
Malware


Malware is a contraction of "malicious" and "software" and refers to the malicious computer code and small programs we may encounter. Examples include:

Common types:
  • Viruses. Unwanted small programs that can reach your PC via various media (websites, downloads, mail, CD, USB stick), infect your computer and can replicate themselves. They can take over control of the machine, perform unwanted actions, delete files and so on.
  • Trojan horses (trojans). Unwanted small programs that can reach your PC via various media (websites, downloads, mail, CD, USB stick) and infect your computer, but cannot replicate themselves. They can perform destructive actions.
  • Rootkits. A rootkit is a malicious program used to break into your system and make contact with the attacker. It hides 'underneath Windows' and often cannot be detected by common virus scanners.
  • Worms spread themselves via networks, MSN etc. and contain 'backdoors' and channels for communicating with the attacker outside.
Computer viruses have been making history since the 1980s.

In the beginning, simple viruses consisted of programs that were still fairly easy to read and understand. Around 2000 I once studied a virus that was simple for its time. It consisted of a great many pages of code and I quickly lost the thread.... As of 2012 there is malware (such as Stuxnet) that is so complex that only a few people can analyse these viruses properly and completely!


 

Malware Types. A T after the name = examples on the ThreatExpert site, where hundreds of samples can be seen.

The type part of the full malware name in the CARO Malware Naming Scheme indicates, unsurprisingly, the type of the malware, e.g., virus, Trojan, etc. Currently, the Naming Scheme permits the following different types:

  1. virus. Basically, a virus is a program (or a set of programs) that can replicate itself recursively (i.e., the replicant is also a virus). For a formal definition see, for instance, [Bontchev98]. Note that whether the malware performs some other (e.g., destructive) action besides self-replication is considered irrelevant for the purposes of determining its type. In some cases, the recursive replication cannot continue ad infinitum but stops after a certain number of generations. Such malware is also classified as a "virus" if the number of generations is larger than one; otherwise it is classified as an "intended" (see below). For macro viruses for platforms that use the concept of a "global template" (e.g., Microsoft Word), a single "generation" is defined as infecting the global template from an infected document and then infecting a document from an infected global template, or, if the virus does not infect the global template, infecting a clean document from an infected one.
  2. dropper. This is malware that does not replicate itself but which releases other malware (e.g., mainly viruses, but some droppers release Trojan horses, etc.). It does not matter whether the virus is released on disk or only in memory, although in the latter case some anti-virus researchers prefer to use the term "injector". Normally, the family name (see section 2.4) of a dropper must be the same as the family name of the malware it releases. If, however, it can release more than one malware program (the so called "multi-droppers"), it is acceptable to use a different family name or even to classify the malware differently (e.g., as a "tool" or as a "trojan"; see below).
  3. intended. An "intended" is malware written with the obvious intent to write a virus but which fails to replicate, usually due to some bug. Unfortunately, the definition of "intent" is highly subjective, so it is not possible to give a formal definition for this malware type.
  4. trojan T. A "trojan" is malware that does not even try to replicate itself but which performs some intentionally destructive action, without correctly warning the user. Again, "intentionally", "destructive", "correctly" and "warns" are highly subjective terms. Consider, for instance, a disk formatting program that warns the user in Swahili that it is going to destroy the contents of the hard disk and which assumes that the default answer is "yes". Is such a program a Trojan or not? So, no formal definition of this malware type is possible. Example (T): a keylogger that tracks various user activities and periodically sends its tracking logs to a remote attacker using email or FTP.
  5. pws. A "password stealer" is a program, the main purpose of which is to steal passwords. Often (but not always) this is achieved via some kind of keyboard logging. Some anti-virus researchers prefer to classify such programs as "trojans", but CARO has decided that a special malware type for them is needed in the Naming Scheme.
  6. dialer T. This is a program that installs itself in the chain of programs invoked when the computer is establishing a dial-up connection. The purpose of such a program is to force the connection to the Internet to go through a particular premium phone number. Not all programs of this type are malicious; some are used quite legitimately for micro-payments. The vast majority of them are malicious, though; their only purpose is to steal money from the victim by forcing them to dial a particular premium phone number. Whether a dialer is non-malicious is determined by whether it properly informs the user of its actions and whether it is easily uninstalled. Again, some anti-virus researchers prefer to classify the malicious "dialers" as "trojans", but CARO has decided that a special malware type for them is needed in the Naming Scheme. Example (T): a program used to dial a high-cost international phone number using a modem without the user's permission or knowledge.
  7. backdoor T. This is a program that allows access to the machine on which it has been installed, access that circumvents the legitimate login authentication procedures for that machine. Note that it is perfectly possible for a "backdoor" to use a login authentication procedure of its own so that only a particular attacker is granted access to the compromised machine, not just anyone. Not all backdoors are installed by external attackers; sometimes a system program shipped with the machine can be a backdoor, e.g., because the vendor has forgotten to disable some undocumented way of accessing the machine, one that had been put there originally for debugging purposes. Again, some anti-virus researchers prefer to classify such programs as "trojans", but CARO has decided that a special malware type for them is needed in the Naming Scheme. Example (T): a malicious application that runs in the background and allows remote access to your system, giving the attacker full control of it.
  8. exploit. An "exploit" is a way of bypassing the security of a program or an operating system, usually because of some kind of bug. Programs that demonstrate such security flaws are also called "exploits". It is highly recommended that Mitre's CVE/CAN vulnerability names ([Mitre]) are used as "family names" (see section 2.4) when reporting exploits.
  9. tool. A "tool" is a program that is not dangerous to the user who runs it, but that can be used to produce malicious programs or to perform malicious actions. A typical example is a virus construction kit, a program for automated construction of new computer viruses. (It does not matter whether they are constructed in ready-to-execute form or only in source.) In the past, the Naming Scheme used to have the malware type "kit" which meant exactly that. However, it was decided to rename this malware type and to extend its meaning to cover construction kits for other kinds of malware, password cracking tools, and all other kinds of tools used by the attackers.
  10. garbage. The type "garbage" is reserved for the various programs that do not perform any meaningful action (usually due to bugs) and do not even try to be viruses (or they would be classified as "intended") but which tend to float around in the various low-quality virus exchange collections and which are often included in the test sets used by incompetent testers to test virus scanners. As a result, many vendors have given up and decided that it is more cost-effective to implement detection of them instead of educating the testers. In some special cases buggy viruses can produce non-replicable replicants; these should also be classified as "garbage".
  11. adware T. A potentially unwanted program that could be used to display various pop-up advertisements.
  12. BHO T. A Browser Helper Object that behaves as a toolbar, updates itself silently without the user's knowledge and installs other malware on the user's machine.
  13. Downloader T. Attempts to download malicious files to the local computer and execute them.
  14. Exploit T. A detection of code that takes advantage of an existing software vulnerability.
  15. Hacktool T. A virus or trojan creation toolkit, or monitoring, sniffing or password-cracking tools.
  16. Hijacker T. A hijacker is a BHO that hijacks and redirects your browser.
  17. Keylogger T. "Invisible Keylogger: Spy Software Secretly Records Email, Keystrokes, Chats + More" (from their Spysoftware.com home page). 007 Spy Software allows you to secretly monitor and record a user's activities on the computer, such as websites visited, all windows opened, applications executed, Internet chats and every keystroke, including username and password, and even take snapshots of the entire Windows desktop at set intervals, just like a surveillance camera pointed directly at your computer monitor. If you bought this product, add it to the Ignore List.
  18. Monitoring software T. Advanced Email Monitoring is email monitoring spy software from Softbe Inc. It copies all emails sent through email clients (such as Microsoft Outlook Express, Eudora, Pegasus etc.) on the monitored computer (i.e. the computer it is installed on) and sends a copy to a secret email address specified by the person who installed it. It even has the ability to stop the email from reaching the original recipient. It can also be installed in stealth mode. It is better to remove this software if it was not installed for a purpose.
  19. RAS T. A registry cleaner which, when it is not installed, continually asks the user to download the vendor's software on every reboot even if the user says no. It is also installed along with various malware without the user's permission.
  20. Rootkit T. A malicious application that could be used by attackers to break into a system. It allows attackers to hide processes, services, files, registry entries and network connections, hides its own presence on the infected machine, and contacts the attacker once it is successfully installed.
  21. Spyware T. Example from the Kephyr Bazooka Spyware Encyclopedia: the program claims to be a spyware remover. However, it sets itself to run when you start the computer and it remains memory-resident. When it runs, the software will periodically attempt to contact a server to download updates and instructions. Some versions may annoy you with pop-up advertisements in Internet Explorer. They claim that your system is at risk and that you should purchase an upgrade to AdDestroyer.
  22. Worm T. A backdoor that also has worm functionality. It spreads by sending itself via MSN, and also has HTTP and backdoor capabilities.
  23. Parasites (link). Call it what you may, depending on small differences in the function of the malicious code (adware, spyware, hijackers, automatic diallers), some of it intentionally if misguidedly installed, some of it foisted on you without your awareness: these invaders don't qualify as viruses but, at least in a few cases, they are more destructive and compromising of your privacy and your computer security than actual viruses. The formal name for these invaders is unsolicited commercial software, the spam of downloads! The most useful one-word label to distinguish them from viruses is parasites. Most of the time, I prefer to call them scumware.
  24. Cookies. A cookie, or its effect, can in some cases be treated as equivalent to spyware or malware.
  25. Others T.
    • Network Password Recovery is an application by Nirsoft to recover network passwords stored on Windows XP. It has been used by attackers with malicious intent. We recommend that Network Password Recovery be removed unless installed for a purpose.
    • Scareware
      • What to do about scareware

        In this tutorial we show what happens when you click on a pop-up and what you should do when you get a pop-up while browsing the internet. Many fake virus scanners are spread this way.

    • Adware
    • etc.
In some cases, a malware program matches the definitions of several of the permitted types described above, e.g., it can be both a "virus" (in the sense that it replicates itself) and a "dropper" (in the sense that it drops another virus or a Trojan horse). In such cases it should be classified as the worst type, the definition of which it matches. The permitted malware types are listed above in such an order, with "virus" being the worst. Therefore, in our particular example, the "virus and dropper" malware should be classified simply as "virus".
 
Currently, the above malware types are the only malware types permitted by the CARO Malware Naming Scheme. Notably, there is no special malware type for "worm"; these should be classified as "viruses". The reason for this is that it seems impossible to reach an agreement among anti-virus researchers on what, exactly, a worm is. There are at least three fundamentally different definitions of this term and different anti-virus researchers prefer different definitions. In order to avoid confusion, the Naming Scheme does not use such a malware type at all. If an anti-virus producer feels that they absolutely must report that something is a worm (according to their pet definition of this term), they should put this information in the comment field (see section 2.9).

In addition, there are no malware types for "spam", "adware", "spyware", "phishing scam", "non-malicious application" or "unwanted application", despite the fact that some anti-virus vendors have chosen to report such things with their products. Although CARO has considered proposals for adding special malware types for these to the Naming Scheme, it was decided that either the definitions of these terms were too imprecise or there was insufficient need for them (e.g., because it is not really the job of an anti-virus program to report such things). However, malware types might be introduced for them in the future (and/or for other things as well). When/if this happens, it will be reflected in the on-line version of this document.
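As an added example (not code from CARO, ThreatExpert or this page's author) of the rules in the three paragraphs above: the worst-type precedence over the permitted list, the folding of "worm" into "virus" with the word kept only in the comment field, and the labels that have no permitted type at all. The Observed record and its flags are assumed analyst findings, not any real report format.

```python
from dataclasses import dataclass
# Permitted types in the scheme's own order; an earlier entry is the "worse" type.
CARO_TYPES = ["virus", "dropper", "intended", "trojan", "pws", "dialer",
              "backdoor", "exploit", "tool", "garbage"]
RANK = {t: i for i, t in enumerate(CARO_TYPES)}
# Labels the scheme refuses as types: "worm" is reported as "virus" (the word
# survives only in the comment field); the others get no type at all.
FOLDED = {"worm": "virus"}
COMMENT_ONLY = {"spam", "adware", "spyware", "phishing scam",
                "non-malicious application", "unwanted application"}

@dataclass
class Observed:
    """Assumed analyst findings for one sample (a constructed record format)."""
    generations: int = -1         # -1: no replication attempt; N: replicates N times
    drops_malware: bool = False   # releases other malware, on disk or in memory
    destructive: bool = False     # intentionally destructive without proper warning
    steals_passwords: bool = False
    premium_dialer: bool = False
    remote_access: bool = False   # access that bypasses login authentication
    does_anything: bool = True    # False: buggy code with no meaningful action
    vendor_labels: tuple = ()     # what another product reported, e.g. ("worm",)

# One-flag-to-one-type matches; replication and garbage need extra logic below.
FLAG_TYPES = [("drops_malware", "dropper"), ("destructive", "trojan"),
              ("steals_passwords", "pws"), ("premium_dialer", "dialer"),
              ("remote_access", "backdoor")]

def candidate_types(o: Observed) -> set:
    """Every permitted type whose definition the sample matches."""
    c = {t for attr, t in FLAG_TYPES if getattr(o, attr)}
    if o.generations >= 0:  # past one generation: virus; otherwise only "intended"
        c.add("virus" if o.generations > 1 else "intended")
    if not c and not o.does_anything:
        c.add("garbage")
    return c

def classify(o: Observed):
    """Worst-type rule: the earliest matching type in CARO_TYPES wins."""
    types, comments = candidate_types(o), []
    for label in o.vendor_labels:
        if label in COMMENT_ONLY or label in FOLDED:
            comments.append(label)         # the word survives only as a comment
        elif label not in RANK:
            raise ValueError(f"unknown label: {label}")
        if label not in COMMENT_ONLY:
            types.add(FOLDED.get(label, label))   # "worm" folds into "virus"
    if not types:
        raise ValueError("no permitted CARO type matches this sample")
    return min(types, key=RANK.__getitem__), comments
```

A sample that both replicates and drops another program therefore comes out as "virus", and the "backdoor with worm functionality" from the ThreatExpert list above also ends up as "virus" with "worm" in the comments.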
