A computer worm is a type of Trojan that is capable of propagating or replicating itself from one system to another. It can do this in a number of ways. Unlike viruses, worms don’t need a host file to latch onto. After arriving and executing on a target system, it can do a number of malicious tasks, such as dropping other malware, copying itself onto devices physically attached to the affected system, deleting files, and consuming bandwidth.
Downloaders and droppers are helper programs for various types of malware such as Trojans and rootkits. Usually they are implemented as scripts (VB, batch) or small applications.
They don’t carry any malicious activities by themselves, but just open a way for attack by downloading/decompressing and installing the core malicious modules. To avoid detection, a dropper may also create noise around the malicious module by downloading/decompressing some harmless files.
Very often, they auto-delete themselves after the goal has been achieved.
Trojan is a malware that uses simple social engineering tricks in order to tempt users into running it. It may pretend to be another, legitimate software (spoofing products by using the same icons and names). It may also come bundled with a cracked application or even within a freeware.
Once it is installed on the computer, it performs malicious actions such as backdooring a computer, spying on its user, and doing various types of damage.
Trojans are not likely to spread automatically. They usually stay at the infected host only.
The term “rootkit” comes from “root kit,” a package giving the highest privileges in the system. It is used to describe software that allows for stealthy presence of unauthorized functionality in the system. Rootkits modify and intercept typical modules of the environment (OS, or even deeper, bootkits).
Rootkits are used when the attackers need to backdoor a system and preserve unnoticed access as long as possible. In addition, they may register system activity and alter typical behavior in any way desired by the attacker.
Depending on the layer of activity, rootkits can be divided into the following types:
Usermode (Ring 3): the most common and the easiest to implement, it uses relatively simple techniques, such as IAT and inline hooks, to alter behavior of called functions.
Kernelmode (Ring 0): the “real” rootkits start from this layer. They live in a kernel space, altering behavior of kernel-mode functions. A specific variant of kernelmode rootkit that attacks bootloader is called a bootkit.
Hypervisor (Ring -1): running on the lowest level, hypervisor, that is basically a firmware. The kernel of the system infected by this type of a rootkit is not aware that it is not interacting with a real hardware, but with the environment altered by a rootkit.
The rule states that a rootkit running in the lower layer cannot be detected by any rootkit software running in all of the above layers.
Remote Access Trojans are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim PC. Remote Access Trojans often mimic similar behaviors of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat lots, etc. Remote Access Trojans differ from keyloggers in that they provide the capability for an attacker to gain unauthorized remote access to the victim machine via specially configured communication protocols which are set up upon initial infection of the victim computer. This backdoor into the victim machine can allow an attacker unfettered access, including the ability to monitor user behavior, change computer settings, browse and copy files, utilize the bandwidth (Internet connection) for possible criminal activity, access connected systems, and more.