A Field Guide To Malware In 2016

Malware is used for a wide variety of purposes, from sleazy business practices to blatant crime. Discussions of malware often mix up the technology of malware and its uses.

You will see below that the same technology can be used to direct ads to you that you normally would not see, or to steal the credentials for your online banking account. It is the same technology with a different outcome.

This is a guide to malware types:

Adware/Spyware/Crimeware

Adware normally infects your vulnerable web browser. It originates from downloads from web sites that carry the adware as a payload. This type of undesirable-ware monitors and reports on the web sites you visit and makes you the target of ads whose distribution earns money for the malware's authors.

Adware can affect the results of searches but does not normally steal information from your system.

Spyware is much like adware but has more dangerous objectives than delivering unwanted ads. It uses the same techniques for secretly infecting and monitoring a system but the use of the information can be more nefarious – hence the term “spyware”.

Spyware can be used for collecting your web browsing history for advertisers and for potential blackmail.

Crimeware is the next step in the use of malware: it steals sensitive information with the intent of using it for financial gain, by making illegal fund transfers or unauthorized transactions.

Botnets

Any of the malware we mention here (Trojan, worm, virus) can be used to convert an infected system into a victim or “zombie” machine of a botnet. These victim machines are controlled by central servers that put them to use. The controllers of the botnets can use these large numbers of machines to:

  • Run distributed denial of services (DDoS) attacks against organizations, political groups and individuals
  • Distribute large amounts of email spam
  • Operate “click fraud” where the criminals get paid for illegitimate site visits
  • Mine bitcoins, using the machines to perform the calculations needed to create bitcoins
  • Act as Dark Net nodes for continuously changing criminal web sites

Ransomware

We covered Ransomware in this article. The actual programs that encrypt the data and demand ransoms are downloaded as the payloads of Trojans, worms and viruses.

Malware

It is getting more difficult to create a breakdown of malware types, even for malware researchers. This is because more modern attacks like Ransomware involve a number of phases and components, each of which can individually be described as a different category of malware. Each malware type described briefly below has a number of families of that particular type, and each family can in turn have a number of variants.

Backdoors

Backdoors are malware programs installed on systems to allow a cyber criminal to get access to the system whenever they want for malicious purposes. In the past, legitimate programs often had backdoors purposely included to allow the vendors to get access for maintenance purposes. These backdoors were discovered by cyber criminals and misused. Now criminals want to be able to get access to your system whenever they want, and backdoor programs provide it. The backdoors are installed once the system has been exploited through other malware like Trojans and worms.

Rootkit

A rootkit is another program that is used to secretly control a computer system. It is often installed as part of the operating system (OS) and/or modifies an OS program. Once it is part of the OS it has high kernel-level privileges and is difficult for AV programs to detect. It is called a “root” kit after the Unix account “root”, which holds the highest privileges on the system.

The power of the rootkit is that it is difficult to detect and can prevent itself from being removed. Since it has administrative powers, a rootkit can initiate any program and can communicate with external command and control systems. As an example, in 2005, Sony BMG shipped a music player on its CDs that installed a rootkit; it was a digital rights management program that limited the ability to copy the CD.

Trojan

Like its namesake, a Trojan program disguises itself as a legitimate and harmless program or file. However, once it is executed, it attempts to gain control of your system. The Trojan is often the first phase of a more advanced attack. Once it runs on the system, it will communicate with its command and control systems and download more malicious payloads. In this case, the Trojan acts as the “dropper” that downloads any number of other tools, such as backdoors and rootkits, that will be used for further exploitation. Trojans make up about 70% of all new malware.

Gameover ZeuS is an example of a famous Trojan. It steals login details for popular web sites that involve financial transactions.

Virus

The term virus was used in early malware history to describe a piece of malware that spreads like a biological infection, through contact with other systems. Viruses need human involvement in some way to infect and spread, and they typically attach themselves to a legitimate program.

A virus makes copies of itself and tries to spread, mostly through infected files that others will open from email or file shares. The virus will have some objective for its ability to infect and spread – in the past viruses destroyed data randomly, but now they are used to spread other malware. Viruses make up about 10% of new malware.

As an example, Shamoon is a virus that was used for cyber espionage against computers in the oil and energy industry.

Worms

Worms are designed for the same purpose as viruses – to spread by themselves across systems. Unlike a virus, a worm spreads itself through some network activity, such as being downloaded from an infected web site. Worms may cause disruption on a network due to their attempts to spread.

Worms are typically used to distribute payloads such as backdoors and ransomware. Worms make up about 5% of new malware.

As an example, Stuxnet was the first worm to attack SCADA industrial control systems, and it was used to target Iranian nuclear facilities.

Hijackers/Keyloggers

Browser hijackers are often included in the spyware category of malware. This type of malware changes your browser's home page and default search engine, and displays sponsored ads, links and search results.

Keyloggers are often used in very dangerous spyware. They are payloads downloaded by Trojans, worms and viruses. A keylogger records all your raw keyboard input in order to extract account IDs and passwords for sensitive web sites. This information is used later to access the accounts for further malicious activity.

The Future

The categorization or taxonomy of malware is becoming more difficult for professional researchers, and they are working on a system to categorize individual samples. If they succeed, it will make it a lot easier for security analysts to quickly determine a sample's type and family, its behaviors, its indicators for detection and how it can be quickly mitigated.

But for us, just knowing the difference between a Trojan and a backdoor can be very helpful to understand the changing dynamics of cyber crime and the threats to our privacy.
