Malware 101
- Getting to the Root of Understanding Malicious Software
Overview
If you've been using the Internet for more than
a few weeks you're likely aware that there's some portion of the world's
people who don't have your best interest in mind. While their motivations
vary, from the usually benign computer enthusiast who in their zeal
to learn releases a troublesome program to the organized crime groups
whose sole focus is to separate you from your money, they all have
the same end effect. They make your use of the Internet for personal and
business purposes perilous, and a pain, to varying degrees.
A spyware program that causes pop-ups is largely just annoying. A key
logging program that records your login and password credentials for
your bank or brokerage account and sends them over the Internet to
a computer criminal can be disastrous.
Gone are the rather benevolent early days of the Internet prior to
around 1997. We're now in the malevolent days of computer criminals,
cyber terrorists and others looking to use the vast anonymity of the
Internet for personal gain at others' expense. No, we're not in Kansas
anymore.
Definitions: Naming the Beasts
The term Malware, a contraction of malicious
software, is something of a catch-all term to describe the literal
Pandora's Box of items that plague the Internet. In fact many
of the terms overlap for a given pest, so in an attempt to create some
order in the chaos of naming I've chosen the following categories, each with an
accompanying brief definition. These are meant as an introduction, as
we'll go further into each of these areas later in the series.
I would also note that this list isn't all-encompassing, as there
are items such as Internet Explorer's browser helper objects (BHOs)
that are commonly used to install spyware but aren't necessarily
malicious in themselves; they are more a mechanism (vector) exploited by malware
developers. BHOs will be covered under Spyware / Adware (Week 2 of
the series). In sum, to keep things manageable I've chosen these broader
categories with the intent to cover the lesser, related items later.
Spyware/Adware
The terms spyware and adware are often used somewhat interchangeably
and have rather broad and inexact meanings. Adware usually refers
to any type of software that after having infected a computer causes
various advertisements, usually in the form of pop-ups, to appear
on the infected computer.
Spyware may act in a similar manner but, more importantly, typically
includes taking some degree of control of the infected computer, such
as changing the default web page of the browser, tracking user surfing
habits and reporting that information to others (usually without the
consent of the computer owner/user), and other clandestine breaches
of privacy.
Software Bugs and Exploits
Software bugs, as the name implies, are flaws in the programming
of the software that create an undesirable situation. The bugs of
interest from a security viewpoint are those that create a situation
where an attacker, by using a specially developed set of techniques,
can exploit the software flaw to gain unauthorized access to the
operating system on which the flawed software is running.
The goal for the attacker, once having achieved access to the system,
is to elevate their privileges to a high enough level to take some
degree of control of the system. The usual target is the "master" level
account: "Administrator" for Windows NT based systems such as
Windows 2000 and Windows XP, and "root" for the Linux and Unix operating
systems. This broad category has been at the heart of much of what
has plagued the Internet for the past several years. Fixing these
flaws is what software patching is about, such as the software fixes
that are released by Microsoft on the second Tuesday of each month and
accessed by running "Windows Update".
Root Kits
As of this writing (Jan 14, 2006) root kit technology has been
all over the news, starting with the Sony issue in Dec. 2005 and a number
of software products since. So what's the issue with root kits that's
causing all the fuss? Root kits are primarily a set of software tools
used by a malicious intruder who has successfully gained access (referred
to as hacking or cracking) to a computer system. The functions of
the root kit software are usually several fold, including:
- Installing altered versions of key operating system software
components that assist the intruder (hacker) in hiding their presence
on the system.
- Software that allows the intruder, by secure and secret means,
to remotely access (over a network such as the Internet) the computer
system that has been compromised by the root kit. Such software
is often referred to as a back door.
Root kits exist for the most widely used operating systems, including
Microsoft Windows, UNIX and Linux.
Trojan Horses
Like the horse of Greek mythology, a Trojan Horse program is more
than it appears to be. Trojans, as they are often called in the parlance
of the computer security world, are malicious programs under
the guise of a useful or fun piece of software such as a screen saver
or game. Trojan Horse programs often install a back door, as mentioned
previously under root kits.
Unlike viruses and worms, Trojans are generally non-replicating, meaning
that they can't spread by their own methods and require user interaction.
Worms
The key factor in defining the behavior of software in this category
is that it has the ability to self-replicate and therefore spread
across a network of computers. Besides having the program code to
self-replicate and spread itself, more recent worms also carry other
program code referred to as the payload.
With worms of the past several years, delivery of the payload has
been the real objective, in order to install software such as spyware,
keyloggers and hidden mail or proxy servers for the purpose of sending
spam.
Back Doors
Given that the topic is a rather broad term for any number of programs
and techniques, we'll save the detailed exploration for later when
we specifically cover the topic in Week 9 of this series. In the
interim, suffice it to say that a backdoor is in general any method that allows
an attacker to access a system while bypassing normal security controls,
such as a system login and password. Backdoors are
typically installed by an attacker (hacker) after having successfully
broken into the computer, or by a worm designed for that purpose.
RATs (Remote Administration Tools)
Remote Administration tools, as per the name, allow a remote user
to administer, i.e., operate, a remote computer. Under the direction
of a system administrator they are extremely useful for managing
computer systems on either a LAN (local area network) or a WAN
(wide area network) connecting over the Internet. Obviously the
same administrative access under the control of a malicious
attacker isn't a desirable thing. One of the better known and highly
useful of such tools is RealVNC (Virtual Network Computing), which is
widely used by administrators and attackers alike. One of the best known
tools that is used solely by attackers is the Subseven trojan.
Viruses
One of the original types of malicious software, viruses date back
to around the early 1980s, with a program called "Elk Cloner" usually
given the distinction of being the first virus program to appear "in
the wild". Like its biological counterpart, a computer virus
requires a host to function. The computer virus attaches itself to
a host program (code) and is spread mechanically by movement of infected
files to other machines.
Keyloggers & Password Stealers
Keyloggers, or key logging software, are programs that have the
ability to run clandestinely on a computer system and record all
keystrokes executed on that system. Like most categories of malware,
the use and intent make the difference. There are legitimate uses
for such programs: they are utilized by companies to enforce AUPs (acceptable
use policies) and by parents to have some degree of awareness of what
their children are doing on the family computer, particularly in relation
to Internet usage.
Electronic criminals have largely utilized key logging software to
capture sensitive information such as login names and passwords for
accounts at financial institutions, and credit card numbers. When
created for malicious purposes these programs typically save the
captured keystrokes to a hidden file which is then sent over the
network (most commonly the Internet) to a host machine set up for this
purpose. Key logging software is a key component of many Internet
based identity theft rings. High quality anti-spyware software has
the ability to detect the vast majority of these programs.