Overview

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. However, the term "virus" is commonly used, albeit erroneously, to refer to many different types of malware programs. The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Meanwhile viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Both worms and Trojans will cause harm to computers when executed.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

History

The Creeper virus was first detected on ARPANET, the forerunner of the Internet in the early 1970s.It propagated via the TENEX operating system and could make use of any connected modem to dial out to remote computers and infect them. It would display the message "I'M THE CREEPER : CATCH ME IF YOU CAN.". It is rumored that the Reaper program, which appeared shortly after and sought out copies of the Creeper and deleted them, may have been written by the creator of the Creeper in a fit of regret.

A program called "Rother J" is commonly credited with being the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created, but that claim is false. See the Timeline of notable computer viruses and worms for other earlier viruses. It was however the first virus to infect computers "in the home". Written in 1982 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk.This virus was originally a joke, created by a high school student and put onto a game. The disk could only be used 49 times. The game was set to play, but release the virus on the 50th time of starting the game. Only this time, instead of playing the game, it would change to a blank screen that read a message about the virus named Elk Cloner. The message that showed up on the screen is as follows:

"Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!
It will stick to you like glue
It will modify RAM too
Send in the Cloner!"

The computer would then be infected.

The first PC virus in the wild was a boot sector virus called (c)Brain, created in 1986 by the Farooq Alvi Brothers, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks.In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS and modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's.Within the "pirate scene" of hobbyists trading illicit copies of retail software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.

Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Most of these viruses did not have the ability to send infected e-mail. Those viruses which did spread through e-mail took advantage of the Microsoft Outlook COM interface.

Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005.This virus utilizes cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpace and Yahoo.

Overview

Adware or advertising-supported software is a software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software.

Application

Adware is software with advertising functions integrated into or bundled with a program. It is usually seen by the programmer as a way to recover programming development costs, and in some cases it may allow the program to be provided to the user free of charge or at a reduced price. The advertising income may allow or motivate the programmer to continue to write, maintain and upgrade the software product.

Some adware is also shareware, and so the word may be used as term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements.

The Eudora e-mail client is a popular example of an adware "mode" in a program. After a trial period during which all program features are available, the user is offered a choice: a free (but feature-limited), an ad-supported mode with all the features enabled, or a paid mode that enables all features and turns off the ads. If the user choose the ad-supported mode, Eudora becomes adware, although according to Qualcomm the program does not collect any information about user activity.

Some of the well known programs/programs distributed with adware are the 888bar,Bonzi Buddy,BlockChecker,ClipGenie,Comet Cursor ,Crazy Girls ,Cursor Mania ,Cydoor,Direct Revenue ,DollarRevenue,Ebates ,MoneyMaker,ErrorSafee,Gator,Hotbar, and theIEPlugin

Prevention and detection

Programs have been developed in order to detect, quarantine, and remove spyware. As there are many examples of adware software that are also spyware or malware, many of these detection programs have been developed to detect, quarantine, and remove adware as well. Among the more prominent of these applications are Ad-Aware and Spybot - Search & Destroy. These programs are designed specifically for spyware detection and will not detect viruses, although some commercial antivirus software can also detect adware and spyware, or offer a separate spyware detection package.

Overview

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Naming and history

The name worm comes from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Researchers John F Shock and Jon A Hupp of Xerox PARC chose the name in a paper published in 1982; The Worm Programs, Comm ACM, 25(3):172-180, 1982), and it has since been widely adopted.

The first implementation of a worm was by these same two researchers at Xerox PARC in 1978.Shoch and Hupp originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load, and so improving the 'CPU cycle use efficiency' across an entire network. They were self-limited so that they would spread no farther than intended.

Payloads

Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A "payload" is code designed to do more than spread the worm - it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author - Sobig and Mydoom are examples which created zombies. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.Spammers are therefore thought to be a source of funding for the creation of such worms,and worm writers have been caught selling lists of IP addresses of infected machines.Others try to blackmail companies with threatened DoS attacks.

Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which spreads using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.

Worms with good intent

Beginning with the very first research into worms at Xerox PARC there have been attempts to create useful worms. The Nachi family of worms, for example, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system — by exploiting those same vulnerabilities. In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer's owner or user.

Most security experts regard all worms as malware, whatever their payload or their writers' intentions.

Protecting against dangerous computer worms

Worms spread by exploiting vulnerabilities in operating systems. All vendors supply regular security updates(see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vendor acknowledges a vulnerability but has yet to release a security update to patch it, a zero day exploit is possible. However, these are relatively rare.

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running a malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended.

Overview

Keystroke logging (often called keylogging) is a method of capturing and recording user keystrokes. Keylogging can be useful to determine sources of errors in computer systems, to study how users interact with systems, and is sometimes used to measure employee productivity on certain clerical tasks. Such systems are also highly useful for law enforcement and espionage—for instance, providing a means to obtain passwords or encryption keys and thus bypassing other security measures. Keyloggers are widely available on the Internet.

Application

Keystroke logging can be achieved by both hardware and software means. Hardware key loggers are commercially available devices which come in three types: inline devices that are attached to the keyboard cable, devices which can be installed inside standard keyboards, and actual replacement keyboards that contain the key logger already built-in. The inline devices have the advantage of being able to be installed instantly. However, while they may go unnoticed for quite some time, they are easily detected visually upon closer inspection. Of the three devices available, the most difficult to install is also the most difficult to detect. The device that installs inside a keyboard (presumably the keyboard the target has been using all along) requires soldering skill and extended access to the keyboard to be modified. However, once in place, this type of device is virtually undetectable unless specifically looked for.

They also have a legitimate use, that is, they are used to study how users interact with software.

Types of keystroke loggers

1) Local Machine software Keyloggers – Are software programs that are designed to work on the target computer’s operating system. From a technical perspective they can be categorized into three categories:

* Kernel based: This method is most difficult both to write, and combat. Such keyloggers reside at the kernel level and are thus practically invisible. They almost always subvert the OS kernel and gain unauthorized access to the hardware which makes them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the Operating System.

* Hook based: Such keyloggers hook the keyboard with functions provided by the OS. The OS warns them any time a key is pressed and it records it.

* Creative Methods: Here the coder uses functions like GetAsyncKeyState, GetForegroundWindow, etc. These are the easiest to write, but as they require polling the state of each key several times per second, they can cause a noticeable increase in CPU usage and can miss the occasional key.

2) Remote Access software Keyloggers – Are local software keyloggers programmed with an added feature to transmit recorded data out of the target computer and make the data available to the monitor at a remote location. Remote communication is facilitated by one of four methods:

* Data is uploaded to a website or an ftp account.
* Data is periodically emailed to a pre-defined email address.
* Data is wirelessly transmitted by means of an attached hardware system.
* It allows the monitor to log into the local machine via the internet or ethernet and view the logs stored on the target machine itself.

3) Hardware Keyloggers - are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer. It logs all keyboard activity to its internal memory which can be accessed by typing in a series of pre-defined characters. A hardware keylogger has an advantage over a software solution; because it is not dependent on the computers operating system it will not interfere with any program running on the target machine and hence cannot be detected by any software.

4) Remote Access Hardware Keyloggers – Or otherwise know as Wireless Hardware Keyloggers work in much the same way as regular hardware keyloggers. Except they have the ability to be controlled and monitored remotely by means of a wireless communication standard.

5) Wireless Keylogger sniffers - Collect packets of data being transferred from a wireless keyboard and its receiver and then attempts to crack the encryption key being used to secure wireless communications between the two devices.

6) Acoustic Keylogger - This concept is based on analysing a recording of the sound created by someone typing on a computer. Each character on the keyboard makes a subtely different acoustic signatures when stroked. Using statistical methods similar to decryption, it is then possible to identify which keystroke signature relates to which keyboard character. This is done by analysing the repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing. As with decryption, a fairly long recording (1000 or more keystrokes) is required so that the statistics are meaningful.

Cracking

Writing software applications for keylogging is trivial, and like any computer program can be distributed as a trojan horse or as part of a virus. What is not trivial however, is installing a keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker.

Trojan

Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper (their paper from '96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus (or worm). An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board (e.g. Usenet).

Ciphertext

Young and Yung also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as unused. This can be done using a USB token. So, the trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as cryptovirology.

Federal Bureau of Investigation

The FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr., son of mob boss Nicodemo Scarfo. Scarfo Jr. pleaded guilty to running an illegal gambling operation in 2002.The FBI has also reportedly developed a trojan-horse-delivered keylogger program known as Magic Lantern.

Use in surveillance software

Some surveillance software has keystroke logging abilities and is advertised to monitor the internet use of minors. Such software has been criticized on privacy grounds, and because it can be used maliciously or to gain unauthorized access to users' computer systems.

Keylogger prevention

Currently there is no easy way to prevent keylogging. In the future it is believed that software with secure I/O will be protected from keyloggers.Until then, however, the best strategy is to use common sense and a combination of several methods. It is possible to use software to monitor the connectivity of the keyboard and log the absence as a countermeasure against physical keyloggers. For a PS/2 keyboard the timeout bit (BIT6 at port 100) has to be monitored . But this only makes sense when the PC is (nearly) always on.

Monitoring what programs are running

A user should constantly observe the programs which are installed on his or her machine. Also, devices connected to PS/2 and USB ports (which have both been hacked) can be used to secretly install a keylogger and then remove it (along with the user's data) by the perpetrator.

Anti-spyware

Anti-spyware applications are able to detect many keyloggers and cleanse them. Responsible vendors of monitoring software support detection by anti-spyware programs, thus preventing abuse of the software.

Firewall

Enabling a firewall does not stop keyloggers per se, but can possibly prevent transmission of the logged material over the net if properly configured.

Network monitors

Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information.

Automatic form filler programs

Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.)

It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard.

Alternative keyboard layouts

Most keylogging hardware/software assumes that a person is using the standard QWERTY keyboard layout, so by using a layout such as DVORAK, captured keystrokes are nonsense unless converted. For additional security, custom keyboard layouts can be created using tools like the Microsoft Keyboard Layout Creator.

One-time passwords (OTP)

Using one-time passwords is completely keylogger-safe because the recorded password is always invalidated right after it's used. This solution is useful if you are often using public computers where you can't verify what is running on them. One-time passwords also prevents replay attacks where an attacker uses the old information to impersonate. One example is online banking where one-time passwords are implemented and prevents the account from keylogging attacks as well as replay attacks.

Smart cards

Because of the integrated circuit of smart cards, they are not affected by keylogger and other logging attempts. A smart card can process the information and return back a unique challenge every time you login. The information cannot usually be used to login again.

On-screen keyboards

Program-to-program (non-web) keyboards

It is sometimes said that a third-party (or first party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because for most on screen keyboards (such as the onscreen keyboard that comes with Microsoft Windows XP), a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Web-based keyboards

Web-based on-screen keyboards (written in Javascript, etc.) may provide some degree of protection. At least some commercial keylogging programs do not record typing on a web-based virtual keyboard. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Notably, the game MapleStory uses, in addition to a standard alphanumeric password, a 4-digit PIN code secured by both on-screen keyboard entry and a randomly changing button pattern; there is no real way to get the latter information without logging the screen and mouse movements; another MMORPG called RuneScape makes a similar system available for players to protect their in-game bank accounts.

Anti-keylogging software

Keylogger detection software is also available. Some of this type of software use "signatures" from a list of all known keyloggers. The PC's legitimate users can then periodically run a scan from this list, and the software looks for the items from the list on the hard-drive. One drawback of this approach is that it only protects from keyloggers on the signature-based list, with the PC remaining vulnerable to other keyloggers.

Other detection software doesn't use a signature list, but instead analyzes the working methods of many modules in the PC, allowing it to block the work of many different types of keylogger. One drawback of this approach is that it can also block legitimate, non-keylogging software. Some heuristics-based anti-keyloggers have the option to unblock known good software, but this can cause difficulties for inexperienced users.

Speech recognition

Similar to on-screen keyboards, speech-to-text conversion software can also be used against keyloggers, since there are no typing or mouse movements involved. The weakest point of using voice-recognition software may be how the software sends the recognized text to target software after the recognition took place.

Handwriting recognition / Mouse gestures

Also, many PDAs and lately Tablet PCs can already convert pen (also called stylus) movements on their touchscreens to computer understandable text successfully. Mouse gestures utilize this principle by using mouse movements instead of a stylus. Mouse gesture programs convert these strokes to user-definable actions, among others typing text. Similarly, Graphics tablets and light pens can be used to input these gestures, however, these are getting used less commonly everyday.

The same potential weakness of speech recognition applies to this technique as well.

Macro expanders/recorders

With the help of many Freeware/Shareware programs, a seemingly meaningless text can be expanded to a meaningful text and most of the time context-sensitively, e.g. we can be expanded en.wikipedia.org when a browser window has the focus. The biggest weakness of this technique is that these programs send their keystrokes directly to the target program. However, this can be overcome by using the 'alternating' technique described below, i.e. sending mouse clicks to non-responsive areas of the target program, sending meaningless keys, sending another mouse click to target area (e.g. password field) and switching back and forth.

Drag & Drop

Most keyloggers cannot intercept texts which are drag & dropped from one window to another[dubious – discuss]. With the help of this technique, sensitive data could be transferred, for example, from a password manager to the target application.

Window transparency

Using many readily available utilities, the target window could be made temporarily transparent, in order to hinder screen-capturing by advanced keyloggers. Although not a fool-proof technique against keyloggers on its own, this could be used in combination with other techniques.

Non-technological methods

Most keyloggers can be fooled by alternating between typing the login credentials and typing characters somewhere else in the focus window. Similarly, one can move their cursor using the mouse during typing, causing the logged keystrokes to be in the wrong order. One can also use context menus to remove, copy, cut and paste parts of the typed text without using the keyboard.

Another very similar technique utilizes the fact that any selected text portion is replaced by the next key typed. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd".

Overview

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, "computer virus" is incorrectly used in common parlance and even in the media to describe all kinds of malware, though not all malware are viruses.

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other American states.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs.

Purposes

Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks generally intended to be harmless or merely annoying rather than to cause serious damage. Young programmers learning about viruses and the techniques used to write them wrote them only to prove that they could or to see how far it could spread. As late as 1999, widespread viruses such as the Melissa virus appear to have been written chiefly as pranks.

A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.

However, since the rise of widespread broadband Internet access, more malicious software has been designed for a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as Kazaa.

Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program which has infected some executable software and which causes that software, when run, to spread the virus to other executable software. Viruses may also contain a payload which performs other actions, often malicious. A worm, on the other hand, is a program which actively transmits itself over a network to infect other computers. It too may carry a payload.

These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.

Some writers in the trade and popular press appear to misunderstand this distinction, and use the terms interchangeably.

Capsule history of viruses and worms

Before Internet access became widespread, viruses spread on personal computers by infecting programs or the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever the program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot floppies, so they spread heavily in computer hobbyist circles.

The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro systems of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a small number are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network for computers with vulnerable network services, break in to those computers, and copy themselves over. Worm outbreaks have become a cyclical plague for both home users and businesses, eclipsed recently in terms of damage by spyware.

Concealment: Trojan horses, rootkits, and backdoors

For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer it's running on. Concealment can also help get the malware installed in the first place. By disguising a malicious program as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all the user's files, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Web or a peer-to-peer file-trading network. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, but knowing that users are unlikely to read or understand it.

Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.

Some malicious programs contain routines to defend against removal: not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V timesharing system:

Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.

Similar techniques are used by some modern malware, wherein the malware starts a number of processes which monitor one another and restart any process which is killed off by the operator.

A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order to allow the attacker access in the future. The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.

Malware for profit: spyware, botnets, keystroke loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange.) More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.

Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others often called "stealware" by the media overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.

Another way that financially-motivated malware creator can profit from their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.

Vulnerability to malware

In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

* Homogeneity – e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.
* Defects – most systems containing errors which may be exploited by malware.
* Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be executed without the user’s agreement.
* Over-privileged users – some systems allow all users to modify their internal structures.
* Over-privileged code – most popular systems allow code executed by a user all rights of that user.

An oft-cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.

Most systems contain bugs which may be exploited by malware. Typical examples are buffer overruns, in which an interface designed to store data in a small area of memory allows the caller to supply too much, and then overwrites its internal structures. This may used by malware to force the system to execute its code.

Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is a primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.

Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.

Eliminating over-privileged code

Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.

The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.

Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.

Other approaches are:

* Various forms of virtualization, allowing the code unlimited access only to virtual resources
* Various forms of sandbox or jail
* The security functions of Java, in java.security

Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.

Academic research on malware: a brief overview

The notion of a self-reproducing computer program can be traced back to 1949 when John von Neumann presented lectures that encompassed the theory and organization of complicated automata.Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann's postulate. He also investigated other properties of malware (detectability, self-obfuscating programs that used rudimentary encryption that he called "evolutionary", and so on). His doctoral dissertation was on the subject of computer viruses. Cohen's faculty advisor, Leonard Adleman (the A in RSA) presented a rigorous proof that, in the general case, algorithmically determining whether a virus is or is not present is Turing undecidable.This problem must not be mistaken for that of determining, within a broad class of programs, that a virus is not present; this problem differs in that it does not require the ability to recognize all viruses. Adleman's proof is perhaps the deepest result in malware computability theory to date and it relies on Cantor's diagonal argument as well as the halting problem. Ironically, it was later shown by Young and Yung that Adleman's work in cryptography is ideal in constructing a virus that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus.A cryptovirus is a virus that contains and uses a public key. In the cryptoviral extortion attack, the virus hybrid encrypts plaintext data on the victim's machine using the virus writer's public key. In theory the victim must negotiate with the virus writer to get the plaintext back (assuming there are no backups). Analysis of the virus reveals the public key, not the needed private decryption key. This result was the first to show that computational complexity theory can be used to devise malware that is robust against reverse-engineering.

Another growing area of computer virus research is to mathematically model the infection behavior of worms using models such as Lotka-Volterra equations, which has been applied in the study of biological virus. Various virus propagation scenarios have been studied by researchers such as propagation of computer virus, fighting virus with virus like predator codes,effectiveness of patching etc.

Grayware

Grayware (or greyware) is a general classification for applications that behave in a manner that is annoying or undesirable.Grayware encompasses spyware, adware, dialers, joke programs, remote access tools, and any other unwelcome files and programs apart from viruses that can harm the performance of computers on your network. The term has been in use since at least as early as September 2004.

Grayware refers to applications or files that are not classified as viruses or trojan horse programs, but can still negatively affect the performance of the computers on your network and introduce significant security risks to your organization.Often grayware performs a variety of undesired and threatening actions such as irritating users with pop-up windows, logging user key strokes, and exposing computer vulnerabilities to attack.

* Spyware is software that installs components on a computer for the purpose of recording Web surfing habits (primarily for marketing purposes). Spyware sends this information to its author or to other interested parties when the computer is online. Spyware often downloads with items identified as 'free downloads' and does not notify the user of its existence or ask for permission to install the components. The information spyware components gather can include user keystrokes, which means that private information such as login names, passwords, and credit card numbers are vulnerable to theft. Spyware gathers data, such as account user names, passwords, credit card numbers, and other confidential information, and transmits it to third parties.

* Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla Firefox. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance. Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software. Adware are also often installed in tandem with spyware programs. Both programs feed off of each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profile.

Emerging vectors and pathways

Wikis and Blogs

Innocuous wikis and blogs are not immune to hijacking. It has been reported that the German edition of Wikipedia has recently been used as an attempt to vector infection. Through a form of social engineering, users with ill intent have added links to web pages that contain malicious software with the claim that the web page would provide detections and remedies, when in fact it was a lure to infect.

Targeted SMTP Threats

Targeted SMTP threats also represent an emerging attack vector through which malware is propagated. As users adapt to widespread spam attacks, cybercriminals distribute crimeware to target one specific organization or industry, often for financial gain.

If you think only computers can be infected with viruses, think again. Mobile phones and PDA's can be infected too.

A mobile virus, much like its name, is a virus that can be transmitted wirelessly through mobile phones or wireless-enabled PDA's. As cell phones and PDA's get more complex as well as larger in number, security risks increase and it is harder to defend against viruses or malware.

The first case occurred in June 2004 when a company called Ojam engineered an anti-piracy Trojan Horse on older versions of their mobile phone game “mosquito”. The virus sent SMS messages to the company without the user's knowledge. The virus is removed from later versions of the game but still exist in some of the older versions.

On July 2004, computer hobbyists released a mobile virus called “Cabir”. It replicates itself on Bluetooth wireless connections. When the infected phone Is turned on, the words Caribe is shown and it then tries to replicate.

On March 2005, a virus called Commwarrior-A was reported to be infecting Symbian Series 60 mobile phones. The worm replicates itself using MMS. It sends copies of itself to everyone in the infected phones address book. It may also spread through the use of Bluetooth. Experts conclude however, that it is not harmful.

A few other mobile viruses include the Skull and the Duts. The Skull virus is a type of Trojan Horse. Once downloaded, the virus replaces all desktop icons with skulls and renders the SMS and MMS applications useless.

The Duts, is a parasitic file infector virus and is the first virus to infect the PocketPC. It attempts to infect all EXE type files.

Overview

Spyware is a computer virus that is stealthily installed in a computer. Its purpose is to intercept or partially take control of the user's interaction without him/her knowing. Spyware do more than monitor your actions, it also collects personal information, installs additional programs, redirecting Web browser activity and accessing websites blindly. Spyware is also known to alter computer settings which may cause slow connection speeds, a change in the home page of the internet or even loss of internet and/or other programs.

A small industry has sprung up to deal with the emergence of spyware by creating anti-spyware programs. Running these anti-spyware programs has become practical with almost all computer users due to the increasing risk of being infected by spyware.

The first recorded use of spyware occurred on the 16th of October, 1995 in a Usenet post. At first, spyware was considered to be hardware use for spying purposes but during the early 2000's, Gregor Found, founder of Zone Labs, used the term spyware in a press release and since then, spyware had taken on its present sense. As of 2006, spyware has been noted to be a preeminent security threat to computer systems that use Microsoft Windows operating systems. Computers that use Internet Explorer (IE) are the most vulnerable because of its popularity and its integration with Microsoft systems.

Before IE7 was released, a prompt asking the user to install Active X components would appear. The lack of computing knowledge that leads to users thinking that Active X components are benign lead to a major breakout of spyware. Many spywares will take advantage of flaws in Javascript, IE and Windows to install without the users consent. Spywares also link themselves from each location in the registry that allows execution. Once running, the spywares will check whether any of these links are removed and if they are, they will be restored.

Comparison

Spyware, adware and tracking

The term adware refers to software which displays ads. Therefore, adware isn't classified as spyware. However, most adware is spyware in a certain sense. This is because it displays ads related to what it finds by spying on you. The user also usually receives many pop-up advertisements. Adware and spyware are similar to viruses because they can be malicious in nature, but many people are gaining profit from these programs.

Spyware, virus and worm

Unlike viruses and worms, spyware does not usually replicate itself but like many viruses, exploits infected computers for commercial gain. Typical tactics include pop-up ads, theft of personal info and monitoring of Web-browsing as well as routing of HTTP requests to advertising sites.

Routes of infection

Spyware does not spread like viruses. Instead, they get on a system through deception of the user or through exploitation of software vulnerabilities. Most of them are installed without the users consent. Most spyware deceives its installers by piggybacking on other programs or by tricking the user using an advertisement. Some “rouge” anti-spyware programs trick users into downloading them while they themselves are spyware.

Spyware can also be downloaded with shareware or other downloadable software, like music. Although the desirable software does no harm, the spyware bundled together does.

Another way is by tricking the users by manipulating the security features designed to block spyware installations. IE usually blocks websites from installing programs. However, a pop-up usually appears asking the user to download a certain program with links saying yes or no. Whichever buttons they click will instantiate a download anyway.

Spywares are also known to infect computers through a hole in the Web-browsing system. In this case, when a user enters a website, a download is forced into the system leaving the user with no options of cancelling the download. The site may also collect data on the computers anti-virus and anti-spyware programs.

Effects and behaviors

Spyware usually isn't alone on a computer. Usually, it is accompanied by many more infectious components. Users would usually experience diminished computer performance. Unwanted CPU activity caused by the spyware slows the system significantly. Difficulty connecting to the net and crashes also frequently occur.

Many users are unaware of the spyware's presence and usually relate the problems to hardware and/or viruses. Some spyware programs disable and uninstalled other spyware because of competition among companies. Some spywares modify system files so that they will be harder to remove.

Examples of spyware

Some examples of spyware include:

CoolWebSearch
Internet Optimizer
Zango (formerly 180 Solutions)
HuntBar, aka WinTools or Adware.Websearch
Movieland, also known as Moviepass.tv or Popcorn.net
Zlob trojan, or just Zlob

Prevention

Anti-spyware programs

Many programmers and companies have created anti-spyware programs to remove and /or block spyware. Some well known anti-spyware programs include:

PC Tools's Spyware Doctor
Sunbelt Software's Counterspy
Trend Micro's HijackThis
Webroot Software's Spy Sweeper
ParetoLogic's Anti-Spyware and XoftSpy SE
Ad-Aware

Major anti-virus came later into view and usually categorizes spyware as extended threats. Most of them also provide real-time protection.

Anti-spyware programs combat spyware in two ways:

1. By providing real-time protection which scans all incoming network data and blocks unwanted or dangerous downloads.

2. By detecting and removing spyware. These types of anti-spyware programs are more popular and they usually provide scans and updates.

Like anti-virus programs, anti-spyware programs have virus/spyware databases that need to be constantly updated to protect the user's computer.

If a spyware program manages to get through and installs itself, it will resist attempts of removing and uninstalling it. This is because the spyware usually is associated with another program that respawns the spyware when deleted. Restarting the computer in safe mode gives the anti-spyware a better chance of deleting the spyware. Killing the process tree also works.

Security practices

Many computer users have a different web browser like Opera or Mozilla Firefox as they have a lower risk of being infected. Firewalls and proxies are set up to prevent users from entering known spyware distributing websites. Downloading from reputable sources also reduce the risk of being infected by spyware.

Overview

A Trojan Horse is a software that appears to be performing a certain action but in turn is actually performing another such a s a computer virus. Trojans are notorious for its backdoor programs but by itself isn't always malicious. A simple example of a Trojan horse would be “stonehenge.scr” where it poses to be a free screensaver download. When a user downloads it, many other hidden programs, commands or scripts are unloaded. Malicious Trojans are used to weaken or circumvent protection which makes the system more vulnerable. Non-malicious Trojans are used mainly for surveillance, managing systems, deploying software and forensics.

Types of Trojan Horse payloads

There are 6 main types of Trojan payloads:

-Remote Access

-Data Destruction

-Downloader

-Server Trojan(Proxy, FTP , IRC, Email, HTTP/HTTPS, etc.)

-Security software disabler

-Denial-of-service attack (DoS)

The examples of the damage done are:

-Erasing or overwriting data on a computer

-Encrypting files in a cryptoviral extortion attack

-Corrupting files in a subtle way

-Upload and download files

-Copying fake links, which lead to false websites, chats, or other account based websites, showing any local account name on the computer falsely engaging in untrue context

-Allowing remote access to the victim's computer. This is called a RAT (remote access trojan)

-Spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'

-Setting up networks of zombie computers in order to launch DoS attacks or send spam.

-Spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)

Taking Screenshots

-Logging keystrokes to steal information such as passwords and credit card numbers

-Phishing for bank or other account details, which can be used for criminal activities

-Installing a backdoor on a computer system

-Opening and closing CD-ROM tray

-Playing sounds, videos or displaying images.

-Calling using the modem to expensive numbers, thus causing massive phone bills.

-Harvesting e-mail addresses and using them for spam

-Restarting the computer whenever the infected program is started

-Deactivating or interfering with anti-virus and firewall programs

-Deactivating or interfering with other competing forms of malware

-Randomly shutting off the computer

Methods of infection

Many Trojans are installed because the user is tricked into downloading them. For example, an unknown e-mail attachment with animations may arrive in a user's inbox and when he/she opens is, Trojans start infecting the computer. Trojans are mainly spread by downloads.

Road Apple

It is a term used for Trojans that use physical media to infect computers (e.g. CD's, USB drives and etc.) and also relies on the curiosity of the victim. Example, a USB drive titled “Employee Salaries” may be placed on a targeted person's desk and the attacker hopes that the victim shall use it. Usually isn't used unless the attacker has a certain target in mind that he has access to.

Methods of deletion

The simplest ways of deleting Trojans would be to clear temporary internet files or to delete its source file.

A computer virus hoax is a false email message warning the recipient of a virus that is going around. The message usually serves as a chain e-mail that tells the recipient to forward it to everyone they know.

Clues

Most hoaxes are easily identified by the fact that they say the virus will do nearly impossible things, like blow up the recipient's computer. They often claim to be from reputable organizations such as Microsoft and IBM, but include emotive language and encouragement to forward the message which would not come from an official source.

Virus hoaxes are usually harmless, and do nothing more than annoy people who know it's a hoax or waste the time of people who forward the message. However, a number of hoaxes have warned users that vital system files are viruses, and encourages the user to delete the file, possibly damaging the system. An example of this is the jdbgmgr.exe virus hoax.

Some consider virus hoaxes, and other chain e-mails to be a computer worm in and of themselves. They self replicate by exploiting users' ignorance or emotional responses.

Hoaxes are not to be confused with computer pranks. Computer pranks are programs that perform unwanted and annoying actions on a computer, like randomly move the mouse.

The consensus of anti-virus specialists is that recipients should delete virus hoaxes instead of forwarding them. For example, McAfee says: "We are advising users who receive the email to delete it and DO NOT pass it on as this is how an email HOAX propagates."