Do you know what a `zombie computer’ is? Many malware (malicious software) may turn a computer into a zombie that appears too slow to the user(s) of the computer, because they are using computer’s processor, memory, and other resources. Moreover, they can steal personally identifiable information (PII) and personally sensitive information (PSI) stored in the computer. We have a post on information types.
The diagram below shows a classification malwares. A brief introduction to each are provided next.
The reader should be warned that this classification is not universality accepted and it is possible to regroup them. Also, the description and function of each are short for brevity. If you think your computer (or digital device) is infected with one or more malwares, you may need professional help.
Discussion here is for a general introduction.
Digital computer systems were developed to perform very-long monotonous computations fast and free of errors. For example, to evaluate complicated physics or math equations it used to take months and sometimes years. Then, its applications were extended to spread almost every possible spheres of our life. During these developments safety of the system against malicious softwares were not a concern. No software tools were developed to detect, quarantine, or destroy malicious softwares.
Traditional malwares infested computers without facing any scrutiny from any software tools to do so. These malwares attacked the computers, or exploited their computing power without explicit permission from their owners, or stole information from the computer with malicious intent, or gathered information for indirect benefits or advertised for marketing products. Let us look at four types of traditional malwares next.
Computer viruses, worms, logic bombs, and Trojan horses are considered among the traditional malware. They were simple to detect and easy to quarantine and/or remove, because they would not mutate to hide from anti-malware tools. In this section we discuss them, but it is important that modern generations of these could be as dangerous, hard to detect, and remove as advanced malware discussed in the next sections.
Computer Viruses are analogous to biological viruses, they are software codes that replicate themselves in a host computer or laptop, or tablet or a smart phone, but they cannot spread to other computer or laptop, or tablet or a smart phone. They usually hide in an executable or data file. When this file is opened in a computer, the virus will move into the storage are of the device, will reside there and eventually replicate in the storage of the device. If the replicated code is in a portable storage-device, such as thumb-drive or SSD (solid-state drive) or traditional hard-drive, the virus will propagate to devices where this portable device is attached to. The virus, dubbed Rabbit discovered in 1974, would replicate in the infected computer until all available storage was filled. Now I am sure you know what would happen, the computer would crash!
Two simple measures against viruses are anti-virus software and regular scanning of all storages, specially portable ones. But a word of caution, some advanced viruses, like all advanced malwares, evade detection using help of malwares known as rootkit (discussed later).
Computer Worms are standalone computer programs that (like viruses) replicate themselves. Moreover, replicated copies crawl out from the worm’s host computer into the network where the host computer is connected. The process may repeats forever, or until all vulnerable computers have the infection. Thus, a worm spreads in other computers very fast and is difficult to control. Two ill-effects of worms are increase of network traffic and infection of digital devices. Traditional worms were harmless in the sense, they were not corrupting data or programs. But the problem started they started when they were carrying virulent payloads on them. The very first computer worm, creeper was detected on the ARPANET in 1970s.
Common measures against worms are firewalls and intrusion detection-and-prevention softwares. Also, modern malware detection software tools are useful. But you always have to stay alert, because malwares are always evolving to avoid detection tools.
A computer logic Bomb (and time bomb) in a computer software or hardware is similar to a timer in a time-bombs, but it triggers when one or more ‘logical conditions’ are satisfied. The part of code in the software that works as logic bomb is unnecessary for intended use of the software. For example, a computer virus may spread for a while but it remains dormant until a certain date and time; one of the intentions is to create a worldwide pandemic of the computer virus suddenly. There are other occasions where a software developer may set a condition in the program, if that condition is not met, the software would trigger predefined malicious activities. For example, if software’s annual maintenance contract is not renewed by a deadline, the software may delete some essential files from the computer creating a crisis.
A computer Trojan horse is a computer software or hardware that has some apparent utility and people install the software (or the hardware) for its utility. But hidden in a computer Trojan horse is a part that performs undisclosed malicious operations (of course without knowledge of the users). For example, a calendar app may have hidden software that sends your daily activity to the software distributor, who may use it to online advertising. A hardware, such as free thumb-drive may have a hidden virus that will spread when it is used in a computer. A famous case was disclosed in 2005 where the Sony BMG Music Entertainment embedded softwares in their music CDs.
First generation of malware detection tools identified malwares from their behavior and characteristic code segment know as signature. Advanced malware mutates by changing or reorganizing code segment. Technical term for these mutations are polymorphism and metamorphism.
Because of their mode of operations and functionalities advanced malwares are divided into two categories — Autonomous and Remote controlled. This categorization will make our discussions and presentations concise and simpler. While I put each malware type into one category only, in some situation, if just one property of a malware type is considered, it may be moved from one category to the other. Thus, this division may not be universally accepted.
An Adware (advertising software) presents unwanted (or unsolicited) advertisements in the form of a pop-up or ‘unclosable window.’ There are clear distinctions between malicious adwares and advertising-supported application softwares or online services.
In adware category we include only those advertising softwares that somehow sneak into a digital device and hide from user’s view, sometimes with the help of other advanced malwares such as rootkits (discussed next), and do everything to evade detection and removal. Since they were installed without explicit permission of the device owner and silently observe applications users running on the device and activate pop-ups for advertising products and/or services at opportune time, they are clearly fall into the malicious adware types and not in the advertising-supported applications. A bigger question arises about their spying on the users by monitoring the applications the users running: are they spying and sending those personal information outside as well?
Here a rootkit refers to a set of malicious computer softwares that alter or disable administrative software tools to make other malwares stealth. Adwares and spywares (discussed later) are often protected by rootkits. Installation of rootkits requires administrative or privileged access to the system. This is often done by exploiting some security holes in system software or in shared library routine. A rootkit may even create backdoors (discussed last) that allow access to the system without going through standard security procedures.
The worst rootkits are those that are created by altering firmwares or operating system kernels. In these cases, to remove the rootkit the hardware must be replaced and operating systems must be reinstalled, respectively.
A keylogger covertly records, with malicious intents, keystrokes while someone is typing. The action is known as keylogging or keyboard capturing. The operator of the keylogger retrieves the captured data for extracting information of interests. For example, usernames, passwords, credit details (card number, expiration date, and security code), and banking details etc. An advanced keylogger may utilize services of spywares to minimize recording of key strokes. The spywares would analyze key-strokes and alert the keylogger when they find something interesting. (For example, a credit card number has fixed number of digits.) The keylogger then would start recording the valuable information. To evade detection, advanced keyloggers are protected by rootkits.
Keyloggers can be either software or hardware. It is important to understand all key logging operations are not malicious or illegal. For example, parents of young children may install keyloggers to monitor websites their children are visiting.
A spyware is a software that gathers information about an entity, organization, or a person without his/her knowledge and then may send gathered information to one or more entities, usually operator of the spyware. Tracking cookies are a variant of spyware. As discussed earlier, advanced and sophisticated adwares and keyloggers are assisted by spywares, to optimize their effectiveness and reduce potential of detection by anti-malware programs.
Remote Controlled Malware
While many of the malwares discussed earlier could be controlled remotely, but often they are not. The three malwares discussed next are most often remote controlled by other softwares or people.
A ransomware is a malicious computer software that may (a) encrypt data in a computer, or (b) lock access to a computer, or (c) threatens to publish private data stolen from a computer of a victim. After infection, a message is displayer on the victim’s computer screen announcing the act the malware has done on the computer and asks for ransom payment, usually e-money. Act of ransomware is not limited to a computer, it has infected other digital device with Internet access, such as smart phones. The encrypting ransomwares are most potent, when a strong encryption techniques with long-encryption keys is used. Because, that would make it practically impossible to recover the data without the encryption key.
A bot or Internet bot is malicious software infected computer that performs tasks, that are simple and structurally repetitive, like a robot. Before we go froward, it should be understood that there are many bots that are not malicious. For example, there are bots that crawls the Internet to gather information from web-servers for search engines. But in our context we are referring to those malwares that are under the control and command of malicious entities and infects computers, tablets, smart phones and other digital devices for stealing their computing power to perform malicious acts that benefits only the malicious entities and not the owner of the device. In fact, most often these devices slow down to a point that they act like a ‘zombie computer’.
A backdoor in a computer software permits access to the computer system bypassing normal authentication procedures and requires no credentials, such as usernames and passwords. Traditionally, software developers kept backdoors for fast access to the software for development and maintenance purpose. But now malicious actors install code-segments to create backdoors. As mentioned earlier in our discussions on rootkits, these backdoors are exploited for malicious purpose.