Malware Threats

From CastleCopsWiki

Caution: the article below is currently in beta and has not been reviewed for factual errors.

"Malware" is the generic name for malevolent software: software that damages, disrupts or otherwise carries out malicious activity when run on a computer. Most people use "virus" as a catch-all for malicious software, but that usage is not correct. Experts classify malicious software along two dimensions: how it spreads, and what it does once it runs (its payload).


Distribution Methods

Below we list the three traditional infection/distribution methods of malware. A fourth has emerged more recently.[1]

Virus

Viruses work by infecting a host file that is running at the same time the virus is in memory. Once a host file is infected, it spreads the infection to other files whenever it is run. Almost any executable file can be infected. Viruses were most common in the late 1980s, before the Internet and networking in general were widespread, and were generally spread by people exchanging diskettes. Today they are less common. The thing to note is that a classic virus cannot spread to another computer by itself: the infected host file to which the virus has attached itself has to be transferred to another computer (by floppy, CD or download) and run by a human before it can replicate there.

Technical note

Traditionally, viruses are also sub-divided into polymorphic, metamorphic, overwriting, stealth, parasitic, companion, logic bomb, boot sector, macro viruses and so on.[2] However, most of these are no longer common or never were (boot sector viruses, companion viruses), some are technical terms for how the virus protects itself from detection (stealth, polymorphic, metamorphic), and the rest describe the payload (logic bomb). Despite these differences, all of them need to infect another host file before spreading.
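Because a parasitic virus has to modify a host file to spread, the classic way to catch one without a signature is an integrity baseline: hash every executable while the system is known clean, then look for executables whose hash (and usually size) has changed. The following is an added example written for this article, not code from CastleCops or from any product; it constructs its own throw-away files in a temporary directory, and the "infection" is a few inert bytes appended to one of them.

```python
"""Integrity baseline for spotting host-file modification (added example).

Constructed scenario: a clean baseline of executables is taken, then one host
file grows (a stand-in for a parasitic virus appending its body) and a new
file appears (a stand-in for a companion or dropped file).
"""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream a file through a cryptographic hash so large binaries fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, extensions=(".exe", ".dll", ".com", ".scr")):
    """Map relative path -> (size, sha256) for every executable under root.

    The extension list is an assumption for the example; a real checker would
    key on file type rather than name.
    """
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = (os.path.getsize(full), hash_file(full))
    return baseline


def compare(baseline, current):
    """Return modified (hash changed), added, removed, and grown (size increased) files."""
    modified = sorted(p for p in baseline if p in current and baseline[p][1] != current[p][1])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    grown = [p for p in modified if current[p][0] > baseline[p][0]]
    return {"modified": modified, "added": added, "removed": removed, "grown": grown}


def demo():
    """Run the constructed scenario end to end and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "game.exe": b"MZ" + b"\x00" * 100,
            "tool.exe": b"MZ" + b"\x01" * 50,
            "readme.txt": b"not an executable, ignored by the baseline",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        # Stand-in for a parasitic infection: inert bytes appended to a host file.
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b"INERT-STAND-IN-FOR-VIRUS-BODY")
        # Stand-in for a companion/dropped executable that was not in the baseline.
        with open(os.path.join(root, "helper.dll"), "wb") as f:
            f.write(b"MZ" + b"\x02" * 10)

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the terms in the note above. The baseline is only as good as the moment it was taken, so it must come from a known-clean system. And a stealth virus that intercepts file reads can feed the checker the original, uninfected bytes, which is why integrity checkers are run from clean boot media when an infection is suspected.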

Worm

Worms are independent, standalone programs that do not infect other host files. Worms can spread through open network shares within the same LAN, across the Internet (typically by port-scanning for vulnerable computers and infecting them through a security exploit) or, most commonly, by emailing themselves to addresses they find on the infected computer, typically in an address book or in browser cache files.

Trojan

Trojans, or Trojan horses, are similar to viruses in that they cannot work unless the user runs them directly. Anyone familiar with the Greek story of the gift of the Trojan horse will appreciate the idea. A trojan tricks the user into running it by pretending to be some other benign or useful program, and then does something undesired and surprising instead of, or in addition to, what it promised. For example, a user might run a program believing it is a game, when it actually hides a keylogger or password stealer. Unlike a virus, a trojan generally does not replicate or spread to other files or computers. Unlike "virus" or "worm", the definition of "trojan" is not as clear-cut, because it rests on the notion of unexpected behaviour, which is somewhat subjective; in practice it is used as an umbrella term for any malware that is neither worm nor virus.

Drive-by Downloads

A drive-by download is not a piece of malware per se, but an increasingly popular infection technique in which a user visits a malicious site and is infected through an exploit for a vulnerability in the browser (or a browser plugin). The exploit causes a piece of malware to be downloaded to, and possibly executed on, the system without any further action by the user.


Technical note

As explained in the article "Understanding Computer Infections", exploits are pieces of code, or crafted input, that target identified vulnerabilities in software. Exploits may be considered malware. They differ from other malware in that they are not always programs; they can simply be malformed input that the vulnerable software mishandles. Much malware, worms in particular, uses exploits to spread, though malware does not have to use them: some simply works by tricking a computer user into running it.[3]

Blending

Of course, most current malware threats are "blended threats": part worm, part trojan, part virus. Most worms that spread through email attachments are technically part trojan as well, since they rely on the user to open and run the attachment for infection to occur. Nimda is a typical example of a worm, trojan and virus combined.

Summary

Of these three classes of threats, worms and viruses are handled reasonably well by anti-virus programs. Outbreaks of worms and viruses tend to spread widely and hence are quickly targeted by anti-virus vendors and added to their signature databases. Trojans, on the other hand, keep a low profile because they do not replicate. While most anti-virus programs detect the most common ones, a specialized anti-trojan scanner may be advisable, especially for anyone who habitually runs dubious files.

Payload Types

Viruses, trojans and worms describe how malware spreads, but what exactly is the malicious behaviour it is designed to carry out, beyond replication? Classification along this dimension is often vague and loose, and, as with worms, viruses and trojans, many threats resist easy classification because they have several functions and payloads. Recently, for example, adware programs have started using rootkit methods to hide their components from detection and removal. Similarly, both worms and trojans can be used to deliver keyloggers.


Adware

Software designed to display advertisements (generally popups) on a computer. Subclasses include browser hijackers, which change the browser's homepage and search settings to drive traffic to certain sites. Drive-by downloads are sometimes listed here too, but they describe how adware gets installed and so belong to the distribution dimension above. Note: much adware also tracks user behaviour to target adverts or feed market research, and is therefore often also considered spyware.


Technical note

Of all the definitional arguments over these terms, those over "adware" and "spyware" are surely the most intense. Some adware is relatively well behaved (static popups) and/or is clearly disclosed, with a clear privacy policy, so the user knows the software is ad-supported and what to expect. Many other adware programs are less benign and use various deceptive practices (burying consent in EULAs, installing via deceptive popups, security exploits and so on) to get onto a computer and resist removal by normal means. Initially, vendors fought to defend the legitimacy of (some) adware and took pains to differentiate it from spyware. However, because a large proportion of adware was outright malicious (CWS, for example), the term has acquired negative connotations and is often lumped together with spyware.

Browser Hijackers

This can be classified as a type of adware. A browser hijacker alters your browser so that the homepage, the search settings and/or the default error pages (such as the 404 "page not found" page) point to a site of the hijacker's choosing. The idea is to drive traffic to sites they own (which often bombard you with popups) and so increase advertisement views and hits. Browser hijackers also make it difficult to change the settings back to normal.


Spyware

Using the broadest definition, spyware is any software capable of collecting or reporting information that might compromise privacy. There are several degrees of spying, and everything from cookies and programs that report usage habits (such as browsing history) to keyloggers has been considered spyware.

As mentioned above, spyware has in recent years become embroiled in a large definitional debate. In fact, the most malicious forms of adware are now often identified as the archetypal spyware. There is also a push in some quarters to use "spyware" as a catch-all term for malware, reflected for example in Ewido changing its name from Ewido anti-malware to Ewido anti-spyware.


Greyware / Potentially Unwanted Programs (PUP)

The term greyware alludes to the fact that classifying malware is sometimes not black and white. For instance, commercial keyloggers used by employers or parents to monitor users may be wanted by the owners of the machines. On the other hand, if scanners chose to ignore these keyloggers, attackers would start using them. Similarly, many user tools such as FTP servers, IRC clients and remote access programs have both legitimate uses (you might want to control your own computer remotely from work) and malicious ones. To stretch the point, some users will not consider (limited) adware/spyware malicious as long as its behaviour is disclosed. From the legal point of view, several vendors of such products (adware, keylogging programs, remote access programs) have also started lawsuits against companies that classified their programs as malicious.

To avoid these disputes, many security companies have begun classifying such programs as "greyware" or "potentially unwanted programs" and allow detection of this class to be turned off.


Tracking Cookies / Trackware / Spyware Cookies

Cookies are tokens of information held in your browser and associated with specific websites. They are generally used to keep track of users. For example, a site might set a cookie so that the next time you view it you get the same configuration or view you had set; cookies can also hold login sessions and similar state.

Cookies can also be used for tracking. Third-party cookies in particular let an advertising network recognise you and keep track of your behaviour as you move between sites that embed content from that network.

Nevertheless, even such cookies are relatively harmless, though they are a minor threat to your privacy. Blocking all third-party cookies and/or periodically clearing all cookies (except trusted ones) is sufficient most of the time.
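To make "third-party cookie" concrete: a cookie is third-party relative to the page you are on when its domain belongs to a different site than the page. The script below is an added example written for this article, not CastleCops code; it reads a constructed Netscape-format cookie file (the tab-separated format used by older Mozilla browsers and curl) and splits its cookies into first- and third-party for a given page. It approximates the "registrable domain" as the last two labels of the host name, which is an assumption that breaks for suffixes like co.uk; a real implementation would consult the Public Suffix List.

```python
"""Classify cookie-jar entries as first- or third-party (added example).

Input is a constructed Netscape cookie file: one cookie per line, seven
tab-separated fields (domain, host-only flag, path, secure, expiry, name, value).
"""

# Constructed sample jar: one session cookie for the news site, one preference
# cookie for its parent domain, and two cookies set by unrelated trackers.
COOKIE_JAR = """\
# Netscape HTTP Cookie File (constructed sample)
.news.example.com\tTRUE\t/\tFALSE\t1900000000\tsession\tabc123
.adnetwork.test\tTRUE\t/\tFALSE\t1900000000\tuid\t9f8e7d
.example.com\tTRUE\t/\tFALSE\t1900000000\tprefs\tdark
tracker.metrics.invalid\tFALSE\t/\tTRUE\t1900000000\tvisitor\t55aa
"""


def registrable_domain(host):
    """Approximate the site a host belongs to as its last two labels.

    Assumption for the example only: 'news.example.com' -> 'example.com'.
    Public suffixes such as 'co.uk' need the Public Suffix List instead.
    """
    labels = host.strip().lstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_cookie_jar(text):
    """Parse Netscape-format lines into dicts; comments and malformed lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue
        domain, _host_only, path, secure, expires, name, value = parts
        cookies.append({
            "domain": domain,
            "path": path,
            "secure": secure == "TRUE",
            "expires": int(expires),
            "name": name,
            "value": value,
        })
    return cookies


def classify(cookies, page_host):
    """Split cookies into (first_party, third_party) relative to the page being viewed."""
    site = registrable_domain(page_host)
    first, third = [], []
    for cookie in cookies:
        if registrable_domain(cookie["domain"]) == site:
            first.append(cookie)
        else:
            third.append(cookie)
    return first, third


def third_party_names(jar_text, page_host):
    """Convenience wrapper: sorted names of the cookies that are third-party on page_host."""
    _, third = classify(parse_cookie_jar(jar_text), page_host)
    return sorted(cookie["name"] for cookie in third)


if __name__ == "__main__":
    print(third_party_names(COOKIE_JAR, "news.example.com"))
```

The same cookie changes category depending on where you are: the "uid" cookie is third-party while reading the news site but first-party if you visit the ad network's own site, which is exactly the property that lets a network correlate visits across every site that embeds it.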


Rogueware, Rogue Software

"Rogue security software is software that uses malware (malicious software) or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent spyware."[4]

The most common rogueware are fake or useless anti-spyware programs. They display scary fake messages telling the user he is "infected", or use exploits to install themselves on the user's system without permission. Many will "scan" the system, "detect" infections and demand payment to remove them. They also share many other characteristics with malicious spyware/adware: they may bombard you with popups, have self-protective functions to fight removal, and so on.


Keylogger

Malware that logs keystrokes to capture important information such as passwords. For obvious reasons keyloggers are also considered spyware. Keyloggers these days not only log keystrokes but also take screen captures, to defeat some common anti-keylogging features such as on-screen keyboards. Note: many 'legitimate' commercial keyloggers are used by employers to keep track of employees, and as a result most well-known anti-virus software does not detect them. Many keyloggers are now also kernel based and use rootkit-like techniques to hide.


Password Stealers

Password stealers collect credentials and other sensitive information from the system and pass it on to the attacker. Many use a keylogger to collect passwords (credit card details, email passwords, online banking passwords, online gaming account passwords and so on), but other methods are also used, such as sniffing network traffic or reading stored credentials from files and the registry.

Backdoor and Remote Admin Tools/Trojans

The term "backdoor" was popularized by the movie "WarGames". When a backdoor is established on a computer, it allows the attacker to gain access to and control over the machine, bypassing most defences. Most such packages include keyloggers and rootkit functions as well. Most often such "owned" or "zombied" computers are used by the attacker to carry out illegal activities such as spamming or denial-of-service attacks, or as a launch pad for further hacking. Note: there are legitimate commercial remote administration programs, such as Remote Administrator or pcAnywhere, that users may employ to control their own PC remotely. These may or may not be detected by your anti-virus or anti-spyware software, depending on its targeting policy.


Technical note

Technically, the difference between a backdoor and a remote administration tool (RAT) is that "backdoor" refers to any method that gives attackers access by unauthorized means (whether through a RAT or through a security vulnerability), while a RAT is specifically a malicious program that runs on the machine and waits to receive commands from the attacker.



Rootkit

Software that hides itself or other objects, such as files, processes and Registry keys, from standard diagnostic, administrative and security software. Rootkits have come into the limelight on Windows lately. Once a cracker has broken into a system (and established a backdoor), steps will be taken to ensure that this access remains open and that the changes made are not detected. This is where a rootkit comes in.
A rootkit replaces or hooks part of the operating system (Windows in this case) itself, so that it can lie to any other program, anti-virus programs included. It is usually used to make itself and any other components the hacker wants effectively invisible. As of 2006, much spyware and adware incorporates rootkit features (or is a rootkit) to hide or resist removal. See Gromozon for an example.


Technical note

Note: the original definition of rootkit comes from the Unix world, where a rootkit is a toolkit used to *gain* and *maintain* root access. While maintaining root access (administrator-level rights on Windows) often involves hiding files and/or processes, the definition now used for Windows rootkits stresses only the ability of the malware to hide. Purists would insist that the correct term for that is stealth or stealthware, since malware does not strictly need root access to hide. This parallels the hacker/cracker definitional debate on a small scale. Some people (particularly the BOClean team) also argue that security software such as firewalls and anti-virus programs, which hook system calls too, could be considered rootkits by this definition.
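A rootkit that lies to "standard diagnostic software" is caught by asking the same question two different ways and comparing the answers. That cross-view technique is what rootkit detectors of this period did: take the process list from the hooked, high-level API (what Task Manager or `ps` sees), take it again by a low-level route the hook does not cover, and treat anything present only in the low-level view as hidden. The code below is an added example for this article, not CastleCops code or any product's; the two sample views are constructed, and the live Linux routine (walk /proc, then probe every PID with signal 0) is included to show how the same comparison is done against a real host.

```python
"""Cross-view detection of hidden processes (added example).

HIGH_LEVEL_VIEW / LOW_LEVEL_VIEW are constructed: the high-level (hookable)
listing is missing PID 4242, which the low-level probe still finds.
"""
import os

HIGH_LEVEL_VIEW = {1: "init", 612: "sshd", 900: "bash", 1337: "firefox"}
LOW_LEVEL_VIEW = {1: "init", 612: "sshd", 900: "bash", 1337: "firefox", 4242: "[unknown]"}


def cross_view_diff(high_level, low_level):
    """Return (hidden, transient) PIDs.

    hidden:    in the low-level view but not the high-level one (suspicious)
    transient: only in the high-level view, usually a process that exited
               between the two snapshots (not suspicious by itself)
    """
    hidden = sorted(set(low_level) - set(high_level))
    transient = sorted(set(high_level) - set(low_level))
    return hidden, transient


def live_linux_views(max_pid=32768):
    """Gather both views on a Linux host: /proc directory listing vs. kill(pid, 0) probe.

    max_pid is an assumption; read /proc/sys/kernel/pid_max on a real system.
    """
    high = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            pid = int(entry)
            try:
                with open(f"/proc/{pid}/comm") as f:
                    high[pid] = f.read().strip()
            except OSError:
                high[pid] = "?"

    low = {}
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)  # signal 0 checks existence without delivering anything
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the process exists but belongs to another user
        low[pid] = high.get(pid, "[hidden?]")
    return high, low


def find_hidden_processes(high_level=None, low_level=None):
    """Hidden PIDs from the supplied views, or from the live Linux host if none are given."""
    if high_level is None or low_level is None:
        high_level, low_level = live_linux_views()
    hidden, _ = cross_view_diff(high_level, low_level)
    return hidden


if __name__ == "__main__":
    print("hidden in constructed sample:", find_hidden_processes(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW))
```

Two practical points: processes start and exit between the two snapshots, so a single run produces false positives and detectors repeat the comparison before reporting; and a kernel-level rootkit can hook the low-level route as well, which is why the strongest form of the check compares a live view against an offline one taken from clean boot media.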



Dialers

Programs that use the computer's modem to dial a toll number or Internet site, typically to run up charges. Dialers can be installed with or without the user's explicit knowledge, and may dial without the user's specific consent.


Botnet

A bot (short for robot) is similar to a RAT (remote access trojan) in that it gives the controller access to and control over the infected machine. A botnet is a network of such bot-controlled systems.

"Unlike a RAT, bots don't sit around on the affected machine waiting for a 3rd party to find and connect to them - instead they go out and connect to one or more communication points where other instances of the bot have also connected to and await instruction. In this way the 3rd party can give instructions to thousands of affected computers at once.

The simplest botnet configuration is where all the bots connect to a single hub (such as an IRC chat room) where the bot master (the 3rd party controlling the bots) will give them instructions."[5]

See Botnets
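The hub-and-spoke layout described in the quote has a network signature: many internal hosts open connections to the same external host and port and speak IRC to it, frequently on a port that is not a normal IRC port. The detector below is an added example for this article (not CastleCops code); it runs over constructed connection records in a made-up format (timestamp, source, destination, destination port, first bytes of payload), so the field layout, the nickname style and the threshold of three clients are all assumptions for the example.

```python
"""Flag shared IRC command hubs in connection logs (added example).

SAMPLE_LOG is constructed: four internal hosts talk IRC to 203.0.113.7:1863,
one user talks to a legitimate IRC server on 6667, and there is unrelated HTTP.
"""
import re
from collections import defaultdict

# Commands a client sends when registering with and joining an IRC server.
IRC_COMMANDS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS|MODE)\b", re.IGNORECASE)
# Ports where IRC is normally expected; IRC elsewhere is worth a second look.
STANDARD_IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697}

SAMPLE_LOG = """\
2006-05-01T10:00:01 10.0.0.12 203.0.113.7 1863 NICK [USA|XP|83412]
2006-05-01T10:00:02 10.0.0.12 203.0.113.7 1863 JOIN #c0ntr0l k3y
2006-05-01T10:00:05 10.0.0.47 203.0.113.7 1863 NICK [USA|XP|11900]
2006-05-01T10:00:09 10.0.0.88 203.0.113.7 1863 NICK [DEU|2K|55120]
2006-05-01T10:00:11 10.0.0.91 203.0.113.7 1863 NICK [USA|XP|77301]
2006-05-01T10:01:00 10.0.0.5 198.51.100.20 6667 NICK alice
2006-05-01T10:01:30 10.0.0.5 192.0.2.10 80 GET /index.html HTTP/1.1
2006-05-01T10:02:00 10.0.0.12 192.0.2.10 80 GET /news HTTP/1.1
"""


def parse_log(text):
    """Split each record into its five fields; the payload keeps its internal spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(" ", 4)
        records.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return records


def detect_irc_hubs(records, min_clients=3):
    """Group IRC-looking connections by (destination, port) and report shared hubs.

    A hub is reported when at least min_clients distinct internal hosts use it,
    or when IRC is spoken on a non-standard port; both reasons are listed.
    """
    clients = defaultdict(set)
    for r in records:
        if IRC_COMMANDS.match(r["payload"]):
            clients[(r["dst"], r["dport"])].add(r["src"])

    findings = []
    for (dst, dport), srcs in sorted(clients.items()):
        reasons = []
        if len(srcs) >= min_clients:
            reasons.append(f"{len(srcs)} internal hosts share one IRC hub")
        if dport not in STANDARD_IRC_PORTS:
            reasons.append(f"IRC protocol on non-standard port {dport}")
        if reasons:
            findings.append({"hub": f"{dst}:{dport}", "clients": sorted(srcs), "reasons": reasons})
    return findings


def suspected_hubs(text, min_clients=3):
    """Convenience wrapper returning just the 'host:port' strings that were flagged."""
    return [f["hub"] for f in detect_irc_hubs(parse_log(text), min_clients)]


if __name__ == "__main__":
    for finding in detect_irc_hubs(parse_log(SAMPLE_LOG)):
        print(finding)
```

The legitimate IRC session to 198.51.100.20 on 6667 is not flagged because only one host uses it on a standard port; lowering min_clients to 1 would flag it too, which illustrates why the client count, not the protocol alone, carries the signal here.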

Dropper

A dropper is a program that carries an instance of some already known malware within itself and drops (extracts and runs) it when the dropper is executed. It is a way of hiding from scanners that already detect the known malware but not the dropper, since the dropper itself only extracts the payload and has no detectable signature of its own.
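The scanner's answer to a dropper is not to match the outer file but to look inside it: walk the file for embedded executables, carve each one out and check the carved payload against what is already known. The code below is an added example for this article, not CastleCops code or any vendor's engine. It looks for Windows PE images by the two header fields every PE must have (an `MZ` signature whose `e_lfanew` field at offset 0x3C points at `PE\0\0`), carves from each header to the next, and compares SHA-256 hashes against a known-bad list. Both the "known sample" and the "dropper" are constructed stand-ins containing only those header fields and some filler text; the bounds placed on `e_lfanew` are an assumption for the example.

```python
"""Carve embedded PE images out of a dropper and hash them (added example).

make_fake_pe() builds inert stand-ins with just the header fields the carver
reads; OUTER_DROPPER wraps INNER_SAMPLE the way a dropper wraps a known payload.
"""
import hashlib
import struct


def make_fake_pe(body):
    """Minimal constructed PE-like blob: 'MZ', e_lfanew at 0x3C, then 'PE\\0\\0' and a body."""
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    return bytes(dos_header) + b"PE\0\0" + body


def find_embedded_pe(data, skip_offset_zero=True):
    """Offsets of every MZ header whose e_lfanew really points at a PE signature.

    The outer file's own header at offset 0 is skipped by default; the 0x40..0xFFF
    range for e_lfanew is a sanity bound assumed for this example.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                if not (skip_offset_zero and pos == 0):
                    offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def carve(data, offsets):
    """Slice each embedded image from its header to the next header (or end of file)."""
    bounds = offsets + [len(data)]
    return [data[bounds[i]:bounds[i + 1]] for i in range(len(offsets))]


def scan_dropper(data, known_bad_sha256):
    """Hash every carved payload and mark the ones on the known-bad list."""
    offsets = find_embedded_pe(data)
    results = []
    for off, blob in zip(offsets, carve(data, offsets)):
        digest = hashlib.sha256(blob).hexdigest()
        results.append({"offset": off, "sha256": digest, "known": digest in known_bad_sha256})
    return results


# Constructed scenario: a known sample wrapped inside an otherwise unknown outer file.
INNER_SAMPLE = make_fake_pe(b"inert stand-in for a known malware body")
OUTER_DROPPER = make_fake_pe(b"unknown stub code " * 8) + INNER_SAMPLE
KNOWN_BAD = {hashlib.sha256(INNER_SAMPLE).hexdigest()}

if __name__ == "__main__":
    for hit in scan_dropper(OUTER_DROPPER, KNOWN_BAD):
        print(hit)
```

Plain carving only catches droppers that store the payload verbatim. Real droppers usually compress or encrypt what they carry precisely to defeat this, so scanners pair carving with unpacking or with running the dropper in an emulator and inspecting what it writes to disk.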


Downloader

A downloader is related to the dropper in that by itself it is not malicious. However, once run, the downloader tries to download and install or run some malware from the Internet. It differs from the dropper in that the dropper carries the malware within itself, while the downloader has to fetch it from the network. A good firewall might therefore be able to stop a downloader from fetching its malware, which it cannot do for a dropper.


Leaktest

This is technically not malware but a test program that demonstrates ways an unauthorized program can evade a personal firewall's outbound filtering (for instance by piggybacking on a program that is allowed to connect) and reach the network without permission.


Others

There are, of course, other "-ware" terms that have been coined (thiefware, stealware, badware, scumware) for various reasons, but the list above should cover the bases, as many of these are either alternative names for the same class of malware (badware/scumware = malware) or very specialized terms (thiefware: programs that tamper with affiliate commissions).


  1. Skoudis, Ed (2003). Malware: Fighting Malicious Code. New York: Prentice Hall.
  2. http://virus.gr/portal/en/node/17
  3. http://anti-virus-rants.blogspot.com/2006/05/what-is-exploit-code.html
  4. http://en.wikipedia.org/w/index.php?title=Rogue_software&oldid=180981056
  5. http://anti-virus-rants.blogspot.com/2006/03/what-is-botnet.html