The term malware appears everywhere. What is that, actually?
The word malware is a combination of the two English words “malicious” and “software”, which roughly means malicious software. No computer user should be lulled into a false sense of security, whether on Windows, Linux or Mac: all operating systems are threatened by various types of malware. Even though Mac and Linux systems offer a smaller attack surface compared to Windows PCs, they are not spared from malware.
The dubious purpose of these types of programs is clear: they are intended to cause harm and can take a variety of forms. In principle, malware is the generic term for all types of malicious programs. When defining malware, it is important to point out that it operates without the consent of the computer user, or has hidden functions that it conceals so that it can carry out its task secretly. Software that allows you to harm others without putting yourself at a disadvantage is generally not included in this group; here one would rather talk about hacking tools.
All in all, the term can be interpreted relatively freely. The only thing that is certain is that it must always be software, small tools or other directly and indirectly executable files that are deliberately designed to cause harm in the broadest sense. Classic representatives of this category are: viruses, worms, Trojans and hijackers.
There are also several other types of malware, all of which act in a similar way to the main groups already listed. The boundaries between types of malware are fluid, so the classification should not be taken too literally.
Immature programs that cause data loss due to poor programming, for example, are no more malware than hoaxes (false virus reports) or normal spam emails, because they either do not cause the damage deliberately or are not executable (i.e. static).
Viruses
Viruses have four basic characteristics that distinguish them from harmless software: they reproduce without the user's knowledge or permission (replication), they are parasites, they have a destructive effect (payload), and they try to start themselves every time the operating system or a specific program is started so that they can cause further damage. Depending on the virus, one or two of these points may be absent.
Depending on how the virus was programmed and which group it belongs to, the malicious routine also differs. There are relatively harmless viruses that have little effect or just annoy the user, but there are also some that delete or corrupt files. Some of the destructive specimens format the hard drive or overwrite the BIOS. In the latter case, real hardware damage would occur. The original BIOS can only be restored by the manufacturer because no drive would be recognized from which you could renew (flash) the BIOS yourself. Either this adds up to high costs and long waiting times, or you have to buy a new motherboard. Fortunately, such dangerous viruses are the exception.
There is almost no activity where you cannot become infected. In the Internet age, opening a contaminated email attachment is probably the most common way. But it can also be enough to visit a malicious website (drive-by infection). In the past, distribution via infected diskettes was common practice. In general, any data carrier (don't forget USB sticks and memory cards), the network or downloaded software is a possible source. Simply any medium that can store or transmit data can also harbor a virus.
In order to activate a virus and thus contaminate (compromise) the computer, an interaction is usually required. This is usually achieved by the user opening or executing a file. A CD-ROM (DVD) left in the PC when booting can also lead to an infection. It is particularly easy to send a virus via email that pretends to offer interesting functions. Not only is this route very easy to use, but such viruses are also very easy to construct. Stolen email addresses that appear to belong to a known or reputable sender are used to deceive the victim.
If a virus scanner finds a virus that has not yet been activated, the system is not infected. However, if there are doubts, one should initially assume the worst when a virus is found.
Worms
Unlike computer viruses, worms do not infect other files. They are therefore independently working software and do not require a host file. Their main focus is on their mass distribution on the network or Internet and less on the local reproduction or infection of files. However, since this goal is pursued without the knowledge or consent of the computer owner, the worms, which are often not destructive, can still be described as harmful.
Strictly speaking, one would even have to differentiate between a computer worm and a computer worm segment. The segments are the individual worm files on the infected computers that try to spread further and the actual computer worm is the collective term for all the segments of a worm together. However, in user practice this distinction is no longer made.
In principle, the damage caused by most worms lies in their spread. In doing so, they generate Internet traffic and take up computer resources. This means that your computer will become slower and you may have an increased online bill. The Internet's infrastructure is also put under a heavy burden by all the worms, as they cause a lot of traffic and costs by sending their copies en masse. Sometimes they are also used to carry out attacks on web servers (DDoS attacks) from many thousands of infected computers at the same time, so that the servers become overloaded and can no longer be reached. An error in the programming of the worm can sometimes lead to harmful side effects (such as shutting down the operating system). Some worms even carry a special payload (damage routine) and, in addition to spreading, delete or manipulate files on the infected system. Strictly speaking, however, these are hybrid worms because their malicious routines contain characteristics of other malware such as viruses.
Worms are also used to send mass spam emails (spambot network) or to spread the ideological views of some contemporaries.
As a rule, distribution takes place via email. To do this, a worm sends copies of itself to all email addresses it finds on your computer. It looks for these not only in address books and databases, but in almost all files that can contain text. For the actual sending, it uses either its own SMTP engine (a mini e-mail program for sending e-mails), which it brings with it, or an e-mail account that has already been set up on the computer. To prevent the true sender of such a worm email from being identified quickly, which would contain the infection, today's worms forge the sender addresses. It can therefore happen that the sender shown in the worm email is not infected at all and only their address has been misused. For this reason, it makes no sense to respond to a worm email and warn of an infection or even vent your anger. Unfortunately, some network administrators and webmasters have not yet fully understood this and send automatic notifications when they receive a worm email. So if you receive an email saying that you are infected with worm xyz and are continuing to send it, this does not mean that this is actually the case. It's just an indication that someone is infected with this worm and has saved your email address on their computer.
Worms that use this distribution method are called mass-mailing worms. They generate a short text in the email indicating that there is further information in the attachment. If you open such an attachment out of curiosity, you will also become infected with the worm and spread it further. In parallel to the e-mail distribution, such worms often place a few dozen copies of themselves in network shares or file-sharing directories, with file names that are intended to encourage people to open them. Anyone who downloads such a file from a file-sharing network or finds and opens it on the network will also become infected.
Another way worms spread is through security holes in the operating system. The efficiency is impressive. In such a case, a worm starts from an already infected computer and searches parts of the Internet or network for other computers that have the same security vulnerability. Once it finds one, it sends a copy of itself to that computer. The worm takes advantage of the fact that the user does not have to take any action. An active connection to the Internet or other computers is enough to become infected. You don't have to open email attachments or visit websites. Two world-famous examples of this category are Blaster and Sasser. Normally, this type is simply referred to as network worms.
Trojans
Trojan horses are designed to spy on an infected computer according to a predetermined scheme and to gain backdoor access to the system. Therefore, such a pest has no interest in spreading further on its own. It is much more important for it to get onto the computer undetected and stay there.
True to their historical example, Trojan horses often creep onto your computer as seemingly harmless or useful tools that you have downloaded or received yourself. If you open such a file, the malware installs itself unnoticed on the system: because the carrier program really can be used, it serves as camouflage and you generally do not become suspicious.
But there are also some that put in significantly less effort. Although they also pretend to be a useful program, only an error message appears when you try to use it - but the Trojan installs itself anyway. How these files get onto the computer varies widely. However, it is often likely to happen via email, file sharing, instant messenger, a normal download, or third-party storage media. In such cases, it is up to you to recognize dubious executable files and not open them. If you are already infected with another piece of malware, it is also possible that Trojans will be dropped (downloaded from the Internet and stored on your computer without your consent and knowledge). In that case the Trojan can also be activated without any interaction from you.
Once they are installed on the target computer and are therefore active, the damage can be immeasurable.
- Data is deleted or encrypted
- Data is blocked
- Data is copied
In extreme cases, it can take months before you become suspicious and examine your computer more closely. In the meantime, the Trojan can take its time to explore your passwords, credit card numbers and account details and send them to its author, who can then misuse them.
Industrial espionage and obtaining other confidential data are popular goals of a Trojan. This may sound a bit far-fetched for private individuals, but attempts are likely to be commonplace nonetheless. Medium-sized companies in particular often underestimate the enormous potential for danger.
Hijacker
Hijackers are a “further development” and combination of aggressive spyware and Trojan horses that, for example, infect the browser while surfing and permanently change some settings selected by the user without asking. This most often shows up as a modified home or search page, but can also have much more serious consequences. It is not uncommon for the Windows “hosts” file to be changed in such a way that it is no longer possible to access particular websites where you could get help against hijackers, or the request is redirected to a completely different site. The word hijacker comes from English and originally stands for the unwanted redirection of search queries.
The most common malicious functions are definitely the aforementioned changes to the start and search pages of the browser, redirecting to websites that were not requested, blocking individual websites and displaying unwanted advertising. In addition, other malware can be installed and advertising links can be added to the favorites, the start menu and the desktop. It also happens that in some cases Windows functions are no longer usable (for example opening the task manager) or system files are changed. Of course, all of this can only be achieved through massive system changes, which can often no longer be traced back precisely and reach deep into the registry. If you want to be on the safe side, install good virus protection software that detects hijackers and removes them without leaving any residue.
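A defensive check for the hosts-file tampering described above, as an added example that is not part of the original article: it parses hosts-file text and reports every entry that blocks a name (loopback or 0.0.0.0) or redirects it to another address. The sample content, the `.example` domains and the `watched` parameter are constructed for illustration.

```python
import ipaddress

# Names a default hosts file normally carries; everything else gets reported.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                "ip6-loopback", "broadcasthost"}

# Constructed sample, not taken from a real infection.
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         help.av-vendor.example   # site becomes unreachable
203.0.113.50    www.search.example search.example
"""

def audit_hosts(text, watched=()):
    """Return (line_no, hostname, address, verdict) for entries worth reviewing.

    watched: domains you expect to reach directly (assumption: for example
    the site of your antivirus vendor); hits get a '-watched' suffix.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        fields = entry.split()
        if len(fields) < 2:
            continue                               # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, None, fields[0], "malformed"))
            continue
        for name in fields[1:]:                    # one address, many names
            name = name.lower().rstrip(".")
            if name in BENIGN_NAMES:
                continue
            # Loopback or 0.0.0.0 makes the site unreachable; any other
            # address silently sends the browser to a different server.
            blocked = addr.is_loopback or addr.is_unspecified
            verdict = "blocked" if blocked else "redirected"
            if any(name == w or name.endswith("." + w) for w in watched):
                verdict += "-watched"
            findings.append((line_no, name, str(addr), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watched=("av-vendor.example",)):
        print(finding)
```

Findings need review rather than automatic deletion, since ad-blocking lists and local development names also produce such entries.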
How can I avoid malware infections?
- Do not open suspicious email attachments. Unfortunately, the problem cannot be solved by paying attention to EXE files in email attachments. All types of executable files are suitable for transporting malware. Just don't open suspicious emails!
- Nobody will voluntarily download a malicious program onto their system. Malware developers therefore have to disguise their products. Therefore: Do not start downloaded files without first checking them with the virus scanner.
- Check regularly whether all programs (operating system, browser…) are up to date.
- On Windows: Use a user account with limited rights.
- The best defense against malware is to back up your data regularly.
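The first tip notes that watching for EXE attachments is not enough. As an added example (not part of the original article), this check looks at both the file name and the first bytes of the content, flagging executable extensions, decoy double extensions and executables hiding behind a harmless-looking name. The extension lists are illustrative assumptions and the sample inputs in the comments are constructed.

```python
import os

# Well-known leading bytes of native executables on Windows, Linux and Mac.
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
]
# Illustrative, not exhaustive (assumption).
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
             ".vbs", ".jar", ".lnk", ".hta", ".ps1", ".msi"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}

def assess_attachment(filename, data):
    """Return a list of reasons to treat an attachment as suspicious."""
    reasons = []
    stem, ext = os.path.splitext(filename.strip().lower())
    inner_ext = os.path.splitext(stem)[1]          # e.g. ".pdf" in x.pdf.exe
    if ext in RISKY_EXT:
        reasons.append(f"executable extension {ext}")
        if inner_ext in DECOY_EXT:
            reasons.append(f"double extension {inner_ext}{ext}")
    for magic, label in MAGIC:
        if data.startswith(magic):
            # The content is a program although the name claims otherwise.
            if ext not in RISKY_EXT:
                reasons.append(
                    f"content is {label} but name ends in {ext or '(none)'}")
            break
    return reasons

if __name__ == "__main__":
    # Constructed inputs: only the first bytes of each file are given.
    print(assess_attachment("Invoice.pdf.exe", b"MZ\x90\x00"))
    print(assess_attachment("holiday.jpg", b"MZ\x90\x00"))
    print(assess_attachment("holiday.jpg", b"\xff\xd8\xff\xe0"))
```

An empty result does not mean the file is safe: documents with macros and archives are not covered, so the virus scanner check from the second tip still applies.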
Author: Felix Bauer | Security Consultant
Web: https://www.felix-bauer-it.de/
Twitter: https://twitter.com/FelixBauer100
Article image: Shutterstock / By thodonal88

