Malware is a type of software designed to take over or damage a computer without the user’s knowledge or approval. Common types of malwares are listed in the following table:
|Virus||A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A virus:|
i. Requires a replication mechanism (a file that it uses as a host). When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities, such as .doc, .exe, and .bat extensions. Many viruses are propagated via email and are distributed to everyone in the address book.
ii. Replicates only when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated.
iii. Is programmed with an objective, which is usually to destroy, compromise, or corrupt data.
There are many virus types.
i. A stealth virus resides in low-level system service functions where it intercepts system requests and alters service outputs to conceal its presence.
ii. A multipartite virus is a combination of multiple attacks.
iii. A macro virus takes advantage of application programs that use macros to automate repetitive functions. A macro virus can infect the documents related to the program and then spread itself to other machines. Macro viruses run when the file is opened.
iv. A polymorphic virus mutates while keeping the original algorithm intact.
v. A retro virus tries to destroy virus countermeasures by deleting key files that antivirus programs use.
vi. An armored virus is designed to make itself difficult to detect or analyze by covering itself with protective code.
vii. A companion virus attaches itself to a legitimate program and then creates another program with a different file extension. When the legitimate program runs, the companion virus executes instead of the real program.
viii. A phage virus rewrites programs and infects all the files associated with that program. Its objective is usually to delete or destroy every program it infects.
|Worm||A worm is a self-replicating program. A worm:|
i. Does not require a host file to propagate.
ii. Automatically replicates itself without an activation mechanism. A worm can travel across computer networks without any user assistance.
iii. Infects one system and spreads to other systems on the network.
|Trojan horse||A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A Trojan horse:|
i. Cannot replicate itself.
ii. Does not need to be attached to a host file.
iii. Often contains spying functions (such as a packet sniffer) or backdoor functions that allow a computer to be remotely controlled from the network.Is often hidden in useful software, such as screen savers or games. A wrapper is a program that is used legitimately, but has an attached Trojan attached that will infiltrate any computer that runs the wrapper software.
iv. Relies on user decisions and actions to spread.
|Zombie||A zombie is a computer that is infected with malware that allows remote software updates and control through a command and control center called a zombie master. A zombie:|
i. Is also known as a bot (short for robot).
ii. Typically uses internet relay chat (IRC) channels (also known as chat rooms) to communicate with the zombie master.
iii. Is frequently used to aid spammers.
iv. Exploits pay-per-click (PPC), an advertising mode used on the internet. With PPC, ads are embedded on a website by the developer. The advertiser pays the website owner for each click the ad generates. Zombie computers can commit click fraud, an imitation of a legitimate ad click that generates fraudulent revenue.
v. Can be used to perform denial of service attacks.
|Botnet||A botnet refers to a group of zombie computers that are commanded from a central control infrastructure. A botnet:|
i. Has a command and control infrastructure in which the zombie master (also known as the bot herder) can send remote commands to all the bots it controls. The commands order bots to perform attacks or other malicious acts.
ii. Is capable of performing distributed denial of service attacks.
iii. Is detected by examining firewall logs to determine if a computer is acting as a zombie and participating in external attacks.
|Rootkit||A rootkit is a set of programs that allows attackers to maintain permanent and hidden administrator-level access to a computer. A rootkit:|
i. Is almost invisible software.
ii. Resides below regular antivirus software detection.
iii. Requires administrator privileges to install. The privilege level is maintained to allow subsequent access.
iv. Might not be malicious.
v. Often replaces operating system files with alternate versions that allow hidden access.
|Logic bomb||A logic bomb is designed to execute only under predefined conditions. It lies dormant until the predefined condition is met. A logic bomb:|
i. Uses a trigger activity such as a specific date and time, the launching of a specific program, or the processing of a specific type of activity.
ii. Does not self-replicate.
iii. Is also known as an asynchronous attack.
|Spyware||Spyware is designed to intercept or take partial control of the user’s interaction with the computer. Similar to other malware, spyware is installed without the user’s consent or knowledge. Spyware:|
i. Can be installed when a user visits a web page or runs an application.
ii. Collects various types of personal information, such as internet surfing habits and passwords. It sends the information back to its originating source.
iii. Uses tracking cookies to collect and report a user’s activities.
iv. Can interfere with user control of the computer by installing additional software, changing computer settings, and redirecting web browser activity.
|Adware||Adware monitors actions that denote personal preferences and then sends pop-ups and ads that match those preferences. Adware is:|
i. Usually passive.
ii. Privacy-invasive software.
iii. Installed when a user visits a particular website or runs an application.
iv. More annoying than harmful.
|Ransomware||Ransomware denies access to a computer system until the user pays a ransom.|
|Scareware||Scareware is a scam that tricks users into thinking they have some form of malware on their system. The intent of the scam is to sell the user fake antivirus software to remove malware they don’t have.|
|Crimeware||Crimeware is designed to facilitate identity theft by gaining access to a user’s online financial accounts, such as banks and online retailers. Crimeware can:|
i. Use keystroke loggers that capture keystrokes, mouse operations, or screenshots and transmit those actions back to the attacker to obtain passwords.
ii. Redirect users to fake sites.
iii. Steal cached passwords.
iv. Conduct transactions in the background after logon.