Malware Guide: Malware Definitions
The fatal flaw of many computer users is that they mistake their computer for a simple appliance such as a television. They expect to be able to turn it on, surf the web, download things, play games, listen to music and then be done with it. It would be great if your computer had the same simplicity as a television, but it does not. Your computer will often crash, your software will do things you did not anticipate, and the interface changes from one program to the next. But it is this very complexity that gives the computer its dynamic nature: the ability to perform any task its software asks of it.
Your computer runs on the software installed on it. Every program you have is meant for a specific task. Your operating system, such as Windows, is meant to be an umbrella application that lets other programs interface with your computer in an easier and more standard way: applications use features of the operating system so they do not have to "reinvent the wheel" (that is, redundancy is reduced from the programmer's perspective through the use of APIs) and do not have to manipulate the very low-level subsystems of the computer. Then you have communication programs such as your web browser (Internet Explorer, Netscape, Opera, Mozilla), chat programs (AIM, Windows Messenger, Yahoo Messenger, ICQ, Odigo), office productivity applications (Microsoft Office, Star Office / Open Office, WordPerfect Suite), and thousands upon thousands of other applications.
Due to the complexity of the entire hardware-software system, and the open nature of most computers, a few problems present themselves. The first is a problem everyone seems to have a fairly firm grasp on: bugs. Programmers are human, and as such they make errors when writing their applications. Writing software means using a programming language to interact with the computer at a particular level (low to high level, that is, how close the language sits to the machine). Programs consist of vast numbers of rules that describe what should happen under specific conditions. Because of the complexity and clumsiness of programming, bugs are introduced. This applies to your operating system, to all the programs that run under it, and even to the hardware (digital hardware is designed using a set of rules called Boolean logic that is just as susceptible to mistakes as software is). Because of this, most software developers release product updates known as patches that fix problems as the programmers become aware of them, or at least when they consider it economically reasonable to do so. Often a software company will realize there is a bug in their software but neglect to fix it because they feel the cost outweighs the benefit. This usually means they do not feel enough people are affected by the bug, or that it is an extremely costly problem to fix.
The second set of problems has existed almost as long as computers have, but has evolved along the way to keep us all on our toes. I call this group malware, because it is bad software. Going back to our free and open computer system concept, you should be able to see the problem: what keeps people from writing ill-intentioned software? Well, besides a few pathetic laws and morality, not much. Your computer has no way to tell a good application from a bad one, and on the surface, from the user's perspective, they look the same. In fact the difference is just a matter of semantics.
But who would write such things? Well, most malware is written by bored and attention-deprived individuals, or sometimes groups of such people. They are usually called script kiddies because they normally rely on simple scripts instead of writing robust compiled programs. The same group of people is responsible for lame web site "hacks". As one web site owner put it after finding his site defaced, "sure, I could easily go to the local library with a box of crayons and start scribbling on book covers." That characterization isn't always true, though; it accounts for the majority, but not for the people that really matter. The more serious of these people find devious new ways to take advantage of computer and user flaws and exploit them. The malware programs they create normally want either to destroy your computer or to take it over so they can use it to hijack other computers.
The rest of the malware is written by people trying to make a profit off your ignorance. These are the same type of people that flood your email inbox with spam, and the same people that cover your car in fliers in large parking lots. This has become very common in recent years, thanks to the Internet connecting all of our computers. The first type of malware is destructive for the sake of being destructive, which makes its authors' actions clearly illegal; the second falls into more of a gray area.
Viruses
This is perhaps the best known type of malware, and the most improperly used term. A virus (plural viruses, although virii is sometimes used) is an application that self-replicates by injecting its code into other files on your computer. Like an organic virus, a computer virus spreads throughout your computer in an attempt to consume specific targets, normally executables. Transfer of viruses from one computer to another normally happens through manual means, such as mistakenly (or purposely) giving an infected program to a friend on a disk or by email, although it is possible for them to spread to other computers over a network, such as through a mapped file share. The purpose of a virus is to replicate, spread and infect as many people as possible. Often viruses come with a payload, such as wiping the user's hard disk. Normally the payload triggers on a particular date (such as the author's birthday or a themed event like Halloween) or on a particular action. Often the virus will not damage 100% of the computers it infects, as that would end its chances to spread. However, of all malware, viruses are statistically the most damaging.
Infection by a virus almost always occurs from executing a program file. This means that in order to get infected someone must give you an active virus-infected file and then you must run it. It also means that a virus cannot spread from music files, movies, text files, etc. In practice this means that most viruses end with the file extension .exe or .com, but scripts could theoretically be viruses too (.bat, .js, .cmd, etc.). In technical terms a virus can only come from data that is fed to the processor as executable code.
Viruses are often confused with worms (see the Worms section below), but the two are very different. Whereas a virus spreads by injecting itself into files, a worm copies itself over a network. When a virus is executed it places itself in memory. It then searches your computer for a particular set of files to infect (most likely .exe and .com files). It then takes the virus code from memory and injects it into the files it located. Those files are now infected, and they often become larger if the virus did not overwrite any data in them. Viruses often employ a technique known as polymorphism: an injection routine that makes every injection look different at the byte level, so that infected programs are hard to identify by a fixed signature. Since memory is volatile (meaning that when you turn your computer off your RAM is erased), a virus will often seek to infect programs that run at startup; components of your operating system are the primary candidates. That way, when you turn the computer back on, memory is reinfected.
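The footprint just described (executables that change and usually grow, especially ones that run at startup) is what a baseline integrity check catches. The Python script below is an added example, not code from the original guide: it records the size and SHA-256 hash of every executable under a directory as a trusted baseline, then reports anything that went missing, changed, grew, or newly appeared. The sample files and the simulated change are constructed inside the script.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the guide names as virus carriers, plus a few other executable kinds.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".js", ".scr", ".dll"}


def is_executable(path: Path) -> bool:
    """Executable by extension, or by the 'MZ' header Windows .exe files carry."""
    if path.suffix.lower() in EXEC_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each executable (path relative to root) to its size and hash."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_executable(p):
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline


def verify(root, baseline: dict) -> list:
    """Compare the current tree with the baseline; return (path, finding) pairs."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            growth = new["size"] - old["size"]
            findings.append((rel, f"modified (+{growth} bytes)" if growth > 0 else "modified"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new executable"))
    return sorted(findings)


def run_demo() -> list:
    """Constructed scenario: baseline two clean files, then alter one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"clean program body")
        (root / "startup").mkdir()
        (root / "startup" / "shell.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")
        baseline = build_baseline(root)
        # Stand-in for what an infector leaves behind: the file grows and its hash changes.
        with open(root / "startup" / "shell.com", "ab") as f:
            f.write(b"\x90" * 40)
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 10)
        return verify(root, baseline)
```

In real use the baseline would be taken from a known-clean system and stored somewhere the checked machine cannot alter it.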
The good news about viruses is that they are very rare now. Back in the days of DOS (before Windows was the primary operating system of PCs) they were quite common, and many people had viruses without ever knowing it. In fact, many people had dozens without knowing it. People would give programs to their friends and infect them too. This was a time when very few people had virus scanners, and the ones that did could never update them because they had no network connection like the Internet we have today. Within the past few years I have seen 0 (yes, none) viruses in the wild. I have found no one with a single one. That isn't to say there haven't been any. There are certainly a few people left writing viruses. However, since viruses have to spread so manually and most people possess a virus scanner, these viruses never get too far before going extinct. But before you rejoice, there is a downside. Even though I have seen no viruses, I have seen hundreds if not thousands of common worms, trojans, and other malware types. So one problem has just been replaced with another.
Worms
These are often mistakenly identified as viruses, and in conversation even those who know the difference will often still call them viruses. The reason is that viruses have become so rare that differentiating them seems pointless at this point. A worm is a program that treats another computer, rather than other executable files on an already infected computer, as its infection point. In simple terms this normally means that when infected you will have a single infected program on your computer rather than thousands of your installed programs being infected. A worm is much sneakier at infecting a computer, but thankfully worms are also much easier to identify once they have infected you. The reason I consider them sneakier is that a worm has many more tools at its disposal than a virus. Worms not only use infected files to lure you, they also take advantage of the fact that programs have bugs that allow them to wiggle into your computer. This means a worm can infect your computer without you ever executing a worm-infected program; it can instead gain entrance through an open communications port on your computer (a virtual port that has no physical form). An important note, though, is that worms, like viruses, still have to be executed in order to infect your machine. The difference is that worms can not only trick you into infecting yourself, but can also trick your computer into thinking you want to execute them. Once you are infected with a worm, your computer becomes a zombie that attempts to infect other computers, normally without you ever knowing anything happened. The rate of infection has dramatically increased over the years thanks to the popularity of the Internet, and the situation has worsened further thanks to always-on broadband, which leaves your computer exposed to those zombie computers.
Thankfully the majority of worms are written by very poor programmers who want little more than to make a statement to the world. For this reason worms are rarely permanently destructive, and they are often nowhere near as successful as they would be if they were written properly. Often a programming mistake means the worm's payload never fires, or its infection rate is not as high as it could be. It has been especially popular for authors to write their worms to launch a Distributed Denial of Service (DDoS) attack against a particular web site as a symbol. An example of this is the MSBlast worm, which attacked Microsoft by using the bandwidth of all the infected zombie computers to drown the web site www.windowsupdate.com. However, this was never accomplished, because Microsoft simply removed that domain name; it was only a backup for their real web site, windowsupdate.microsoft.com. So, thanks to a mistake by the programmer, little was accomplished other than millions of computers being infected with the worm and a ton of wasted Internet bandwidth. Oh, and it gave IT people a bunch of headaches cleaning all the infected computers on their networks. Another very good example is a research project (of sorts) by Steve Gibson. His web site is perhaps a little sensational, but it covers a very good example of DDoS attacks.
Macro Viruses
This type of malware is merely a script that embeds itself in macro-enabled files. If you are not familiar with macros, a macro is a device for speeding up repetitive data input; the kind we are talking about are scripts that perform a set of repetitive tasks. For example, within Microsoft Word you can create a macro that replaces specific words in your documents with other words based on a set of rules you define. These macros can then be saved within the document for future use, especially if there is an ongoing task to perform. This opens the door for people to write malicious macros that, once executed, attempt to spread into other documents. Although this is most common with Microsoft Word (and other Microsoft Office programs), it is possible within any program that uses a similar technology (such as mIRC scripts). Macro viruses are rarely destructive, and they tend not to spread very fast thanks to antivirus programs. In fact they are normally just a pain and do silly things like disable menu items.
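Because macros travel inside the document, the first defensive question about a received file is simply whether it carries a macro project at all. As an added example (not code from the original guide), the Python below inspects an Office Open XML package (.docm/.xlsm/.pptm, the zip-based format) for an embedded VBA project; the sample packages it checks are constructed in memory and are not real Word files. The older binary .doc format stores macros differently and is not handled here.

```python
import io
import zipfile

# Where Word, Excel and PowerPoint OOXML packages store an embedded VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_macros(data: bytes) -> dict:
    """Report whether an OOXML package embeds a VBA macro project.

    Two independent signs are checked: the vbaProject.bin part itself and the
    vbaProject content type declared in [Content_Types].xml. Either one is
    enough to treat the document as macro-bearing.
    """
    report = {"is_ooxml": False, "vba_part": None, "declares_vba": False, "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not a zip container, so not OOXML at all
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return report
    report["is_ooxml"] = True
    report["vba_part"] = next((p for p in VBA_PARTS if p in names), None)
    types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["declares_vba"] = VBA_CONTENT_TYPE in types_xml
    report["has_macros"] = report["vba_part"] is not None or report["declares_vba"]
    return report


def make_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word package (not a real document) for the demo."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % VBA_CONTENT_TYPE)
    types_xml = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                 'openxmlformats.org/package/2006/content-types">%s</Types>' % "".join(overrides))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()
```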
Trojans (Trojan Horses)
A trojan is simply a program that, once executed, performs a task other than the one expected. That task is usually malicious, but it could also be a prank. Unlike worms and viruses, trojans do not replicate or copy themselves (and if they do they are considered a trojan worm or a trojan virus). These are usually given to you by someone you trust (unless you are extremely trusting). Once you execute the trojan it performs a specified task such as wiping all of your files, wiping particular files, opening your computer up to remote administration, joining a chat channel without your knowledge, revealing your Internet Protocol (IP) address, etc. In this way a trojan is more like an adware or spyware application (see the Adware and Spyware sections below). Trojans are very hard to tell apart from real applications, and often a real application will carry the trojan, so the program does what you thought it would but also does things you did not realize. Also, trojans are generally easier to throw together than a real application, so quite often an antivirus scanner will not detect every trojan.
There are many types of trojans, but a couple of types are important. The first is the backdoor trojan. This trojan opens some kind of alternate entry into your computer. Normally this backdoor allows a master to control the infected computer (the zombie). The other type is the keylogger trojan. This is a program that monitors the keystrokes you make and records them. Keyloggers usually save the keystrokes to a file on the infected computer, to be retrieved through some type of backdoor trojan, but the file could also be retrieved manually during an in-person visit (if the person knows you), sent via email automatically, etc. This type of trojan is very dangerous because it could potentially catch you entering your passwords, a credit card number, etc.
Adware
Adware is normally grouped together with spyware (see the Spyware section below), but sometimes differentiated from viruses, worms and trojans. However, they are all similar in that you don't (normally) mean to install them. What makes adware (and spyware) different is that they never intend to damage your computer (unless it's some kind of insane hybrid); their purpose is to make a profit from your computer or from how you use it. Simply defined, adware is an application that displays ads. It does this by displaying popup ads, inserting ads into web pages that shouldn't have them, adding search bars to your web browser or even to your operating system, or other similarly annoying behaviors.
Normally users do not want to install adware, and most often it is installed unintentionally. For example, many applications (such as KaZaA) come bundled with software that is considered adware. Most likely the software was called free, but as everyone knows, nothing is free. Sometimes, though, you will mistakenly install adware and this isn't always bad. Any program that displays ads is considered adware. So the web browser Opera could be considered adware, but most people wouldn't care about those ads because they know they could get rid of them by paying for the application. Other times you will install an application that claims it can speed up your Internet connection, and it will install itself and then begin showing ads.
So, is adware ever actually bad? That depends on you, because the programs are free and the companies need to make money somehow. However, sometimes the program isn't worth the ads. Sometimes the ads are vulgar. Often the programs are written so poorly that they make your computer unstable. Sometimes the programs are insanely annoying. And sometimes the programs won't even let you uninstall them. Not to mention that you may not have wanted the program in the first place, and that it may have tricked you into installing it. It also depends on where you draw the line between adware and trojans. A porn dialer (a program that uses the dial-up modem in your computer to connect to 1-900 numbers) could in theory deliver the porn you wanted, but normally it just racks up huge bills to offshore phone numbers without you receiving anything.
Spyware
Spyware is normally grouped together with adware (see the Adware section above), but sometimes differentiated from viruses, worms and trojans. However, they are all similar in that you don't (normally) mean to install them. What makes spyware (and adware) different is that they never intend to damage your computer; their purpose is to make a profit from your computer or from how you use it. Simply defined, spyware is an application that passively monitors your computer usage and then reports it back to the company that designed it. It will normally monitor such things as your web viewing habits, what programs you have installed, what games you play most often, your favorite choice in music, etc.
Normally users do not want to install spyware, because it is so intrusive, and most often it is installed unintentionally. For example, many applications (such as KaZaA) come bundled with software that is considered spyware. Most likely the software was called free, but as everyone knows, nothing is free. Sometimes, though, you will mistakenly install spyware and this isn't always bad. Any program that reports usage back to the company that designed it is considered spyware. So you could consider Windows Media Player spyware because it sends usage information back to Microsoft, but most likely you won't care because the information is anonymous and the program is free.
So, is spyware ever actually bad? That depends on you, because the programs spyware is normally bundled with are free and the companies need to make money somehow. However, sometimes the program isn't worth having it spy on you. Often the programs report back very personal information. Often that information won't be kept confidential. Often it will result in massive amounts of spam. Often the programs are written so poorly that they make your computer unstable. Often the information can be traced back to you. And sometimes the programs won't even let you uninstall them. Not to mention that you may not have wanted the program in the first place, and that it may have tricked you into installing it. It also depends on where you draw the line between spyware and trojans.
Junkware
This is a term for the group that contains spyware and adware.
Malware
This is a term that applies to all bad software. In the case of junkware (spyware, adware), the programs, or programs associated with them, may provide features that are desirable.
Rootkits
Rootkits are tools used by ill-intentioned computer users to take over a computer that executes them. They are similar to trojans in that they are programs that do things without your knowledge, but normally rootkits are not handed to you by someone hoping you will execute them. Normally they are delivered to your computer by a worm or a trojan, and your computer is then instructed to execute the rootkit, which installs backdoors, keyloggers, file sharing servers, etc. The reason these are differentiated from worms, trojans, etc. is that they are often quite large and are separate files from the worm or trojan executables.
A classic example is a worm that exploits a bug on a remote computer. The remote computer is instructed to connect to a file share on the infecting computer and download a rootkit. Then the remote computer is instructed to execute the rootkit it downloaded. Sometimes you will discover rootkits left on a computer after an infection because the malware never deleted them; often these are left in the root (most likely C:\) of your system drive, and sometimes they are not even detected as malware because they are a collection of normally inoffensive programs. A common set of programs in a rootkit is Cygwin for running Linux programs, FireDaemon for running hidden services, mIRC for distributing files on IRC, and an FTP daemon such as Serv-U FTP that is also used for sharing files.