Types of Malware and Related Things

Malware is a general term for software that does something undesirable on purpose. Most malware relies on human mistakes or on software vulnerabilities to get into a system. Once it's there, it usually has some type of payload that does something bad. Let's look at some of the different kinds of malware and related things.

Computer viruses, like human viruses, need a host to infect. Instead of being stand-alone programs, they are usually chunks of code that attach themselves to other files. Many viruses attach a copy of themselves to executable files, so when that file is run, the virus's code is also run. When running, the virus looks for other hosts to attach itself to. Some viruses attach themselves to the boot sector of a hard drive, which is the code that is run when a computer first starts up.

Macro viruses
Many types of software come with scripting languages that allow you to do things that are not possible in the regular user interface of the software. Scripts written for this purpose are sometimes called macros. The most common type is probably the macro capability built into MS Office products. They use Visual Basic. Used properly, they can allow you to do some pretty awesome spreadsheet calculations and PowerPoint tricks. However, these macros often have access to many system resources. Some macros can run immediately when the document is opened. You might download a MS Word document from the internet, run it, and if a virus has been written in the macro's scripting language, then your computer has now been infected. This is why when you open downloaded Word documents, Word will often put up a warning message.

A worm is similar to a virus in that it tries to spread itself. What makes them different is that they don't need a host to propagate. A worm stands on its own without a host to attach to. Worms often try to propagate to other machines via a network.

Rootkits are a type of malware that infects the operating system itself. They are usually broken into two types: user-mode rootkits and kernel-mode rootkits. The latter are the more dangerous as they infect the deepest part of the operating system and run with privileges even higher than that of the root user. Because they get so far into the operating system, they can perform all sorts of tricks to avoid being detected or deleted. For instance, they can block themselves from appearing in the task manager. Or when someone tries to delete a file associated with the rootkit, because the rootkit is running as part of the OS, it can make sure the deletion doesn't take place. Sometimes the only thing you can do to get rid of a rootkit is to reinstall the OS, though you may be able to locate and delete the rootkit files if you boot up using a different OS.

A trojan, like the mythological trojan horse, is malware that is disguised as something else. For instance, a program that claims to be a Minesweeper game but actually deletes all the files on your computer is a trojan.

Logic bombs
A logic bomb is code that is set to run when triggered by a particular event. An example would be a software engineer who adds some code to a system that is set to delete important files if the engineer's name is ever removed from the database of employees. Another example would be a program that only executes its payload if it recognizes that it is in a certain country on a specific date.

A backdoor isn't necessarily a program or a piece of malware, but it can have similar effects. A backdoor is something that gives access via other means than the usual way. For instance, if a router manufacturer sets a very specific username and password that gives access to the router's settings, and the manufacturer doesn't tell anyone about it, that is a backdoor. Another example is if a company allows SSH access to their servers to someone with username “Smith” at port 44503. When malware infects a system, it can set up a backdoor to the system by opening up a particular port. Related to this is the concept of remote access trojans, which is a trojan that gives an attacker remote access to a system, often by opening up a network port to allow access. The term “backdoor” is used in many other contexts. For instance, there has been a long-running debate between governments and security researchers about putting government-mandated backdoors into cryptography to allow governments to decrypt things.

Spyware is a type of malware that spies on a user's activities and sends the info to an attacker. Keyloggers are one example. They silently record all the keys you type and periodically send them to an attacker.

Ransomware is a type of malware that encrypts your data and forces you to pay the attacker money in order to get your data decrypted.

Fileless or memory-resident malware
This is a class of malware that exists only in RAM, not in a file. On the one hand, this type of malware is often (but not always) destroyed when the device is powered down, but on the other hand, it can be difficult for antimalware tools to detect.

One of the goals of a lot of modern malware is to make a device part of a botnet. A botnet is a network of compromised machines that all obey a bot master. The master issues instructions and the bots all follow those instructions. Bots can be computers, routers, and internet of things devices. Many of these devices get infected due to obvious default passwords and due to not being patched with the most recent security updates. It's also easy to get infected by clicking on a bad link or downloading something from the wrong place.

More about malware

Antivirus programs usually work by looking for signatures, usually blocks of code that are part of a virus. Virus creators get around this by modifying the code to change the signature. There are point-and-click programs out there for virus creation that allow people to create new viruses even without knowing how to code. They're not creating new exploits, but rather are creating viruses using preprogrammed exploits that have new signatures.

Some viruses can modify themselves to avoid detection. They can encrypt or obfuscate their code, and change parts of it on the fly. Others update themselves via the internet. Viruses that can change shape like this are called polymorphic. A counter to this is for antivirus programs to detect malware based on its behavior rather than on its signature. For instance, a program that is continually contacting a remote server known to be a command and control center for a botnet is likely to be malware.

Most malware relies on some type of vulnerability in a system. If that vulnerability has not previously been known to the company producing the system, then it's called a zero-day since the company has known about it for zero days and hence hasn't had any time to fix it. There's an active group of people coming up with zero-days. Some people disclose them to the companies and then publish them after patches are available. Often companies will reward people with bug bounties for this, though some companies take a less enlightened approach. Other people sell their zero-days on the black market.

A look at some famous pieces of malware

Here is a brief overview of some of the more well-known pieces of malware throughout the last 30+ years.

Morris worm (1988)
This is the first really well-known worm. It was not intentionally malicious, but it did affect a large percentage of the internet at the time due to a bug that caused it to infect machines multiple times. It relied on a few different attack vectors. One was a buffer overflow in the Unix finger program. Another was the fact that the sendmail program, if it was running in debug mode, would automatically run executable files sent in the subject line. Many machines were running it in debug mode. Once the worm infected a machine, it opening connections to other computers with the remote shell (rsh) program by guessing passwords. This was another way it coud spread.

ILOVEYOU worm (2000)

Versions of Microsoft Outlook around 2000 had a bug where if the file name of an attachment had two extensions, it wouldn't show the second one. The ILOVEYOU worm started out in emails that had an attachment called LOVELETTERFORYOU.txt.vbs. The second extension, the true one, is for a Visual Basic script. But Outlook only showed the file as LOVELETTERFORYOU.txt, making it look like an innocent text file. Once run, the script would send copies of the worm to people in the victim's address book, making it look like they were the ones sending the “love letter”. Besides this, the worm would overwrite various files with copies of itself.

Code red worm (2001)
This ia worm that relied on a buffer overflow in a specific version of Microsoft web server software. The worm would try sending a specific HTTP request to random IP addresses. If it found one running the vulnerable software, the HTTP request would trigger the buffer overflow. The worm would then vandalize the page and sometimes try to do a denial of service at a few targets, including the White House. The worm itself only lived in RAM and not on the hard drive. When the server was restarted, the worm would be removed, but the machine would soon be reinfected from the internet.

Blaster worm (2003)
Microsoft had released a security update. A group reverse-engineered the update to figure out what the bug was, and they developed it into an exploit. That exploit was a buffer overflow in remote procedure calls (RPCs). Because people are often slow to update their systems, the worm that used the exploit was able to spread widely. Once it got onto a network, it could spread very quickly to the rest of the network due to RPCs being allowed within the network.

One interesting development was the Welchia good worm. It used the same exploit to spread, but its payload was to actually patch the system so it couldn't be exploited by the Blaster worm. This brings up interesting ethical questions.

Sony rootkit (2005)
As a way to prevent people from illegally copying CDs, Sony included a rootkit that would install itself when a CD was played on a computer. Attackers found ways to use the rootkit to help their own malware. Sony's attempts to patch the problem caused even more problems.

Conficker (2008)
People think this worm may have been released by a government organization as a test. Like the Blaster worm, it relied on a buffer overflow in Windows remote procedure calls. The worm used a number of techniques including disabling Windows updates and blocking DNS queries for antivirus sites. It would infect USB drives, and it updated itself from the internet via randomly generated domain names.

Stuxnet (2010)
This widely believed to be developed by U.S. and Israeli agencies to target Iran's nuclear reactors. The worm spread far and wide, but it had no payload unless it detected that it was running on certain nuclear reactor control systems. It was able to cross air gaps (i.e., reach computers not connected to the internet) by infecting USB drives.

Wannacry ransomware (2017)
This also exploits a buffer overflow in Windows remote procedure calls. Patches for the exploit had been released about a month before the worm began spreading, but many people didn't update their systems. The worm had a kill switch built into it. If it wasn't able to reach a certain domain, it would shut itself off. This was a protective measure that the worm used to detect if it was being run in a virtual machine, which is what researchers use to safely study worms. A security researcher discovered the domain name, registered it, and set the DNS to sinkhole it (so it would go to This stopped the worm from spreading. Its creators tried using new domains, but each time they would be registered and sinkholed.