==Types==
Malware can be classified in numerous ways, and certain malicious programs may fall into two or more categories simultaneously.<ref name=":4" /> Broadly, software can be categorised into three types:<ref name=":5">{{Cite journal|last1=Molina-Coronado|first1=Borja|last2=Mori|first2=Usue|last3=Mendiburu|first3=Alexander|last4=Miguel-Alonso|first4=Jose|date=2023-01-01|title=Towards a fair comparison and realistic evaluation framework of android malware detectors based on static analysis and machine learning|url=https://www.sciencedirect.com/science/article/pii/S0167404822003881|journal=Computers & Security|language=en|volume=124|pages=102996|doi=10.1016/j.cose.2022.102996|arxiv=2205.12569|s2cid=252734950|issn=0167-4048|access-date=10 January 2023|archive-date=10 January 2023|archive-url=https://web.archive.org/web/20230110063747/https://www.sciencedirect.com/science/article/pii/S0167404822003881|url-status=live}}</ref> (i) goodware, (ii) grayware and (iii) malware.

{| class="wikitable"
|+Classification of potentially malicious software<br/>Data sourced from: Molina-Coronado et al. (2023)<ref name=":5" />
!Type
!Characteristics
!Examples
|-
|Goodware
|Obtained from a trustworthy source
|{{Plainlist|
* [[Google Play]] apps
* [[Software bug|Buggy software]]}}
|-
|Grayware
|Insufficient consensus and/or metrics
|{{Plainlist|
* [[Potentially unwanted program]]s
* [[Spyware]]
* [[Adware]]}}
|-
|Malware
|Broad consensus among antivirus software that the program is malicious, or obtained from flagged sources
|{{Plainlist|
* [[Virus (computing)|Virus]]es
* [[Worm (computing)|Worm]]s
* [[Root kit]]s
* [[Backdoor (computing)|Backdoor]]s
* [[Ransomware]]
* [[Trojan horse (computing)|Trojan horse]]s}}
|}

===Malware===

====Virus====
{{Main|Computer virus}}
[[File:Kuku virus for MS-DOS.png|thumb|Output of the MS-DOS "Kuku" virus]]
A computer virus is software, usually hidden within another seemingly harmless program, that can produce copies of itself and insert them into other programs or files, and that usually performs a harmful action (such as destroying data).<ref>{{cite web|title=What are viruses, worms, and Trojan horses?|url=https://kb.iu.edu/d/aehm|access-date=23 February 2015|website=Indiana University|publisher=The Trustees of Indiana University|archive-date=4 September 2016|archive-url=https://web.archive.org/web/20160904162213/https://kb.iu.edu/d/aehm|url-status=live}}</ref> They have been likened to [[Virus|biological viruses]].<ref name=":1" /> An example of this is portable executable infection, a technique, usually used to spread malware, that inserts extra data or [[executable code]] into [[Portable Executable|PE files]].<ref name="Szor2005">{{cite book|author=Peter Szor|url=https://books.google.com/books?id=XE-ddYF6uhYC&pg=PT204|title=The Art of Computer Virus Research and Defense|date=3 February 2005|publisher=Pearson Education|isbn=978-0-672-33390-3|page=204}}</ref> A computer virus is software that embeds itself in some other [[executable]] software (including the operating system itself) on the target system without the user's knowledge and consent, and when it is run, the virus is spread to other executable files.
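Portable executable infection of the kind described above alters the structure of the host file, and two structural indicators are routinely checked when triaging a suspect binary: bytes appended after the last section (an "overlay") and sections flagged as both writable and executable. The Python below is an added illustration, not code from the article or from any source it cites. The header offsets and the IMAGE_SCN_* flag values follow the PE/COFF specification; the function names are the example's own, and the two sample images are constructed inline (they are not loadable programs) so that the check runs offline.

```python
import struct

# Section-header layout from the PE/COFF specification (40 bytes): Name, VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return sections


def inspect_pe(data):
    """Report two structural indicators worth checking on a file suspected of infection:
    bytes appended after the last section (an overlay) and sections that are both
    writable and executable. Neither proves infection; both merit a closer look."""
    sections = parse_sections(data)
    image_end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    wx = [s["name"] for s in sections
          if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
          and s["characteristics"] & IMAGE_SCN_MEM_WRITE]
    return {"sections": [s["name"] for s in sections],
            "overlay_bytes": max(0, len(data) - image_end),
            "writable_executable": wx}


def build_sample_pe(sections, overlay=b""):
    """Constructed minimal PE-shaped byte string for the demonstration. It omits the
    optional header and would not load, but the headers it has follow the spec."""
    e_lfanew = 64
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(sections) * SECTION_HEADER_SIZE
    table, body, virt = b"", b"", 0x1000
    for name, raw, chars in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.encode(), len(raw), virt,
                             len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        virt += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + table + body + overlay


# Constructed samples: a clean two-section image, and the same image with 48 bytes
# appended after .data and .text re-marked writable.
CLEAN = build_sample_pe([(".text", b"\x90" * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                         (".data", b"\x00" * 32, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)])
TAMPERED = build_sample_pe([(".text", b"\x90" * 64,
                             IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
                            (".data", b"\x00" * 32, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE)],
                           overlay=b"\xaa" * 48)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, inspect_pe(image))
```

On a real binary the same parser is fed the file contents; an overlay is legitimate in some installers and signed files (Authenticode signatures live past the last section), so the result is a triage signal to compare against a known-good copy rather than a verdict.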
====Worm====
[[File:Blaster hex dump.png|thumb|[[Hex dump]] of the [[Blaster (computer worm)|Blaster worm]], showing a message left for [[Microsoft]] co-founder [[Bill Gates]] by the worm's programmer]]
A [[Computer worm|worm]] is stand-alone malware that {{em|actively}} transmits itself over a [[Computer network|network]] to infect other computers and can copy itself without infecting files. These definitions lead to the observation that a virus requires the user to run infected software or an infected operating system for the virus to spread, whereas a worm spreads itself.<ref>{{cite encyclopedia|title=computer virus – Encyclopædia Britannica|encyclopedia=Britannica.com|url=https://www.britannica.com/EBchecked/topic/130688/computer-virus|access-date=28 April 2013|archive-date=13 May 2013|archive-url=https://web.archive.org/web/20130513221333/http://www.britannica.com/EBchecked/topic/130688/computer-virus|url-status=live}}</ref>

====Rootkits====
{{Main|Rootkit}}
Once malicious software is installed on a system, it is essential that it stays concealed, to avoid detection. Software packages known as ''rootkits'' allow this concealment by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a harmful [[process (computing)|process]] from being visible in the system's list of [[process (computing)|processes]], or keep its files from being read.<ref>{{cite web|last=McDowell|first=Mindi|title=Understanding Hidden Threats: Rootkits and Botnets|url=http://www.us-cert.gov/ncas/tips/ST06-001|access-date=6 February 2013|publisher=US-CERT|archive-date=29 March 2017|archive-url=https://web.archive.org/web/20170329025139/https://www.us-cert.gov/ncas/tips/ST06-001|url-status=dead}}</ref> Some types of harmful software contain routines to evade identification and/or removal attempts, not merely to hide themselves.
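Process concealment of the kind described above is detected by "cross-view" comparison, the approach taken by tools such as unhide: the process list that the rootkit has tampered with (a directory listing of /proc, which is what ps and top read) is compared with the set of PIDs the kernel acknowledges when asked about each one directly. The Python script below is an added example for Linux, not code from the article or from a cited source; its function names are its own, and the PID sets used in the test are constructed. Thread IDs also answer a kill(pid, 0) probe but never appear at the top level of /proc, so the diff reads each candidate's Tgid to rule them out rather than report every thread as hidden.

```python
import os


def listed_pids():
    """PIDs as a directory listing of /proc reports them (the view ps and top use)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=None):
    """PIDs the kernel acknowledges when asked about each candidate directly.
    kill(pid, 0) delivers no signal; it only reports whether the target exists."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user: still present
        found.add(pid)
    return found


def proc_tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if the entry is gone.
    The directory is reachable by name even when readdir() does not list it."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed, probed, tgid_of):
    """Cross-view diff. A PID the kernel acknowledges but the listing omits is
    suspicious unless it is a thread of a listed process (threads share their
    group leader's Tgid) or it exited between the two snapshots (tgid_of -> None)."""
    hidden = []
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid is None:
            continue                     # vanished: a race, not concealment
        if tgid != pid and tgid in listed:
            continue                     # an ordinary thread of a visible process
        hidden.append(pid)
    return hidden


if __name__ == "__main__":
    before = listed_pids()
    probed = probed_pids()
    after = listed_pids()
    # Only flag PIDs absent from both listings, so short-lived processes started
    # during the probe do not raise false alarms.
    suspects = hidden_pids(before | after, probed, proc_tgid)
    print("hidden PIDs:", suspects or "none")
```

Probing every PID up to pid_max takes a few seconds on a system with the default 4,194,304 limit. A rootkit that hooks the kill() path as well as readdir() defeats this particular view pair, which is why such tools compare several independent views (the scheduler, /proc/<pid> stat calls, network socket tables) rather than one.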
An early example of this behavior is recorded in the [[Jargon File]] tale of a pair of programs infesting a Xerox [[CP-V operating system|CP-V]] time-sharing system:
{{blockquote|Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently stopped program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.<ref>{{cite web|url=http://catb.org/jargon/html/meaning-of-hack.html|title=The Meaning of 'Hack'|publisher=Catb.org|access-date=15 April 2010|archive-date=13 October 2016|archive-url=https://web.archive.org/web/20161013133924/http://www.catb.org/jargon/html/meaning-of-hack.html|url-status=live}}</ref>}}

====Backdoors====
{{Main|Backdoor (computing)}}
A [[backdoor (computing)|backdoor]] is a broad term for a computer program that allows an attacker persistent unauthorised remote access to a victim's machine, often without their knowledge.<ref name=":6">{{Citation|last=Gill|first=Harjeevan|title=Malware: Types, Analysis and Classifications|date=2022-06-21|url=https://engrxiv.org/preprint/view/2423|access-date=2024-06-22|language=en|doi=10.31224/2423}}</ref> The attacker typically uses another attack (such as a [[Trojan horse (computing)|trojan]], [[Computer worm|worm]] or [[Computer virus|virus]]) to bypass authentication mechanisms, usually over an unsecured network such as the Internet, to install the backdoor application. A backdoor can also be a side effect of a [[software bug]] in legitimate software that is exploited by an attacker to gain access to a victim's computer or network. It has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified.
It was reported in 2014 that US government agencies had been diverting computers purchased by those considered "targets" to secret workshops where software or hardware permitting remote access by the agency was installed; this was considered to be among the most productive operations to obtain access to networks around the world.<ref>{{cite news|last=Staff|first=SPIEGEL|date=2013-12-29|title=Inside TAO: Documents Reveal Top NSA Hacking Unit|newspaper=Spiegel Online|publisher=SPIEGEL|url=http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html|access-date=23 January 2014|archive-date=20 April 2017|archive-url=https://web.archive.org/web/20170420112316/http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html|url-status=live}}</ref> Backdoors may be installed by Trojan horses, [[computer worm|worms]], [[NSA ANT catalog|implants]], or other methods.<ref>{{cite web|last=Edwards|first=John|title=Top Zombie, Trojan Horse and Bot Threats|url=http://www.itsecurity.com/features/top-zombie-trojan-bots-092507|url-status=dead|archive-url=https://web.archive.org/web/20170209142725/http://www.itsecurity.com/features/top-zombie-trojan-bots-092507/|archive-date=9 February 2017|access-date=25 September 2007|publisher=IT Security}}</ref><ref>{{cite news|last=Appelbaum|first=Jacob|date=2013-12-29|title=Shopping for Spy Gear:Catalog Advertises NSA Toolbox|newspaper=Spiegel Online|publisher=SPIEGEL|url=http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html|access-date=29 December 2013|archive-date=20 April 2017|archive-url=https://web.archive.org/web/20170420112319/http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html|url-status=live}}</ref>

====Trojan horse====
A Trojan horse misrepresents itself to masquerade as a regular, benign program or utility in order to persuade a victim to install it. A Trojan horse usually carries a hidden destructive function that is activated when the application is started. The term is derived from the [[Ancient Greece|Ancient Greek]] story of the [[Trojan horse]] used to invade the city of [[Troy]] by stealth.<ref>{{Cite conference|last=Landwehr|first=C. E|author2=A. R Bull|author3=J. P McDermott|author4=W. S Choi|year=1993|title=A taxonomy of computer program security flaws, with examples|url=https://apps.dtic.mil/sti/pdfs/ADA465587.pdf|publisher=DTIC Document|archive-url=https://web.archive.org/web/20130408133230/http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA465587|archive-date=8 April 2013|access-date=5 April 2012|url-status=live}}</ref><ref>{{Cite web|title=Trojan Horse: [coined By MIT-hacker-turned-NSA-spook Dan Edwards] N.|url=http://www.anvari.org/fortune/Miscellaneous_Collections/291162_trojan-horse-coined-by-mit-hacker-turned-nsa-spook-dan-edwards-n.html|url-status=live|archive-url=https://web.archive.org/web/20170705103553/http://www.anvari.org/fortune/Miscellaneous_Collections/291162_trojan-horse-coined-by-mit-hacker-turned-nsa-spook-dan-edwards-n.html|archive-date=5 July 2017|access-date=5 April 2012}}</ref> Trojan horses are generally spread by some form of [[Social engineering (security)|social engineering]], for example where a user is duped into executing an email attachment disguised to look innocuous (e.g., a routine form to be filled in), or by [[drive-by download]].
Although their payload can be anything, many modern forms act as a backdoor, contacting a controller ("phoning home") which can then gain unauthorized access to the affected computer, potentially installing additional software such as a keylogger to steal confidential information, or cryptomining software or adware to generate revenue for the operator of the trojan.<ref>{{cite web|title=What is the difference between viruses, worms, and Trojan horses?|url=http://www.symantec.com/business/support/index?page=content&id=TECH98539|access-date=10 January 2009|publisher=Symantec Corporation|archive-date=13 February 2015|archive-url=https://web.archive.org/web/20150213213523/http://www.symantec.com/business/support/index?page=content&id=TECH98539|url-status=dead}}</ref> While Trojan horses and backdoors are not easily detectable by themselves, computers may appear to run slower or emit more heat or fan noise due to heavy processor or network usage, as may occur when cryptomining software is installed. Cryptominers may limit resource usage and/or only run during idle times in an attempt to evade detection.
Unlike computer viruses and worms, Trojan horses generally do not attempt to inject themselves into other files or otherwise propagate themselves.<ref>{{Cite web|date=9 October 1995|title=VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)|url=http://www.faqs.org/faqs/computer-virus/faq/|access-date=13 September 2012|archive-date=24 September 2015|archive-url=https://web.archive.org/web/20150924041119/http://www.faqs.org/faqs/computer-virus/faq/|url-status=live}}</ref> In spring 2017, Mac users were hit by a new version of the Proton Remote Access Trojan (RAT)<ref>{{cite web|title=Proton Mac Trojan Has Apple Code Signing Signatures Sold to Customers for $50k|date=14 March 2017|url=http://appleinsider.com/articles/17/03/14/proton-mac-trojan-has-apple-code-signing-signatures-sold-to-customers-for-50k|publisher=AppleInsider|access-date=19 October 2017|archive-date=19 October 2017|archive-url=https://web.archive.org/web/20171019163245/http://appleinsider.com/articles/17/03/14/proton-mac-trojan-has-apple-code-signing-signatures-sold-to-customers-for-50k|url-status=live}}</ref> trained to extract password data from various sources, such as browser auto-fill data, the macOS keychain, and password vaults.<ref>{{cite web|date=24 August 2017|title=Non-Windows Malware|url=https://betanews.com/2017/08/24/non-windows-malware|publisher=Betanews|access-date=19 October 2017|archive-date=20 October 2017|archive-url=https://web.archive.org/web/20171020033721/https://betanews.com/2017/08/24/non-windows-malware/|url-status=live}}</ref>

====Droppers====
{{Main|Dropper (malware)}}
[[Dropper (malware)|Droppers]] are a sub-type of Trojans that solely aim to deliver malware onto the system that they infect, seeking to subvert detection through stealth and a light payload.<ref>{{cite web|date=2020-01-30|title=Trojan Dropper|url=https://www.malwarebytes.com/blog/threats/trojan-dropper|access-date=31 October 2022|publisher=MalwareBytes|archive-date=31 October 2022|archive-url=https://web.archive.org/web/20221031235424/https://www.malwarebytes.com/blog/threats/trojan-dropper|url-status=live}}</ref> It is important not to confuse a dropper with a loader or stager. A loader or stager merely loads an extension of the malware (for example, a collection of malicious functions delivered through reflective dynamic-link library injection) into memory; the purpose is to keep the initial stage light and undetectable. A dropper, by contrast, downloads further malware to the system.

====Ransomware====
{{Main|Ransomware}}
Ransomware prevents a user from accessing their files until a ransom is paid. There are two variations of ransomware: crypto ransomware and locker ransomware.<ref>{{Cite journal|last1=Richardson|first1=Ronny|last2=North|first2=Max|date=2017-01-01|title=Ransomware: Evolution, Mitigation and Prevention|url=https://digitalcommons.kennesaw.edu/facpubs/4276|journal=International Management Review|volume=13|issue=1|pages=10–21|access-date=23 November 2019|archive-date=5 October 2022|archive-url=https://web.archive.org/web/20221005110429/https://digitalcommons.kennesaw.edu/facpubs/4276/|url-status=live}}</ref> Locker ransomware just locks down a computer system without encrypting its contents, whereas crypto ransomware locks down a system and encrypts its contents.
For example, programs such as [[CryptoLocker]] [[Encryption|encrypt]] files securely, and only decrypt them on payment of a substantial sum of money.<ref>{{cite news|last=Fruhlinger|first=Josh|date=2017-08-01|title=The 5 biggest ransomware attacks of the last 5 years|publisher=CSO|url=https://www.csoonline.com/article/3212260/ransomware/the-5-biggest-ransomware-attacks-of-the-last-5-years.html|access-date=2018-03-23|archive-date=24 March 2018|archive-url=https://web.archive.org/web/20180324041022/https://www.csoonline.com/article/3212260/ransomware/the-5-biggest-ransomware-attacks-of-the-last-5-years.html|url-status=dead}}</ref> Lock-screens, or screen lockers, are a type of "cyber police" ransomware that blocks the screen of Windows or Android devices with a false accusation of harvesting illegal content, trying to scare victims into paying a fee.<ref>{{cite web|url=https://www.welivesecurity.com/wp-content/uploads/2016/02/Rise_of_Android_Ransomware.pdf|title=Rise of Android Ransomware, research|publisher=[[ESET]]|access-date=19 October 2017|archive-date=19 October 2017|archive-url=https://web.archive.org/web/20171019221531/https://www.welivesecurity.com/wp-content/uploads/2016/02/Rise_of_Android_Ransomware.pdf|url-status=live}}</ref> Jisut and SLocker impact Android devices more than other lock-screens, with Jisut making up nearly 60 percent of all Android ransomware detections.<ref>{{cite web|url=https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf|title=State of Malware, research|publisher=[[Malwarebytes]]|access-date=19 October 2017|archive-date=21 May 2017|archive-url=https://web.archive.org/web/20170521075657/https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf|url-status=dead}}</ref> Encryption-based ransomware, as the name suggests, is a type of ransomware that encrypts all files on an infected machine.
These types of malware then display a pop-up informing the user that their files have been encrypted and that they must pay (usually in Bitcoin) to recover them. Some examples of encryption-based ransomware are [[CryptoLocker]] and [[WannaCry ransomware attack|WannaCry]].<ref name="w174">{{cite journal|last1=O'Kane|first1=Philip|last2=Sezer|first2=Sakir|last3=Carlin|first3=Domhnall|title=Evolution of ransomware|journal=IET Networks|volume=7|issue=5|date=2018|issn=2047-4954|doi=10.1049/iet-net.2017.0207|pages=321–327}}</ref> According to Microsoft's Digital Crimes Unit in May 2025, Lumma Stealer ("Lumma"), which steals passwords, credit cards, bank accounts, and cryptocurrency wallets, is the favored info-stealing malware used by hundreds of cyber threat actors and enables criminals to empty bank accounts, hold schools for ransom, and disrupt critical services.<ref>{{cite news |last=Masada |first=Steven |url=https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/ |title=Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool |work=Microsoft |date=21 May 2025 |access-date=23 May 2025 |archive-url=https://web.archive.org/web/20250523194945/https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/ |archive-date=23 May 2025}}</ref>

====Click fraud====
Some malware is used to generate money by [[click fraud]], making it appear that the computer user has clicked an advertising link on a site, generating a payment from the advertiser.
It was estimated in 2012 that about 60 to 70% of all active malware used some kind of click fraud, and that 22% of all ad-clicks were fraudulent.<ref>{{cite web|title=Another way Microsoft is disrupting the malware ecosystem|url=http://blogs.technet.com/b/mmpc/archive/2012/11/29/another-way-microsoft-is-disrupting-the-malware-ecosystem.aspx|url-status=dead|archive-url=https://web.archive.org/web/20150920143940/http://blogs.technet.com/b/mmpc/archive/2012/11/29/another-way-microsoft-is-disrupting-the-malware-ecosystem.aspx|archive-date=20 September 2015|access-date=18 February 2015}}</ref>

===Grayware===
{{See also|Privacy-invasive software|Potentially unwanted program}}
Grayware is any unwanted application or file that can worsen the performance of computers and may cause security risks, but for which there is insufficient consensus or data to classify it as malware.<ref name=":5" /> Types of grayware typically include [[spyware]], [[adware]], [[dialer#Fraudulent dialer|fraudulent dialers]], joke programs ("jokeware") and [[remote desktop software|remote access tools]].<ref name=":6" /> For example, at one point, [[Sony BMG]] compact discs [[Sony BMG copy protection rootkit scandal|silently installed a rootkit]] on purchasers' computers with the intention of preventing illicit copying.<ref name="russinovich">{{cite web|last=Russinovich|first=Mark|date=31 October 2005|title=Sony, Rootkits and Digital Rights Management Gone Too Far|url=http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx|access-date=29 July 2009|work=Mark's Blog|publisher=Microsoft MSDN|archive-date=2 June 2012|archive-url=https://web.archive.org/web/20120602231838/http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx|url-status=dead}}</ref>

====Potentially unwanted program====
[[Potentially unwanted program]]s (PUPs) are applications that would be considered unwanted despite often being intentionally downloaded by the user.<ref>{{cite web|date=2009-12-15|title=Rating the best anti-malware solutions|url=https://arstechnica.com/security/2009/12/av-comparatives-picks-eight-antipua-winners/|access-date=28 January 2014|publisher=Arstechnica|archive-date=2 February 2014|archive-url=https://web.archive.org/web/20140202092753/http://arstechnica.com/security/2009/12/av-comparatives-picks-eight-antipua-winners/|url-status=live}}</ref> PUPs include spyware, adware, and fraudulent dialers. Many security products classify unauthorised [[Keygen|key generators]] as PUPs, although they frequently carry true malware in addition to their ostensible purpose.<ref name=":7">{{Cite book|last1=Kammerstetter|first1=Markus|last2=Platzer|first2=Christian|last3=Wondracek|first3=Gilbert|title=Proceedings of the 2012 ACM conference on Computer and communications security|chapter=Vanity, cracks and malware|date=2012-10-16|chapter-url=https://doi.org/10.1145/2382196.2382282|series=CCS '12|location=New York, NY, USA|publisher=Association for Computing Machinery|pages=809–820|doi=10.1145/2382196.2382282|isbn=978-1-4503-1651-4|s2cid=3423843}}</ref> In fact, Kammerstetter et al. (2012)<ref name=":7" /> estimated that as much as 55% of key generators could contain malware and that about 36% of malicious key generators were not detected by antivirus software.
====Adware====
Some types of adware turn off anti-malware and virus protection; technical remedies are available.<ref name="Casey">{{cite web|last1=Casey|first1=Henry T.|date=25 November 2015|title=Latest adware disables antivirus software|url=https://www.yahoo.com/tech/s/latest-adware-disables-antivirus-software-152920421.html|access-date=25 November 2015|work=Tom's Guide|publisher=[[Yahoo.com]]|archive-date=27 November 2015|archive-url=https://web.archive.org/web/20151127070904/https://www.yahoo.com/tech/s/latest-adware-disables-antivirus-software-152920421.html|url-status=live}}</ref>

====Spyware====
Programs designed to monitor users' web browsing, display [[unsolicited advertisement]]s, or redirect [[affiliate marketing]] revenues are called [[spyware]]. Spyware programs do not spread like viruses; instead they are generally installed by exploiting security holes. They can also be hidden and packaged together with unrelated user-installed software.<ref>{{cite web|title=Peer To Peer Information|url=http://oit.ncsu.edu/resnet/p2p|access-date=25 March 2011|publisher=NORTH CAROLINA STATE UNIVERSITY|archive-date=2 July 2015|archive-url=https://web.archive.org/web/20150702143115/http://oit.ncsu.edu/resnet/p2p|url-status=dead}}</ref> The [[Sony BMG copy protection rootkit scandal|Sony BMG rootkit]] was intended to prevent illicit copying, but it also reported on users' listening habits and unintentionally created extra security vulnerabilities.<ref name="russinovich" />