These definitions are derived from Microsoft's Security Glossary. They are consistent with most industry expert definitions, but you may find some resources that differ. I will describe the words in abstract terms, but, in reality, many types of malware demonstrate the behaviors of two or more malware classes, which I will detail in later tips.
Malware, also called malicious software, is designed to be deliberately harmful when executed by an attacker. Viruses, worms and spyware are all examples of malware.
Viruses copy themselves from computer to computer by automatically attaching to host programs. For a virus to propagate, the victimized user usually has to take some action, like opening an infected e-mail attachment or executing an infected program.
Worms are similar to viruses in that they are self-propagating malware, but rather than attach themselves to files, they automatically infect remote computers through network connections by exploiting security vulnerabilities.
Adware and spyware
Adware and spyware can be difficult to distinguish, but it is important that you understand the differences. Adware software is included with
Spyware, unlike adware, is software that collects personal information without the user's permission. Some forms of spyware deliver advertising, while others collect interesting data, such as usernames, passwords or account numbers, and forward them to the spyware creators. Datview.exe, as another example, is a keystroke logger (marketed as Invisible KeyLogger Stealth) that may be legitimately used by a law officer monitoring a suspected criminal, but would be considered spyware if a private individual installs it on another person's computer.
Some adware behaves a lot like spyware. For example, the previously mentioned Cydoor software is described by some industry experts as spyware because it cannot be easily removed. Other adware forces the user to pay a fee to purchase a removal tool. Which category these frustrating programs fall under depends on who you talk to. So far, at least one adware operator has begun suing people who label its programs as malware. (CastleCops, NetRN, Sunbelt Software, InternetWeek and BroadbandReports)
The previous list of programs might also be described by some as Trojan horses: programs that appear to be useful or harmless but include hidden code designed to exploit or damage systems.
Most forms of malware tend to be noisy: Their behavior draws attention to them because they often damage files or consume system resources. On the other hand, rootkits are designed to stay hidden. The name 'rootkit' refers to its origin in Unix-based operating systems, where the most powerful account is referred to as 'root.' An attacker first compromises a system through a security vulnerability, such as a missing patch or a weak password, and installs his collection ('kit') of tools, which will facilitate his ongoing use of the compromised system. Rootkits are stealthy and non-destructive, providing backdoors for ongoing remote access to Windows systems.
Attackers have various motivations for using rootkits to retain access to previously compromised computers. They may want to use the compromised computer to:
- Collect private information from victims, such as credit card numbers or usernames and passwords.
- Host a collection of pirated software and digital media that they are selling to other people.
- Stage a more complex attack against other people or organizations.
About the author:
Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. He has also co-authored two books on computer software and operating systems.
This tip originally appeared on our sister site SearchWindowsSecurity.com.
This was first published in May 2005