Computer "Malware": Worms, Trojans, Back Doors and Viruses
Over the last several years, the term "malware" has come to be used
to describe various kinds of malicious software written and engineered to compromise
personal computers in a variety of methods. The four main categories of malware
- "Back Doors"
Hackers are becoming more and more sophisticated and adept at coming up with
exploits that combine two or more of these categories to produce programs that
threaten networked computers on multiple levels. Here are brief descriptions
of each category:
In their simplest form, viruses are individual programs that, when placed on
a target computer in such a way that they are subsequently executed (thus "infecting"
the computer) can produce results ranging from the innocuous placement of a
"test" file to complete deletion of data and reformatting the hard
drive. Not all viruses are malicious - some are written by "white hat"
programmers as tests to help discover vulnerabilities and remove or strengthen
them. There are many "families" of viruses with variations or strains
that have been around for many years, and new viruses appear almost daily. To
combat viruses, it is essential to install anti-virus software and update it
frequently. For more information on anti-virus efforts at Penn, visit www.upenn.edu/computing/virus
Technically speaking, worms are programs whose sole purpose is to replicate
and spread themselves to other computers. Some programmers write them with no
other purpose or intent than to see how far they will spread, and in many cases
there is no actual payload or threat from a worm. However, in recent years,
worms have been used as the vehicle by which viruses are primarily spread. Commonly,
once a computer has been infected by a virus/worm (usually by opening an infected
e-mail attachment), the virus component will set up and begin running an SMTP
mail server, and the worm component will begin to replicate the virus/worm and
e-mail it to addresses found in the computer's e-mail address book (this most
frequently occurs with computers using Microsoft Outlook), with the "From:"
header also taken from the address book.
...as in "Trojan Horse", these are programs that are designed and
written to look like normal, useful programs, but contain hidden code that can
perform a wide variety of compromises up to and including granting a remote
user complete control of the compromised computer. For example, the Trojan may
be a version of a common command-line utility, such as 'ls' in Unix, with the
same file name and which performs all the normal command functions in addition
to other functions known only to the attacker.
In traditional computer programming parlance, a "back door" is an
entry point into a program that the programmer leaves himself in order to gain
quick access without having to go through all the normal, built-in security
checks. In theory, the back doors are taken out of the final release of the
software, but history has shown that often they are not. In the current network
climate, though, a back door is generally considered to be a program that has
been placed on a computer (usually surreptitiously) that allows a remote user
to gain and maintain complete administrative control over the computer - almost
always without the knowledge of the computer's owner or primary user. The most
famous and widespread examples of back door programs over the years have been
SubSeven and Back Orifice, but there are many, many others, and new ones appear
regularly. There are several ways that back doors can be placed on a computer
(though, this can never be a truly complete list):
- Opening an infected e-mail attachment (they are often combined with viruses
- Exploiting a computer left vulnerable by a previous, existing virus infection
- Clicking on a URL to a malicious website that surreptitiously downloads
the back door to the computer
- Exploiting a vulnerable, unpatched software application or operating system
service (this is what happened with the famous Code Red exploits)
- Leaving the computer unattended and unsecured (no password-protected screen
saver), so that the back door can be loaded directly from floppy disk, "thumb drive", CD-ROM, etc.
- Active FTP server on the computer (especially one that allows "anonymous"
For best protection against malware (as against many other threats), be sure
to install, use and update anti-virus software, keep operating system patches
and service packs up to date, and never open an e-mail attachment unless absolutely
sure it is harmless.
For a computer that has been corrupted or compromised by one or more of the
above types of malware, the remedy depends almost exclusively on the nature
of the specific virus, worm, Trojan and/or Back Door (it is possible to have
"all in one"). In some cases, vendors such as Symantec, McAfee and
eEye make available software "tools" that can effectively remove the
exploit and repair the damage.
However, in many cases, the exploit has either installed
and activated a back door or other program that permits remote administrative
access, or has left the computer vulnerable and open to placement of such a
program. In any case where a computer has been exposed to a possible administrative,
"root-level" compromise, Penn Information Security requires that the
computer be disconnected from the network, all hard drives be reformatted, the
operating system be re-installed from original media and all current patches
and service packs be applied before the computer can be re-attached to the network.
Once the possibility of a back door exists, it is not possible to be certain
that multiple additional back doors have not also been installed, and there
is virtually no possibility that all can be found and removed.
For a more detailed explanation of why this is an industry-recommended remedy
for compromised computers, please read Help: I Got Hacked! Now What Do
I Do? on Microsoft's website at:
Last updated: Friday, July 13, 2007