1

In this unit we are going to talk about malware, the software that is installed on a computer once it has been successfully attacked. Malware, short for malicious software, is any software used to disrupt computer operations, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some defect. The term ‘badware’ is sometimes applied to both true (malicious) malware and unintentionally harmful software. Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms and other malicious programs. Malware is often disguised as, or embedded in, non-malicious files. Nowadays, the majority of active auto-spreading malware threats are worms or trojans rather than viruses.

2

Some malware is installed manually after a successful IT attack, but others incorporate auto disseminating strategies to spread their reach automatically without being detected. The most common types of auto disseminating malware are: Trojans, that are malicious programs disguised as normal software. In broad terms, a Trojan is any program that invites the user to run it, yet conceals some kind of harmful or malicious executable code. The name comes from the Greek tale of the "Trojan Horse" in which a large wooden horse was delivered to Troy as a sign of peace but was full of Greek soldiers that destroyed the city. Viruses are computer programs that act as biological viruses, they attach themselves to other seemingly innocuous programs and infect the systems once these programs are executed. Then they produce copies of themselves and insert them into other programs or files. Worms are programs that scan computer networks for known vulnerabilities and infect systems when they detect them. The difference between viruses and worms is the way they spread. When a virus embeds itself in some other executable software, it needs the intervention of the user to spread (in the same way as biological viruses), a worm is a stand-alone malware that actively transmits itself over a network to infect other vulnerable computers.

3

There are many types of computer viruses; among which we can mention: • Resident and non-resident viruses: A resident virus installs itself as part of the operating system

when this is executed, after which it remains in RAM from the time the computer is booted up to when it is shut down. A "non-resident virus" (or “non-memory-resident virus”), on the other hand, scans the computer for target files, infects them, and then exits (i.e. it does not remain in the memory after it is done executing).

• Macro viruses: Many well-known applications, such as MS Word and MS Excel, allow macro programs to be embedded in the documents that they produce to automate tasks. They usually have the option to make these programs run automatically when the document is opened. A macro virus (or "document virus") is a virus that is written in a macro language and embedded into these documents so that when users open the file, the virus code is executed and infects the user's computer. There are even viruses hosted in pdf files. This is why opening unexpected attachments in e-mails can be very dangerous.

• Boot sector viruses: Boot sector viruses specifically target the boot sector/Master Boot Record (MBR) of the host's hard drive or removable storage media such as flash drives, so the virus is loaded before any antivirus software and can avoid being detected.

• Auto loading viruses: Other viruses exploit the auto-load mechanism created for auto-running CDs and infect a system as soon the infected removable media is connected.

To give an example, in 1999, the Melissa virus was released. It was designed to infect macros in MS Word programs. The thing that made Melissa so dangerous was the way it propagated. The virus attached and e-mailed itself to the first 50 addresses in the MS Outlook program agenda of the user. This way, the people who received the email opened it without suspecting that it could contain something harmful because the sender was someone they trusted.

4

Once the malware has gained access to our system it can perform several malicious actions. These programs include: Disk scanners, scan all the units of the system looking for sensitive information and transmit it later. Rootkits, are software packages that allow the concealment of malware by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Some malicious programs even contain routines to defend against removal by antivirus software. This type of malware can be very difficult to remove. Keyloggers capture, store and transmit every keystroke of the user to get passwords and other confidential data. They can even capture screenshots to get information that is entered with the mouse. Encryptors encrypt the personal data stored on a computer so that the data file cannot be read and ask the user for a ransom.

5

Backdoors, are methods of bypassing normal authentication procedures, usually over a connection to a network such as the Internet. Once a system has been infected, one or more backdoors may be installed in order to allow access in the future, unknown to the user. Remote control software, let the attacker completely control the infected computer, sometimes manually and sometimes automatically in what are called botnets, or groups of infected computers that are collectively controlled forming a net to take coordinated actions. These networks can have thousands of computers and be used for Denial-of-Service attacks or to send spam. The infected computers are known as zombie computers and most of the time their owners do not know their computers are being used by others. Destructors erase all the contents of a hard disk or make the system malfunction in some way.

6

7