Malware

Malware (a portmanteauof "malicious software") is software designed to infiltrate or damage a computer system, without the owner's consent. The term describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, Trojan horses, and spyware. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, Virginia, and several other U.S.states [1]. Malware is sometimes pejoratively called scumware.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Goals

Over the years, people have written malicious software for a number of different purposes.

Many early infectious programs, including the Internet Wormand a number of MS-DOSviruses, were written as experiments or pranks -- generally intended to be harmless or merely annoying, rather than to cause serious damage. Young programmers, learning about the possibility of viruses and the techniques used to write them, might write one just to prove that they can do it, or to see how far it could spread.

A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the Code Red wormor Ramen worm fall into the same category. Designed to vandalize Web pages, these worms may seem like an online equivalent of graffiti tagging, with the author's name or affinity group appearing everywhere the worm goes.

Revengeis sometimes a motive to write malicious software. A programmer or system administrator about to be fired from a job may leave behind backdoorsor software "time bombs" that will allow them to damage the former employer's systems or destroy their own earlier work.

However, since the rise of widespread broadbandInternetaccess, a greater portion of malicious software has been focused strictly on a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-serviceattacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware-- programs designed to monitor users' Web browsing, display unsolicited advertisements, and redirect affiliate marketingrevenues to the spyware creator. Spyware programs don't spread like viruses; usually they are installed by exploiting browser security holes, or are installed like a Trojan horse when the user installs other software.

Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect computers. Today, the words are often used interchangeably.

Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. This means that infections transmitted by email, which rely on the recipient opening an attachment to infect the system, are classed as viruses.

Capsule history of viruses and worms

Main articles: Computer virus, computer worm.

Before Internet access became widespread, viruses spread on personal computers by infecting programs or the executable boot sectorsof floppy disks. By inserting a copy of itself into the machine codeinstructions in these executables, a virus causes itself to be run whenever the program is run or the disk is booted. Early computer viruses were written for the Apple IIand Macintosh, but they became more widespread with the dominance of the IBM PCand MS-DOSsystem. Executable-infecting viruses are dependent on users exchanging software or boot floppies, so they spread heavily in computer hobbyist circles.

The first worms -- network-borne infectious programs -- originated not on personal computers, but on multitasking Unixsystems. The first well-known worm was the Internet Wormof 1988, which infected SunOSand VAXBSDsystems. Unlike a virus, this worm did not insert itself into other programs; rather, it exploited security holes in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windowsplatform in the 1990s, and the flexible macrosystems of its applications, it became possible to write infectious code in the macro language of Microsoft Wordand similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a small number are also written for Linuxand other Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network for computers with vulnerable network services, break in to those computers, and copy themselves over. Worm outbreaks have become a cyclical plague for both home users and businesses, eclipsed recently in terms of damage by spyware.

Concealment: Trojan horses and rootkits

For a malicious program to accomplish its goals, it must be able to do so without being shut down by the user or administrator of the computer it's on. Concealment can also help get the malware installed in the first place: by disguising a malicious program as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. This payload can be anything: it may take effect immediately, such as by deleting all the user's files, or more commonly it may install some harmful software into the user's system to serve the creator's longer-term goals. Trojan horses known as droppersare used to start off a worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads off the Web or a peer-to-peer file-trading network. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act legally may include an end-user license agreementwhich states the behavior of the spyware in loose terms, but with the knowledge that users are unlikely to read or understand it.

Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being reported in the process table, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access; today, the term is used more generally for concealment routines in a malicious program.

Malware for profit: spyware, botnets, loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalismor prank. More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.

Since 2003or so, the most costly form of malware -- in terms of time and money spent in recovery -- has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, and altering Web-browser behavior to financially benefit the spyware creator. For instance, some spyware programs redirect search engineresults to pages full of paid advertisements. Others -- deemed "stealware" by the media -- overwrite affiliate marketingcodes so that the revenue goes to the spyware creator rather than a legitimate Web site owner.

Spyware programs are usually installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreementwhich purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.

Another way that financially-motivated malware creator can monetize their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobigand Mydoomvirus families, are commissioned by e-mail spamgangs. The infected computers are used as proxiesto send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware logs in to an Internet Relay Chatchannel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Stealing here can mean stealing information such as passwords, or outright financial theft. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other useful information. This is then transmitted to the malware creator automatically, enabling credit card fraudand other theft. Similarly, malware may copy the CD keyor password for online games, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of the modemand dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number-- such as a U.S. "900 number" -- and leaves the line open, costing the user hundreds of dollars in telephone bills.

Malware tools and aids

Exploit

An exploitis a piece of software that attacks a particular security vulnerability. Exploits are not necessarily malicious in intent — they are often devised by security researchers as a way of demonstrating that a vulnerability exists. However, they are a common component of malicious programs such as network worms.

Curing an infection

Unfortunately, cleaning an operating system that has been infected by malware is no longer as simple as it used to be. Malware has become increasingly more difficult to clean, as malware creators find more ways to avoid removal. No single anti-virus or anti-spyware application can reliably successfully remove all malware that has been installed on a computer. In fact, it is not unusual to resort to an arsenal of security products, online scanners, and anti-spyware/ virus software in an attempt to ensure everything has been properly removed. Furthermore, there are many dubious anti-malware products, from those that are advertised by malware or those from creators who strike deals with malware creators to ignore their software, to those that ignore government spyware, such as Magic Lantern software. Prevention is the best strategy.

See also

• Computer viruses
• Spyware
• Worms
• Trojan horse
• Timeline of notable computer viruses and worms
• List of computer viruses
• List of computer virus hoaxes
• List of trojan horses

External links

• Malware: what it is and how to prevent it
• Magoo's Guide to Eliminating Spyware— Information on how to get rid of spyware and keep it from coming back
• Antisource.com - Malware Analysis
• CastleCopsFree support in computer malware removal.
• Spyware Warrior- Free resources and help for removing all types of Malware
• "Ten steps to Malware prevention"- Systematic tutorials on Spyware removal and prevention.
• Future MalwareFuture Trends of Malware
• CASEScontact.org - tips and tricks protecting systems against malware, spyware and blended threats
• CyTRAP.org labs - online resource community for IT security, strategy and risk assessment
• EU-IST news - IT security & malware insights for CERT staff & security engineers

da:Malware de:Schadprogramm es:Malware fr:Logiciel malveillant ko:???? it:Malware nl:Malware ja:????? pl:Malware pt:Malware sk:Malware fi:Haittaohjelma sv:Malware vi:Ph?n m?m ác tính zh:????

This article is licensed under the GNU Free Documentation License.
It uses material from the http://en.wikipedia.org/wiki/Malware Wikipedia article Malware.