Malware

Malware (malicious software) is a generic term for a number of different types of malicious code. Malware can be used to compromise normal computer functions, steal data, obtain unauthorised access, and form a botnet to launch organised attack.

What are Malicious Code?

Malicious code refers to a broad category of programs that can cause damage or undesirable effects to computers or networks. Potential damage can include modifying, destroying or stealing data, gaining or allowing unauthorised access to a system, bringing up unwanted screens, and executing functions that a user never intended.

Examples of malicious code include computer viruses, worms, trojan horses, spyware & adware, rootkit, active content, zombies & botnets and ransomware. Because they pose a serious threat to software and information processing facilities, users and administrators must take precautions to detect and prevent malicious code outbreaks.

Computer Virus

A computer virus is a self replicating computer program which can attach itself to other files/programs, and can execute secretly when the host program/file is activated. When the virus is executed, it can perform a number of tasks, such as erasing your files/hard disk, displaying nuisance information, attaching to other files, etc.

Type of virus

Memory-Resident Virus

This type will reside in main system memory. Whenever the operating system executes a file, the virus will infect a file if it is a suitable target, for example, a program file.

Program File Virus

This will infect programs like EXE, COM, SYS etc.

Polymorphic Virus

The virus itself can change form using various polymorphism techniques.

Boot Sector Virus

This type will infect the system area of a disk, when the disk is accessed initially or booted.

Stealth Virus

A virus which uses various stealth techniques in order to hide itself from detection by anti-virus software.

Macro Virus

Unlike other virus types, these viruses attack data files instead of executable files.

Macro viruses are particularly common due to the fact that:

They attach to documents and files, which are platform independent.

The document is sent to other computers by, for example, email or file exchange. Recipients are receiving the infected document from a "trusted" sender.

Email virus

A virus spread by email messages.

Tips for Prevention

The Common Best Practices

Worms

A worm is a self-replicating program that does not need to attach to a host program/file. Unlike viruses, worms can execute themselves. Worms have the ability to spread over a network and can initiate massive and destructive attacks in a short period of time.

One typical example of a massive attack is the "SQL Sapphire Slammer (Sapphire)" that occurred on 25 January 2003. The Sapphire exploited an MS SQL Server or MSDE 2000 database engine vulnerability. The weakness lays in an underlying indexing service that Microsoft had released a patch in 2002. It doubled in size every 8.5 seconds, and infected more than 90 percent of vulnerable hosts within 10 minutes. It eventually infected at least 75,000 hosts and caused network outages that resulted in:

Cancelled airline flights

Interference with elections

Bank ATM failures

Tips for Prevention

The Common Best Practices

Trojan Horses

A trojan horse is a non-replicating program that appears legitimate, but actually performs malicious and illicit activities when executed. Attackers use trojan horses to steal a user's password information, or they may simply destroy programs or data on the hard disk.

A trojan horse is hard to detect as it is designed to conceal its presence by performing its functions properly.

Some recent examples are:

Trojan horses embedded into online game plug-ins which will help online gamer to advance their game characters; however, the online game account and password are also stolen. The gamer's cyber assets are therefore stolen.

Trojan horses are embedded into popular commercial packages and uploaded to websites for free download or to be shared across peer-to-peer download networks.

Trojan horses are particularly dangerous due to the fact that they can also open a back door into a system and allow an attacker install further malicious programs on your computer. Back Orifice and SubSeven are two well-known remote access trojan horses that allow attackers to take control of a victim's computer.

Tips for Prevention

Besides the following The Common Best Practices, you should:

Install a file and directory integrity checker.

Be alert to suspicious hard disk activity and/or network activity e.g. if your hard disk access LED light is always on.

Be alert to suspicious deletion or modification of files.

Check if your system is accessed without your knowledge, e.g. your email accounts.

Spyware & Adware

Spyware is a type of software that secretly forwards information about a user to third parties without the user's knowledge or consent. This information can include a user's online activities, files accessed on the computer, or even user's keystrokes.

Adware is a type of software that displays advertising banners while a program is running. Some adware can also be spyware. They first spy on and gather information from a victim's computer, and then display an advertising banner related to the information collected.

A system with spyware / adware installed may display one or more of the following symptoms:

The default start page of the web browser is changed to another website and/or new items are added to the Favourites folder without the user's consent. The user cannot undo the changes, and these browser hijackers force the user to visit the unwanted websites in order to, for example, inflate the hit rate of the websites for higher advertising value.

Pop-up windows with advertisements open on the screen even when the user's browser is not running or when the system is not connected to the Internet.

New software components, such as browser toolbars, are installed on a user's computer without his or her permission.

Suspicious network traffic appears on the user's computer when he or she is not performing any online activities.

However, there are some spyware carefully programmed to avoid being noticed, and hence cannot be picked up by the above abnormalities. This type of spyware can only be detected and removed by anti-spyware products / tools.

Tips for Prevention

Besides the following The Common Best Practices, you should:

Not download / install software from suspicious sources such as websites, peer-to-peer file sharing sources, etc.

Read the terms and conditions of use, even before downloading and installing a legitimate piece of software, because they may require you to accept that an adware or spyware system be installed.

Read the terms of use carefully when you are asked to install a plug-in or use active content when visiting some websites.

Review the information provided by certain search engines whose search results may contain malicious code. This may help in avoiding dangerous or untrustworthy websites via search links.

Install browser toolbars that can help filter out adware and spyware.

Install anti-spyware and anti-adware software.

Rootkit

A rootkit is a collection of files that alter the standard functionality of an operating system on a computer in a malicious and stealthy manner. By altering the operating system, a rootkit allows an attacker to act as system administer on the victim's system. (Or the "root" user in a Unix system - hence the name "rootkit".)

Many rootkits are designed to hide their existence and the changes they made to a system. This makes it very difficult to determine whether a rootkit is present on a system, and identify what has been changed by the rootkit. For example, a rootkit might suppress directory and process listing entries related to its own files.

Rootkits may be used to install other types of attacker tools, such as backdoors and keystroke loggers. Examples of rootkits include LRK5, Knark, Adore, and Hacker Defender.

Tips for Prevention

The Common Best Practices

Active Content

Unlike the traditional methods of working with static data files using a software program, today's data objects, such as web pages, email and documents can interweave data and code together, allowing dynamic execution of program code on the user's computer. The fact that these data objects are frequently transferred between users makes them efficient carriers of viruses. The transparency of code execution can be a security concern.

The two main 'active content' technologies are ActiveX controls and Java. In general, ActiveX poses a greater threat because it has direct access to native Windows calls, and hence any system function. Java, on the other hand, is "sandboxed" or insulated from operating system services by the Java Virtual Machine. However, this does not mean that there will never be a Java virus.

Tips for Prevention

Besides the following The Common Best Practices, you should:

Watch out for any abnormal machine behaviour:

Programs taking much longer than usual to execute.

A sudden reduction in system memory, or available or disk space.

The browser home page was changed.

Some websites cannot be accessed anymore.

Not install any active content from suspicious websites. Instead of selecting the decline option at the installation page, you should close the browser. This is because some installation pages may be a visual spoof, installing active content no matter which option is chosen. If it is not successful, you may consider using the task manager to force quit the browser.

Zombies & Botnets

A zombie computer, usually known in the short form zombie, is a computer attached to the Internet that has been compromised and manipulated without the knowledge of the computer owner. A botnet refers to a network of zombie computers that have been taken over and put under the remote control of an attacker.

A botnet might consist of thousands of zombie computers, and even more. The zombie computers in the botnets can consist of computers at homes, schools, businesses and governments scattered around the world.

A zombie computer itself may only be slowed down slightly, or displaying mysterious messages. However, the whole botnet can be used by the attacker for a massive attack, such as DDoS (the Distributed Denial of Service) attack, against another system or network. Due to the large number of machines in a botnet, the aggregate computing power can be enormous when all these machines work together to launch a DDoS attack against a single target.

You should protect your machines or systems from becoming zombie computers.

Others

Virus Hoax

A virus hoax is a false virus warning, usually in the form of an email message. It suggests the reader to forward the message to others, resulting in a rapidly growing proliferation of emails that may overload systems.

Mobile Device Virus / Worms

Like any computing platform, mobile devices are also susceptible to malicious code attacks. Although at present, malicious codes for handheld devices and smart phones are not that common, there is likely to be an increase as the functionality of mobile applications increase and with the wider deployment of these devices.

The open architecture of mobile application development environments, often with extensive software development documentation and tools, also allow attackers to create malicious code for these platforms quite easily.

Malicious code can infect mobile devices in several ways. These include:

Via email SMS or MMS: a message containing a hyperlink to a malicious code is sent to entice a user to select the link and download the code. Alternatively, the code can be sent in an email as an attached file and infect the device when executed. Similarly, malicious code can also be propagated via MMS messages. SymbOS / Commwarrior.M is a worm that is capable of spreading via MMS messages on Symbian Series 60 devices.

Via desktop synchronisation: the worm Cxover is one such an example. Cxover is a proof-of-concept worm that can affect both Windows PC and Windows Mobile devices. If it is executed on a Windows Mobile device, it will copy itself to the computer over an ActiveSync connection. If it is executed on a Windows PC, it will search for any handled devices connected over ActiveSync and copy itself to the device.

Via Bluetooth, Infra-red or Wi-Fi: the first worm capable of spreading via Bluetooth was discovered in June 2004 and was named Cabir. It was a proof-of-concept worm for Symbian OS Series 60 smart phones but it has not been found in the wild since then. The worm required several interactive steps on the part of the recipient in order to execute. An attacker who intentionally sends a malicious program to trick the recipient into accepting it can also exploit the potential weakness of Bluetooth.

Logic Bombs

A logic bomb is a program code which is embedded in another program, and can be activated when a certain predefined criteria are met.

For instance, a time bomb will attack a system and erase all data if a licence key or another program code is not found in the system. In some cases, a logic bomb will inform the attacker via the Internet that the bomb is ready to attack the victim.

Trap Door

A trap door is a secret entry point into a program that is intentionally included in the program code. While it can facilitate debugging during program development, it may be used for malicious purposes as well.

Common Obfuscation Techniques

The following are common obfuscation techniques used by malicious code developers and writers to evade detection and destruction:

Binders and Packers
Most virus signature files are created based on the checksum value which makes use of the file properties and first few bytes of the malicious code binaries. The binders technique is to bind the virus and malicious code file on to another file, which changes its form. The packers technique is to compress the virus code before it is embedded.

Self-Encryption and Self-Decryption
Malicious code may encrypt and decrypt itself, even using several layers of encryption and decryption and/or using random keys in encryption and decryption. This makes them harder to examine directly.

Polymorphism
Malicious code can change its default encryption settings as well as the decryption code during self-encryption. These make it much more difficult to detect.

Metamorphism
Malicious code change its form by, for instance, rearranging its code fragments or/and by adding useless lines of code into its source, and recompiling itself into a new form.

Code conversion to a VB (Visual Basic) script
This method converts an executable program (.exe) into a visual basic script (.vbs) file that can be attached to a document, data files or email messages.

Stealth
The technique is designed to evade anti-virus software detection by hiding the code itself. One example is to monitor system calls to files; the malicious code then modifies the return information to the process call by returning only original information.

Growing Risk

The risks posed by malicious code are on the rise, due to fundamental changes in the threats and purposes that malicious code is put to. Instead of just causing a nuisance and being destructive, malicious code attacks are becoming more motivated by financial gain. Attackers are increasingly sophisticated and organised, adopting methods that are similar to traditional software development and business practices.

It has been shown that the amount of time between the discovery of a software vulnerability and attempts to exploit that vulnerability via attacks from new computer viruses/worms is continuously decreasing. In addition, it takes time for anti-virus vendors to develop virus and malicious code definitions, so there is always a chance that your anti-virus software cannot detect newly discovered malicious code in time. Thus, your computer is still vulnerable to virus attack if other security best practices are not put in place.

Your computer system could be infected if:

a user is lured into installing or opening a malicious attachment / program / plug-in from an un-trusted source or from a email

a user is lured into visiting a malicious website

the computer is not properly , so attackers take advantage and exploit a vulnerability

the computer is not properly configured, so attackers take advantage and exploit a vulnerability

Symptoms of Infection of Malware

Protection Against Malware

Anti-virus Information

Virus Bulletin

Virus Databases

(The following list contains links to commercial product/service vendors for reference purpose only and should NOT be regarded as a list of InfoSec recommended or approved products and services.)

F-Secure Security Advisories

McAfee Threat Center

Symantec Security Center

Trend Micro Threat Encyclopaedia