ADWARE
 
 
From Wikipedia, the free encyclopedia
 
Adware or advertising-supported software is any software package which automatically plays, displays, or
downloads advertisements to a computer after the software is installed on it or while the application is being used.
Some types of adware are also spyware and can be classified as privacy-invasive software.
Advertising functions are integrated into or bundled with the software, which is often designed to note what Internet
sites the user visits and to present advertising pertinent to the types of goods or services featured there. Adware is
usually seen by the developer as a way to recover development costs, and in some cases it may allow the software to
be provided to the user free of charge or at a reduced price. The income derived from presenting advertisements to the user may allow or motivate the developer to continue to develop, maintain and upgrade the software product. Conversely, the advertisements may be seen by the user as interruptions or annoyances, or as distractions from the task at hand.
 
Some adware is also shareware, and so the word may be used as a term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported.
Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements.
Adware can also download and install spyware.
 
 
 
 
BHO BROWSER HELPER OBJECT

 
 
From Wikipedia, the free encyclopedia
 
A Browser Helper Object (BHO) is a DLL module designed as a plugin for Microsoft's Internet Explorer web browser to provide added functionality.
 
BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded
once by each new instance of Internet Explorer. However, in the case of the Windows Explorer, a new instance is launched for each window.
 
Some modules enable the display of different file formats not ordinarily interpretable by the browser. The Adobe
Acrobat plugin that allows Internet Explorer users to read PDF files within their browser is a BHO.
 
Other modules add toolbars to Internet Explorer, such as the Alexa Toolbar that provides a list of web sites related
to the one you are currently browsing, or the Google Toolbar that adds a toolbar with a Google search box to the browser user interface. 

Concerns
 
The BHO API exposes hooks that allow the BHO to access the Document Object Model (DOM) of the current
page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of malware have also been created as BHOs. For example, the Download.ject malware installs a BHO that
would activate upon detecting a secure HTTP connection to a financial institution, record the user's keystrokes
(intending to capture passwords) and transmit the information to a website used by Russian computer criminals. Other BHOs such as the MyWay Searchbar track users' browsing patterns and pass the information they record to third parties.
 
Many BHOs introduce visible changes to a browser's interface, such as installing toolbars in Internet Explorer and the like, but others run without any change to the interface. This renders it easy for malicious coders to conceal the actions
of their browser add-on, especially since, after being installed, the BHO seldom requires permission before performing further actions. For instance, variants of the ClSpring trojan use BHOs to install scripts to provide a number of instructions to be performed such as adding and deleting registry values and downloading additional executable files,
all completely transparent to the user.
 
In response to the problems associated with BHOs and similar extensions to Internet Explorer, Microsoft debuted an Add-on Manager in Internet Explorer 6 with the release of Service Pack 2 for Windows XP (updating it to IE6
Security Version 1, a.k.a. SP2). This utility displays a list of all installed BHOs, browser extensions and ActiveX controls, and allows the user to enable or disable them at will. There are also free tools (such as BHODemon) that list installed BHOs and allow the user to disable malicious extensions. Spybot S&D has a similar tool built in to allow the user to disable installed BHOs. Many anti-spyware applications also offer the capability to block the download or install of BHOs identified as malicious.
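
The kind of listing the Add-on Manager and tools like BHODemon provide can also be read straight from the registry. The PowerShell below is an added example, not part of the original page: it is read-only, assumes the standard BHO registration key under HKLM, and assumes a 64-bit PowerShell session so that both registry views are visible.

```powershell
# Added example: enumerate registered Browser Helper Objects (read-only).
# Assumption: run from 64-bit PowerShell; a 32-bit session sees only the redirected view.
$bhoSuffix = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$views = @(
    @{ View = 'native'; Bho = "HKLM:\SOFTWARE\$bhoSuffix"
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View = 'WOW64';  Bho = "HKLM:\SOFTWARE\Wow6432Node\$bhoSuffix"
       Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, or nothing when the key is missing.
    if (Test-Path -LiteralPath $KeyPath) {
        (Get-Item -LiteralPath $KeyPath).GetValue('')
    }
}

$report = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }

    # Each subkey of the BHO key is named after the CLSID of one registered BHO.
    foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
        $clsid = $key.PSChildName
        $name  = Get-DefaultValue (Join-Path $v.Clsid $clsid)
        $dll   = Get-DefaultValue (Join-Path $v.Clsid "$clsid\InprocServer32")

        $exists = $false; $sigStatus = 'n/a'; $signer = $null; $company = $null
        if ($dll) {
            # Registry values may be quoted or contain %SystemRoot%-style variables.
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            if (Test-Path -LiteralPath $dll -PathType Leaf) {
                $exists    = $true
                $sig       = Get-AuthenticodeSignature -LiteralPath $dll
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            }
        }

        [pscustomobject]@{
            View            = $v.View
            CLSID           = $clsid
            Name            = $name
            Dll             = $dll
            DllExists       = $exists
            SignatureStatus = $sigStatus
            Signer          = $signer
            Company         = $company
        }
    }
}

# Entries whose DLL is missing, unsigned, or has no readable name are listed first for review.
$report | Sort-Object DllExists, SignatureStatus, Name | Format-List
```

An entry with no resolvable DLL, a signature status other than `Valid`, or a DLL sitting in a user-writable directory is the one to look at first; a valid signature only identifies the publisher and does not by itself mean the add-on is wanted.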
 
 
 
 
 
BROWSER HIJACKER
 
 
From Wikipedia, the free encyclopedia
 
A browser hijacker is a form of malware or spyware that replaces the existing internet browser home page,
error page, or search page with its own. These are generally used to force hits to a particular website.
 
Many people believe that browser hijackers were designed for simple annoyance. Most hijackers redirect a page to force hits to their websites which contain ads. This then drives up the advertising cost for that website, thus profiting
the site's webmaster.
 
Some rogue security software will also hijack the start page generally displaying a message such as "WARNING!
Your computer is infected with spyware!" to lead to an anti-spyware vendor's page. The start page will return to
normal settings once you've bought their software. Programs such as WinFixer are known to hijack the user's start page and redirect it to the website.
 
 
 
 
DIALER
 
 
From Wikipedia, the free encyclopedia
 
Dialers are necessary to connect to the internet (at least for non-broadband connections), but some dialers are
designed to connect to premium-rate numbers.
 
The providers of such dialers often search for security holes that may be present in the operating system installed
on the user's computer and use them to change the computer to dial up through their number, pocketing the additional money for themselves. Alternatively, some dialers inform the user what it is that they are doing, with the promise of special content, accessible only via the special number. Examples of this content include software for download,
(usually illegal) MP3s, 'underground' hacking materials such as viruses, and in the case of at least one website, pornography.
 
The cost of setting up such a service is relatively low, amounting to a few thousand dollars for telecommunications equipment, whereupon the unscrupulous operator will typically take 90% of the cost of a premium rate call, with
very few overheads of their own.
 
Users with DSLs (or similar broadband connections) are usually not affected. A dialer can be downloaded and
installed, but dialing in is not possible as there are no regular phone numbers in the DSL network and users will not typically have their dial-up modem, if any, connected to a phone line. However, if an ISDN adapter or additional
analog modem is installed, the dialer might still be able to get a connection.
 
Installation routes
 
Computers without anti-virus software or proper updates could be vulnerable to Visual Basic scripts which install a
trojan horse which changes values in the Microsoft Windows registry and sets Internet Explorer security settings
in a way that ActiveX controls can be downloaded from the Internet without warning. After this change is made,
when a user accesses a malicious page or email message, it can start installing the dialer. The script also disables the modem speaker and messages that normally come up while dialing into a network.
 
Users of Microsoft Office Outlook, Outlook Express and Internet Explorer are especially affected if running ActiveX controls and JavaScript is allowed and the latest security patches from Microsoft have not been installed.
 
In March 2004, there were malicious dialers that could be installed through nonexistent anti-virus software. E-mail spam from a so-called "AntiVirus Team", for example, contained download links to programs named "downloadtool.exe" or "antivirus.exe", which are malicious dialers. Other ways of transmission include electronic greeting cards that link to pages that trick the user into installing ActiveX controls, which in turn install dialers in the background.
 
Therefore links in spam emails should never be opened, automatically started downloads should be canceled as soon as discovered, and one should check on each dial-up to the Internet to see whether the displayed phone number is unchanged.
 
 
 
 
KEY LOGGER
 
 
From Wikipedia, the free encyclopedia 
 
Keystroke logging (often called keylogging) is the practice of noting (or logging) the keys struck on a keyboard,
typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware- and software-based to electromagnetic and acoustic analysis.

 
MALWARE
 
 
From Wikipedia, the free encyclopedia 
 
Malware, short for malicious software, is software designed to infiltrate or damage a computer system
without the owner's informed consent. The expression is a general term used by computer professionals
to mean a variety of forms of hostile, intrusive, or annoying software or program code.
 
The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including
true viruses. Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. 
 
 
Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the
World Wide Web. The prevalence of malware as a vehicle for organized Internet crime, along with the general
inability of traditional anti-malware protection platforms to protect against the continuous stream of unique and
newly produced professional malware, has seen the adoption of a new mindset for businesses operating on the
Internet - the acknowledgment that some sizable percentage of Internet customers will always be infected for
some reason or other, and that they need to continue doing business with infected customers. The result is a
greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.
 
 
 
PUPS
 
 
A PUP (potentially unwanted program) is a program that may be unwanted, despite the possibility that users
consented to download it. PUPs include spyware, adware, and dialers, and are often downloaded in conjunction
with a program that the user wants.
 
 
 
ROGUE INFECTION
 
 
From Wikipedia, the free encyclopedia 
 
Rogue security software is a form of computer malware that deceives or misleads users into
paying for the fake or simulated removal of malware. 
 
Rogue security software mainly relies on social engineering in order to defeat the security built
into modern operating system and browser software and install itself onto victims' computers.
Most have a Trojan horse component, which users are misled into installing. The Trojan may be
disguised as:

 
1. A browser plug-in or extension
2. An image, screensaver or archive file attached to an e-mail message
3. Multimedia codec required to play a certain video clip
4. Software shared on peer-to-peer networks
5. A free online malware scanning service
 
Some rogue security software, however, infects users' computers as drive-by downloads which
exploit security vulnerabilities in web browsers or e-mail clients to install themselves without
any manual interaction.
 
Once installed, the rogue security software may then attempt to entice the user into purchasing
a service or additional software by:

 
1. Alerting the user with the fake or simulated detection of malware or pornography.
2. Displaying an animation simulating a fake system crash and reboot.
3. Disabling parts of the system to prevent the user from uninstalling them.
4. Preventing anti-malware programs from running and blocking access to download anti-malware software.
5. Installing actual malware onto the computer, then alerting the user after "detecting" them. 
 
Some rogue security software overlaps in function with scareware by also:
 
1. Presenting offers to fix urgent performance problems or perform essential housekeeping on the computer.
2. Scaring the user with authentic-looking pop-up warnings and security alerts that mimic actual system notices.
 
 
 
 
 
ROOTKIT INFECTION
 
 
From Wikipedia, the free encyclopedia 
 
A rootkit is a software system that consists of a program or combination of several programs
designed to hide or obscure the fact that a system has been compromised.
 
A rootkit is intended to seize control of the operating system. Typically, rootkits act to obscure their
presence on the system through subversion or evasion of standard operating system security scans and
surveillance mechanisms such as anti-virus or anti-spyware scans. Often, they are Trojans as well, thus
fooling users into believing they are safe to run on their systems.
 
Rootkits may also install a "back door" in a system by replacing the login mechanism with an executable
that accepts a secret login combination, which, in turn, allows an attacker to access the system, regardless
of the changes to the actual accounts on the system.
 
A successfully-installed rootkit allows unauthorized users to maintain access as system administrators,
and thus to take and keep full control of the "rootkitted" or "rooted" system.
 
Rootkits are hard to detect with common antivirus programs and therefore a complete scan of the system
is necessary. Rootkits are normally used in conjunction with other malicious programs as a means to keep
them undetectable from the eyes of the user and antivirus scans.
 
It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this
is that they make it possible to hide malware from PC users and antivirus programs.
 
 
 
 
 
 
 
SPYWARE

 
 
From Wikipedia, the free encyclopedia
 
Spyware is a type of malware that is installed surreptitiously on personal computers to collect information
about users, their computer or browsing habits without their informed consent.
 
While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware
extend well beyond simple monitoring. Spyware programs can collect various types of personal information,
such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the
computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware
is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss
of Internet or functionality of other programs. In an attempt to increase the understanding of spyware, a more
formal classification of its included software types is captured under the term privacy-invasive software.
 
 
Routes of infection
 
Malicious websites attempt to install spyware on readers' computers.
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system
does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception
of the user or through exploitation of software vulnerabilities.
 
Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will
disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on
a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software.
 
The distributor of spyware usually presents the program as a useful utility—for instance as a "Web accelerator" or as
a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware and targeted at children, claims that:
 
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search,
e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products
you love and help you save money! Best of all, he's FREE!
 
Spyware can also come bundled with shareware or other downloadable software. The user downloads a program
and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm,
the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware.
 
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent
unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires
a user action, such as clicking on a link. However, links can prove deceptive. For instance, a pop-up ad may appear
like a standard Windows dialog box. The box contains a message such as:
 
"Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
 
Some spyware authors infect a system through security holes in the Web browser or in other software.
When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks
the browser and forces the download and installation of spyware. The spyware author would also have some
extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a
"drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target
security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.
 
The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have
made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an
obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the
form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to
install spyware that put pornographic pop-ups on the infected system's screen. By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.
 
Effects and behaviors
 
A spyware program is rarely alone on a computer: an affected machine usually has multiple infections.
Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation
can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware which interferes with networking
software commonly causes difficulty connecting to the Internet.
 
In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.
 
Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each other's products.
 
Some other types of spyware use rootkit-like techniques to prevent detection, and thus removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.
 
A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of tools such as DropMyRights).
 
However, as this is not a default configuration, few users do this.
In Windows Vista, by default, a computer administrator runs everything under limited user privileges. When a program requires administrative privileges, Vista will prompt the user with an allow/deny pop-up (see User Account Control). This improves on the design used by previous versions of Windows.
 
 
 
 
TROJAN
 
 
From Wikipedia, the free encyclopedia
 
A Trojan horse, or trojan for short, is a term used to describe malware that appears, to the user,
to perform a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
The term comes from the Trojan Horse story in Greek mythology. Trojan horses are not self-replicating which distinguishes them from viruses and worms. Additionally, they require interaction with a hacker to fulfil their purpose.
The hacker need not be the individual responsible for distributing the Trojan horse. It is possible for hackers to scan computers on a network using a port scanner in the hope of finding one with a Trojan horse installed.
 
Trojan horses are designed to allow a hacker remote access to a target computer system. Once a Trojan horse has
been installed on a target computer system it is possible for a hacker to access it remotely and perform operations.
The type of operations that a hacker can perform are limited by user privileges on the target computer system and the design of the Trojan horse itself.
 
Operations which could be performed by a hacker on a target computer system include:
1. Use of the machine as part of a Botnet (e.g. to perform Distributed Denial-of-service (DDoS) attacks)
2. Data Theft (e.g. passwords, security codes, credit card information)
3. Installation of software (including other malware)
4. Downloading of files
5. Uploading of files
6. Deletion of files
7. Modification of files
8. Keystroke logging
9. Viewing the user's screen
 
How They Get Installed:

1. Software downloads (e.g. a Trojan horse included as part of a software application downloaded from file sharing networks)
2. Websites containing executable content (e.g. a Trojan horse in the form of an ActiveX control)
3. Email attachments
4. Application exploits (flaws in a web browser, media player, messaging client or other software which can be exploited to allow installation of a Trojan horse)
5. Social engineering (e.g. a hacker tricking a user into installing a Trojan horse by communicating with them directly)

Additionally, there have been reports of compilers which are themselves Trojan horses. In addition to compiling code to executable form they also insert code into the output executables which cause them to become Trojan horses. This is still distinct from self-replication as the process is not automatic.
 
 
 
 
WORM
 
 
 
From Wikipedia, the free encyclopedia 
 
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to
other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus,
it does not need to attach itself to an existing program. Worms almost always cause at least some harm to
the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a
targeted computer.
 
Many worms that have been created are only designed to spread, and don't attempt to alter the systems they
pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended
effects can often cause major disruption.
 
A "payload" is code designed to do more than spread the worm - it might delete files on a host system
(e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail.
A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a
"zombie" computer under control of the worm author - Sobig and Mydoom are examples which created zombies. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for
sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding
for the creation of such worms, and the worm writers have been caught selling lists of IP addresses of infected
machines. Others try to blackmail companies with threatened DoS attacks.