Appendix A. Types of Computer Threats

Herein, the term “threat” is defined as any kind of software that is potentially or directly capable of inflicting damage on a computer or network and of compromising user information or rights (that is, malicious and other unwanted software). In a broader sense, the term “threat” can denote any potential danger to a computer or network, including a vulnerability that can be exploited in a cyberattack.

All of the program types described below can endanger user data or confidentiality. Programs that do not conceal their presence in the system (for example, spam distribution software or traffic analyzers) are usually not considered computer threats, although under certain circumstances they too can harm the user.

Computer Viruses

Computer threats of this type are capable of embedding their code in other programs. Such embedding is called infection. In most cases, an infected file becomes a carrier of the virus, and the code embedded in it does not necessarily match the original (a virus may vary its code from one infection to the next). A significant number of viruses are designed to damage or destroy data.

In Doctor Web classification, viruses are separated by the type of objects they infect:

File viruses infect files of the operating system (usually executable files and dynamic libraries) and are activated when an infected file is run.

Macro viruses infect documents of Microsoft® Office (and of other applications that support macros, for example, those written in Visual Basic). Macros are programs embedded in a document and written in a fully functional programming language; they can run under specific conditions (for instance, in Microsoft® Word a macro can start automatically when a document is opened, closed or saved), so an infected document can execute code as soon as the user opens it.

Script viruses are written in scripting languages and usually infect other script files (e.g. service scripts of an operating system). They can also infect files of other types that allow scripts to be executed, and can spread, for example, via vulnerable web applications.

Boot viruses infect the boot records of disks and partitions as well as the master boot records of hard drives. They require little memory and remain resident, ready to continue performing their tasks, until the system is restarted or shut down, after which they are loaded again from the infected boot record at the next start-up.
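As an added example (not part of the Doctor Web appendix or its products), the following Python script shows the check a practitioner would run for the boot viruses just described: it parses a 512-byte master boot record, validates the 0x55AA boot signature, lists the partition entries and compares a SHA-256 of the bootstrap code (bytes 0–439) against a baseline recorded when the disk was known to be clean. A boot virus replaces that bootstrap code but usually leaves the partition table intact so the system still boots, which is exactly what the comparison picks up. The MBR contents, disk signature and bootstrap bytes below are constructed for this example; the offsets are the standard MBR layout.

```python
"""Parse a master boot record and check its bootstrap code against a known-good hash.

Added example, not code from the Doctor Web appendix.  The MBR bytes are
constructed here; the field offsets follow the standard MBR layout.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and return its bootstrap hash, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature: not a valid MBR")
    partitions = []
    for idx in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + idx * 16)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": idx, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code is unchanged from the recorded baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR around the given bootstrap bytes (example data only)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"          # constructed disk signature
    # One bootable Linux partition (type 0x83) starting at LBA 2048, 512 MiB long; CHS fields are placeholders.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 1048576)
    table = entry + b"\x00" * 48                                      # remaining three slots empty
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed stand-ins for the bootstrap code; these are not real boot loaders.
CLEAN_MBR = build_sample_mbr(b"ORIGINAL BOOTSTRAP CODE (constructed)")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the disk is known to be clean
TAMPERED_MBR = build_sample_mbr(b"REPLACED BOOTSTRAP CODE (constructed)")

if __name__ == "__main__":
    # On a live Linux system the sector would come from open("/dev/sda", "rb").read(512), run as root.
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, "boot code intact:", boot_code_matches(mbr, BASELINE),
              "partitions:", info["partitions"])
```

The partition table is reported separately on purpose: a tampered sector whose partition entries still match the clean one is the typical boot-virus picture, whereas a changed partition table points to a different kind of damage.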
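The macro-virus paragraph above notes that Office can run a macro automatically when a document is opened, closed or saved. The Python script below, added here as an example and not taken from the Doctor Web appendix or its products, scans VBA source for exactly those auto-execution entry points (AutoOpen, Document_Open, Workbook_Open and so on) and for calls that reach outside the document. Both VBA samples are constructed, and the list of suspicious calls is this example’s own watch-list; extracting the VBA source from a .docm or .xlsm file is left to a tool such as olevba.

```python
"""Flag VBA macros that run without user action and reach outside the document.

Added example, not code from the Doctor Web appendix.  The VBA samples are
constructed; the auto-execution names are the standard Office entry points,
the call watch-list is this example's own.
"""
import re

# Procedure names that Word/Excel invoke on document events without any user action.
AUTO_EXEC_NAMES = {
    "autoexec", "autoopen", "autoclose", "autoexit", "autonew",
    "document_open", "document_close", "document_new",
    "auto_open", "auto_close", "workbook_open", "workbook_close",
    "workbook_activate", "workbook_beforeclose",
}

# Calls that let a macro leave the document (constructed watch-list for this example).
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "WScript.Shell", "URLDownloadToFile", "Environ")

# Start of a Sub or Function declaration; captures the procedure name.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE | re.MULTILINE,
)


def find_auto_exec_procs(vba_source: str) -> list[str]:
    """Names of procedures that Office starts by itself (on open, close, save ...)."""
    return [name for name in PROC_RE.findall(vba_source) if name.lower() in AUTO_EXEC_NAMES]


def find_suspicious_calls(vba_source: str) -> list[str]:
    """Watch-listed calls present anywhere in the source, case-insensitively."""
    lowered = vba_source.lower()
    return sorted({call for call in SUSPICIOUS_CALLS if call.lower() in lowered})


def assess_macro(vba_source: str) -> dict:
    """Flag only when the macro both runs on its own and reaches outside the document."""
    auto = find_auto_exec_procs(vba_source)
    calls = find_suspicious_calls(vba_source)
    return {"auto_exec": auto, "suspicious_calls": calls, "flagged": bool(auto and calls)}


# Constructed sample: auto-runs on open and spawns a process through WScript.Shell.
SAMPLE_SUSPICIOUS = """
Private Sub Document_Open()
    ' Runs as soon as the document is opened; reaches outside Word via WScript.Shell.
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "notepad.exe"
End Sub

Sub Helper()
    ' Ordinary procedure; only runs when called.
End Sub
"""

# Constructed sample: also auto-runs, but stays inside the document, so it is not flagged.
SAMPLE_BENIGN = """
Sub AutoOpen()
    MsgBox "Quarterly report template loaded"
End Sub

Function WordCount() As Long
    WordCount = ActiveDocument.Words.Count
End Function
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, assess_macro(src))
```

The two conditions are deliberately combined: an AutoOpen that only shows a message box is common in legitimate templates, and a Shell call in a procedure that never runs by itself is less urgent, while the combination is the macro-virus pattern the paragraph describes.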

Most viruses employ some mechanism of protection against detection. These mechanisms are constantly being improved, and ways to counter them are constantly being developed. Viruses can also be classified according to their type of protection against detection:

Encrypted viruses encrypt their code upon every infection (typically with a different key each time) to hinder their detection in a file, a boot sector or memory. All instances of such viruses contain only a short common code fragment (the decryption procedure), which can therefore be used as a signature.

Polymorphic viruses not only encrypt their code but also generate a new decryption procedure for every instance of the virus. As a result, such viruses have no constant byte sequence that could serve as a signature and cannot be found by a plain byte-signature scan.

Stealth viruses (invisible viruses) take steps to disguise their activity and conceal their presence in infected objects. Such a virus records the characteristics of an object (for example, its size and timestamps) before infecting it and then returns the original values when the operating system or a program checks the object for modifications.
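The difference between encrypted and polymorphic viruses described above comes down to whether a byte signature survives from one instance to the next. The Python model below is an added example, not code from the Doctor Web appendix: it builds synthetic samples in both layouts (a decryptor stub followed by an XOR-encrypted body) using a hypothetical toy instruction set rather than real machine code, so nothing in it executes as a program, and then runs two detectors over them: a plain signature scanner with a wildcard byte, and a minimal emulator that interprets the stub and scans the decrypted body. The body text, opcodes and signatures are all constructed for this example.

```python
"""Signature scanning versus emulation on encrypted and polymorphic samples.

Added example, not code from the Doctor Web appendix.  The samples are
constructed byte strings modelling the layouts described on the page; the
decryptor stub uses a hypothetical toy instruction set, not real machine code.
"""
import random

# Constructed stand-in for the virus body (plain ASCII); a 16-byte slice of it is the body signature.
BODY = b"CONSTRUCTED SAMPLE: stands in for the malicious code that the decryptor reveals"
BODY_SIGNATURE = BODY[20:36]

# Toy decryptor instruction set (hypothetical, for this example only):
#   0xB0 k / 0xB3 k : load key k (two equivalent encodings)
#   0x90, 0x87      : do-nothing filler that a polymorphic engine can sprinkle in
#   0x34            : XOR-loop over everything that follows; ends the stub
LOAD_KEY_OPS = (0xB0, 0xB3)
JUNK_OPS = (0x90, 0x87)
XOR_LOOP_OP = 0x34


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_encrypted_sample(key: int) -> bytes:
    """'Encrypted virus': the stub is identical in every instance except for the key byte."""
    return bytes([0xB0, key, XOR_LOOP_OP]) + xor(BODY, key)


def make_polymorphic_sample(key: int, rng: random.Random) -> bytes:
    """'Polymorphic virus': same semantics, but the stub is generated afresh every time."""
    def junk(min_len: int) -> bytes:
        return bytes(rng.choice(JUNK_OPS) for _ in range(rng.randint(min_len, min_len + 2)))
    # At least two filler bytes between the key load and the loop, so no fixed pattern survives.
    return (junk(0) + bytes([rng.choice(LOAD_KEY_OPS), key]) + junk(2)
            + bytes([XOR_LOOP_OP]) + xor(BODY, key))


# Wildcard byte signature for the fixed decryptor: B0 ?? 34 (None matches any byte).
STUB_SIGNATURE = [0xB0, None, XOR_LOOP_OP]


def match_signature(data: bytes, sig) -> bool:
    """Sliding-window match of a signature with optional wildcard positions."""
    n = len(sig)
    return any(all(s is None or data[i + j] == s for j, s in enumerate(sig))
               for i in range(len(data) - n + 1))


def detect_static(sample: bytes) -> bool:
    """Plain signature scanner: looks for the stub or the body in the raw bytes."""
    return match_signature(sample, STUB_SIGNATURE) or match_signature(sample, list(BODY_SIGNATURE))


def emulate_and_decrypt(sample: bytes):
    """Interpret the toy stub as an anti-virus emulator would and return the decrypted body."""
    key, i = None, 0
    while i < len(sample):
        op = sample[i]
        if op in JUNK_OPS:
            i += 1
        elif op in LOAD_KEY_OPS and i + 1 < len(sample):
            key, i = sample[i + 1], i + 2
        elif op == XOR_LOOP_OP and key is not None:
            return xor(sample[i + 1:], key)
        else:
            return None            # not a decryptor this emulator understands
    return None


def detect_emulated(sample: bytes) -> bool:
    body = emulate_and_decrypt(sample)
    return body is not None and BODY_SIGNATURE in body


def compare_detectors(count: int = 50, seed: int = 7) -> dict:
    """Hit counts of both detectors over `count` samples of each kind (non-zero keys)."""
    rng = random.Random(seed)
    keys = [rng.randint(1, 255) for _ in range(count)]
    encrypted = [make_encrypted_sample(k) for k in keys]
    polymorphic = [make_polymorphic_sample(k, rng) for k in keys]
    return {
        "static_on_encrypted": sum(map(detect_static, encrypted)),
        "static_on_polymorphic": sum(map(detect_static, polymorphic)),
        "emulated_on_encrypted": sum(map(detect_emulated, encrypted)),
        "emulated_on_polymorphic": sum(map(detect_emulated, polymorphic)),
    }


if __name__ == "__main__":
    print(compare_detectors())
```

The static scanner catches every encrypted sample through the wildcard stub signature and none of the polymorphic ones, while the emulator catches both, which is why anti-virus engines run suspicious code in an emulator before scanning rather than relying on byte patterns alone.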

Viruses can also be classified by the programming language in which they are written (for example, a low-level language such as assembly or a high-level language such as Go) or by the operating system they infect.

Computer Worms

Like viruses, programs of the “computer worm” type can copy themselves, but they do not infect other objects. A worm enters a computer over a network (typically as an email attachment or from the internet) and sends working copies of itself to other computers. Worms either rely on user actions to spread or spread automatically.

Worms do not necessarily consist of a single file (the worm body). Many have a so-called infectious part (the shellcode), which is loaded into the computer’s memory and then downloads the worm body as an executable file over the network. Until the worm body has been downloaded, the worm can be removed by rebooting the computer (which clears the memory), although the computer will be infected again unless the vulnerability the shellcode exploited is fixed. Once the worm body has infiltrated the system, only an anti-virus program can cope with it.

Worms can render entire networks inoperable even if they carry no payload (i.e. cause no direct damage to the system), simply through the traffic they generate while spreading.

In Doctor Web classification, worms are separated by their distribution method (environment):

Network worms spread via various network and file sharing protocols.

Mail worms spread via email protocols (POP3, SMTP and so on).

Chat worms spread via popular instant messaging services (ICQ, IRC and other IM services).

Trojans

Malware of this type cannot reproduce itself. A trojan masquerades as a popular program and performs its functions (or imitates its operation). Meanwhile, it performs malicious actions (damages or deletes data, sends out confidential information and so on) or gives an attacker unauthorized access to the computer, for example, in order to harm a third party.

A trojan’s disguise and malicious features are similar to those of a virus, and a trojan can even be a component of a virus. However, most trojans spread as separate executable files (through file exchange servers, removable media or email attachments) that are started by users or by certain system processes.

Trojans are hard to classify because they are often spread by viruses and worms, and because many malicious actions that other types of threats can also perform are attributed to trojans alone. Here are some trojan types that Doctor Web classifies as separate classes:

Backdoors are trojans that allow an attacker to gain privileged access to a system, bypassing existing access and security controls. Backdoors do not infect files.

Rootkits intercept system functions of an operating system in order to conceal themselves. Furthermore, a rootkit can hide the processes, directories and files of other programs. It can spread either as an independent program or as an auxiliary component of another malicious program. There are two kinds of rootkits according to their operation mode: User Mode Rootkits (UMR), which intercept functions of user-mode libraries, and Kernel Mode Rootkits (KMR), which intercept functions at the level of the system kernel and are therefore harder to detect and neutralize.

Keyloggers log the data that users enter via the keyboard. Their aim is to steal personal information (e.g. network passwords, logins, primary account numbers and so on).

Clickers redefine hyperlinks when they are clicked and thus redirect users to certain websites (sometimes malicious ones). This is usually done to inflate a website’s advertising traffic or to carry out distributed denial-of-service (DDoS) attacks.

Proxy trojans provide anonymous internet access to a malicious actor through a victim’s computer.

In addition, trojans can also change the start page in a web browser or delete certain files. However, these actions can also be performed by other types of threats (viruses and worms).

Hacktools

Hacktools are programs designed to assist an intruder with hacking. The most common are port scanners, which reveal open ports and exposed services and thereby gaps in firewalls and other components of a computer’s protection system. Besides attackers, such tools are used by administrators to test the security of their own networks. Occasionally, programs that use social engineering techniques are also classified as hacktools.

Adware

Usually this term refers to program code embedded in freeware that forces advertisements to be displayed to the user. However, such code can also be distributed by other malicious programs and display advertisements, for example, in web browsers. Many adware programs operate with data collected by spyware.

Jokes

Like adware, this type of malware cannot inflict any direct damage on the system. Joke programs usually just display messages about errors that never occurred and threaten to perform actions that would lead to data loss. Their purpose is to frighten or annoy users.

Dialers

These are special programs designed to dial through a range of telephone numbers and find those on which a modem answers. Such numbers are then used to run up the user’s telephone charges or to connect the user to expensive telephone services without their knowledge.

Riskware

These programs were not created for malicious purposes, but because of their capabilities they can pose a threat to system security. Riskware can accidentally damage or delete data, or be used by malicious actors or other programs to harm the system. Riskware includes various remote chat and administration tools, FTP servers and so on.

Suspicious Objects

Suspicious objects are potential threats detected by a heuristic analyzer. Such an object may belong to any type of computer threat (including types not yet known to information security specialists), or it may turn out to be safe (a false positive). It is recommended that files containing suspicious objects be quarantined and sent to Doctor Web anti-virus laboratory experts for analysis.