Malware, short for malicious software, is software designed to infiltrate or damage a computer system
without the owner's informed consent. The expression is a general term used by computer professionals
to mean a variety of forms of hostile, intrusive, or annoying software or program code.
The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including
true viruses. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software.
Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the
World Wide Web. The prevalence of malware as a vehicle for organized Internet crime, along with the general
inability of traditional anti-malware protection platforms to protect against the continuous stream of unique and
newly produced professional malware, has seen the adoption of a new mindset for businesses operating on the
Internet - the acknowledgment that some sizable percentage of Internet customers will always be infected for
some reason or other, and that they need to continue doing business with infected customers. The result is a
greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.
PUPs
A PUP (potentially unwanted program) is a program that may be unwanted, despite the possibility that users
consented to download it. PUPs include spyware, adware, and dialers, and are often downloaded in conjunction
with a program that the user wants.
Rogue
Rogue security software is a form of computer malware that deceives or misleads users into
paying for the fake or simulated removal of malware.
Rogue security software mainly relies on social engineering in order to defeat the security built
into modern operating system and browser software and install itself onto victims' computers.
Most have a Trojan horse component, which users are misled into installing. The Trojan may be
disguised as:
1. A browser plug-in or extension
2. An image, screensaver or archive file attached to an e-mail message
3. Multimedia codec required to play a certain video clip
4. Software shared on peer-to-peer networks
5. A free online malware scanning service
Some rogue security software, however, infects users' computers as drive-by downloads, which
exploit security vulnerabilities in web browsers or e-mail clients to install themselves without
any manual interaction.
Once installed, the rogue security software may then attempt to entice the user into purchasing
a service or additional software by:
1. Alerting the user with the fake or simulated detection of malware or pornography.
2. Displaying an animation simulating a fake system crash and reboot.
3. Disabling parts of the system to prevent the user from uninstalling it.
4. Preventing anti-malware programs from running and blocking access to anti-malware software downloads.
5. Installing actual malware onto the computer, then alerting the user after "detecting" it.
Some rogue security software overlaps in function with scareware by also:
1. Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.
2. Scaring the user with authentic-looking pop-up warnings and security alerts that mimic actual system notices.
Rootkit
A rootkit is a software system that consists of a program or combination of several programs
designed to hide or obscure the fact that a system has been compromised.
A rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their
presence on the system through subversion or evasion of standard operating system security scans and
surveillance mechanisms such as anti-virus or anti-spyware scans. Often, they are Trojans as well, thus
fooling users into believing they are safe to run on their systems.
Rootkits may also install a "back door" in a system by replacing the login mechanism with an executable
that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless
of the changes to the actual accounts on the system.
A successfully-installed rootkit allows unauthorized users to maintain access as system administrators,
and thus to take and keep full control of the "rootkitted" or "rooted" system.
Rootkits are hard to detect with common antivirus programs and therefore a complete scan of the system
is necessary. Rootkits are normally used in conjunction with other malicious programs as a means to keep
them undetectable from the eyes of the user and antivirus scans.
It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this
is that they make it possible to hide malware from PC users and antivirus programs.
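The section above describes a rootkit replacing the login mechanism with a modified executable. The standard defensive counter is a file-integrity baseline: hash known-good system binaries, store the hashes off the host, and periodically compare. The following is an added example written for this page, not code from the original text; it constructs fake "login", "passwd" and "sshd" files in a temporary directory (constructed bytes, not real binaries) so it runs offline, and then simulates a replaced login binary and a deleted file to show what the check reports.

```python
"""Added example: a minimal file-integrity baseline check, the kind of
control that catches a replaced login binary or other tampered system file.
All paths and file contents below are constructed in a temporary directory;
on a real host the baseline would be taken from a known-good image and kept
off-box, because a rootkit with administrator rights can also edit a baseline
stored on the same disk it hides on."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream-hash a file so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the current SHA-256 of each path: {path: hexdigest}."""
    return {p: sha256_of(p) for p in paths}


def check_against_baseline(baseline):
    """Compare the live filesystem to the baseline.

    Returns {path: 'ok' | 'modified' | 'missing'}.  'missing' matters as much
    as 'modified': removing a file such as a networking DLL, as the spyware
    section of this page notes, also breaks normal system operation."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
        else:
            findings[path] = "ok"
    return findings


def demo():
    """Construct three fake system files, baseline them, then simulate tampering.

    Returns the findings keyed by file name, e.g.
    {'login': 'modified', 'passwd': 'ok', 'sshd': 'missing'}."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "login": b"genuine login program (constructed bytes)",
            "passwd": b"genuine passwd program (constructed bytes)",
            "sshd": b"genuine sshd program (constructed bytes)",
        }
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)

        baseline = build_baseline(list(paths.values()))

        # Simulate what the rootkit section describes: the login binary is
        # swapped for a different executable (constructed bytes again).
        with open(paths["login"], "wb") as f:
            f.write(b"replaced login program (constructed bytes)")
        # Simulate a deleted system file.
        os.remove(paths["sshd"])

        findings = check_against_baseline(baseline)
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Because the baseline and the check live in separate functions, the same `check_against_baseline` can be pointed at a baseline loaded from read-only media or a remote store, which is where a production version should keep it.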
Spyware
Spyware is a type of malware that is installed surreptitiously on personal computers to collect information
about users, their computer or browsing habits without their informed consent.
While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware
extend well beyond simple monitoring. Spyware programs can collect various types of personal information,
such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the
computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware
is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss
of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more
formal classification of its included software types is captured under the term privacy-invasive software.
Malicious websites attempt to install spyware on readers' computers. Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
Most spyware is installed without users' knowledge. Since users tend not to install software if they know that it will
disrupt their working environment and compromise their privacy, spyware deceives them, either by piggybacking on
a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software.
The distributor of spyware usually presents the program as a useful utility—for instance as a "Web accelerator" or as
a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search,
e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products
you love and help you save money! Best of all, he's FREE!
Spyware can also come bundled with shareware or other downloadable software. The user downloads a program
and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm,
the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent
unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires
a user action, such as clicking on a link. However, links can prove deceptive. For instance, a pop-up ad may appear
like a standard Windows dialog box. The box contains a message such as:
"Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system through security holes in the Web browser or in other software.
When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks
the browser and forces the download and installation of spyware. Spyware authors of this kind typically also have
extensive knowledge of commercially available anti-virus and firewall software. This has become known as a
"drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target
security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.
The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have
made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an
obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the
form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to
install spyware that put pornographic pop-ups on the infected system's screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.
Effects and behaviors
A spyware program is rarely alone on a computer: an affected machine usually has multiple infections.
Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation
can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware that interferes with networking
software commonly causes difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.
Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer that slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each other's products.
Some other types of spyware use rootkit-like techniques to prevent detection, and thus removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.
A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights).
However, as this is not a default configuration, few users do this.
In Windows Vista, by default, a computer administrator runs everything with limited user privileges. When a program requires administrative privileges, Vista will prompt the user with an allow/deny pop-up (see User Account Control). This improves on the design used by previous versions of Windows.
Trojan
A Trojan horse, or trojan for short, is a term used to describe malware that appears, to the user,
to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
The term comes from the Trojan Horse story in Greek mythology. Trojan horses are not self-replicating, which distinguishes them from viruses and worms. Additionally, they require interaction with a hacker to fulfil their purpose.
The hacker need not be the individual responsible for distributing the Trojan horse. It is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed.
Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has
been installed on a target computer system, it is possible for a hacker to access it remotely and perform operations.
The type of operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse itself.
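A Trojan that offers remote access has to listen on, or connect out from, a port, which is exactly what the port-scanning attackers mentioned above look for. From the defender's side the same fact gives a cheap detection: enumerate listening sockets and compare them against an allowlist of the services a host is supposed to run. The example below is added for this page and is not part of the original text. It parses a small, constructed sample formatted like the output of Linux `ss -ltnp` (the entry for `photo_viewer` on port 5555 is invented to stand in for a Trojan's listener) and reports listeners that are not on the allowlist, noting separately whether each is bound to all interfaces.

```python
"""Added example: flag listening sockets that are not on a host's allowlist.
The SAMPLE text is constructed to look like `ss -ltnp` output on Linux; the
process names, PIDs and the 'photo_viewer' listener on port 5555 are invented
for the demonstration.  The regular expression is written for that format and
would need adjusting for other tools (netstat, Get-NetTCPConnection)."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port proc pid")

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, users:(("name",pid=N,fd=M))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

# Constructed sample, not captured from a real host.
SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:631     0.0.0.0:*    users:(("cupsd",pid=901,fd=7))
LISTEN 0      128    [::]:22           [::]:*       users:(("sshd",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:5555      0.0.0.0:*    users:(("photo_viewer",pid=4412,fd=5))
"""

# What this (hypothetical) host is allowed to expose: (port, process name).
ALLOWLIST = {(22, "sshd"), (631, "cupsd")}

ALL_INTERFACES = {"0.0.0.0", "[::]", "*"}


def parse_listeners(text):
    """Turn ss-style lines into Listener records; header and non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Listener(m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return out


def unexpected_listeners(listeners, allowlist):
    """Return listeners whose (port, process) pair is not on the allowlist."""
    return [l for l in listeners if (l.port, l.proc) not in allowlist]


def describe(listener):
    """Severity note: a listener on all interfaces is reachable by a remote port scan,
    a loopback-only listener is not."""
    exposure = "exposed to the network" if listener.addr in ALL_INTERFACES else "loopback only"
    return f"port {listener.port} ({listener.proc}, pid {listener.pid}): not on allowlist, {exposure}"


def audit(text=SAMPLE, allowlist=ALLOWLIST):
    """Full check: parse, filter, describe.  Returns a list of finding strings."""
    return [describe(l) for l in unexpected_listeners(parse_listeners(text), allowlist)]


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The allowlist is keyed on both port and process name on purpose: a Trojan that takes over port 22 under a different process name, or that names itself `sshd` on an unexpected port, still shows up. Matching on the executable's path or hash as well would tighten it further.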
Operations which could be performed by a hacker on a target computer system include:
1. Use of the machine as part of a Botnet (e.g. to perform Distributed Denial-of-service (DDoS) attacks)
2. Data Theft (e.g. passwords, security codes, credit card information)
3. Installation of software (including other malware)
4. Downloading of files
5. Uploading of files
6. Deletion of files
7. Modification of files
8. Keystroke logging
9. Viewing the user's screen
How They Get Installed:
1. Software downloads: A Trojan horse included as part of a software application downloaded from file
sharing networks
2. Websites containing executable content: A Trojan horse in the form of an ActiveX control or e-mail attachments
3. Application exploits: Flaws in a web browser, media player, messaging client or other software which can be
exploited to allow installation of a Trojan horse
4. Social engineering: A hacker tricking a user into installing a Trojan horse by communicating with them directly
Additionally, there have been reports of compilers which are themselves Trojan horses. In addition to compiling code to executable form they also insert code into the output executables which cause them to become Trojan horses. This is still distinct from self-replication as the process is not automatic.
Worm
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to
other computers on the network and it may do so without any user intervention. Unlike a virus,
it does not need to attach itself to an existing program. Worms almost always cause at least some harm to
the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a
targeted computer.
Many worms that have been created are only designed to spread, and don't attempt to alter the systems they
pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended
effects can often cause major disruption.
A "payload" is code designed to do more than spread the worm - it might delete files on a host system,
encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms
is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the
worm author - Sobig and Mydoom are examples which created zombies. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding for the creation of such worms, and the worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.
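The section above makes two points that together give a network-side detection: a worm sends copies of itself to other computers without user intervention, and it harms the network by consuming bandwidth even when its payload is harmless. A single host contacting many distinct addresses on the same port in a short window is the signature of that spreading behaviour, and is how the Morris worm's and Mydoom's traffic stood out. The following added example (written for this page, not from the original text) runs a sliding-window fan-out detector over a constructed flow log containing a worm-like host, a normal host, and a slow host that touches many machines but never enough within the window to trip the alert.

```python
"""Added example: detect worm-like propagation from flow records.
A flow record here is the constructed line format 'timestamp src dst dport proto';
the hosts, addresses and timings are invented.  Real NetFlow/IPFIX or firewall
logs would be mapped onto the same five fields before calling detect_fanout."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # how far back to look per (source, destination port)
THRESHOLD = 20        # distinct destinations within the window that trigger an alert


def build_sample():
    """Construct a flow log (not captured traffic) with three behaviours:
    - 10.0.0.5 hits 25 distinct hosts on tcp/445 within 25 seconds (worm-like)
    - 10.0.0.8 talks to 3 hosts on tcp/443 (normal browsing)
    - 10.0.0.9 hits 25 distinct hosts on tcp/22, but one every 10 seconds,
      so no 60-second window ever holds more than 7 of them."""
    base = 1700000000
    lines = []
    for i in range(25):
        lines.append(f"{base + i} 10.0.0.5 10.0.0.{100 + i} 445 tcp")
    for i in range(3):
        lines.append(f"{base + 5 + i} 10.0.0.8 10.0.0.{50 + i} 443 tcp")
    for i in range(25):
        lines.append(f"{base + 10 * i} 10.0.0.9 10.0.0.{150 + i} 22 tcp")
    return "\n".join(lines) + "\n"


def parse_flows(text):
    """Parse 'ts src dst dport proto' lines into tuples, sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return sorted(flows)


def detect_fanout(flows, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window fan-out detection.

    For each (source, destination port) keep the flows from the last `window`
    seconds and count the distinct destinations among them.  The first time a
    pair reaches `threshold` distinct destinations, emit one alert as
    (timestamp, src, dport, distinct_count).  Alerting once per pair keeps a
    noisy worm from producing one alert per packet."""
    recent = defaultdict(deque)     # (src, dport) -> deque of (ts, dst), oldest first
    alerted = set()
    alerts = []
    for ts, src, dst, dport, _proto in flows:
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:
            q.popleft()             # drop flows that fell out of the window
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dport, len(distinct)))
    return alerts


if __name__ == "__main__":
    for ts, src, dport, n in detect_fanout(parse_flows(build_sample())):
        print(f"t={ts}: {src} reached {n} distinct hosts on port {dport} within {WINDOW_SECONDS}s")
```

The threshold and window are the tuning knobs: mail relays, monitoring servers and vulnerability scanners legitimately fan out and need either an exclusion list or a per-host baseline, while a slower worm needs a longer window to be caught. Counting distinct destinations rather than raw packets is what keeps a busy but normal client, repeatedly contacting the same few servers, from alerting.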