What is Malware?
This article will cover the inner workings of the most common types of malware, and will also explain why malware is created and the kind of damage that it can inflict on individuals, corporations and governments.
As was mentioned earlier, malware manifests itself in different forms; the most well-known is the virus.
Computer viruses are similar to their biological counterparts because they are capable of self-replication. The prime motivation of a virus is not to cause damage, but to clone itself onto another host so that it can spread further. If a virus causes damage it is more likely to be detected, and for this reason virus authors employ stealth techniques to keep it unnoticed. A good virus has a very small footprint and can remain undetected for a very long time.
Damage is not always a side-effect of infection. Sometimes damage has been purposely built in by the programmer. Some viruses are time activated; they silently spread for a number of days, months or years and will suddenly activate and do damage on one particular date. Other viruses are event driven. They will activate when something particular happens on a host, or when a command is sent to them via a covert Internet channel.
Worms are very similar to viruses in many ways. The biggest difference between a worm and a virus is that worms are network-aware. A virus finds it very easy to replicate itself amongst files on the same computer; however, it has a hard time jumping from one computer to another. A worm overcomes this computer-to-computer hurdle by seeking new hosts on the network and attempting to infect them.
This is an important difference: in the past viruses could take years before moving from one corporation to another, or from one country to another. Worms are capable of going global in a matter of seconds. This makes it very hard for them to be controlled and stopped.
The purpose of a trojan is to conceal itself inside software that seems legitimate. The term ‘trojan’ is derived from the Trojan Horse story in Greek mythology, which explains how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the inside.
The disguises that a trojan can take are only limited by the programmer’s imagination. A common trick is to conceal the trojan inside a seemingly harmless game. Trojans also come disguised as videos, pictures and even legitimate software packages. In each case, the disguise is something designed to tempt the victim into running it on his or her machine.
Cyber-crooks often use viruses, trojans and worms together. They design a trojan that ‘drops’ a virus or worm onto the victim’s computer, thus initiating a brand new infection. This virus or worm is usually called the ‘payload’ of the trojan. Trojans also drop spyware, a type of malware that I will explain next.
The primary function of spyware is to snoop on a user’s activity and send back the information it gathers to a hacker. Spyware does not have any infection mechanisms. It is usually dropped by trojans (and also by viruses and worms). Once dropped, it installs itself on the victim’s computer and sits there silently to avoid detection.
Once spyware is successfully installed it will begin collecting information. It is very common for spyware to log all the keys that the user types. This type of spyware is called a keylogger and can capture interesting information such as user names, passwords, credit card numbers and email addresses. Keyloggers capture every keystroke, so entire emails, documents and chats can be read by the malicious hacker.
There are more sophisticated forms of spyware that hook themselves to the network interface and siphon off all network data that enters or leaves the infected computer. This allows the hacker to capture entire network sessions, giving them access to files, digital certificates, encryption keys and other sensitive information.
A zombie works in a similar way to spyware. The infection mechanisms remain the same; however, the scope is different. A zombie does not usually collect information from the computer. Instead, it just sits there waiting for commands from the hacker. At times, hackers can infect tens of thousands of computers, turning them into zombie machines. Each of these machines is now at the disposal of the hacker, who usually issues commands so that all of them instantaneously send network requests to a target host, overwhelming it with traffic. This is called a distributed denial of service attack and is usually successful, even against the largest Internet organizations.
Recently security experts have noticed a new and scary trend in malware – website infections. When a website is infected, all the visitors to that particular website can potentially catch the bug and further spread the malware. Websites are very vulnerable; they are much more exposed than normal users. They are directly connected to the world wide web and are continuously serving content to anonymous users; furthermore, they are processing many requests, some of which might be malicious. New malware has now emerged that takes advantage of bugs in frameworks and their plug-ins; popular frameworks like WordPress and Joomla have vulnerabilities that allow them to be exploited and used as virus-serving mechanisms. Sometimes malware does not infect a website automatically, but a hacker breaks into the site and implants the malware manually. His reasons for doing so are explained in detail in the next sections.
If your website gets infected the damage can be devastating. Your website can be restored, but the trust of your users and customers can easily be destroyed. Furthermore, if you are discovered serving malware your site will be blacklisted in hundreds of blacklists worldwide. Removing yourself from these blacklists is a very lengthy and difficult task, so even after you have cleaned the virus, the damage will continue to linger for a long time.
Why is malware written?
The answer to the “what is malware?” question cannot be complete without exploring the ‘why’ of its creation. By now, you should have a pretty clear idea of what type of damage can be done as a result of malware, but you might be wondering – why do programmers create malware in the first place?
Student Hackers and Cyber-crooks
In the early days of software, programmers wrote malware mostly to prank one another, or to show off their technical skills. These programmers, who were usually students, had a great sense of humor but did not have much business sense. These students eventually graduated and got jobs. Their new motivation was now money, and how to make more of it using their skills. Some of these programmers learned that they could make thousands of dollars a day if they successfully exploited malware to their advantage.
These people went on to become cyber-crooks, defrauding individuals and organizations for financial gain. These criminals steal personal banking information to transfer money out of users’ bank accounts and into their own. They also launch distributed denial of service attacks against corporations and ask for money in exchange for an end to the attack.
Cyber-activism and cyber-war
Worms, zombies and distributed denial of service attacks are a good way to inflict mass damage on a global scale and are therefore very appealing to cyber-activists. These people want to get a message across and are ready to do so by any means necessary, and this includes writing malware that causes damage, gets them noticed, and enables them to announce their messages and beliefs to a large audience.
Governments are also part of the game. A cyber-war between countries is raging. Some countries such as China, Syria, and America are rumored to be state-sponsoring cyber-gangs whose only purpose is to research and develop new malware techniques capable of infiltrating government agencies and infrastructures. Malware has recently been spotted in the wild that was designed to infect SCADA systems with the aim of shutting down nuclear reactors. Some reports suggest that this worm, which might have been created by the Americans, was successful in shutting down several Iranian nuclear power plant coolers.
How bad is the problem?
The malware problem is huge and is growing fast. By the end of 2010 the counter for unique malware programs stood at 14 million, with a staggering 60,000 pieces of new malicious code detected every day. Recently a worm called Koobface — which targeted people on social networks — netted its creators over 2 million dollars in just 12 months. Another worm, Mariposa, is said to have created the biggest network of zombie machines in the world. Experts could never determine its exact size, but estimated that over 12 million computers were infected. This worm dropped spyware capable of stealing sensitive information from victims, such as bank account numbers and credit card details. All this was created by a single hacker in Spain who fortunately made a mistake which exposed him and got him arrested.
The industry is fighting back. Numerous security solutions are available from many vendors that help stop malware infections. The threat, however, is a moving target. Hackers keep finding new ways to write bigger and better malware; the incentives are all there, and the ongoing war is showing no signs of slowing down.