The mechanics of malware
Posted on 17 Aug 2007 at 11:22
How do viruses, trojans and other types of malware evade security software? Davey Winder explains exactly why they continue to thrive.
Ever felt like you're fighting a losing battle? That sums up many people's attitude to computing in the internet age: despite the best efforts of security vendors and software developers alike, malware not only exists, but continues to evolve and plague computer users.
Why does malware continue to thrive? The patronising answer would be that newbie users are behaving like amateurs and ignoring basic security practice. There's a kernel of truth in that, but it isn't only the newbie who clicks links they shouldn't, and it isn't only the novice who's fooled into running nefarious executables by technical and social-engineering techniques.
The crux of the problem is that threats have changed dramatically in recent years, with the rise in malware mirroring the rise in broadband popularity. As the number of online users grow, and the technology used to connect to the net becomes simultaneously simpler at the front end yet more complex behind the scenes, so the opportunity to make money expands. And that's where the answer to the "why?" question can be found: no longer are viruses the hobby of the über-nerd; malware has evolved into what most IT security experts quite rightly refer to as crimeware. Scatter-gun attacks are on the way out; targeted and financially motivated strikes are the new modus operandi.
But while everyone has heard terms such as worm, trojan, phishing and rootkit bandied about, how many people actually understand how they exploit security weaknesses? By understanding how malware works, you get one step closer to stopping it.
There's a great deal of misinformation when it comes to describing malware attacks. The terms worm, virus and trojan are used almost interchangeably, for example, yet the three threats are actually quite distinct.
The quick-and-dirty definition is that a virus spreads by attaching itself to something, and requires human interaction (running a program, forwarding an email attachment) to be distributed and replicated. A worm can self-replicate without any human intervention (sending copies of itself to everyone in your email contacts list, for example) and can exploit your network and the internet beyond to multiply very quickly indeed. The trojan, named after the mythical Trojan horse, hides within another container, be that a file or application, but can't self-replicate or spread by infecting other files.
Just for fun, we can add the blended threat into the malware mix, combining the worst characteristics of all three: stealth, replication and payload. Using server and internet application vulnerabilities, they can spread rapidly without human intervention, doing vast amounts of damage courtesy of the multiple attack payload (for example, Denial-of-Service, backdoor installation and data theft).
Like their biological counterpart, viruses replicate and mutate. Consequently, they can avoid being snared by your security software's byte-pattern signature detection by changing key text within the code payload, or part of that code themselves, every time they're copied.
They've come a long way since the first-known "in the wild" example, Elk Cloner, was discovered in 1982 on the Apple DOS 3.3 OS, or the first PC virus, (c)Brain, four years later. But today's viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory upon execution and transfers control to the host program while it infects new hosts as the infected files are accessed. A non-resident virus will check executable files on the system for infection and, if uninfected, replicate before transferring control to the host program. Cavity viruses such as CIH will infect without increasing the host file size, overwriting unused parts of the executable, in an effort to make antivirus software detection harder.
For more details about purchasing this feature and/or images for editorial usage, please contact Jasmine Samra on firstname.lastname@example.org
- Chrome Remote Desktop now available on Android
- Sony warns of fresh VAIO battery fires
- 4G version of Surface 2 launched in the UK
- BlackBerry CEO says not selling off phones "any time soon"
- 13 May: the day we'll know if Microsoft is really abandoning Windows XP
- Office for iPad hits 12m downloads, but receives poor reviews
- Windows Phone 8.1 gets its own PA: Cortana
- 24m vulnerable home routers ready to launch DDoS attacks
- Mozilla's Eich: my views on gay marriage are irrelevant
- Windows support scam ringleader convicted
- Windows 8.1 Update: an abject surrender
- The insane economics of Sky Now TV
- No such thing as a free app... so pay up if you want quality
- Time to outlaw crapware-laden installers
- Windows Phone 8.1 video: hands-on
- Office for iPad: key information
- Why every PC buyer owes Richard Durkin a debt of gratitude
- HTC One M8 vs Samsung Galaxy S5: 2014's big-hitters compared
- Windows XP end of life: key information
- Cut out the broadband jargon? What jargon?