Oh boy, malware taxonomy!
FWIW, here's mine...
I use "malware" to refer to all software that:
- is user-hostile
- enters the system under false pretences
The terms "virus", "worm" and "trojan" relate to behaviors, and modern
malware is usually complex enough to show multiple behaviors.
Viruses infect something (files or disks) and passively waits for that
something to be spread through the normal course of events.
Worms actively send themselves out, rather than waiting to be
passively carried about, and are self-contained files (or in-memory
processes) rather than embedded in existing files.
Trojans pose as something harmless or useful; they may enter the
system by passively mimicing something you want, so that you instigate
thier installation, but can spread in other ways.
Modern malware usually exists to do work, and usually work that
generates income. Some opportunities to generate income require the
recipient of that income to be visible, and so the recipient is (or
poses as) a commercial business - hence "commercial malware".
Other ways of making money do not require visibility, so the attacker
can stay anonymous and is therefore not constrained to actions that
could be plausibly denied or defended as business practice.
A third type of malware is not intended to make money; this I refer to
as "traditional malware", in contrast to commercial malware.
I don't use the term "spyware" at all. Most commercial malware does
not spy - it's more likey to make money by showing you ads, enticing
you to click on sponsored links added to arbitrary content, or shoving
some sponsor's web page in your face as your home or search pages.
The software that does spy (keyloggers, RATs) are nearly always
criminally rather than commercially deployed, and are more usually
referred to as "trojans", irrespective of how they spread.
Malware can spread in different ways, and at different speeds:
1-generation, real-time
For example, malware may be hosted on sites that can be updated in
real-time to stay ahead of av detection signatures, or can be spammed
out from a central point. The latter is slower, but in both cases,
there is only one generation of spread, directly from the source to
the victim. This is usually too fast for av to keep up.
n-generation, but extremely fast
These are the pure network worms that enter the system via an
exploitable edge, and out again within a matter of seconds. Again,
the speed is faster than a daily-updated av can match; for example,
Saphire/Slammer went global within a few minutes of release.
n-generation, store-and-forward
This is your classic modern "virus" spread, from one infected PC to
one or more others, via email, messenging, peer-2-peer file sharing,
or disks that get carried around. It's a slow spreading method that's
more likely to be trumped by your daily av updates.
custom
Custom tools are not spread in the wild, but may be uploaded by human
hackers via some RAT (Remote Access Trojan) bridgehead. Because the
software hasn't been widely exposed, av is unlikely to catch it.
real-time updated
Some malware will automatically pull down updates or replacements for
itself, or take the form of a simple downloader stub that pulls down
the "real" malware. In both cases, there's that real-time factor that
means the malware is likely to be too new for av to detect. The main
defense is global; finding the host sites and shutting them down.
Then there are the ways that malware gets to run on the system:
runtime only
Some malware never exist as files at all - or make any attempt to
persist across runtimes. So if you switch the PC off or reboot it to
scan it, the malware you're looking for is gone. This type of pure
runtime infection makes sense for servers that are always connected
and are never shut down, and is also practical for broadband users of
NT-generation OSs, as this combines lengthy uptimes (no resource heap
depletion a la Win9x) with always-on (Inter)net access.
intrafile infection
These are your pure file viruses, which do not exist as separate files
but insert themselves within existing files that you'd want to keep.
The purest form also requires no explicit integration, because the
virus code runs whenever the infected file runs. This is type of
malware is best managed via antivirus tools; it is in fact the key
malware type for which av was invented.
stand-alone files with integration
Most modern malware fall into this category; the entire file is the
malware, and it needs to be integrated via startup axis, file
association etc. in order to run at all. HiJackThis and similar tools
can be used to manually track and manage such malware, and most
"antispyware" tools look as much for integration cues as the malware
files themselves. Complications can arise if the malware file is
deleted without cleaning up integration references to it.
landmine
Some malware avoid detection by not running most of the time; instead,
they lie around passively until the user trips over them in some way.
It's rare that malware will exist purely in this form; usually it will
be a separate component of an active malware that seeks to remain
undetected and thus later retain ownership of the victim. The
workings of System Restore can accidentally create this mechanism.
inactive
Often you will have malware that has never run, possibly because the
surface it seeks to exploit is not there, or the user's too smart to
click. Examples include email attachments you've received but not
"opened", stuff that's dumped into web cache, etc.
Then there are the ways that malware can resist removal; rootkits,
task-killers, DNS poisoners, re-infecting files after they've been
scanned, task re-spawners, recurrent primary entry, etc. Almost all
of these tactics can be disabled by isoltaing the PC from other
systems, and scanning it without running ANY code on the HD.
The point about all this is that it clarifies your defense and
management strategies. For example, a firewall is more useful than an
av as defense against pure network worms, whereas av scanners are your
best hope to detect and manage intrafile infectors. Many malware
spill out of these categories, e.g. stand-alone malware files that
also infect existing files or that integrate the files they infect.
------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
