Malware

2.1.1 Types of Malware

  • Cybercriminals use many different types of malicious software, or malware, to carry out their activities.
  • Malware is any code that can be used to steal data, bypass access controls, or cause harm to or compromise a system.
  • Knowing what the different types are and how they spread is key to containing and removing them.
  • Common malware types listed in the material: Spyware, Adware, Backdoor, Ransomware, Scareware, Rootkit, Virus, Trojan horse, Worms.
  • Roles and relationships (quick orientation):
    • Spyware: tracks online activity and can log keystrokes; may capture sensitive information; can modify security settings; often bundles with legitimate software or Trojan horses.
    • Adware: automatically delivers advertisements, usually in a web browser; often accompanies spyware.
    • Backdoor: bypasses normal authentication to grant unauthorized, remote access to resources; runs in the background and is hard to detect.
    • Ransomware: holds a computer system or its data captive until payment is made; encrypts data to block access; can leverage specific system vulnerabilities; often spread via phishing emails or software vulnerabilities.
    • Scareware: uses scare tactics (e.g., fake OS warnings) to trick users into running a program that infects the system.
    • Rootkit: listed among common types but not described in detail in this excerpt; typically used to conceal presence and gain covert control.
    • Virus: a program that replicates and attaches to executable files; usually requires end-user interaction to activate; can be harmless or destructive; can mutate to avoid detection; spread via USB drives, optical disks, network shares, or email.
    • Trojan horse: masquerades as legitimate software but performs malicious actions; often does not self-replicate; may appear in image files, audio files, or games; acts as a decoy to bypass users.
    • Worms: self-replicating malware that can spread without user participation; does not require a host program to run; exploits vulnerabilities to propagate; includes a payload to damage systems or networks; historically responsible for large-scale incidents (e.g., Code Red).
  • Note: While this section lists several types, detailed descriptions for all terms (e.g., Rootkit) may not be provided in this excerpt.

2.1.1 Types of Malware (detailed descriptions for select types)

  • WORMS
    • Definition: a type of malware that replicates itself in order to spread from one computer to another.
    • Key distinction: unlike a virus, worms can run by themselves and do not require host programs or user participation after initial infection.
    • Common pattern: exploit system vulnerabilities, propagate themselves, and carry a payload to damage systems or networks.
    • Significance: worms can spread very quickly across networks and have caused major internet-wide incidents.
    • Notable example: the Code Red worm infected 300,000 servers in just 19 hours.
  • TROJAN HORSE
    • Definition: malware that carries out malicious operations by masking its true intent.
    • Perception vs. reality: may appear legitimate but is dangerous.
    • Common vectors: often found in image files, audio files, or games.
    • Replication: Unlike viruses, Trojans do not self-replicate.
    • Function: acts as a decoy to sneak malicious software past unsuspecting users.
  • VIRUS
    • Definition: a computer program that, when executed, replicates by inserting its own code into other files that carry executable content (executables, scripts, or macro-enabled documents); it needs such a host file to spread.
    • Activation: most viruses require end-user interaction to initiate activation; can be programmed to act on a specific date or time.
    • Range of effects: can be relatively harmless (e.g., display a funny image) or destructive (e.g., modify or delete data).
    • Mutation: viruses can mutate to avoid detection.
    • Spread vectors: commonly spread by USB drives, optical disks, network shares, or email.
  • SCAREWARE
    • Definition: malware that uses scare tactics to trick you into taking a specific action.
    • Mechanism: mainly consists of operating system style windows that pop up to warn you that your system is at risk and needs to run a specific program.
    • Consequence: if you run the program, your system becomes infected with malware.
  • BACKDOOR
    • Definition: malware used to gain unauthorized access by bypassing normal authentication procedures.
    • Capability: enables remote access to resources within an application and the ability to issue remote system commands.
    • Behavior: operates in the background and is difficult to detect.
  • RANSOMWARE
    • Definition: malware designed to hold a computer system or the data it contains captive until a payment is made.
    • Mechanism: usually works by encrypting data so you cannot access it.
    • Exploitation: can take advantage of specific system vulnerabilities to lock down access.
    • Delivery vectors: commonly spread through phishing emails with malicious attachments or via software vulnerabilities.
  • ADWARE
    • Definition: malware that delivers advertisements to a user, typically in a web browser.
    • Co-occurrence: often bundled with spyware and other software; can be noticeable via frequent pop-ups.
  • SPYWARE
    • Definition: software designed to track and spy on you.
    • Capabilities: monitors online activity, can log keystrokes, and capture sensitive information (e.g., online banking details).
    • Mechanism: can modify security settings on devices and often bundles with legitimate software or Trojan horses.
    • Goal: primarily to gather data for theft or targeted advertising.
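Added example, not part of the course material: the Virus entry above says viruses "can mutate to avoid detection", and the practical consequence is that a detection keyed to a file hash stops matching after a single-byte change, while a signature on the part that cannot change (here a decoder stub that carries its own key) keeps matching. The Python below builds two constructed, harmless byte strings that stand in for an original sample and a mutated copy, then runs four detection strategies over both. `XORSTUB`, the marker text, and the stub layout are all invented for the illustration.

```python
"""Added example: why a hash signature stops matching once a virus mutates.

Every sample here is a constructed, harmless byte string, not real malware.
"""
import hashlib
import re

# Constant text inside the fictional payload body; a content signature targets it.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (key 0 leaves the data unchanged)."""
    return bytes(b ^ key for b in data)


def build_variant(key: int, padding: int = 0) -> bytes:
    """Build a constructed sample: NOP-style padding, a fixed decoder stub that
    carries its key, then the body XOR-encoded with that key."""
    body = b"do_harmless_thing();" + MARKER + b";"
    stub = b"XORSTUB" + bytes([key]) + b"\xc3"       # invented stub layout
    return b"\x90" * padding + stub + xor_bytes(body, key)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(sample: bytes, known_hashes: set[str]) -> bool:
    """Strategy 1: exact file hash. Breaks on any byte change."""
    return sha256_hex(sample) in known_hashes


def match_substring(sample: bytes) -> bool:
    """Strategy 2: fixed byte pattern on the body. Survives padding, not re-encoding."""
    return MARKER in sample


# The stub is the one thing the mutation cannot change beyond its key byte,
# so a wildcard on the key byte makes a signature that survives re-keying.
STUB_RE = re.compile(rb"XORSTUB(.)\xc3", re.DOTALL)


def match_stub(sample: bytes) -> bool:
    """Strategy 3: pattern on the decoder stub with the key byte wildcarded."""
    return STUB_RE.search(sample) is not None


def match_decoded(sample: bytes) -> bool:
    """Strategy 4: locate the stub, recover the key, decode the body, then look
    for the marker. This is the cheapest form of 'emulate, then scan'."""
    m = STUB_RE.search(sample)
    if m is None:
        return False
    key = m.group(1)[0]
    return MARKER in xor_bytes(sample[m.end():], key)


def scan(sample: bytes, known_hashes: set[str]) -> dict[str, bool]:
    """Run all four strategies and report which ones fire."""
    return {
        "hash": match_hash(sample, known_hashes),
        "plain_substring": match_substring(sample),
        "decoder_stub": match_stub(sample),
        "decode_then_match": match_decoded(sample),
    }


# Constructed samples: the original uses key 0 (body in the clear); the mutated
# copy re-keys the body and prepends three padding bytes.
ORIGINAL = build_variant(key=0x00)
MUTATED = build_variant(key=0x7E, padding=3)
KNOWN_HASHES = {sha256_hex(ORIGINAL)}

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("mutated", MUTATED)):
        print(label, scan(sample, KNOWN_HASHES))
```

On the original sample all four strategies fire; on the mutated copy only the stub pattern and the decode-then-match check still do. That is the whole argument for layering content and behavioural signatures over hash blocklists, which stay useful only for the exact sample that was already seen.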

2.1.2 Symptoms of Malware

  • Regardless of type, look for a set of common symptoms:
    • Increase in CPU usage, leading to slower device performance.
    • Computer freezes or crashes frequently.
    • Decreased web browsing speed.
    • Unexplainable problems with network connections.
    • Modified or deleted files.
    • Presence of unknown files, programs, or desktop icons.
    • Unknown processes running.
    • Programs turning off or reconfiguring themselves.
    • Emails being sent without your knowledge or consent.
  • Practical implication: these symptoms suggest a malware infection and warrant scanning, malware removal, and possible system restoration.
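Added example, not part of the course material: the symptom list above only becomes actionable when there is a known-good baseline to compare against. The Python below turns five of the listed symptoms (high CPU, unknown processes, modified or deleted files, unknown files, mail sent without consent) plus a "program turned off" check into concrete comparisons between a constructed clean baseline and a constructed snapshot of the same hypothetical host. The baseline sets, file contents, process names, and Postfix-style log lines are all made up for the illustration.

```python
"""Added example: checking a host snapshot against a clean baseline for the
symptoms in 2.1.2. All baseline data, snapshot data and log lines are constructed."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    cpu_percent: float


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline for a hypothetical host; in practice this is captured
# from a freshly built, trusted system and stored off-host.
BASELINE_PROCESSES = {"systemd", "sshd", "nginx", "cron"}
BASELINE_FILES = {
    "/etc/hosts": sha256_hex(b"127.0.0.1 localhost\n"),
    "/etc/crontab": sha256_hex(b"0 3 * * * root /usr/local/bin/backup\n"),
    "/usr/local/bin/backup": sha256_hex(b"#!/bin/sh\ntar czf /srv/backup.tgz /srv\n"),
}
EXPECTED_MAIL_SENDERS = {"alerts@example.test"}

# Constructed snapshot of the same host that shows several symptoms at once.
CURRENT_PROCESSES = [
    Process("systemd", 0.1),
    Process("sshd", 0.2),
    Process("nginx", 3.0),
    Process("kworker_upd", 97.5),   # not in the baseline and pegging the CPU
    # "cron" is gone: a program that turned itself off
]
CURRENT_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/crontab": b"0 3 * * * root /usr/local/bin/backup\n* * * * * root /tmp/.x/run\n",
    # "/usr/local/bin/backup" is absent: a deleted file
    "/tmp/.x/run": b"#!/bin/sh\nwhile :; do :; done\n",   # unknown new file
}
MAIL_LOG = [
    "Mar  3 10:01:12 host postfix/qmgr[812]: 4F2A1: from=<alerts@example.test>, size=2310, nrcpt=1",
    "Mar  3 10:01:13 host postfix/qmgr[812]: 4F2A2: from=<www-data@host>, size=51200, nrcpt=40",
    "Mar  3 10:01:13 host postfix/qmgr[812]: 4F2A3: from=<www-data@host>, size=51200, nrcpt=40",
]
FROM_RE = re.compile(r"from=<([^>]*)>")


def unknown_processes(current, baseline):
    return sorted({p.name for p in current} - baseline)


def missing_processes(current, baseline):
    return sorted(baseline - {p.name for p in current})


def cpu_hogs(current, threshold=80.0):
    return sorted(p.name for p in current if p.cpu_percent >= threshold)


def file_changes(baseline_hashes, current_contents):
    """Compare stored hashes with freshly hashed contents; returns (modified, deleted, new)."""
    current_hashes = {path: sha256_hex(data) for path, data in current_contents.items()}
    modified = sorted(p for p in baseline_hashes
                      if p in current_hashes and current_hashes[p] != baseline_hashes[p])
    deleted = sorted(p for p in baseline_hashes if p not in current_hashes)
    new = sorted(p for p in current_hashes if p not in baseline_hashes)
    return modified, deleted, new


def unexpected_mail_senders(log_lines, expected):
    """Pull the envelope sender out of each queue-manager line; anything outside
    the expected set is mail the owner did not knowingly send."""
    found = set()
    for line in log_lines:
        m = FROM_RE.search(line)
        if m and m.group(1) not in expected:
            found.add(m.group(1))
    return sorted(found)


def triage(current_procs, current_files, mail_log):
    """Map the snapshot onto the 2.1.2 symptom list; each finding carries its evidence."""
    findings = {}
    if hogs := cpu_hogs(current_procs):
        findings["high_cpu"] = hogs
    if unk := unknown_processes(current_procs, BASELINE_PROCESSES):
        findings["unknown_processes"] = unk
    if gone := missing_processes(current_procs, BASELINE_PROCESSES):
        findings["stopped_programs"] = gone
    modified, deleted, new = file_changes(BASELINE_FILES, current_files)
    if modified or deleted:
        findings["modified_or_deleted_files"] = modified + deleted
    if new:
        findings["unknown_files"] = new
    if senders := unexpected_mail_senders(mail_log, EXPECTED_MAIL_SENDERS):
        findings["unexpected_mail"] = senders
    return findings


if __name__ == "__main__":
    for symptom, evidence in triage(CURRENT_PROCESSES, CURRENT_FILES, MAIL_LOG).items():
        print(f"{symptom}: {evidence}")
```

Two design points carry over to real tooling: the baseline must live somewhere the infected host cannot rewrite (a rootkit on the host will happily report clean hashes), and every finding should point at the evidence (the file, the process, the sender) so that removal and restoration can be scoped rather than guessed.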

2.1.3 What Do You Think?

  • Match the descriptions to the correct malware type:

    • Malware designed to track your online activity and capture your data → Spyware
    • Software that automatically delivers advertisements → Adware
    • Malware that holds a computer system captive until a payment is made to the attacker → Ransomware
    • Malicious code that attaches to legitimate programs and usually spreads by USB drives, optical media, network shares or email → Virus
    • Malicious code that replicates itself independently by exploiting vulnerabilities in networks → Worms
  • Connections and implications (summary of relevance and applications):

    • Understanding types helps in targeted defense: different types have distinct propagation methods and payloads.
    • Network and system hardening: patching vulnerabilities reduces worm-like spread; application whitelisting and least privilege reduce Trojan/Backdoor impact.
    • User education: awareness of scams (phishing) reduces ransomware effectiveness; recognizing scareware prompts is crucial.
    • For incident response: differentiate behavior (e.g., self-replication vs. decoy behavior) to locate the root cause and remove persistence mechanisms.
    • Real-world relevance: many incidents rely on user interaction (phishing, drive-by downloads) to initiate infections; cybersecurity practices aim to minimize attack surface and improve detection.