Overview

When we talk about viruses, worms and Trojan horses, we generally mean software that has a damaging effect. The generally accepted generic term for this is "malware" (from "malicious" + "software") in German as well as English. Malware covers all programs that aim to cause damage by making electronic data inaccessible, changing it, deleting it or giving unauthorized third parties access to it. Malware always has a damaging function (called the payload), and its effects differ: some malware merely wants to announce its existence in a harmless way, other malware spies on your personal data or even wipes your hard drive. Malware can be divided into three groups: Trojan horses, worms and viruses. Spyware and 0190 diallers are classed as Trojan horses. In a broader sense, malware also includes hoaxes.

Trojan Horses

Trojan horses - often also incorrectly referred to as Trojans - differ from worms and viruses in that they do not replicate themselves. Following the example of its historical namesake, the name "Trojan horse" refers to a program that pretends to perform a particular function the user wants. In addition, however, a Trojan horse contains a hidden program component which, at the same time, opens a backdoor into the affected computer and can thereby allow almost full access to the affected system without the user noticing.
The ways in which Trojan horses conceal themselves are almost unlimited. They can hide in the command-line tools UNIX system administrators use, such as passwd, ps or netstat (simple rootkits), or turn up as Remote Access Trojans (known as RATs or also backdoors). These insidious programs are also sent as screen savers or games via e-mail. Running the program once is enough for the malware to infect the system.

Common characteristics of viruses and worms

Viruses and worms are made up of the following parts:

Replication component

This program component propagates the virus and is mandatory for every virus and worm. The infection can be spread via diskettes (and other exchangeable media), shared folders, network scans, peer-to-peer networks, emails and instant messages. Malware programs make use of a wide range of attack points, although some are only effective on a specific combination of hardware, software and operating system.

Detection component

The detection component scans a system to check whether it is already infected with this virus. Each host program is infected only once, which lets the virus spread more quickly and avoid detection.

Harmful component

The harmful payloads accompanying viruses and worms can be divided into the following groups:

  • Attackers use backdoor programs to gain access to the computer and the data on it, so that they can manipulate data or launch denial-of-service attacks.
  • Data can be manipulated. This ranges from (more or less amusing) messages, displays and noises to the deletion of files and drives.
  • Access to data can, for example, be prevented by encryption.
  • Information can also be discovered or spied on and distributed. These attacks target passwords, credit card numbers, login names and other personal data as well as corporate secrets.
  • Infected computers are often exploited for Denial of Service (DoS) attacks. DoS attacks aim to overload a service or website with excessively high numbers of queries. If the attacks originate from a single source, they are very easy to counteract. Distributed Denial of Service (DDoS) attacks therefore exploit infected computers to support the attacks. The objective of DoS and DDoS attacks may be to crash the target system, to overload the bandwidth and memory or to make it impossible for users to find the service on the network.
An explicit harmful component is not always present. Even so, the wasted computing time, the consumed network bandwidth and the occupied memory still constitute a payload.

Conditional component

Both the distribution and the harmful payload can be programmed to be dependent on conditions.

  • In the simplest case, the malicious code starts automatically, without the victim noticing it.
  • In some cases, the payload has to be started by the victim. This can involve running a contaminated program, opening an email attachment or even responding to phishing for personal data.
  • The launch of the malicious code can also be linked to conditions. For example, for some viruses the damage occurs on a certain date or after a certain number of accesses. The execution can also depend on certain programs being present on the computer.

Camouflage component

Worms, Trojans and viruses try to protect themselves from discovery by users and virus scanners. They use a range of mechanisms to do this.

  • For example, they recognize when debuggers are running, or protect themselves with superfluous and confusing lines of (assembly) code.
  • They hide the traces of an infection. This includes falsifying status reports and log entries. A virus residing in memory can lead the system to believe that the memory space it occupies is still occupied by the program it has previously displaced. This behaviour is particularly characteristic of rootkits.
  • Some viruses encrypt themselves and/or their harmful code to avoid detection. The encryption varies: the same key may be used every time, the key may be taken from a fixed list (oligomorphic virus), or an unlimited number of new keys may be generated (polymorphic virus).
  • Runtime packers restructure executable files so that they can only be detected with new virus signatures.

Worms

Unlike viruses, a worm does not attach itself to executable files. It spreads by transferring itself via networks or computer connections to other computers.

Network worms

Several ports on randomly selected network computers are scanned and, if an attack is possible, weak points in the protocols or their implementations (e.g. in IIS) are used to spread the worm. Infamous representatives of this type include "Lovsan/Blaster" and "CodeRed".
Sasser exploits a buffer overflow error in the Local Security Authority Subsystem Service (LSASS) and infects computers while they are connected to the Internet.

Email worms

A worm spread via email can use the available email programs (e.g. Outlook, Outlook Express) or it may bring its own SMTP mail engine with it. Aside from the resulting network traffic and the increased use of system resources, worms may contain other harmful payloads. Notable email worms include Beagle and Sober.

Peer-to-peer worms

P2P worms copy themselves into the shared folders of P2P file-sharing services such as eMule, Kazaa etc. There they wait for potential victims, using enticing file names of current software or celebrities.

Instant Messaging Worms

IM worms use chat programs to spread themselves. In doing so, they do not rely solely on the file transfer functions; even more frequently they send a link to a harmful website. Many IM worms are even able to chat with their would-be victims.

Viruses

Viruses also aim to reproduce themselves and spread to other computers. To do so, they attach themselves to other files or embed themselves in the boot sector of data carriers. They are often smuggled onto the PC undetected on exchangeable media (e.g. diskettes), via networks (including peer-to-peer), by email or via the Internet.

Viruses can attach themselves to many different parts of the operating system and can function using the widest range of different channels. They can be divided into the following categories:

Boot sector viruses

Boot sector or MBR viruses (master boot record viruses) position themselves in front of the actual boot sector of data media, so that when the computer boots from this medium the virus code is read first and only then the original boot sector. This lets the virus embed itself in the system undetected, after which it also runs whenever the hard disk boots. Often the virus code remains in memory after it has infected the system; such viruses are known as memory-resident. The virus is then passed on to diskettes when they are formatted, enabling it to spread to other computers. However, boot sector viruses are not only activated during formatting: a virus can also be transferred from an infected diskette when the DOS DIR command is run. Depending on the malware routine, boot sector viruses range from a mere nuisance to extremely dangerous. The oldest and most widespread virus of this type is called "Form".
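Because a boot sector virus has to overwrite the first bytes of the MBR to be read before the original boot code, the classic defensive check is to record a fingerprint of the boot code region and compare the sector against it later. The following is an added example, not code from the original article: it parses a 512-byte MBR, fingerprints the 446-byte boot code (the partition table is excluded because it may legitimately change), and flags a constructed tampered sector. All sector contents are constructed sample data, not real disk images.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of every valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot record into its three regions."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries follow the boot code
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}

def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline: str) -> list:
    """Return findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline:
        findings.append("boot code differs from baseline")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample sector (not a real disk image) around the given boot code."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # One active FAT32 partition (type 0x0C) starting at LBA 63, 204800 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C, b"\xFE\xFF\xFF", 63, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed clean sector with a typical bootstrap prologue (cli; xor ax,ax; mov ss,ax; mov sp,7C00h).
CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = boot_code_fingerprint(CLEAN_MBR)
# Constructed tampered sector: foreign code now sits at the front and the original prologue is pushed back.
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3E" + b"\x90" * 62 + CLEAN_MBR[:8])
```

On a real system the baseline would be taken from the first 512 bytes of the disk device right after installation and stored off the machine; a memory-resident stealth virus can feed the scanner a clean copy, so the comparison is only trustworthy when the sector is read from a boot medium that is known to be clean.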

File viruses

Many viruses take the opportunity to hide themselves in executable files. This is achieved either by deleting or overwriting the host file or by the virus attaching itself to the file. In the latter case the executable code in the file remains functional. If the executable file is run, the virus code, mostly written in assembly language, starts first and then the original program starts (if it has not been deleted).

Multipartite viruses

This type of virus is particularly dangerous, as its representatives not only infect executable files, but also the boot sector (or partition table).

Companion viruses

Under DOS, a COM file is executed before an EXE file of the same name when only the bare program name is typed. A companion virus exploits this by placing a COM file with the same name next to an existing EXE file, so that the virus runs first and then passes control to the original program. In the era when computers were frequently or exclusively operated via command-line instructions, this was an effective mechanism for running harmful code on a computer undetected.
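The mechanism can be checked for from the defender's side: the DOS lookup order (COM, then EXE, then BAT) determines which file a bare command name runs, so a COM file that shares its base name with an EXE file in the same directory is exactly the pattern a companion virus leaves behind. The following is an added example, not code from the original article; the directory listing is constructed, and scan_directory() is an assumed convenience wrapper for real directories.

```python
import os

# DOS searches for a bare command name in this order; the first hit wins.
DOS_EXTENSIONS = (".COM", ".EXE", ".BAT")

def dos_resolve(command: str, names):
    """Return the file DOS would run for a bare command name, given a directory listing."""
    by_upper = {n.upper(): n for n in names}
    for ext in DOS_EXTENSIONS:
        hit = by_upper.get(command.upper() + ext)
        if hit is not None:
            return hit
    return None

def companion_candidates(names) -> list:
    """Return (COM, EXE) pairs sharing a base name: the COM file shadows the EXE file."""
    by_base = {}
    for n in names:
        base, ext = os.path.splitext(n)
        by_base.setdefault(base.upper(), {})[ext.upper()] = n
    return sorted((f[".COM"], f[".EXE"]) for f in by_base.values()
                  if ".COM" in f and ".EXE" in f)

def scan_directory(path: str) -> list:
    """Run companion_candidates() over the regular files of a real directory."""
    with os.scandir(path) as entries:
        return companion_candidates(e.name for e in entries if e.is_file())

# Constructed listing of a DOS program directory: EDIT.COM shadows EDIT.EXE.
SAMPLE_LISTING = ["COMMAND.COM", "EDIT.EXE", "EDIT.COM", "FORMAT.EXE", "README.TXT", "RUN.BAT"]
```

The heuristic also flags legitimate programs that ship both a COM and an EXE file, so each hit needs a look at the COM file itself (size, creation date, whether it launches the EXE) before it is treated as an infection.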

Macro Viruses

Macro viruses also attach themselves to files. However, they are not executable on their own. Furthermore, macro viruses are not written in assembly language but in a macro language such as Visual Basic, and they require a macro language interpreter, as found in Word, Excel, Access and PowerPoint, in order to run. Otherwise, macro viruses behave in the same way as file viruses: they can also disguise themselves and, in addition, contaminate the boot sector or create companion viruses.

Stealth viruses and rootkits

Stealth or camouflage viruses have special protective mechanisms to escape detection by virus scanning programs. To do this they take control of various system functions. Once this state has been reached, these viruses can no longer be detected during normal access to files or system areas: they deceive the virus scanner into believing a file is not infected, or make the file invisible to the virus protection. The camouflage mechanisms of stealth viruses do not start working until the virus is resident in RAM.

Polymorphic viruses

Polymorphic viruses contain mechanisms to change their appearance with each infection. To make this possible, parts of the virus are encrypted. The encryption routine built into the virus generates a new key for each copy and sometimes even new encryption routines. Command sequences that are not required for the virus to operate can also be substituted or randomly rearranged. In this way, billions of variants of a virus can easily be created. To reliably detect and remove encrypted and polymorphic viruses, classic virus signatures are often not enough; in most cases, special programs must be written. The effort required for analysis and for preparing suitable countermeasures can be extremely high. Thus, when it comes to viruses, polymorphic viruses may truly be regarded as the premier league.

Intended Virus

The term "intended virus" refers to a partially defective virus which initially infects a file but which is then unable to replicate itself.

Email viruses

Email viruses belong to the so-called "blended threat" category. Malware of this kind combines the properties of Trojan horses, worms and viruses. When the BubbleBoy virus appeared on the scene, it became widely known that a virus could be smuggled onto a PC via the preview function of an HTML mail. The dangerous virus code hides in HTML emails and exploits a security loophole in Microsoft Internet Explorer. The threat posed by these "combination viruses" should not be underestimated.

Trojan Horses

Trojan horses (TPs) do not have their own distribution routines. They are sent via email or lurk in file-sharing services or on websites. They are classified according to their harmful function.

Backdoors

Backdoors give an attacker covert access to the infected computer, so that it can be remotely controlled. Mostly this allows further software to be installed, and the computer is integrated with other zombie computers into a botnet. However, there are also legitimate uses for such software: many system administrators use remote maintenance programs to manage computers from wherever they are, which is very useful, especially in large organisations. This usually involves access by the system administrator with the knowledge and consent of the PC user. A backdoor program only becomes malware when these functions are used without the PC user's knowledge and harmful actions are carried out.

Adware

Adware records the activities and processes on a computer, such as surfing behaviour, and displays advertising when a suitable occasion arises, or manipulates the results of online searches.

Spyware

Spyware is used to steal data: passwords, documents, software registration numbers, email addresses and much more. The data are either searched for on storage media or filtered out of network traffic; the inputs to web forms (especially those of online banks) are also collected. In the worst case, the attackers then have access to every email account, forum and online shop the victim uses. Online criminals are fond of this kind of camouflage.

Downloaders and droppers

Many Trojan horses have a specific task. The aim of downloaders and droppers is to load or copy a file onto the infected computer. Often they first attempt to lower the computer's security settings.

Diallers

Diallers are often installed on a computer undetected. If the Internet connection is established via a modem, an expensive premium-rate number is then used the next time the user connects. In Germany, a number of conditions (price ceilings, registration) have been in force since a "Bill for the Prevention of Misuse of (0)190/(0)900 Premium Rate Numbers" was passed on 15 August 2003. Nevertheless, premium-rate diallers remain an annoying plague that can sometimes have serious financial consequences. You can find out more about dialler protection at www.dialerschutz.de.

Malware in the broader sense

For the sake of completeness, several annoying and occasionally harmful categories that do not belong to the malware group should also be mentioned here.

Hoaxes

Hoaxes are false alerts that are mostly spread via email. The recipient is urged to forward the alert to friends and colleagues, but such alerts are mostly intended only to cause panic.

Spam

A similarly costly and annoying plague is the sending of unsolicited advertising or propaganda mail. Modern anti-spam programs combine static methods (text analysis, mail server lists) and statistical methods (based on Bayes' theorem) to filter out unwanted mail.
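The statistical method mentioned above works by applying Bayes' theorem to the words in a mail: each word's frequency in previously seen spam and legitimate mail updates the odds that the new mail is spam. The following is an added example, not code from the original article or any particular anti-spam product: a minimal naive Bayes filter with add-one smoothing, trained on a constructed six-message corpus.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")

def tokenize(text: str) -> set:
    """Lower-case word tokens as a set, so each word counts once per mail."""
    return set(TOKEN_RE.findall(text.lower()))

class BayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # mails containing each word
        self.mails = {"spam": 0, "ham": 0}                   # mails seen per class

    def train(self, text: str, label: str) -> None:
        self.mails[label] += 1
        self.counts[label].update(tokenize(text))

    def word_prob(self, word: str, label: str) -> float:
        """P(word | label) with add-one smoothing, so an unseen word never yields 0."""
        return (self.counts[label][word] + 1) / (self.mails[label] + 2)

    def spam_probability(self, text: str) -> float:
        """P(spam | words) by Bayes' theorem, accumulated in log space to avoid underflow."""
        total = self.mails["spam"] + self.mails["ham"]
        log_odds = math.log(self.mails["spam"] / total) - math.log(self.mails["ham"] / total)
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        for word in tokenize(text) & vocab:  # words never seen in training carry no evidence
            log_odds += math.log(self.word_prob(word, "spam")) - math.log(self.word_prob(word, "ham"))
        return 1 / (1 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        return self.spam_probability(text) >= threshold

# Constructed training corpus (not real mail): three spam and three legitimate messages.
TRAINING = [
    ("win a free prize now, click here", "spam"),
    ("cheap pills, free shipping, order now", "spam"),
    ("free money waiting, click now", "spam"),
    ("meeting moved to 3pm, see agenda attached", "ham"),
    ("can you review the report before the meeting", "ham"),
    ("lunch tomorrow? the agenda is short", "ham"),
]

def build_filter() -> BayesFilter:
    f = BayesFilter()
    for text, label in TRAINING:
        f.train(text, label)
    return f
```

With this corpus, "free prize, click now" scores 96/97 (each of its four words is 2 to 4 times as likely in spam), while "the meeting agenda is attached" scores 1/109; a real deployment would train on thousands of messages and keep the threshold high, since a false positive hides legitimate mail.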

Phishing

Phishing is the attempt to obtain personal data such as login names, passwords, credit card numbers, bank account access data etc. via bogus websites or emails; this often involves users being lured to bogus websites. In recent years this phenomenon has increased considerably, and Trojan horses have meanwhile accounted for billions in damage. You can find further information about this at www.antiphishing.org.