Malware
Software that gets installed on your computer without your knowledge that changes system settings, not limited to your browser settings, that cause harmful effects to occur on your computer.According to Wikipedia.org, Malware, also known as Malicious Software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The term is a portmanteau of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
Many normal computer users
are however still unfamiliar with the term, and most never use it. Instead,
"computer virus" is incorrectly used in common
parlance and even in the media to describe all kinds of malware, though not all
malware are viruses.
Software is considered
malware based on the perceived intent of the creator rather than any particular
features. Malware includes computer
viruses, worms, trojan horses, most rootkits, spyware,
dishonest adware,
and other malicious and unwanted software. In law, malware is sometimes
known as a computer contaminant, for instance in the legal codes of
several American states, including California
and West
Virginia.
Malware should not be
confused with defective software, that is, software which has a legitimate
purpose but contains harmful bugs.
Of all computer code
released today the majority may be malicious. Preliminary results from Symantec
sensors published in 2008 suggested that "the release rate of malicious
code and other unwanted programs may be exceeding that of legitimate software
applications." According to F-Secure, "As much malware [was] produced in 2007 as in
the previous 20 years altogether." Malware's
most common pathway from criminals to users is through the Internet, by
email and the World Wide Web.
Purposes
Many early infectious
programs, including the first Internet
Worm and a number of MS-DOS viruses, were written as experiments or pranks
generally intended to be harmless or merely annoying rather than to cause
serious damage to computers. Young programmers
learning about viruses and the techniques used to write them only to prove that
they could or to see how far it could spread. As late as 1999, widespread
viruses such as the Melissa virus appear to have been written chiefly as
pranks.
A slightly more hostile
intent can be found in programs designed to vandalize or cause data loss. Many
DOS viruses, and the Windows ExploreZip
worm, were designed to destroy files on a hard disk,
or to corrupt the file system by writing junk data. Network-borne worms such as
the 2001 Code Red worm or the Ramen worm fall into the same
category. Designed to vandalize web pages, these worms may seem like the online
equivalent to graffiti
tagging, with the author's alias or affinity group appearing everywhere the
worm goes.
However, since the rise of
widespread broadband
Internet
access, more malicious software has been designed for a profit motive. For
instance, since 2003, the majority of widespread viruses and worms have been
designed to take control of users' computers for black-market exploitation.
Infected "zombie
computers" are used to send email spam,
to host contraband data, or to engage in distributed denial-of-service attacks
as a form of extortion.
Another strictly for-profit
category of malware has emerged in spyware --
programs designed to monitor users' web browsing, display unsolicited
advertisements, or redirect affiliate marketing revenues to the spyware
creator. Spyware programs do not spread like viruses; they are generally
installed by exploiting security holes or are packaged with user-installed
software, such as peer-to-peer applications.
Infectious malware: viruses and
worms
The best-known types of
malware, viruses and worms, are known for the manner in
which they spread, rather than any other particular behavior. The term computer
virus is used for a program which has infected some executable
software and which causes that software, when
run, to spread the virus to other executable software. Viruses may also
contain a payload which performs other actions, often
malicious. A worm,
on the other hand, is a program which actively transmits itself over a network
to infect other computers. It too may carry a payload.
These definitions lead to
the observation that a virus requires user intervention to spread, whereas a
worm spreads automatically. Using this distinction, infections transmitted by email or Microsoft
Word documents, which rely on the recipient opening a file or email to infect
the system, would be classified as viruses rather than worms.
Some writers in the trade
and popular press appear to misunderstand this distinction, and use the terms
interchangeably.
Capsule history of viruses and worms
Before Internet access
became widespread, viruses spread on personal computers by infecting programs
or the executable boot sectors of floppy disks. By inserting a copy of
itself into the machine code instructions in these executables, a
virus causes itself to be run whenever the program is run or the disk is
booted. Early computer viruses were written for the Apple II and Macintosh,
but they became more widespread with the dominance of the IBM PC and MS-DOS system.
Executable-infecting viruses are dependent on users exchanging software or boot
floppies, so they spread heavily in computer hobbyist circles.
The first worms,
network-borne infectious programs, originated not on personal computers, but on
multitasking Unix
systems. The first well-known worm was the Internet
Worm of 1988, which infected SunOS and VAX
BSD systems. Unlike a
virus, this worm did not insert itself into other programs. Instead, it
exploited security holes in network server programs and started itself running
as a separate process. This same behavior is used by today's worms as well.
With the rise of the Microsoft
Windows platform in the 1990s, and the flexible macro systems of its applications, it
became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and
templates rather than applications, but rely on the fact that macros in a Word
document are a form of executable code.
Today, worms are most
commonly written for the Windows OS, although a small number are also written
for Linux and Unix systems. Worms
today work in the same basic way as 1988's Internet Worm: they scan the network
for computers with vulnerable network services, break in to those computers,
and copy themselves over. Worm outbreaks have become a cyclical plague for both
home users and businesses, eclipsed recently in terms of damage by spyware.[citation needed]
Concealment:
Trojan horses, rootkits, and backdoors
For a malicious program to
accomplish its goals, it must be able to do so without being shut down, or
deleted by the user or administrator of the computer it's running on.
Concealment can also help get the malware installed in the first place. When a
malicious program is disguised as something innocuous or desirable, users may
be tempted to install it without knowing what it does. This is the technique of
the Trojan horse or trojan.
Broadly speaking, a Trojan
horse is any program that invites the user to run it, but conceals a harmful or
malicious payload. The payload may take effect immediately and can lead to many
undesirable effects, such as deleting all the user's files, or more commonly it
may install further harmful software into the user's system to serve the
creator's longer-term goals. Trojan horses known as droppers are used
to start off a worm outbreak, by injecting the worm into users' local networks.
One of the most common ways
that spyware is distributed is as a Trojan horse, bundled with a piece of
desirable software that the user downloads from the Internet. When the user
installs the software, the spyware is installed alongside. Spyware authors who
attempt to act in a legal fashion may include an end-user license agreement which states
the behavior of the spyware in loose terms, and which the users are unlikely to
read or understand.
Once a malicious program is
installed on a system, it is often useful to the creator if it stays concealed. The same is true
when a human attacker breaks into a computer directly. Techniques known as rootkits allow
this concealment, by modifying the host operating system so that the malware is
hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list
of processes, or keep its files from being read. Originally, a rootkit was a
set of tools installed by a human attacker on a Unix system where the attacker
had gained administrator (root) access. Today, the term is used more generally
for concealment routines in a malicious program.
Some malicious programs
contain routines to defend against removal: not merely to hide themselves, but
to repel attempts to remove them. An early example of this behavior is recorded
in the Jargon
File tale of a pair of programs infesting a Xerox CP-V timesharing system:
Each ghost-job would detect the fact that the other had been
killed, and would start a new copy of the recently slain program within a few
milliseconds. The only way to kill both ghosts was to kill them simultaneously
(very difficult) or to deliberately crash the system.
Similar techniques are used
by some modern malware, wherein the malware starts a number of processes which
monitor one another and restart any process which is killed off by the
operator.
A backdoor is a method of bypassing normal authentication
procedures. Once a system has been compromised (by one of the above methods, or
in some other way), one or more backdoors may be installed, in order to allow
the attacker access in the future. The idea has often been suggested that
computer manufacturers preinstall backdoors on their systems to provide
technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure
remote access to a computer, while attempting to remain hidden from casual
inspection. To install backdoors crackers may use Trojan horses, worms,
or other methods.
Malware for
profit: spyware, botnets, keystroke loggers, and dialers
During the 1980s and 1990s,
it was usually taken for granted that malicious programs were created as a form
of vandalism
or prank (although
some viruses were spread only to discourage users from illegal software
exchange.) More recently, the greater share of malware programs have been
written with a financial or profit motive in mind. This can be taken as the
malware authors' choice to monetize their control over infected systems: to
turn that control into a source of revenue.
Since 2003 or so, the most
costly form of malware in terms of time and money spent in recovery has been
the broad category known as spyware.
Spyware programs are commercially produced for the purpose of gathering
information about computer users, showing them pop-up ads,
or altering web-browser behavior for the financial benefit of the spyware
creator. For instance, some spyware programs redirect search
engine results to paid advertisements. Others, often called "stealware"
by the media, overwrite affiliate marketing codes so that revenue goes
to the spyware creator rather than the intended recipient.
Spyware programs are
sometimes installed as Trojan horses of one sort or another. They differ in
that their creators present themselves openly as businesses, for instance by
selling advertising space on the pop-ups created by the malware. Most such
programs present the user with an end-user license agreement which
purportedly protects the creator from prosecution under computer contaminant
laws. However, spyware EULAs have not yet been upheld in court.
Another way that
financially-motivated malware creators can profit from their infections is to
directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus
families, are commissioned by e-mail spam gangs. The infected computers are used as proxies
to send out spam messages. The advantage to spammers of using infected
computers is that they are available in large supply (thanks to the virus) and
they provide anonymity, protecting the spammer from prosecution. Spammers have
also used infected PCs to target anti-spam organizations with distributed denial-of-service
attacks.
In order to coordinate the
activity of many infected computers, attackers have used coordinating systems
known as botnets. In
a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat
system. The attacker can then give instructions to all the infected systems
simultaneously. Botnets can also be used to push upgraded malware to the
infected systems, keeping them resistant to anti-virus software or other
security measures.
Lastly, it is possible for
a malware creator to profit by simply stealing from the person whose computer
is infected. Some malware programs install a key logger, which copies down the user's
keystrokes when entering a password, credit card number, or other information
that may be useful to the creator. This is then transmitted to the malware
creator automatically, enabling credit
card fraud and other theft. Similarly, malware may copy the CD key or
password for online games, allowing the creator to steal accounts or virtual
items.
Another way of stealing
money from the infected PC owner is to take control of the modem and dial an
expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as
a U.S. "900 number" and leave the line open, charging the toll to the
infected user.
Vulnerability
to malware
In this context, as
throughout, it should be borne in mind that the “system” under attack may be of
various types, e.g. a single computer and operating system, a network or an application.
Various factors make a
system more vulnerable to malware:
- Homogeneity – e.g. when all computers in a network run the
same OS, if you can hack that OS, you can break into any computer running
it.
- Defects – most systems containing errors which may be
exploited by malware.
- Unconfirmed code – code from a floppy
disk, CD-ROM
or USB device may
be executed without the user’s agreement.
- Over-privileged users – some systems allow all users
to modify their internal structures.
- Over-privileged code – most popular systems allow
code executed by a user all rights of that user.
An often cited cause of
vulnerability of networks is homogeneity or software monoculture. In
particular, Microsoft Windows has such a large share of the market that
concentrating on it will enable a cracker to subvert a large number of systems.
Introducing inhomogeneity purely for the sake of robustness would however bring
high costs in terms of training and maintenance.
Most systems contain bugs
which may be exploited by malware. Typical examples are buffer
overruns, in which an interface designed to store data in a small area of
memory allows the caller to supply too much, and then overwrites its internal structures.
This may used by malware to force the system to execute its code.
Originally, PCs had to be
booted from floppy disks, and until recently it was common for this to be the
default boot device. This meant that a corrupt floppy disk could subvert the
computer during booting, and the same applies to CDs. Although that is now less
common, it is still possible to forget that one has changed the default, and
rare that a BIOS
makes one confirm a boot from removable media.
In some systems,
non-administrator users are over-privileged by design, in the sense that
they are allowed to modify internal structures of the system. In some
environments, users are over-privileged because they have been inappropriately
granted administrator or equivalent status. This is a primarily a configuration
decision, but on Microsoft Windows systems the default configuration is to
over-privilege the user. This situation exists due to decisions made by
Microsoft to prioritize compatibility with older systems above security
configuration in newer systems
and because typical applications were developed without the
under-privileged users in mind. As privilege escalation exploits have increased
this priority is shifting for the release of Microsoft Windows Vista. As a
result, many existing applications that require excess privilege
(over-privileged code) may have compatibility problems with Vista. However,
Vista's User Account Control feature attempts to remedy applications not
designed for under-privileged users through virtualization, acting as a crutch
to resolve the privileged access problem inherent in legacy applications.
Malware, running as
over-privileged code, can use this privilege to subvert the system. Almost all
currently popular operating systems, and also many scripting applications allow
code too many privileges, usually in the sense that when a user executes
code, the system allows that code all rights of that user. This makes users
vulnerable to malware in the form of e-mail
attachments, which may or may not be disguised.
Given this state of
affairs, users are warned only to open attachments they trust, and to be wary
of code received from untrusted sources. It is also common for operating
systems to be designed so that device
drivers need escalated privileges, while they are supplied by more and more
hardware manufacturers, some of whom may be unreliable.
Eliminating over-privileged code
Over-privileged code dates
from the time when most programs were either delivered with a computer or
written in-house, and repairing it would at a stroke render most anti-virus
software almost redundant. It would, however, have appreciable consequences for
the user interface and system management.
The system would have to
maintain privilege profiles, and know which to apply for each user and program.
In the case of newly installed software, an administrator would need to set up
default profiles for the new code.
Eliminating vulnerability
to rogue device drivers is probably harder than for arbitrary
rogue executables. Two techniques, used in VMS, that can
help are memory mapping only the registers of the device in question and a
system interface associating the driver with interrupts from the device.
Other approaches are:
- Various forms of virtualization,
allowing the code unlimited access only to virtual resources
- Various forms of sandbox or jail
- The security functions of Java, in
java.security
Such approaches, however,
if not fully integrated with the operating system, would reduplicate effort and
not be universally applied, both of which would be detrimental to security.
Academic
research on malware: a brief overview
The notion of a
self-reproducing computer program can be traced back to 1949 when John
von Neumann presented lectures that encompassed the theory and organization
of complicated automata. Neumann showed
that in theory a program could reproduce itself. This constituted a
plausibility result in computability theory. Fred
Cohen experimented with computer viruses and confirmed Neumann's postulate. He
also investigated other properties of malware (detectability, self-obfuscating
programs that used rudimentary encryption that he called
"evolutionary", and so on). His doctoral dissertation was on the
subject of computer viruses. Cohen's faculty advisor, Leonard Adleman (the A in
RSA) presented a
rigorous proof that, in the general case, algorithmically determining whether a
virus is or is not present is Turing undecidable. This problem must not be
mistaken for that of determining, within a broad class of programs, that a
virus is not present; this problem differs in that it does not require the
ability to recognize all viruses. Adleman's proof is perhaps the deepest result
in malware computability theory to
date and it relies on Cantor's diagonal argument as well as
the halting problem. Ironically, it was later shown by
Young and Yung that Adleman's work in cryptography
is ideal in constructing a virus that is highly resistant to
reverse-engineering by presenting the notion of a cryptovirus.
A cryptovirus is a virus that contains and uses a public key and randomly
generated symmetric cipher initialization vector (IV) and session key
(SK). In the cryptoviral extortion attack, the virus hybrid encrypts plaintext
data on the victim's machine using the randomly generated IV and SK. The IV+SK
are then encrypted using the virus writer's public key.
In theory the victim must negotiate with the virus writer to get the IV+SK back
in order to decrypt the ciphertext (assuming there are no backups). Analysis of
the virus reveals the public key, not the IV and SK needed for decryption, or
the private key needed to recover the IV and SK. This result was the first to
show that computational complexity theory can
be used to devise malware that is robust against reverse-engineering.
Another growing area of
computer virus research is to mathematically model the infection behavior of
worms using models such as Lotka–Volterra equations, which has been
applied in the study of biological virus. Various virus propagation scenarios
have been studied by researchers such as propagation of computer virus,
fighting virus with virus like predator codes, effectiveness of patching etc.
Grayware
Grayware (or greyware) is a
general term sometimes used as a classification for applications that behave in
a manner that is annoying or undesirable, and yet less serious or troublesome
than malware. Grayware encompasses spyware, adware, dialers, joke programs,
remote access tools, and any other unwelcome files and programs apart from
viruses that are designed to harm the performance of computers on your network.
The term has been in use since at least as early as September 2004.
Grayware refers to
applications or files that are not classified as viruses or trojan horse programs, but can still
negatively affect the performance of the computers on your network and
introduce significant security risks to your organization. Often grayware
performs a variety of undesired actions such as irritating users with pop-up windows,
tracking user habits and unnecessarily exposing computer vulnerabilities to
attack.
- Spyware is software that installs components on a
computer for the purpose of recording Web surfing habits (primarily for
marketing purposes). Spyware sends this information to its author or to
other interested parties when the computer is online. Spyware often
downloads with items identified as 'free downloads' and does not notify
the user of its existence or ask for permission to install the components.
The information spyware components gather can include user keystrokes,
which means that private information such as login names, passwords, and
credit card numbers are vulnerable to theft. Spyware gathers data, such as
account user names, passwords, credit card numbers, and other confidential
information, and transmits it to third parties.
- Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla Firefox. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance. Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software. Adware are also often installed in tandem with spyware programs. Both programs feed off of each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profile.