Malware, a portmanteau word from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Many computer users are unfamiliar with the term, and often use “computer virus” for all types of malware, including true viruses.
Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.
Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks generally intended to be harmless or merely annoying rather than to cause serious damage to computers. However, since the rise of widespread broadband Internet access, malicious software has come to be designed for a profit motive, either more or less legal (forced advertising) or criminal. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation. Infected “zombie computers” are used to send email spam, to host contraband data, or to engage in distributed denial-of-service attacks as a form of extortion.
Another strictly for-profit category of malware has emerged in spyware, e.g., programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications. It is not uncommon for spyware and advertising programs to install so many processes that the infected machine becomes unusable, defeating the intention of the attack.
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program which has infected some executable software and which causes that software, when run, to spread the virus to other executable software. Viruses may also contain a payload which performs other actions, often malicious. A worm, on the other hand, is a program which actively transmits itself over a network to infect other computers. A worm may also carry a payload.
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank (although some viruses were spread only to discourage users from illegal software exchange). More recently, the greater share of malware programs has been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.
Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called “stealware” by the media, overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet scenario, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.
As malware attacks become more frequent, attention has begun to shift from virus and spyware protection to malware protection, and programs have been developed specifically to combat malware. Current anti-malware programs can combat malware in two ways. First, anti-malware programs can provide real-time protection against the installation of malware on a user's computer. This type of protection works the same way as anti-virus protection, in that the anti-malware software scans all incoming network data for malware and blocks any threats it comes across. Secondly, anti-malware software can be used solely for detection and removal of malware that has already been installed on a user's computer. This type of malware protection is normally much easier to use and more popular. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs on the user's computer and either provides a list of any threats found, allowing the user to choose what to delete and what to keep, or compares this list to a list of known malware components, removing files which match.
However, modern malware and other unauthorized software within an enterprise typically rely upon encrypted communications for either command and control or for identification of distribution nodes for peer-to-peer network applications (e.g., Skype®, file sharing, etc.). (Skype is a registered trademark of Skype Limited or other related companies, in the United States, other countries, or both.) In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g., “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e., to make it unencrypted).
Because these malware and other unauthorized software communications are encrypted, it is not typically possible to investigate the actual data being communicated. Thus, current technologies for malware detection that focus on signature matching of data within these protocols are insufficient from a protection perspective when the malware utilizes encrypted communications.
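To make the limitation described above concrete, the following is an added example in Python (not part of the original text): a signature scanner of the kind described above is run over the same constructed bot check-in payload twice, once in cleartext and once after a toy stream cipher (an HMAC-SHA256 keystream, a stand-in for the real encryption such software uses). The signature names, the payload and the key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for an anti-malware vendor's list of known malware
# components: byte patterns previously observed in bot command-and-control traffic.
KNOWN_SIGNATURES = {
    "example-bot-checkin": b"BOT-CHECKIN id=",
    "example-bot-command": b"CMD:",
}


def scan_for_signatures(payload: bytes) -> list[str]:
    """Return the names of every known signature found in the payload."""
    return [name for name, pattern in KNOWN_SIGNATURES.items() if pattern in payload]


def stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with an HMAC-SHA256 keystream in counter
    mode. It is only a stand-in for the encryption real malware uses (e.g. TLS),
    chosen so the example runs with the standard library. Applying it twice with
    the same key decrypts, as with any XOR stream cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def detection_report(captured_flows: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the signature scanner over every captured flow (flow name -> payload)."""
    return {flow: scan_for_signatures(payload) for flow, payload in captured_flows.items()}


# Constructed sample traffic: the same check-in message sent in cleartext and
# sent through the toy cipher with a constructed key.
CHECKIN = b"BOT-CHECKIN id=4242 os=win\nCMD:REPORT\n"
KEY = b"constructed-demo-key"
CAPTURED_FLOWS = {
    "cleartext-c2": CHECKIN,
    "encrypted-c2": stream_cipher(KEY, CHECKIN),
}

if __name__ == "__main__":
    for flow, hits in detection_report(CAPTURED_FLOWS).items():
        print(f"{flow}: {hits or 'no signature match'}")
```

The cleartext flow matches both signatures while the encrypted flow, which carries exactly the same message, matches none; the scanner sees only the ciphertext.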
Thus, malware remains an ongoing problem for, e.g., computer users and/or service providers. Accordingly, there exists a need in the art to overcome the deficiencies and limitations described hereinabove.