Malware

Malware (malicious software) refers to software that intentionally does something harmful. Types of malware include, among others, viruses, worms, Trojan horses, spyware, botnet malware and ransomware.

The definition of a virus or a worm is almost unambiguous: a program (or a piece of code) that is capable of creating independently spreading copies of itself, recursively. Recursion here means that the copies have the same capability. The copies do not have to be identical, nor does every copy have to be capable of spreading. The definition as such takes no stance on harmfulness: self-replication, not damage, is the defining property.

A Trojan horse is a program that contains, or appears to contain, some useful functionality, but in which a harmful function has been intentionally concealed. Unlike a virus or a worm, a Trojan horse does not spread by itself; it relies on the user to install or run it.

Botnet malware is any malware that makes a device part of a botnet, that is, a collection of computers or devices that can be directed to carry out coordinated attacks. A botnet is typically formed of compromised machines (bots), some of which act as control machines (masters) that send commands and collect results, while the others are controlled machines (slaves) that carry the commands out. The channel between the two is called command and control (C2).

Classification of malware

There are many kinds of malware, and precise classification is not always possible. Malware presupposes harmful intent, but the author's intent cannot be known for certain. Software originally developed for a legitimate purpose may be used maliciously; a program that deletes files is an example. Nevertheless, it is important to become familiar with classifications in order to understand malware and to be able to use and develop defensive measures. The classification presented here follows CyBOK (with some notes in parentheses on differing approaches).

A key distinction is whether the malware is standalone or part of some other program code (a host program). This is one way to distinguish worms from viruses: both create recursively spreading copies of themselves, but worms are standalone programs, whereas viruses are embedded in some other program. (An alternative definition classifies worms as a subset of viruses.) Standalone file-based malware is easier to detect because the whole file can be fingerprinted, whereas with host-program malware only the injected part is characteristic and the rest of the file is legitimate. In addition to viruses, malware that requires a host program includes malicious browser plug-ins, scripts executed in browsers, and document macros.

Malware may be persistent or transient. Most malware is persistent: it is stored in the file system (or in firmware) and survives a reboot. Malware is transient (memory-resident) when it exists only in main memory, from which it disappears when the device is shut down. For example, some malware that infects IoT devices disappears when the device is restarted. (Viruses often have both a memory-resident component and a persistent file-based component, so the malware does not disappear on reboot.)

Table: Classification of malware (following CyBOK)

Malware                        Host program or standalone?   Persistent or transient?   System layer             Spreads automatically?   Updatable?   Coordinated?
Viruses                        Host program                  Persistent                 From firmware upwards    Yes                      Yes          No
Malicious browser extensions   Host program                  Persistent                 Application              No                       Yes          Yes
Botnet malware                 Both                          Persistent                 From kernel upwards      Yes                      Yes          Yes
Memory-resident malware        Standalone                    Transient                  From kernel upwards      Yes                      Yes          Yes

Much malware is obfuscated. The aim is to make detection harder, both for human analysts and for automated tools, and malware authors can use ready-made tools for it. One technique, used by some viruses as early as the 1990s, is mutability, also known as polymorphism: copies of the malware differ from one another. It can be implemented in several ways, such as reordering instructions, implementing the same functionality with different instructions, inserting no-operation instructions, packing, and encryption under a different key for each copy. When the copies differ sufficiently, the traditional identification method of comparing the binary code, or parts of it, to a previously stored bit string no longer works.

The bit string that stays constant across copies of a particular malware sample is called its fingerprint (in anti-malware products, a signature). It may consist of a combination of bit strings, since in some malware polymorphism covers only parts of the code while other parts remain constant. A fully polymorphic sample may therefore present a different bit pattern each time and offer no usable fingerprint. However, the malware must itself be able to unpack or decrypt its body, so the unpacking routine has to be present in readable form, and analysis of the code can trace that mechanism. Defensive software can also execute the sample in an emulator or sandbox for long enough that the body is decrypted in memory, and identify it there.
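The following toy model, added here as an illustration (it is not code from CyBOK or from any real malware or anti-malware product), shows why a stored bit string finds a non-polymorphic sample but not a polymorphic one, and how the defender's two answers work: matching the constant decryptor stub, and emulating the unpacking so the decrypted body can be matched. The payload string, the repeating-key XOR "encryption", the stub layout (STUB_MAGIC, then a 4-byte key, then ciphertext) and the emulator are all constructed stand-ins; a real sample would carry machine code and a real packer.

```python
"""Fingerprint (signature) matching versus polymorphic encryption, as a toy model.

Added example for this page, not code from CyBOK or from any real malware or
anti-malware product. PAYLOAD, the XOR 'encryption', the stub layout
(STUB_MAGIC | 4-byte key | ciphertext) and the emulator are constructed
stand-ins chosen so the effect is visible.
"""
import os
from typing import Optional

# Constructed stand-in for a malicious body (machine code in a real sample).
PAYLOAD = b"DELETE_ALL_FILES;SPREAD_TO_NEIGHBOURS;"

# A fingerprint: a bit string expected to stay constant across copies.
PAYLOAD_FINGERPRINT = b"SPREAD_TO_NEIGHBOURS"

# The decryptor stub must stay readable so the sample can unpack itself.
STUB_MAGIC = b"\xde\xc0\xde"
KEY_LEN = 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stand-in for whatever cipher a packer would use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_plain_copy() -> bytes:
    """Non-polymorphic malware: every copy is byte-for-byte identical."""
    return PAYLOAD


def make_polymorphic_copy(key: Optional[bytes] = None) -> bytes:
    """Polymorphic copy: the body is encrypted under a fresh key per copy, so
    the body bytes differ between copies; only the stub layout is constant."""
    if key is None:
        key = os.urandom(KEY_LEN)
    assert len(key) == KEY_LEN
    return STUB_MAGIC + key + xor_bytes(PAYLOAD, key)


def fingerprint_match(sample: bytes, fingerprint: bytes = PAYLOAD_FINGERPRINT) -> bool:
    """Traditional static detection: search the raw bytes for the stored bit string."""
    return fingerprint in sample


def has_stub(sample: bytes) -> bool:
    """Detect the constant part of a partially polymorphic sample: the stub."""
    return sample.startswith(STUB_MAGIC) and len(sample) > len(STUB_MAGIC) + KEY_LEN


def emulate_unpack(sample: bytes) -> bytes:
    """Stand-in for running the sample 'virtually' until it has decrypted itself:
    apply the decryptor logic the sample must carry and return the body."""
    if not has_stub(sample):
        return sample  # nothing to unpack
    key = sample[len(STUB_MAGIC):len(STUB_MAGIC) + KEY_LEN]
    return xor_bytes(sample[len(STUB_MAGIC) + KEY_LEN:], key)


def detect(sample: bytes) -> str:
    """How the sample was identified: 'static' (fingerprint in the raw bytes),
    'emulated' (fingerprint found only after unpacking) or 'clean'."""
    if fingerprint_match(sample):
        return "static"
    if has_stub(sample) and fingerprint_match(emulate_unpack(sample)):
        return "emulated"
    return "clean"


if __name__ == "__main__":
    plain = make_plain_copy()
    poly_a, poly_b = make_polymorphic_copy(), make_polymorphic_copy()
    print("plain copies identical:", make_plain_copy() == plain)
    print("polymorphic copies identical:", poly_a == poly_b)
    print("static match on plain copy:", fingerprint_match(plain))
    print("static match on polymorphic copy:", fingerprint_match(poly_a))
    print("polymorphic copy after emulation:", detect(poly_a))
```

Note what the model leaves out on purpose: a real polymorphic engine also varies the decryptor stub itself (instruction reordering, junk instructions), which is why products match the stub on its behaviour or on several short constant fragments rather than on one fixed prefix, and why emulation has to run long enough for the decryption loop to finish.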

A virus attaches itself to a host program by adding its own code to the program. When the host program is executed, the virus code runs as well; it then searches for other targets to infect and attaches itself to them. A virus may also be updatable if it can establish an internet connection.
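The toy model below is added here to make the definition concrete; it is not code from CyBOK or from any real sample. "Programs" are lists of instruction strings run by a tiny interpreter, the viral code is a single constructed marker line, and the sample programs are made up. Each execution of the attached code infects only one new host (a constructed limit) so that the recursion from the definition is visible: the copy attached to the second program is itself capable of infecting the third.

```python
"""Toy model of a file-infecting virus on an in-memory 'file system'.

Added example for this page, not code from CyBOK or from any real sample.
Programs are lists of instruction strings run by a tiny interpreter; the viral
code, the VIRUS: marker and the sample programs are constructed for the demo.
Each execution of the viral code infects only one new host, so that the
recursive spread can be observed step by step.
"""
from typing import Dict, List

Program = List[str]
FileSystem = Dict[str, Program]

VIRAL_CODE: Program = ["VIRUS: infect one uninfected program"]  # constructed
INFECT_MARK = "VIRUS:"


def is_infected(program: Program) -> bool:
    """Fingerprint-style check: the attached code is a constant string."""
    return any(line.startswith(INFECT_MARK) for line in program)


def attach(program: Program) -> Program:
    """Attach the viral code to a host program, placed first so it runs before
    the host's own code. Already-infected hosts are left alone."""
    if is_infected(program):
        return program
    return VIRAL_CODE + program


def run(fs: FileSystem, name: str) -> List[str]:
    """Execute program `name`. The host's own instructions are 'run' by logging
    them; the viral code, if attached, infects the first uninfected program."""
    log: List[str] = []
    for line in fs[name]:
        if line.startswith(INFECT_MARK):
            for target in sorted(fs):
                if target != name and not is_infected(fs[target]):
                    fs[target] = attach(fs[target])
                    log.append(f"{name} infected {target}")
                    break  # one new host per execution (constructed limit)
        else:
            log.append(f"{name}: {line}")
    return log


def scan(fs: FileSystem) -> List[str]:
    """Names of infected programs, as a fingerprint scanner would report them."""
    return sorted(n for n, p in fs.items() if is_infected(p))


def demo() -> FileSystem:
    """Infect one program, then run the programs in turn; returns the final state."""
    fs: FileSystem = {"calc": ["add 1 2"], "editor": ["open doc"], "game": ["draw frame"]}
    fs["calc"] = attach(fs["calc"])  # initial infection
    run(fs, "calc")                  # calc's attached copy infects editor
    run(fs, "editor")                # editor's copy infects game: the recursion
    return fs


if __name__ == "__main__":
    state = demo()
    for name, program in state.items():
        print(name, program)
    print("infected:", scan(state))
```

In the model, `scan` finds every infected program because the attached code is identical in each copy. A worm would be the standalone variant of the same thing: a program of its own rather than code attached to `calc`, `editor` and `game`, and a Trojan would be a host program whose harmful line was there from the start without any `attach` step.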

Potentially unwanted programs

Some programs are potentially unwanted programs (PUPs): harmful in some situations but desirable in others. The boundary is not self-evident, as the usage context and the user matter. A PUP is typically a useful program that also contains a harmful function. PUPs often describe their behaviour in their terms of use, but few users notice what is stated there.

One example of a PUP is software that displays advertisements (adware). Typically, a PUP also collects information about the user. If this happens without the user's consent, the program is spyware. Spyware may be deliberately designed to collect a wide range of information, such as contact details and passwords; in that case it is clearly malware.
