Malware Flashcards
Worm
A worm functions similarly to a virus, except it does not need to attach itself to other programs to replicate. It can replicate on its own through networks, or even hardware like Thunderbolt accessories. If the infected computer is on a network, a worm will start scanning the network for other vulnerable systems to infect.
Virus
A virus is a program that has two jobs: to replicate and to activate. Replication means it makes copies of itself, by injecting itself as extra code added to the end of executable programs, or by hiding out in a drive’s boot sector. Boot sector viruses can be particularly nasty because they live inside your system’s boot partition and activate their malicious code before the security software is able to start up and prevent it. Activation is when a virus does something like corrupting data or stealing private information. A virus only replicates to other drives, such as thumb drives or optical media. It does not self-replicate across networks. A virus needs human action to spread.
Trojan
A Trojan (named for the Trojan Horse) is a piece of malware that appears or pretends to do one thing while, at the same time, it does something evil. A Trojan horse may be a game, like poker, or ironically, a fake security program. The sky is the limit. Once installed, a Trojan horse can have a hold on the system as tenacious as any virus or worm; a key difference is that installed Trojan horses do not replicate.
Rootkit
For malware to succeed, it often needs to come up with some method to hide itself. As awareness of malware has grown, anti-malware programs make it harder to find new locations on a computer to hide malware. A rootkit is a program that takes advantage of very low-level operating system functions to hide itself from all but the most aggressive of anti-malware tools. Worse, a rootkit, by definition, gains privileged access to the computer. Rootkits can strike operating systems, hypervisors, and even firmware (including hard drives and accessories . . . yikes!).
The most infamous rootkit appeared a while back as an antipiracy attempt by Sony on its music CDs. Unfortunately for the media giant, the rootkit software installed when you played a music CD and opened a backdoor that could be used maliciously.
Cryptominers
Malicious actors are often motivated by financial gain, so sometimes, they try to kill two birds with one stone by installing malware that can mine cryptocurrency. These cryptominers take control of a computer’s hardware resources and use them to mine cryptocurrency, which is then deposited into a crypto wallet belonging to the attacker. A telltale sign a system is infected with this kind of malware may be inexplicably high GPU or CPU utilization. There are other problems that can lead to excessive hardware utilization, but if you see it, it might be a good idea to check for cryptominer malware.
Keylogger
Keylogger malware does pretty much what you might imagine, recording the user’s keystrokes and making that information available to the programmer. You’ll find keylogging functions as part of other malware as well. Keyloggers are not solely evil; a lot of parental control tools use keyloggers.
Spyware
Spyware—malicious software, generally installed without your knowledge—can use your computer’s resources to run distributed computing applications, capture keystrokes to steal passwords, or worse. Classic spyware often sneaks onto systems by being bundled with legitimate software—software that functions correctly and provides some form of benefit to the user. What kind of benefit? Way back in 2005, Movieland (otherwise known as Movieland.com and Popcorn.net) released a “handy” movie download service. They didn’t tell users, of course, that everyone who installed the software was “automatically enrolled” in a three-day trial. If you didn’t cancel the “trial,” a pop-up window filled your screen demanding you pay them for the service that you never signed up for. The worst part, however, was that you couldn’t uninstall the application completely. The uninstaller redirected users to a Web page demanding money again. (Movieland was shut down in 2007.)
For another classic example, look at Figure 27-14: the dialog box asks the user if she trusts the Gator Corporation (a well-known spyware producer from ages ago). Because everyone eventually knew not to trust Gator, they would click No, and the company faded away.
Ransomware
As bad as spyware can be, at least you still have access to your data. Ransomware, on the other hand, encrypts all the data it can gain access to on a system. To top it off, many versions of ransomware can even encrypt data on mapped network drives! Once it has locked up all your data, the ransomware application pops up a message asking for money (often bitcoins) to decrypt your data. Also, to encourage a faster payment, this ransom is presented with a timer that, when it reaches 0, triggers deletion of the encryption keys, leaving you with a drive full of scrambled data. In some particularly dastardly cases, the ransomware doesn’t actually have the ability to decrypt built in, and will just leave your drives encrypted or wipe the data altogether when that clock hits 0.
Botnet
Another type of malware I want to talk about is the botnet (“bot” as in robot, get it!). As we touched on when we discussed Denial of Service attacks, a botnet, as “net” in its name implies, isn’t a single type of malware, but rather, a network of infected computers (zombies) under the control of a single person or group. Botnets can be massive, easily growing into the millions of zombies for the largest networks.
With that many machines under their control, botnet operators have command of massive computing and network resources. Some of the most common uses of botnets are sending spam or launching distributed denial of service attacks. If you’ve ever wondered how spammers and hackers pay for all that bandwidth, they don’t! They use the bandwidth of millions of zombie machines spread all around the world, from grandma’s e-mail machine to hacked Web servers.
Spam is but one use of a botnet. The criminals who run these networks also use all that collective power to launch a DDoS attack against companies and governments and demand a ransom to call off the attack.