Types of Malware

Attackers can choose different types of malware to meet the goals of their attacks. The best type of malware for any situation depends on the type of attack. Malware can be loosely divided into two main categories: programs that spread or infect and programs that hide.

Programs that spread or infect actively attempt to copy themselves to other computers. Their main purpose is to carry out instructions on new targets. Malware of this type includes:

  • Viruses

  • Worms

Other malware hides in the computer to carry out its instructions while avoiding detection. Malware that tends to hide includes:

  • Trojan horses

  • Ransomware

  • Rootkits

  • Spyware

Understanding these six basic types of malware and how to protect your systems from them is an important component of a solid security plan. The following sections describe each malware type.

Virus

A computer virus is a software program that attaches itself to, or copies itself into, another program. It causes the computer to follow instructions not intended by the original program developer. A virus “infects” a host program and may cause that host program to replicate itself to other computers. The term “virus” is used to describe malware that acts in a similar fashion to biological viruses. The virus cannot exist without a host, similar to many parasites. It can spread from host to host in an infectious manner.

The Creeper was the first reported intercomputer virus recorded. It was written by Bob Thomas in 1971. The Creeper would copy itself to other networked computers and display the message “I’m the creeper, catch me if you can!” It was designed as an experimental self-replicating program to see how such programs would affect computers on a network. Shortly after the Creeper was released, the Reaper program was unleashed to find and eradicate the Creeper.

Today, there are thousands of known viruses that infect programs of all types. The main concern with viruses is that they often attach themselves to commonly run programs. When users run these infected programs, they are actually running virus code with their user credentials and authorization. The virus doesn’t have to escalate privileges. Users who run the infected program provide the virus with their authenticated credentials and permissions.

Worm

A worm is a type of malware that is self-contained. It is a program that replicates and sends copies of itself to other computers, generally across a network. The worm may take other actions, or its purpose may just be to reduce availability by using up network bandwidth. The main difference between a virus and a worm is that a worm does not need a host program to infect; the worm is a stand-alone program. Since worms don’t rely on hosts, they generally can spread faster and farther. Worms tend to be somewhat platform specific, since they are stand-alone programs.

The first worm reported to spread “in the wild” was the Morris worm. The Morris worm was written by Robert Tappan Morris, Jr. in 1988. It was designed to spread across the Internet and infect computers running versions of the UNIX operating system. The original intent of this worm was to estimate the size of the Internet, but the worm spread faster than its author expected. The worm ended up infecting computers multiple times and eventually slowed down each infected computer until it became unusable.

The Morris worm exploited a buffer overflow vulnerability. A buffer overflow is a condition in which a running program stores data outside the memory area set aside for that data. By supplying more data than a program expects, an attacker can place instructions into the program that alter its behavior at run time. Buffer overflows are numerous and always result from a programmer neglecting to validate input data.
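An added illustration in C, not taken from the textbook, of the condition this paragraph describes: an unchecked copy into a fixed-size stack buffer, beside a version that validates the input length before copying. The buffer size and function names are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* room for 15 characters plus the terminating NUL (assumed size) */

/* Before: the input length is never validated. If 'input' is longer than
 * the buffer, strcpy keeps writing past the end of 'name', overwriting
 * whatever the compiler placed next to it on the stack. Shown for
 * comparison only; it is never called in this example. */
void greet_unchecked(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* writes strlen(input)+1 bytes, unbounded */
    printf("Hello, %s\n", name);
}

/* After: validate the length first. Copies nothing and returns false when
 * the input (plus its NUL) would not fit, so no write can exceed 'dst'. */
bool copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return false;
    memcpy(dst, src, len + 1);      /* len+1 <= dst_size is now guaranteed */
    return true;
}

/* Returns 1 if the greeting was produced, 0 if the input was rejected. */
int greet_checked(const char *input)
{
    char name[NAME_MAX];
    if (!copy_checked(name, sizeof name, input)) {
        fprintf(stderr, "rejected: %zu-byte input exceeds %d-byte limit\n",
                strlen(input), NAME_MAX - 1);
        return 0;
    }
    printf("Hello, %s\n", name);
    return 1;
}

int main(void)
{
    greet_checked("Alice");                                 /* fits: greeting printed */
    greet_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  /* 36 bytes: rejected */
    return 0;
}
```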

Since the Morris worm, attackers have released many other notable worms, such as Melissa, The Love Bug, Stuxnet, Code Red, Nimda, SQL Slammer, Sasser, and Conficker. Worms tend to thrive in environments where users run them without thinking about the potential consequences. In the past, many worms were transported in email messages. In the near future, expect to see a substantial increase in worms spreading through social networking. The fast pace of communicating through social media mechanisms opens new opportunities for both attackers and security administrators.

Trojan Horse

The Trojan horse, also called a Trojan, is malware that either hides or masquerades as a useful or benign program. The name derives from the story of the Trojan horse in The Aeneid. In the story, the Greeks constructed a large wooden horse and offered it as a gift to Troy. After 10 years of war with Troy, the Greeks left the horse and sailed away. The gift was seen as a victory offering and was brought into the city. That night, Greek soldiers hidden inside the hollow horse opened the city gates and let the rest of the Greek army, which had returned after dark, into the city. The Greeks soundly defeated Troy that night.

Trojan horse programs use their outward appearance to trick users into running them. They are disguised as programs that perform useful tasks, but actually hide malicious code. Once the program is running, the attack instructions execute with the user’s permissions and authority. In essence, the Trojan horse developer has tricked a user into running an attack program.

The first known Trojan was Animal, released in 1974. The program was disguised as a simple quiz game in which the user would think of an animal and the program would ask questions to attempt to guess the animal. In addition to just asking questions, the program would actually copy itself into every directory where the user had write access. Today’s Trojans do far more than just save copies of themselves. Trojans can hide programs that collect sensitive information, open backdoors into a computer, or actively upload and download files. The list of possibilities is endless.

Rootkit

A rootkit is a type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised. It is common for rootkits to modify parts of the operating system to conceal traces of their presence. Rootkits can exist at any level, from the boot instructions of a computer up to the applications that run in the operating system. Once installed, rootkits provide attackers with continued access to compromised computers and an easy platform for launching additional attacks.

Rootkits are newer than other types of malware and did not appear until around 1990. They can be difficult to detect and remove since their main purpose is to hide their own existence. But identifying and removing rootkits is crucial to maintaining a secure system.

Spyware

The last main type of malware is spyware. Spyware is software that covertly collects information without the user’s knowledge or permission. The information collected can be sensitive personal information, such as a password or credit card number, or information used to build profiles for future action. Spyware is commonly used by aggressive marketers to collect specific information about customers and their preferences.

Most spyware programs piggyback onto other legitimate programs. They are installed along with the intended programs. Although the primary purpose of most spyware is to collect and report on information, the process of doing just that can cause other problems. Spyware causes additional processes to run to collect the pieces of information. This adds more processes, uses more memory, and can generally slow down a computer. Computers that have many spyware programs installed can run noticeably more slowly than a clean computer.

Spyware has been around since the late 1990s, but became more common after 2000. The rapid growth of the Internet enabled attackers to collect useful information from unsuspecting users. Use of the information collected by spyware can range from customized suggestive selling to identity theft. The main goal of spyware is to collect and deliver information—especially private information. When successful, spyware violates the privacy of information and provides easy access to unauthorized users. Private information should stay private. Spyware is a type of malware that specifically threatens the confidentiality of information.

Ransomware

Another type of malware attempts to generate funds directly from a computer user. Ransomware attacks a computer and limits the user’s ability to access the computer. It can limit access by slowing down the computer, denying access for authorized users, or blocking access to specific programs or resources. Some ransomware operates by encrypting important files, or even the entire disk, and making them inaccessible. The attacker generally alerts the users to the restrictions and demands a payment to restore full access. The payment, or ransom, gives this type of malware its name. The attacker promises to decrypt the user’s data or remove any mechanisms that block access once the ransom is paid. Most computer users rely on their computers and the data they store. Few computer users can lose access to their data and other resources without encountering ongoing frustration.

Business users may find ransomware to be far more than a simple annoyance. The inability to access key parts of a business computing system can have the same effect as a denial of service (DoS) attack. Ransomware can cause organizations to lose large profits in a very short period of time. Attackers who launch ransomware attacks expose themselves to huge risks but can also realize large profits. Ransomware is a growing trend in malware. User reliance on mobile devices makes such devices attractive targets. As Windows computers and devices become more mobile, they become even more vulnerable to potential ransomware attacks.

Malware Type Summary

Most current malware tends to be complex and possess characteristics of several of the basic types discussed in this section. Modern malware is commonly a hybrid of two or more types, allowing it to be more effective and harder to combat. Even though hybrid malware is becoming more common, it is still important to understand the basic types and how to protect your systems. Protection from more complex malware often includes protecting systems from a combination of basic malware types. TABLE 5-1 compares the six basic types of malware and their most prominent characteristics.

TABLE 5-1 Common Types of Malware

| MALWARE TYPE | PROMINENT CHARACTERISTIC |
|---|---|
| Virus | Attaches to or “infects” a host program |
| Worm | Stand-alone program—does not need a host |
| Trojan | Hides or masquerades as a harmless program, tricking users into running the malware |
| Rootkit | Modifies programs, possibly even operating system programs, to hide traces of its own existence |
| Spyware | Covertly collects information and sends it to a collector |
| Ransomware | Program that limits access to the infected computer and demands a ransom to be paid to the attacker to restore full access |

© Jones & Bartlett Learning.
