The mechanics of malware

17 Aug 2007

How do viruses, trojans and other types of malware evade security software? Davey Winder explains exactly why they continue to thrive.

Ever felt like you're fighting a losing battle? That sums up many people's attitude to computing in the internet age: despite the best efforts of security vendors and software developers alike, malware not only exists, but continues to evolve and plague computer users.

Why does malware continue to thrive? The patronising answer would be that newbie users are behaving like amateurs and ignoring basic security practice. There's a kernel of truth in that, but it isn't only the newbie who clicks links they shouldn't, and it isn't only the novice who's fooled into running nefarious executables by technical and social-engineering techniques.

The crux of the problem is that threats have changed dramatically in recent years, with the rise in malware mirroring the rise in broadband popularity. As the number of online users grows, and the technology used to connect to the net becomes simultaneously simpler at the front end yet more complex behind the scenes, so the opportunity to make money expands. And that's where the answer to the "why?" question can be found: no longer are viruses the hobby of the über-nerd; malware has evolved into what most IT security experts quite rightly refer to as crimeware. Scatter-gun attacks are on the way out; targeted and financially motivated strikes are the new modus operandi.

But while everyone has heard terms such as worm, trojan, phishing and rootkit bandied about, how many people actually understand how they exploit security weaknesses? By understanding how malware works, you get one step closer to stopping it.

Dodgy diagnosis

There's a great deal of misinformation when it comes to describing malware attacks. The terms worm, virus and trojan are used almost interchangeably, for example, yet the three threats are actually quite distinct.

The quick-and-dirty definition is that a virus spreads by attaching itself to something, and requires human interaction (running a program, forwarding an email attachment) to be distributed and replicated. A worm can self-replicate without any human intervention (sending copies of itself to everyone in your email contacts list, for example) and can exploit your network and the internet beyond to multiply very quickly indeed. The trojan, named after the mythical Trojan horse, hides within another container, be that a file or application, but can't self-replicate or spread by infecting other files.

Just for fun, we can add the blended threat into the malware mix, combining the worst characteristics of all three: stealth, replication and payload. Using server and internet application vulnerabilities, they can spread rapidly without human intervention, doing vast amounts of damage courtesy of the multiple attack payload (for example, Denial-of-Service, backdoor installation and data theft).

Like their biological counterparts, viruses replicate and mutate. A polymorphic virus encrypts its body with a different key on every copy, leaving only a small decoder in the clear, and a metamorphic virus goes further and rewrites its own instructions. Either way, the byte pattern from which your security software's signature was extracted does not recur in the next copy, so byte-pattern signature detection on its own misses it.
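To make the signature-evasion point concrete, here is an added example (not code from the original article): a toy mutation engine and three scanners. The payload is a plain text string standing in for malicious code, the mutation is a one-byte XOR with a fresh key per copy, and the decoder is a fixed marker rather than real decryptor instructions; all three are constructed for the example.

```python
"""Why byte-pattern signatures miss a self-mutating payload.

Added example, not code from the original article. Everything here is a
constructed stand-in: the "payload" is a plain text string rather than machine
code, the mutation engine is a one-byte XOR with a fresh key per copy, and the
decoder is a fixed marker instead of real decryptor instructions.
"""

STUB = b"DECODE"                            # constant decoder stub (hypothetical marker)
PAYLOAD = b"echo pwned > /tmp/marker"       # constructed payload text, not real malware
SIGNATURE = b"pwned > /tmp"                 # byte pattern a vendor might extract from it


def scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Classic signature detection: does a fixed byte pattern occur anywhere in the file?"""
    return signature in blob


def make_copy(payload: bytes, key: int) -> bytes:
    """Emit one generation: stub, one key byte, then the body XOR-encoded with that key.

    Only the key and the encoded body differ between copies; the stub is constant.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; key 0 would leave the body in clear")
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def run_copy(blob: bytes) -> bytes:
    """What the decoder stub does at run time: recover the original payload bytes."""
    if not blob.startswith(STUB):
        raise ValueError("not a copy produced by make_copy")
    key = blob[len(STUB)]
    return bytes(b ^ key for b in blob[len(STUB) + 1:])


def emulate_and_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What an emulating scanner does: let the decoder run in a sandbox, then match
    the signature against the decoded bytes instead of the bytes on disk."""
    decoded = run_copy(blob) if blob.startswith(STUB) else blob
    return scan(decoded, signature)


def compare_detectors(payload: bytes = PAYLOAD) -> dict:
    """Generate every possible copy (keys 1..255) and count detections by:
    - static: payload signature matched against each copy as stored
    - stub_signature: a signature on the constant decoder stub instead
    - emulated: decode first, then apply the payload signature
    """
    copies = [make_copy(payload, key) for key in range(1, 256)]
    return {
        "static": sum(scan(c) for c in copies),
        "stub_signature": sum(scan(c, STUB) for c in copies),
        "emulated": sum(emulate_and_scan(c) for c in copies),
    }


if __name__ == "__main__":
    print("original payload detected:", scan(PAYLOAD))
    print("detections across 255 mutated copies:", compare_detectors())
```

Run stand-alone, the static scanner catches the original payload but none of the 255 mutated copies, while a signature on the constant decoder stub and the emulate-then-scan approach catch all 255. That is exactly the arms race the paragraph describes: once scanners started keying on the decoder, virus writers began mutating the decoder too (metamorphism), which pushed antivirus products towards emulation and behavioural heuristics rather than fixed byte patterns.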

They've come a long way since the first known "in the wild" example, Elk Cloner, which spread on Apple II machines running Apple DOS 3.3 in 1982, and the first PC virus, (c)Brain, four years later. But today's viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory when its host is executed, hands control back to the host program, and then infects further executables as they are opened or run. A non-resident virus is only active while its host runs: on execution it searches the system for uninfected executables, infects them, and then transfers control to the host program. Cavity viruses such as CIH go a step further and infect without increasing the host file's size, writing their code into unused space inside the executable (in CIH's case, the slack between the end of a PE section's data and the aligned end of the section on disk), so that a file-size or simple integrity check does not give the infection away.
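To show where a cavity infector finds its room, here is an added example (not code from the original article) that parses a PE section table and measures the slack between each section's VirtualSize and its aligned SizeOfRawData. The PE image is built by hand with valid headers but filler section bodies, the section sizes and the 0x200 file alignment are arbitrary choices for the sample, and the non-zero-slack heuristic is a check of my own rather than anything the article or CIH's analysts describe. Nothing here writes into a file's slack.

```python
"""How much room a cavity infector has: section slack in a PE executable.

Added example, not code from the original article. The PE image is built by
hand here (valid headers, but the section bodies are filler, not real code) so
the check runs offline; the section sizes and the 0x200 file alignment are
arbitrary choices for the sample. Nothing here writes into a file's slack.
"""
import struct

FILE_ALIGNMENT = 0x200  # typical PE file alignment; section data starts on 512-byte boundaries


def build_sample_pe(sections, fill=b"\x00"):
    """Assemble a minimal PE32 image: DOS header, PE signature, COFF header,
    a zeroed optional header, the section table, then each section's raw data
    padded with `fill` up to its SizeOfRawData.

    `sections` is a list of (name, body) pairs; VirtualSize is len(body).
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # Magic = PE32, rest zeroed
    table, raw = b"", b""
    raw_ptr, va = FILE_ALIGNMENT, 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // FILE_ALIGNMENT) * FILE_ALIGNMENT  # round up to alignment
        table += struct.pack("<8sIIIIIIHHI", name, len(body), va, raw_size, raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        raw += body + fill * (raw_size - len(body))
        raw_ptr += raw_size
        va += 0x1000
    headers = dos + b"PE\x00\x00" + coff + optional + table
    if len(headers) > FILE_ALIGNMENT:
        raise ValueError("too many sections for a one-block header in this sample")
    return headers + b"\x00" * (FILE_ALIGNMENT - len(headers)) + raw


def section_slack(pe: bytes):
    """Walk the section table and report each on-disk region that lies beyond the
    section's VirtualSize (the cavity a size-preserving infector can use), with a
    count of the non-zero bytes found there."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    regions = []
    for i in range(nsections):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        if rsize <= vsize:
            continue                                             # nothing spare on disk
        start, size = rptr + vsize, rsize - vsize
        cavity = pe[start:start + size]
        regions.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "offset": start,
            "size": size,
            "nonzero": sum(1 for b in cavity if b),
        })
    return regions


def total_cavity(pe: bytes) -> int:
    """Total bytes that could be overwritten without changing the file size."""
    return sum(r["size"] for r in section_slack(pe))


def suspicious_sections(pe: bytes):
    """Heuristic (my own, not from the article): slack that is normally zero-filled
    but is not. A hit is worth a closer look, not proof of infection."""
    return [r["name"] for r in section_slack(pe) if r["nonzero"]]


SAMPLE_SECTIONS = [(b".text", b"\x90" * 0x180), (b".data", b"A" * 0x40)]  # constructed filler

if __name__ == "__main__":
    clean = build_sample_pe(SAMPLE_SECTIONS)
    for r in section_slack(clean):
        print(f"{r['name']:8s} slack at 0x{r['offset']:x}: {r['size']} bytes, {r['nonzero']} non-zero")
    print("total cavity:", total_cavity(clean), "bytes in a", len(clean), "byte file")
    tampered = build_sample_pe(SAMPLE_SECTIONS, fill=b"\xCC")  # stand-in for overwritten slack
    print("same size:", len(tampered) == len(clean), "flagged:", suspicious_sections(tampered))
```

On the constructed sample the two sections hold 0x1C0 bytes of real data between them, yet 0x240 bytes of the 0x600-byte file are slack that could be overwritten without the file growing by a single byte, which is why the "has the file size changed?" test the paragraph alludes to is so weak against cavity infectors. The non-zero-slack heuristic flags the second, deliberately filled sample but will also fire on legitimate files whose toolchain pads with something other than zeros, so treat it as a triage signal rather than a verdict.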