Malware has become the tool of choice for cybercriminals, hackers, and hacktivists. It has become easy for attackers to create their own malware by acquiring malware toolkits, such as Zeus, SpyEye, and Poison Ivy, and customising the malware produced by those toolkits to meet their individual needs. Many of these toolkits are available for purchase, whereas others are open source, and most have user-friendly interfaces that make it simple for unskilled attackers to create customised, high-capability malware. Much of today’s malware is specifically designed to spread quietly and slowly to other hosts, gathering information over extended periods of time, and eventually leading to exfiltration of sensitive data and other negative impacts. The term advanced persistent threat (APT) is generally used to refer to this approach.
Types of Malware
Malware categorisation is based on infection and propagation characteristics. The categories of malware include viruses, worms, Trojans, bots, ransomware, rootkits, and spyware/adware. Hybrid malware is code that combines characteristics of multiple categories – for example, combining a virus’ ability to alter program code with a worm’s ability to reside in live memory and to propagate without any action on the part of the user.
A virus is malicious code that attaches to and becomes part of another program. Generally, viruses are destructive. Almost all viruses attach themselves to executable files and then execute in tandem with the host file. Viruses spread when the software or document they are attached to is transferred from one computer to another over the network, on a disk, through file sharing, or as an infected email attachment.
A worm is a piece of malicious code that can spread from one computer to another without requiring a host file to infect. Worms are specifically designed to exploit known vulnerabilities, and they spread by taking advantage of network and Internet connections.
A Trojan is malicious code that masquerades as a legitimate, benign application. A typical activity attributed to Trojans is opening a connection to a command and control server (known as a C&C). Once the connection is made, the machine is said to be “owned,” and the attacker takes control of the infected machine. In fact, cybercriminals will tell you that once they have successfully installed a Trojan on a target machine, they have more control over that machine than the very person seated in front of it and interacting with it. Once “owned,” access to the infected device may be sold to other criminals. Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction, such as opening an email attachment or downloading and running a file from the Internet.
Bots (also known as robots) are snippets of code designed to automate tasks and respond to instruction. Bots can self-replicate (like worms) or replicate via user action (like Trojans). A malicious bot is installed in a system without the user’s permission or knowledge. The bot connects back to a central server or command center. An entire network of compromised devices is known as a botnet. One of the most common uses of a botnet is to launch distributed denial of service (DDoS) attacks. A DDoS attack is an attempt to make a machine or network resource unavailable for its intended use. In general terms, DDoS attacks consume computer resources to obstruct the communication channel.
Ransomware is a type of malware that takes a computer or its data hostage in an effort to extort money from victims. There are two types of ransomware. Lockscreen ransomware displays a full-screen image or webpage that prevents you from accessing anything on your computer. Encryption ransomware encrypts your files with a password, preventing you from opening them. The most common ransomware scheme is a notification claiming that authorities have detected illegal activity on your computer and that you must pay a “fine” to avoid prosecution and regain access to your system.
A rootkit is a set of software tools that hides its presence in the lower layers of the operating system’s application layer, in the operating system kernel, or in the device’s basic input/output system (BIOS), with privileged access permissions. Root is a Unix/Linux term that denotes administrator-level or privileged access permissions. The word kit denotes a program that allows someone to obtain root/admin-level access to the computer by executing the programs in the kit – all of which is done without end-user consent or knowledge. The intent is generally remote C&C. Rootkits cannot self-propagate or replicate; they must be installed on a device. Because of where they operate, they are very difficult to detect and even more difficult to remove.
Spyware is a general term used to describe software that without a user’s consent and/or knowledge tracks Internet activity such as searches and web surfing, collects data on personal habits, and displays advertisements. Spyware sometimes affects the device configuration by changing the default browser, changing the browser home page, or installing “add-on” components. It is not unusual for an application or online service license agreement to contain a clause that allows for the installation of spyware.
NIST Special Publication 800-83, Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, published in 2012, provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene.