SY0-501 Section 3.1 Explain types of malware.

Malware (for “malicious software”) is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.


Generically, adware (spelled all lower case) is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.

Adware has been criticized because it usually includes code that tracks a user’s personal information and passes it on to third parties, without the user’s authorization or knowledge. This practice has been dubbed spyware and has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center.

Software expert Steve Gibson of Gibson Research explains: “Spyware is any software (that) employs a user’s Internet connection in the background (the so-called ‘backchannel’) without their knowledge or explicit permission. Silent background use of an Internet ‘backchannel’ connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed consent for such use. Any software communicating across the Internet absent of these elements is guilty of information theft and is properly and rightfully termed: Spyware.”

A number of software applications, including Ad-Aware and Opt Out (by Gibson’s company), are available as freeware to help computer users search for and remove suspected spyware programs.

AdWare is also a registered trademark that belongs to AdWare Systems, Inc. AdWare Systems builds accounting and media buying systems for the advertising industry and has no connection to pop-up advertising, spyware, or other invasive forms of online advertising.


A computer virus is an executable program. Depend on the nature of a virus, it may cause damage of your hard disk contents, and/or interfere normal operation of your computer.

By definition, a virus program is able to replicate itself. This means that the virus multiplies on a computer by making copies of itself. This replication is intentional; it is part of the virus program. In most cases, if a file that contains virus is executed or copied onto another computer, then that computer will also be “infected” by the same virus.

A virus can be introduced to a computer system along with any software program. For Internet users, this threat can come from downloading files through FTP (file transfer protocol), or referencing email attachments.

When a virus is introduced to a computer system, it can attach itself to, or sometimes even replace, an existing program. Thus, when the user runs the program in question, the virus is also executed. This usually happens without the user being aware of it.

A virus program contains instructions to initiate some sort of “event” that affects the infected computer. Each virus has an unique event associated with it. These events and their effects can range from harmless to devastating. For examples:

– An annoying message appearing on the computer screen.

– Reduced memory or disk space.

– Modification of data.

– Files overwritten or damaged.

– Hard drive erased.

Types of Viruses

There are many types of computer viruses:

 File virus: Most viruses’ fall into this category. A virus attaches itself to a file, usually a program file.

–  Boot sector virus: These viruses infect floppy and hard drives. The virus program will load first, before the operating system.

– Macro Virus: This is a new type of virus that use an application’s own macro programming feature to distribute themselves. Unlike other viruses, macro viruses do not infect programs; they infect documents.

– Virus Hoax: Although there are thousands of viruses discovered each year, there are still some that only exist in the imaginations of the public and the press – known as virus hoaxes. These viruses’ hoaxes do not exist, despite rumor of their creation and distribution


Worms are programs that reproduce, execute independently and travel across the network connections. The key difference between a virus and worm is the manner in which it reproduces and spreads. A virus is dependent upon the host file or boot sector, and the transfer of files between computers to spread, whereas a computer worm can execute completely independently and spread on its own accord through network connections.

The security threat from worms is equivalent to that of viruses. Computer worms are skilled of doing an entire series of damage such as destroying crucial files in your system, slowing it down to a large degree, or even causing some critical programs to stop working. Two very prominent examples of worms are the MS-Blaster and Sasser worms.

Computer Worm

Examples The original computer worm was (perhaps accidentally) unleashed on the Internet by Robert Tappan Morris in 1988. The Internet Worm used sendmail, fingerd, and rsh/rexec to spread itself across the Internet.

The SQL Slammer Worm founded in 2003 used vulnerability in Microsoft SQL Server 2000 to spread itself across the Internet. The Blaster Worm also founded in 2003 used vulnerability in Microsoft DCOM RPC to spread itself.

The Melissa worm founded in 1999, the Sobig worms founded in 2003 and the Mydoom worm founded in 2004 all spread through e-mail. These worms shared some features of a Trojan Horse, in that they spread by tempting a user to open an infected e-mail attachment.

Mydoom also attempted to spread itself through the peer-to-peer file sharing application called KaZaA. The Mydoom worms attempted a Denial of Service (DoS) attack against SCO and Microsoft.


Spyware is Internet jargon for Advertising Supported software (Adware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer them to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don’t have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them, by paying the regular licensing fee.

While this may be a great concept, the downside is that the advertising companies also install additional tracking software on your system, which is continuously “calling home”, using your Internet connection and reports statistical data to the “mother ship”. While according to the privacy policies of the companies, there will be no sensitive or identifying data collected from your system and you shall remain anonymous, it still remains the fact, that you have a “live” server sitting on your PC that is sending information about you and your surfing habits to a remote location

There are also many PC surveillance tools that allow a user to monitor all kinds of activity on a computer, ranging from keystroke capture, snapshots, email logging, chat logging and just about everything else. These tools are often designed for parents, businesses and similar environments, but can be easily abused if they are installed on your computer without your knowledge.

These tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are abused, they can seriously violate your privacy.


Named after the Trojan Horse of ancient Greek history, a Trojan is a network software application designed to remain hidden on an installed computer. Trojans generally serve malicious purposes and are therefore a form of malware, like viruses.

Trojans sometimes, for example, access personal information stored locally on home or business computers then send these data to a remote party via the Internet. Alternatively, Trojans may serve merely as a “backdoor” application, opening network ports to allow other network applications access to that computer. Trojans are also capable of launching Denial of Service (DoS) attacks. A combination of firewalls and antivirus software protect networks against Trojans.

Trojans are similar to worms. In contrast to worms and viruses, however, Trojans do not replicate themselves or seek to infect other systems once installed on a computer.


A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a “backdoor” into the system for the hacker’s use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.

The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.

Rootkits have become more common and their sources more surprising. In late October of 2005, security expert Mark Russinovich of Sys-internals discovered that he had a rootkit on his own computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD. Experts worry that the practice may be more widespread than the public suspects and that attackers could exploit existing rootkits. “This creates opportunities for virus writers,” said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. “These rootkits can be exploited by any malware, and when it’s used this way, it’s harder for firms like ours to distinguish the malicious from the legitimate.”

A number of vendors, including Microsoft, F-Secure, and Sys-internals, offer applications that can detect the presence of rootkits. If a rootkit is detected, however, the only sure way to get rid of it is to completely erase the computer’s hard drive and reinstall the operating system.


Attackers who have compromised a system to ease their subsequent return to the system often install Backdoors. We consider the problem of identifying a large class of backdoors, namely those providing interactive access on non-standard ports, by passively monitoring a site’s Internet access link. We develop a general algorithm for detecting interactive traffic based on packet size and timing characteristics, and a set of protocol-specific algorithms that look for signatures distinctive to particular protocols. We evaluate the algorithms on large Internet access traces and find that they perform quite well. In addition, some of the algorithms are amenable to pre-filtering using a stateless packet filter, which yields a major performance increase at little or no loss of accuracy. However, the success of the algorithms is tempered by the discovery that large sites have many users who routinely access what are in fact benign backdoors, such as servers running on non-standard ports not to hide, but for mundane administrative reasons. Hence, backdoor detection also requires a significant policy component for separating allowable backdoor access from surreptitious access.

Logic bomb

Logic bomb is a program, or portion of a program, which lies dormant until a specific piece of program logic is activated. In this way, a logic bomb is very analagous to a real-world land mine. The most common activator for a logic bomb is a date. The logic bomb checks the system date and does nothing until a pre-programmed date and time is reached. At that point, the logic bomb activates and executes it’s code.

A logic bomb could also be programmed to wait for a certain message from the programmer. The logic bomb could, for example, check a web site once a week for a certain message. When the logic bomb sees that message, or when the logic bomb stops seeing that message, it activates and executes it’s code. A logic bomb can also be programmed to activate on a wide variety of other variables, such as when a database grows past a certain size or a users home directory is deleted.

The most dangerous form of the logic bomb is a logic bomb that activates when something doesn’t happen. Imagine a suspicious and unethical system administrator who creates a logic bomb, which deletes all of the data on a server if he doesn’t log in for a month. The system administrator programs the logic bomb with this logic because he knows that if he is fired, he won’t be able to get back into the system to set his logic bomb. One day on his way to work, a bus hits our suspicious and unethical system administrator. Three weeks later, his logic bomb goes off and the server is wiped clean. The system administrator meant for the logic bomb to explode if he was fired; he did not forsee that a bus would hit him. Because a logic bomb does not replicate itself, it is very easy to write a logic bomb program. This also means that a logic bomb will not spread to unintended victims. In some ways, a logic bomb is the most civilized programmed threat, because a logic bomb must be targeted against a specific victim. The classic use for a logic bomb is to ensure payment for software. If payment is not made by a certain date, the logic bomb activates and the software automatically deletes itself. A more malicious form of that logic bomb would also delete other data on the system.


Botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie – in effect, a computer “robot” or “bot” that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets — not spam, viruses, or worms — currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.

Computers that are coopted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high-speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army

“controller” can unleash the effects of the army by sending a single command, possibly from an Internet Relay Channel (IRC) site. The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a Web site that can be closed down by having to handle too much traffic – a distributed denial-of-service (DDoS) attack – or, in the case of spam distribution, to many computers. The motivation for a zombie master who creates a DDoS attack may be to cripple a competitor. The motivation for a zombie master sending spam is in the money to be made. Both of them rely on unprotected computers that can be turned into zombies. According to the Symantec Internet Security Threat Report, through the first six months of 2006, there were 4,696,903 active botnet computers.


With ransomware, software—often delivered through a Trojan—takes control of a system and demands that a third party be paid. The “control” can be accomplished by encrypting the hard drive, by changing user password information, or via any of a number of other creative ways. Users are usually assured that by paying the extortion amount (the ransom) they will be given the code needed to revert their systems to normal operations. Viruses come in many forms and are far more complicated than the other forms or malware.


malware Polymorphic Virus Polymorphic viruses and polymorphic malware of any type—though viruses are the only ones truly prevalent—change form in order to avoid detection. These types of viruses attack your system, display a message on your computer, and delete files on your system. The virus will attempt to hide from your antivirus software. Frequently, the virus will encrypt parts of itself to avoid detection. When the virus does this, it’s referred to as mutation. The mutation process makes it hard for antivirus software to detect common characteristics of the virus. Figure 3.1 uses a phrase to illustrate how the polymorphic virus changes characteristics to avoid detection. Like the phrase, small things within the virus are changed. In this example, the virus changes a signature to fool antivirus software.

Armored virus

An armored virus is designed to make itself difficult to detect or analyze. Armored viruses cover themselves with protective code that stops debuggers or dis-assemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract from analysis while the actual code hides in other areas in the program. From the perspective of the creator, the more time it takes to deconstruct the virus, the longer it can live. The longer it can live, the more time it has to replicate and spread to as many machines as possible. The key to stopping most viruses is to identify them quickly and educate administrators about them—the very things that the armor intensifies the difficulty of accomplishing.