This is part two of the series on computer security. You can find part one on hacking here.
Previously in this blog, we discussed hacking, including who hackers are and what goals they pursue. The one aspect of hacking we didn’t cover was the tools at their disposal, specifically malware. So today, I’d like to expand a bit on the types of software you can get hacked with. Welcome to today’s article, titled “What is Malware?” and possibly subtitled “Not everything is a virus”.
A Simple Definition
Let’s start with the basics:
Malware is malicious software.
Easy, right? Basically, it’s any software that was written specifically to cause problems and hurt people. This can range from turning your computer into a brick, to accessing your online bank accounts and draining all your funds, to enlisting your electric toothbrush in an attack to take down the entire internet.
Malware is one of the primary tools used by hackers. While it’s not strictly necessary (with some hackers simply exploiting flaws in otherwise functioning software already on your computer), malware is a tool to make a hacker’s job much easier, like a set of lock-picks would be for a thief.
Where to Get Malware (Hypothetically)
Obviously it’s not something I recommend you pursue. But the point of this article series is to keep people informed and teach them how to be safe online, so you may as well know: most malware is for sale on the internet. Most hackers don’t write their own malware. It’s a specialty field. And as cybersecurity evolves, so does malware. These days, the vast majority of hackers don’t have the skill-set to build their own malware any more than most drivers have the skill-set to build their own cars.
Obviously you can’t just log in to your favorite video game distributor and buy some malware. For that, you need to go somewhere special.
The Dark Web
Remember our article about the internet? Well there’s a part of the internet that you can’t access using your Chrome or Safari web browser.
See, the way most browsers work is by keeping track of websites they’ve found or been told about. For instance, when I created this blog, I had to go to Google and Microsoft and tell them my URL, so they would start tracking it, so that they in turn could list it, so that people could find it. This process is called indexing. Like in a library where librarians maintain indexes of all the books they have, web browsers maintain indexes of all the websites they know about. The ones they don’t know about are referred to as the Darknet.
Note that not everything on the darknet is bad. Some websites are just outdated, forgotten by everyone. Some websites are only for a specific group of people, so they don’t need to be shared with the general public via web browser. Some website creators don’t want to be tracked by the big bad internet companies who want to use your data to sell you stuff, and keep their pages unindexed on purpose for privacy reasons. Some sites are used by whistleblowers to communicate anonymously with the authorities. This sector of the internet is referred to as the Deep Web. Not necessarily bad, just unknown.
But some sites are definitely malicious. These sites are referred to as the Darkweb. It’s like the World Wide Web, but for bad stuff. These are the sites where you can buy drugs, child pornography, stolen credit card numbers, and yes, malware.
Types of Malware
Malware comes in many different forms. This form depends on the goal the malware is created to achieve, the type of target it’s meant to attack, and the way in which it infiltrates the victim’s machine. Different types of malware can even be combined to achieve multiple goals at once.
Viruses
Probably the most famous type of malware in pop culture is the computer virus. Every sitcom has that one episode where a character downloads something naughty from the internet, and oh no! They installed a virus, which proceeds to wreak havoc on their computer.
And this isn’t entirely wrong. The hallmark of a computer virus is that it needs to be manually installed by the user.
But just because it’s on your machine doesn’t mean anything bad is going to happen. See, viruses have one other defining feature: they need a host program to run. A host program is a specific computer program that you may already have on your computer, like an email program or a file viewer. Without the host program, the virus can’t activate. Only when you launch this host program do you trigger the virus inside it, and that’s when the damage happens.
The easiest way to prevent getting a computer virus is, quite simply, to use an antivirus program. Of course you shouldn’t download anything from untrusted sources, but if you have to, the antivirus will scan the thing and check if it contains any known virus code. This is also why it’s important to keep your antivirus updated. New computer viruses are discovered all the time, and an outdated antivirus might not recognize newer generations of viruses.
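To make the "known virus code" idea concrete, here is an added toy example (not code from the original post) of signature scanning: an antivirus keeps a database of byte patterns seen in known malware and searches each file for them. The signature names, patterns and sample "attachments" are all constructed for illustration; the point is that a database that has not been updated simply does not contain the pattern for a newer variant, so it reports nothing.

```python
# Added example: toy signature scanner. Signatures and sample files are
# constructed markers, not real malware patterns.

# An older signature database only knows the first-generation marker.
SIGNATURES_OLD = {
    "Demo.Macro.Gen1": b"DEMO_MARKER_GEN1",
}
# The updated database additionally knows the reworked second-generation marker.
SIGNATURES_NEW = {
    **SIGNATURES_OLD,
    "Demo.Macro.Gen2": b"DEMO_MARKER_GEN2",
}

def scan_file(data: bytes, signatures: dict) -> list:
    """Return the names of every signature whose byte pattern occurs in `data`."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)

# Constructed sample attachments: a clean document and two macro variants.
CLEAN_DOC = b"Dear patient, please fill in the attached form and send it back."
GEN1_DOC = b"Document header ... DEMO_MARKER_GEN1 ... document footer"
GEN2_DOC = b"Document header ... DEMO_MARKER_GEN2 ... document footer"

def compare_databases() -> dict:
    """Scan each sample with both databases to show what the outdated one misses."""
    samples = {"clean": CLEAN_DOC, "gen1": GEN1_DOC, "gen2": GEN2_DOC}
    return {
        name: {
            "old": scan_file(data, SIGNATURES_OLD),
            "new": scan_file(data, SIGNATURES_NEW),
        }
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, result in compare_databases().items():
        print(f"{name}: outdated AV -> {result['old'] or 'nothing'}, "
              f"updated AV -> {result['new'] or 'nothing'}")
```

Real products also use file hashes, heuristics and behaviour monitoring, but the update problem is the same: a scanner can only flag what its database describes.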
IRL: Melissa
If you’re curious about what a real-world computer virus looks like, look no further than Melissa. The 1999 Melissa computer virus was designed to use the Microsoft Word and Microsoft Outlook programs as hosts. This choice of host programs was no accident, as they were, and still are, very common programs to find on a computer, making them ideal targets. Victims received an email with a Microsoft Word document attached to it. When they opened the file using one of the host programs, the virus would not just install itself on their computer, but also access their email address book and mail itself to other people.
The funny thing about Melissa is that by malware standards, it was fairly harmless. All it did was send a bunch of spam emails. That is, it was harmless until it started overloading the email servers.
Melissa ultimately spread to an estimated 1 million email accounts, disrupted 250 organizations, including the US Marine Corps, and caused about 80 million dollars in damage, all in less than a week.
The creator of Melissa was sentenced to 20 months in prison and fined 5000 dollars.
Worms
Now software security has gotten better since then, and nowadays, downloading naughty pictures off the internet probably won’t infect your computer with a virus that will knock out everyone’s email. But it could very easily give you a computer worm.
“Worm” is not as ominous as “Virus”, so Hollywood and the media still prefer to call everything a virus, but in fact most “viruses” you hear about are actually worms. And they are far worse than viruses.
See, the major limitation of computer viruses is that they require a specific host program (and usually a specific version of that program) in order to activate and start doing damage. As long as you didn’t run Word or Outlook, there wasn’t a whole lot Melissa could do apart from sit in your downloads. Worms have no such limitations. Click on that link, download that picture, open that attachment? That’s all it takes.
IRL: ILOVEYOU
The ILOVEYOU worm is a good example of this. Launched in 2000, a mere year after Melissa, ILOVEYOU consisted of an email, with the title “I love you” (an early example of social engineering) and a text attachment. When curious people clicked on the text attachment, the worm would immediately activate. First, it would download a secret malware program, called a Trojan (discussed below), and hide it on the computer so it could spy on the user’s passwords and send them back to the hacker. Then it would delete or corrupt a random set of files on the computer. Finally, just like Melissa, it would access the email server and mail itself to everyone in the contacts list, allowing the worm to spread.
Within 10 days, ILOVEYOU had infected an estimated 10% of all computers on the internet. It caused an estimated tens of billions of dollars in damages. It pushed the Pentagon, the CIA, the British parliament and many major companies to shut down their email servers completely to avoid infection. It was the first world-wide computer pandemic.
To add insult to injury, ILOVEYOU was created by a student in the Philippines, which had no laws against hacking until this incident. They created a law in response, but couldn’t charge the hacker with anything after the fact.
Trojan Horses
In the legendary Trojan War thousands of years ago, the Greek army snuck into the fortified city of Troy by building a wooden horse as a gift and hiding soldiers inside it. When the Trojans brought the horse inside the city, the soldiers were able to climb out and, you know. Destroy everything.
A Trojan horse, also known more simply as a Trojan, works in a similar way. It’s essentially an evil computer program in disguise.
Some examples of disguises for Trojans include routine forms to fill out (“Hey, I’m your doctor, please fill out this pdf for me and send it back”) and fake ads (“Click on me. Click on me! Click on meeee!”). As discussed in the previous article on hacking, Trojans make strong use of social engineering to trick people into downloading them and bringing the wooden horse into the city, so to speak. Or, as in the case of ILOVEYOU, they can even be downloaded by other malware.
Note the big difference between Trojans and viruses: viruses run inside other, existing programs. Trojans are the program. They bring their own host as a disguise.
The other difference between Trojans and viruses, or worms for that matter, is that Trojans generally don’t try to spread to other computers. Sure, they’ll lock down your files and hold them for ransom, or install secret programs to spy on you when you’re doing your online banking, but at least they won’t ruin your social life.
IRL: Tiny Banker
One famous example of a Trojan is the 2015 Tiny Banker Trojan, which would infect web browsers and watch for any users accessing a banking website. Then it would steal their username and password and send them back to the hacker. Malware like this is why your bank doesn’t want you using strange computers to do your online banking.
Rootkits
At this point, things are going to get a bit technical (sorry). A rootkit is a type of malware usually bundled with other malware, and specifically designed to escalate the privileges of the programs it accompanies.
What does that mean? Imagine the main malware as the mob boss who wants to force his way into a secure building. The rootkit is the bodyguard walking in front of him shooting and punching everyone who tries to stop him.
Just like the building, your computer has security, and sectors only specific programs are allowed to access. Rootkits are designed to sneak past security and break into those sectors.
On their own, rootkits don’t do much harm, but imagine pairing one with a Trojan, or a virus. They can be considered malware amplifiers, vastly increasing the amount of damage any other type of malware can inflict.
IRL: The Sony Rootkit
Weirdly enough, one of the most famous rootkits of all wasn’t even deployed by hackers. In 2005, music company Sony secretly installed rootkits on their CDs. The intended goal of the rootkits was to install themselves on any computer the CD was played on, and get the power to prevent the CD from being copied. What the rootkits ended up doing instead was ripping giant holes in the security of the computers they were run on. Lawsuits ensued.
Keyloggers
Keyloggers are perhaps one of the simplest and most common forms of spyware.
Spyware is malware whose goal is specifically to spy on what is happening on the computer, rather than destroy stuff on it. And keyloggers do exactly that. They sit between your keyboard and your computer and watch every letter and number you type. This way, they can collect things like your passwords, your credit card numbers, your diary, pretty much any and all sensitive information you might type into your device.
While not particularly exciting, keyloggers feel important to mention as a reminder that just because everything seems fine, that doesn’t mean your computer is safe. A lot of malware is discreet and runs in the background, so you’ll never know it was there, and hackers can continue to spy on you and steal from you. So run those updates, and do those antivirus security scans!
Bots
In defense of bots: by themselves, they are not malware.
A bot is a very simple computer program designed to do a basic, repetitive task so that a human doesn’t have to. Many day-to-day cleaning and monitoring tasks are performed by perfectly legitimate bots. For example, web browsers use bots called web crawlers to find and index new websites. And customer service chatbots are popular for helping people find answers to simple questions.
However, bots can be turned to the dark side. Typically, if you’re seeing a pop-up ad on your computer even though you’re not on the internet, that might be an adware bot, a type of malware designed to annoy people with extra advertising.
Bots become especially problematic in large numbers. If you’re a hacker, and you manage to use a worm to infect a couple million computers, you now have the possibility of putting a bot on each infected machine, and creating your own computer zombie army, known as a botnet. And botnets are a big problem.
IRL: Mirai
One of the largest botnets of all time was the Mirai botnet, discovered in 2016, when it broke part of the internet. Not in the figurative sense of some celebrity “breaking” the internet with a photo, or an announcement. Literally broke it. On October 21, 2016, hundreds of thousands of bots started a coordinated attack against the servers of the Dyn company, which provides internet to the east coast of the USA. The bots didn’t do anything particularly complicated. They just connected to the servers over and over again, monopolizing their resources and clogging their access points. It was the computer equivalent of being surrounded by a mob of people repeatedly shouting questions at you. Eventually the Dyn servers just curled up on the ground with their hands over their ears and shut down, taking hundreds of internet services with them.
The Internet of Things
One interesting thing about the Mirai botnet is the machines it controls (yes, Mirai is still out there). What the creators of Mirai realized is that while most computers have at least some level of malware protection, the same cannot be said for devices like security cameras, smart thermostats, and digital cameras. These devices, simple electronics with an internet connection, are referred to as the Internet of Things. And while they are not powerful enough to execute complicated attacks, they are capable of simple ones. Like running a bot to contact an internet server over and over and over again.
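Seen from the server’s side, the Mirai attack described above is just one source after another connecting far more often than a real visitor ever would. The following is an added example (not code from the original post, and not Mirai’s own code) of the simplest defender-side check for that pattern: count connections per source in a sliding time window and flag anything over a threshold, plus the same check on the total rate, which is what actually shows a distributed flood. The log lines, IP addresses, window and threshold are all constructed for illustration.

```python
# Added example: spotting "connect over and over again" in a connection log.
# Constructed log format: "<seconds since start> <client ip> CONNECT".
from collections import defaultdict, deque

SAMPLE_LOG = """\
0 203.0.113.5 CONNECT
0 203.0.113.5 CONNECT
1 198.51.100.7 CONNECT
1 203.0.113.5 CONNECT
1 203.0.113.5 CONNECT
2 203.0.113.5 CONNECT
2 192.0.2.44 CONNECT
2 203.0.113.5 CONNECT
9 198.51.100.7 CONNECT
15 192.0.2.44 CONNECT
"""

def parse_log(text: str):
    """Yield (timestamp, ip) for each CONNECT line; other events are ignored."""
    for line in text.splitlines():
        ts, ip, event = line.split()
        if event == "CONNECT":
            yield int(ts), ip

def flooding_sources(text: str, window: int = 5, threshold: int = 4) -> dict:
    """Return {ip: peak count} for sources making more than `threshold`
    connections within any `window` seconds (one sliding window per source)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside its window
    peaks = {}
    for ts, ip in parse_log(text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def overall_peak(text: str, window: int = 5) -> int:
    """Peak number of connections from all sources combined in any `window`
    seconds; a botnet of many quiet sources shows up here, not per source."""
    q, peak = deque(), 0
    for ts, _ in parse_log(text):
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        peak = max(peak, len(q))
    return peak

if __name__ == "__main__":
    print(flooding_sources(SAMPLE_LOG), overall_peak(SAMPLE_LOG))
```

With hundreds of thousands of sources each sending only a trickle, the per-source check alone stays quiet, which is exactly why a botnet works; comparing the overall rate against normal traffic levels is the complementary check.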
Hybrid Malware
As you may have noticed, not all of these types of malware can work on their own, nor do they try to. Most hacks involve a combination of several types of malware, each bringing something different to the table. These malware teams are known as hybrid or combo malware. For instance, you might use a worm or a virus to get into someone’s computer, and then that advance piece of malware can download a Trojan containing a rootkit, which will clear the way to install a keylogger and some bot functionality. Malware is mix-and-match, which is one of the things that makes it so difficult to recognize, neutralize and ultimately get rid of.
Signs of Infection
Now you may be wondering, after all this: how do I know if my computer has malware? (Or phone, or security camera, or smart refrigerator.) Besides the obvious signs, of course, like all your files disappearing, or your friends getting emails with weird links from you.
So to finish up, here are a few easy ways to recognize a malware infection:
Performance Issues
If you notice your device is running more slowly than usual, if the memory is suddenly smaller, or if the internet is patchy – that could be a sign that some malware is stealing resources from you.
Weird Pop-ups
This is probably the most obvious one: an unwanted program popping up and bothering you could be malware trying to goad you into interacting with it.
The Antivirus Found Something
Seriously. Get an antivirus. One from a reliable company. There’s lots of free ones out there. And then actually use it.