What is malware?
Malware (malicious software), rather than "virus", is the general term for software designed to behave badly. It encompasses the whole line of viruses (boot sector, stealth, polymorphic, multipartite, self-garbling), worms, trojan horses, logic bombs, rootkits and so on. As the list shows, malware comes in many shapes and sizes. We covered viruses earlier, so let's briefly look at some of the other forms of malware.
A trojan horse is malware that comes packaged together with something the user actually wants (data, software, whatever). Open source software has been hit by trojan horse attacks several notorious times. Probably the most infamous was in 2002, when the server distributing OpenSSH was compromised and the OpenSSH source tarballs were replaced with trojaned copies; the malicious code ran at build time, so anyone who compiled the tampered tarball was affected. You can still read the CERT Advisory (CA-2002-24) about the attack.
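The practical defence against a swapped tarball is to check what you downloaded against a digest (or better, a signature) obtained from somewhere the attacker did not control. The following is an added example written for this article, not code from the original post or from the OpenSSH project: it parses a checksum file in the sha256sum(1) format, verifies an archive against it, and fails closed when the archive is not listed. The archive contents and checksum line are constructed for the example; the file name openssh-sample.tar.gz is a placeholder.

```python
"""Verify a downloaded source archive against a published SHA-256 checksum
file before building it. The archive bytes and the checksum text below are
constructed for this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def parse_sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output: '<64 hex chars>  <filename>' per line.
    sha256sum separates digest and name with two spaces, or ' *' in binary mode."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # binary-mode marker, if present
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_archive(name: str, data: bytes, sums_text: str) -> bool:
    """True only if the checksum file lists `name` and its digest matches.
    An archive missing from the checksum file fails closed."""
    expected: Optional[str] = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(sha256_hex(data), expected)


def verify_file(path: str, sums_path: str) -> bool:
    """Same check for files on disk; streams the archive to bound memory use."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    with open(sums_path, "r", encoding="utf-8") as f:
        expected = parse_sums(f.read()).get(os.path.basename(path))
    return expected is not None and hmac.compare_digest(h.hexdigest(), expected)


# Constructed sample: a stand-in "tarball" and the digest a maintainer would
# publish for it (SHA-256 of the bytes b"abc", a well-known test vector).
GOOD_TARBALL = b"abc"
TROJANED_TARBALL = b"abd"
SUMS_TEXT = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  openssh-sample.tar.gz\n"
)

if __name__ == "__main__":
    print("pristine:", verify_archive("openssh-sample.tar.gz", GOOD_TARBALL, SUMS_TEXT))
    print("trojaned:", verify_archive("openssh-sample.tar.gz", TROJANED_TARBALL, SUMS_TEXT))
    print("unlisted:", verify_archive("other.tar.gz", GOOD_TARBALL, SUMS_TEXT))
```

The check is only as good as the source of the checksum file: a digest fetched from the same compromised mirror as the tarball proves nothing, since the attacker can replace both. Get the checksums (or a detached signature, verified with a key obtained separately) from a different channel than the download itself.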
A worm is a piece of software that exploits a vulnerability to establish itself on a host and then uses that host to attack other systems. A worm is self-replicating and stand-alone: it needs no host program and no user action to spread. The most notorious worm to hit Linux systems was L10n (Lion), which spread in 2001 by exploiting a vulnerability in BIND.
A rootkit is software designed to hide the presence of malware on a system. Rootkits have taken the form of kernel modules and of replacement binaries for key system utilities (ls, ps, etc.) that filter the malware's processes and files out of the output administrators rely on to see what is happening on the system.
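A replaced ps can lie about what is running, but the kernel still exposes every process as a numeric directory under /proc, so listing /proc directly and diffing it against ps output surfaces the discrepancy. This is an added example written for this article, not code from the original post or from any rootkit-detection tool: the pure functions take constructed listings so the logic can be checked offline, and live_check() runs the comparison on the real system. It assumes a Linux /proc and a ps that accepts `-e -o pid=`.

```python
"""Cross-view check for processes hidden by a userland rootkit.

Limitations: a kernel-module rootkit can hide from /proc as well, and a
process that exits between the two snapshots looks hidden until re-checked
(live_check re-checks). An LD_PRELOAD rootkit that hooks readdir() in libc
filters Python's os.listdir too; bruteforce_pids() sidesteps that by
probing /proc/<n> for each n instead of listing the directory."""
import os
import subprocess
from typing import Iterable, Set


def proc_pids(entries: Iterable[str]) -> Set[int]:
    """PIDs from a directory listing of /proc: keep only all-digit names
    (skips 'self', 'thread-self', 'cpuinfo', 'sys' and friends)."""
    return {int(name) for name in entries if name.isdigit()}


def parse_ps_pids(text: str) -> Set[int]:
    """PIDs from `ps -e -o pid=` output: one right-aligned number per line."""
    pids: Set[int] = set()
    for line in text.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def hidden_pids(kernel_view: Set[int], ps_view: Set[int]) -> Set[int]:
    """Processes the kernel knows about that ps did not report."""
    return kernel_view - ps_view


def bruteforce_pids(max_pid: int) -> Set[int]:
    """Enumerate processes without readdir(): stat /proc/<n> for every n
    up to max_pid (read /proc/sys/kernel/pid_max for the real bound)."""
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}


def live_check(brute_force: bool = False) -> Set[int]:
    """Snapshot /proc, then ps, then drop candidates that have since exited
    so a short-lived process is not reported as hidden."""
    if brute_force:
        with open("/proc/sys/kernel/pid_max") as f:
            kernel_view = bruteforce_pids(int(f.read().strip()))
    else:
        kernel_view = proc_pids(os.listdir("/proc"))
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    candidates = hidden_pids(kernel_view, parse_ps_pids(ps_out))
    return {pid for pid in candidates if os.path.isdir(f"/proc/{pid}")}


if __name__ == "__main__":
    hidden = live_check()
    if not hidden:
        print("no hidden processes found (ps output matches /proc)")
    for pid in sorted(hidden):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        print(f"PID {pid} ({comm}) is in /proc but not in ps output")
```

The same idea extends to the other utilities a rootkit replaces: compare `ls` against a raw directory read, or `netstat` against /proc/net/tcp. For replaced binaries themselves, the package manager's verification mode (rpm -V, debsums) compares installed files against the hashes recorded at install time, which a userland rootkit usually does not bother to update.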
A botnet is a network of subverted machines, each running a rootkit or other malware that makes it remotely controllable. Botnets are frequently used to launch distributed denial of service attacks. Their evolution is fascinating because command-and-control structures have grown more sophisticated in order to avoid single points of failure. In a very interesting turn of events, two Symantec researchers discovered what they described as the first Mac botnet; its malware was distributed as a trojan horse bundled with pirated copies of iWork '09.
This covers just a few of the additional types of malware; as you can see, there are many. Malware analysis is one of the "cooler" (or at least flashier) specialties of the computer security profession.
This article was part three in a multi-part series about anti-virus and Linux, announced in the article Anti-virus for Linux Redux.