Viruses, worms, Trojan horses – the terminology of malicious code sounds like some strange mix between a medical
reference and a history textbook! To the new network security practitioner, the sea of definitions can be somewhat confusing. Understanding how each piece of malware works is the first step in hardening a network against those attacks. Let's take a look at each of the major types of malicious code and some of their less notable variations.
Most computer users are familiar with the concept of a computer virus. These nasties have two goals in life: to spread themselves from system to system (propagate) and to perform some action (the virus payload) on each system they infect. The payload varies significantly from virus to virus. Some of the more benevolent viruses out there just display an annoying message on the screen or alter the appearance of your desktop. More malicious viruses might destroy data stored on your hard drive or perform something similarly destructive.
There are several types of viruses out there. File infector viruses attack executable files on your hard drive. Each time you run the file, you unknowingly invoke the virus which, in turn, delivers its payload to your system. Boot sector viruses infect the portion of your hard drive that contains the operating system instructions telling the computer how to start up. These viruses are invoked each time the computer starts. Finally, macro viruses infect application documents (typically Microsoft Office documents) by using the application's powerful scripting language to hide unwanted instructions within the documents themselves.
Worms are big in the news today because of the major impact they have on the Internet as a whole. In general, worms are very similar to viruses. They share the same goals – propagation and payload delivery. However, they differ in one important respect. While viruses typically require some action on the part of the user (e.g. sharing files or using an infected floppy) to propagate, worms are self-replicating. They exploit vulnerabilities in common operating systems and applications to spread from system to system under their own power. The more systems they infect, the greater the amount of traffic they generate. Several recent worm incidents, such as the SQL Server Slammer worm and the Blaster worm made big news because they impacted thousands of systems around the world.
Trojan horses, like their historical counterpart, prey upon the naivetÉ of unsuspecting computer users. They hide themselves within seemingly useful programs (such as a bug fix or Solitaire game) that users download from the Internet. When the program runs it acts normally, but the Trojan silently delivers its payload in the background. The reality of this threat has lead many enterprises to forbid the downloading of software from the Internet.
Take some time to review these definitions and follow up with some reading on recent malware incidents. As a network security professional, it's important that you're familiar with these terms. After all, the first step to building a solid defense is to understand your adversary! While it's true that there's a significant threat out there from malicious code, there are simple measures you can take to protect your organization.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
For more information on this topic, visit these resources:
- Learning Path: Malware
- Test: Malicious code -- What's what
- Infosec Know IT All Trivia: Virus prevention