The mechanics of malware

17th August 2007 [PC Pro]

Spyware

We couldn't finish this look inside malware without mentioning the two words that drive fear and loathing into the minds of most IT users: spyware and phishing. Spyware is generally defined as software that collects personal data without the informed consent of the user. Everything from harvesting passwords and financial details for identity theft and fraud, through to recording internet search histories for targeted advertising, can be accomplished with spyware. Unlike viruses and worms, spyware isn't self-replicating: it gets onto a PC by deceiving the user into installing it or by exploiting a software vulnerability.

Spyware can be broken down into three elements, each playing a distinct role in the success of the threat: stealth, survival and objective. Obviously, if it can remain undetected on the target PC then its chances of success are greater, and stealth is all about avoiding detection by the main spyware predator, antimalware software.

Although spyware authors employ a number of stealth tactics, some of the most common are revealed by Chris Spencer, senior security researcher with PC Tools, developers of Spyware Doctor. "Once executed, stealth spyware will reside in process memory and then remove all traces of itself in the file system. Antimalware products that only scan files rather than checking running processes for an infection can miss these threats. Spyware files may unpack or decrypt as they execute, but always with a different body on the file system, so ensuring they can't be statically identified. Also, rootkit components loaded into the system kernel itself are used to hide spyware."

When it comes to survival - the ability to remain resident on a PC despite rebooting and even disinfection - spyware entrenches itself in a load point, a location from which Windows or an application will execute it automatically. "By adding a Registry run key it can load each time the user starts the PC, and Browser Helper Objects are used to load malicious code into Internet Explorer upon startup," explains Spencer. Spyware will often come with a self-defence mechanism that disables antimalware applications, constantly checks that the load point hasn't been removed, and resets it if it has.
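The load points Spencer describes are easy to audit. The script below is an added example, not code from the article or from PC Tools: it reads the Run/RunOnce values and the Browser Helper Object CLSIDs from the Registry (Windows only), flags entries that are new since a baseline, run from a temp directory, or point at a file that isn't visible on disk, and reports any entry you deleted that has come back, which is the self-defence watchdog at work. The Registry paths are the real ones; SUSPICIOUS_DIRS, the sample baseline and current snapshots, the fake CLSID and the DLL name msnetlog.dll are constructed for the example.

```python
"""Audit Windows autostart load points for spyware persistence.
Added example, not the article's or PC Tools' code. Registry paths are real;
SUSPICIOUS_DIRS and SAMPLE_* are constructed. read_registry() needs Windows;
flag()/restored() run anywhere, so the logic can be exercised off-box."""
import ntpath
import os
from dataclasses import dataclass

try:
    import winreg                     # Windows only
except ImportError:
    winreg = None

RUN_KEYS = [(h, "Software\\Microsoft\\Windows\\CurrentVersion\\" + k)
            for h in ("HKLM", "HKCU") for k in ("Run", "RunOnce")]
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd")
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\downloads\\")  # assumption

@dataclass(frozen=True)
class LoadPoint:
    kind: str       # "run" (Run/RunOnce value) or "bho" (BHO CLSID)
    location: str   # Registry key and value name / CLSID
    target: str     # Run command line, or the BHO's InprocServer32 DLL

def extract_path(command):
    """Executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:   # unquoted paths may contain spaces: grow until an executable extension
        tokens = command.split()
        path = tokens[0] if tokens else ""
        for i in range(1, len(tokens) + 1):
            if " ".join(tokens[:i]).lower().endswith(EXEC_EXT):
                path = " ".join(tokens[:i])
                break
    return ntpath.expandvars(path)      # %SystemRoot% and friends

def flag(current, baseline, exists=os.path.exists):
    """[(LoadPoint, [reasons])] for load points that merit a closer look."""
    known, findings = set(baseline), []
    for lp in current:
        path = lp.target if lp.kind == "bho" else extract_path(lp.target)
        reasons = []
        if lp not in known:
            reasons.append("new since baseline")
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temp or user-writable directory")
        if path and not exists(path):   # pointless entry, unless a rootkit hides the file
            reasons.append("target not visible on disk: deleted, or hidden by a rootkit")
        if reasons:
            findings.append((lp, reasons))
    return findings

def restored(removed, current):
    """Entries you deleted that are back: a guardian process is resetting them."""
    present = set(current)
    return [lp for lp in removed if lp in present]

def read_registry():
    """Run/RunOnce values and BHO DLLs from the live Registry (Windows only)."""
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):      # value count
                    name, value, _ = winreg.EnumValue(key, i)
                    found.append(LoadPoint("run", hive + "\\" + sub + "\\" + name, str(value)))
        except OSError:
            continue                                              # key absent here
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):          # subkey count
                clsid = winreg.EnumKey(key, i)
                try:   # the CLSID's InprocServer32 default value is the DLL path
                    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                        "CLSID\\" + clsid + "\\InprocServer32") as srv:
                        dll = str(winreg.QueryValueEx(srv, "")[0])
                except OSError:
                    dll = ""
                found.append(LoadPoint("bho", "HKLM\\" + BHO_KEY + "\\" + clsid,
                                       ntpath.expandvars(dll)))
    except OSError:
        pass
    return found

# Constructed snapshots: a clean baseline, and the same PC after infection.
SAMPLE_BASELINE = [LoadPoint(
    "run", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher",
    r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"')]
SAMPLE_CURRENT = SAMPLE_BASELINE + [
    LoadPoint("run", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
              r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe /s"),
    LoadPoint("bho", "HKLM\\" + BHO_KEY + r"\{0DEADBEE-F000-0000-0000-000000000000}",  # fake CLSID
              r"C:\WINDOWS\system32\msnetlog.dll")]                                 # fake DLL name
SAMPLE_ON_DISK = {extract_path(lp.target) for lp in SAMPLE_CURRENT[:2]}   # the BHO DLL is "missing"

if __name__ == "__main__":
    live = winreg is not None
    for lp, why in flag(read_registry() if live else SAMPLE_CURRENT,
                        [] if live else SAMPLE_BASELINE,
                        os.path.exists if live else SAMPLE_ON_DISK.__contains__):
        print(f"{lp.kind:3} {lp.location}\n    -> {lp.target}: {'; '.join(why)}")
```

Take a snapshot with read_registry() on a known-clean build and keep it as the baseline; after an incident, diff the live snapshot against it. If you delete an entry and restored() shows it back on the next snapshot, a guardian process is resetting the load point, so kill that process (or boot from clean media) before cleaning up, otherwise the entry will simply return. Because a kernel rootkit lies to the same file-system APIs os.path.exists uses, "not visible on disk" is a prompt to inspect the file from offline media, not proof that it is gone.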

That leaves the objective, which is usually the collection of banking logins or other personal information. Many techniques are used to garner this information, but some appear time and again. "Keyloggers capture keyboard input, and screen captures on every mouse click can counteract the use of onscreen keyboards," reveals Spencer.

Phishing

Although phishing has the same financial motivation as spyware, its approach is almost the polar opposite. Rather than relying on stealth, phishing uses social-engineering techniques to wave itself directly in front of the potential victim, hoping they'll take the bait. By posing as a trustworthy source, the phisher hopes simply to con, trick or scam the user into handing over login and account details under the misapprehension that they're dealing with the genuine entity. eBay, PayPal and high-street banks are frequently impersonated, and email is the most common delivery method, although IM and the humble phone are also used.
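The tells a phishing lure leaves in a message are mechanical enough to check automatically. The script below is an added example, not the article's: it pulls every hyperlink out of an HTML email and reports the classic impersonation tricks, a brand name buried in a hostname whose registrable domain belongs to someone else, visible link text naming one site while the href goes to another, userinfo before the real host, a bare IP address, or a punycode label. BRANDS, the stand-in examplebank.co.uk and SAMPLE_HTML are constructed (hosts use reserved example domains and TEST-NET addresses); registrable_domain() is a deliberate simplification of the public suffix list, not a real implementation of it.

```python
"""Flag the lures a phishing email relies on. Added example, not from the
article. BRANDS and SAMPLE_HTML are constructed; registrable_domain() is a
public-suffix-lite approximation (handles .com and .co.uk-style names only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand -> the domains it really uses (assumption; extend for your estate).
BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "examplebank": {"examplebank.co.uk"},   # constructed stand-in for a high-street bank
}
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac"}   # ebay.co.uk, not co.uk
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def registrable_domain(host):
    """Approximate the registrable part of a hostname (IPs are returned as-is)."""
    host = host.lower().rstrip(".")
    if IPV4.match(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def visible_host(text):
    """Host named by the link text, if the text itself looks like a URL."""
    t = text.strip()
    if not re.match(r"^(https?://|www\.)", t, re.I):
        return None
    if "://" not in t:
        t = "http://" + t
    return (urlparse(t).hostname or "").lower() or None

def assess_link(href, text):
    """Reasons a link looks like a phishing lure (empty list if clean)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return []
    reg = registrable_domain(host)
    reasons = []
    if "@" in parsed.netloc:          # http://www.ebay.com@evil/ really goes to evil
        reasons.append("userinfo before the host hides the real destination")
    if IPV4.match(host):
        reasons.append("link goes to a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname, possible homograph")
    for brand, domains in BRANDS.items():   # paypal.com.evil.net, secure-paypal.net
        if brand in host and reg not in domains:
            reasons.append(f"'{brand}' appears in the hostname but the domain is {reg}")
    shown = visible_host(text)
    if shown:                         # text shows one URL, href goes elsewhere
        if registrable_domain(shown) != reg:
            reasons.append(f"visible URL is on {registrable_domain(shown)} but the link goes to {reg}")
    else:                             # plain text naming a brand the href does not belong to
        for brand, domains in BRANDS.items():
            if brand in text.lower() and reg not in domains:
                reasons.append(f"link text names {brand} but the link goes to {reg}")
    return reasons

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_message(html):
    """[(href, text, reasons)] for every link in the message that looks like a lure."""
    extractor = LinkExtractor()
    extractor.feed(html)
    out = []
    for href, text in extractor.links:
        reasons = assess_link(href, text)
        if reasons:
            out.append((href, text, reasons))
    return out

# Constructed sample lure: reserved example domains and TEST-NET-3 addresses only.
SAMPLE_HTML = """
<p>Dear valued customer, your account access has been limited.</p>
<p><a href="http://www.paypal.com.account-verify.example.net/cgi-bin/webscr">Click here</a> to restore it.</p>
<p>Or sign in at <a href="http://203.0.113.7/ebay/signin">http://signin.ebay.com/</a></p>
<p>Members: <a href="http://www.ebay.com@secure-ebay-login.example.org/">www.ebay.com</a></p>
<p>Need help? <a href="https://www.paypal.com/help">PayPal Help Centre</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_message(SAMPLE_HTML):
        print(f"{text!r} -> {href}\n    " + "\n    ".join(reasons))
```

Run against the constructed message it reports three of the four links and leaves the genuine PayPal help link alone. The checks are deliberately conservative: a brand name inside a hostname is only flagged when the registrable domain is not one the brand actually owns, so legitimate subdomains such as signin.ebay.co.uk pass.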

Phishers are gradually moving away from indiscriminate spamming. Instead, they're targeting specific users, sending fewer messages to a well-researched audience in a trend known as spear phishing. One novel method, called USB seeding, is dropping infected USB flash drives outside the offices of a target company, or in the coffee shop its staff frequent. The hardware is cheap, and human nature dictates it won't be long before someone picks one up, plugs it in and falls victim.
