MALWARE - ROOTKITS - TROJANS - WORMS - VIRUS

[AdvancedSetup]

Not meant to be a scientific analysis but rather a more generic view - below are listed some of the basic infection types that the average user may understand better.

MALWARE | ROOTKITS | TROJANS | WORMS | VIRUS

 

 
MALWARE
Malware, short for malicious (or malevolent) software, is software used or created often to gain access to various forms of private information from computer systems. Signs of such an infection can sometimes be seen as unexpected browser behavior, popups, fake alerts, and similar undesirable operations. The infection can be coded as scripts, executable, code exploits, and other software. Much of the current code seen is more sophisticated than what has previously been around which some believe points to a more organized and well trained cadre of programmer(s) creating multiple various malware threats now days.

Malware includes computer viruses, ransomware, worms, Trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs and other malicious programs; the majority of active malware threats are usually rootkits, worms or Trojans rather than actual viruses.

Destructive malware can utilize popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections.
Malware will also seek to exploit existing vulnerabilities on systems making their entry quiet and easy.
 
ROOTKITS

• There are at least five types of rootkits and even Hybrid combinations among them.
• User mode: User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes
• Kernel mode: Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself.
• Bootkits : A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems. More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.
• Hypervisor level: Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system.
• Hardware/Firmware: A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a network card, hard drive, or the system BIOS

The following are all capable of infecting an x64 Windows computer

Cidox / Mayachok.2
Necurs
MaxSS TDL4+
PlusDriver
TDL4

 
TROJANS
A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to perform a desirable function but instead facilitates unauthorized access to the users computer system. Trojans do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal information, or harm their host computer systems.

Trojans may use drive-by downloads or install via online games or internet-driven applications such as many that even include the word FREE as part of the product name in order to reach a targeted computer.

One of the major purposes is to allow open remote control connections to computers so that they can be used as part of a botnet or similar underground activity that cannot easily be traced back to them.
 
WORMS
A worm is a computer program that has the ability to copy itself from machine to machine or share to share. Typically reaching out to other systems on a network it can also make copies of itself on a local computer as well and in some cases filling the hard drive with copies of itself.
Worms use up computer processing time and network bandwidth when they replicate, and often carry payloads that do considerable damage.

The main difference between viruses and worms is the method in which they reproduce and spread.

A Worm does not attach itself to another program like a normal virus does but it can replicate so quickly that it can cause a network to come to a halt by consuming all resources in it's replication process thus also making it difficult to track down the sources and cut them off.

One example worm that hit millions of computers back in 2000 was the ILOVEYOU computer worm.
The worm Nimda was actually more effective because it used multiple methods of propagation.

In order to combat a computer worm you can use a dedicated tool for specific worms but in many cases the computer that has become infected by another remote system is due to having either no antivirus or old and outdated antivirus. First make sure you install and update an antivirus program and then scan the system to remove the worm. By having an up to date antivirus in most cases will prevent further reinfection from a remote computer but depending on what's happening the user may need to disconnect from the network until the system has been scanned, cleaned, and updated with protection software and if the worm is due to a known exploit having that exploit vector corrected typically by a patch.

For worms that are spreading across sub-nets one can use a Firewall to block further spread to other shares but on a flat network the worm does not need to cross any firewall or other routing points so it can reach all the other computers on it's own sub-net in which case the only prevention is the ability of the remote computer to fend for itself either by disabling the share its coming across or using it's own local firewall to block access.

Depending on the size and growth rate of the worm on the network total system isolation may be required in order to regain control. Once the system is fully cleaned and capable of preventing further infection it can then be brought back onto the network. If Servers are hit those should be cleaned first as they are typically sharing more resources openly to all computers which can help keep the worm spreading to other new systems that are brought online while it's infected.
 
 
VIRUSES
A computer virus is a program that can replicate itself and often has a destructive payload. In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs in order to spread. There are also some viruses that infect the boot sector, partition sector, or documents that supports macros such as Word and Excel, by inserting itself or attaching itself to the document.

File infector viruses are so damaging they often will infect all executable files on the system as well as targeting other certain file types which can include user created material. Unless there is a tool to undo the damage or the user has good backups of their data, then the user could potentially lose much if not all of their data.

Often a malicious infection can be introduced onto the system due to various vulnerabilities which are flaws in computer software that can allow an exploit on the system resulting in anything from a minor to severe threat to the system. A virus can potentially damage the system software by corrupting or erasing data. Though many tools often claim they're able to clean up a virus they are often not fully capable and it only takes one missed file for the virus to take off and wreak havoc again.

Users should be aware that 100% successful mitigation of a file infector virus is typically not very realistic. Though the computer may appear to be clean there will often be residual damage found going forward. If possible a complete fdisk, format and reinstall of Windows and restoring data from a good clean backup would be the best approach to a full recovery from such an infection.
 
 
Browser hijacking
Browser hijacking and add-ons often are not considered malware or a virus by definition but is often done by malware. These are typically referred to as PUP (Possibly Unwanted Programs)

Examples of some of the more common ones are:

• Ask Toolbar | IAC / Ask.com toolbars
• Babylon | Babylon toolbar
• Browser Manager
• Claro / iSearch
• Conduit
• Coupon Printer for Windows
• Crossrider
• Facemoods / Funmoods
• iLivid
• IncrediBar
• MyWebSearch
• Searchqu
• Web Assistant

While these technically aren't malware, many people complain about them because they were stealth installed without their knowledge and they often do not have an uninstaller listed for them and require manual removal. The rate with which these PUP add-ons are created daily makes it nearly impossible for any security vendor to find and remove all of them at any given point in time.
 
 
Additional reading and help if needed

Available Assistance for Possibly Infected Computers
 
I'm infected - What do I do now?
 
The complexity of finding, preventing, and cleanup from malware

Do I need a Windows Registry Cleaner?
 
Backup Software

List of well known antivirus products

 

Edited February 11, 2021 by AdvancedSetup
corrected font issue