Adware, rootkits and worms: Translating malware speak

Learn basic translations for common malware terms, including adware, rootkits and worms.

Do you know your malware lingo? Even if you think you do, you may want to scan this tip. Some authors define malware terms differently from others. To benefit the most from this tips series, you will want to be sure you understand exactly what I mean when I use these malware terms.

These definitions are derived from Microsoft's Security Glossary. They are consistent with most industry expert definitions, but you may find some resources that differ. I will describe the words in abstract terms, but, in reality, many types of malware demonstrate the behaviors of two or more malware classes, which I will detail in later tips.

Malware, also called malicious software, is designed to be deliberately harmful when executed by an attacker. Viruses, worms and spyware are all examples of malware.

Viruses copy themselves from computer to computer by automatically attaching to host programs. For a virus to propagate, the victimized user usually has to take some action, like opening an infected e-mail attachment or executing an infected program.

Worms are similar to viruses in that they are self-propagating malware, but rather than attach themselves to files, they automatically infect remote computers through network connections by exploiting security vulnerabilities.

Adware and spyware
Adware and spyware can be difficult to distinguish, but it is important that you understand the differences. Adware is software that is included with other software and delivers various forms of advertising, such as pop-up ads. It may also direct specific ads to users based on the personal information it collects. When users install the primary software, they agree to have the adware run on their computers. It is possible to uninstall or disable the adware, but typically doing so also disables the primary software. For instance, Kazaa is a free file-sharing application that is financed by bundling in adware like Cydoor.

Spyware, unlike adware, is software that collects personal information without the user's permission. Some forms of spyware deliver advertising, while others collect interesting data, such as usernames, passwords or account numbers, and forward them to the spyware creators. Datview.exe, as another example, is a keystroke logger (marketed as Invisible KeyLogger Stealth) that may be legitimately used by a law officer monitoring a suspected criminal, but would be considered spyware if a private individual installs it on another person's computer.

Some adware behaves a lot like spyware. For example, the previously mentioned Cydoor software is described by some industry experts as spyware because it cannot be easily removed. Other adware forces the user to pay a fee to purchase a removal tool. Which category these frustrating programs fall under depends on who you talk to. So far, at least one adware operator has begun suing people who label its programs as malware. (CastleCops, NetRN, Sunbelt Software, InternetWeek and BroadbandReports)

Trojan horses
The previous list of programs might also be described by some as Trojan horses: programs that appear to be useful or harmless but include hidden code designed to exploit or damage systems.

Most forms of malware tend to be noisy: Their behavior draws attention to them because they often damage files or consume system resources. On the other hand, rootkits are designed to stay hidden. The name 'rootkit' refers to its origin in Unix-based operating systems, where the most powerful account is referred to as 'root.' An attacker first compromises a system through a security vulnerability, such as a missing patch or a weak password, and installs his collection ('kit') of tools, which will facilitate his ongoing use of the compromised system. Rootkits are stealthy and non-destructive, providing backdoors for ongoing remote access to Windows systems.

Attackers have various motivations for using rootkits to retain access to previously compromised computers. They may want to use the compromised computer to:

  • Collect private information from victims, such as credit card numbers or usernames and passwords.
  • Host a collection of pirated software and digital media that they are selling to other people.
  • Stage a more complex attack against other people or organizations.

Rootkits typically hide themselves and other programs, and provide false information to the legitimate owners of the computer.

About the author:
Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including Windows Server 2003 Security Guide and Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. He has also co-authored two books on computer software and operating systems.

This tip originally appeared on our sister site

This was last published in May 2005
