Malware Types
Malicious software, commonly known as malware, can be classified into a few categories or types based on known behaviors, method of infection, and the resulting symptoms. One challenge in creating a classification scheme is that the majority of recent threats combine several malware types; in effect, they are blended. A malware attack could be the result of a virus or worm that has some Trojan functionality, creates a breach in the system, and releases a malware payload. Other malware can be uploaded to the system and effectively turn it into a zombie computer for the purpose of a Denial of Service attack. This can make classification a considerable challenge. More importantly, however, the categories used here are intended as a starting point for describing the malicious software activities that result in loss of security, damage, and degraded system performance.
Malware can breach computer security systems for the purpose of criminal activities including fraud and theft. In most cases these items are contracted without the user’s knowledge or consent. They can run and stay resident on a computer despite attempts to manually remove them. These malicious programs are created by software authors with purpose and intent, and new malware threats are developed and released to the public every day. Accordingly, the information presented here will be updated as required.
The following categories detail specific types of malware threats:
Viruses
Description: Viruses are distinguishable from other malware in that they spread and propagate themselves from computer to computer. Viruses are contracted only in cases when a user accesses an infected object or when a user launches or runs malicious code when performing a particular action.
Method of Infection: Viruses infect files which are used by others on a network, through removable storage devices, or via email attachments. Viruses can also be used in conjunction with worms and Trojans.
Symptoms: There are numerous potential symptoms in this sub-category. Viruses can use up system resources, but they are more commonly known to overwrite code, delete files, or corrupt data in some way. This can result in erratic and unusual computer activities. Other system resources can be penetrated and affected as the malware intruder spreads and replicates itself. In some cases viruses are programmed not to do any damage but to display messages, and in these cases the effects on the system may be negligible or undetectable for the average user. In other cases, viruses are created to do harm and the computer can suffer system crashes, experience data loss, or incur irreparable damage. Some viruses will use up available system memory and bring the system to a halt, and others are capable of bypassing system security and travelling across networks.
Worms
Description: Worms are distinguishable from other malware in that they spread and propagate themselves from computer to computer. They can be distinguished from viruses in that they do not need to be attached to another existing program. Worms penetrate remote machines and launch infected copies using email, instant messages, file sharing (P2P), IRC channels, and network transfer on LANs and WANs.
Method of Infection: Worms can spread in one form or another. They can be carried in email attachments and can attack insecure network access points or attack vectors – vulnerable entry points in applications or the operating system. Some worms are known as “fileless” or packet worms. These spread on a network and directly target and penetrate the computer’s RAM.
Symptoms: There are numerous potential symptoms in this sub-category. Worm-infected systems and networks can use up system resources and consume bandwidth. In the past, the majority of worm infections were designed only to spread and propagate themselves. Even in these cases, however, network traffic can be disrupted. In other, more intentional cases of worm attacks, unwanted items can be installed, such as backdoor malware which can be used to exploit the system further or turn it into a “zombie” or “bot” machine. Other symptoms can include the unexplained deletion of files, corruption of existing data, and the overwriting of code. The effect on the system can include erratic and unusual activities. The worm can also spread and replicate itself and infect other resources on the system. In some cases, with less harmful worm variants, changes to the system may go unnoticed. However, in other situations system crashes and performance loss can result.
Trojan Programs
Description: Unlike viruses and worms, Trojan malware does not self-replicate. Similar to the story of the Trojan horse, these items appear benign until they are downloaded and become resident on your computer system. Trojans are a serious threat to security. Once resident on the system they can open a “backdoor” to the computer (for example, port 21). This gives remote access to the system, and other security breaches can then be performed. Trojans are one of the most common tools of the malware trade and are used in conjunction with other malicious software. As a result, there are numerous activities that these items can perform, including collecting sensitive data such as banking information and using the host machine as a proxy so that other remote attacks, such as a Denial of Service (DoS) attack, can be performed.
Symptoms: Trojan horse attacks are considered the most invasive and harmful to your computer. Once they are covertly installed on a system they can be activated automatically. While this may not be detected, there are several results that can occur behind the scenes. Potential behaviors include:
- Using system resources resulting in impaired functioning
- Damaging system files resulting in computer malfunction
- Uploading other malware to gain sensitive information
- Converting the computer to a proxy machine
- Locating and deleting files from the system; erasing, overwriting, or corrupting files
- Redirecting the computer to a specified destination such as a dial-up connection
- Gaining total control of the computer
Other Malware
This category consists of Unwanted Programs and Malware Tools.
Unwanted Programs
Description: Some programs can be installed onto a computer system and these items can threaten system functioning or bring about undesirable conditions. These programs include:
- Pornware: redirects the user to pay-per-view pornographic sites
- Riskware: administration tools that put the security of the system at risk
- Adware: unwanted and annoying advertisements that pop up
- Browser Helper Object (BHO): redirects the web browser or modifies the browser toolbar
- Exploit: programs that take advantage of system vulnerabilities
- Denial of Service (DoS) / Flooder: sends massive quantities of data to an Internet connection such as a server or a network so as to disrupt or flood the service
- Hoax: designed to trick an intended audience into believing a falsehood; it falsely warns the user about a virus and encourages the message to be forwarded
Symptoms: There is a wide array of potential symptoms in this sub-category. In the most severe cases, symptoms include system security breach, loss of computer controls, or inadvertent payment of fees. With Exploits, there is a potential loss of sensitive data, and the computer could be transformed into a “zombie” or “bot” machine so that it can perform other malicious attacks such as a DoS. Secondary symptoms include programs taking up disk space and using system resources unnecessarily. The computer can experience a slowdown in performance or can crash completely. In many instances these programs can be difficult to remove using common uninstall procedures.
Malware Tools
Description: This category includes tools that are used by malware creators, also known as "hackers", to develop malware programs. It also includes utility programs that simplify the malware creation process or perform some analysis to test the ability of the malware item in an upcoming attack. These programs include:
- Constructors: mechanisms capable of creating malware such as a Trojan, virus, or macro-virus. They are, in effect, a malicious software creation toolkit; the creator only needs to refer to a menu to select the features of the Trojan or virus.
- Hack Tools: programs that are created for the purpose of creating adware items such as pop-ups, unwanted advertisements, and website re-directs. These items can also collect data for the purpose of market research.
Symptoms: Not applicable; these tools are used to create or test malware.
