A malicious application that steals or encrypts the user’s data or system, then demands payment (a ransom) to restore the data or system access, is known as ‘ransomware’.
Ransomware programs typically encrypt files on an infected computer, then display a message stating that the user needs to pay a certain sum by a prescribed method in order to recover the files. The specifics of the extortion method may vary, for example:
- The files may appear ‘corrupted’ and the user may be required to buy a ‘cleanup program’, or
- The files may be ‘locked’ by an authority for an alleged transgression, and the user may be told to pay a ‘fine’.
In all cases however, the user is required to pay money to regain access to their own data. This form of extortion works on the assumption that the data is important enough to the user that they are willing to pay for recovery.
There is however no guarantee of actual recovery, even after payment is made.
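The footprint described above (readable files replaced, in bulk, by unreadable content under a new name) is what many endpoint heuristics look for. The following is an added example, not code from the original glossary or from F-Secure: it diffs two snapshots of a directory (both constructed in memory here) and raises an alert when a large share of files jumped from plaintext-like to near-random entropy and gained a new extension. The thresholds, sample documents and the seeded pseudo-random bytes standing in for ciphertext are all assumptions chosen for illustration.

```python
"""Entropy-based heuristic for spotting ransomware-style mass encryption.

Added example, not code from the original glossary. It diffs two snapshots
of a directory (constructed in memory below) and flags files whose content
jumped from plaintext-like to near-random entropy and whose names gained a
new extension. All thresholds and sample files are assumptions.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits near 8.0
LOW_ENTROPY = 6.0        # documents, source code and most plaintext sit well below this
MASS_CHANGE_RATIO = 0.5  # share of files changed before an alert is raised


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_like_changes(before: dict, after: dict) -> list:
    """Pair each original file with its successor (same path, or the same path
    with an extension appended) and keep the pairs that went from readable to
    near-random content."""
    changes = []
    for old_path, old_data in before.items():
        successors = [p for p in after if p == old_path or p.startswith(old_path + ".")]
        for new_path in successors:
            old_h, new_h = shannon_entropy(old_data), shannon_entropy(after[new_path])
            if old_h < LOW_ENTROPY and new_h >= HIGH_ENTROPY:
                changes.append((old_path, new_path, round(new_h, 2)))
    return changes


def ransomware_alert(before: dict, after: dict) -> dict:
    """Summarise the diff and decide whether it looks like mass encryption."""
    changes = encrypted_like_changes(before, after)
    ratio = len(changes) / len(before) if before else 0.0
    added_exts = Counter(new[len(old):] for old, new, _ in changes if new != old)
    return {
        "changed": len(changes),
        "ratio": round(ratio, 2),
        "common_new_extension": added_exts.most_common(1)[0][0] if added_exts else None,
        "alert": ratio >= MASS_CHANGE_RATIO,
    }


# Constructed sample data: four plaintext documents before the incident ...
_DOC = ("Quarterly report: revenue is up, costs are flat, and the board "
        "meets on Thursday.\n" * 40).encode()
BEFORE = {
    "docs/report.docx": _DOC,
    "docs/budget.xlsx": _DOC,
    "docs/minutes.txt": _DOC,
    "docs/notes.txt": _DOC,
}

# ... and afterwards three of them replaced by renamed, random-looking
# content (a seeded PRNG stands in for ciphertext) plus a dropped note.
_rng = random.Random(7)


def _ciphertext_like(n: int = 4096) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


AFTER = {
    "docs/report.docx.locked": _ciphertext_like(),
    "docs/budget.xlsx.locked": _ciphertext_like(),
    "docs/minutes.txt.locked": _ciphertext_like(),
    "docs/notes.txt": _DOC,
    "docs/README_RESTORE.txt": b"(constructed placeholder for a dropped note)\n",
}

if __name__ == "__main__":
    print(ransomware_alert(BEFORE, AFTER))
```

Entropy alone is a weak signal (archives and media files are also near 8 bits per byte), which is why the check is tied to a rename pattern and a change ratio rather than to any single file; in production the same logic would run over file-system change events rather than full snapshots.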
The Registry is a directory found in later versions of Microsoft Windows operating systems that contains details on the settings and options selected for the operating system, most applications and hardware, users and their preferences and other critical information.
The registry key is an identifier listed in the computer system's Registry, specifying a particular item (usually an application or process). The registry key is almost always associated with a 'value' that indicates a detail, setting or option selected for that application or process.
The Registry and its keys can be viewed and edited using the Registry Editor (Regedit.exe), commonly referred to as Regedit.
How Malware Affects the Registry
Many malicious programs alter relevant registry keys in order to replicate and perform other malicious routines. A common modification, for example, affects the registry key that specifies which programs are automatically run when the computer is started.
The alteration is made so that the malware itself is automatically executed, for example:
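One way a defender reviews such autorun entries is to export the relevant key with Regedit or `reg export` and triage the result offline. The block below is an added example, not code from the original glossary or from F-Secure: it parses the text format of a Registry export for the standard Run key (`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`) and flags values whose executable lives in a user-writable directory or reuses a Windows system binary name outside the Windows directory. The sample export, the user name `alice`, the environment-variable expansions and the heuristics themselves are constructed assumptions for illustration.

```python
"""Triage of autorun entries from a Registry export (.reg) file.

Added example, not code from the original glossary. It parses the text
format produced by Regedit's export for the standard Run key, then flags
entries that point at user-writable directories or reuse a Windows system
binary name outside the Windows directory. The export below, the
environment-variable expansions and the heuristics are constructed
assumptions for illustration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One string value per line: "name"="data", with backslash and quote escaped.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Heuristic inputs (assumed; tune for the environment being examined).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}
ENV = {  # expansions for a hypothetical user 'alice'
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
}


def _unescape(s: str) -> str:
    # Undo .reg escaping (backslash-backslash and backslash-quote) in one pass.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for the string values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:  # dword:/hex: values are skipped here
            keys[current][_unescape(m["name"])] = _unescape(m["data"])
    return keys


def command_image(data: str) -> str:
    """Extract the executable path from a Run value (quoted path, or text up to .exe)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"^(.*?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ", 1)[0]


def expand(path: str) -> str:
    """Lower-case the path and expand the environment variables we know about."""
    lower = path.lower()
    for var, value in ENV.items():
        lower = lower.replace(var, value.lower())
    return lower


def triage_autoruns(entries: dict) -> list:
    """Return (value_name, image_path, [reasons]) for entries that look suspicious."""
    findings = []
    for name, data in entries.items():
        image = expand(command_image(data))
        exe = image.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in image for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if exe in SYSTEM_NAMES and not image.startswith("c:\\windows\\"):
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed export: two ordinary entries and two that warrant a closer look.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\update.exe\" /silent"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe"
"SysHelper"="%temp%\\syshelper.exe -hide"
"""

if __name__ == "__main__":
    for name, image, reasons in triage_autoruns(parse_reg_export(SAMPLE_EXPORT)[RUN_KEY]):
        print(f"{name}: {image} ({'; '.join(reasons)})")
```

The Run key is only one of several autostart locations (per-user Run and RunOnce keys, services, scheduled tasks), so the same triage is normally applied to each of them; the heuristics here are deliberately simple and produce leads for a human to confirm against the file on disk and its signature, not verdicts.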
In computer security, remote code execution means that an outside party is able to run arbitrary commands on a target machine or in a target process, almost always with malicious intent.
Remote code execution is usually the goal of a system or program exploit, as it essentially means an attacker can take complete control of the compromised machine.
The act of creating a copy of a malicious program's code, usually in order to infect a new target or distribute a copy to a new computer system. 'Replication' is often used interchangeably with the term 'propagation'.
Replication is an essential characteristic of certain types of malware. For example, if a program does not include a routine specifying a method for replicating its own code, it does not meet the definition of a virus or worm.
Replication in Viruses
Much like its biological counterpart, a computer virus cannot, on its own, make copies of itself or distribute the newly created copies to new hosts. Instead, a virus must infect a computer system and 'trick' it into unintentionally performing both tasks.
Successful replication has two elements or stages: the virus must first find a way to force a computer system to execute its own instructions; secondly, the newly created copies must infect new targets.
To make a computer system obey its instructions, a virus infects a host file with its own executable code. When the user next launches the host file, the computer system reads and unthinkingly executes the viral code inserted. The virus's instructions will, among other things, direct the computer to produce copies of the malicious code.
To infect new targets, a virus can use one of two strategies: it may either become resident in memory, where it can infect programs the user launches; or it can actively hunt for and infect specific files on the hard disk. A virus that uses the former strategy is known as a memory-resident virus; one that uses the latter tactic is known as a non-memory resident virus.
Replication in Worms
Unlike a virus, a worm doesn't need to use a computer system to create copies of itself; it can do so on its own. Instead, a worm uses a computer system more as a launch pad, by using its network connections and bandwidth to infect other computers connected to it.
Successful replication for a worm is therefore a little different: it simply involves getting a copy of the worm code from the first infected machine onto another.
A virus which remains in a computer system's memory after it has been executed and its host program has been closed is said to be 'resident' in the memory.
Memory-resident viruses were once also referred to as Terminate and Stay Resident (TSR). Today however, this term is archaic.
How A Memory-Resident Virus Works
To understand how a virus becomes resident in memory, it helps to know how a program normally uses memory. Whenever a file (including the virus's host file) is executed, it is loaded temporarily into RAM, where temporary instructions related to the program can be stored. When the user closes the host program, it is unloaded from memory, clearing the space for use by another program.
A virus takes advantage of this normal process for its own ends. First, the virus code is loaded into memory along with the host file. Once there, it will typically capture or 'hook' an interrupt vector, an area of memory that stores special instructions for executing programs, which the virus subverts by inserting viral code into it.
Later, when the host file is closed and unloaded from memory, the viral code still reachable through the hooked interrupt is able to continue with its own agenda, at least until the computer is shut down.
Viruses usually become memory-resident in order to continue infecting other programs which the user has executed and are currently in memory. In contrast, a non-memory resident virus must independently find and infect files on the hard drives.
In computer security generally, and malware analysis in particular, reverse engineering refers to the process of disassembling and analyzing an executable file in order to determine its capabilities and behavioral routines.
Reverse engineering may also be applied to security patches and exploits to determine how they function.
Useful, legitimate software that is not malicious in nature, but may pose or introduce a security risk if improperly used, or used in certain circumstances.
Examples of legitimate programs that may be considered riskware if misused include File Transfer Protocol (FTP) servers, Internet Relay Chat (IRC) clients, Network Sniffers, overeager Digital Rights Management (DRM) software and Remote Administration utilities.
Some programs are not intentionally malicious, but do not provide the functionality claimed. If the functionality of software is suspect, it may be added to the riskware category.
It is also possible for legitimate software to be bundled together with another program that is identified as riskware, resulting in conflation between the two programs.
Dealing with Riskware
If the user is aware of the security risks involved and wishes to proceed with installing and using the program, there is no reason not to do so.
The user may also exclude the application's folder from scans by F-Secure Anti-Virus products, by following the instructions provided.
An antivirus or antispyware application that does not provide the functionality claimed, and may not work at all. Rogues are often promoted by deceptive or fraudulent means.
How It Works
A rogue antivirus or antispyware program (commonly referred to as a rogue) is difficult to define, as the intentions of the groups producing them vary. Rogues can be deliberately fraudulent, or just substandard products that present false information. The product may claim to be a legitimate antivirus or antispyware application, but may in fact be nothing more than an inexpensive clone of unreliable software. Once purchased, the final product may not perform as claimed, or may not perform at all.
When run, many rogue applications will perform a scan of the system, or pretend to perform one. They then display misleading or outright false scan reports in order to alarm users into buying their application. This may be accompanied by alarming warning messages and constant prompts, if the user declines to purchase.
The most common way for a user to come into contact with rogue software is through websites pushing these products to their visitors. Often, visitors are unknowingly redirected to these sites via such underhanded tactics as search engine poisoning or website redirects. Worms and trojans also sometimes silently install rogues, which then perform - or pretend to perform - a scan of the system and offer to remove the malware.
Many websites promoting rogues use very questionable sales tactics to pressure the visitor into purchasing the product, or a license for the product. For example, detecting problems in a demo or trial version available online, but requiring a license to remove those problems is typical of a rogue-pushing website. Free, fully functional trial periods are usually not offered.
It has also become increasingly common for websites pushing rogueware to display an image of a generic computer desktop with a scanning dialog on the screen, and then deceptively claim that the product is running a scan on the visitor's own computer system. The website will next display a fake scanning result indicating malware infections being present. It will then urge the user to purchase the rogueware. Visitors may be told that they need to buy protection even if there is nothing dangerous found.
The most malicious rogue-pushing websites may install malware on the visitor's computer, which is then detected by the trial version.
Affiliate marketing programs are often used to sell rogue antispyware. Every time an affiliate product is installed and sold, a commission is paid. The result is a strong pressure to sell, by any means necessary. Rogues that have been available for a while are also often repackaged and given new names in order to gain new, unsuspecting users.
A standalone software component that attempts to hide processes, files, registry data and network connections. The term 'rootkit' may also be used to describe cloaking or stealth techniques a malware uses to hide itself or disguise its actions.
A rootkit program may not be malicious in itself, but may be used for malicious purposes by viruses, worms, backdoors and spyware. For example, some spyware/adware programs such as EliteToolbar, ProAgent, and Probot SE use rootkit techniques to disguise their actions; similarly, some trojans (e.g., Haxdoor, Padodor and Hupigon) also utilize rootkit functions.
A virus combined with a rootkit produces what was formerly known as a full stealth virus in the MS-DOS environment.
How They Work
Rootkits are generally difficult to detect as they are activated before the machine's operating system is completely booted up, and are therefore treated as outside the system's normal security procedures; this characteristic also makes them difficult to remove.
Typically, a malware's rootkit functionality is achieved by using a kernel-mode driver. In this scenario, malware drops a driver file on disk and loads it in kernel space. Once loaded, the driver is instructed to hide the malicious actions.
Some rootkits can also operate from user mode. In this case, the malware usually drops a DLL file on disk and loads it into all processes. In rare cases, the rootkit doesn't need any external files to operate.
Rootkit-like Legitimate Programs
Occasionally, legitimate software will use rootkit-like techniques, usually for software protection purposes. In this context, the techniques may be referred to as a form of Digital Rights Management (DRM).
Some antivirus programs will detect these applications as 'rootkits' and potential security risks, until the rootkit-like techniques are removed or another solution is reached.
A network component responsible for routing information between networks, or separate subnets on the same network.
A router may be a hardware device or, less commonly, a program. As its name suggests, a router's main responsibility is directing the data packets entering the network to the correct destination.
There are numerous types of routers, graded based on the amount of workload (traffic) they are capable of handling. The most common routers are those used by individual users for home networks, as well as larger routers dedicated to directing communications in businesses and large corporations. The highest capacity routers are responsible for routing major public Internet transmissions.