What is malware?
Malware is formally defined in Wikipedia as “Software designed to secretly access a computer system without the owner’s informed consent”, and by Microsoft’s TechNet as “any software designed to cause damage to a single computer, server, or computer network”. The term itself is therefore generic for all types of malicious software that run stealthily without the user’s intervention and damage the CIA triad, for example by stealing users’ sensitive data (loss of confidentiality), modifying the contents of executable files (loss of integrity), or disabling services and crippling the OS (loss of availability).
Nevertheless, this definition should not be confused with employee monitoring and computer surveillance software, which can be stealthily deployed by system administrators in a corporation to monitor and supervise all employee computers. Although these programs bear some resemblance to the definition of malware, they are used to enforce enterprise policies on employees. These policies include monitoring and logging employees’ applications to report the installation of undesirable software if an application somehow subverted the host policy, recording all documents and files opened by users, or logging their web browsing activity. Commonly known examples are Nexthink, SpectorSoft and SurveilStar.
Malware is generally divided into broad categories, among which are:
a. Viruses:
-Software designed to propagate through host files by attaching itself to other files. It can evade detection and destroy or damage systems automatically.
-Divided according to their detection-evading techniques, which include (but are not limited to):
i. Stealth viruses, which manipulate the operating system by sending modified data to virus scanners to indicate normal operation.
ii. Retroviruses, which attack antivirus software by damaging its virus signatures; for example, polymorphic viruses, which change their own content by encryption or modification in order to avoid detection.
iii. Armored viruses, which are coded to resist debugging/disassembling (reverse engineering), which slows or hinders analysis of the virus internals.
iv. Encrypted viruses, which rely on encryption to change their appearance every time they infect a system.
v. Multipartite viruses, which utilise combinations of these detection-evasion methodologies.
-Some famous viruses are CIH (1998) and Michelangelo (1991).
b. Worms:
-Software designed to propagate without host files, to evade detection and completely consume system and network resources automatically. Worms do not rely on attaching to other files but rather reside in memory and utilise network connections, emails or P2P programmes, exploiting vulnerable applications in order to propagate.
-Some worms contain and deliver viruses to the infected systems.
-Some famous worms are Conficker (2008) and SQL Slammer (2003).
-In fact, the boundaries between internet worms and viruses are blurring, with some malware, such as the Melissa virus, utilising the mass-mailing method of propagation.
-Because worms lack the replicating ability of viruses, they are generally easier to remove from infected systems than viruses.
c. Trojan Horses:
-Software designed to look like legitimate and useful software, but containing a malicious payload. It can propagate via email attachments or files downloaded by unaware users.
-Trojans resemble worms in their standalone structure, unlike viruses, and differ from both worms and viruses in their dependency on human intervention rather than automatic propagation.
-A trojan generally consists of two parts. The server part, when downloaded and executed by the unaware user, opens a specific port on the victim machine. The client part is used by the cracker to connect to the victim machine through the already opened port and provides access to the infected system.
-Common examples are Back Orifice and SubSeven.
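A trojan’s server component (like any other backdoor) shows up on the victim as a listening port that the host’s baseline does not account for. The following is an added example, not code from the original article: it parses a constructed `ss -ltnp`-style listing and reports listeners that are missing from an assumed allowlist or owned by an unexpected process.

```python
"""Flag listening TCP ports that are not in a host's baseline, the way a
trojan's server component or a backdoor shows up on the victim machine.
Added example, not from the original article. The `ss -ltnp` sample below is
constructed, and the allowlist is an assumed baseline for illustration."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by `ss -ltnp` on Linux.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       511     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=902,fd=6))
LISTEN  0       128     0.0.0.0:31337       0.0.0.0:*          users:(("update.bin",pid=4412,fd=4))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=811,fd=4))
"""

# Assumed baseline for this host: port -> process expected to own it.
ALLOWLIST: Dict[int, str] = {22: "sshd", 631: "cupsd"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_listeners(ss_output: str) -> List[Tuple[str, int, str, int]]:
    """Return (local_addr, port, process, pid) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return listeners

def unexpected_listeners(ss_output: str, allowlist: Dict[int, str] = ALLOWLIST) -> List[dict]:
    """Listeners whose port is not in the baseline, or whose owning process is
    not the one the baseline expects. `remotely_reachable` is False for
    loopback-only binds, which cannot be reached from another machine."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_output):
        expected = allowlist.get(port)
        if expected is None:
            reason = "port not in baseline"
        elif expected != proc:
            reason = f"port owned by {proc!r}, baseline expects {expected!r}"
        else:
            continue
        loopback = addr.startswith("127.") or addr in ("[::1]", "::1")
        findings.append({"port": port, "process": proc, "pid": pid,
                         "remotely_reachable": not loopback, "reason": reason})
    return findings
```

On a real host, feed it the output of `ss -ltnp` and maintain the allowlist from a known-clean build of the same image.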
d. Spyware:
-Software designed to monitor and steal victims’ private and personal information, such as credit card numbers and online game passwords. Spyware is unable to self-replicate, so it needs human intervention to be installed on each victim. It usually propagates bundled with freeware on the internet, such as toolbars, or through malicious websites that exploit web browsers and trick them into unintentionally downloading the spyware.
-It can log keystrokes to capture passwords (aka stealware), monitor and report web browsing activity, or redirect users to its own websites.
-Examples are Bonzi Buddy and Xupiter.
e. Adware:
-A type of spyware that monitors users’ web browsing activity and sends it to remote servers, accompanied by unsolicited pop-up advertisements.
-Examples are Cydoor, Gator and Comet Cursor.
f. Scareware:
-Aka rogue security software: software designed to look like a legitimate and useful antivirus that can be purchased, but it carries a malicious payload and is completely useless.
-Scareware relies on social engineering for propagation, falsely warning users that their workstations are infected and that they can remove the infecting malware if they purchase the fake antivirus software.
-An example is SpySheriff.
g. Logic Bombs:
-Malware that resembles viruses in attaching itself to other executable files. When the file is executed, the logic bomb runs first and checks whether the trigger for its operation has been met. If not, control returns to the executable file; if it has, the logic bomb executes its malicious payload.
-One notable example is the Chernobyl virus, which attempts to overwrite the BIOS on 26 April of every year.
h. Rootkits:
-Malware that provides root-level access to the victim operating system by modifying or replacing basic building blocks of the operating system.
-Rootkits are known to be difficult to detect or remove with anti-malware scanners.
-One example was Tornkit, a Linux rootkit.
i. Bots:
-A bot is a software agent that is mostly associated with other malware, mainly viruses, worms, trojans and rootkits. When installed, it reports to a remote controller server and complies with its commands.
-Bots are mostly used by the controlling cracker (aka operator) as a network-for-rent: a customer purchases a number of compromised machines and provides the operator with a spam message, or with a target IP to attack, and the operator then instructs the infected machines (mainly using IRC or web servers) to send spam messages or to launch a massive Distributed Denial of Service attack on the targeted IP.
-An example is Mariposa Butterfly.
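Because every bot reports to the same controller, the controller stands out at the network edge as one external host:port contacted by many internal machines. The following is an added example, not code from the original article: it counts that fan-in over constructed outbound connection log lines and flags the shared rendezvous, giving IRC ports (the control channel named above) extra weight. The log layout, the 10.0.0.0/8 internal range and the threshold are assumptions.

```python
"""Flag a shared rendezvous host that many internal machines contact (botnet
command-and-control fan-in). Added example, not from the original article.
The log layout, the 10.0.0.0/8 internal range and the threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address range
IRC_PORTS = {6667, 6697}              # standard IRC plaintext and TLS ports

# Constructed outbound connection log: "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.1.5   203.0.113.9    6667
2024-05-01T10:00:03 10.1.1.7   203.0.113.9    6667
2024-05-01T10:00:04 10.1.2.19  203.0.113.9    6667
2024-05-01T10:00:05 10.1.1.5   198.51.100.20  443
2024-05-01T10:00:07 10.1.3.2   203.0.113.9    6667
2024-05-01T10:00:09 10.1.1.7   198.51.100.20  443
2024-05-01T10:00:11 10.1.4.8   203.0.113.9    6667
2024-05-01T10:00:12 10.1.1.5   10.9.9.9       445
"""

def fan_in(log: str) -> Dict[Tuple[str, int], Set[str]]:
    """Map each external (dst_ip, dst_port) to the set of internal sources
    that contacted it. Internal-to-internal traffic is ignored."""
    sources: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, src, dst, port = parts
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            sources[(dst, int(port))].add(src)
    return sources

def suspected_c2(log: str, min_hosts: int = 3) -> List[dict]:
    """Destinations contacted by at least `min_hosts` distinct internal hosts.
    A common rendezvous point is what an operator's IRC or web controller
    looks like from the edge; the IRC flag raises the priority of a finding."""
    findings = []
    for (dst, port), hosts in fan_in(log).items():
        if len(hosts) >= min_hosts:
            findings.append({"dst": dst, "port": port, "hosts": len(hosts),
                             "irc": port in IRC_PORTS})
    return sorted(findings, key=lambda f: -f["hosts"])
```

A popular legitimate service also shows high fan-in, so the threshold and an allowlist of known destinations need tuning per network.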
j. Backdoors:
-A backdoor is any deliberate configuration or software that provides remote access to a system while bypassing the normal authentication procedures.
-This is not essentially malware, since trojans and rootkits are not the only things that leave backdoors in infected systems; some legitimate programmes do so to facilitate administration, recovery or even anonymous information collection.
-Anti-malware scanners can only detect the malicious backdoors; however, firewalls can do a great job of blocking remote connections to these backdoors if configured carefully.
k. Other malware:
-Other examples include ransomware, a worm-like malware that renders a computer system or its data unusable by encryption or locking and then demands a ransom. A second example is crimeware, which focuses on identity theft targeting users’ bank accounts. A third example is riskware, which is not malware but legitimate software able to perform critical security functions, such as disabling/enabling services and processes, and which can be misused by other malware. A fourth example is installware, which is any software installed or downloaded on users’ computer systems without their consent. Lastly, grayware is a general term for undesirable software including spyware, adware, and joke programs.
About the Author:
Hafez Boghdadi, Team Leader – Security & Network Professional Services at RAYA Integration