The mechanics of malware
Posted on 17 Aug 2007 at 11:22
How do viruses, trojans and other types of malware evade security software? Davey Winder explains exactly why they continue to thrive.
Ever felt like you're fighting a losing battle? That sums up many people's attitude to computing in the internet age: despite the best efforts of security vendors and software developers alike, malware not only exists, but continues to evolve and plague computer users.
Why does malware continue to thrive? The patronising answer would be that newbie users are behaving like amateurs and ignoring basic security practice. There's a kernel of truth in that, but it isn't only the newbie who clicks links they shouldn't, and it isn't only the novice who's fooled into running nefarious executables by technical and social-engineering techniques.
The crux of the problem is that threats have changed dramatically in recent years, with the rise in malware mirroring the rise in broadband popularity. As the number of online users grows, and the technology used to connect to the net becomes simultaneously simpler at the front end yet more complex behind the scenes, so the opportunity to make money expands. And that's where the answer to the "why?" question can be found: no longer are viruses the hobby of the über-nerd; malware has evolved into what most IT security experts quite rightly refer to as crimeware. Scatter-gun attacks are on the way out; targeted and financially motivated strikes are the new modus operandi.
But while everyone has heard terms such as worm, trojan, phishing and rootkit bandied about, how many people actually understand how they exploit security weaknesses? By understanding how malware works, you get one step closer to stopping it.
There's a great deal of misinformation when it comes to describing malware attacks. The terms worm, virus and trojan are used almost interchangeably, for example, yet the three threats are actually quite distinct.
The quick-and-dirty definition is that a virus spreads by attaching itself to something, and requires human interaction (running a program, forwarding an email attachment) to be distributed and replicated. A worm can self-replicate without any human intervention (sending copies of itself to everyone in your email contacts list, for example) and can exploit your network and the internet beyond to multiply very quickly indeed. The trojan, named after the mythical Trojan horse, hides within another container, be that a file or application, but can't self-replicate or spread by infecting other files.
Just for fun, we can add the blended threat into the malware mix, combining the worst characteristics of all three: stealth, replication and payload. Using server and internet application vulnerabilities, they can spread rapidly without human intervention, doing vast amounts of damage courtesy of the multiple attack payload (for example, Denial-of-Service, backdoor installation and data theft).
Like their biological counterpart, viruses replicate and mutate. Consequently, they can avoid being snared by your security software's byte-pattern signature detection by changing key text within the code payload, or by rewriting part of the code itself, every time they're copied.
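To make the point concrete, here is an added example (not part of the original article) of why an exact byte-pattern signature is fragile: the "payload" bytes and the mutated copy are constructed, harmless byte strings, and the wildcard notation is a simplified, YARA-like form chosen for illustration.

```python
import re

# Constructed stand-ins for a code fragment and a mutated copy of it.
# These are arbitrary bytes for illustration, not real malware.
ORIGINAL = bytes.fromhex("b800000000e810000000cc9090c3")
# The mutated copy differs only in the four bytes after the first opcode,
# the kind of small change a self-modifying virus makes on each copy.
MUTATED = bytes.fromhex("b82a000000e810000000cc9090c3")

# An exact signature: a contiguous slice of the original fragment.
EXACT_SIG = bytes.fromhex("b800000000e810000000")

# A wildcard signature: "??" matches any single byte, so the variable
# bytes are skipped while the stable surrounding bytes still anchor it.
WILDCARD_SIG = "b8 ?? ?? ?? ?? e8 10 00 00 00"


def exact_match(data: bytes, sig: bytes) -> bool:
    """Classic byte-pattern scan: substring search for the literal signature."""
    return sig in data


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Turn a space-separated hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")  # any one byte (DOTALL makes '.' match 0x0a too)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def wildcard_match(data: bytes, pattern: str) -> bool:
    return compile_hex_pattern(pattern).search(data) is not None


def scan(data: bytes) -> dict:
    """Report which signature styles fire on a given byte string."""
    return {
        "exact": exact_match(data, EXACT_SIG),
        "wildcard": wildcard_match(data, WILDCARD_SIG),
    }


if __name__ == "__main__":
    print("original:", scan(ORIGINAL))  # both signatures match
    print("mutated: ", scan(MUTATED))   # only the wildcard signature matches
```

The exact signature misses the mutated copy after a single-byte change, which is why real scanners combine wildcard signatures with emulation and heuristics rather than relying on literal byte strings alone.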
They've come a long way since the first known "in the wild" example, Elk Cloner, was discovered in 1982 on the Apple DOS 3.3 OS, or the first PC virus, (c)Brain, four years later. But today's viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory upon execution and transfers control to the host program, then infects new hosts as infected files are accessed. A non-resident virus will check executable files on the system for infection and, if they are uninfected, replicate into them before transferring control to the host program. Cavity viruses such as CIH will infect without increasing the host file size, overwriting unused parts of the executable, in an effort to make antivirus software detection harder.
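As an added illustration (not from the original article) of why cavity infection defeats size-based checks, the snippet below builds a constructed in-memory "executable" with an unused zero-filled region, simulates an in-place overwrite of that region, and compares a size-only integrity check with a hash-based one; the host layout and the overwrite helper are simplified assumptions for the demonstration.

```python
import hashlib

# Constructed "host executable": a header, some code bytes, an unused
# zero-filled region (the cavity), and a trailing return. Not a real PE file.
HOST = b"MZ" + b"\x90" * 16 + b"\x00" * 64 + b"\xc3"

# Constructed harmless filler standing in for code written into the cavity.
FILLER = b"X" * 40


def fingerprint(data: bytes) -> dict:
    """What a simple file-integrity baseline would record for a file."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def overwrite_cavity(host: bytes, payload: bytes) -> bytes:
    """Simulate a cavity infection: write payload over unused zero bytes
    without changing the file's length. Raises if no cavity is big enough."""
    start = host.find(b"\x00" * len(payload))
    if start == -1:
        raise ValueError("no zero-filled region large enough for payload")
    return host[:start] + payload + host[start + len(payload):]


def size_check_detects(before: dict, after: dict) -> bool:
    """Integrity check that only compares file sizes."""
    return before["size"] != after["size"]


def hash_check_detects(before: dict, after: dict) -> bool:
    """Integrity check that compares cryptographic hashes of the contents."""
    return before["sha256"] != after["sha256"]


def compare_checks(host: bytes, payload: bytes) -> dict:
    before = fingerprint(host)
    after = fingerprint(overwrite_cavity(host, payload))
    return {
        "size_check": size_check_detects(before, after),
        "hash_check": hash_check_detects(before, after),
    }


if __name__ == "__main__":
    print(compare_checks(HOST, FILLER))  # size check misses it, hash check catches it
```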