04-11-2010, 03:48 AM
Malware Explanation
A brief explanation on malware and types of malware
Part of the credits go to Microsoft and Kaspersky
Part of the credits go to Microsoft and Kaspersky
Introduction
This guide provides a concise explanation of the diverse assortment of malicious software or malware that exists today. This guide defines an assortment of known malware types and techniques, and also provides information about malware propagation and the risks it poses to organizations of any size.
Because of the nature of this ever-evolving topic, this guide is not designed to capture and explain all malware elements and possible variations. However, it does provide a significant first step in trying to understand the nature of the various elements that comprise malware. The guidance also discusses and defines other things that are not malware, such as spyware (programs that conduct certain activities on a computer without obtaining appropriate consent from the user), spam (unsolicited e-mail), and adware (advertising that is integrated into software).
Because of the nature of this ever-evolving topic, this guide is not designed to capture and explain all malware elements and possible variations. However, it does provide a significant first step in trying to understand the nature of the various elements that comprise malware. The guidance also discusses and defines other things that are not malware, such as spyware (programs that conduct certain activities on a computer without obtaining appropriate consent from the user), spam (unsolicited e-mail), and adware (advertising that is integrated into software).
What Is Malware?
This guide uses the term malware (an abbreviation of the phrase “malicious software”) as a collective noun to refer to viruses, worms, and Trojan horses that intentionally perform malicious tasks on a computer system. So what exactly is a computer virus or a worm? How are these different from Trojan horses? And will anti-virus applications only work against worms and Trojan horses or just viruses?
All these questions stem from the confusing and often misrepresented world of malicious code. The significant number and variety of existing malicious code makes it difficult to provide a perfect definition of each malware category. For general anti-virus discussions, the following simple definitions of malware categories apply:
All these questions stem from the confusing and often misrepresented world of malicious code. The significant number and variety of existing malicious code makes it difficult to provide a perfect definition of each malware category. For general anti-virus discussions, the following simple definitions of malware categories apply:
- Trojan horse. A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run. Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program’s purpose and function. Also called Trojan code. A Trojan horse does this by delivering a malicious payload or task when it is run.
- Worm. A worm uses self-propagating malicious code that can automatically distribute itself from one computer to another through network connections. A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial of service attack. Some worms can execute and spread without user intervention, while others require users to execute the worm code directly in order to spread. Worms may also deliver a payload in addition to replicating.
- Virus. A virus uses code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. When the host is executed, the virus code also runs, infecting new hosts and sometimes delivering an additional payload.
- DoS and DDoS Tools. These programs attack web servers by sending numerous requests to the specified server, often causing it to crash under an excessive volume of requests. If the server is not backed by additional resources, it will signal the failure to process requests by denying service. This is why such attacks are called Denial of Service attacks. DoS programs conduct such attacks from a single computer with the consent of the user. Distributed Denial of Service (DDoS) attacks use a large number of infected machines without the knowledge or consent of their owners. DDoS programs can be downloaded onto victim machines by various methods. They then launch an attack either based on a date included in the code or when the 'owner' issues a command to launch the attack.
- Cryptors. These are hacker utilities used by virus writers use to encrypt malicious programs to prevent them being detected by antivirus software. Most of the time they are detected as Trojan Droppers. Cryptors can be found in these forums as well. Although, they are actually not causing any harm to the system when run, it is a nuisance to clean malware that has been encrypted.
Trojan Horses
A Trojan horse is not considered a computer virus or worm because it does not propagate itself. However, a virus or worm may be used to copy a Trojan horse on to a target system as part of the attack payload, a process referred to as dropping. The typical intent of a Trojan horse is to disrupt the user’s work or the normal operations of the system. For example, the Trojan horse may provide a backdoor into the system for a hacker to steal data or change configuration settings. There are two other terms that are often used when referring to Trojan horses or Trojan-type activities that are identified and explained as follows:
- Remote Access Trojans. Some Trojan horse programs allow the hacker or data thief to control a system remotely. Such programs are called Remote Access Trojans (RATs) or backdoors. Examples of RATs include Back Orifice, Cafeene, and SubSeven. For a detailed explanation of this type of Trojan horse, see this article: http://netsecurity.about.com/od/hackerto...092004.htm
- Rootkits. These are collections of software programs that a hacker can use to gain unauthorized remote access to a computer and launch additional attacks.. These programs may use a number of different techniques, including monitoring keystrokes, changing system log files or existing system applications, creating a backdoor into the system, and starting attacks against other computers on the network. Rootkits are generally organized into a set of tools that are tuned to specifically target a particular operating system.
- Trojan Downloaders. This family of Trojans downloads and installs new malware or adware on the victim machine. The downloader then either launches the new malware or registers it to enable autorun according to the local operating system requirements. All of this is done without the knowledge or consent of the user.
- Trojan Droppers. These Trojans are used to install other malware on victim machines without the knowledge of the user. Droppers install their payload either without displaying any notification, or displaying a false message about an error in an archived file or in the operating system. The new malware is dropped to a specified location on a local disk and then launched.
- Trojan Clickers. This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet urls are stored (e.g. the 'hosts' file in MS Windows). Clickers are used to raise the hit-count of a specific site for advertising purposes, to organize a DoS attack on a specified server or site, or to lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans).
Worms
If the malicious code replicates it is not a Trojan horse, so the next question to address in order to more clearly define the malware is: “Can the code replicate without the need for a carrier?” That is, can it replicate without the need to infect an executable file? If the answer to this question is “Yes,” the code is considered to be some form of worm.
Most worms attempt to copy themselves onto a host computer and then use the computer’s communication channels to replicate. For example, the Sasser worm relies on a service vulnerability to initially infect a system, and then uses the infected system’s network connection to attempt to replicate. If you have installed the latest security updates (to stop the infection), or enabled the firewalls in your environment to block the network ports the worm uses (to stop the replication), the attack will fail. In the case of Windows XP, once Service Pack 2 has been applied both the infection and replication methods are blocked. This is because the service vulnerability has been removed and the Windows firewall is enabled by default. Additionally, if the Automatic Updates option is set to Automatic (recommended) any future issues will be addressed as the updates become available.
Most worms attempt to copy themselves onto a host computer and then use the computer’s communication channels to replicate. For example, the Sasser worm relies on a service vulnerability to initially infect a system, and then uses the infected system’s network connection to attempt to replicate. If you have installed the latest security updates (to stop the infection), or enabled the firewalls in your environment to block the network ports the worm uses (to stop the replication), the attack will fail. In the case of Windows XP, once Service Pack 2 has been applied both the infection and replication methods are blocked. This is because the service vulnerability has been removed and the Windows firewall is enabled by default. Additionally, if the Automatic Updates option is set to Automatic (recommended) any future issues will be addressed as the updates become available.
Viruses
If the malicious code adds a copy of itself to a file, document, or boot sector of a disk drive in order to replicate it is considered a virus. This copy may be a direct copy of the original virus or it may be a modified version of the original. As mentioned earlier, a virus will often contain a payload that it may drop on a local computer, such as a Trojan horse, which will then perform one or more malicious acts, such as deleting user data. However, a virus that only replicates and has no payload is still a malware problem because the virus itself may corrupt data, take up system resources, and consume network bandwidth as it replicates.
Defense Mechanisms Used By Malware
Many malware examples use some kind of defense mechanism to help reduce the likelihood of detection and removal. The following list provides examples of some of these techniques that have been used:
- Armor. This type of defense mechanism employs some technique that tries to foil analysis of the malicious code. Such techniques include detecting when a debugger is running and trying to prevent it from working correctly, or adding lots of meaningless code to make it difficult to determine the purpose of the malicious code.
- Stealth. Malware uses this technique to hide itself by intercepting requests for information and returning false data. For example, a virus may store an image of the uninfected boot sector and display it whenever an attempt is made to view the infected boot sector. The oldest known computer virus, called “Brain,” used this technique in 1986.
- Encrypting. Malware that uses this defense mechanism encrypts itself or the payload (and sometimes even other system data) to prevent detection or data retrieval. Encrypted malware contains a static decryption routine, an encryption key, and the encrypted malicious code (which includes an encryption routine). When executed, the malware uses the decryption routine and key to decrypt the malicious code. The malware then creates a copy of its code and generates a new encryption key. It uses that key and its encryption routine to encrypt the new copy of itself, adding the new key with the decryption routine to the start of the new copy. Unlike polymorphic viruses, encrypting malware always uses the same decryption routines, so although the key value (and thus the encrypted malicious codes signature) usually changes from infection to infection, anti-virus software can search for the static decryption routine to detect malware that uses this defense mechanism.
- Oligomorphic. Malware that exhibits this characteristic uses encryption as a defense mechanism to defend itself and is able to change the encryption routine only a fixed number of times (usually a small number). For example, a virus that can generate two different decryption routines would be classified as oligomorphic.
- Polymorphic. Malware of this type uses encryption as a defense mechanism to change itself to avoid detection, typically by encrypting the malware itself with an encryption routine, and then providing a different decryption key for each mutation. Thus, polymorphic malware uses an unlimited number of encryption routines to prevent detection. As the malware replicates, a portion of the decryption code is modified. Depending on the specific malware code, the payload or other actions performed may or may not use encryption. Typically, there is a mutation engine, which is a self contained component of the encrypting malware that generates randomizes encryption routines. This engine and the malware are then both encrypted, and the new decryption key is passed along with them.
Conclusion
Hope this shed some light on people learning about malware. I give credits to an e-book by Microsoft for a lot of information that is found in this guide. I also give credits to VirusList.com
.
![[Image: 28jy5v9.png]](http://i39.tinypic.com/28jy5v9.png)