Malware constitutes any software written for malicious reasons that infiltrates a computer without authorization and performs some nefarious function. Malware can come in many varieties and perform a myriad of functions. It is malware that is the centerpoint of the modern cybercrime landscape, for it is this carefully engineered software that performs attacks on an automated level among millions of compromised machines around the world. This is a level of influence that could once be only dreamed of in the early days of the internet.
The public conception of computer crime centers around the understanding of a computer "virus." Although computer viruses have a very limited definition, it is common today to refer to all malware as viruses. A virus, in the traditional sense, is specifically a malicious program that copies itself into other programs and documents on the infected system. As we will see in the next section, network worms are far more devastating in the modern malware landscape.
Below, we list some common malware types:
A trojan (short for trojan horse) is a package disguised to appear as something useful or popular, but in fact it actually carries a malicious payload that the victim may never be aware of. In many instances, this can be a free screensaver or collection of artwork coming in through an email attachment, and the contents may well indeed be as advertised, however along with the 'legitimate' contents a well designed virus can lurk. Once executed, the malware has done its damage. What is unique about trojan horses is the mechanism that it uses to gain access to your machine. It requires your ignorance and authorization. Trojans cannot punch through your machines defenses without your direct action. As a consequence, trojans are not as devastating as their network-resident counterparts: Worms.
Worms on the other hand are malware variants that can propagate on their own. They contain builtin functionalities that exploit computer networks and file transfer mechanisms that allow them to self-copy and infect other machines. To gain entry into the target computers, worms need no human interaction. They penetrate and infect purely through vulnerabilties that are inherent to the system itself.
Worms are most known to play havok on networks, as they rapidly consume bandwidth as they scan for new infection possibilities. The network congestion goes up exponentially as the worm has infected larger populations on the network.
A bot is a computer program that provides some automated function or service on the internet. For the purposes of our work, we are only concerned with such automated utilities that are designed and used for malicious purposes. Bots are written to perform a variety of attacks against sites and individuals online. What distinguishes a bot from the other malware classifications described in this document is that the bot is the core weapons bay of the infectious package. It is not responsible for reproduction or camouflage, but only to launch attacks and do other dirty work.
A rootkit is a malicious bundle of software designed to modify the underlying operating system of an infected computer to hide other malicious programs from the user of the system. Hidden information can include the presence of suspicious files, executable names in process lists, network information, and other key statistics. It is the use of rootkits that allows malware to thwart detection from even the most trained eyes.
Rootkits are typically bundled with other forms of malware. They are useless by themselves. There are rootkits designed for all platforms.
A large fraction of the malware in the wild today is designed specifically for commercial use. Spyware and Adware, although not as much of a threat as conventional trojans and worms, still pose a significant challenge to maintaining privacy online.
Spyware is any software that collects personal information about you and your actions. Certain applications can follow your trail of web visits and report them upstream. Marketers can use this information to better searve advertisements to you, or to benefit their own operations without concern for you.
Adware on the other hand is a classification of malware that brings commercial advertising to your desktop, namely in the form of popup ads. These ads can be triggered by certain web visits, or can occur at random times. Some adware programs also hijack the browser and redirect web pages. Even more complicated packages can overlay advertisement information within the browser on top of third party search engines.
For free removal utilities for adware and spyware, we recommend "Adaware" and "Spybot".
In computing terms, a backdoor is an alternate entry point into a system or a service. Back doors aren't always locked. In a malware sense, backdoors are undesired alternate entry points that the vitim user rarely knows about. Many forms of malware will establish a backdoor to allow the attacker to login and do with the compromised machine as they wish. This can entail roaming and modifying your files, stealing information, storing contraband on your computer (child porn, warez), or using your machine to attack others.
Many criminals will operate all of their attacks through other's compromised computers in order to maintain a level of protection between themselves and authorities. Backdoors make this a reality.
A new form of attack we are seeing more of these days is cyptovirologic extortion. Such crimes begin when a computer virus attacks a system and immediately begins encrypting all of the users documents with an asymmetric key. When the deed is finished, many times the malware will display a message informing the user that if they want their files back, they must pay up, in which the attacker will (supposedly) provide them with the decryption key.
For most home users, holding data hostage in this sense can mean the difference of lost tax information and music collections, however in the corporate environment, the damage can be much worse. For this reason, we can not emphasize enough the need to backup your important data to other mediums running different operating systems if possible should you become a victim of such an extortion. Cryptographic technology has evolved to a very advanced state, and breaking decryption keys is rarely an option.
When a malware analyst has the malware source code at their disposal, analysis becomes quite simple. Understanding the malicious program is as simple as reading and interpreting the code, and looking for code fragment that reveal key information on the attacker and the attack.
In the malware world however, very rarely does one have access to the source code. Many times a precompiled malware sample (a binary) will be harvested from the wild by a honeypot. Understanding the full nature of the attack from just the program itself requires careful scrutiny and a few clever strategies.
A useful first step in dealing with a new unknown malware sample is establishing whether or not it is known by the security industry at large, or if it is new in the wild. To do this, we first run several antivirus applications against the captured malware to check if it is in the database of any of the vendors. If it is, this step can uncover incredibly useful information for our disposal, including, possibly, how the criminal may have obtained the source code for the exploits. Many samples in the wild are variants of a select few freely available exploits. We can learn a lot about the botnet, its capabilties, rate of growth, and of the botnet herder's level of competence by the strain of malware we find.
A sandbox is a tightly controlled environment in which things can be tested or scrutinized. In malware analysis, sandboxing a malware sample involves allowing it to execute on a native system under very restrictive conditions to prevent it from doing any damage. Under these conditions, we can learn what the malware does and gain insight as to how it could concievably be behaving in the wild.
In most circumstances, this involves executing a malicious program on a target operating system and monitoring its network traffic flow. Firewalls are used to contain the influence it has on the outside world and prevent further infection, however certain kinds of traffic are allowed outbound in order to see how the code functions. Furthermore, many network services can actually be emulated from outside the sandbox to fool the malware into thinking it is speaking to the outside world.
File changes can also be monitored and recorded under certain sandbox environments. This gives us even more knowledge as to how to classify a particular malware sample, as many samples are derived from only a small set of openly published malware sourcecodes.
Sandboxes are designed with efficiency in mind. A well-built malware analysis sandbox is capable of being restored to its uninfected, pristine state as quickly as possible. For this reason, much malware analysis is done within virtual machines such as vmware and qemu. Under such emulated environments, we can restore the target host to its initial uninfected state in very short order.
Simply executing the binary and watching is the easiest way to understand a binary, however the fundamental limitations we have in anticipating or provoking all behaviors from the malware makes sandboxing only a superficial glance into the inner workings of an attack. We can never be absolutely sure that the binary isn't hiding some feature or action from us because we have not given it the correct set of conditions.
For the truly ambitious who want to understand the malware on a deep level, reverse engineering can be done on the compiled code. Disassemblers are tools that read the raw machine language of the binary, however understanding what the code does on such a low hardware level can be very difficult and will take any professional some time to understand what is happening.