Malicious software and antivirus
Categorization of malware

Malware can be classified in several ways, according to different criteria: how it is distributed, how it installs itself on the system, how it is remotely controlled, and so on. Modern specimens usually combine many features, so they are normally classified by their main one. For example, a Trojan horse may have rootkit capabilities that let it hide from expert users and from security products. It may also be a bot in a network of infected computers that are remotely controlled. At the same time it may display advertisements and capture keystrokes, which would also place it in the adware and keylogger families. In other words, it would be a Trojan horse, rootkit, bot, adware and keylogger all in one, and such combinations are in fact quite common.

A first classification of malware is based on whether it needs a host file in order to propagate.

Four kinds of malicious software need a host file for propagation: trap doors, logic bombs, Trojan horses and viruses.

Figure 4 shows the distribution of malware by category (source: Panda Security).

Fig. 4 – Malware distribution by category

Two kinds of malicious software that do not need a host file for propagation are worms and zombies (bots).

Trap doors (also called backdoors) are secret entry points into a program that allow access to the system without going through its security mechanisms. Programmers sometimes add them while debugging: a trap door lets the developer skip authentication during debugging and testing, and obtain special privileges in the process. If such a trap door is left in the shipped program, malicious software will look for it and use it to bypass the security mechanisms, which makes it a serious software threat to the computer system.

Logic bombs are the oldest kind of malicious software and also constitute a software threat. A logic bomb is code embedded in a legitimate program that activates once some condition is met. Examples of such conditions are the presence or absence of a specific file, or a preset day, week or date on which a certain application is started. When it fires, a logic bomb can cause loss of or damage to the information system (IS); for example, it may erase files or stop running applications.

Trojan horses are programs or commands that perform a useful procedure or process while carrying out malicious activity in the background, such as erasing data. A notable example of this kind of malicious software is spyware, which collects passwords typed on the keyboard, information about visited web pages, the software in use on the computer and the information sent over the Internet.

Viruses are programs that attach themselves to other programs or files and can produce unauthorised effects. They need a host file to propagate, and they modify that host file in order to insert themselves into it. Viruses can attack further files, propagate themselves and corrupt the IS.

A worm can propagate by itself from one computer system to another as long as the two systems are connected by a network. Worms commonly spread through e-mail (by mailing copies of themselves to addresses found on the infected machine) or through other network services reachable from the infected host.

A zombie is a computer that has been infected by malicious software propagated over the network and that, after the successful penetration, can be remotely controlled and administered by the attacker; the malware itself is often called a bot. A group of computers infected with the same malware and controlled together is known as a botnet. The botnet can be controlled from a single remote computer (the command-and-control server) and its members made to carry out the same orders at once, which is what makes a DDoS (Distributed Denial of Service) attack possible.
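A zombie has to check in with its controller, and the regularity of that check-in is one of the simplest network-side indicators of a bot. The following is an added example written for this page, not code from the original text: it scans constructed connection-log lines for source/destination pairs that talk at near-constant intervals. The log format, the addresses and the thresholds are all assumptions made for the example.

```python
"""Beacon detection over constructed connection logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines, not captured traffic. Format: "<ISO time> <src> -> <dst>:<port>"
LOG = """
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:00:07 10.0.0.5 -> 198.51.100.20:80
2024-05-01T10:05:01 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:09:59 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:12:30 10.0.0.5 -> 198.51.100.20:80
2024-05-01T10:15:00 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:20:02 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:24:58 10.0.0.5 -> 203.0.113.9:443
2024-05-01T10:31:00 10.0.0.5 -> 198.51.100.20:80
2024-05-01T10:58:00 10.0.0.5 -> 198.51.100.20:80
""".strip().splitlines()


def parse(lines: list[str]) -> dict[tuple[str, str], list[datetime]]:
    """Group connection times by (src, dst:port)."""
    flows: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        left, dst = line.split(" -> ")
        ts, src = left.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(lines: list[str], min_events: int = 4, max_cv: float = 0.1) -> list[dict]:
    """Flag flows with at least min_events connections whose inter-arrival times are
    nearly constant (coefficient of variation, stdev/mean, below max_cv)."""
    hits = []
    for (src, dst), times in parse(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(times),
                         "period_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(LOG):
        print(h)
```

In the constructed log only 203.0.113.9:443 is flagged (six connections about 300 s apart), while the irregular traffic to 198.51.100.20 is not. Real bots add jitter or randomise their sleep timer precisely to defeat this check, so in practice the threshold is tuned per environment and combined with other signals such as destination reputation and the very small, uniform size of the check-in messages.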