
What is Malware?

So what is Malware? Short for malicious software, malware is as old as software itself, and programmers have been authoring it for as long as they have been authoring legitimate software. There are many reasons why a programmer might create malware. These reasons vary from simple pranks and experiments to serious organized Internet crime. Malware exists in many forms, most of which you’ve probably already heard of. The most common types of malware are viruses, trojans, worms, spyware and zombies.

This article will cover the inner workings of the most common types of malware, and will also explain why malware is created and the kind of damage that it can inflict on individuals, corporations and governments.

Viruses

As was mentioned earlier, malware manifests itself in different forms; the most well-known is the virus.

Computer viruses are similar to their biological counterparts because they are capable of self-replication. The prime motivation of a virus is not to cause damage, but to clone itself onto another host so that it can spread further. If a virus causes damage it is more likely to be detected, and for this reason virus authors employ stealth techniques to keep it unnoticed. A good virus has a very small footprint and can remain undetected for a very long time.

Damage is not always a side-effect of infection. Sometimes damage has been purposely built-in by the programmer. Some viruses are time activated; they silently spread for a number of days, months or years and will suddenly activate and do damage on one particular date. Other viruses are event driven. They will activate when something particular happens on a host, or when a command is sent to them via a covert Internet channel.

Worms

Worms are very similar to viruses in many ways. The biggest difference between a worm and a virus is that worms are network-aware. A virus finds it very easy to replicate itself amongst files on the same computer; however, it has a hard time jumping from one computer to another. A worm overcomes this computer-to-computer hurdle by seeking new hosts on the network and attempting to infect them.

This is an important difference: in the past viruses could take years before moving from one corporation to another, or from one country to another. Worms are capable of going global in a matter of seconds. This makes it very hard for them to be controlled and stopped.

Trojans

The purpose of a trojan is to conceal itself inside software that seems legitimate. The term ‘trojan’ is derived from the Trojan Horse story in Greek mythology, which explains how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the inside.

The disguises that a trojan can take are only limited by the programmer’s imagination. A common trick is to conceal the trojan inside a seemingly harmless game. Trojans also come disguised as videos, pictures and even legitimate software packages. In each case, the disguise is something designed to tempt the victim into running it on his or her machine.

Cyber-crooks often use viruses, trojans and worms together. They design a trojan that ‘drops’ a virus or worm onto the victim’s computer, thus initiating a brand new infection. This virus or worm is usually called the ‘payload’ of the trojan. Trojans also drop spyware, a type of malware that I will explain next.

Spyware

The primary function of spyware is to snoop on a user’s activity and send the information it gathers back to a hacker. Spyware does not have any infection mechanisms of its own. It is usually dropped by trojans (and also by viruses and worms). Once dropped, it installs itself on the victim’s computer and sits there silently to avoid detection.

Once spyware is successfully installed it will begin collecting information. It is very common for spyware to log all the keys that the user types. This type of spyware is called a keylogger and can capture interesting information such as user names, passwords, credit card numbers and email addresses. Keyloggers capture every keystroke, so entire emails, documents and chats can be read by the malicious hacker.

There are more sophisticated forms of spyware that hook themselves to the network interface and siphon off all network data that enters or leaves the infected computer. This allows the hacker to capture entire network sessions, giving them access to files, digital certificates, encryption keys and other sensitive information.

Zombies

A zombie works in a similar way to spyware. The infection mechanisms remain the same, but the scope is different. A zombie does not usually collect information from the computer. Instead, it just sits there waiting for commands from the hacker. At times, hackers can infect tens of thousands of computers, turning them into zombie machines. Each of these machines is now at the disposal of the hacker, who usually issues commands so that all of them instantaneously send network requests to a target host, overwhelming it with traffic. This is called a distributed denial of service attack and is usually successful, even against the largest Internet organizations.
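A defender's view of the flood just described, as an added example that is not part of the original article: the script below buckets web-server access-log lines by second and separates a burst that arrives from many distinct sources (the distributed pattern a zombie network produces) from a burst that arrives from a single source. The log lines, the documentation address ranges and the thresholds are constructed for illustration; a real detector would work over longer windows and compare against a baseline of the site's normal traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log in Common Log Format (invented for this example,
# using documentation address ranges; this is not captured traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2010:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2010:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 733
198.51.100.1 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.3 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.5 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.6 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.8 - - [10/Oct/2010:13:55:40 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Oct/2010:13:55:41 +0000] "GET / HTTP/1.1" 200 512
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (source_ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("ts")


def bucket_by_second(log_text):
    """Group requests by their timestamp: {timestamp: {source_ip: request_count}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsable lines are skipped rather than crashing the detector
        src, ts = parsed
        buckets[ts][src] += 1
    return buckets


def classify_bursts(log_text, req_threshold=6, src_threshold=5):
    """For every second with at least req_threshold requests, report
    (timestamp, total_requests, distinct_sources, kind), where kind is
    'distributed' when the requests come from src_threshold or more sources
    and 'single-source' otherwise. Thresholds are illustrative."""
    buckets = bucket_by_second(log_text)
    findings = []
    # Lexical order equals chronological order within one day for this format.
    for ts in sorted(buckets):
        total = sum(buckets[ts].values())
        distinct = len(buckets[ts])
        if total < req_threshold:
            continue
        kind = "distributed" if distinct >= src_threshold else "single-source"
        findings.append((ts, total, distinct, kind))
    return findings


if __name__ == "__main__":
    for ts, total, distinct, kind in classify_bursts(SAMPLE_LOG):
        print(f"{ts}: {total} requests from {distinct} source(s) -> {kind}")
```

The distinction matters for response: a single-source burst can be rate-limited or blocked at the edge, while a distributed one from thousands of zombies cannot be handled by blocking addresses and instead calls for upstream filtering or absorbing capacity.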

Infected Websites

Recently security experts have noticed a new and scary trend in malware – website infections. When a website is infected, all the visitors to that particular website can potentially catch the bug and further spread the malware. Websites are very vulnerable because they are much more exposed than normal users: they are directly connected to the world wide web, they continuously serve content to anonymous users, and they process many requests, some of which might be malicious. New malware has now emerged that takes advantage of bugs in frameworks and their plug-ins; popular frameworks like WordPress and Joomla have vulnerabilities that allow them to be exploited and used as virus-serving mechanisms. Sometimes malware does not infect a website automatically, but a hacker breaks into the site and implants the malware manually. The hacker's reasons for doing so are explained in detail in the next sections.

If your website gets infected the damage can be devastating. Your website can be restored, but the trust of your users and customers can easily be destroyed. Furthermore, if you are discovered serving malware your site will be blacklisted in hundreds of blacklists worldwide. Removing yourself from these blacklists is a very lengthy and difficult task, so even after you have cleaned the virus, the damage will continue to linger for a long time.
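Both the virus section (a file infector survives by keeping its changes unnoticed) and this section (malware implanted on a website) come down to the same defensive question: do the files on disk still match what they should be? The usual answer is a baseline of cryptographic hashes taken while the system is known clean, compared later against the current state. The following is an added example, not code from the article; the PHP file names and the appended bytes are constructed stand-ins for a website document root and an unwanted change, and in practice the baseline would be stored off the host so that malware cannot rewrite it.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in chunks so large files do not need to fit in memory


def sha256_file(path):
    """Hex SHA-256 digest of one file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest and size."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def compare_to_baseline(root, baseline):
    """Report files whose content changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    modified = sorted(
        p for p in baseline
        if p in current and current[p]["sha256"] != baseline[p]["sha256"]
    )
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a small constructed site tree, baseline it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "util.php").write_bytes(b"<?php function f() {} ?>\n")

        # Round-trip the baseline through JSON, as a tool keeping it off-host would.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Constructed changes standing in for an infection: extra bytes appended to
        # an existing file, and one file that was never part of the deployment.
        with open(root / "index.php", "ab") as f:
            f.write(b"// appended bytes (simulated change)\n")
        (root / "lib" / "extra.php").write_bytes(b"<?php /* unexpected new file */ ?>\n")

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats apply. A baseline only detects changes made after it was taken, so anything already present is silently trusted; and a stealthy infection that hides files from the operating system will not show up in a scan run on the compromised host itself, which is why such checks are most trustworthy when run from clean media or against a copy of the files.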

Why is malware written?

The answer to the “what is malware?” question cannot be complete without exploring the ‘why’ of its creation. By now, you should have a pretty clear idea of what type of damage can be done as a result of malware, but you might be wondering – why do programmers create malware in the first place?

Student Hackers and Cyber-crooks

In the early days of software, programmers wrote malware mostly to prank one another, or to show off their technical skills. These programmers, who were usually students, had a great sense of humor but did not have much business sense. These students eventually graduated and got jobs. Their new motivation was now money, and how to make more of it using their skills. Some of these programmers learned that they could make thousands of dollars a day if they successfully exploited malware to their advantage.

These people went on to become cyber-crooks, defrauding individuals and organizations for financial gain. These criminals steal personal banking information to transfer money out of users’ bank accounts and into their own. They also launch distributed denial of service attacks against corporations and ask for money in exchange for an end to the attack.

Cyber-activism and cyber-war

Worms, zombies and distributed denial of service attacks are a good way to inflict mass damage on a global scale and are therefore very appealing to cyber-activists. These people want to get a message across and are ready to do so by any means necessary, including writing malware that causes damage, gets them noticed, and lets them announce their messages and beliefs to a large audience.

Governments are also part of the game. A cyber-war between countries is raging. Some countries, such as China, Syria and America, are rumored to sponsor cyber-gangs whose only purpose is to research and develop new malware techniques capable of infiltrating government agencies and infrastructures. Malware has recently been spotted in the wild that was designed to infect SCADA systems with the aim of shutting down nuclear reactors. Some reports suggest that this worm, which might have been created by the Americans, was successful in shutting down several Iranian nuclear power plant coolers.

How bad is the problem?

The malware problem is huge and is growing fast. By the end of 2010 the counter for unique malware programs stood at 14 million, with a staggering 60,000 pieces of new malicious code detected every day. Recently a worm called Koobface — which targeted people on social networks — netted its creators over 2 million dollars in just 12 months. Another worm, Mariposa, is said to have created the biggest network of zombie machines in the world. Experts could never determine its exact size, but estimated that over 12 million computers were infected. This worm dropped spyware capable of stealing sensitive information from victims, such as bank account numbers and credit card details. All this was created by a single hacker in Spain who fortunately made a mistake which exposed him and got him arrested.

The industry is fighting back. Numerous security solutions are available from many vendors that help stop malware infections. The threat, however, is a moving target. Hackers keep finding new ways to write bigger and better malware; the incentives are all there, and the ongoing war is showing no signs of slowing down.