Macon Computer Repair

Copyright © 2012
Macon Computer Repair

Why Do People Spread Malware?
Or the economics of cyber attacks

Malware, short for malicious software, is software designed to infiltrate a computer system without the owner's consent. "Computer virus" is often used instead, but viruses are only a method for delivering malware. Other delivery methods include worms, trojan horses, exploits, and social engineering. The malware delivered includes spyware, dishonest adware, rootkits, and other programs.

Early infectious programs were written as experiments or pranks. Students learning about programming techniques wrote them just to see if they could, or to see how far they'd spread. Since the rise of broadband Internet access, malicious software has become a type of white-collar crime, with the malware designed to generate profit either through semi-legal methods like forced advertising, or by purely criminal means. Many programs are designed to take control of users' computers for exploitation. Infected computers are used to send email spam, host illegal data such as child pornography, or engage in denial-of-service attacks as a form of extortion. Another strictly for-profit category of malware is spyware, programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the creator. Spyware programs do not spread like viruses. They are, in general, installed by exploiting security holes or are legally packaged with user-installed software. Legal spyware is known as grayware because, while it falls within the law, few people would dispute that it's mostly undesirable for the computer user.

Viruses and worms: The best-known types of malware delivery systems, viruses and worms, are classed by the manner in which they spread. The term computer virus is used for a program that, when run, infects other programs by altering their files, or installs a malicious program. A worm is a program that actively transmits itself over a network to infect other computers. A virus requires user actions to spread, but worms do not. Infections transmitted by email or in Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, are classified as viruses.

Trojan horses: A trojan horse is any program that tricks the user into running it while concealing harmful intent. Trojans can have many undesirable effects, such as deleting the user's files, or they may download and install malicious programs without doing direct harm themselves (that type of program is called a trojan downloader). Trojan horses known as droppers are used to start off a worm attack by transmitting the worm on the user's local network. Spyware is often distributed as a trojan horse. It's bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed too. Grayware is often spread this way, because it can be a powerful marketing tool for legitimate companies. Notice of the legal spyware is included in the end-user license agreement, which the company counts on the users not reading or understanding.

Rootkits: Once a malicious program is installed on a system, the creator wants it to avoid being detected and removed. Techniques known as rootkits allow this by modifying the computer's operating system so that the malware is hidden from the user and anti-virus software. Rootkits prevent the malware program from being seen in the system's list of processes and keep its files from being readable. Some rootkits contain routines to defend against virus removal. One such technique starts a number of processes that monitor and restore one another as needed. Malware protected by rootkits can be extremely hard to find and remove. The only known 100% reliable way to remove rootkits is to perform a fresh reinstall of the computer's operating system. Backups or system restores will just reload the malware too, as any competent malware creator includes routines that infect all restore points.
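Because a rootkit hides its process from the list that ps and task managers read, defenders look for it by comparing two independent views of the same thing and flagging the difference. The script below is an added example (not from the original article) of that "cross-view" check on Linux: it lists the process IDs published in /proc, then asks the kernel about every PID directly with signal 0, and reports any PID the kernel acknowledges but /proc does not show. The scan cap of 65536 PIDs is an assumption chosen to keep the run short.

```python
import os
import sys


def pid_limit(cap=65536):
    """Upper bound of the PID space to probe. Linux publishes the real value in
    /proc/sys/kernel/pid_max; the cap is an assumption to keep the scan fast."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return min(int(f.read()), cap)
    except OSError:
        return cap


def pids_from_proc():
    """View 1: the process list the kernel publishes through /proc.
    This is what ps, top and most task managers read, so it is what a rootkit filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_signal_probe(limit):
    """View 2: ask the kernel about every PID with signal 0 (no signal is delivered).
    ProcessLookupError means no such process; PermissionError means the process exists
    but belongs to another user, which still proves it is there."""
    alive = set()
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden_pids(limit=None):
    """Return PIDs the kernel acknowledges but which are absent from /proc both before
    and after the probe. Reading /proc twice removes false positives from processes
    that exit during the scan; a process that starts and exits entirely within the scan
    can still appear, so a finding should be confirmed by re-running.
    Linux only: os.kill semantics differ elsewhere, so other platforms get an empty list."""
    if not sys.platform.startswith("linux"):
        return []
    limit = limit or pid_limit()
    before = pids_from_proc()
    probed = pids_from_signal_probe(limit)
    after = pids_from_proc()
    return sorted(probed - before - after)


def self_check():
    """Sanity test: our own PID must appear in both views and never be reported as hidden."""
    if not sys.platform.startswith("linux"):
        return True
    me = os.getpid()
    return me in pids_from_proc() and me in pids_from_signal_probe(pid_limit()) and me not in find_hidden_pids()


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:" if hidden else "no hidden PIDs found", hidden)
```

A non-empty result is a lead, not a verdict: /proc mounted with the hidepid option, or a PID namespace boundary, also makes processes invisible in /proc while the kernel still answers for them. Run it as root so the probe can see every process, and treat a consistent difference across several runs as the signal worth investigating with an offline scan from a known-clean boot medium.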

Backdoors: A backdoor is a method of bypassing normal security procedures. Once a system has been compromised, one or more backdoors may be installed in order to allow easier access for the creator. Crackers typically use backdoors to secure remote access to a computer while attempting to remain hidden from casual inspection. To install backdoors, crackers may use trojan horses, worms, or other methods. A common use for backdoors is in the creation of a botnet.

Spyware: Spyware programs are commercially produced to gather information about a computer user's browsing habits, show them ads, or alter web-browser behavior for the benefit of the spyware creator. Some spyware programs can redirect search engine results to paid advertisements. Others, often called "stealware", overwrite affiliate marketing codes so that revenue is redirected to the spyware creator rather than the person who hosts the ad. Spyware programs are sometimes installed as trojan horses. They differ from malicious versions in that their creators operate openly as businesses, often to gather marketing data (grayware). The spyware is listed in the end-user license agreement to protect the creator from prosecution.

Botnets: Another way that malware creators can profit is to use infected computers to do some form of work. Systems infected for this purpose are known as "zombie" computers. The advantage to email spammers of using zombies is that they make it very difficult to find the spammer, protecting him/her from prosecution. Spammers also use infected PCs to target anti-spam organizations with denial-of-service attacks. To coordinate the activity of a large number of zombies, attackers use coordinating systems known as botnets. In a botnet, the zombie logs into an Internet Relay Chat (IRC) system and waits for instructions. The attacker can then give commands to all the zombies logged in simultaneously. Botnets can be used to send more malware to the infected systems, keeping them resistant to antivirus measures, but botnets are more commonly used to launch distributed denial of service (DDoS) attacks. In a DDoS attack, all of the zombies in a botnet send a little piece of information to the targeted server or network. Since a botnet can consist of thousands of zombies, this overloads the server and can even cause it to shut down. The threat of a DDoS attack at a critical time is often used in extortion schemes.
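The defining property of a botnet flood is that each zombie sends only a little, so a per-source rate limit never trips. The following is an added example (not part of the original article) of detection logic run over a constructed web-server access log: it parses standard combined-format lines, counts requests per source and per path in fixed 60-second windows, and shows that a flood of 40 single requests from 40 addresses is invisible to the per-source check yet obvious in the per-path view. The thresholds and the sample IP ranges are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Three ordinary visitors, then a flood in which
# forty distinct sources each request /login once within a few seconds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.9 - - [10/Oct/2012:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2012:13:56:02 +0000] "GET /contact.html HTTP/1.1" 200 874
""" + "".join(
    f'198.51.100.{i} - - [10/Oct/2012:13:57:{i % 10:02d} +0000] "GET /login HTTP/1.1" 503 0\n'
    for i in range(1, 41)
)

# Apache/nginx "combined" log format: client, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Return a list of (timestamp, source_ip, path); malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("ip"), m.group("path")))
    return events


def bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size window (seconds since the epoch)."""
    epoch = int(ts.timestamp())
    return epoch - epoch % int(window.total_seconds())


def analyze(text, window=timedelta(seconds=60), per_source_limit=30,
            flood_limit=25, min_sources=10):
    """Two detectors over the same events:
    - noisy_sources: a single address exceeding per_source_limit requests in one window
      (catches one loud client, misses a botnet where every zombie sends a little);
    - distributed_floods: one path receiving at least flood_limit requests from at least
      min_sources distinct addresses in one window (the botnet signature)."""
    per_source = defaultdict(int)       # (window, ip)   -> request count
    per_path_count = defaultdict(int)   # (window, path) -> request count
    per_path_ips = defaultdict(set)     # (window, path) -> distinct sources
    for ts, ip, path in parse_log(text):
        b = bucket(ts, window)
        per_source[(b, ip)] += 1
        per_path_count[(b, path)] += 1
        per_path_ips[(b, path)].add(ip)
    noisy = sorted({ip for (b, ip), n in per_source.items() if n > per_source_limit})
    floods = sorted(
        (path, per_path_count[(b, path)], len(ips))
        for (b, path), ips in per_path_ips.items()
        if per_path_count[(b, path)] >= flood_limit and len(ips) >= min_sources
    )
    return {"noisy_sources": noisy, "distributed_floods": floods}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample the per-source detector reports nothing, while the per-path detector reports /login with 40 requests from 40 sources in one window. That asymmetry is the practical lesson: blocking individual addresses does little against a botnet, so mitigation has to work on the aggregate (rate limits per resource, upstream filtering, or absorbing capacity) rather than per client.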

Keyloggers: It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a keylogger, which intercepts the user's keystrokes. The captured keystrokes are then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.

Dialers: Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leaves the line open. This allows the owner of the number to levy an outrageous toll charge on the infected user's telephone bill.

Phishing: Keyloggers and dialers are unreliable and difficult to program properly, so the most common way for malware creators to try to gain access to sensitive information is by phishing. Phishing refers to any method that attempts to trick a computer user into sending the desired information to the criminal. There are numerous techniques used in phishing, but a common method is spam email messages purporting to come from a financial institution such as a bank, or from a web site such as eBay or PayPal. In these scams, the criminal claims that the user needs to update their account information and gives a link to a private web site disguised to look like the real web site of the targeted institution. Once there, the user is directed to enter their account information.

Another common method is to use a trojan or drive-by infection method to install a rogue security program (also known as scareware, because the programs are intended to panic the user into falling for the scam). This is a form of computer malware that deceives users into paying for the fake or simulated removal of malware, or that installs other malware. It starts running and immediately begins listing hundreds of "infections" that are either made up or are legitimate system files, and tells the user that in order to remove the infections, they must send their credit card information to the creator. The user thinks they are buying virus protection, but the creator simply uses the information to steal money from the user's credit account. Phishing relies on the idea that if enough messages are sent, or enough computers are infected, a percentage of users will fall for the trick, and when enough computers are involved, even a very small percentage can add up to a very significant number of victims.

Drive-by infections: Drive-by infection methods use vulnerabilities in operating systems, web browsers, PDF readers, or advertising scripts to automatically download and install malware. Microsoft's ActiveX, JavaScript, and deceptive links or pop-ups are some of the openings exploited to sneak malware into a system. Web sites that have been hacked into and set up to deliver malware are known as poisoned web sites, and links to malware inserted into chat sessions or social networking forums are called poisoned links.

Peer-to-Peer and Social Networking Vectors: Malware is often spread by the desire of people to get things for "free". Peer-to-peer networks like Kazaa, Bearshare, Grokster, LimeWire, and Morpheus are hotbeds of malware distribution. Malware is often hidden inside music files, and when the file is accessed, the malware is installed (trojan viruses). Sometimes the downloaded file itself is a malware program with an innocent-sounding name. The malware creators rely on the fact that the service providers do not monitor what is shared on their networks, and most people do not know that music files, screen savers, and many other desirable download files can carry or be malware. Social networking web sites such as Facebook are also prime targets for malware creators, since they are highly popular. They create bogus accounts, hack into legitimate accounts to poison them, or post links to malware in the response areas.

Email, Chat, and Instant Messaging Spam: These methods have been used for a very long time, and are still used heavily. Spammers use various techniques to hide their identities, such as spoofing email addresses to make the messages seem to come from an innocent person, using botnets to send spam from zombie computers, and raiding computer address books for email addresses. They may use customized bots (programs that search the Internet for information) to randomly generate email addresses to send spam to, and if the spam goes through without bouncing, the address is added to lists which may be sold to other spammers. They may harvest email addresses from chatrooms, websites, customer lists, and Usenet newsgroups. They also use a practice known as e-mail appending (epending) in which they use known information about their target, such as a postal address, to search for the target's email address. A great deal of spam is sent to invalid e-mail addresses while searching for valid targets, which places a huge burden on the email servers. Spam has been estimated at up to 78% of all e-mail sent daily, and it's been estimated that spam cost businesses on the order of $100 billion in 2007. Worst of all, the government of the US, when asked to do something about spam email, declared it to be legal in the CAN-SPAM Act of 2003, provided the message adheres to certain specifications. Needless to say, US spammers frequently violate the conditions of the Act, but still hide behind the law, and spammers in foreign countries ignore it entirely.

Spamvertised sites: Many spam e-mails contain URLs to a website or websites. According to a report in the first quarter of 2010, there were around 183 billion spam messages sent every day. The most popular spam topic is "pharmacy ads", which make up 81% of email spam messages. The most common products advertised according to that report, in order of frequency, are: Fake Pharmacies, Replica Watches, Male Sexual Enhancement, Phishing, Fake University Degrees, Online Casinos, Weight Loss, and then Other Topics. Sometimes spamvertising is for legitimate companies, but normally it is not. Pharmacies in particular are almost guaranteed to be fake, as it is illegal to sell prescription medicines by mail order in the USA.

Advance fee fraud: Advance fee fraud spam such as the Nigerian "419" scam may be sent by a single individual from a cyber cafe in a developing country, or by a group. In this scam, an email proposing a supposedly legal scheme for moving a large sum of money is sent to the prospective victim. If answered, the fraudster sends the victim a check for an enormous sum of money, which the victim is instructed to deposit and then immediately withdraw the amount requested by the fraudster. This money is sent to the fraudster, while the victim is left to deal with the consequences when the original check bounces.

Email Phishing: Spam is also a medium for fraudsters to trick users into entering personal information on fake web sites, using e-mail forged to look like it is from a bank or other organization such as PayPal. Spear-phishing is targeted phishing, using known information about the recipient, such as making the message look like it comes from their employer.
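The phishing messages described in the Phishing and Email Phishing sections share two mechanical tells: the visible link text names the real institution while the href points somewhere else, and the destination domain imitates the brand (a swapped character, or the brand name buried inside an unrelated domain). The script below is an added example, not from the original article, of a mail-gateway style check that extracts every link from a constructed HTML body and reports both tells. The brand allow-list and the sample message are assumptions built for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of brands this filter protects (an assumption for the example).
KNOWN_BRANDS = {"paypal.com", "ebay.com"}

# Constructed phishing-style message body (not a real message). Link 1 shows one URL but
# goes to another, with a swapped character in the brand; link 2 hides the brand name inside
# an unrelated domain; link 3 is a genuine link and must not be flagged.
SAMPLE_HTML = """\
<p>Dear customer, your account needs to be updated.</p>
<p><a href="http://paypa1-secure-login.example.net/update">https://www.paypal.com/account</a></p>
<p><a href="http://www.ebay.com.account-verify.example.org/">Verify your eBay listing</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">our help center</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname. A simplification: production code should consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character brand lookalikes such as paypa1 / paypal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def assess_link(href, text):
    """Return a list of human-readable reasons the link is suspicious (empty if none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    actual = registered_domain(host)
    # Tell 1: the text the reader sees names a different domain than the real destination.
    if looks_like_url(text):
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        shown = registered_domain(shown_host)
        if shown != actual:
            reasons.append(f"displayed domain {shown} differs from actual destination {actual}")
    # Tell 2: the destination is not a known brand but imitates one.
    if actual not in KNOWN_BRANDS:
        tokens = [t for t in host.lower().replace("-", ".").split(".") if t]
        for brand in sorted(KNOWN_BRANDS):
            name = brand.split(".")[0]
            if name in tokens:
                reasons.append(f"brand name '{name}' embedded in unrelated domain {actual}")
            elif any(len(t) >= 4 and levenshtein(t, name) <= 1 for t in tokens):
                reasons.append(f"lookalike of brand {brand} in domain {actual}")
    return reasons


def find_suspicious_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The same two checks are what a user can do by hand: hover over the link to see where it really goes, and read the registrable domain (the part just before the first single slash) rather than whatever brand name happens to appear earlier in the address. A filter like this is a triage aid and will miss a phishing site on a freshly registered, unrelated domain, which is why the page's advice to go to the institution's site directly rather than through an emailed link still holds.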

Organized Crime: There are organized crime gangs operating from Russia or Eastern Europe who share many features in common with other forms of organized crime, including turf battles and revenge killings. Some gangs try to control successful forms of spamming. Other gangs with talented members specialize in writing malware programs which they test against the top antivirus programs. These programs are not used by the gangs directly. Instead, the programs are sold to others who want to profit from them but do not have the talent to write their own. This trade has become a big business for the gangs.