Malware
Malware, short for malicious software, is any software used to disrupt computer operation, gather
sensitive information, or gain access to private computer systems.
Malware is defined by its malicious intent, acting against the requirements of the computer user, and
does not include software that causes unintentional harm due to some deficiency. The term badware is
sometimes used, and applied to both true (malicious) malware and unintentionally harmful software.
Types of Malware
Adware
Adware (short for advertising-supported software) is a type of malware that automatically delivers
advertisements. Common examples of adware include pop-up ads on websites and advertisements
bundled with software. Most adware is sponsored or authored by advertisers and serves as a
revenue-generating tool.
While some adware is solely designed to deliver advertisements, it is not uncommon for adware to
come bundled with spyware that is capable of tracking user activity and stealing information. Due to
the added capabilities of spyware, adware/spyware bundles are significantly more dangerous than
adware on its own.
Spyware
Spyware is a type of malware that functions by spying on user activity without their knowledge.
These spying capabilities can include activity monitoring, collecting keystrokes, data harvesting
(account information, logins, financial data), and more. Spyware often has additional capabilities as
well, ranging from modifying security settings of software or browsers to interfering with network
connections. Spyware spreads by exploiting software vulnerabilities, bundling itself with legitimate
software or in Trojans.
Bot
Bots are software programs created to automatically perform specific operations. While some bots
are created for relatively harmless purposes (video gaming, internet auctions, online contests, etc.), it
is becoming increasingly common to see bots being used maliciously. Bots can be used in botnets
(collections of computers controlled by third parties) for DDoS attacks, as spambots that render
advertisements on websites, as web spiders that scrape server data, and for distributing malware
disguised as popular search items on download sites. Websites can guard against bots with
CAPTCHA tests that verify users as human.
Bug
In the context of software, a bug is a flaw that produces an undesired outcome. These flaws are usually
the result of human error and typically exist in the source code or compilers of a program. Minor bugs
only slightly affect a program’s behaviour and, as a result, can go for long periods of time before
being discovered. More significant bugs can cause crashing or freezing. Security bugs are the most
severe type of bugs and can allow attackers to bypass user authentication, override access privileges,
or steal data. Bugs can be prevented with developer education, quality control and code analysis
tools.
Ransomware
Ransomware is a form of malware that essentially holds a computer system captive while demanding
a ransom. The malware restricts user access to the computer either by encrypting files on the hard
drive or locking down the system and displaying messages that are intended to force the user to pay
the malware creator to remove the restrictions and regain access to their computer. Ransomware
typically spreads like a normal computer worm (see below), ending up on a computer via a
downloaded file or through some other vulnerability in a network service.
Rootkit
A rootkit is a type of malicious software designed to remotely access or control a computer without
being detected by users or security programs. Once a rootkit has been installed it is possible for the
malicious party behind the rootkit to remotely execute files, access/steal information, modify system
configurations, alter software (especially any security software that could detect the rootkit), install
concealed malware, or control the computer as part of a botnet.
Rootkit prevention, detection, and removal can be difficult due to their stealthy operation. Because a
rootkit continually hides its presence, typical security products are not effective in detecting and
removing rootkits. As a result, rootkit detection relies on manual methods such as monitoring
computer behaviour for irregular activity, signature scanning, and storage dump analysis.
Organisations and users can protect themselves from rootkits by regularly patching vulnerabilities in
software, applications and operating systems, updating virus definitions, avoiding suspicious
downloads and performing static analysis scans.
Trojan Horse
A Trojan horse, commonly known as a “Trojan,” is a type of malware that disguises itself as a normal
file or program to trick users into downloading and installing malware. A Trojan can give a
malicious party remote access to an infected computer. Once an attacker has access to an infected
computer, it is possible for the attacker to steal data (logins, financial data, even electronic money),
install more malware, modify files, monitor user activity (screen watching, keylogging, etc.), use the
computer in botnets, and anonymise the attacker's own internet activity.
Virus
A virus is a form of malware that is capable of copying itself and spreading to other computers.
Viruses often spread to other computers by attaching themselves to various programs and executing
code when a user launches one of those infected programs. Viruses can also spread through script
files, documents, and cross-site scripting vulnerabilities in web apps. Viruses can be used to steal
information, harm host computers and networks, create botnets, steal money, render advertisements,
and more.
Worm
Computer worms are among the most common types of malware. They spread over computer
networks by exploiting operating system vulnerabilities. Worms typically cause harm to their host
networks by consuming bandwidth and overloading web servers. Computer worms can also contain
“payloads” that damage host computers. Payloads are pieces of code written to perform actions on
affected computers beyond simply spreading the worm. Payloads are commonly designed to steal
data, delete files, or create botnets.
Computer worms can be classified as a type of computer virus, but there are several characteristics
that distinguish computer worms from regular viruses. A major difference is that computer worms
have the ability to self-replicate and spread independently while viruses rely on human activity to
spread (running a program, opening a file, etc.). Worms often spread by sending mass emails with
infected attachments to users’ contacts.
Key logger
A special kind of trojan that records the keyboard and/or mouse activity on a PC and relays the
information over the Internet to someone wishing to record passwords or other personal information.
Zombie Computer
A computer on which a Trojan horse has planted malware, without the owner's knowledge, that allows a
remote computer to use that system to send out spam or to perform other malicious tasks on the
Internet.
Drive-by-Download
The automatic download of software to a user’s computer triggered simply by visiting a Web site or
viewing an HTML formatted email. The download occurs without the user’s consent and often
without any notice at all.
Scareware
Malware that pops up windows claiming your computer is infected and offers to clean it for a fee or
tries to get you to click a link that will install a trojan. The malware can come from a drive-by-download
or from a web page that has other malicious JavaScript on it.
Web beacon or web bug
A small, usually 1×1 pixel, transparent image that is placed somewhere in a web page or e-mail. Due
to its small size and transparency it is visually undetectable by the reader. Because the computer has
to make a request to an external server in order to load this image, whoever planted the image knows
that you have visited the web page or opened the e-mail. The server records the date and time of the
request, along with any other information it receives such as your IP address and browser version.
Backdoors
A backdoor is a method of bypassing normal authentication procedures, usually over a connection to
a network such as the Internet. Once a system has been compromised, one or more backdoors may be
installed in order to allow access in the future, invisibly to the user.
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems
to provide technical support for customers, but this has never been reliably verified. It was reported
in 2014 that US government agencies had been diverting computers purchased by those considered
"targets" to secret workshops where software or hardware permitting remote access by the agency
was installed, considered to be among the most productive operations to obtain access to networks
around the world. Backdoors may be installed by Trojan horses, worms, implants, or other methods.
Malware Symptoms
While these types of malware differ greatly in how they spread and infect computers, they all can
produce similar symptoms. Computers that are infected with malware can exhibit any of the following
symptoms:
Increased CPU usage
Slow computer or web browser speeds
Problems connecting to networks
Freezing or crashing
Modified or deleted files
Appearance of strange files, programs, or desktop icons
Programs running, turning off, or reconfiguring themselves (malware will often reconfigure or turn off antivirus and firewall programs)
Strange computer behaviour
Emails/messages being sent automatically and without the user’s knowledge (a friend receives a strange email from you that you did not send)
Vulnerability to Malware
Security defects in software
Malware exploits security defects (security bugs or vulnerabilities) in the design of the operating
system, in applications (such as browsers, e.g. older versions of Microsoft Internet Explorer
supported by Windows XP), or in vulnerable versions of browser plugins such as Adobe Flash
Player, Adobe Acrobat or Reader, or Java.
Sometimes even installing new versions of such plugins does not automatically uninstall old versions.
Security advisories from plug-in providers announce security-related updates.
Common vulnerabilities are assigned CVE IDs and listed in the US National Vulnerability Database.
Secunia PSI is an example of software, free for personal use, that will check a PC for vulnerable
out-of-date software and attempt to update it.
Malware authors target bugs, or loopholes, to exploit. A common method is exploitation of a buffer
overrun vulnerability, where software designed to store data in a specified region of memory does
not prevent more data than the buffer can accommodate being supplied.
Malware may provide data that overflows the buffer, with malicious executable code or data after the
end; when this payload is accessed it does what the attacker, not the legitimate software, determines.
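The buffer overrun described above, shown as an added example that is not part of the original page: `store_name_unchecked` copies with no bound, which is the defect the text describes, and `store_name_checked` is the hardened form that rejects anything that does not fit. The buffer size and the sample inputs are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed: a 16-byte region reserved for a name */

/* The defect the text describes: nothing checks how much is being copied
   into the NAME_LEN-byte buffer. Input longer than 15 characters plus the
   terminating NUL runs past the end of `buf` and overwrites whatever sits
   next to it in memory. Kept only to show the pattern; it is never called
   with oversized input in this file. */
void store_name_unchecked(char *buf, const char *input) {
    strcpy(buf, input);   /* copies until the NUL in `input`, however far that is */
}

/* Hardened form: refuse input that does not fit, and always leave `buf`
   NUL-terminated so later reads cannot run off the end either.
   Returns 0 on success, -1 if the input was rejected. */
int store_name_checked(char *buf, size_t buflen, const char *input) {
    size_t n = strlen(input);
    if (buflen == 0)
        return -1;
    if (n >= buflen) {          /* would need n + 1 bytes including the NUL */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, input, n + 1);  /* copy including the terminator */
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    const char *short_input = "alice";
    /* constructed oversized input: 41 bytes, well past the 16-byte buffer */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!";

    if (store_name_checked(name, sizeof name, short_input) == 0)
        printf("accepted: %s\n", name);
    if (store_name_checked(name, sizeof name, long_input) != 0)
        printf("rejected: %zu bytes does not fit in a %zu-byte buffer\n",
               strlen(long_input), sizeof name);
    return 0;
}
```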
Insecure design or user error
Early PCs had to be booted from floppy disks; when built-in hard drives became common the
operating system was normally started from them, but it was possible to boot from another boot
device if available, such as a floppy disk, CD-ROM, DVD-ROM, or USB flash drive.
It was common to configure the computer to boot from one of these devices when available. Normally
none would be available; the user would intentionally insert, say, a CD into the optical drive to boot
the computer in some special way, for example to install an operating system. Even without booting,
computers can be configured to execute software on some media as soon as they become available,
e.g. to autorun a CD or USB device when inserted.
Malicious software distributors would trick the user into booting or running from an infected device
or medium; for example, a virus could make an infected computer add autorunnable code to any USB
stick plugged into it; anyone who then attached the stick to another computer set to autorun from USB
would in turn become infected, and also pass on the infection in the same way.
More generally, any device that plugs into a USB port, "including gadgets like lights, fans, speakers,
toys, even a digital microscope", can be used to spread malware. Devices can be infected during
manufacturing or supply if quality control is inadequate.
This form of infection can largely be avoided by setting up computers by default to boot from the
internal hard drive, if available, and not to autorun from devices. Intentional booting from another
device is always possible by pressing certain keys during boot.
Older email software would automatically open HTML email containing potentially malicious
JavaScript code; users may also execute disguised malicious email attachments and infected
executable files supplied in other ways.
Over-privileged users and over-privileged code
In computing, privilege refers to how much a user or program is allowed to modify a system. In
poorly designed computer systems, both users and programs can be assigned more privileges than
they should be, and malware can take advantage of this. The two ways that malware does this are
through over-privileged users and over-privileged code.
Some systems allow all users to modify their internal structures, and such users today would be
considered over-privileged users. This was the standard operating procedure for early
microcomputer and home computer systems, where there was no distinction between an administrator
or root, and a regular user of the system. In some systems, non-administrator users are over-
privileged by design, in the sense that they are allowed to modify internal structures of the system. In
some environments, users are over-privileged because they have been inappropriately granted
administrator or equivalent status.
Some systems allow code executed by a user to access all rights of that user, which is known as
over-privileged code. This was also standard operating procedure for early microcomputer and home
computer systems. Malware, running as over-privileged code, can use this privilege to subvert the
system. Almost all currently popular operating systems, and also many scripting applications, allow
code too many privileges, usually in the sense that when a user executes code, the system allows that
code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments,
which may or may not be disguised.
Homogeneity
When all computers in a network run the same operating system, a single worm that can exploit one
of them can exploit them all. For example, Microsoft Windows or Mac OS X have such a large share
of the market that concentrating on either could enable an exploited vulnerability to subvert a large
number of systems.
Introducing diversity purely for the sake of robustness could increase short-term costs for
training and maintenance. However, having a few diverse nodes could deter total shutdown of the
network as long as all the nodes are not part of the same directory service for authentication, and
allow those nodes to help with recovery of the infected nodes. Such separate, functional redundancy
could avoid the cost of a total shutdown, at the cost of increased complexity and reduced usability in
terms of single sign-on authentication.
Malware prevention and removal
There are several general best practices that organisations and individual users should follow to
prevent malware infections. Some malware cases require special prevention and treatment methods,
but following these recommendations will greatly increase a user’s protection from a wide range of
malware:
Install and run anti-malware and firewall software. When selecting software, choose a program that
offers tools for detecting, quarantining, and removing multiple types of malware. At the minimum,
anti-malware software should protect against viruses, spyware, adware, Trojans, and worms. The
combination of anti-malware software and a firewall will ensure that all incoming and existing data
gets scanned for malware and that malware can be safely removed once detected.
Keep software and operating systems up to date with current vulnerability patches. These patches are
often released to patch bugs or other security flaws that could be exploited by attackers.
Be vigilant when downloading files, programs, attachments, etc. Downloads that seem strange or are
from an unfamiliar source often contain malware.
Website security scans
As malware also harms the compromised websites (by breaking reputation, blacklisting in search
engines, etc.), some websites offer vulnerability scanning. Such scans check the website, detect
malware, may note outdated software, and may report known security issues.
"Air gap" isolation or "Parallel Network"
As a last resort, computers can be protected from malware, and infected computers can be prevented
from disseminating trusted information, by imposing an "air gap" (i.e. completely disconnecting them
from all other networks). However, information can be transmitted in unrecognized ways; in
December 2013 researchers in Germany showed one way that an apparent air gap can be defeated.
Later in 2015, "BitWhisper", a Covert Signaling Channel between Air-Gapped Computers using
Thermal Manipulations was introduced. "BitWhisper" supports bidirectional communication and
requires no additional dedicated peripheral hardware.
Grayware
Grayware is a term applied to unwanted applications or files that are not classified as malware, but
can worsen the performance of computers and may cause security risks.
It describes applications that behave in an annoying or undesirable manner, and yet are less serious or
troublesome than malware. Grayware encompasses spyware, adware, fraudulent dialers, joke
programs, remote access tools and other unwanted programs that harm the performance of computers
or cause inconvenience. The term came into use around 2004.
Another term, PUP, which stands for Potentially Unwanted Program (or PUA Potentially Unwanted
Application), refers to applications that would be considered unwanted despite often having been
downloaded by the user, possibly after failing to read a download agreement. PUPs include spyware,
adware and fraudulent dialers. Many security products classify unauthorised key generators as grayware,
although they frequently carry true malware in addition to their ostensible purpose.
Software maker Malwarebytes lists several criteria for classifying a program as a PUP.