
Understanding Malware - What is Malware?

written by: Tom Olzak, CISSP•edited by: Michele McDonough•updated: 5/23/2011

The Internet is an essential part of our modern lives. However, it is also a haven for malicious software written by, and often controlled by, cybercriminals. Understanding the enemy is the first step in mounting an effective defense.


    Malware Defined

    There are numerous types of malicious software floating around the Internet. Many of them have existed for years. Once released "into the wild" they are almost impossible to eradicate. The one thing they all have in common is the intent to "...infiltrate a computer system without the owner's informed consent". Included in this definition are programs intended to steal personal information or masquerade as a user for financial gain. This collection of nasties has become known as malware (MALicious softWARE).

    Spyware and adware programs, which may be annoying but have no criminal intent, are often included under the malware moniker. However, they are not included here. I cover them in detail in a future series.

    The most common types of malware include:

    • Viruses
    • Worms
    • Trojans
    • Keyloggers
    • Botnet agents
    • Rootkits

    Before I provide a detailed explanation of each of these, let's pause to look at the history of malicious software.


    Brief History of Malware

    With the emergence of computers, malware arose from the dark side. UNIX computers were the first targets. In the 1970s and 1980s, programs known as rootkits were developed.[1] Those who hack systems with criminal intent, known as black hats, used these applications to hide their presence while they had their way with an unsuspecting organization's infrastructure.

    The first personal computer malware category to arise was viruses. As early as 1982, high school student Rich Skrenta wrote a gem called "Elk Cloner" for Apple II computers.[2] Yes, the first known virus targeted an Apple computer. At the time, it was probably the biggest target.

    As malware defense matured, so did malware sophistication. Other types of malicious programs emerged, including those which could propagate without any help from the user population. Known as worms, they are probably today's biggest challenge to malware defense.

    And the black hats have been busy. Over the years, the malware count has risen exponentially--and continues to do so. Figure 1 depicts malware growth through May 2009.[3]

    Figure 1: AV-Test.Org Unique Malware Instances

    The statistics shown are from AV-Test.org, a company that tests the effectiveness of anti-virus software, and were formatted by PC Magazine. They show an accelerating increase in the number of unique malware applications since 2007. There is no evidence this growth will stop.

    Early malware was written by hackers trying to make a name for themselves within the black hat community. Today, malware is used by individual black hats as well as crime syndicates to make money--to transfer your money to criminals' bank accounts around the world.

    Now that I have your attention, let's look at each of the types of malware as we explore the question, what is malware?

    Viruses
    Like any malware program, viruses are written to perform some action on your computer which you would rather not allow, including:

    • Erasing files
    • Crashing your system
    • Taking your computer hostage until you pay a "fee"
    • Stealing intellectual property
    • Stealing personal identity information
    • and anything else the black hats can think of

    Although many people label all malware as viruses, the term "virus" has a specific meaning. A virus is malware that cannot propagate from one computer to another without help. For example, early viruses were spread as floppy disks passed from one machine to another. They also spread when users share files over a network or email infected files to friends, family, and coworkers. I'll get into more detail about how this happens in the second installment of this series.

    Worms
    Viruses were nice, but they didn't get around fast enough. So the worm was born. Worms can move between computers or networks without help from anyone. As long as the vulnerability a worm was written to exploit exists, and as long as the worm can reach a machine that has it, it will do its job.

    Worms can spread very quickly. One recent example is Conficker.

    Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control.[4]

    Once a worm like Conficker infects an organization's network, it can potentially spread to all connected computers within hours--or minutes for smaller networks.


    Trojans, Keyloggers, Rootkits, and Botnet Agents

    Trojans, keyloggers and rootkits are related types. They tend to support each other.

    Trojans are malware installed when a user downloads software from a Web site, typically by clicking a link. The application downloaded may appear to be something the user wants or needs. However, hidden within it is a nefarious program.

    For example, a user might download a new game from his or her favorite site. During installation, everything seems to work as expected, except that a keylogger application is installed silently. Keyloggers capture all keystrokes--including passwords, PINs, etc.--entered on bank or other protected sites. The captured information is periodically sent to the black hat's server. If the user is lucky, the information won't be used to steal his or her identity, reduce bank balances, etc.

    Anti-virus software can't always locate and remove these types of malware. Black hats often use rootkit technology to "hide" their programs. If a keylogger or botnet agent is installed with rootkit technology, it is invisible to the operating system and therefore to most, if not all, anti-virus applications.

    Finally, many malware instances are used to recruit computers into black hat botnets. A botnet is a collection of computers infected with malware specifically designed to give a cyber-criminal control. By passing commands to botnet agent software located on some or all controlled systems, a black hat can contract with other criminal elements to send spam, phishing messages, or perform other tasks across the Web--for a hefty fee.

    In the next article, I dig deeper into how malware works once it breaks through your computer's defenses.

    References
    1 & 2. Koch, C. (2007, June). A Brief History of Malware and Cybercrime, p. 2, retrieved January 5, 2010 from

    3. Security Watch (2009, July). The Growth of Malware: Up, Up and Away, retrieved January 5, 2010 from

    4. (2010, January). Conficker, retrieved January 5, 2010 from

Understanding Malware

This series of four articles describes the types of malware, how they negatively affect our lives, and how to combat them.
  1. Understanding Malware - What is Malware?
  2. Understanding Malware - How Malware Works
  3. Configuring Free Anti-virus Protection
  4. To Pay or Not To Pay for Anti-virus protection