MALWARE

1. Malware

1. Classification

Types of Malware:

  • Virus

  • Trojan Horse

  • Rootkit

  • Bootkit

  • Backdoor

  • Adware

  • Spyware

  • Greyware

  • Dialer

  • Key-logger

  • Botnet

  • Ransomware

  • Data-stealing malware

  • Worm

A. Virus

A computer virus is a program that copies itself into other programs or files and spreads without the permission or knowledge of the owner.

Viruses do not spread by exploiting vulnerabilities; malware that spreads that way is classified as a worm (see N below).

In the strict classification, the only way a virus spreads is together with its host: it needs a user or a program to copy or run the infected file.

For example, once a virus has infected a file, every time the owner copies that file to another system the virus gets a chance to spread and survive.

Viruses can be classified into the following sub-types:

  • Resident type: when executed, the virus stays resident in memory and waits for a trigger such as another program being loaded; it then infects that program, and so on.

  • Non-resident type: when executed, the virus searches for files it can infect, infects them and then exits. Each time an infected program is run it again looks for new targets.

  • Boot-sector virus: spreads via boot sectors. For example, if a user leaves an infected CD-ROM in the drive when turning the system off, the boot-sector virus activates the next time the system boots from it, infects the boot sector of the hard disk, and from there infects other disks and flash drives. When those disks or flash drives are moved to other machines, the cycle repeats.

  • Multipartite type: the virus combines several infection mechanisms, for example a boot-sector component and a resident file-infecting component, or even more.
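
Because a file-infecting virus has to modify its host, the practical check is an integrity baseline of executables taken while the system is clean and re-checked later. The following is an added example, not code from this page; the directory, file names and the appended "payload" are constructed for the demonstration:

```python
"""Integrity baseline that reveals file infection (added example, not from the page).

A virus must change its host file, so hashing every executable on a clean system
and re-hashing later shows modified hosts and dropped copies. Paths and contents
in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its size and SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return baseline


def compare(baseline, current):
    """Files modified, added or removed since the baseline was taken."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: three 'programs'; one gets an appended virus body and
    a fresh copy of the virus is dropped under a plausible-looking name."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("calc.exe", "notepad.exe", "game.exe"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)
        clean = build_baseline(root)
        # Appending infection: the host still runs, but its hash and size changed.
        with open(os.path.join(root, "game.exe"), "ab") as f:
            f.write(b"\x90" * 32 + b"VIRUS-BODY")
        # A dropped file is caught as an addition.
        with open(os.path.join(root, "svchost.exe"), "wb") as f:
            f.write(b"MZ-dropper")
        return compare(clean, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only worth something if it is stored off the host and the comparison is run from trusted media (for example a read-only boot disk): a rootkit on the same machine can lie to the checker about file contents.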

B. Trojan Horse

A Trojan horse is malware that appears to the user to perform a useful function but in fact facilitates unauthorized access to the user's system.

Unlike viruses, Trojans are not self-replicating.

C. Rootkit

A rootkit is malware designed to hide the fact that a system has already been compromised, or to carry out the compromise at a deeper level.

A rootkit is normally used as a supplement to other malware.

Rootkits are used to hide processes and files on the system, to implement backdoors and to create other loopholes.

Rootkits exist for all major operating systems, such as Windows, Linux, Solaris and OS X.

Kernel-mode rootkits are typically installed as device drivers (Windows) or loadable kernel modules (Linux).

Rootkits are known to exist at the following levels (and possibly at lower ones):

  • Application level: they replace legitimate programs with trojaned copies that omit whatever the rootkit wants to hide.

  • Library level: if ten applications share a library, taking control of that library means taking control of all ten applications.

  • Kernel level: the most common type; the first kernel rootkit for Windows NT was developed by Greg Hoglund around 1999. They are hard to remove because they run at the same privilege level as the anti-virus software that would have to detect them.

  • Hypervisor level: modern processors provide hardware support for virtualization. Rootkits that use these processor-specific extensions to run the original OS as a guest under a malicious hypervisor are called hypervisor rootkits, e.g. Blue Pill and SubVirt.

  • Firmware level: rootkits for firmware such as the BIOS, ACPI tables or device option ROMs are known to exist. They have the highest chance of survival because, at the time of writing, no widely available tools verify or scan firmware for rootkits.
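
A kernel- or library-level rootkit that filters the /proc directory listing still has to leave the hidden PID usable, which gives the defender a second, independent view to diff against. The following cross-view check is an added example, not code from this page; hidden_pids() is pure, the live functions are Linux-only, and the two views in demo() are constructed to simulate a rootkit hiding PID 4242:

```python
"""Cross-view detection of a hidden process (added example, not from the page).

View 1: the PIDs readdir() on /proc reports.  View 2: every PID the kernel admits
exists when probed with kill(pid, 0).  A process present in view 2 but absent from
view 1 is being hidden.  Non-leader threads also answer kill() but are legitimately
absent from /proc, so they are filtered via /proc/<tid>/status.
"""
import os


def hidden_pids(listing_view, probe_view, is_thread=lambda pid: False):
    """PIDs that answer a probe but are missing from the listing, minus threads."""
    return sorted(pid for pid in set(probe_view) - set(listing_view) if not is_thread(pid))


def procfs_listing():
    """High-level view: numeric entries of readdir('/proc')."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_listing(limit):
    """Low-level view: PIDs 1..limit that exist according to kill(pid, 0).

    ESRCH (ProcessLookupError) means no such process.  EPERM (PermissionError)
    means it exists but belongs to another user, which still proves existence.
    """
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def linux_is_thread(pid):
    """True when /proc/<pid>/status shows a Tgid different from the ID itself."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False  # status absent or unreadable: keep the PID as a suspect
    return False


def scan_live(limit=None):
    """Diff the two views on this host twice and keep only PIDs hidden both times,
    so processes that merely started or exited mid-scan are not reported."""
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    first = set(hidden_pids(procfs_listing(), probe_listing(limit), linux_is_thread))
    second = set(hidden_pids(procfs_listing(), probe_listing(limit), linux_is_thread))
    return sorted(first & second)


def demo():
    """Constructed views: PID 4242 is alive but filtered out of the listing."""
    listing = {1, 2, 250, 1337, 4000}
    probe = {1, 2, 250, 1337, 4000, 4242}
    return hidden_pids(listing, probe)


if __name__ == "__main__":
    print("simulated hidden PIDs:", demo())
    if os.path.isdir("/proc"):
        print("live hidden PIDs:", scan_live())  # a few seconds with a large pid_max
```

The same idea (compare what a high-level API reports with what a lower-level mechanism reveals) extends to files and network sockets, and it is the approach most rootkit detectors take. It does not help against a hypervisor- or firmware-level rootkit, which sits below both views.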

D. Bootkit

Bootkits are rootkits that take control of the OS during the boot process itself; the term was introduced by Nitin Kumar and Vipin Kumar (the authors of this section) in 2007.

They differ from other rootkits in how they are installed and in how they take control of the OS.

They start attacking the OS before the OS has even started, so they are able to completely bypass the security of the target OS.

E. Backdoor

A backdoor is software (or a modification to existing software) that bypasses the authentication mechanism or keeps remote access open for later unauthorized use, while trying to remain hidden.

For example, a backdoor in a login system might grant access when a specific username/password pair is entered, even though that pair does not correspond to any valid account.
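
The login backdoor just described, beside a hardened version of the same check. This is an added example, not code from this page; the account store, the "maint" backdoor pair, the user "alice" and the hashing parameters are all constructed for the demonstration:

```python
"""A hard-coded credential backdoor next to the hardened check (added example,
not from the page).  Every name, password and parameter here is constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000
ACCOUNTS = {}  # username -> (salt, PBKDF2-SHA256 hash)

# Dummy work for unknown users so that "no such user" and "wrong password"
# take the same time; otherwise the user list can be enumerated by timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    ACCOUNTS[username] = (salt, _derive(password, salt))


def login_backdoored(username, password):
    """Vulnerable: a secret pair succeeds without ever touching ACCOUNTS."""
    if username == "maint" and password == "s3rv1ce!":  # the backdoor
        return True
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    salt, stored = record
    return _derive(password, salt) == stored  # also a non-constant-time compare


def login_hardened(username, password):
    """Every accepted login maps to a record in ACCOUNTS; the comparison is
    constant-time so neither the stored hash nor the user list leaks."""
    salt, stored = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_derive(password, salt), stored)
    return ok and username in ACCOUNTS


def demo():
    """Constructed users; shows how each login path treats the backdoor pair."""
    ACCOUNTS.clear()
    register("alice", "correct horse battery staple")
    return {
        "backdoor_pair_vulnerable": login_backdoored("maint", "s3rv1ce!"),
        "backdoor_pair_hardened": login_hardened("maint", "s3rv1ce!"),
        "alice_hardened": login_hardened("alice", "correct horse battery staple"),
        "alice_wrong_hardened": login_hardened("alice", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When reviewing authentication code for backdoors, the property to check is the one login_hardened has by construction: every path that returns success must pass through the account store. Comparisons of the password against a string literal, or early returns before the lookup, are the thing to look for.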

F. Adware

Adware is advertising-supported software that displays advertisements from time to time while the software is in use.

Some adware also acts as spyware. Adware may also install other unwanted software on the user's system, which may or may not be malware. This is done without the user's consent.

G. Spyware

Spyware is software that spies on the user's activities, collecting personal information, browsing history and other data without the user's consent.

The information is sent to the spyware's author once a certain amount has been collected.

Spyware is also called privacy-violating or privacy-invading software.

Normally, a system that has spyware also has other kinds of malware, such as rootkits or trojans, to hide its tracks and keep control of the machine.

H. Greyware

Greyware is a collective name for spyware and adware; a piece of greyware can be spyware, adware or both.

I. Dialer

A dialer is software that connects to the Internet over a modem but, instead of dialing the normal access number, dials premium-rate numbers that are charged at a high rate.

The owner of the dialer, who set up the premium number, thus makes large sums of money.

J. Key-logger

Key-loggers are malware that record the keys pressed by the user without their consent, so the person is unaware that his actions are being monitored.

For example, a person might type his credit-card number, which may then be misused by the keylogger's creator.

There are numerous kinds and methods of keylogging, such as:

  • Software keylogger: kernel-mode or user-mode keyloggers.

  • Hardware keylogger: a firmware-based keylogger can be placed in the BIOS.

    PS/2 and USB keyboards can be sniffed with an additional device placed inline between the keyboard and the computer's keyboard port.

  • Wireless keyboard sniffer: passive sniffers can collect keystrokes from wireless keyboards.

  • Acoustic keylogger: based on the sound made when a key is struck by the user.

    After some time of recording, clear patterns distinguish individual keys being pressed and released, which allows remote passive keylogging.

  • Optical keylogger: keystrokes are observed by a person standing beside you or by a camera.

K. Botnet

A botnet is a collection of compromised computers (bots) that run commands automatically and autonomously, directed by a command-and-control server.

Botnets are typically created when a large number of machines are infected with the same malware.

This is usually done via drive-by downloads: a compromised website tries to exploit the visitor's web browser and install software without the user's consent.

The controller or owner of the botnet is called the bot master and is usually the one who issues commands to the bots.

Botnets are used by the bot master for purposes such as distributed denial of service (DDoS), sending spam, etc.

L. Ransomware

Ransomware locks the user's important files, typically by encrypting them with a key only the attacker holds, and then demands that the user send money in exchange for unlocking them.

The most famous example is Gpcode, which used public-key cryptography to encrypt the user's files, so that the key needed to decrypt them was never present on the victim's machine.
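
Because properly encrypted data is indistinguishable from random bytes, a cheap host-side check for ransomware activity is to look for ordinary documents whose byte entropy suddenly approaches 8 bits per byte. The following is an added example, not code from this page; the threshold, the list of natively compressed formats and the sample files in demo() are constructed for the demonstration:

```python
"""Entropy heuristic for spotting ransomware-encrypted files (added example,
not from the page).  Text and source files sit around 4-6 bits/byte; ciphertext
and random data approach 8.  Formats that are already compressed (archives,
images, Office zip containers) are high-entropy by nature and are skipped."""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY_FORMATS = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png",
                        ".mp3", ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}
THRESHOLD = 7.5   # bits per byte; constructed choice, tune per environment
MIN_BYTES = 256   # entropy of tiny files is too noisy to judge


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root, threshold=THRESHOLD, sample=1 << 20):
    """(relative path, entropy) of non-compressed files whose first `sample`
    bytes look like ciphertext."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in HIGH_ENTROPY_FORMATS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read(sample)
            e = shannon_entropy(data)
            if len(data) >= MIN_BYTES and e >= threshold:
                flagged.append((os.path.relpath(path, root), round(e, 2)))
    return sorted(flagged)


def demo():
    """Constructed tree: a text note, its 'encrypted' twin, and a JPEG-named blob
    of random bytes that must be skipped rather than flagged."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"Quarterly figures, draft 3. Do not distribute.\n" * 20)
        with open(os.path.join(root, "notes.txt.locked"), "wb") as f:
            f.write(os.urandom(4096))          # stands in for ciphertext
        with open(os.path.join(root, "photo.jpg"), "wb") as f:
            f.write(os.urandom(4096))          # legitimately high entropy
        return suspicious_files(root)


if __name__ == "__main__":
    for path, e in demo():
        print(f"{path}: {e} bits/byte")
```

On its own a single high-entropy file proves little (encrypted containers and key files are high-entropy too); the useful signal is the rate at which previously low-entropy documents become high-entropy, which is what an endpoint agent would alert on.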

M. Data-stealing malware

Data-stealing malware steals data such as private encryption keys, credit-card data and competitive information such as internal secret algorithms, new product designs and other internal data that a third party could use to cause damage to the original data owner.

Some of these are highly targeted attacks that are never detected.

N. Worm

Worms are software that use network or system vulnerabilities to spread themselves from system to system.

They are typically bundled with other software such as rootkits and are normally the entry point into the system.

They compromise the system (locally or remotely) and then provide access for other components such as bot clients, spyware, key-loggers and so on.
