Malware, cyber-attacks and how to protect yourself and your company are top of mind for both employees and IT managers. To help understand and tackle the issues of malware and cyber-attacks, we would like to provide a series of basic information on this topic in loose succession. In this first post we give a definition and classification of malware. It is by no means complete, but it covers some of the most important types of malware.
Viruses have been around for millions of years, but have only been known to humanity for a blink of an eye, since there was no scientific evidence of viruses until the end of the 19th century. Viruses are responsible for a variety of diseases, and in nature there is an eternal struggle between the evolution of viruses and the defense against them.
It is almost the same situation in the field of Information Technology. There are numerous types of malicious software and IT security companies are constantly developing new defense methods to prevent intrusions and negative impacts on IT systems and sensitive data. When conceptually naming these malicious codes, the term “virus” is usually used.
This is perfectly understandable from the historical point of view, as originally only viruses and worms emerged as a threat. However, this terminology is insufficient because of the great variety of threats. Therefore, we would like to shed some light on the subject and give an overview of which terminologies are actually correct and which malicious codes are the most common.
The term “virus” is often used incorrectly because it is usually symbolic of the more general term “malware”. However, this is not correct since malware includes all malicious software.
The word “virus” refers only to the specific distribution path of a particular type of malware. This malware infects a defined file type and injects a copy of its malicious code into the file. The infected file then carries the virus on by recognizing other files of the same type and infecting them in turn.
However, viruses do not spread actively from computer to computer. This rather happens through external storage media, emails or within networks.
Just like the “virus”, the term “worm” stands for a certain type of distribution. Unlike the computer virus, the malicious code spreads actively and independently by exploiting existing security gaps. A current example is a worm that spreads via open Android debugging ports, especially in the area of Internet of Things (IoT), or Internet-enabled devices.
In contrast to ransomware, i.e. software that is clearly aimed at encrypting computer data and demanding a ransom, a computer worm does not have a clearly defined goal. For example, it can compromise and make changes to the system itself, cause very high utilization of the Internet infrastructure or trigger DDoS attacks.
Trojans / Trojan horses
Much of the malware that is used today can be described as “trojan horses.” The term is quite generic stating that the malware disguises itself as benign. This means that the user only sees the positive side of the application without recognizing that it has a negative impact and intention. Therefore, the user cannot influence the effects of the application.
The name “trojan horse” goes back to the legendary strategy of Greek mythology, in which the Greek invaders tricked the inhabitants of Troy with the help of a wooden horse. For this reason, the common terminology “trojan” is incorrect, since the Trojans were the inhabitants of the city and the ones that were attacked in this historic example. The horse, in fact, was the attacker.
In addition to these most commonly used malware terminologies, there is still a large number of malware that can be broken down into the following categories.
RAT: Remote Access Trojans
This type of malware allows attackers to take over computers and remotely control them. They allow attackers to execute commands on the victims’ systems and distribute the RAT to other computers with the goal of building a botnet.
A backdoor malware has a similar objective as a RAT but uses a different approach. The attackers use so-called “backdoors” which are mostly deliberately placed in programs or operating systems. However, they may also be installed in secret.
A special characteristic of backdoors is the fact that they can be used to bypass the existing defense mechanisms. For example, they are very attractive for cybercriminals to create botnets.
Botnets and Zombies
Botnets are large accumulations of infected computers that the attacker builds up over time. Each affected computer is called a zombie. The attacker can send commands to all computers at the same time to trigger activities such as DDoS attacks or to mine bitcoins with the help of individual zombie computers.
It is especially treacherous that owners of the affected computers do not notice that they are part of a botnet until they are already carrying out the externally controlled activities.
This is malware that collects information from the victim’s computer. These can be Credential Stealers, which extract the login data of user accounts such as email mailboxes, Amazon or Google accounts. Keyloggers, on the other hand, record everything that users speak or write and often take screenshots. Bitcoin Stealers search for Bitcoin wallets and rob the cryptocurrency.
Downloader / Dropper
Downloaders or droppers are small programs that serve only one purpose: to reload more malware from the Internet. At first, victims are not able to recognize which contents are being downloaded because only a URL is visible. The great advantage of this method for an attacker is being able to constantly provide new malware for download and to distribute up-to-date and difficult-to-detect malware.
Rootkits are the most dangerous type of malware, even though a rootkit is not necessarily malware in itself. Rather, a rootkit hides malicious code from discovery. In this form of attack, the attacker penetrates deeply into the computer system, gains root privileges and thus obtains general access rights. The cybercriminals then change the system so that the user no longer recognizes when processes and activities are started. It is very hard to locate attacks based on rootkit obfuscation.
Naturally, there are other categories and definitions of malware that are not listed here. It should be noted that the malware which is circulating nowadays is mostly a mixture of several types. For example, there are trojan horses that also include a backdoor.
Often, the different attack types can be put together dynamically according to a modular principle. Therefore, the malware found today can no longer be clearly assigned to one of the categories mentioned above.
In our next post, you will learn about the main players in terms of malware and cyber-attacks.