Viruses, Worms, Trojans
What's it all about?

If you think about malware, you probably think of a big family of computer programs created to perform unwanted or dangerous operations on a user's PC. The term "virus" established itself because, historically, the first malicious programs that appeared in the wild were called "viruses". By the time other sorts of malware entered the stage, the terms "virus" and "antivirus" were already established in public, and the makers of anti-virus software kept the name.

Let's try to get an overview of the terminology around malware:

    • A Virus is a program that is able to replicate itself in order to spread from computer to computer and to steal or erase data on the affected systems.

      Image: common virus – 40x magnification

      Almost all viruses hide themselves in an executable program, which means that the virus stays inactive as long as that program is not executed. If you run the infected program, you also run the virus code. Normally a virus just attaches itself to the host program so that the host's function remains intact. Some variants, however, simply overwrite the host program with a copy of the malicious code, destroying the host's functionality. To infect other computers, viruses rely on the file or program to which the virus has attached itself being transferred to another computer, for example by disk, by e-mail attachment, over a network or by file-sharing.

    • A Worm works similarly to a virus, but does not need a host file to stay executable or intact after infecting a computer.

      Image: Worm – (c) team 17

      Worms spread easily, and their aggressive behavior poses a serious threat not only to a single PC but to a whole network. One of the most destructive worms we have ever seen on the internet was called "Slammer", and it recently celebrated its 10th birthday. Slammer had the tiny size of 376 bytes and fitted into one single UDP packet. It had no other functionality than to spread further, but its spreading process was so aggressive that the worm generated extreme loads. Slammer exploited a vulnerability in Microsoft SQL Server on UDP port 1434 (see also http://www.f-secure.com/weblog/archives/00002491.html). Although it only attacked Microsoft SQL Servers, the worm affected end-user machines by generating massive amounts of network packets, slowing down all internet functions such as sending e-mail or surfing the net.
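      As an added example (not part of the original article), here is a small Python detector for the spreading pattern described above: it reads constructed flow-log lines and flags any source that sends 376-byte UDP datagrams to port 1434 at several distinct destinations. The log format and the threshold of three distinct targets are assumptions made for this example.

```python
"""Flag hosts whose traffic matches the Slammer spreading pattern described in the text."""
from collections import defaultdict

# Signature taken from the article: one UDP datagram, 376-byte payload, destination port 1434.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

# Constructed sample flow-log lines (not a real capture):
# "src_ip dst_ip proto dst_port payload_bytes"
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 UDP 1434 376
10.0.0.5 198.51.100.8 UDP 1434 376
10.0.0.5 198.51.100.9 UDP 1434 376
10.0.0.5 203.0.113.4 UDP 1434 376
10.0.0.9 10.0.0.20 UDP 1434 12
10.0.0.9 10.0.0.20 TCP 1433 420
10.0.0.5 10.0.0.20 TCP 80 512
"""


def parse_flow(line):
    """Return (src, dst, proto, port, length) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, proto, port, length = parts
    try:
        return src, dst, proto.upper(), int(port), int(length)
    except ValueError:
        return None


def slammer_like_sources(log_text, min_distinct_targets=3):
    """Return {src: number_of_distinct_targets} for every source that sends 376-byte
    UDP/1434 datagrams to at least `min_distinct_targets` different hosts.
    A legitimate SQL Server browser query hits port 1434 too, but with a much smaller
    payload and to a single server, so it is not flagged (threshold is an assumption)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, port, length = flow
        if proto == "UDP" and port == SLAMMER_PORT and length == SLAMMER_PAYLOAD_LEN:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_distinct_targets}


if __name__ == "__main__":
    for src, count in slammer_like_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct UDP/1434 targets with 376-byte payload (Slammer-like)")
```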

    • A Trojan Horse or Trojan cannot spread itself, but disguises itself as a useful program or document that the user runs, which then brings its malicious code into position.

      Image: Horse, origin: Troy

      The user is usually tricked by software that pretends to be a screensaver or some other tool; when the user starts the software, the malicious code is executed and carries out its attacks on the targeted machine, such as installing a backdoor or spyware on the PC. With the help of such a trojan, which installs backdoors on affected systems, attackers can control thousands of PCs at the same time. If such a remote-access trojan comes with its own user interface, things become even more comfortable for an attacker, as it is then even easier to issue commands to the affected computers. Whole networks of infected computers can easily be managed by such trojans and their controllers.

Some attacks combine attributes of viruses, trojans and worms to hide effectively from the eye of anti-virus programs and to complicate countermeasures.

  • As one could suspect from the name, a backdoor is used to establish a secret entrance to a system. Mostly deployed by a trojan or a virus, it grants the attacker access to the computer, bypassing the security features of the operating system. As an example, a backdoor was used to infiltrate the RSA servers in an attack that became public in March 2011. The backdoor was deployed by an e-mail with the subject "2011 Recruitment Plan", which had an Excel file attached containing an embedded Adobe Flash file that installed the backdoor. The moment the receiver opened the attached Excel file, the Flash code was executed by Excel, installing a backdoor on the affected computer. By connecting to the installed backdoor, the attacker had complete remote access to the PC and its network shares and could do everything the user of the affected workstation could do.

    Image: F-Secure: mail with attached file

  • Software that specializes in stealing information from affected computers is called Spyware. This includes so-called keyloggers, which record user input and pass it on to a third party; programs that take screenshots in the background; desktop recorders; and software that steals information out of your computer's memory, so-called memory scrapers.
  • Adware displays advertising, mostly unasked for and unwanted, and thus disrupts the use of the Internet by randomly fading in advertising pages.

    Image: Scareware

  • Scareware is used to confuse the user with reports of alleged system insecurities and risks, and tries to tempt him into purchasing one of the offered products, which allegedly eliminate the problem.
  • Ransomware, by contrast, denies access to the user interface of the system and asks the user to pay a ransom to regain access to his system.

    Image: German GVU trojan

    Often, image and text files are encrypted and thus blocked from the user's access. The best-known representatives of this kind in Germany are the BKA and GVU trojans, which lock the PC and show a picture that mimics the logo of an official authority to trick the victim into paying the fee. Even if the victim pays, the data will usually not be decrypted, leaving the victim alone with the encrypted data.

The signs that a computer is infected with malware are not always as obvious as with ransomware. Malicious programs often work silently in the background, send spam, attack other networks or spy on the unsuspecting user. Malware can infect a PC without the knowledge or active help of the victim. It is enough to view an infected website in your browser that contains malicious Java or Flash code to infect a computer.

Possible signs that your PC is infected with malware:

  • Lots of popup messages, especially for anti-virus or Windows "optimization" software.
  • The home page in your browser has changed or a new toolbar appeared out of the blue.
  • Programs start for no reason and without any interaction from the user.
  • The PC feels slower than usual. Internet connections, no matter to which pages, are much slower than normal.
  • Files and folders disappear.
  • You get a lot of system error messages.
  • The firewall reports unknown programs that want to connect to the Internet.

Protect your PC with an up-to-date anti-virus product. Keep your browser and the software you use up to date.

Image: Microsoft Security report: most common exploits

If you are concerned that your PC has a malware problem, you can use specialized tools like Malwarebytes AntiMalware to check your system, or you can scan your PC using the DE-Cleaner.
If your PC is infected with ransomware such as the BKA trojan, we recommend HitmanPro to unlock your PC. If you need help, you will find it in the botfrei.de forum, where experts will take care of your problem and your questions.