What is Malware?
Malware is software designed to gain illegal access to data stored on a computer in order to harm the owner of the data or of the computer.
With the appearance of the first viruses and, correspondingly, the first antiviruses, a very simple classification was used, consisting of the virus name and its size. This caused difficulties, however, because different antiviruses gave different names to the same virus. There were several attempts to create a universal classification, but the growing number of new viruses made this task extremely difficult.
Every company developing antivirus software has its own malware classification. Nominally, however, malware can be classified according to:
a) malicious payload
This includes:
- interfering with the computer's operation, from wiping data to crippling hardware;
- blocking antivirus sites and software;
- installing other malicious software, either downloaded from the Internet or carried inside the file itself;
- theft, blackmail and spying on the user, including:
  - theft of valuable data;
  - theft of accounts (email, game servers, payment systems), which are then used for sending spam;
  - locking the computer or encrypting its data in order to extort money;
  - using the modem to make expensive phone calls;
  - posing as paid software that is in fact useless;
- other illegal actions, such as:
  - obtaining unauthorized access to the computer's resources or administering the computer;
  - setting up publicly accessible proxy servers on the computer;
  - using the infected computer for DDoS attacks;
  - harvesting email addresses and sending spam;
- programs that are not strictly malicious but degrade the computer's operation:
  - perform actions that interfere with the user's work;
  - show advertising;
  - send information to the Internet without the user's involvement;
  - so-called "poisoned" documents that make the computer unstable;
  - hide other malicious software;
  - install various add-ins;
b) reproduction method:
- computer virus: copies itself on the same computer or onto removable disks. Infection can also take place over the Internet if a user uploads such a file or opens access to an infected disk;
- Trojan horse: has no ability to reproduce itself;
- network worm: copies itself across the Internet on its own;
- logic bomb: distributed along with a useful program that serves as its carrier; it starts acting only when certain actions are performed;
- exploit: a perfectly harmless-looking set of data (or a program generating such data) which is nevertheless misinterpreted by the program that processes it. Errors occur, and as a result that program behaves incorrectly.
The symptoms of infection can vary greatly:
- unknown windows open automatically when a program starts;
- access to antivirus web sites is blocked;
- previously unknown processes appear in Windows Task Manager;
- new entries are created in the Autorun registry keys;
- computer settings cannot be changed even from an Administrator account;
- an error message appears when attempting to run an EXE file;
- pop-up windows or system notifications display unknown web addresses or names;
- programs shut down unexpectedly;
- the computer turns off at random.
Note that the absence of these symptoms does not guarantee that your computer is not infected.
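Two of the symptoms above (new Autorun entries and previously unknown processes) can be checked mechanically by comparing a saved baseline with a current snapshot. The script below is an added example, not part of the original article: it parses constructed `reg export`-style dumps of a Run key, diffs them against a baseline, flags any new entry that launches from a user-writable folder, and diffs two constructed process-name lists. The folder heuristic and all sample data are assumptions made up for the example; on a real machine the snapshots would come from the registry and Task Manager.

```python
import re

# Constructed sample dumps in `reg export` style (backslashes doubled); not taken from a real machine.
BASELINE_RUN = r'''
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''
CURRENT_RUN = r'''
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe -s"
'''
# Constructed process-name snapshots standing in for two Task Manager readings.
BASELINE_PROCS = {"explorer.exe", "svchost.exe", "OneDrive.exe"}
CURRENT_PROCS = {"explorer.exe", "svchost.exe", "OneDrive.exe", "wscript.exe"}

ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Folders an ordinary user can write to; legitimate autoruns rarely launch from here (assumed heuristic).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\public\\")

def parse_run_key(dump: str) -> dict[str, str]:
    """Turn "Name"="command" lines into {name: command}, undoing the doubled backslashes."""
    entries = {}
    for line in dump.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def in_user_writable_dir(command: str) -> bool:
    """Heuristic: does the autorun command launch something from a user-writable folder?"""
    return any(d in command.lower() for d in USER_WRITABLE_DIRS)

def new_autoruns(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, bool]]:
    """Entries that are new or whose command changed, each tagged with the location heuristic."""
    return [(n, c, in_user_writable_dir(c)) for n, c in current.items() if baseline.get(n) != c]

def new_processes(baseline: set[str], current: set[str]) -> set[str]:
    """Process names present now but absent from the baseline (case-insensitive)."""
    return {p.lower() for p in current} - {p.lower() for p in baseline}

def report() -> list[str]:
    """Human-readable findings for the two snapshots above."""
    findings = []
    for name, cmd, suspicious in new_autoruns(parse_run_key(BASELINE_RUN), parse_run_key(CURRENT_RUN)):
        findings.append(f"new autorun: {name} -> {cmd}" + (" [user-writable folder]" if suspicious else ""))
    for proc in sorted(new_processes(BASELINE_PROCS, CURRENT_PROCS)):
        findings.append(f"new process: {proc}")
    return findings
```

Call `report()` to list the findings; a clean baseline produces an empty list, which is the only result worth ignoring.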
A Trojan program (Trojan, Trojan horse) is a malicious program spread by people and created for illegal activities, such as blocking, deleting, modifying, copying and transferring data.
The name "Trojan" comes from the ancient Greek myth about the wooden horse that caused the fall of Troy. The Danai, having been at war with the Trojans for many years, resorted to cunning: they built a wooden horse with a hollow belly and hid inside it. The Trojans dragged the horse into the city. At night the Greeks climbed out of the horse, opened the city gate and let their companions in. As a result Troy was conquered.
As a rule, Trojan programs work on the same principle. They masquerade as useful software and wait for a user to launch them. These are the simplest malicious programs; their complexity depends solely on the complexity of the task and of the masquerading method. The simplest examples have just a couple of lines of source code.
Trojans can be placed directly onto a computer system, uploaded to open (indexable) resources and data carriers, or sent by email, exploiting weaknesses in the computer's security.
There are various masquerading methods: imitating the icon and title of an existing (or non-existent) program, a part of a program, a file, and so on. This is done to hide from the user and from the system as a whole. A Trojan program can also partially or even fully perform the function of the program it is masquerading as.
A network worm is a kind of malware able to spread across computer networks on its own. The first experiments took place in 1978 at the Xerox research centre. The most famous worm, known as the Morris worm, was written in 1988. It infected over 10 percent of all computers connected to the Internet at that time.
Distribution mechanisms (often referred to as attack vectors) can be divided into two categories for convenience:
- exploiting errors and vulnerabilities in the installed software. For instance, the Morris worm could guess passwords using a dictionary attack, and Conficker used Windows vulnerabilities. Such worms spread and attack computers independently of any user action;
- provoking a user into launching a harmful program. Here all the principles of social engineering are used, i.e. manipulating people without applying any technical means. This method is used in social networks and in various bulk emailings.
The structure of network worms varies. For example, there are resident worms that infect a running program and live only in the computer's main memory, avoiding the hard drives. They cannot be loaded from disk and use only those dynamic libraries already loaded by other programs. Such a worm consists mainly of its "infectious" part, i.e. an exploit plus a small payload residing entirely in main memory.
Other worms save their code to the hard drive after infecting memory, so they keep running even after a reboot. The "infectious" part of these worms also contains an exploit and a payload, which downloads the worm body as a separate file over the network. The downloaded body can then scan and continue spreading across the system, or carry a more serious payload (for instance, the capability to take part in a DDoS attack).
However, the majority of worms are distributed as a single file without being split into an "infectious" part, because as a rule the user downloads the whole worm and launches it. The payload may include data corruption, changes to web pages, spam mailing, etc.
A separate subclass of this malware is the multiple-vector worm. It uses several spreading mechanisms and damages data files.
A logic bomb is activated under certain specified conditions in order to perform unauthorized actions; as a rule this means gaining unauthorized access to information, distorting it, or wiping it. Code with unpredictable consequences also belongs to this type.