Chapter 10. Malware, Worms, and Viruses

ONE OF THE PROBLEMS in the technology business that has grown considerably over the years is the issue of malware. Malware in all its forms has moved from being a simple annoyance to being downright malicious. Software in this category has evolved to the point of being dangerous, as it now can steal passwords, personal information, and plenty of other information from an unsuspecting user.

Malware is nothing new, even though the term may be. The problem has existed for years under different names such as viruses, worms, adware, scareware, and spyware. But it has become easier to spread because of the convenient distribution channel the Internet offers, as well as the increasingly clever social-engineering methods the creators of this type of software employ. Making the problem of malware even larger is the complexity of modern software, lack of security, known vulnerabilities, and users' lax attitude toward security updates and patches.

Malware or malicious code is not going to decline; in fact, the opposite is true. One type of malware, Trojans with keyloggers, saw an increase of roughly 250 percent between January 2004 and May 2006, and such a trend represents just one category. Some types of malware have seen even larger increases.

It is with these points in mind that this chapter will examine the problem of malware, trends, and how to deal with the increasingly serious threat this type of software poses.

Malware

The term malware is often tossed around, but what exactly does it mean? Malware refers to software that performs any action or activity without the knowledge or consent of the system's owner. But the definition of malware can be expanded to include any software that is inherently hostile, intrusive, or annoying in its operation.

Note

Malware is a contraction of the term malicious software, which gives a much more accurate picture of the goal of this class of software.

In the past, malware was designed to infect and disrupt, disable, or even destroy systems and applications. In some cases this disruption went one step further and used an infected system as a weapon to disable or disrupt other systems. In recent years the nature of malware has changed with the software seeking to remain out of sight in an effort to evade detection and removal by the system owner for as long as possible. All the while, the malware is resident on a system taking up resources and power for whatever purpose the attacking or infecting party may have in mind.

Note

If the definition of malware is limited to just software that performs actions without the user's knowledge or consent, this could include a large amount of software on the average system. It is also important to classify as malware software that is hostile in nature.

In the present day malware has changed in nature dramatically with the criminal element realizing the advantages of using it for more malicious purposes. In the past it was not uncommon for malware to be written as a prank or to annoy the victim, but times have changed. Malware in the current day has been adopted by criminals for a wide array of purposes to capture information about the victim or commit other acts. As technology has evolved, so has malware—from the annoying to the downright malicious.

The term malware used to cover just viruses, worms, Trojans, and other similar software that performed no useful function or carried out malicious activities. Malware has evolved to include new forms, such as spyware, adware, and scareware. Software that used to just dial up systems or be annoying now redirects browsers, targets search engine results, or even displays advertisements on a system.

Another aspect of malware that has emerged is its use to steal information. Malware programs have been known to install what is known as a keylogger on a system. A keylogger captures keystrokes as they are typed, with the goal of gathering information such as credit card numbers, bank account numbers, or other similar information. For example, malware has been used to steal information from those engaging in online gaming to obtain players' game account information.

Malware's Legality

Malware has tested and defined legal boundaries since it came into being. Lawmakers have passed statutes specifically to deal with the problem. Malware initially was perceived as being harmless, relegated to the status of a prank. But times changed—a more serious look at the problem of malware became necessary. Over the past few years the problems malicious code poses have been addressed technologically. In addition, new legal remedies have emerged in several countries.

In the United States several laws have been introduced since the 1980s. Some of the more notable ones include:

  • The Computer Fraud and Abuse Act of 1986—This law was originally passed to address federal computer-related offenses and the cracking of computer systems. The act applies to cases that involve federal interests, or situations involving federal government computers or those of financial institutions. Additionally, the law covers computer crime that crosses state lines or jurisdictions.

  • The Patriot Act—This expanded on the powers already included in the Computer Fraud and Abuse Act. The law:

    • Provides penalties of up to 10 years for a first offense and 20 years for a second offense

    • Assesses damages over the course of a year to multiple systems to determine if such damages are more than $5,000 total

    • Increases punishment for any violation that involves systems that process information relating to the justice system or military

    • Covers damage to foreign computers involved in US interstate commerce

    • Includes, in calculating damages, the time and money spent investigating a crime

    • Makes selling computer systems infected with malware a federal offense.

Each country has approached the problem of malware a little differently, with penalties ranging from jail time to potentially steep fines for violators. In the United States, states such as California, West Virginia, and a host of others have put in place laws designed to punish malware perpetrators. While the laws have different penalties designed to address malware's effects, it has yet to be seen what the effects of these laws will be.

Types of Malware

While the term malware may refer to any software that fits the definition, it is also important to understand the specifics and significance of each piece of software under the malware banner. A broad range of software types and categories exists, some of which have been around for a long time. Malware includes the following:

  • Viruses

  • Worms

  • Spyware

  • Adware

  • Scareware

  • Trojan horses

  • Rootkits

The latter two will be discussed in the next chapter.

Malware's Targets

A quick review of the targets of malware authors gives a good taste of why the problem is so serious:

  • Credit card data—Credit card data and personal information are a tempting and all too common target. Upon obtaining this information an attacker can go on a shopping spree, purchasing any type of product or service: Web services, games, merchandise, or other products.

  • Passwords—Passwords are another attractive target for attackers. The compromise of this sort of information can be devastating to the victim. Most individuals reuse passwords over and over again, so stealing a single password can easily open many doors for the attacker, from e-mail and Internet accounts to banking passwords.

  • Insider information—Confidential or insider information is another target for an attacker. An attacker may very well use malware to gain such information from an organization to gain a competitive or financial benefit.

  • Data storage—In some cases a system infected with malware may find itself a point for storing data without the owner's knowledge. Uploading data to an infected system can turn that system into a server hosting any type of content. This has included illegal music or movies, pirated software, pornography, financial data, or even child pornography.

Viruses and How They Function

A virus is one of the oldest pieces of software that fits under the definition of malware. It may also be one of the most frequently misunderstood. The term virus is frequently used to refer to all types of malware.

Before getting too far into a discussion of viruses it is important to make clear first what a virus actually is and the behaviors viruses exhibit. A virus is a piece of code or software that spreads from system to system by attaching itself to other files. When the file is accessed, the virus is activated. Once activated, the code carries out whatever attack or action the author wishes to execute, such as corrupting data or destroying it outright.

Viruses have a long history, one that shows how this form of malware adapted and evolved as technology and detection techniques improved. Let's examine the "back story" of viruses, how they have changed with the times, and how this affects you as a security professional.

Viruses: A History

As stated earlier, viruses are nothing new; the first viruses debuted in the "wild" roughly 40 years ago as research projects. They have evolved dramatically since then into the malicious weapons they are today.

Note

A second piece of code, known as the Reaper, was specifically designed to remove the Creeper from circulation.

The first recognized virus was created as a proof-of-concept application designed in 1971 to demonstrate what was known as a mobile application. In practice the Creeper virus, as it was known, spread from system to system by locating a new system while resident on another. When a new system was found the virus would copy itself and delete itself off the old one. Additionally the Creeper virus would print out a message on an infected machine that stated "I'm the Creeper, catch me if you can." In practice the virus was harmless and was not that advanced compared with modern examples.

Note

The term virus was not coined until the 1980s, so the negative term was not applied to these early examples.

In the mid-1970s a new feature was introduced in the Wabbit virus. The Wabbit virus represented a change in tactics in that it demonstrated one of the features associated with modern day viruses—replication. The virus replicated on the same computer over and over again until the system was overrun and eventually crashed.

In 1982 the first virus seen outside academia debuted in the form of the ElkCloner virus. This piece of malware debuted another feature of later viruses—the ability to spread rapidly and remain in the computer's memory to cause further infection. Once resident in memory, it would infect floppy disks placed into the system later, as many later viruses would do.

Note

The ElkCloner virus was developed by Rich Skrenta when he was all of 15 years old. He developed the virus to have fun with friends who no longer trusted floppies that he gave them. He came up with the novel concept of infecting floppies with a memory-resident program.

Four short years later, the first PC-compatible virus debuted. The viruses prior to this point were Apple II types or designed for specific research networks. In 1986 the first of what was known as boot sector viruses debuted, demonstrating a technique later seen on a much wider scale. This type of virus infected the boot sector of a drive and would spread its infection when the system was going through its boot process.

Note

The first logic bomb most individuals heard of was the Michelangelo virus, designed to infect on the famous painter's birthday. In reality the virus was a great non-event—it was detected very early and eradicated before it could cause any serious damage.

The first of what would later be called logic bombs debuted in 1987: the Jerusalem virus. This virus was designed to cause damage only on a certain date—in this case, Friday the 13th. The virus was so named because of its initial discovery in Jerusalem.

Multipartite viruses made their appearance in 1989 in the Ghostball virus. This virus was designed to cause damage using multiple methods and components, all of which had to be neutralized and removed to clear out the virus effectively. Polymorphic viruses first appeared in 1992 as a way to evade early virus-detection techniques. Polymorphic viruses are designed to change their code and "shape" to avoid detection by virus scanners, which would look for a specific virus code and not the new version.

Fast-forward to 2008 and Mocmex. Mocmex was shipped on digital photo frames manufactured in China. When the virus infected a system, its firewall and antivirus software were disabled; then the virus would attempt to steal online-game passwords.

Modern viruses and virus writers have gotten much more creative in their efforts and in some cases are financed by criminal organizations to build their software.

Types of Viruses

So you can see that not all viruses are the same; there are several variations of viruses, each of which is dangerous in its own way. Understanding each type of virus can give you a better idea of how to thwart them and address the threats they pose.

Logic Bombs

A logic bomb is a piece of code or software designed to lie in wait on a system until a specified event occurs. When the event occurs the bomb "goes off" and carries out its destructive behavior as the creator intended. While the options are virtually endless as far as what a logic bomb can do, the common use of this type of device is to destroy data or systems.

Logic bombs have been notoriously difficult to detect because of their very nature of being "harmless" until they activate. Malware of this type is simply dormant until whatever it is designed to look for happens. What can activate this software is known as a positive or negative trigger event coded in by the creator. A positive trigger is a mechanism that looks for an event to occur such as a date. A negative trigger, on the other hand, is designed to monitor an action; when such action does not occur it goes off. An example would be if a user does not log on for some period. This process of "hiding" until an event occurs or does not occur makes this particular type of malware dangerous.

As a security professional you will have to be extra vigilant to detect logic bombs before they do damage. Traditionally the two most likely ways to detect this type of device are by accident or after the fact. In the first method, an IT worker just happens to stumble upon the device by sheer "dumb luck" and deactivates the bomb. In the second method, the device "detonates" and then the cleanup begins. The best detection and prevention methods are to be vigilant, to limit access of employees to only what is necessary, and to restrict access where possible.

Polymorphic Viruses

The polymorphic virus is unique because of its ability to change its "shape" to evade antivirus programs and therefore detection. In practice this type of malware possesses code that allows it to hide and mutate itself in random ways that prevent detection. This technique debuted in the late 1980s as a method to avoid the detection techniques of the time.

Polymorphic viruses employ a series of techniques to change or mutate; these methods include:

  • Polymorphic engines—Designed to alter or mutate the device's design while keeping the payload, the part that does the damage, intact

  • Encryption—Used to scramble or hide the damaging payload, keeping antivirus engines from detecting it

When in action, polymorphic viruses rewrite or change themselves upon every execution. The extent of the change is determined by the creator of the virus and can range from a simple rewrite to changes in encryption routines or alteration of the code.

Modern antivirus software is much better equipped to deal with the problems polymorphic viruses pose. Techniques to detect these types of viruses include decryption of the virus and statistical analysis and heuristics designed to reveal the software's behavior.

Multipartite Viruses

The term multipartite refers to a virus that infects using multiple attack vectors, including the boot sector and executable files on the hard drive. What makes these types of viruses dangerous and powerful weapons is that to stop them, you must totally remove all their parts. If any part of the virus is not eradicated from the infected system, it can re-infect the system.

Multipartite viruses represent a problem because they can reside in different locations and carry out different activities. This class of virus has two parts, a boot infector and a file infector. If the boot infector is removed the file infector will re-infect the computer. Conversely, if the file infector is removed the boot infector will re-infect the computer.

Macro Viruses

Macro viruses are a class of virus that infects and operates through the use of a macro language. A macro language is a programming language built into applications such as Microsoft Office in the form of Visual Basic for Applications (VBA). It is designed to automate repetitive tasks. Macro viruses have been very effective because users have lacked the protection or knowledge to counteract them.

Note

After the initial outbreaks of macro viruses, Microsoft introduced the ability to disable macros. In Office 2010 macros are disabled by default.

Macro viruses can be implemented in different ways, usually by being embedded into a file or spread via e-mail. The initial infections spread quite quickly because earlier applications would run the macro when a file was opened or when an e-mail was viewed. Since the debut of these viruses, most modern applications disable the macro feature or ask users whether they want to run macros.

Hoaxes

A hoax is not a true virus. But no discussion of viruses is complete without mentioning the hoax virus. Hoax viruses are those designed to make the user take action even though no infection or threat exists. The following example is an e-mail that actually is a hoax "virus."

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS: You should be alert during the next days: Do not open any message with an attached filed called "Invitation" regardless of who sent it. It is a virus that opens an Olympic Torch which "burns" the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list. That is why you should send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it. If you receive a mail called "Invitation," though sent by a friend, do not open it and shut down your computer immediately. This is the worst virus announced by CNN; it has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept. SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

Here's another example:

All,

There's a new virus which was found recently which will erase the whole C drive. If you get a mail with the subject "Economic Slow Down in US" please delete that mail right away. Otherwise it will erase the whole C drive. As soon as you open it, it says, "Your system will restart now ... Do you want to continue?". Even if you click on NO, your system will be shut down and will never boot again. It already caused major damage in the US and few other parts of the world. The remedy for this has not yet been discovered.

Please make sure you have backed up any local hard drive files adequately—network, floppy, etc.

In both cases a simple search of Google or discussion with the IT department of a company will reveal these to be hoaxes; however, in many cases the recipients of these messages panic and forward them on, causing further panic.

Prevention Techniques

Viruses have been in the computer and network business almost as long as the business itself has been around. A wide variety of techniques and tools have evolved to deal with the threat.

Education

Knowledge is half the battle. Getting system owners to understand how not to get infected or spread viruses is a huge element in stopping the problem. Users should be instructed on proper procedures to stop the spread of virus code. Such tips should generally include:

  • Don't allow employees to bring media from home

  • Instruct users not to download files except from known and trusted sources

  • Don't allow workers to install software without permission from the company IT department

  • Inform IT or security of strange system behaviors or virus notifications

  • Ban flash drives

  • Ban portable hard drives

  • Limit the use of administrative accounts

Antivirus

The next line of defense is the antivirus software that is designed to stop the spread and activity of viruses. Antiviruses are designed to run in the background on a system, staying vigilant for activity that suggests viruses and stopping or shutting it down. Antiviruses are effective tools, but they can be so only if they are kept up to date. Antiviruses rely on a database of signatures that lets them know what to look for and remove. Because new viruses are released each day, if you neglect this database it becomes much more likely a virus will get through.

Because there is a wide range of viruses and other malicious code, an antivirus must be able to detect more than a simple virus. Good antivirus software can detect viruses, worms, Trojans, phishing attacks, and, in some cases, spyware.

Antiviruses tend to use one of two different methods. The first is the suspicious behavior method. Antivirus programs use this to monitor the behavior of applications on a system. This approach is widely used as it can detect suspicious behavior in existing programs, as well as detecting suspicious behavior that indicates a new virus may be attempting to infect your system.

The second method is dictionary-based detection. This method scans applications and other files as they are accessed on your system. The advantage of this method is that it can detect a virus almost immediately instead of letting it run and detecting its behavior later. The downside is that the method can detect only viruses it already knows about—if you neglect to update the software it cannot detect new viruses.
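The following is an added illustration, not code from the book or from any antivirus product. It ties the dictionary method described here to the polymorphic viruses discussed earlier: a dictionary scan on a plain copy of a constructed "payload" (an arbitrary marker string), the same scan failing on XOR-encoded copies with different per-copy keys, the scanner undoing the encoding itself before matching, and a statistical heuristic that flags encrypted-looking files without naming them. The signature database, stub marker and sample files are all constructed for the example.

```python
# Constructed signature database: detection name -> byte pattern the dictionary
# scanner looks for. Real databases hold many thousands of such entries.
SIGNATURES = {"Sample.A": b"BEGIN_CONSTRUCTED_PAYLOAD_MARKER"}
PAYLOAD = SIGNATURES["Sample.A"]

# Marker for the constructed decryptor stub. A real polymorphic engine mutates
# the stub as well, so the scanners below never rely on this marker.
STUB_MAGIC = b"STUB"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the toy 'encryption' used here)."""
    return bytes(b ^ key for b in data)


def encode_variant(payload: bytes, key: int) -> bytes:
    """Build a constructed 'polymorphic' copy: identical payload, different
    per-copy key. The key is not stored in the file; a real stub carries it
    inside its own mutated code, which the scanners here do not parse."""
    return STUB_MAGIC + xor_bytes(payload, key)


def signature_scan(data: bytes) -> list:
    """Dictionary-based detection: report every known pattern present as-is."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def decrypt_and_scan(data: bytes) -> list:
    """Scanner-side decryption: undo every possible single-byte key (key 0 is
    the unmodified file) and apply the dictionary to each candidate."""
    hits = set()
    for key in range(256):
        hits.update(signature_scan(xor_bytes(data, key)))
    return sorted(hits)


# Printable ASCII plus tab, newline and carriage return.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 for an empty file."""
    if not data:
        return 1.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def heuristic_scan(data: bytes, threshold: float = 0.5) -> bool:
    """Statistical heuristic: a body that is mostly non-text looks encrypted or
    packed. Unlike the dictionary it cannot name the virus, and it also flags
    legitimate compressed or binary files, so it only marks the file for
    closer inspection (emulation, behavior monitoring), not conviction."""
    return printable_ratio(data) < threshold


# Constructed samples: a harmless document, a plain (unencoded) copy of the
# payload appended to a host file, and two encoded copies with different keys.
CLEAN_FILE = b"Quarterly report: nothing to see here.\n"
PLAIN_INFECTED = b"Some host file\n" + PAYLOAD
VARIANT_1 = encode_variant(PAYLOAD, 0x55)
VARIANT_2 = encode_variant(PAYLOAD, 0xA3)


def scan(data: bytes) -> dict:
    """Run all three methods on one file and return their verdicts."""
    return {
        "signature": signature_scan(data),
        "decrypt": decrypt_and_scan(data),
        "heuristic": heuristic_scan(data),
    }


if __name__ == "__main__":
    samples = {
        "clean": CLEAN_FILE,
        "plain infected": PLAIN_INFECTED,
        "variant key 0x55": VARIANT_1,
        "variant key 0xA3": VARIANT_2,
    }
    for label, data in samples.items():
        print(f"{label:18} {scan(data)}")
```

Running it shows the plain copy caught by the dictionary alone, both encoded copies missed by the dictionary but recovered by decrypt-then-scan, and the heuristic flagging only the encoded copies.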

Applying Updates

Another detail that you cannot overlook is applying patches on systems and software when they become available. Vendors of operating systems and applications such as Microsoft regularly release patches designed to close holes and address vulnerabilities on systems that viruses could exploit. Missing a patch or update can easily mean the difference between avoiding a problem and having your system crippled.

Note

Microsoft is one of many software vendors that have made a point of regularly addressing security issues via patches. In Microsoft's case a monthly event known as Patch Tuesday is specifically geared toward addressing security issues.

Worms and How They Function

Worms are a different type of malware altogether. Viruses require user intervention for their infection to take place—such as the opening of a file or the booting of a computer. In the case of worms, however, no user action is required. A worm is a self-replicating piece of software that combines the convenience of computer networks with the power of malware. Worms also differ from viruses in that viruses require a host program to stay resident. A worm does not require this and is actually self-contained. Worms also can cause substantially more harm than a virus, which is typically limited to corrupting data and applications.

Note

Worms can cause alterations to or corruption of data on a system, but can also cause damage indirectly by replicating at a rapid rate, clogging networks with traffic they cannot handle.

An earlier chapter mentioned the earliest recognized worm, known now as the Morris worm. This worm exhibited some of the traits associated with modern-day worms, particularly the ability to rapidly replicate. At the time the Morris worm was unleashed, the Internet was small compared with today, but the effect was no less devastating. The worm replicated so rapidly and so aggressively that networks were clogged with traffic and brought down. Estimates at the time placed the damage from the outbreak at $10 million (not adjusted for inflation).

Note

The fallout from the Morris worm is still debated today, with damage estimates ranging up to $100 million and several thousand computers or more infected. While the numbers can be argued, what cannot be is the impact of the infection. People realized that worms posed a threat and that tougher laws on cybercrime were needed.

One worm that caused widespread damage was the SQL Slammer or Slammer worm. The Slammer worm was responsible for widespread slowdowns and denials of service on the Internet. It was designed to exploit a known buffer overflow in Microsoft's SQL Server and SQL Server Desktop Engine products. Even though Microsoft had released a software patch six months before the actual infection, many had neglected to install the patch, and therefore the vulnerability still existed on many systems. As a result, in the early morning hours of January 25, 2003, the worm became active and in less than 10 minutes had infected 75,000 machines.

How Worms Work

Worms are relatively simple in design and function, but very dangerous due to the speed and effectiveness with which they spread. Most worms share certain characteristics, which help define how they work and what they can do. The characteristics are as follows:

  • Do not need a host program to function

  • Do not require user intervention

  • Replicate rapidly

  • Consume bandwidth and resources

Worms can also perform some other functions, including:

  • Transmit information from a victim system

  • Carry a payload such as a virus

Examining these characteristics in a bit more detail will help you understand how a worm works and the challenges worms pose to a security professional. In fact, worms differ from viruses in two key ways:

  • A worm can be considered a special type of malware that can replicate and consume memory, but not attach to other programs.

  • A worm spreads through infected networks automatically, while a virus does not.

One of the main characteristics of worms is that they do not need a host program to function, unlike their fellow malware viruses. Worms are designed to function by leveraging vulnerabilities on a target system that are generally unknown or unpatched. Once a worm locates one of these vulnerabilities, it infects the system and then uses the system to spread and infect other systems. A worm performs all these functions by using the system's own processes to do its job, but does not require any host program to run before starting the initial process.

Another characteristic that differentiates worms from other malware is their ability to run without user intervention. Viruses, for example, require a host program to be executed for the infection to begin; worms simply need the vulnerability to exist in order for the process to take place. In the case of worms, just having a system turned on and connected to the Internet is enough to make it a target. Combine this with the vulnerabilities and the danger is obvious.

Note

The Slammer worm doubled the number of infected machines every 8.5 seconds, much faster than previous worms. Slammer boasted an infection rate that was 250 times as fast as Code Red, which had come only two years earlier.

Since Day 1, worms have possessed a feature that makes them a dangerous force to deal with—their ability to replicate very rapidly. One of the features of the Morris worm that even its creator did not expect was that it replicated so rapidly that it choked up networks and shut them down quite effectively. This feature has been a characteristic of worms ever since. Worms can replicate so quickly that their creators are frequently caught off guard. This replication is made possible by a number of factors, including poorly maintained systems, networked systems, and the number of systems linked via the Internet.

Probably the most visible or dramatic feature of worms is their consumption of resources, which shows up as a side effect. Mix into this equation of speed and replication the number of computers on the Internet, and you have a situation in which bandwidth is consumed on a huge scale. Worms such as Slammer have caused massive slowdowns on the Internet because of the scans they send out looking for vulnerable systems and the way they move their payloads around. Additionally, such a worm consumes resources on each infected system as it replicates from that system, using the system's own resources to do so.

Note

One of the earliest warning signs of worms is the unexplained slowdown of a system even after repeated reboots or other checks. While not always a sign of a worm, it is one of the red flags that the system owner should investigate.

In recent years some new characteristics have been added to the behaviors of worms, one of which is the ability to carry a payload. While traditionally worms have not directly damaged systems, worms that carry payloads can do all sorts of mischief. One of the more creative uses of worms has been to perform "cryptoviral extortion." The worm drops off a payload that looks for specific file types (such as .doc files) and encrypts them. Once this has taken place, the worm leaves a message for the user offering to reveal the encryption key after the user pays a certain amount of money.

Stopping Worms

At the core of the worm problem is operating systems that have overlooked or unpatched vulnerabilities. Vendors such as Microsoft have made concerted efforts to release patches regularly to address issues in their operating systems—including vulnerabilities that worms could use to spread. The problem becomes one of knowing patches are available for a system and applying them. This problem becomes even bigger when you realize that worms aren't restricted just to corporate systems—they can also hit home users, who are more likely to miss patches. In some cases, patches are not yet released for a vulnerability. This leads to what is called a zero-day exploit, in which a hole can be exploited immediately.

Note

Several worms such as Code Red, Nimda, Blaster, and Slammer are still alive and well on the Internet today, although at levels well below their initial outbreak. These worms, some of which are nine years old, still infect systems. The main reason? System owners that have neglected to patch their systems, either out of ignorance or laziness.

The Power of Education

Much as with viruses, education is key to stopping worms. Worms are frequently spread via e-mail, for example by messages bearing a subject line such as ILOVEYOU. These prey on a user's curiosity—the user opens the e-mail and unknowingly runs the worm in the background. Add in attacks such as phishing, which further pique a user's curiosity, and you have a problem that only education can address.

Note

The old saying "An ounce of prevention is worth a pound of cure" applies to virus and worm prevention, as it is vastly easier to stop the problem before it starts than to try to remedy it after the fact.

Antivirus and Firewalls

One of the primary lines of defense against worms is reputable antivirus and anti-spyware applications. Having an antivirus application on a system helps prevent a worm infection—but only if it is kept up to date. Modern and up-to-date antivirus applications can easily stop most worms when they appear.

Another way to stop worms is the firewall. The firewall is a valuable tool as it can block the scans to and from a system that worms use both to spread the infection and to deliver it from an infected system to other systems. Most modern operating systems such as Microsoft's Windows 7 include this feature as part of the core system.
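The scanning behavior described above, in which one infected host probes many other systems on the same port in a short time, is also visible in a firewall's own connection log. The following detection script is an added example, not part of the chapter; the log line format (`<epoch> <src_ip> <dst_ip> <dst_port> <action>`), the sample entries, and the fan-out threshold are all constructed for illustration. It keeps a sliding window per source host and destination port and raises an alert when the number of distinct destination hosts contacted within the window reaches the threshold.

```python
"""Flag worm-style scan fan-out in a host or perimeter firewall log.

Added example, not from the chapter. The log format and the sample
entries below are constructed; real firewalls log differently but
expose the same fields (time, source, destination, port, verdict).
"""
from collections import Counter, deque, namedtuple

Alert = namedtuple("Alert", "src dport distinct first_ts last_ts")


def build_sample_log() -> str:
    """Constructed log: one host sweeps port 445 across a /24, one host
    behaves normally. Timestamps are epoch seconds."""
    lines = []
    # constructed: 10.0.0.5 probes 30 neighbours on TCP 445 in 30 seconds
    for i in range(30):
        lines.append(f"{1000 + i} 10.0.0.5 10.0.0.{20 + i} 445 DROP")
    # constructed: 10.0.0.9 is an ordinary workstation talking to two servers
    for ts, dst, port in [(1002, "10.0.0.50", 443),
                          (1005, "10.0.0.51", 80),
                          (1040, "10.0.0.50", 443)]:
        lines.append(f"{ts} 10.0.0.9 {dst} {port} ALLOW")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_scanners(log_text: str, threshold: int = 20, window: int = 60):
    """Return one Alert per (source, port) whose distinct-destination count
    within any `window` seconds reaches `threshold`. The verdict column is
    ignored on purpose: a scan is just as telling whether it was dropped
    or allowed."""
    events = sorted(parse_log(log_text), key=lambda e: e[0])
    recent = {}    # (src, dport) -> deque of (ts, dst) inside the window
    counts = {}    # (src, dport) -> Counter of dst inside the window
    flagged = set()
    alerts = []
    for ts, src, dst, dport in events:
        key = (src, dport)
        q = recent.setdefault(key, deque())
        c = counts.setdefault(key, Counter())
        q.append((ts, dst))
        c[dst] += 1
        # evict entries that have aged out of the window
        while q and ts - q[0][0] > window:
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(Alert(src, dport, len(c), q[0][0], ts))
    return alerts


if __name__ == "__main__":
    for a in find_scanners(build_sample_log()):
        print(f"possible worm scan: {a.src} -> {a.distinct} hosts on "
              f"port {a.dport} between {a.first_ts} and {a.last_ts}")
```

The threshold and window are the tuning knobs: a file server legitimately talks to many clients on one port, so in practice you would whitelist known servers or raise the threshold for them, while a workstation reaching dozens of peers on port 445 within a minute is the signature the chapter is describing.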

Spyware

Spyware is software designed to collect and report information on a user's activities without the user's knowledge or consent. Spyware can collect any type of information about the user that the author wishes to gather, such as:

  • Browsing habits

  • Keystrokes

  • Software usage

  • General computer usage

Spyware has been used to gather information for any reason that its author deems useful. The information collected has been used to target ads, generate revenue for the author, steal personal information, or steal data from an infected system. In some cases, spyware has gone beyond simple information collection to altering a system's behavior to be more along the lines of the author's wishes. Additionally, spyware has been known to act as a precursor to further attacks or infection. It can be used to download and install software designed to perform other tasks.

Methods of Infection

Spyware can be placed on a system by a number of different methods, each of which is effective in its own way. When the software is installed, it typically remains hidden and proceeds to carry out its task. Delivery methods for spyware include:

  • Peer-to-peer networks (P2P)—This delivery mechanism has become very popular because of the increased number of individuals using these networks to obtain free software.

  • Instant messaging (IM)—Delivering malicious software via IM is easy because IM software has never had much in the way of security controls.

  • Internet Relay Chat (IRC)—IRC is a commonly used mechanism to deliver messages and software because of its widespread use and the ability to entice new users to download software.

  • E-mail attachments—With the rise of e-mail as a communication medium, the practice of using it to distribute malware has also risen.

  • Physical access—Once an attacker gains physical access, it becomes relatively easy to install the spyware and compromise the system.

  • Browser defects—With many users forgetting or not choosing to update their browsers as soon as updates are released, distribution of spyware becomes easier.

  • Freeware—Downloading software free from unknown or untrusted sources can mean that you may have downloaded something nastier, such as spyware.

One of the more common ways spyware is installed on a system is through Web browsing. When a user visits a given Web site, the spyware is downloaded and installed using scripting or some other means. Spyware installed in this manner is quite common because Web browsers lend themselves to this process—they are frequently unpatched, do not have upgrades applied, or are incorrectly configured. In most cases users do not use the most basic security precautions that come with a browser, in some cases overriding them to get a better browsing experience or to see fewer popups or prompts.

Note

In some articles and publications, this installation method is referred to as drive-by downloads.

Figure 10-1. Installation options.

Bundling with Software

Another common way to place software on a user's system is via installation of other software that the user intentionally installs. In these cases, a user downloads a legitimate piece of software from a Web site and then proceeds to install it. During the installation process the user is prompted to install additional software before proceeding. In most cases users believe that they can't install the software they want without accepting it. Or they simply click the "Next" button and don't pay attention. Other ways to get spyware on a system during installation are strategically placed checkboxes that install spyware-type applications by default. Such a dialog is shown in Figure 10-1.

Adware

You will frequently find adware on the same machines infected with spyware. Adware is software specifically designed to display ads on your system in the form of popups or nag screens. When this class of software is deployed with spyware, the effect can be quite dramatic, as you will be bombarded with ads specifically targeted to you and your search habits.

In a number of situations, adware is installed on victims' systems because it's been bundled with software that they wish to install. In these situations, when adware is installed it can monitor the usage of the software it was installed with or it can monitor a wide range of other activities. When a piece of adware is installed on a system, the goals can be very different from those of spyware or other types of malware. In the early days of adware, it was not uncommon for adware to be installed because developers wanted to make more money from their software than they otherwise could. When such software is installed, you will typically not notice until you are presented with ads or other types of prompts.

In other cases, adware is not hidden from the user; it is much more obvious. Some developers will offer different versions of their software, one with ads and one without. Users wishing to get the software free must tolerate the annoyance of ads. Users wishing to avoid ads must pay for the privilege.

Note

It is common for developers of so-called freeware to include adware as part of their product. In fact, some well-known software such as Google Earth bundles other software with it, such as browsers or other products. Most manufacturers of this type of software justify their actions as a way to provide the software free or at low cost.

Scareware

Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software.

Scareware generates authentic-looking popups and other ads on a system to make users think something bad has happened or will happen. For example, a common tactic is to display a popup on-screen that appears to initiate a virus scan. It inevitably locates a "virus" and then presents you with an offer to purchase software that removes it. In most cases this software is worthless or actually installs something else that performs other nasty actions, such as those connected to spyware. Users who fall for this scam typically find themselves at the very least out some amount of money—not to mention that whatever they installed may have damaged their system.

Note

This type of software has become more common over the last few years as users have become more savvy, and malware authors have had to change their tactics. Enticing users to click on realistic dialogs and presenting real-looking error messages can be powerful ways to place illicit software on a user's system.

What makes this software even worse is that it frequently employs techniques that outright frighten system users. In addition to generating large numbers of bogus error messages, this class of malware may also generate real-looking dialogs such as those seen in Windows. When you click on these "dialogs" to close them, they may actually be installing the software.

When executed, some scareware will go one step further, even weakening existing system security. Scareware has been known to install on a system and specifically hunt down and disable protective software such as firewalls and antiviruses. Even worse, some of this software will even prevent updates from the system vendor, meaning that security holes and defects may no longer be fixed.

Removing scareware can be a daunting task, because it disables legitimate software that protects the system. In some cases, the system may be so compromised that all Internet activity and other update systems may error out, preventing you from making any changes.

Current tactics have evolved even further to include extortion. Recent tactics have included installing software on a system that hunts for certain file types (e.g., Word documents) and encrypts them. It then offers to decrypt them only if the user pays up.
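The extortion behavior just described leaves a distinctive trace on the host: one process rewrites many user documents in a short burst, and the new contents look like random bytes rather than text or a known file format. The detector below is an added example, not code from the chapter; the file-write event format, the process IDs, the document paths, and the thresholds are constructed. It combines two checks, a Shannon entropy estimate of the written bytes (ciphertext sits near 8 bits per byte, prose well below) and a per-process count of distinct document files rewritten inside a time window.

```python
"""Flag a process that overwrites many documents with high-entropy data.

Added example, not from the chapter. Events are constructed records of
the form (timestamp, pid, path, bytes_written); a real deployment would
feed them from a file-system audit source.
"""
import math
import random
from collections import defaultdict, namedtuple

WriteEvent = namedtuple("WriteEvent", "ts pid path data")

# document types an extortion tool is most likely to go after (constructed list)
DOC_SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_sample_events():
    """Constructed events: pid 4242 rewrites 12 documents with random-looking
    bytes in 12 seconds; pid 1100 (a word processor) saves two text files."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    events = []
    for i in range(12):
        events.append(WriteEvent(5000 + i, 4242,
                                 f"C:/Users/alice/Documents/report{i}.docx",
                                 rng.randbytes(4096)))
    prose = (b"Quarterly summary: revenue grew modestly while costs were flat. "
             * 64)
    events.append(WriteEvent(5003, 1100, "C:/Users/alice/Documents/notes.txt", prose))
    events.append(WriteEvent(5020, 1100, "C:/Users/alice/Documents/draft.docx", prose))
    return events


def detect_mass_encryption(events, min_files=10, window=30, entropy_floor=7.0):
    """Return (pid, distinct_files, first_ts, last_ts) for each process that
    writes high-entropy content to at least `min_files` distinct document
    files within `window` seconds. Each pid is reported once."""
    alerts = []
    flagged = set()
    recent = defaultdict(list)  # pid -> [(ts, path)] of suspicious writes
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.path.lower().endswith(DOC_SUFFIXES):
            continue
        if shannon_entropy(ev.data) < entropy_floor:
            continue  # plain text or structured data, not ciphertext-like
        hits = recent[ev.pid]
        hits.append((ev.ts, ev.path))
        while hits and ev.ts - hits[0][0] > window:
            hits.pop(0)  # age out writes older than the window
        distinct = {path for _, path in hits}
        if len(distinct) >= min_files and ev.pid not in flagged:
            flagged.add(ev.pid)
            alerts.append((ev.pid, len(distinct), hits[0][0], ev.ts))
    return alerts


if __name__ == "__main__":
    for pid, n, first, last in detect_mass_encryption(build_sample_events()):
        print(f"pid {pid} rewrote {n} documents with high-entropy data "
              f"between {first} and {last}")
```

The entropy floor is what separates this from a plain "many files changed" rule: a backup job or a bulk find-and-replace also touches many documents, but it writes content whose byte distribution still looks like documents. Compressed formats (a .docx is a ZIP archive) do score high on entropy, which is why the rule also requires a burst across many distinct files from a single process before alerting.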

CHAPTER SUMMARY

Malware has increased in power and aggressiveness over the past few years to the point where a security professional cannot overlook or ignore the threat. Malware has taken many forms and has moved from being a simple annoyance to being criminal mischief. Software in this category has evolved dramatically to the point of being extremely malicious. Malware can now steal passwords, personal information, and plenty of other information from an unsuspecting user.

The modern concept of malware first came into being in the 1980s and 1990s. Terms such as viruses, worms, adware, scareware, and spyware have become more common in popular usage. In the past, malware was just annoying. But it has become easier to spread because of the convenient distribution channel the Internet offers, as well as the increasingly clever social engineering methods the creators of this type of software employ. Making the problem of malware even worse is the complexity of modern software, frequent lack of security, known vulnerabilities, and the lax attitude many users have toward applying security updates and patches.

New types of malware have included increasingly common scareware. Software in this category is designed to scare you into installing the package. When you do, it takes over the system and disables protective mechanisms or other items.

KEY CONCEPTS AND TERMS

  • Adware

  • Boot sector

  • End user license agreement (EULA)

  • Malware

  • Scareware

  • Worms

CHAPTER 10 ASSESSMENT

  1. Viruses do not require a host program.

    1. True

    2. False

  2. Worms are designed to replicate repeatedly.

    1. True

    2. False

  3. _______ is designed to intimidate users.

    1. Adware

    2. Viruses

    3. Scareware

    4. Worms

  4. Which is used to intercept user information?

    1. Adware

    2. Scareware

    3. Spyware

    4. Viruses

  5. _______ is known to disable protective mechanisms on a system such as antiviruses, antispyware, and firewalls, and to report on a user's activities.

    1. Adware

    2. Scareware

    3. Spyware

    4. A virus

  6. Which of the following is a characteristic of adware?

    1. Gathering information

    2. Displaying popups

    3. Intimidating users

    4. Replicating

  7. Prevention of viruses and malware includes _______.

    1. Popup blockers

    2. Antivirus

    3. Buffer overflows

    4. All of the above

  8. _______ is a powerful preventative measure to stopping viruses.

  9. Which of the following can limit the impact of worms?

    1. Antiviruses, firewalls, patches

    2. Anti-spyware, firewalls, patches

    3. Anti-wormware, firewalls, patches

    4. Anti-malware

  10. _______ attach(es) to files.

    1. Viruses

    2. Worms

    3. Adware

    4. Spyware

  11. Multipartite viruses come in encrypted form.

    1. True

    2. False

  12. _______ record(s) a user's typing.

    1. Spyware

    2. Viruses

    3. Adware

    4. Malware

  13. _______ are configured to go off at a certain date, time, or when a specific event occurs.

  14. Scareware is harmless.

    1. True

    2. False
