The mechanics of malware
Posted on 17 Aug 2007 at 11:22
How do viruses, trojans and other types of malware evade security software? Davey Winder explains exactly why they continue to thrive.
Ever felt like you're fighting a losing battle? That sums up many people's attitude to computing in the internet age: despite the best efforts of security vendors and software developers alike, malware not only exists, but continues to evolve and plague computer users.
Why does malware continue to thrive? The patronising answer would be that newbie users are behaving like amateurs and ignoring basic security practice. There's a kernel of truth in that, but it isn't only the newbie who clicks links they shouldn't, and it isn't only the novice who's fooled into running nefarious executables by technical and social-engineering techniques.
The crux of the problem is that threats have changed dramatically in recent years, with the rise in malware mirroring the rise in broadband popularity. As the number of online users grows, and the technology used to connect to the net becomes simultaneously simpler at the front end yet more complex behind the scenes, so the opportunity to make money expands. And that's where the answer to the "why?" question can be found: no longer are viruses the hobby of the über-nerd; malware has evolved into what most IT security experts quite rightly refer to as crimeware. Scatter-gun attacks are on the way out; targeted and financially motivated strikes are the new modus operandi.
But while everyone has heard terms such as worm, trojan, phishing and rootkit bandied about, how many people actually understand how they exploit security weaknesses? By understanding how malware works, you get one step closer to stopping it.
There's a great deal of misinformation when it comes to describing malware attacks. The terms worm, virus and trojan are used almost interchangeably, for example, yet the three threats are actually quite distinct.
The quick-and-dirty definition is that a virus spreads by attaching itself to something, and requires human interaction (running a program, forwarding an email attachment) to be distributed and replicated. A worm can self-replicate without any human intervention (sending copies of itself to everyone in your email contacts list, for example) and can exploit your network and the internet beyond to multiply very quickly indeed. The trojan, named after the mythical Trojan horse, hides within another container, be that a file or application, but can't self-replicate or spread by infecting other files.
Just for fun, we can add the blended threat into the malware mix, combining the worst characteristics of all three: stealth, replication and payload. Using server and internet application vulnerabilities, they can spread rapidly without human intervention, doing vast amounts of damage courtesy of the multiple attack payload (for example, Denial-of-Service, backdoor installation and data theft).
Like their biological counterparts, viruses replicate and mutate. A signature scanner looks for a fixed sequence of bytes lifted from a known sample, so a virus that re-encodes its body under a fresh key every time it copies itself (a polymorphic virus), or that rewrites its own instructions while preserving their effect (a metamorphic one), presents a different byte pattern on disk with every generation, and the byte-pattern signature no longer matches.
They've come a long way since the first-known "in the wild" example, Elk Cloner, was discovered in 1982 on Apple II machines running Apple DOS 3.3, or the first PC virus, (c)Brain, four years later. But today's viruses can still be divided into two camps: resident and non-resident. The resident variety loads itself into memory when its host is run, hands control back to the host program, and stays behind to infect other executables as they're opened or run. A non-resident virus does its work up front: when executed, it searches the system for uninfected executable files, copies itself into them, and only then transfers control to the host program. Cavity viruses such as CIH go a step further and infect without increasing the host file's size, writing their code into unused space inside the executable (such as the padding between sections) in an effort to make antivirus detection harder.
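To make the signature-evasion point concrete, here is an added illustration (it is not code from the article, and the "payload" is a harmless constructed byte string standing in for a virus body, not machine code). A naive scanner matches a fixed byte pattern and a whole-file hash; each "generation" of the payload is XOR-encoded under a new key behind a hypothetical decoder-stub marker, so the on-disk bytes differ every time and the static scan misses them. A scanner that recognises the stub and decodes the body first, as emulating antivirus engines do, recovers the invariant form and catches every copy. The stub marker, key scheme and signature are all assumptions made for the example.

```python
import secrets
from hashlib import sha256
from typing import Optional, Tuple

# Constructed stand-in for a virus body. It is plain text, not machine code,
# so the script is harmless; only its byte pattern matters here.
PAYLOAD = b"MOV EAX, 0x4C; INT 0x21; JMP HOST_ENTRY"

# Byte-pattern signature a vendor might extract from PAYLOAD (assumed).
SIGNATURE = b"INT 0x21; JMP HOST_ENTRY"
# Whole-file hash, the weakest kind of signature: any change at all defeats it.
PAYLOAD_HASH = sha256(PAYLOAD).hexdigest()

# Hypothetical marker standing in for the decoder stub that precedes the body.
STUB_MARKER = b"DECODE:"


def static_scan(sample: bytes) -> bool:
    """Naive on-disk scan: does the raw byte pattern or the exact hash match?"""
    return SIGNATURE in sample or sha256(sample).hexdigest() == PAYLOAD_HASH


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (self-inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def make_polymorphic_copy(payload: bytes, key: int) -> bytes:
    """One 'generation' of the payload: stub marker, one-byte key, then the
    body XOR-encoded under that key. Every byte of the body changes from copy
    to copy, so no fixed substring of the body survives on disk."""
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero byte, else the body is left in the clear")
    return STUB_MARKER + bytes([key]) + xor_bytes(payload, key)


def next_generation(payload: bytes) -> bytes:
    """Mutate with a fresh random key, as a polymorphic virus does on each replication."""
    return make_polymorphic_copy(payload, secrets.randbelow(0xFF) + 1)


def decode_copy(sample: bytes) -> Optional[bytes]:
    """What an emulating scanner does: recognise the stub, recover the key,
    and decode the body back to its invariant form. None if no stub is present."""
    if not sample.startswith(STUB_MARKER) or len(sample) < len(STUB_MARKER) + 1:
        return None
    key = sample[len(STUB_MARKER)]
    return xor_bytes(sample[len(STUB_MARKER) + 1:], key)


def emulating_scan(sample: bytes) -> bool:
    """Scan the raw bytes first, then the decoded body if a stub is found."""
    if static_scan(sample):
        return True
    body = decode_copy(sample)
    return body is not None and static_scan(body)


def evasion_rate(generations: int = 50) -> Tuple[int, int]:
    """Return (copies missed by the static scan, copies missed by the emulating scan)."""
    static_missed = emulating_missed = 0
    for _ in range(generations):
        copy = next_generation(PAYLOAD)
        static_missed += not static_scan(copy)
        emulating_missed += not emulating_scan(copy)
    return static_missed, emulating_missed


if __name__ == "__main__":
    print("original detected by static scan:", static_scan(PAYLOAD))
    missed_static, missed_emulating = evasion_rate()
    print(f"static scan missed {missed_static}/50, emulating scan missed {missed_emulating}/50")
```

The single-byte XOR is deliberately the simplest possible mutation; real polymorphic engines vary the decoder stub as well as the key, which is why the next step for scanners was generic decryption in an emulator rather than ever-longer signature lists.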