In this document, the term “threat” denotes any kind of software that can directly or potentially inflict damage on a computer or network, or compromise the user's information or rights (that is, malicious and other unwanted programs). In a broader sense, however, “threat” may mean any potential danger to computer or network security, including vulnerabilities that can be exploited to launch attacks.
All program types described below can endanger the user's data or confidentiality. Programs that do not hide their presence from the user (for example, spam-sending software or traffic analyzers) are usually not considered computer threats, although they can become threats under certain circumstances.
Computer viruses are characterized by their ability to inject malicious code into the running processes of other programs. This action is called infection. In most cases, the infected file becomes a virus carrier itself, and the injected code does not necessarily match the original one. Most viruses are created to damage or destroy data in the system.
Doctor Web divides viruses by the type of objects they infect into the following categories:
• File viruses infect operating system files (usually executable files and dynamic-link libraries) and are activated when an infected file is run.
• Macro viruses infect documents used by Microsoft Office (or other programs that support macro commands written, for example, in Visual Basic). Macro commands are built-in programs (macros) written in a fully functional programming language that can be launched under specific circumstances (for example, in Microsoft Word, macros can be activated upon opening, closing, or saving a document).
• Script viruses are created in script languages and mostly infect other scripts (such as OS service files). By exploiting vulnerable scripts in web applications, they can also infect other file types that support script execution.
• Boot viruses infect the boot sectors of disks and partitions or the master boot records of hard disks. They require little memory and can remain active until the operating system is loaded, restarted, or shut down.
Most viruses have special mechanisms that protect them against detection. These mechanisms are constantly improved, and ways to overcome them are constantly developed. According to the type of protection they use, viruses can be divided into the following groups:
• Encrypted viruses re-encrypt their malicious code upon every infection to make its detection in a file, boot sector, or memory more difficult. Each sample of such a virus still contains a short common code fragment (the decryption procedure) that can be used as the virus signature.
• Polymorphic viruses encrypt their code as well, but the decryption procedure itself is different in every new copy of the virus, so such viruses have no constant byte signature.
• Stealth viruses (invisible viruses) perform certain actions to disguise their activity and conceal their presence in an infected object. Such viruses record the characteristics of an object before infecting it and then plant these “dummy” characteristics so that a scanner searching for modified files is misled.
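To show why a scanner that trusts an object's recorded size and timestamps is misled by the “dummy” characteristics described above, here is an added example (not part of the original text and not code from any Doctor Web product): a small Python integrity check that keeps a content hash alongside those attributes. The sample file and the tampering helper are constructed purely for the demonstration.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Record what a scanner might compare against a baseline: the object's
    size and timestamps (cheap, but spoofable) and a SHA-256 of its contents."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns, "sha256": digest}

def metadata_changed(baseline, current):
    """The check a stealth virus defeats: size and modification time only."""
    return (baseline["size"] != current["size"]
            or baseline["mtime_ns"] != current["mtime_ns"])

def content_changed(baseline, current):
    """Content hash: matches only if the bytes the scanner reads are intact."""
    return baseline["sha256"] != current["sha256"]

def tamper_preserving_metadata(path, patch):
    """Constructed stand-in for the 'dummy characteristics' trick: overwrite
    bytes in place so the size stays the same, then plant the old access and
    modification times back on the file. (ctime cannot be set this way and does
    move, but its granularity depends on the filesystem, so it is not relied on.)"""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(patch[: st.st_size])
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def demo():
    """Returns (metadata check fired, hash check fired) for a constructed file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "app.bin")  # constructed sample object
        with open(target, "wb") as f:
            f.write(b"ORIGINAL PROGRAM BYTES")
        baseline = fingerprint(target)
        tamper_preserving_metadata(target, b"PATCHED")
        current = fingerprint(target)
        return metadata_changed(baseline, current), content_changed(baseline, current)

if __name__ == "__main__":
    print(demo())  # (False, True): size and mtime look untouched, the hash does not
```

If the virus also intercepts file reads, even the hash view can be faked, which is why scanning from a clean boot medium remains the reliable way to check an infected system.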
Viruses can also be classified by the language they are written in (most viruses are written in assembly language, but there are also viruses written in high-level programming languages, script languages, and so on) and by the operating systems they can infect.
Recently, worms have become much more widespread than viruses and other malicious programs. Like viruses, worms can replicate themselves; however, they do not infect other objects. A worm infiltrates a computer from a network (usually as an email attachment or from the internet) and spreads functional copies of itself to other computers. Distribution can be triggered by some user action or happen automatically.
Worms do not necessarily consist of only one file (the worm's body). Many of them have a so-called infectious part (shellcode) that is loaded into main memory and then downloads the worm's body as an executable file via the network. If only the shellcode is present in the system, the worm can be removed simply by restarting the system (since RAM is cleared). However, once the worm's body has infiltrated the computer, only an anti-virus program can fight it.
Even if worms do not bear any payload (do not cause direct damage to a system), they can still cripple entire networks because of how intensely they spread.
Doctor Web classifies worms in accordance with their distribution methods as follows:
• Network worms spread via various network and file-sharing protocols.
• Mail worms spread via mail protocols (POP3, SMTP, and others).
• Chat worms use the protocols of popular instant messengers and chat programs (ICQ, IM, IRC, etc.).
Trojan programs (Trojans)
These programs cannot replicate themselves. Trojans substitute for a frequently used program and perform its functions (or imitate its operation). Meanwhile, they perform malicious actions in the system (damaging or deleting data, sending out confidential information, etc.) or make it possible for intruders to access the computer without permission, for example, to harm the computer of a third party.
Like viruses, these programs can perform various malicious activities, hide their presence from the user, and even be a component of a virus. However, Trojans are usually distributed as separate executable files (through file-exchange servers, data carriers, or email attachments) that are run by users themselves or by some specific system process.
Trojans are hard to classify, because they are often distributed by viruses or worms and because many malicious actions that other types of threats can perform are attributed to Trojans only. Here are some Trojan types that Doctor Web distinguishes as separate classes:
• Backdoors are Trojans that allow an intruder to get privileged access to the system, bypassing any existing protection mechanisms. Backdoors do not infect files; instead, they register themselves in the system by modifying registry keys.
• Rootkits are used to intercept operating system functions in order to hide their presence. Moreover, a rootkit can conceal the processes of other programs, registry keys, folders, and files. It can be distributed either as an independent program or as a component of another malicious application. Based on their operating mode, rootkits fall into two categories: User Mode Rootkits (UMR), which operate in user mode (intercepting functions of user-mode libraries), and Kernel Mode Rootkits (KMR), which operate in kernel mode (intercepting functions at the system kernel level, which makes these malicious programs hard to detect).
• Keyloggers log the data that users enter by means of the keyboard. These malicious programs can steal various kinds of confidential information (including network passwords, logins, bank card data, and so on).
• Clickers redirect users to specified internet resources (which may be malicious) in order to increase traffic to those websites or to perform DDoS attacks.
• Proxy Trojans provide cybercriminals with anonymous internet access via the victim's computer.
Trojans can also perform other malicious actions besides those listed above. For example, they can change the browser home page or delete certain files. However, such actions can also be performed by threats of other types (viruses or worms).
Hacktools are designed to assist intruders with hacking. The most common among these programs are port scanners, which detect vulnerabilities in firewalls and other components of a computer's protection system. Such tools can be used not only by hackers but also by administrators to check the security of their networks. Sometimes various programs that use social engineering techniques are designated as hacktools too.
Usually, the term adware refers to program code incorporated into freeware programs that forcibly displays advertisements to users. However, such code can sometimes be distributed via other malicious programs and show advertisements, for example, in web browsers. Many adware programs operate based on data collected by spyware.
Like adware, joke programs are minor threats that cannot inflict any direct damage on the system. Joke programs usually just generate messages about allegedly detected errors and threaten to perform actions that may lead to data loss. Their purpose is to frighten or annoy users.
These are special programs designed to scan a range of telephone numbers and find those where a modem answers. These numbers are then used to run up telephone charges or to connect the user to expensive telephone services.
These programs are not intended to be computer threats. However, they can still cripple system security because of certain features and are therefore classified as minor threats. This category includes not only programs that can accidentally damage or delete data but also programs that can be used by hackers or by malicious applications to harm the system. Among such programs are various remote chat and administration tools, FTP servers, and so on.
These are potential computer threats detected by the heuristic analyzer. Such objects can be a threat of any type (even one unknown to information security specialists) or turn out to be safe in the case of a false positive. Please move files containing suspicious objects to quarantine and send them to the Doctor Web anti-virus laboratory for analysis.