
Malware, short for malicious software, is any software used to disrupt
computer operation, gather sensitive information, or gain access to private
computer systems.[1] It can appear in the form of executable code, scripts,
active content, and other software.[2] Malware is a general term used to
refer to a variety of forms of hostile or intrusive software.[3] The term
badware is sometimes used, and applied to both true (malicious) malware
and unintentionally harmful software.[4]

Malware includes computer viruses, worms, trojan horses, ransomware,
spyware, adware, scareware, and other malicious programs. As of 2011 the
majority of active malware threats were worms or trojans rather than
viruses.[5] In law, malware is sometimes known as a computer contaminant, as
in the legal codes of several U.S. states.[6][7] Malware is often disguised
as, or embedded in, non-malicious files.

Spyware or other malware is sometimes found embedded in programs
supplied officially by companies, e.g., downloadable from websites, that
appear useful or attractive, but may have, for example, additional hidden
tracking functionality that gathers marketing statistics. An example of such
software, which was described as illegitimate, is the Sony rootkit, a Trojan
embedded into CDs sold by Sony, which silently installed and concealed itself
on purchasers' computers with the intention of preventing illicit copying; it
also reported on users' listening habits, and created vulnerabilities that were
exploited by unrelated malware.[8]

The term malware only applies to software that intentionally causes harm.
Software that causes harm due to bugs or poor design is not classified as
malware; for example, some legitimate software written before the year 2000
had errors that caused serious malfunctions when the year changed from
1999 to 2000 - these programs are not considered malware.

Software such as anti-virus, anti-malware, and firewalls are used by home
users and organizations to try to safeguard against malware attacks.[9]

Purposes

Figure: Malware by categories on March 16, 2011.

Many early infectious programs, including the first Internet Worm, were
written as experiments or pranks. Today, malware is used by both black hat
hackers and governments, to steal personal, financial, or business
information[11][12] and sometimes for sabotage (e.g., Stuxnet).

Malware is sometimes used broadly against government or corporate
websites to gather guarded information,[13] or to disrupt their operation in
general. However, malware is often used against individuals to gain
information such as personal identification numbers or details, bank or credit
card numbers, and passwords. Left unguarded, personal and networked
computers can be at considerable risk against these threats. (These are most
frequently defended against by various types of firewall, anti-virus software,
and network hardware).[14]

Since the rise of widespread broadband Internet access, malicious software
has more frequently been designed for profit. Since 2003, the majority of
widespread viruses and worms have been designed to take control of users'
computers for illicit purposes.[15] Infected "zombie computers" are used to
send email spam, to host contraband data such as child pornography,[16] or
to engage in distributed denial-of-service attacks as a form of extortion.[17]

Programs designed to monitor users' web browsing, display unsolicited
advertisements, or redirect affiliate marketing revenues are called spyware.
Spyware programs do not spread like viruses; instead they are generally
installed by exploiting security holes. They can also be packaged together
with user-installed software, such as peer-to-peer applications.[18]

Ransomware affects an infected computer in some way, and demands
payment to reverse the damage. For example, programs such as
CryptoLocker encrypt files securely, and only decrypt them on payment of a
substantial sum of money.

Proliferation

Preliminary results from Symantec published in 2008 suggested that "the
release rate of malicious code and other unwanted programs may be
exceeding that of legitimate software applications."[19] According to
F-Secure, "As much malware [was] produced in 2007 as in the previous 20
years altogether."[20] Malware's most common pathway from criminals to
users is through the Internet: primarily by e-mail and the World Wide
Web.[21]

The prevalence of malware as a vehicle for Internet crime, along with the
challenge of anti-malware software to keep up with the continuous stream of
new malware, has seen the adoption of a new mindset for individuals and
businesses using the Internet. With the amount of malware currently being
distributed, some percentage of computers are currently assumed to be
infected. For businesses, especially those that sell mainly over the Internet,
this means they need to find a way to operate despite security concerns. The
result is a greater emphasis on back-office protection designed to protect
against advanced malware operating on customers' computers.[22] A 2013
Webroot study shows that 64% of companies allow remote access to servers
for 25% to 100% of their workforce and that companies with more than 25%
of their employees accessing servers remotely have higher rates of malware
threats.[23]

On March 29, 2010, Symantec Corporation named Shaoxing, China, as the
world's malware capital.[24] A 2011 study from the University of California,
Berkeley, and the Madrid Institute for Advanced Studies published an article
in Software Development Technologies, examining how entrepreneurial
hackers are helping enable the spread of malware by offering access to
computers for a price. Microsoft reported in May 2011 that one in every 14
downloads from the Internet may now contain malware code. Social media,
and Facebook in particular, are seeing a rise in the number of tactics used to
spread malware to computers.[25]

A 2014 study found that malware was increasingly aimed at the ever more
popular mobile devices such as smartphones.[26]

Infectious malware: viruses and worms
Main articles: Computer virus and Computer worm

The best-known types of malware, viruses and worms, are known for the
manner in which they spread, rather than any specific types of behavior. The
term computer virus is used for a program that embeds itself in some other
executable software (including the operating system itself) on the target
system without the user's consent and when that is run causes the virus to
spread to other executables. On the other hand, a worm is a stand-alone
malware program that actively transmits itself over a network to infect other
computers. These definitions lead to the observation that a virus requires the
user to run an infected program or operating system for the virus to spread,
whereas a worm spreads itself.[27]

Concealment: Viruses, trojan horses, rootkits, and backdoors
(These categories are not mutually exclusive.)

Viruses
Main article: Computer virus

Trojan horses

For a malicious program to accomplish its goals, it must be able to run
without being detected, shut down, or deleted. When a malicious program is
disguised as something normal or desirable, users may unwittingly install it.
This is the technique of the Trojan horse or trojan. In broad terms, a Trojan
horse is any program that invites the user to run it, concealing harmful or
malicious executable code of any description. The code may take effect
immediately and can lead to many undesirable effects, such as encrypting
the user's files or downloading and implementing further malicious
functionality.[citation needed]

In the case of some spyware, adware, etc. the supplier may require the user
to acknowledge or accept its installation, describing its behavior in loose
terms that may easily be misunderstood or ignored, with the intention of
deceiving the user into installing it without the supplier technically in breach
of the law.[citation needed]

Rootkits

Once a malicious program is installed on a system, it is essential that it stays
concealed, to avoid detection. Software packages known as rootkits allow this
concealment, by modifying the host's operating system so that the malware
is hidden from the user. Rootkits can prevent a malicious process from being
visible in the system's list of processes, or keep its files from being read.[28]

Some malicious programs contain routines to defend against removal, not
merely to hide themselves. An early example of this behavior is recorded in
the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing
system:

Each ghost-job would detect the fact that the other had been killed, and
would start a new copy of the recently-stopped program within a few
milliseconds. The only way to kill both ghosts was to kill them simultaneously
(very difficult) or to deliberately crash the system.[29]

Backdoors

A backdoor is a method of bypassing normal authentication procedures,
usually over a connection to a network such as the Internet. Once a system
has been compromised, one or more backdoors may be installed in order to
allow access in the future,[30] invisibly to the user.

The idea has often been suggested that computer manufacturers preinstall
backdoors on their systems to provide technical support for customers, but
this has never been reliably verified. It was reported in 2014 that US
government agencies had been diverting computers purchased by those
considered "targets" to secret workshops where software or hardware
permitting remote access by the agency was installed, considered to be
among the most productive operations to obtain access to networks around
the world.[31] Backdoors may be installed by Trojan horses, worms, implants,
or other methods.[32][33]

Vulnerability to malware
Main article: Vulnerability (computing)

In this context, and throughout, what is called the "system" under attack may
be anything from a single application, through a complete computer and
operating system, to a large network.

Various factors make a system more vulnerable to malware:

Security defects in software

Malware exploits security defects (security bugs or vulnerabilities) in the
design of the operating system, in applications (such as browsers, e.g. older
versions of Microsoft Internet Explorer supported by Windows XP[34]), or in
vulnerable versions of browser plugins such as Adobe Flash Player, Adobe
Acrobat or Reader, or Java (see Java SE critical security issues).[35][36]
Sometimes even installing new versions of such plugins does not
automatically uninstall old versions. Security advisories from plug-in
providers announce security-related updates.[37] Common vulnerabilities are
assigned CVE IDs and listed in the US National Vulnerability Database.
Secunia PSI[38] is an example of software, free for personal use, that will
check a PC for vulnerable out-of-date software, and attempt to update it.

Malware authors target bugs, or loopholes, to exploit. A common method is
exploitation of a buffer overrun vulnerability, where software designed to
store data in a specified region of memory does not prevent more data than
the buffer can accommodate being supplied. Malware may provide data that
overflows the buffer, with malicious executable code or data after the end;
when this payload is accessed it does what the attacker, not the legitimate
software, determines.
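
The overrun described above, reduced to its core as an added example that is not part of the original article: a constructed 16-byte region holds an 8-byte buffer followed by a flag the program trusts, and an unchecked copy is shown beside a bounds-checked one. All names, sizes and the sample input are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: an 8-byte input buffer immediately followed by a
   flag the program trusts. Both live in one array so that the demo's
   out-of-bounds write stays inside a single object (defined behaviour). */
enum { BUF_SIZE = 8, FLAG_OFFSET = 8, REGION_SIZE = 16 };

struct region { unsigned char bytes[REGION_SIZE]; };

void region_reset(struct region *r) { memset(r->bytes, 0, REGION_SIZE); }

int trusted_flag(const struct region *r) { return r->bytes[FLAG_OFFSET]; }

/* Flawed: trusts the length supplied with the data. Callers in this demo
   never pass more than REGION_SIZE bytes. */
void store_unchecked(struct region *r, const unsigned char *src, size_t n)
{
    memcpy(r->bytes, src, n);            /* never compared with BUF_SIZE */
}

/* Hardened: rejects anything the buffer cannot accommodate. */
int store_checked(struct region *r, const unsigned char *src, size_t n)
{
    if (src == NULL || n > BUF_SIZE)
        return -1;                       /* refuse, leave memory untouched */
    memcpy(r->bytes, src, n);
    return 0;
}

/* Constructed input: 8 filler bytes plus one byte that lands on the flag. */
static const unsigned char oversized[9] = { 'A','A','A','A','A','A','A','A', 1 };

int flag_after_unchecked(void)
{
    struct region r;
    region_reset(&r);
    store_unchecked(&r, oversized, sizeof oversized);
    return trusted_flag(&r);             /* flag was overwritten by the input */
}

int flag_after_checked(void)
{
    struct region r;
    region_reset(&r);
    if (store_checked(&r, oversized, sizeof oversized) == 0)
        return -1;                       /* would mean the check let it through */
    return trusted_flag(&r);             /* flag still holds its initial value */
}

int main(void)
{
    printf("unchecked copy: flag = %d\n", flag_after_unchecked());
    printf("checked copy:   flag = %d\n", flag_after_checked());
    return 0;
}
```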

Insecure design or user error

Early PCs had to be booted from floppy disks; when built-in hard drives
became common the operating system was normally started from them, but
it was possible to boot from another boot device if available, such as a floppy
disk, CD-ROM, DVD-ROM, or USB flash drive. It was common to configure the
computer to boot from one of these devices when available. Normally none
would be available; the user would intentionally insert, say, a CD into the
optical drive to boot the computer in some special way, for example to install
an operating system. Even without booting, computers can be configured to
execute software on some media as soon as they become available, e.g.
to autorun a CD or USB device when inserted.

Malicious software distributors would trick the user into booting or running
from an infected device or medium; for example, a virus could make an
infected computer add autorunnable code to any USB stick plugged into it;
anyone who then attached the stick to another computer set to autorun from
USB would in turn become infected, and also pass on the infection in the
same way.[39] More generally, any device that plugs into a USB port,
"including gadgets like lights, fans, speakers, toys, even a digital
microscope", can be used to spread malware. Devices can be infected during
manufacturing or supply if quality control is inadequate.[39]

This form of infection can largely be avoided by setting up computers by
default to boot from the internal hard drive, if available, and not to autorun
from devices.[39] Intentional booting from another device is always possible
by pressing certain keys during boot.

Older email software would automatically open HTML email containing
potentially malicious JavaScript code; users may also execute disguised
malicious email attachments and infected executable files supplied in other
ways.[citation needed]

Over-privileged users and over-privileged code
Main article: principle of least privilege

Over-privileged users: some systems allow all users to modify their internal
structures. This was the standard operating procedure for early
microcomputer and home computer systems, where there was no distinction
between an Administrator or root, and a regular user of the system. In some
systems, non-administrator users are over-privileged by design, in the sense
that they are allowed to modify internal structures of the system. In some
environments, users are over-privileged because they have been
inappropriately granted administrator or equivalent status.

Over-privileged code: some systems allow code executed by a user to access
all rights of that user. This was also standard operating procedure for early
microcomputer and home computer systems. Malware, running as
over-privileged code, can use this privilege to subvert the system. Almost all
currently popular operating systems, and also many scripting applications,
allow code too many privileges, usually in the sense that when a user
executes code, the system allows that code all rights of that user. This makes
users vulnerable to malware in the form of e-mail attachments, which may or
may not be disguised.

Use of the same operating system

Homogeneity: e.g. when all computers in a network run the same operating
system; upon exploiting one, one worm can exploit them all:[40] For
example, Microsoft Windows or Mac OS X have such a large share of the
market that concentrating on either could enable an exploited vulnerability to
subvert a large number of systems. Instead, introducing diversity, purely for
the sake of robustness, could increase short-term costs for training and
maintenance. However, having a few diverse nodes would deter total
shutdown of the network, and allow those nodes to help with recovery of the
infected nodes. Such separate, functional redundancy could avoid the cost of
a total shutdown.

Anti-malware strategies
Main article: Antivirus software

As malware attacks become more frequent, attention has begun to shift from
viruses and spyware protection, to malware protection, and programs that
have been specifically developed to combat malware. (Other preventive and
recovery measures, such as backup and recovery methods, are mentioned in
the computer virus article).

Anti-virus and anti-malware software

A specific component of anti-virus and anti-malware software, commonly
referred to as the on-access or real-time scanner, hooks deep into the
operating system's core or kernel functions in a manner similar to how certain
malware itself would attempt to operate, though with the user's informed
permission for protecting the system. Any time the operating system accesses
a file, the on-access scanner checks if the file is a legitimate file or not. If
the file is considered malware by the scanner, the access operation will be
stopped, the file will be dealt with by the scanner in a pre-defined way (how
the Anti-virus program was configured during/post installation) and the user
will be notified. This may considerably slow down the operating system
depending on how well the scanner was programmed. The goal is to stop any
operations the malware may attempt on the system before they occur,
including activities which might exploit bugs or trigger unexpected operating
system behavior.[citation needed]

Anti-malware programs can combat malware in two ways:

1. They can provide real time protection against the installation of malware
   software on a computer. This type of malware protection works the same way
   as that of antivirus protection in that the anti-malware software scans all
   incoming network data for malware and blocks any threats it comes across.
2. Anti-malware software programs can be used solely for detection and
   removal of malware software that has already been installed onto a
   computer. This type of anti-malware software scans the contents of the
   Windows registry, operating system files, and installed programs on a
   computer and will provide a list of any threats found, allowing the user to
   choose which files to delete or keep, or to compare this list to a list of
   known malware components, removing files that match.[citation needed]

Real-time protection from malware works identically to real-time antivirus
protection: the software scans disk files at download time, and blocks the
activity of components known to represent malware. In some cases, it may
also intercept attempts to install start-up items or to modify browser settings.
Because many malware components are installed as a result of browser
exploits or user error, using security software (some of which are
anti-malware, though many are not) to "sandbox" browsers (essentially isolate
the browser from the computer and hence any malware induced change) can
also be effective in helping to restrict any damage done.[citation needed]

Examples of Microsoft Windows antivirus and anti-malware software include
the optional Microsoft Security Essentials[41] (for Windows XP, Vista,
Windows 7 and Windows 8) for real-time protection, the Windows Malicious
Software Removal Tool[42] (now included with Windows (Security) Updates on
"Patch Tuesday", the second Tuesday of each month), and Windows Defender
(an optional download in the case of Windows XP).[43] Additionally, several
capable antivirus software programs are available for free download from the
Internet (usually restricted to non-commercial use).[44] Tests found some free
programs to be competitive with commercial ones.[44] Microsoft's System
File Checker can be used to check for and repair corrupted system files.

Some viruses disable System Restore and other important Windows tools
such as Task Manager and Command Prompt. Many such viruses can be
removed by rebooting the computer, entering Windows safe mode with
networking,[45] and then using system tools or Microsoft Safety Scanner.[46]
Currently, no method is known for detecting hardware implants.

Known good

Typical malware products detect issues based on heuristics or signatures –
i.e., based on information that can be assessed to be bad. Some
products[47][48] take an alternative approach when scanning documents such
as Word and PDF, by regenerating a new, clean file, based on what is known to
be good from schema definitions of the file (a patent for this approach
exists).[49]
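
The difference between the two approaches, as an added example that is not from the article or from any product it cites: the `key=value` document format, the single made-up signature and the three-key schema are all assumptions for the illustration. The signature check passes a document carrying content it has never seen, while regeneration copies only schema-known fields into a new file.

```c
#include <stdio.h>
#include <string.h>

/* Constructed data for the illustration, not taken from any product. */
static const char *const bad_signatures[] = { "OldDropper" };
static const char *const schema_keys[] = { "title", "author", "body" };

/* Signature approach: report a hit only when a known-bad pattern occurs. */
int matches_signature(const char *doc)
{
    for (size_t i = 0; i < sizeof bad_signatures / sizeof *bad_signatures; i++)
        if (strstr(doc, bad_signatures[i]) != NULL)
            return 1;
    return 0;
}

static int key_allowed(const char *key, size_t len)
{
    for (size_t i = 0; i < sizeof schema_keys / sizeof *schema_keys; i++)
        if (strlen(schema_keys[i]) == len && memcmp(schema_keys[i], key, len) == 0)
            return 1;
    return 0;
}

/* Known-good approach: write a new document holding only "key=value" lines
   whose key is in the schema. Returns lines left behind, or -1 if out is too small. */
int regenerate(const char *doc, char *out, size_t out_size)
{
    int dropped = 0;
    size_t used = 0;
    if (out_size == 0) return -1;
    out[0] = '\0';
    while (*doc != '\0') {
        const char *eol = strchr(doc, '\n');
        size_t len = eol ? (size_t)(eol - doc) : strlen(doc);
        const char *eq = memchr(doc, '=', len);
        if (eq != NULL && key_allowed(doc, (size_t)(eq - doc))) {
            if (used + len + 2 > out_size) return -1;  /* line + '\n' + NUL */
            memcpy(out + used, doc, len);
            used += len;
            out[used++] = '\n';
            out[used] = '\0';
        } else if (len > 0) {
            dropped++;                   /* unknown key or malformed line */
        }
        doc += len + (eol ? 1 : 0);
    }
    return dropped;
}

/* Constructed sample: the "macro" line carries content no signature knows. */
static const char sample_doc[] = "title=Quarterly report\nmacro=NewDropper\nbody=Figures attached\n";

int main(void)
{
    char clean[128];
    int dropped = regenerate(sample_doc, clean, sizeof clean);
    printf("signature hit: %d, dropped: %d\n%s", matches_signature(sample_doc), dropped, clean);
    return 0;
}
```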

Website security scans

As malware also harms the compromised websites (by breaking reputation,
blacklisting in search engines, etc.), some websites offer vulnerability
scanning.[50][51][52][53] Such scans check the website, detect malware,
may note outdated software, and may report known security issues.
