3. Malware Forms
Malware has been evolving into more and more insidious forms ever since its creation as a virus in the 1970s. These malware forms fall into one or more of the malware categories described in the previous chapter.
The first form of malware, the computer virus, is a piece of code designed to replicate by attaching itself to a host program. This behaviour of attaching itself to another file is what distinguishes a virus from other malware. A virus also requires some type of user interaction, such as running an infected program or opening an infected file. Once a virus is executed it will attempt to spread to other files. Viruses do not rely on system vulnerabilities to spread; instead they rely on functionality that is commonly used by other, non-malicious software.
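A virus that attaches itself to a host program necessarily changes that program's bytes on disk, and that change is what file-integrity baselining detects. The following Python script is an added example written for this chapter, not code from the original text: it records a size and SHA-256 baseline for every regular file under a directory, re-scans later, and reports which files were modified, added or removed. The demo() function builds a throwaway directory containing a stand-in "program" file and appends bytes to it to simulate a host file being altered; the directory layout, file names and appended bytes are all constructed for the demonstration. The same comparison also catches the trojaned copies of system binaries that the rootkit paragraph later in this chapter describes, provided the baseline itself is stored where the malware cannot rewrite it.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path, '/' separated) to (size, sha256)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks and special files are skipped: their targets are baselined on their own.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (os.path.getsize(full), sha256_of(full))
    return baseline


def compare(baseline, current):
    """Return sorted lists of paths that changed, appeared, or disappeared since the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario (not a real program or infection): baseline a fake binary,
    append bytes to it the way a file-infecting virus would grow its host, and drop a
    new file beside it, then report what the comparison sees."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "bin", "tool")
        os.makedirs(os.path.dirname(prog))
        with open(prog, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 60 + b"original program body")  # constructed stand-in
        before = build_baseline(root)

        with open(prog, "ab") as fh:
            fh.write(b"APPENDED BYTES STANDING IN FOR AN INFECTION")  # constructed
        with open(os.path.join(root, "bin", "dropped"), "wb") as fh:
            fh.write(b"constructed new file")

        return compare(before, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

The baseline only proves that a file changed, not what changed it; a legitimate update produces the same signal, so in practice the stored baseline is refreshed after each trusted install and kept on read-only or signed storage so that the malware cannot simply rewrite it to match.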
Worms are often confused with viruses since they self-replicate like viruses. There are, however, a number of distinctions that separate worms from viruses and other malware. Worms are stand-alone applications that do not attach to or infect another file. Worms typically do not rely on a user executing a program; instead they rely on vulnerabilities in software to allow them to spread. Worms typically spread across networks without user intervention.
Trojan horse software operates differently than advertised. Typically, a Trojan will be advertised as a useful tool, such as a browser plug-in, but carry additional unwanted malicious code with it. The malicious code may damage the system or open a back door that an attacker can use later to attack the system. Trojan horse applications do not self-replicate. A sub-form of Trojan horse is known as a Remote Administration Trojan (RAT). A RAT has the same characteristics as other Trojan horse programs but specifically allows control of the system by an outsider. RATs are often installed by exploiting security vulnerabilities in the operating system or web browser when visiting infected web sites.
A keystroke logger, as the name suggests, records keystrokes on the target system, which can then be sent remotely to someone other than the computer’s user. This type of malware may overlap with any of the previously mentioned types of malware. Keystroke loggers may steal data such as passwords, financial data or any other data entered through the keyboard.
Browser hijackers change a browser’s settings. This is often an attempt to increase the number of hits to the publisher’s web site or to re-route browser requests through the hijacker’s proxy server. Browser hijackers can also be used to gather information about the user without their consent. Finally, browser hijackers may change the user’s search functionality within their browser. In short, they can take total control of the browser for malicious purposes.
Spyware is broadly defined as any software that collects, subverts and reports information about a user to a remote attacker without the user’s knowledge.
Adware is often associated with spyware because both types of software have similarities in function and purpose, but they are not the same thing. At its simplest, adware is software that is advertiser supported. The problem with adware is that some of it crosses a line and transforms from advertiser-sponsored software into spyware. What makes malicious adware distinct from other forms of malware is that it is advertiser driven. Adware may monitor a user’s web browsing habits and report them to a central database, or force advertising on the user based on those habits. Some adware may change the way the browser works or change default browser settings; specifically, adware may change the user’s home page or search settings. Some adware will initiate pop-up advertising on the infected computer. A common form of adware that can be malicious or benign is the browser plug-in. Plug-ins are software that extend or change the functionality of a web browser. Most adware plug-ins consist of search toolbars.
Bundleware is simply software bundled with other legitimate software. Bundleware is a common source of both spyware and adware. Bundleware will often disclose the inclusion of malware in the EULA, but this is not a guarantee. In some cases, bundled software may be installed without any agreement from the end user or warning about what will be installed. Even if the EULA discloses the bundled software, it may do so in a confusing or overly broad manner.
A blended threat is malware that uses multiple attack vectors to install itself. Unlike some other forms of attack, blended threats do not require any interaction on the part of the end user. Blended threats specifically look for security weaknesses as a way of spreading. While many forms of malware rely on an end user running or installing malicious software, a blended threat takes attack code for known software vulnerabilities and includes it in an automated malware attack. Blending attack methods makes this type of malware a very efficient spreader. Code Red and Nimda were extremely efficient examples of blended threat malware.
This malware form, rogue software, is a wolf in sheep’s clothing. These are fake programs that claim they can remove malicious files and restore computer performance. In many of these situations, the user is browsing a site and gets a notification that they are infected with some form of malware. While there may be malware on the system, rogue programs do not detect actual instances of malware. Instead they make false claims; in some cases they run a fake scan that takes only one or two seconds and then display a message stating that hundreds of malicious items have been found infecting the system. The user is then directed to download and purchase a program. While there are programs that are inefficient or very mediocre at removing malware, rogue programs do not even attempt to remove malware or improve system performance. In some cases they display more annoying advertisements or download more malware onto the system. Rogue software programs are very difficult to remove from the system.
The shortest definition of a rootkit is software that allows an attacker to mask his presence on a system while allowing the attacker access to the system at a later time. The term rootkit originally referred to a collection of tools used to gain and keep administrative access on UNIX systems. These tools usually included trojaned or modified copies of important system binaries, altered to hide the actions of an unauthorized user from the system administrators. With Microsoft Windows, rootkits have a narrower definition. Rootkits in Windows refer to programs that use system hooking or modification to hide files, processes, registry keys and other objects, in order to hide programs and behaviours. In particular, Windows rootkits do not necessarily include any functionality to gain administrative privileges; in fact, many Windows rootkits require administrative privileges to even function. They are known as the most sinister of all malware due to their stealth. They make their presence invisible to the operating system as well as to most of the anti-malware products available on the market. As a result, other forms of malware make use of rootkits to remain hidden and carry out the malicious tasks they are intended for. Once installed, rootkits can:
1) Hide processes.
2) Hide files and their contents.
3) Hide registry keys and their contents.
4) Hide open ports and communication channels.
5) Capture keyboard strokes (keylogger).
6) Sniff passwords in a local area network.
Rootkits can be broken down into two major categories:
1) User mode rootkits.
2) Kernel mode rootkits.
Kernel mode rootkits are much more difficult to create, as well as to detect, than user mode rootkits.
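Hiding a process from the tools that list processes, item 1 in the list above, leaves exactly the gap that cross-view detection looks for. The script below is an added example for this chapter, not code from the original text or from any tool it names, and it assumes a Linux host: there, ps reads the /proc listing, while kill(pid, 0) asks the kernel whether a process or thread ID exists without delivering any signal. A user mode rootkit that filters the /proc listing by hooking the library calls that read it cannot filter the kernel's answer to the probe, so any ID the probe confirms but neither /proc snapshot shows is a candidate hidden process. The function names are the example's own; the /proc paths and the os.kill behaviour are standard Linux and CPython.

```python
import os
import sys


def visible_task_ids():
    """Tool's-eye view: every process ID and thread ID exposed by the /proc listing.
    Thread IDs are included because kill(tid, 0) succeeds for threads on Linux, so
    leaving them out would flag every thread of every process as 'hidden'."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task") if t.isdigit())
        except OSError:
            pass  # the process exited between the two listdir calls
    return ids


def read_pid_max(default=32768):
    """Upper bound of the probe range; falls back to a constructed default off Linux."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def probed_task_ids(max_pid):
    """Kernel's-eye view: signal 0 delivers nothing, and the kernel reports ESRCH only
    for IDs that do not exist. EPERM means the ID exists but belongs to another user,
    so it still counts as alive. Walking up to pid_max takes a few seconds."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden(visible_before, probed, visible_after):
    """IDs the kernel confirms but neither /proc snapshot shows. Taking the /proc view
    on both sides of the probe filters processes that started or exited during the scan;
    one that both started and exited inside the probe window can still slip through, so
    a candidate is confirmed by rerunning rather than by a single pass."""
    return set(probed) - set(visible_before) - set(visible_after)


if __name__ == "__main__":
    # On Windows, os.kill with any signal other than the console control events
    # terminates the target process, so the probe must never run there.
    if sys.platform != "linux":
        raise SystemExit("this cross-view check relies on Linux /proc and kill(pid, 0)")
    before = visible_task_ids()
    probed = probed_task_ids(read_pid_max())
    after = visible_task_ids()
    hidden = find_hidden(before, probed, after)
    print(f"hidden process candidates: {sorted(hidden) or 'none'}")
```

A kernel mode rootkit that hooks the system calls behind both views returns the same lie to both, which is the practical reason the chapter rates them harder to detect; a cross-view check against such a rootkit has to take its trusted view from outside the running kernel, for example from an offline disk image or a hypervisor.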