
Most common security threats explained

What is Malware?

Malware is short for malicious software. As the name suggests, malware is
created with the intention of damaging or taking control of a computer, or of
stealing information from it. Malware is a general term for a variety of
hostile or intrusive software. Malware attaches itself to the components of a
web page, pop-up advertisements, toolbars, or free applications that users
download, and sneaks into a computer when the user clicks the infected
component. Once malware is inside a system, it steals information stored on
that computer, such as social security numbers, passwords, and bank account
details. Examples of malware recently used by attackers are Backoff, Dyreza,
BlackEnergy, Crowti, and Crossbrowse.

Malware can be compared to the pea in a shell game. A street con running a
shell game on the sidewalk lures the mark (or victim) into trying to follow the
pea, when actually it’s an exercise in sleight of hand. Similarly, malware also
relies on sleight of hand—how to infect, persist, and communicate without
being detected. To understand, control, and successfully counter malware, we
need to focus on not just the pea (malware), but on all the moving parts.

Types of Malware

Malware has come a long way in the past thirty years. Initially malware was
thought of as an interesting experiment—what if computer programs could
take control of a system? It has progressed from being a tool for jokes between
programmers to becoming one of the key techniques cyber criminals use to
wreak havoc in the cyber world. The most commonly used malware techniques
are as follows:

■ Virus: Computer viruses are much like biological viruses. They spread
rapidly, their spread is accelerated or mitigated by human actions, and more
often than not they are harmful to their host's health. Computer viruses
spread to other computers by attaching themselves to programs, and are
replicated when the program is run. They are often spread by sharing files or
software between computers. Just as shaking hands with a person who has a
viral infection can infect you, sharing files such as a picture or a song with a
virus-infected computer can infect your computer as well. Viruses can be
used to harm host computers and networks, steal confidential information,
and create botnets (collections of compromised computers). Some viruses can
hide inside encrypted files, which makes them difficult to detect: an
encrypted file can be opened only with the correct password, so a scanner
cannot inspect its contents.

■ Trojan: A Trojan is a destructive program that masquerades as a harmless
application. Malicious users can remotely access computer systems using a
Trojan. Once attackers have access to these systems, they steal important
data (login details, financial information, passwords, electronic money,
photos, and videos), inject more malware, monitor user activity, or even
modify files.

In one instance, a Trojan introduced viruses into computers while claiming
it could remove the viruses already present on them.

■ Worm: A worm is the most commonly used type of malware. It is a program
that enters an operating system with the intention of spreading malicious
code. It also harms the computer by consuming excessive bandwidth, deleting
files, or sending documents out through email. Well-known worms include
Storm Worm, Nimda, and the Morris Worm.

Worms are often confused with viruses—worms have the ability to self-replicate,
while viruses rely on human activity to spread.

■ Spyware: This malware spies on user activity without the user's knowledge.
Users enter personal information on retail websites in the form of shipping
addresses and credit card details; spyware extracts these details so they can
be exploited.

Additionally, spyware modifies browser security settings to make the browser
more vulnerable. Spyware is usually bundled with the free applications that
are downloaded from the Internet. It spreads by exploiting software
vulnerabilities.

■ Ransomware: Ransomware is malware that prevents users from accessing
their computer systems. After finding its way into a system, it encrypts all the
files on it and holds the key that can decrypt them for ransom. Ransomware is
similar to kidnapping a person—the person is released only when the ransom
has been paid, and here the data is retrieved only when the ransom is paid.
Just as in a kidnapping, paying the ransom doesn't guarantee the safety of the
data. Users may download ransomware by visiting compromised or malicious
websites; it is also delivered as an attachment in emails. Crowti is one of the
prime examples of ransomware.

■ Rootkit: A rootkit is malicious software designed to remotely access or
control a computer without alerting the user or the security programs. Once
the rootkit is installed, malicious parties remotely access files, modify
security settings, steal crucial information, or control the computer and use
it to attack other computers.

Rootkit prevention, detection, and removal are difficult because of the
rootkit's stealthy operation, so rootkit detection is only done manually
through regular scans and monitoring. Users can protect their computers from
rootkits by frequently updating software, applications, operating systems,
and virus definitions (the data used to update the antivirus software on a
system), avoiding suspicious downloads, and carrying out scans to check for
malware.

■ Adware: Program code embedded in software, without the user being aware
of it, in order to display advertising. As a rule adware is embedded in software
that is distributed free of charge, and the advertisements appear in the
program's working interface. Adware often gathers the user's personal
information and transfers it to the adware's distributor.

■ Botnet: Software running on infected computers, called zombies, is often
known as a botnet. Bots, by themselves, are simply a form of software that
runs automatically and autonomously. (For example, Google uses the
Googlebot to find web pages and bring back values for the index.) Botnet,
however, has come to be the word used to describe malicious software
running on a zombie and under the control of a bot-herder. Denial-of-service
attacks—DoS and DDoS—can be launched by botnets, as can many forms of
adware, spyware, and spam (via spambots). Most bots are written to run in the
background with no visible evidence of their presence. Many malware kits can
be used to create botnets and modify existing ones. There is no universal
approach to dealing with botnets, but knowing how to deal with various
botnet types (all of which are described here) is important for exam
preparation. Some can be easily detected by looking at a database of known
threats, whereas others have to be identified through analysis of their
behavior.
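The behavioural route the paragraph ends on, as an added example that is not from the original text: a check over constructed proxy-log lines that flags a client contacting the same destination at a near-fixed interval, the beaconing pattern of a bot reporting to its controller. The log format, the hostnames and the jitter threshold are assumptions.

```python
# Behavioural botnet check: a bot that phones home to its controller does so
# at a fixed interval, so a (client, destination) pair with unusually regular
# gaps between connections stands out even when the destination is not in any
# database of known threats. Added example, not from the original text; the
# proxy log lines below are constructed and their format is assumed.
import statistics
from collections import defaultdict
from datetime import datetime

LOG = """\
2024-05-01T10:00:00 10.0.0.5 update.example-cdn.test
2024-05-01T10:00:07 10.0.0.5 news.example.test
2024-05-01T10:05:02 10.0.0.5 update.example-cdn.test
2024-05-01T10:09:58 10.0.0.5 update.example-cdn.test
2024-05-01T10:12:31 10.0.0.5 news.example.test
2024-05-01T10:15:01 10.0.0.5 update.example-cdn.test
2024-05-01T10:20:00 10.0.0.5 update.example-cdn.test
2024-05-01T10:23:44 10.0.0.5 news.example.test
2024-05-01T10:24:59 10.0.0.5 update.example-cdn.test
2024-05-01T10:41:09 10.0.0.5 news.example.test
2024-05-01T10:44:02 10.0.0.5 news.example.test
"""

def parse(log):
    """Group connection times by (client, destination); lines are assumed to
    be 'ISO-timestamp client destination', space separated."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, dest = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(log, min_hits=5, max_jitter=0.1):
    """Return (client, destination, period_seconds) for pairs seen at least
    `min_hits` times whose gap coefficient of variation is <= `max_jitter`."""
    beacons = []
    for (client, dest), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps, not a meaningful interval
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((client, dest, round(mean)))
    return beacons

if __name__ == "__main__":
    for client, dest, period in find_beacons(LOG):
        print(f"{client} -> {dest} every ~{period}s (possible beacon)")
```

Real bots add deliberate jitter, so the threshold is a tuning knob, and a regular interval alone is a lead for analysis rather than proof of compromise.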

■ Backdoor: The term backdoor attack (also known simply as a backdoor) can
have two different meanings. The original term backdoor referred to
troubleshooting and developer hooks into systems that often circumvented
normal authentication. During the development of a complicated operating
system or application, programmers add backdoors or maintenance hooks.
Backdoors allow them to examine operations inside the code while the code
is running. The backdoors are stripped out of the code when it's moved into
production. When a software manufacturer discovers a hook that hasn't been
removed, it releases a maintenance upgrade or patch to close the backdoor.
These patches are common when a new product is initially released.
The second type of backdoor refers to gaining access to a network and
inserting a program or utility that creates an entrance for an attacker. The
program may allow a certain user ID to log on without a password or to gain
administrative privileges.
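An added example, not from the original text, of checking a Unix-style host for the two account conditions the second meaning names: an account that logs on without a password, and a second account carrying administrative (UID 0) privileges. The passwd and shadow content is constructed for the demo, not taken from a real host.

```python
# Backdoor-account check for the two conditions the text names: a login that
# needs no password, and a non-root account with administrative (UID 0) rights.
# Added example, not from the original text; the passwd/shadow content is
# constructed for the demo, not taken from a real host.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_maint:x:0:0:maintenance:/var/tmp:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$hashhashhashhashhash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice::19800:0:99999:7:::
svc_maint:$6$saltsalt$hashhashhashhashhash:19800:0:99999:7:::
"""

def parse_passwd(text):
    """Map username -> (uid, login shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":")
            users[name] = (int(uid), shell)
    return users

def parse_shadow(text):
    """Map username -> password-hash field from shadow-format text."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}

def find_backdoor_accounts(passwd_text, shadow_text):
    """Return sorted (username, reason) findings."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, (uid, shell) in sorted(parse_passwd(passwd_text).items()):
        # An empty hash field means the account logs in with no password;
        # a locked account ("*" or "!") and a nologin shell are fine.
        if hashes.get(name) == "" and not shell.endswith("nologin"):
            findings.append((name, "no password set"))
        # A second UID 0 entry is root under another name.
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
    return findings

if __name__ == "__main__":
    for name, reason in find_backdoor_accounts(PASSWD, SHADOW):
        print(f"{name}: {reason}")
```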

Surviving Viruses

A virus is a piece of software designed to infect a computer system. Under the
best of circumstances, a virus may do nothing more than reside on the
computer, but it may also damage the data on your hard disk drive (HDD),
destroy your operating system, and possibly spread to other systems.

Viruses get into your computer in one of three ways:

■ On contaminated media (DVD, USB drive, or CD-ROM)

■ Through email and social networking sites

■ As part of another program

Viruses can be classified as:

■ Polymorphic: Polymorphic malware of any type—though viruses are the only
ones truly prevalent—changes form in order to avoid detection. These types of
viruses attack your system, display a message on your computer, and delete
files on your system. The virus will attempt to hide from your antivirus
software; frequently it encrypts parts of itself to avoid detection. When the
virus does this, it's referred to as mutation. The mutation process makes it
hard for antivirus software to detect common characteristics of the virus.

■ Stealth: A stealth virus attempts to avoid detection by masking itself from
applications. It may attach itself to the boot sector of the hard drive. When a
system utility or program runs, the stealth virus redirects commands around
itself in order to avoid detection. An infected file may report a file size
different from what is actually present in order to avoid detection.

■ Retrovirus: A retrovirus attacks or bypasses the antivirus software
installed on a computer. You can consider a retrovirus to be an anti-antivirus.
Retroviruses can directly attack your antivirus software and potentially destroy
your virus definition database file. Destroying this information without your
knowledge would leave you with a false sense of security. The virus may also
directly attack an antivirus program to create bypasses for itself.

■ Multipartite: A multipartite virus attacks your system in multiple ways. It
may attempt to infect your boot sector, infect all of your executable files, and
destroy your application files. The hope here is that you won't be able to
correct all of the problems and this will allow the infestation to continue.

■ Armored: An armored virus is designed to make itself difficult to detect or
analyze. Armored viruses cover themselves with protective code that stops
debuggers or disassemblers from examining critical elements of the virus. The
virus may be written in such a way that some aspects of the programming act
as a decoy to distract from analysis while the actual code hides in other areas
in the program. From the perspective of the creator, the more time it takes to
deconstruct the virus, the longer it can live. The longer it can live, the more
time it has to replicate and spread to as many machines as possible. The key to
stopping most viruses is to identify them quickly and educate administrators
about them—the very things that the armor makes more difficult to
accomplish.

■ Companion: A companion virus attaches itself to legitimate programs and
then creates a program with a different filename extension. This file may
reside in your system's temporary directory. When a user types the name of
the legitimate program, the companion virus executes instead of the real
program. This effectively hides the virus from the user. Many of the viruses
that are used to attack Windows systems make changes to program pointers in
the Registry so that they point to the infected program. The infected program
may perform its dirty deed and then start the real program.
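An added example, not from the original text, of the check a defender would run for the companion pattern just described: find executables in a directory that share a basename but differ in extension, and report which one the shell would run first. The modelled extension order and the sample directory contents are assumptions.

```python
# Companion-file check: a companion virus drops an executable with the same
# basename as a legitimate program but an extension the shell tries first, so
# typing the program's name runs the companion. This flags such pairs in a
# directory. Added example, not from the original text; the directory contents
# below are constructed for the demo.
import os
import tempfile
from collections import defaultdict

# Order in which the Windows shell resolves a bare name (the default PATHEXT
# starts .COM;.EXE;.BAT;.CMD); only these four are modelled here.
EXEC_ORDER = [".com", ".exe", ".bat", ".cmd"]

def find_companion_candidates(directory):
    """Return sorted (runs_first, shadowed) pairs of executables in `directory`
    that share a basename and differ only in extension."""
    by_stem = defaultdict(dict)
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if ext.lower() in EXEC_ORDER:
            by_stem[stem.lower()][ext.lower()] = name
    findings = []
    for variants in by_stem.values():
        present = [e for e in EXEC_ORDER if e in variants]
        # The first present extension wins; every other variant is shadowed.
        for ext in present[1:]:
            findings.append((variants[present[0]], variants[ext]))
    return sorted(findings)

def demo():
    """Create a constructed directory with one companion pair and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ["notepad.exe", "notepad.com", "backup.bat", "readme.txt"]:
            open(os.path.join(d, fname), "wb").close()
        return find_companion_candidates(d)

if __name__ == "__main__":
    for runs_first, shadowed in demo():
        print(f"{runs_first} would run in place of {shadowed}")
```

A hit is a lead, not a verdict: compare the two files' hashes and signatures, and check the Registry program pointers the text mentions, before treating the pair as an infection.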

■ Phage: A phage virus modifies and alters other programs and databases. The
virus infects all of these files. The only way to remove this virus is to reinstall
the programs that are infected. If you miss even a single instance of this virus
on the victim system, the process will start again and infect the system once
more.

■ Macro: A macro virus exploits the enhancements made to many application
programs that are used by programmers to expand the capability of
applications such as Microsoft Word and Excel. Word, for example, supports a
mini-BASIC programming language that allows files to be manipulated
automatically. These programs in the document are called macros. For
example, a macro can tell your word processor to spell-check your document
automatically when it opens. Macro viruses can infect all of the documents on
your system and spread to other systems via email or other methods. Macro
viruses are the fastest-growing form of exploitation today.
