Understanding Malware - What is Malware?

There are numerous types of malicious software floating around the Internet. Many of them have existed for years. Once released "into the wild" they are almost impossible to eradicate.The one thing they all have in common is the intent to "...infiltrate a computer system without the owner's informed consent" (Wikipedia.org). Included in this definition are programs intended to steal personal information or masquerade as a user for financial gain. This collection of nasties has become known as malware (MALcious softWARE).

Spyware and adware programs, which may be annoying but have no criminal intent, are often included under the malware moniker. However, they are not included here. I cover them in detail in a future series.

The most common types of malware include:

• Viruses
• Worms
• Trojans
• Keyloggers
• Botnet agents
• Rootkits

Before I provide a detailed explanation of each of these, let's pause to look at the history of malicious software.

With the emergence of computers, malware arose from the dark side. UNIX computers were the first targets. In the 1970s and 1980s, programs known as rootkits were developed.¹ Those who hack systems with criminal intent, known as black hats, used these applications to hide their presence while they had their way with an unsuspecting organization's infrastructure.

The first personal computer malware category to arise was viruses. As early as 1982, high school student Rich Skrenta wrote a gem called "Elk Cloner" for Apple II computers.² Yes, the first known virus targeted an Apple computer. At the time, it was probably the biggest target.

As malware defense matured, so did malware sophistication. Other types of malicious programs emerged, including those which could propagate without any help from the user population. Known as worms, they are probably today's biggest challenge to malware defense.

And the black hats have been busy. Over the years, the malware count has risen exponentially--and continues to do so. Figure 1 depicts malware growth through May 2009.³

The statistics shown are from AV-Test.org, a company that tests the effectiveness of anti-virus software, and formatted by PC Magazine. They show an accelerating increase in the number of unique malware applications since 2007. There is no evidence this growth will stop.

Early malware was written by hackers trying to make a name for themselves within the black hat community. Today, malware is used by individual black hats as well as crime syndicates to make money--to transfer your money to criminals' bank accounts around the world.

Now that I have your attention, let's look at each of the types of malware as we explore the question, what is malware?

Like any malware program, viruses are written to perform some action on your computer which you would rather not allow, including:

• Erasing files
• Crashing your system
• Taking your computer hostage until you pay a "fee"
• Stealing intellectual property
• Stealing personal identity information
• and anything else the black hats can think of

Although many people label all malware as viruses, the term "virus" has a specific meaning. A virus is malware that cannot propagate from one computer to another without help. For example, early viruses were spread as floppy disks passed from one machine to another. They also spread as users share files over a network or email infected files to friends, family, and coworkers. I'll get into more detail about how this happens in the second installment of this series.

Viruses were nice, but they didn't get around fast enough. So the worm was born. Worms can move between computers or networks without help from anyone. As long as the vulnerability a worm was written to exploit exists, and as long as the worm can see the vulnerability, it will do its job.

Worms can spread very quickly. One recent example is Conficker.

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control.⁴

Once a worm like Conficker infects an organization's network, in can potentially spread to all connected computers within hours--or minutes for smaller networks.

Trojans, keyloggers and rootkits are related types. They tend to support each other.

Trojans are malware installed when a user downloads software from a Web site, typically by clicking a link. The application downloaded may appear to be something the user wants or needs. However, hidden within it is a nefarious program.

For example, a user might download a new game from his or her favorite site. During installation, everything seems to work as expected, except a keylogger application is installed silently. Keyloggers capture all keystrokes--including passwords, PINs, etc.--entered bank or other protected sites. The captured information is periodically sent to the black hat's server. If the user is lucky, the information won't be used to steal his or her identity, reduce bank balances, etc.

Anti-virus software can't always locate and remove these types of malware. Black hats often use rootkit technology to "hide" their programs. If a keylogger or botnet agent is installed with rootkit technology, it is invisible to the operating system and therefore to most, if not all, anti-virus applications.

Finally, many malware instances are used to recruit computers into black hat botnets. A botnet is a collection of computers infected with malware specifically designed to give a cyber-criminal control. By passing commands to botnet agent software located on some or all controlled systems, a black hat can contract with other criminal elements to send spam, phishing messages, or perform other tasks across the Web--for a hefty fee.

In the next article, I dig deeper into how malware works once it breaks through your computer's defenses.

1 & 2. Koch, C. (2007, June). A Brief History of Malware and Cybercrime, CIO.com, p. 2, retrieved January 5, 2010 from http://www.cio.com/article/print/116250

3. Security Watch (2009, July). The Growth of Malware: Up, Up and Away, PCMag.com, retrieved January 5, 2010 from http://blogs.pcmag.com/securitywatch/2009/07/the_growth_of_malware_up_up_an.php

4. Wikipedia.org (2010, January) Conficker, Retrieved January 5, 2010 from http://en.wikipedia.org/wiki/Conficker