What’s the Problem: Malware Identification (Part 2 of Anti-Malware)

Steven Harris, CST Manager
In Part 1 of the Anti-Malware series, we looked at the symptoms that may indicate that your system is infected. With so many classes of malware, each with its own ways of damaging computers and network components, a basic understanding of their structure and classification is essential to combating them. Many users use the words virus, worm and Trojan as synonyms, but they are distinct classes of malware, each with its own identifying characteristics. Below is an overview of the most common types of malware.

A virus is a type of malware that propagates by creating copies of itself and inserting them into other programs or files; in other words, it can spawn copies of itself. Viruses are designed to spread from host to host and range in severity from the mildly annoying to the disastrous (corrupted or destroyed data). Most viruses attach to some type of executable file or script, which means a virus can lie dormant until that file is executed. Once it runs, the replication routine attaches copies of the virus to other programs and files, while the payload carries out the author's intent, e.g. registry manipulation or file deletion. Some viruses overwrite other programs or files with copies of themselves, which destroys the original program altogether. The virus then spreads by one of two means: a) the code seeks out a route to another system via the network, email or other channels, or b) the user unintentionally spreads the infected file through file sharing or similar activity.

A well-known example of a virus is the Brain virus, also referred to as the Pakistani flu in some circles, which was written by a 19-year-old Pakistani programmer and his brother. Released in January 1986, Brain was responsible for the first IBM PC-compatible virus epidemic.

Trojans, named after the Trojan Horse of the Trojan War, resemble viruses in the damage they can do to programs and files; unlike a virus, however, a Trojan does not replicate itself. A Trojan is designed to carry out specific actions, such as damaging programs or altering or deleting data, and it very commonly masquerades as legitimate software so that the user installs it willingly. Often a Trojan acts as a back door, giving an attacker unauthorized and undetected use of the infected computer. Trojans are generally used for spamming, theft of money, modification or deletion of files, keylogging and denial-of-service attacks, and they are becoming more common with the rise of botnets.

A well-known example of a Trojan is CryptoLocker, which surfaced in the last quarter of 2013. CryptoLocker encrypts certain types of files on local and mapped network drives with a key pair whose private key is stored only on the malware's server; the user is then 'blackmailed' into paying for the decryption of the files, which are essentially held for ransom.
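Both of the behaviours described above leave a trace on disk that an integrity baseline can pick up: a file infector changes the hash of an executable it attaches to, and ransomware like CryptoLocker replaces readable content with ciphertext, which pushes a file's byte entropy close to the 8 bits/byte maximum (and often renames it). The following script is an added example written for this article, not code from the original page or from any product it mentions. It snapshots a directory (SHA-256 plus Shannon entropy per file), diffs two snapshots, and flags modified or newly added files whose entropy looks like ciphertext. The thresholds (7.0 bits/byte, a jump of 2.0) and the demo directory contents are assumptions chosen for illustration; the "ransomware" in the demo is simulated with random bytes, no real encryption is performed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for repetitive data, ~4-5 for English text,
    close to 8 for compressed, random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Baseline of every regular file under root: relative path -> (sha256 hex, entropy)."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            with open(path, "rb") as f:
                data = f.read()
            result[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(),
                                                   shannon_entropy(data))
    return result


def diff_snapshots(before: dict, after: dict, high_entropy: float = 7.0,
                   entropy_jump: float = 2.0) -> dict:
    """Compare two snapshots and classify the differences.

    modified            - same path, different hash (a file infector that appends to or
                          overwrites an executable lands here)
    added / removed     - new or missing paths (ransomware that renames files while
                          encrypting them shows up as removed + added)
    suspected_encrypted - modified files whose entropy jumped to near 8 bits/byte, plus
                          added files that are already that random: the signature of
                          content replaced by ciphertext (thresholds are assumptions)
    """
    modified = sorted(p for p in before if p in after and before[p][0] != after[p][0])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    suspected = [p for p in modified
                 if after[p][1] >= high_entropy and after[p][1] - before[p][1] >= entropy_jump]
    suspected += [p for p in added if after[p][1] >= high_entropy]
    return {"modified": modified, "added": added, "removed": removed,
            "suspected_encrypted": sorted(suspected)}


if __name__ == "__main__":
    # Constructed demo: a throwaway directory stands in for a user's files.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.txt"), "w") as f:
            f.write("Quarterly figures: revenue up, costs flat.\n" * 40)
        with open(os.path.join(root, "tool.bin"), "wb") as f:
            f.write(bytes(range(64)) * 32)            # stands in for an executable
        baseline = snapshot(root)

        # Simulate a file infector: code appended to the "executable".
        with open(os.path.join(root, "tool.bin"), "ab") as f:
            f.write(b"\x90" * 16 + bytes(range(200, 256)))
        # Simulate ransomware: content replaced by random bytes (os.urandom is only a
        # stand-in for ciphertext, nothing is actually encrypted) and the file renamed.
        os.replace(os.path.join(root, "report.txt"), os.path.join(root, "report.txt.locked"))
        with open(os.path.join(root, "report.txt.locked"), "wb") as f:
            f.write(os.urandom(1700))

        for kind, paths in diff_snapshots(baseline, snapshot(root)).items():
            print(f"{kind:20s} {paths}")
```

Run it once on a clean system to produce the baseline, store that baseline somewhere the malware cannot reach (read-only media or another host), and diff against it later: a modified executable with no entropy change points at a file infector or tampering, while a burst of high-entropy rewrites or renames points at encryption. Expect false positives on files that are legitimately compressed or encrypted (archives, media, key stores); those should be excluded from the scan or whitelisted.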

Worms resemble viruses in that they replicate themselves and can cause the same varying degrees of damage. Unlike viruses, however, worms are standalone software that need neither a host program nor human intervention (running a program or opening a file) in order to replicate; they are built to spread by exploiting vulnerabilities on target computers directly over the network. A common use of worms is to install a back door, often together with a Trojan, in order to add the target to the attacker's botnet; the infected computer is then known as a "zombie". An example of a common worm is NGRbot, which uses the IRC network to transfer files and to send commands to, and receive results from, "zombie" computers.

Probably one of the most notable worms was the Sapphire worm, aka SQL Slammer, which in January 2003 exploited a buffer overflow in the Microsoft SQL Server 2000 Resolution Service and, because the whole worm fit in a single UDP packet, spread as fast as infected hosts could send. According to The Cooperative Association for Internet Data Analysis (CAIDA), the Sapphire worm was able to double in size every 8.5 seconds. "The worm infected at least 75,000 hosts, perhaps considerably more, and caused network outages and such unforeseen consequences as canceled airline flights, interference with elections, and ATM failures."
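The 8.5-second doubling time above is what you get from a worm that picks random IPv4 addresses and infects a vulnerable host on every hit, with no user action in the loop. The following model is an added example written for this article, not CAIDA's code or analysis. It uses the standard random-scanning (logistic) model: if each infected host sends s scans per second into a 2^32 address space holding N vulnerable hosts, each infected host creates new infections at rate K = s*N/2^32 while most hosts are still clean, so the infected count doubles every ln(2)/K seconds until the population saturates. The functions take the doubling time from the page and the 75,000-host figure as the vulnerable population; treating that figure as the vulnerable population and the per-host scan rate it implies are assumptions made for illustration.

```python
import math


def contact_rate(scans_per_second: float, vulnerable_hosts: int,
                 address_space: int = 2 ** 32) -> float:
    """K: new infections per second caused by one infected host that scans random
    addresses, valid while almost all vulnerable hosts are still uninfected."""
    return scans_per_second * vulnerable_hosts / address_space


def doubling_time(k: float) -> float:
    """Early-phase doubling time of exponential growth at rate k."""
    return math.log(2) / k


def rate_from_doubling_time(seconds: float) -> float:
    """Inverse of doubling_time: the growth rate implied by an observed doubling time."""
    return math.log(2) / seconds


def infected_at(t: float, k: float, vulnerable_hosts: int, initial: int = 1) -> float:
    """Closed-form solution of the logistic model dI/dt = k * I * (1 - I/N)."""
    n = vulnerable_hosts
    return n / (1 + (n / initial - 1) * math.exp(-k * t))


def time_to_fraction(k: float, vulnerable_hosts: int, fraction: float,
                     initial: int = 1) -> float:
    """Seconds until `fraction` of the vulnerable population is infected (closed form)."""
    n = vulnerable_hosts
    target = fraction * n
    return math.log((n / initial - 1) * target / (n - target)) / k


def simulate(k: float, vulnerable_hosts: int, initial: int = 1,
             dt: float = 0.01, horizon: float = 600.0) -> list:
    """Forward-Euler integration of the same model, for comparison with the closed
    form; returns [(t, infected), ...] with one entry per step."""
    n, infected, t = vulnerable_hosts, float(initial), 0.0
    trace = [(t, infected)]
    for _ in range(int(round(horizon / dt))):
        infected += dt * k * infected * (1 - infected / n)
        t += dt
        trace.append((t, infected))
    return trace


if __name__ == "__main__":
    # Assumptions for the demo: the observed 8.5 s doubling time and 75,000 hosts.
    n = 75_000
    k = rate_from_doubling_time(8.5)
    implied_scans = k * 2 ** 32 / n           # per-host scan rate that would produce K
    print(f"K = {k:.4f} /s, implied per-host scan rate ~ {implied_scans:,.0f} scans/s")
    for frac in (0.1, 0.5, 0.9, 0.99):
        print(f"{frac:>4.0%} of vulnerable hosts infected after "
              f"{time_to_fraction(k, n, frac):6.1f} s")
    trace = simulate(k, n)
    for t, i in trace[::6000]:                # every 60 s
        print(f"t={t:5.0f}s  simulated={i:10.1f}  closed-form={infected_at(t, k, n):10.1f}")
```

The point a defender should take from the numbers is the timescale: under these assumptions the model goes from one host to 90% of the vulnerable population in a few minutes, which is far inside any human response loop. Real worms saturate somewhat later than the idealised curve because infected hosts compete for bandwidth and the scans start to hit already-infected or unreachable addresses, but the early doubling behaviour is what patch timing and network segmentation have to be measured against.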

Once malware has been installed on a system, it is essential from the attacker's point of view that it stay hidden in order to avoid detection, modification or deletion. Software known as a rootkit provides this concealment by modifying software, especially the operating system, so that the malware it protects is hidden from the user and from security tools. A rootkit hides the existence of certain files, programs or processes and preserves continued privileged access to the computer.
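Because a rootkit works by lying to one interface, the classic way to identify one is a cross-view check: obtain the same information through two different paths and look for anything that appears in one view but not the other. The following Linux script is an added example written for this article, not code from the original page or from any tool it mentions. View 1 is the directory listing of /proc, which is what ps and top use and what a user-space rootkit typically filters; view 2 asks the kernel for every candidate pid by name by opening /proc/<pid>/status directly. A pid the kernel answers for but the listing omits is hidden. The Tgid parsing avoids a well-known false positive: thread ids are legitimately absent from the top-level listing, so only thread-group leaders count as processes. The pid range and the constructed status text in the demo are assumptions.

```python
import os
from typing import Callable, Optional


def read_status(pid: int) -> Optional[str]:
    """View 2 primitive: open /proc/<pid>/status by name, bypassing readdir().
    Returns None when the kernel says there is no such task."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None


def tgid_from_status(text: str) -> Optional[int]:
    """Parse the Tgid line. A task whose Tgid differs from its own id is a thread,
    and threads never appear in the top-level /proc listing, so they must not be
    reported as hidden processes."""
    for line in text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def listed_pids() -> set:
    """View 1: what readdir() on /proc reports (the view ps, top and any hooked
    libc wrapper see)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid: int,
                read: Callable[[int], Optional[str]] = read_status) -> set:
    """View 2: every pid in 1..max_pid the kernel answers for and that is a
    thread-group leader, i.e. a real process."""
    found = set()
    for pid in range(1, max_pid + 1):
        text = read(pid)
        if text is not None and tgid_from_status(text) == pid:
            found.add(pid)
    return found


def hidden_pids(listed: set, probed: set) -> list:
    """Processes the kernel answers for but the listing omits."""
    return sorted(probed - listed)


def cross_view_check(max_pid: int,
                     read: Callable[[int], Optional[str]] = read_status) -> list:
    """Take the listing before and after the probe; a pid counts as hidden only if
    both listings missed it, which rules out processes that merely started or
    exited while the probe was running."""
    before = listed_pids()
    probed = probed_pids(max_pid, read)
    after = listed_pids()
    return hidden_pids(before | after, probed)


def pid_max() -> int:
    """Upper bound of the pid space on this kernel."""
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


if __name__ == "__main__":
    suspicious = cross_view_check(pid_max())
    print("hidden pids:", suspicious if suspicious else "none")
```

Two caveats a practitioner should keep in mind. First, this only catches rootkits that hook the user-space path (LD_PRELOAD style) or filter readdir; a kernel rootkit can lie on both views, which is why the stronger checks compare against something the rootkit does not control, such as a boot from known-good media, a memory image examined offline, or hardware-attested measurements. Second, /proc mounted with hidepid hides other users' processes from both views consistently, so run the check as root to avoid missing them.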

For an interesting read on one of the most publicized rootkits, if you are not already familiar with the Sony BMG Music Entertainment rootkit, head over to the Texas Attorney General's website, where AG Greg Abbott filed the first enforcement action in the nation against Sony BMG under the state's anti-spyware law.

Spyware is a very common type of infection, especially among novice computer users. It is normally bundled with legitimate-looking programs downloaded from a malicious or unmonitored website. Spyware is commonly used to track and store the user's movements on the Internet and then display pop-up ads that, when clicked, generate revenue for the malware's author. Another common purpose is to log personal data such as names, addresses, passwords, and banking and credit card numbers. Spyware can also interfere with the use of a computer by redirecting web browsers and changing system settings. Well-known examples of spyware include CoolWebSearch, Internet Optimizer and Zango.

Hopefully by now you are able to identify what type of malware infection you may be facing. And now that we have identified a potential culprit, it is time to get rid of it!

How Do I Fix It: Malware Removal and Prevention (Part 3 of Anti-Malware)
