S 3.69 Introduction to the threats posed by malware

Initiation responsibility: IT Security Officer

Implementation responsibility: IT Security Officer, Specialists Responsible

Malware is malicious software that executes damaging functions on a computer without the consent or knowledge of the user concerned. The malware is usually camouflaged and runs covertly on the computer. Malware is used for various purposes, including remotely controlling systems, spying out passwords, collecting data, and recording keyboard input.

In the following, the term virus protection program is used generically for a program that detects any kind of malware. The term malware as used here also includes computer viruses.

Malware can contain a large number of different damage functions, and these functions can also be combined during an attack. Malware can be classified based on the following characteristics:

Viruses

A virus (also referred to as a computer virus) is a non-autonomous, self-reproducing program routine that manipulates system areas, programs, and their environments in a manner the user cannot control. Such program functions can be triggered intentionally as well as accidentally. The most serious damage a virus can cause is the loss or corruption of data or other programs.

As with its biological counterpart, it is the property of reproduction that gives the virus its name. There are numerous possibilities for manipulation by viruses. Viruses often overwrite areas of a program or of the operating system, or attach their code to them. In principle, computer viruses can infect any operating system; in practice, the greatest threat has been to personal computers (PCs) with x86 architectures because of their widespread use.

There are several different basic types of computer viruses, although special types and combinations can also appear:

Boot viruses

Boot viruses reside in the boot sector or the master boot record (MBR) of a storage medium, for example a hard disk. The boot procedure executes program code stored in these sectors; this code is self-contained and does not appear as a file in the directories of the data medium. Boot viruses overwrite these sectors with their own program code and move the original contents to another location on the medium, from which the original code is usually executed afterwards so that the system still boots. Because they run as part of the boot procedure, boot viruses are active before the operating system has even been loaded.
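As an added illustration (not part of the original safeguard), the following Python example shows what a check for boot-sector tampering looks like: it parses a raw MBR image, records a baseline of the bootstrap code and partition table from a known-good copy, and reports any deviation. The sample sectors and the stand-in bootstrap bytes are constructed for the example and are not real disk images.

```python
"""Parse a raw 512-byte master boot record (MBR) and compare its bootstrap
code and partition table against a recorded baseline.  A boot virus replaces
the bootstrap code and moves the original sector elsewhere, usually leaving
the partition table intact so that the system still boots.  The sectors used
below are constructed for this example; they are not real disk images."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # the sector ends with the signature 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into bootstrap code, decoded partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa"}


def baseline_of(sector: bytes) -> dict:
    """Record what a known-good sector looks like (hash of the code, partition layout)."""
    mbr = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(mbr["boot_code"]).hexdigest(),
            "partitions": mbr["partitions"]}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if mbr["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from stand-in bootstrap bytes and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in partitions)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed samples: stand-in bootstrap bytes, one bootable partition of type 0x07
PARTS = [(0x80, 0x07, 2048, 409600)]
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"original loader", PARTS)
INFECTED_MBR = build_mbr(b"\xeb\x10\x90" + b"replacement loader", PARTS)

if __name__ == "__main__":
    base = baseline_of(CLEAN_MBR)
    print("clean:", check_mbr(CLEAN_MBR, base))
    print("infected:", check_mbr(INFECTED_MBR, base))
```

In practice the baseline would be taken right after installation (for example by reading the first 512 bytes of the disk device) and stored on write-protected media, since a boot virus that is already active can also falsify what a later read returns; on current systems with UEFI and GPT the equivalent check applies to the EFI boot loader and measured boot rather than to the MBR.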

File viruses

Most file viruses attach themselves to program files. A file virus is started when an infected file is executed and spreads from there; afterwards it passes control to the original program, so that to the user the program appears to start as usual. Primitive overwriting viruses also exist: they overwrite the beginning of the host program with their own code, so that the host program no longer runs correctly.

File viruses can contain a wide variety of damage functions. Instead of attaching themselves to existing files, many file viruses nowadays store copies of themselves as executable files in the operating system and manipulate operating system settings (for example autostart entries) so that they are executed again at a later time.

Macro viruses

Files can also contain macro viruses. Macro viruses do not infect the application programs themselves but the files these applications generate. Any application whose file format can embed control sequences or, above all, programs (e.g. Microsoft Office, StarOffice/OpenOffice) can be affected by macro viruses. Some data formats can contain embedded objects that in turn contain programs; such nested embedding also allows viruses to infect files.

Macros are small programs used to add customised functions to an application program (e.g. to produce a fair copy from the draft of a text). Macro viruses are started when a user opens or works with the infected file. In many cases, files with macro viruses are spread via e-mail and the Internet, but they can also be spread via CDs or USB sticks.
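The practical check that follows from this is to look inside the document container rather than trusting the file name. The Python example below is added here and is not part of the original safeguard: Office Open XML documents (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are zip archives, and a macro-enabled one carries a vbaProject.bin part and declares the VBA content type in [Content_Types].xml. The sample documents are built in memory as constructed stand-ins; the placeholder bytes are not a real VBA project.

```python
"""Detect whether an Office Open XML document carries a VBA macro project.
Such documents are zip archives; a macro-enabled one contains a vbaProject.bin
part and declares the corresponding content type in [Content_Types].xml.  The
file name extension is deliberately not consulted, because the sender controls
it.  The documents below are built in memory as constructed samples."""
import io
import zipfile
from typing import Dict

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MARKER = "macroEnabled"


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Report each macro indicator separately so a reviewer can see why a file was flagged."""
    report = {"is_zip": False, "vba_part": None,
              "declares_vba": False, "macro_enabled_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part in VBA_PARTS:
            if part in names:
                report["vba_part"] = part
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declares_vba"] = VBA_CONTENT_TYPE in ctypes
            report["macro_enabled_type"] = MACRO_ENABLED_MARKER in ctypes
    return report


def has_macros(data: bytes) -> bool:
    """True if any single indicator is present; one is enough to quarantine the file."""
    r = inspect_ooxml(data)
    return bool(r["vba_part"] or r["declares_vba"] or r["macro_enabled_type"])


def _build_doc(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip from a name -> content mapping (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_CT_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">')
CT_PLAIN = (_CT_HEAD + '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
CT_MACRO = (_CT_HEAD + '<Override PartName="/word/document.xml" ContentType='
            '"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + '"/></Types>')

PLAIN_DOCX = _build_doc({"[Content_Types].xml": CT_PLAIN, "word/document.xml": "<w:document/>"})
MACRO_DOCM = _build_doc({"[Content_Types].xml": CT_MACRO, "word/document.xml": "<w:document/>",
                         "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project"})
# A document whose vbaProject.bin part was added without updating [Content_Types].xml
SNEAKY_DOCX = _build_doc({"[Content_Types].xml": CT_PLAIN, "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"placeholder"})

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN_DOCX), ("macro", MACRO_DOCM), ("sneaky", SNEAKY_DOCX)):
        print(label, has_macros(doc), inspect_ooxml(doc))
```

The check above covers the zip-based formats only; the older binary formats (.doc, .xls, .ppt) are OLE compound files, for which a dedicated parser such as the olevba tool from the oletools project is the usual choice. Either way the decision should be made at the mail gateway or file server, before the user has the chance to click "enable content".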

Script viruses

A script is a program that is executed by an interpreter. Such scripts are often used on web servers or embedded in web pages (using JavaScript, for example). These scripts are normally executed without the user noticing and, under certain circumstances, can be misused by attackers to load malware onto the IT system.

Bot viruses

A bot is a program that is installed covertly, for example when visiting an infected web site. A bot can secretly send e-mails, spy out data, or communicate with other bots in a network (a botnet) in order to launch a DDoS attack (Distributed Denial-of-Service). Many bots are inconspicuous at first so that users notice nothing unusual, but the attacker can activate them at a chosen time by sending commands to the infected PCs. The term "bot" is derived from the word "robot".

Stealth viruses

Stealth viruses are also referred to as camouflage viruses. They try to evade detection by determining which virus protection program is in use and presenting it with apparently clean data during a scan, for example by intercepting read accesses to the infected file or by temporarily removing their code from the file while it is being scanned.

Polymorphic viruses

Polymorphic viruses are among the most dangerous types of viruses. They change their appearance on every new infection by means of encryption or permutation and are therefore difficult for virus scanners to detect by means of fixed byte signatures. Usually, a polymorphic virus re-encrypts its malicious code after every infection and changes the encryption key as well; the routine that changes the keys is itself stored in the encrypted part of the virus. Only a small decryption routine has to remain unencrypted, and polymorphic engines vary that routine too, so that not even the decryptor offers a constant signature.
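To make the detection problem concrete, here is an added Python illustration (not part of the original safeguard and not a real virus): an inert marker string stands in for the virus body and is re-encrypted with a different key for every copy. A byte-signature scanner fails on every copy, while a scanner that replays the decryption stub succeeds. The stub bytes, the single-byte XOR scheme and the marker are all invented for the example; nothing is executed or infects anything.

```python
"""Toy model of polymorphic encryption: the same body is XOR-encrypted with a
fresh single-byte key on every copy, so that no fixed byte pattern recurs
between copies, while a scanner that understands the decryption stub can
still recover and match the body.  The 'body' is an inert marker string;
nothing here is executed or infects anything."""
import os
from typing import Optional

BODY = b"MARKER-BODY-THAT-NEVER-CHANGES"   # constant part a signature scanner would target
STUB = b"\x90\x90XK"                         # toy decryptor header; the key byte follows it
SIGNATURE = BODY[:8]                         # pattern a signature-based scanner searches for


def mutate(body: bytes = BODY, key: Optional[int] = None) -> bytes:
    """Produce one copy: STUB || key || body XOR key.  Each call with a new key looks different."""
    if key is None:
        key = os.urandom(1)[0] or 1          # key 0 would leave the body in clear
    return STUB + bytes([key]) + bytes(b ^ key for b in body)


def signature_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic byte-pattern matching against the raw file contents."""
    return signature in sample


def emulating_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Recognise the stub, replay its decryption, then match on the decrypted body.
    This mirrors what generic decryption / emulation in virus scanners does."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB) + 1:
        return False
    key = sample[len(STUB)]
    decrypted = bytes(b ^ key for b in sample[len(STUB) + 1:])
    return signature in decrypted


def shared_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the byte prefix two copies have in common (here: only the stub)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    copies = [mutate(key=k) for k in (0x5A, 0xA7, 0x3C)]
    for c in copies:
        print(c.hex(), "signature:", signature_scan(c), "emulation:", emulating_scan(c))
    print("bytes shared by two copies:", shared_prefix_len(copies[0], copies[1]))
```

In this toy only the stub stays constant from copy to copy, and that is exactly the part a scanner would turn into a signature. Real polymorphic engines therefore vary the decryptor as well (instruction substitution, junk instructions, different registers), which is why scanners run suspicious code in an emulator and match on what it decrypts rather than on the bytes on disk.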

Retro viruses

Retro viruses try to deactivate or manipulate virus protection programs or firewalls so that they are not detected by them. Once the protection has been deactivated, additional malware can be downloaded without the user noticing.

Worms

Worms are autonomous, self-reproducing programs that spread throughout a system and, above all, through networks. In contrast to viruses, worms do not need a host program. Worms generally consume processor and transmission capacity; they can therefore impair a large number of computers within a very short time and cause significant economic and financial damage.

Trojan horses

A Trojan horse (often shortened to "Trojan") is a program with a hidden damage function embedded in another program. Trojan horses are spread by integrating them into host programs designed to be as "attractive" as possible, which are then offered for download or sent as e-mail attachments. Trojan horses can not only cause direct damage but also spy out information on individual computers or the local network.

Rootkits

On a Unix system, "root" is the name of the administrator account, which has extensive system and data access rights. A rootkit is a collection of tools used to gain and retain, as far as possible, unrestricted access to a system without the knowledge of the user, and to conceal the attacker's presence, for example by hiding processes, files, or network connections from the user and from security tools. Although the term comes from the Unix world, numerous Windows rootkits are now available. Rootkits can modify system files or allow an attacker to take control of the infected system; the attacker may then use the infected system to distribute additional malware.

Backdoor

A backdoor is a "door" that allows an attacker to gain access to a computer or to program functions while bypassing the normal access controls. Backdoors can be built into the operating system, into application programs, or into other software. A backdoor is often used to install additional malware, such as a Trojan horse, on the computer.

Spyware

Spyware refers to programs that secretly (i.e. without any indication to the user) collect information about a user or about the use of a computer and forward it to unauthorised persons. Spyware is often regarded as a nuisance rather than as something as dangerous as viruses, worms, or Trojan horses. However, it can cause security problems, both by passing personal data to unauthorised persons and through the unauthorised access to the IT system that is needed to obtain that data. Among other things, spyware can change the system configuration, for example the Windows registry, or install executable code such as DLLs, ActiveX controls, or Java objects. In many cases, spyware infections result from the unauthorised downloading of software, updates, or other files (music files or documents from dubious sources) from the Internet onto the IT system.

Spyware can also include programs that record keyboard input, referred to as key loggers. Key loggers record all keystrokes and send them to the attacker, if possible without being noticed. The attacker can then extract from this data whatever they consider important, for example login information or credit card numbers.

Diallers

Pay-per-use services offered on the Internet were often billed via the telephone bill by redirecting the user to premium-rate telephone numbers using special dial-up programs. In Germany, such numbers had the prefixes 0190 or 0900.

The diallers used for this purpose are programs that set up a new Internet connection on the computer. After being downloaded and installed on the PC, the dialler dials in to the Internet, generally disconnecting any Internet connection already open first. (This only works with dial-up connections, not with DSL or similar technologies.) The pay-per-use content is then retrieved over the new connection. The amount charged depends mainly on the telephone number the dialler uses to open the connection; high costs can result from pay-per-call as well as pay-per-time connections.

The threat posed by diallers has dropped dramatically due to the widespread use of DSL nowadays.

Scareware

Scareware is a combination of the words "scare" and "software". Scareware is designed primarily to unsettle or frighten users. For example, when visiting a web site, the user is shown a warning claiming that the PC is infected with a virus, and the same web site offers a free virus protection program to remove it. This program then contains the actual malware. In many cases, users are also offered useless but expensive programs for removing the supposedly detected malware.

It must be noted that the malware properties described above are only examples of the properties frequently encountered in practice. In a concrete case, a piece of malicious software may contain different or additional functions.

Because of the increasingly complex distribution mechanisms used to spread malware over the past few years, it is becoming more and more difficult to distinguish between viruses, worms, and Trojan horses. In an actual attack, a variety of different modular programs are used one after the other or even simultaneously. The manufacturers of virus protection programs therefore often use the collective term "malware" (short for "malicious software") or speak generically of "malicious software" or "malicious programs".