
Malware

Malware (a portmanteau for malicious software)[1] is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.[1][2][3][4][5] Researchers tend to classify malware into one or more sub-types (i.e. computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and keyloggers).[1]

Malware poses serious problems to individuals and businesses on the Internet.[6][7] According to Symantec's 2018 Internet Security Threat Report (ISTR), the number of malware variants rose to 669,947,865 in 2017, twice as many as in 2016.[8] Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy US$6 trillion in 2021, and is increasing at a rate of 15% per year.[9] Since 2021, malware has been designed to target computer systems that run critical infrastructure such as the electricity distribution network.[10]


The defense strategies against malware differ according to the type of malware but most can be thwarted by installing antivirus software, firewalls, applying regular patches, securing networks from intrusion, having regular backups and isolating infected systems. Malware can be designed to evade antivirus software detection algorithms.[8]

Purposes

Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. Since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for illicit purposes.[24] Infected "zombie computers" can be used to send email spam, to host contraband data such as child pornography,[25] or to engage in distributed denial-of-service attacks as a form of extortion.[26] Malware is used broadly against government or corporate websites to gather sensitive information,[27] or to disrupt their operation in general. Further, malware can be used against individuals to gain information such as personal identification numbers or details, bank or credit card numbers, and passwords.[28][29]


In addition to criminal money-making, malware can be used for sabotage, often for political motives. Stuxnet, for example, was designed to disrupt very specific industrial equipment. There have been politically motivated attacks which spread over and shut down large computer networks, including massive deletion of files and corruption of master boot records, described as "computer killing." Such attacks were made on Sony Pictures Entertainment (25 November 2014, using malware known as Shamoon or W32.Disttrack) and Saudi Aramco (August 2012).[30][31]

Detection

Antivirus software typically uses two techniques to detect malware: (i) static analysis and (ii) dynamic/heuristic analysis.[60] Static analysis involves studying the software code of a potentially malicious program and producing a signature of that program. This information is then used to compare scanned files by an antivirus program. Because this approach is not useful for malware that has not yet been studied, antivirus software can use dynamic analysis to monitor how the program runs on a computer and block it if it performs unexpected activity.
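The static, signature-based approach described above can be made concrete with a small scanner. The following is an added example written for this page, not code from the article or from any antivirus product: it parses a hex byte signature in which `??` stands for "any byte" (a format assumed here for illustration), scans a buffer for it, and is run against two constructed samples. The second sample differs from the first in a single fixed byte, which is enough to defeat the signature; that is exactly the limitation the paragraph notes for malware that has not yet been studied or that has been altered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the article): a minimal static signature
 * scanner. Signature format is an assumption for this demo: pairs of
 * hex digits, with "??" meaning "match any byte" at that position. */

#define MAX_SIG 64

typedef struct {
    const char *name;
    unsigned char bytes[MAX_SIG];
    unsigned char mask[MAX_SIG];   /* 1 = byte must match, 0 = wildcard */
    size_t len;
} Signature;

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a hex signature such as "DEAD??BEEF" into bytes plus mask.
 * Returns 0 on success, -1 if the string is empty, odd-length, too long
 * or contains a non-hex character. */
int parse_signature(const char *name, const char *hex, Signature *sig) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > MAX_SIG) return -1;
    sig->name = name;
    sig->len = n / 2;
    for (size_t i = 0; i < sig->len; i++) {
        char a = hex[2 * i], b = hex[2 * i + 1];
        if (a == '?' && b == '?') {          /* wildcard position */
            sig->bytes[i] = 0;
            sig->mask[i] = 0;
            continue;
        }
        int ha = hex_val(a), hb = hex_val(b);
        if (ha < 0 || hb < 0) return -1;
        sig->bytes[i] = (unsigned char)((ha << 4) | hb);
        sig->mask[i] = 1;
    }
    return 0;
}

/* Return the offset of the first match of sig in buf, or -1 if none.
 * Wildcard positions are skipped; every fixed position must match. */
long scan_buffer(const unsigned char *buf, size_t len, const Signature *sig) {
    if (sig->len == 0 || len < sig->len) return -1;
    for (size_t off = 0; off + sig->len <= len; off++) {
        size_t i;
        for (i = 0; i < sig->len; i++) {
            if (sig->mask[i] && buf[off + i] != sig->bytes[i]) break;
        }
        if (i == sig->len) return (long)off;
    }
    return -1;
}

/* Constructed sample data (not real malware): the first buffer carries the
 * signature at offset 2; the second is a "variant" with one fixed byte
 * changed (0xEF -> 0xEE), which the signature no longer matches. */
static const unsigned char SAMPLE_MATCH[]   = { 0x00, 0x11, 0xDE, 0xAD, 0x42, 0xBE, 0xEF, 0x99 };
static const unsigned char SAMPLE_VARIANT[] = { 0x00, 0x11, 0xDE, 0xAD, 0x42, 0xBE, 0xEE, 0x99 };

int main(void) {
    Signature sig;
    if (parse_signature("demo-sig", "DEAD??BEEF", &sig) != 0) return 1;
    printf("known sample : offset %ld\n", scan_buffer(SAMPLE_MATCH, sizeof SAMPLE_MATCH, &sig));
    printf("variant      : offset %ld\n", scan_buffer(SAMPLE_VARIANT, sizeof SAMPLE_VARIANT, &sig));
    return 0;
}
```

The wildcard lets one signature cover a family whose members differ at known positions, but any change at a fixed position yields a miss; this is why signature databases need constant updates and why the dynamic analysis described above is used alongside them.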


The aim of any malware is to conceal itself from detection by users or antivirus software.[1] Detecting potential malware is difficult for two reasons. The first is that it is difficult to determine if software is malicious.[32] The second is that malware uses technical measures to make it more difficult to detect it.[60] An estimated 33% of malware is not detected by antivirus software.[57]


The most commonly employed anti-detection technique involves encrypting the malware payload in order to prevent antivirus software from recognizing the signature.[32] Tools such as crypters come with an encrypted blob of malicious code and a decryption stub. The stub decrypts the blob and loads it into memory. Because antivirus does not typically scan memory and only scans files on the drive, this allows the malware to evade detection. Advanced malware has the ability to transform itself into different variations, making it less likely to be detected due to the differences in its signatures. This is known as polymorphic malware. Other common techniques used to evade detection include, from common to uncommon:[61] (1) evasion of analysis and detection by fingerprinting the environment when executed;[62] (2) confusing automated tools' detection methods, which allows malware to avoid detection by technologies such as signature-based antivirus software by changing the server used by the malware;[61] (3) timing-based evasion, where malware runs at certain times or following certain actions taken by the user, so that it executes during certain vulnerable periods, such as the boot process, while remaining dormant the rest of the time; (4) obfuscating internal data so that automated tools do not detect the malware;[63] (5) information hiding techniques, namely stegomalware;[64] and (6) fileless malware, which runs within memory instead of using files and utilizes existing system tools to carry out malicious acts. The use of existing binaries to carry out malicious activities is a technique known as LotL, or Living off the Land.[65] This reduces the amount of forensic artifacts available to analyze. Recently these types of attacks have become more frequent, with a 432% increase in 2017, and they made up 35% of the attacks in 2018. Such attacks are not easy to perform but are becoming more prevalent with the help of exploit kits.[66][67]

Risks

Vulnerable software

A vulnerability is a weakness, flaw or software bug in an application, a complete computer, an operating system, or a computer network that is exploited by malware to bypass defences or gain privileges it requires to run. For example, TestDisk 6.4 or earlier contained a vulnerability that allowed attackers to inject code into Windows.[68] Malware can exploit security defects (security bugs or vulnerabilities) in the operating system, applications (such as browsers, e.g. older versions of Microsoft Internet Explorer supported by Windows XP[69]), or in vulnerable versions of browser plugins such as Adobe Flash Player, Adobe Acrobat or Reader, or Java SE.[70][71] For example, a common method is exploitation of a buffer overrun vulnerability, where software designed to store data in a specified region of memory does not check that the data supplied fits within that buffer. Malware may supply data that overflows the buffer, placing malicious executable code or data past its end; when this payload is accessed it does what the attacker, not the legitimate software, determines.
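The buffer overrun pattern is easiest to see in a parser for length-prefixed input. The following is an added example written for this page, not code from the article or from any real product: a record is assumed to arrive as a one-byte length followed by a payload that is copied into a fixed 16-byte field. The first function trusts the declared length and is the defect the paragraph describes; the second validates it against both the bytes actually received and the destination capacity. Only the hardened version is exercised, using constructed packets, including one that declares 200 bytes while carrying 7 and one that declares exactly 16 bytes, which would fit the array but leave no room for the terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the article). Assumed wire format:
 * [1-byte length][payload...], copied into a fixed-size name field.
 * The length byte is attacker-controlled input. */

#define NAME_CAP 16

typedef struct {
    char name[NAME_CAP];
    int  is_admin;          /* lives right after the buffer in memory */
} Record;

/* VULNERABLE (shown for contrast, never called with oversized input here):
 * trusts the declared length. A value above NAME_CAP writes past 'name',
 * which is undefined behaviour and in practice clobbers whatever follows,
 * here is_admin, elsewhere saved return addresses. */
void parse_record_unsafe(const unsigned char *pkt, size_t pktlen, Record *r) {
    (void)pktlen;                         /* received length ignored entirely */
    size_t declared = pkt[0];
    memcpy(r->name, pkt + 1, declared);   /* no check against NAME_CAP */
}

/* HARDENED: every quantity derived from input is checked before use.
 * Returns 0 on success, -1 for a malformed or oversized record, in which
 * case the destination is left untouched. */
int parse_record_safe(const unsigned char *pkt, size_t pktlen, Record *r) {
    if (pkt == NULL || r == NULL || pktlen < 1) return -1;
    size_t declared = pkt[0];
    if (declared > pktlen - 1) return -1;   /* claims more than was received */
    if (declared >= NAME_CAP) return -1;    /* would not fit with NUL terminator */
    memcpy(r->name, pkt + 1, declared);
    r->name[declared] = '\0';
    return 0;
}

/* Constructed test packets. */
static const unsigned char PKT_GOOD[]     = { 5, 'a', 'l', 'i', 'c', 'e' };
/* Declares 200 bytes but carries 7: the classic overrun trigger. */
static const unsigned char PKT_OVERSIZE[] = { 200, 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
/* Declares exactly NAME_CAP bytes: fits the array, no room for the NUL. */
static const unsigned char PKT_EXACT[]    = { 16, 'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B',
                                                  'B', 'B', 'B', 'B', 'B', 'B', 'B', 'B' };

int main(void) {
    Record r;
    memset(&r, 0, sizeof r);
    printf("good     : %d (name=%s)\n", parse_record_safe(PKT_GOOD, sizeof PKT_GOOD, &r), r.name);
    printf("oversize : %d\n", parse_record_safe(PKT_OVERSIZE, sizeof PKT_OVERSIZE, &r));
    printf("exact    : %d\n", parse_record_safe(PKT_EXACT, sizeof PKT_EXACT, &r));
    return 0;
}
```

The two checks in the hardened version correspond to the two ways a length field lies: about how much data exists, and about how much the destination can hold. Dropping either one reintroduces the overrun.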


Malware can exploit recently discovered vulnerabilities before developers have had time to release a suitable patch.[6] Even when new patches addressing the vulnerability have been released, they may not necessarily be installed immediately, allowing malware to take advantage of systems lacking patches. Sometimes even applying patches or installing new versions does not automatically uninstall the old versions. Security advisories from plug-in providers announce security-related updates.[72] Common vulnerabilities are assigned CVE IDs and listed in the US National Vulnerability Database. Secunia PSI[73] is an example of software, free for personal use, that will check a PC for vulnerable out-of-date software, and attempt to update it. Other approaches involve using firewalls and intrusion prevention systems to monitor unusual traffic patterns on the local computer network.[74]

Excessive privileges

Users and programs can be assigned more privileges than they require, and malware can take advantage of this. For example, of 940 Android apps sampled, one third of them asked for more privileges than they required.[75] Apps targeting the Android platform can be a major source of malware infection but one solution is to use third-party software to detect apps that have been assigned excessive privileges.[76]


Some systems allow all users to modify their internal structures, and such users today would be considered over-privileged users. This was the standard operating procedure for early microcomputer and home computer systems, where there was no distinction between an administrator (or root) and a regular user of the system. In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status.[77] This can be because users tend to demand more privileges than they need, and so often end up being assigned unnecessary privileges.[78]


Some systems allow code executed by a user to access all rights of that user, which is known as over-privileged code. This was also standard operating procedure for early microcomputer and home computer systems. Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications, allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user.

Weak passwords

A credential attack occurs when a user account with administrative privileges is cracked and that account is used to provide malware with appropriate privileges.[79] Typically, the attack succeeds because the weakest form of account security is used, which is typically a short password that can be cracked using a dictionary or brute force attack. Using strong passwords and enabling two-factor authentication can reduce this risk. With the latter enabled, even if an attacker can crack the password, they cannot use the account without also having the token possessed by the legitimate user of that account.

Use of the same operating system

Homogeneity can be a vulnerability. For example, when all computers in a network run the same operating system, a worm that exploits one of them can exploit them all.[80] In particular, Microsoft Windows or Mac OS X have such a large share of the market that an exploited vulnerability concentrating on either operating system could subvert a large number of systems. It is estimated that approximately 83% of malware infections between January and March 2020 were spread via systems running Windows 10.[81] This risk is mitigated by segmenting the networks into different subnetworks and setting up firewalls to block traffic between them.[82][83]

Mitigation

Antivirus / Anti-malware software

Anti-malware (sometimes also called antivirus) programs block and remove some or all types of malware. For example, Microsoft Security Essentials (for Windows XP, Vista, and Windows 7) and Windows Defender (for Windows 8, 10 and 11) provide real-time protection. The Windows Malicious Software Removal Tool removes malicious software from the system.[84] Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).[85] Tests found some free programs to be competitive with commercial ones.[85][86][87]


Typically, antivirus software can combat malware in the following ways:

Research

Utilizing bibliometric analysis, the study of malware research trends from 2005 to 2015, considering criteria such as impact journals, highly cited articles, research areas, productivity, keyword frequency, institutions, and authors, revealed an annual growth rate of 34.1%. North America led in research output, followed by Asia and Europe. China and India were identified as emerging contributors.[95]
