialers

Unlike other malware programs that seek to destroy files and steal information, dialers can cost you hundreds of dollars. Dialers are designed to use the modem on your computer to make phone calls to toll 900-numbers. Calls to toll-900 numbers will run up your long distance bill and make the toll-900 number owner rich at your expense. With the proliferation of broadband access and the diminished use of dial-up this malware is less pronounced than it once was.

Hijacker

A hijacker is usually a piece of software that takes over your computer and changes its settings to suit the hijacker. Most hijackers focus on internet browsers. They modify your homepage, change default search engines, and add bookmarks and links. No matter how many times you revert to the original settings, the software will automatically change everything again. The only way to solve this problem is to remove the hijacker using a special detection and removal tool.

Blended Threats

One of the most common attacks is usually a combination of several types of malware. These types of attacks are often referred to as blended attacks.

Below you will find some examples of blended threats:

• Virus/worm hybrids sent via e-mail. These worms can self-replicate, infecting network computers, servers, and other devices. In turn, the devices accessing this network (website or private) would be infected by the virus.

• The same combination of virus and worms described above could carry other malware designed to exploit existing system vulnerabilities as part of the attack.

• Automated attacks that do not require user action to infect targets.

Ransomware

A newer and different approach to the use of malware is that of ransomware. The name says it all: ransomware is designed to take a user's computer hostage in exchange for money or some other action. If the user does not comply with the request, the malware may cause some adverse action like deleting files and/or stealing information.

What Can You Do?

With all of this malware bombarding your computer and your network 24/7, what can you do? Like everything in life, take precautions and follow the guidelines below. They should keep you in the clear.

Make sure that Windows is set to automatically download and install the latest security updates. Usually when worms exploit network and computer vulnerabilities, they are able to do so because users fail to install updates as they are released.

Make sure that your anti-virus software is up to date and that your subscription service has not expired. Many users let their subscriptions expire and don't realize how important those updates and virus definitions are.

Make sure that your office applications are configured to notify you if there is a macro present and that they give you the ability to decide whether or not to run it.

Install browser add-ons that increase awareness like AVG's security toolbar, WOT (Web of Trust), and others.

Use Windows Defender or similar adware and spyware detection and removal tools to defend your computer against those threats (Windows Vista ships with Windows Defender by default).

Defender for other Windows versions can be downloaded from Microsoft via Microsoft.com.

Once all of this software is installed and up to date you need to make sure that you schedule automatic and frequent scans of all files on your computer. This will help detect any threats that have inadvertently made their way to your computer.

Other than the items described above, if you're willing to go the extra mile you can try some less conventional but worthwhile countermeasures to avoid being affected by malware.

• Avoid using public computers altogether

• If you must use a public computer then use a Live CD or a bootable USB installation.

• If neither option is feasible, then use an onscreen keyboard to enter sensitive information.
