{{Use dmy dates|date=March 2014}}
{{Information security}}
{{refimprove|date=July 2013}}
'''Malware''', short for '''malicious software''', is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.<ref>{{cite web|url=http://techterms.com/definition/malware| title=Malware definition| publisher=techterms.com |accessdate=27 September 2015}} Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer
viruses.<ref name="Elisan2012">{{cite book|author=Christopher Elisan|title=Malware, Rootkits & Botnets A Beginner's Guide|url=https://books.google.com/books?id=jOsFlLPg1KkC&pg=PA10|date=5 September 2012|publisher=McGraw Hill Professional|isbn=978-0-07-179205-9|pages=10–}} The first category of malware propagation concerns parasitic software fragments that attach themselves to some existing executable content. The fragment may be machine code that infects some existing
application, utility, or system program, or even the code used to boot a computer system.<ref name="Stallings 2012 p.182 ">{{cite book | last=Stallings | first=William | title=Computer security : principles and practice | publisher=Pearson | location=Boston | year=2012 | isbn=978-0-13-277506-9 | page=182}} Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some
deficiency.

Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, as for example Regin (malware)|Regin, or it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker). 'Malware' is an umbrella term used to refer to a variety of forms of hostile or intrusive software,<ref>{{cite web|url=http://technet.microsoft.com/en-us/library/dd632948.aspx|title=Defining Malware:
FAQ|publisher=technet.microsoft.com|accessdate=10 September 2009}} including computer viruses, Computer worm|worms, Trojan horse (computing)|trojan horses, Ransomware (malware)|ransomware, spyware, adware, scareware, and other malicious programs. <!--rootkits, keyloggers, dialers, BHOs are not types of malware. These are function groups, and not necessarily (or even typically) malware. It would be just as incorrect to assert that that malware
includes (say) drivers or macros.--> It can take the form of executable code, script (computing)|scripts, active content, and other software.<ref>{{cite web|url=https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/CaseStudy-002.pdf |title=An Undirected Attack Against Critical Infrastructure |publisher=United States Computer Emergency Readiness Team(Us-cert.gov) |date= | format=PDF| accessdate=28 September 2014}}  Malware is often disguised as, or
embedded in, non-malicious files. {{As of|2011}} the majority of active malware threats were worms or trojans rather than viruses.<ref>{{cite web|url=http://www.microsoft.com/security/sir/story/default.aspx#!10year_malware |title=Evolution of Malware-Malware Trends |publisher=Microsoft.com |date= | work=Microsoft Security Intelligence Report-Featured Articles |accessdate=28 April 2013}}

In law, malware is sometimes known as a '''computer contaminant''', as in the legal codes of several United States|U.S. states.<ref>{{cite web| publisher=National Conference of State Legislatures |url=http://www.ncsl.org/issues-research/telecom/state-virus-and-computer-contaminant-laws.aspx| title=Virus/Contaminant/Destructive Transmission Statutes by State| date=2012-02-14| accessdate=26 August 2013}}<ref>{{cite
web|url=http://jcots.state.va.us/2005%20Content/pdf/Computer%20Contamination%20Bill.pdf|title=§&nbsp;18.2-152.4:1 Penalty for Computer Contamination|format=PDF|publisher=Joint Commission on Technology and Science|accessdate=17 September 2010}}

Spyware or other malware is sometimes found embedded in programs supplied officially by companies, e.g., downloadable from websites, that appear useful or attractive, but may have, for example, additional hidden tracking functionality that gathers marketing statistics. An example of such software, which was described as illegitimate, is the Sony rootkit, a Trojan embedded into Compact disc|CDs sold by Sony, which silently installed and concealed itself on purchasers' computers
with the intention of preventing illicit copying; it also reported on users' listening habits, and unintentionally created vulnerabilities that were exploited by unrelated malware.<ref>{{cite web |last=Russinovich |first=Mark |url=http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx |title=Sony, Rootkits and Digital Rights Management Gone Too Far |work=Mark's Blog |publisher=Microsoft MSDN
|date=2005-10-31 |accessdate=2009-07-29}}

Software such as anti-virus and firewall (computing)|firewalls are used to protect against activity identified as malicious, and to recover from attacks.<ref>{{cite web|title=Protect Your Computer from Malware|url=http://www.onguardonline.gov/media/video-0056-protect-your-computer-malware|publisher=OnGuardOnline.gov |accessdate=26 August 2013}}

 Purposes 
File:Malware statics 2011-03-16-en.svg|thumb|alt=This pie chart shows that in 2011, 70 percent of malware infections were by trojan horses, 17 percent were from viruses, 8 percent from worms, with the remaining percentages divided among adware, backdoor, spyware, and other exploits.|300px|Malware by categories on 16 March 2011.

Many early infectious programs, including the Morris worm|first Internet Worm, were written as experiments or pranks. Today, malware is used by both black-hat hacking|black hat hackers and governments, to steal personal, financial, or business information.<ref>{{cite web|title=Malware|url=http://www.consumer.ftc.gov/articles/0011-malware|publisher=FEDERAL TRADE COMMISSION- CONSUMER INFORMATION|accessdate=27 March 2014}}<ref>{{cite
web|last=Hernandez|first=Pedro|title=Microsoft Vows to Combat Government Cyber-Spying|url=http://www.eweek.com/security/microsoft-vows-to-combat-government-cyber-spying.html|publisher=eWeek|accessdate=15 December 2013}}

Malware is sometimes used broadly against government or corporate websites to gather guarded information,<ref>{{cite web |last=Kovacs |first=Eduard |title=MiniDuke Malware Used Against European Government Organizations|url=http://news.softpedia.com/news/MiniDuke-Malware-Used-Against-European-Government-Organizations-333006.shtml|publisher=Softpedia|accessdate=27 February 2013}} or to disrupt their operation in general. However, malware is often used against individuals to gain
information such as personal identification numbers or details, bank or credit card numbers, and passwords. Left unguarded, personal and Computer network|networked computers can be at considerable risk against these threats. (These are most frequently defended against by various types of firewall (computing)|firewall, anti-virus software, and Network switch|network hardware).<ref>{{cite news|title=South Korea network attack 'a computer virus'
|url=http://www.bbc.co.uk/news/world-asia-21855051|newspaper=BBC|accessdate=20 March 2013}}

Since the rise of widespread broadband Internet access, malicious software has more frequently been designed for profit. Since 2003, the majority of widespread computer virus|viruses and worms have been designed to take control of users' computers for illicit purposes.<ref>{{cite web|title=Malware Revolution: A Change in Target|url=http://technet.microsoft.com/en-us/library/cc512596.aspx|date=March 2007}} Infected "zombie computers" are used to send email
spam, to host contraband data such as child pornography,<ref>{{cite web|title=Child Porn: Malware's Ultimate Evil|url=http://www.itworld.com/security/84077/child-porn-malwares-ultimate-evil|date=November 2009}} or to engage in distributed denial-of-service Attack (computing)|attacks as a form of extortion.<ref>[http://www.pcworld.com/article/id,116841-page,1/article.html PC World – Zombie PCs: Silent, Growing Threat<!-- Bot generated title -->].

Programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues are called spyware. Spyware programs do not spread like computer virus|viruses; instead they are generally installed by exploiting security holes. They can also be hidden and packaged together with unrelated user-installed software.<ref>{{cite web|title=Peer To Peer Information|url=http://oit.ncsu.edu/resnet/p2p|publisher=NORTH CAROLINA STATE
UNIVERSITY|accessdate=25 March 2011}}

Ransomware affects an infected computer in some way, and demands payment to reverse the damage. For example, programs such as CryptoLocker Encryption|encrypt files securely, and only decrypt them on payment of a substantial sum of money.

Some malware is used to generate money by click fraud, making it appear that the computer user has clicked an advertising link on a site, generating a payment from the advertiser. It was estimated in 2012 that about 60 to 70% of all active malware used some kind of click fraud, and 22% of all ad-clicks were fraudulent.<ref>{{cite web|url=http://blogs.technet.com/b/mmpc/archive/2012/11/29/another-way-microsoft-is-disrupting-the-malware-ecosystem.aspx|title=Another way Microsoft is
disrupting the malware ecosystem|publisher=|accessdate=18 February 2015}}

Malware is usually used for criminal purposes, but can be used for sabotage, often without direct benefit to the perpetrators. One example of sabotage was Stuxnet, used to destroy very specific industrial equipment. There have been politically motivated attacks that have spread over and shut down large computer networks, including massive deletion of files and corruption of master boot records, described as "computer killing". Such attacks were made on Sony Pictures Entertainment
(25 November 2014, using malware known as Shamoon or W32.Disttrack) and Saudi Aramco (August 2012).<ref>{{cite web|url=http://www.computerweekly.com/news/2240161674/Shamoon-is-latest-malware-to-target-energy-sector|title=Shamoon is latest malware to target energy sector|publisher=|accessdate=18 February 2015}}<ref>{{cite
web|url=http://www.computerweekly.com/news/2240235919/Computer-killing-malware-used-in-Sony-attack-a-wake-up-call-to-business?asrc=EM_MDN_37122786&utm_medium=EM&utm_source=MDN&utm_campaign=20141203_Computer-killing%20malware%20used%20in%20Sony%20attack%20a%20wake-up%20call_|title=Computer-killing malware used in Sony attack a wake-up call|publisher=|accessdate=18 February 2015}}

 Proliferation 
Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious Executable|code and other unwanted programs may be exceeding that of legitimate software applications."<ref>{{cite journal|title=Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)|publisher=Symantec Corp.|volume=XIII|page=29|date=April
2008|url=http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf |format=PDF|accessdate=11 May 2008}} According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether."<ref>{{cite press release|title=F-Secure Reports Amount of Malware Grew by 100% during 2007|url=http://www.f-secure.com/f-secure/pressroom/news/fs_news_20071204_1_eng.html|date=4 December
2007|publisher=F-Secure Corporation|accessdate=11 December 2007}} Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.<ref>{{cite web|title= F-Secure Quarterly Security Wrap-up for the first quarter of 2008|url=http://www.f-secure.com/f-secure/pressroom/news/fsnews_20080331_1_eng.html|publisher=F-Secure|date=31 March 2008|accessdate=25 April 2008}}

The prevalence of malware as a vehicle for Internet crime, along with the challenge of anti-malware software to keep up with the continuous stream of new malware, has seen the adoption of a new mindset for individuals and businesses using the Internet. With the amount of malware currently being distributed, some percentage of computers are currently assumed to be infected. For businesses, especially those that sell mainly over the Internet, this means they need to find a way
to operate despite security concerns. The result is a greater emphasis on back-office protection designed to protect against advanced malware operating on customers' computers.<ref>{{cite web|title= Continuing Business with Malware Infected Customers|url=http://www.technicalinfo.net/papers/MalwareInfectedCustomers.html|publisher=Gunter Ollmann|date=October 2008}} A 2013 Webroot study shows that 64% of companies allow remote access to servers for 25% to 100% of their workforce
and that companies with more than 25% of their employees accessing servers remotely have higher rates of malware threats.<ref>{{cite web|title= New Research Shows Remote Users Expose Companies to Cybercrime|url=http://www.webroot.com/En_US/pr/web-security/ent/new-research-shows-remote-users-expose-companies-to-cybercrime-042313.html|publisher=Webroot|date=April 2013}}

On 29 March 2010, Symantec Corporation named Shaoxing, China, as the world's malware capital.<ref>{{cite web|url=http://www.engadget.com/2010/03/29/symantec-names-shaoxing-china-worlds-malware-capital |title=Symantec names Shaoxing, China as world's malware capital |publisher=Engadget |date= |accessdate=15 April 2010}} A 2011 study from the University of California, Berkeley, and the Madrid Institute for Advanced Studies published an article in ''Software Development
Technologies'', examining how entrepreneurial Hacker (computer security)|hackers are helping enable the spread of malware by offering access to computers for a price. Microsoft reported in May 2011 that one in every 14 downloads from the Internet may now contain malware code. Social media, and Facebook in particular, are seeing a rise in the number of tactics used to spread malware to computers.<ref>{{cite news|url =
https://online.wsj.com/article/SB10001424052748704904604576332812592346714.html |title = Malware Is Posing Increasing Danger |publisher = Wall Street Journal | first=Ben |last=Rooney |date=2011-05-23}}

A 2014 study found that malware is being increasingly aimed at mobile devices such as smartphones as they increase in popularity.<ref>{{cite journal |last1=Suarez-Tangil|first1=Guillermo|author2=Juan E. Tapiador, Pedro Peris-Lopez, Arturo Ribagorda|title=Evolution, Detection and Analysis of Malware in Smart Devices|journal=IEEE Communications Surveys & Tutorials|year=2014 |url=http://www.seg.inf.uc3m.es/~guillermo-suarez-tangil/papers/2013cst-ieee.pdf}}

 Infectious malware 
{{Main article|Computer virus|Computer worm}}
The best-known types of malware, computer virus|viruses and worms, are known for the manner in which they spread, rather than any specific types of behavior. The term ''computer virus'' is used for a program that embeds itself in some other executable software (including the operating system itself) on the target system without the user's consent and when that is run causes the virus to spread to other executables. On the other hand, a ''computer worm|worm'' is a
stand-alone malware program that ''actively'' transmits itself over a Computer network|network to infect other computers. These definitions lead to the observation that a computer virus|virus requires the user to run an infected program or operating system for the virus to spread, whereas a worm spreads itself.<ref>{{cite web|url=http://www.britannica.com/EBchecked/topic/130688/computer-virus |title=computer virus – Encyclopædia Britannica |publisher=Britannica.com |date=
|accessdate=28 April 2013}}

 Concealment 
These categories are not mutually exclusive, so malware may use multiple techniques.<ref>[http://techacute.com/malware-information-privacy/ All about Malware and Information Privacy] This section only applies to malware designed to operate undetected, not sabotage and ransomware.
{{See also|Polymorphic packer}}

= Viruses =
{{Main article|Computer virus}}
A computer program usually hidden within another seemingly innocuous program that produces copies of itself and inserts them into other programs or files, and that usually performs a malicious action (such as destroying data).<ref>{{cite web|title=What are viruses, worms, and Trojan horses?|url=https://kb.iu.edu/d/aehm|website=Indiana University|publisher=The Trustees of Indiana University|accessdate=23 February 2015}}

= Trojan horses =
{{Main article|Trojan horse (computing)}}
In computing, Trojan horse, or '''Trojan''', is any malicious computer program which misrepresents itself to appear useful, routine, or interesting in order to persuade a victim to install it. The term is derived from the Ancient Greek story of the Trojan Horse|wooden horse that was used to help Greek troops invade the city of Troy by stealth.<ref>{{Cite conference
 | publisher = DTIC Document
  | last = Landwehr
   | first = C. E
    | author2=A. R Bull |author3=J. P McDermott |author4=W. S Choi
     | title = A taxonomy of computer program security flaws, with examples
      | url = http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA465587
       | year = 1993
        | accessdate = 2012-04-05
}}<ref>{{Cite web
 | title = Trojan Horse Definition
  | accessdate = 2012-04-05
   | url = http://www.techterms.com/definition/trojanhorse
}}<ref>{{Cite news
 | title = Trojan horse
  | work = Webopedia
   | accessdate = 2012-04-05
    | url = http://www.webopedia.com/TERM/T/Trojan_horse.html
}}<ref>{{Cite web
 | title = What is Trojan horse? – Definition from Whatis.com
  | accessdate = 2012-04-05
   | url = http://searchsecurity.techtarget.com/definition/Trojan-horse
}}<ref>{{Cite web
 | title = Trojan Horse: [coined By MIT-hacker-turned-NSA-spook Dan Edwards] N.
  | accessdate = 2012-04-05
   | url = http://www.anvari.org/fortune/Miscellaneous_Collections/291162_trojan-horse-coined-by-mit-hacker-turned-nsa-spook-dan-edwards-n.html
}}

Trojans are generally spread by some form of Social engineering (security)|social engineering, for example where a user is duped into executing an e-mail attachment disguised to be unsuspicious, (e.g., a routine form to be filled in), or by drive-by download. Although their payload can be anything, many modern forms act as a Backdoor (computing)|backdoor, contacting a controller which can then have unauthorized access to the affected computer.<ref>{{cite web|title=What is the
difference between viruses, worms, and Trojans?|url=http://www.symantec.com/business/support/index?page=content&id=TECH98539|publisher=Symantec Corporation|accessdate=2009-01-10}}  While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage.

Unlike computer viruses and Computer worm|worms, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.<ref>{{Cite web
 | title = VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00 (Question B3: What is a Trojan Horse?)
  | date = 9 October 1995
   | accessdate = 2012-09-13
    | url = http://www.faqs.org/faqs/computer-virus/faq/
}}

= Rootkits =
{{Main article|Rootkit}}
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection. Software packages known as ''rootkits'' allow this concealment, by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process (computing)|process from being visible in the system's list of process (computing)|processes, or keep its files from being read.<ref>{{cite
web|last=McDowell|first=Mindi|title=Understanding Hidden Threats: Rootkits and Botnets|url=http://www.us-cert.gov/ncas/tips/ST06-001|publisher=US-CERT|accessdate=6 February 2013}}

Some malicious programs contain routines to defend against removal, not merely to hide themselves. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V operating system|CP-V time sharing system:

:Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently stopped program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.<ref>{{cite web|url=http://catb.org/jargon/html/meaning-of-hack.html |title=Catb.org |publisher=Catb.org |date= |accessdate=15 April 2010}}

= Backdoors =
{{Main article|Backdoor (computing)}}
A backdoor (computing)|backdoor is a method of bypassing normal authentication procedures, usually over a connection to a network such as the Internet. Once a system has been compromised, one or more backdoors may be installed in order to allow access in the future,<ref name=AAA>{{cite news |url=http://www.spywareloop.com/news/malware|title=Malware in SpyWareLoop.com|author= Vincentas |newspaper=''Spyware Loop'' |date=11 July 2013 |accessdate=28 July 2013}} invisibly
to the user.

The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. It was reported in 2014 that US government agencies had been diverting computers purchased by those considered "targets" to secret workshops where software or hardware permitting remote access by the agency was installed, considered to be among the most productive operations to obtain access to
networks around the world.<ref>{{cite web|last=Staff|first=SPIEGEL|title=Inside TAO: Documents Reveal Top NSA Hacking Unit|url=http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html|publisher=SPIEGEL|accessdate=23 January 2014}} Backdoors may be installed by Trojan horses, computer worm|worms, NSA ANT catalog|implants, or other methods.<ref>{{cite
web|last=Edwards|first=John|title=Top Zombie, Trojan Horse and Bot Threats|url=http://www.itsecurity.com/features/top-zombie-trojan-bots-092507|publisher=IT Security|accessdate=25 September 2007}}<ref>{{cite web|last=Appelbaum|first=Jacob|title=Shopping for Spy Gear:Catalog Advertises NSA Toolbox|url=http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html|publisher=SPIEGEL|accessdate=29 December 2013}}

= Evasion =
Since the beginning of 2015, a sizable portion of malware utilizes a combination of many techniques designed to avoid detection and analysis.<ref>[http://www.net-security.org/malware_news.php?id=3022 Evasive malware]

The most common evasion technique is when the malware evades analysis and detection by Fingerprint (computing)|fingerprinting the environment when executed.<ref>{{cite conference |title= Barecloud: bare-metal analysis-based evasive malware detection|last1= Kirat |first1= Dhilung| last2= Vigna|first2= Giovanni| last3 = Kruegel| first3 = Christopher |date=2014 |publisher= ACM|book-title= | pages = 287–301| isbn =  978-1-931971-15-7 }}
The second most common evasion technique is confusing automated tools' detection methods. This allows malware to avoid detection by technologies such as signature-based antivirus software by changing the server used by the malware.<ref>[http://www.tripwire.com/state-of-security/security-data-protection/the-four-most-common-evasive-techniques-used-by-malware/ The Four Most Common Evasive Techniques Used by Malware]. April 27, 2015.
The third most common evasion technique is timing-based evasion. This is when malware runs at certain times or following certain actions taken by the user, so it executes during certain vulnerable periods, such as during the boot process, while remaining dormant the rest of the time. 
The fourth most common evasion technique is done by obfuscating internal data so that automated tools do not detect the malware.<ref>{{cite conference |title= Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage|last1= Young |first1= Adam|last2= Yung|first2= Moti|date=1997|publisher= IEEE|book-title=Symp. on Security and Privacy | pages = 224–235| isbn =  0-8186-7828-3}}
An increasingly common technique is adware that uses stolen certificates to disable anti-malware and virus protection; technical remedies are available to deal with the adware.<ref name="Casey">{{cite web |url=https://www.yahoo.com/tech/s/latest-adware-disables-antivirus-software-152920421.html |title=Latest adware disables antivirus software |work=Tom's Guide |first1=Henry T. |last1=Casey |authorlink1=Henry T. Casey |publisher=Yahoo.com |date=25 November 2015
|accessdate=25 November 2015}}

Nowadays, one of the most sophisticated and stealthy ways of evasion is to use information hiding techniques, namely stegomalware.

 Vulnerability 
{{Main article|Vulnerability (computing)}}
 In this context, and throughout, what is called the "system" under attack may be anything from a single application, through a complete computer and operating system, to a large Computer network|network.
 Various factors make a system more vulnerable to malware:

{{anchor|Security defect}}

= Security defects in software =
Malware exploits security defects (security bugs or Software vulnerability|vulnerabilities) in the design of the operating system, in applications (such as browsers, e.g. older versions of Microsoft Internet Explorer supported by Windows XP<ref>{{cite web|title=Global Web Browser... Security Trends|publisher=Kaspersky lab|date=November 2012|url=http://www.kaspersky.com/images/Kaspersky_Report_Browser_Usage_ENG_Final.pdf}}), or in vulnerable versions of
browser plugins such as Adobe Flash Player#Security|Adobe Flash Player, Adobe Acrobat#Security|Adobe Acrobat or Reader, or Java SE#Critical security issues with the Java SE plugin|Java SE.<ref>{{cite web|last=Rashid|first=Fahmida Y.|title=Updated Browsers Still Vulnerable to Attack if Plugins Are Outdated|publisher=pcmag.com|date=27 November 2012|url=http://securitywatch.pcmag.com/none/305385-updated-browsers-still-vulnerable-to-attack-if-plugins-are-outdated}}<ref>{{cite
web|last=Danchev|first=Dancho|title=Kaspersky: 12 different vulnerabilities detected on every PC|publisher=pcmag.com|date=18 August 2011|url=http://www.zdnet.com/blog/security/kaspersky-12-different-vulnerabilities-detected-on-every-pc/9283}} Sometimes even installing new versions of such plugins does not automatically uninstall old versions. Security advisories from Plug-in (computing)|plug-in providers announce security-related updates.<ref>{{cite
web|url=https://www.adobe.com/support/security/ |title=Adobe Security bulletins and advisories |publisher=Adobe.com |date= |accessdate=19 January 2013}} Common vulnerabilities are assigned Common Vulnerabilities and Exposures|CVE IDs and listed in the US National Vulnerability Database. Secunia#PSI|Secunia PSI<ref>{{cite web|last=Rubenking |first=Neil J. |url=http://www.pcmag.com/article2/0,2817,2406767,00.asp |title=Secunia Personal Software Inspector 3.0
Review & Rating |publisher=PCMag.com |date= |accessdate=19 January 2013}} is an example of software, free for personal use, that will check a PC for vulnerable out-of-date software, and attempt to update it.

Malware authors target Software bug|bugs, or loopholes, to exploit. A common method is exploitation of a buffer overrun vulnerability, where software designed to store data in a specified region of memory does not prevent more data than the buffer can accommodate being supplied. Malware may provide data that overflows the buffer, with malicious executable code or data after the end; when this payload is accessed it does what the attacker, not the legitimate
software, determines.

= Insecure design or user error =
Early PCs had to be booted from floppy disks. When built-in hard drives became common, the operating system was normally started from them, but it was possible to boot from another Booting#Boot devices (IBM PC)|boot device if available, such as a floppy disk, CD-ROM, DVD-ROM, USB flash drive or network. It was common to configure the computer to boot from one of these devices when available. Normally none would be available; the user would intentionally insert, say, a CD into
the optical drive to boot the computer in some special way, for example, to install an operating system. Even without booting, computers can be configured to execute software on some media as soon as they become available, e.g. to autorun a CD or USB device when inserted.

Malicious software distributors would trick the user into booting or running from an infected device or medium. For example, a virus could make an infected computer add autorunnable code to any USB stick plugged into it. Anyone who then attached the stick to another computer set to autorun from USB would in turn become infected, and also pass on the infection in the same way.<ref name=dodusb>{{cite web|url=http://www.cnet.com/uk/news/usb-devices-spreading-viruses/|title=USB devices
spreading viruses|publisher=CBS Interactive|work=CNET|accessdate=18 February 2015}} More generally, any device that plugs into a USB port - even lights, fans, speakers, toys, or peripherals such as a digital microscope - can be used to spread malware. Devices can be infected during manufacturing or supply if quality control is inadequate.<ref name=dodusb />

This form of infection can largely be avoided by setting up computers by default to boot from the internal hard drive, if available, and not to autorun from devices.<ref name=dodusb /> Intentional booting from another device is always possible by pressing certain keys during boot.

Older email software would automatically open HTML email containing potentially malicious JavaScript code. Users may also execute disguised malicious email attachments and infected executable files supplied in other ways.{{Citation needed|date=July 2013}}

= Over-privileged users and over-privileged code =
{{Main article|principle of least privilege}}

In computing, Privilege (computing)|privilege refers to how much a user or program is allowed to modify a system. In poorly designed computer systems, both users and programs can be assigned more privileges than they should be, and malware can take advantage of this. The two ways that malware does this is through overprivileged users and overprivileged code.

Some systems allow all users to modify their internal structures, and such users today would be considered Administrative privileges|over-privileged users. This was the standard operating procedure for early microcomputer and home computer systems, where there was no distinction between an ''administrator'' or ''root'', and a regular user of the system. In some systems, system administrator|non-administrator users are over-privileged by design, in the sense that
they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status.

Some systems allow code executed by a user to access all rights of that user, which is known as over-privileged code. This was also standard operating procedure for early microcomputer and home computer systems. Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many script (computing)|scripting applications allow code too many privileges, usually in the sense that when a user
Executable|executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.

= Use of the same operating system =
 Homogeneity can be a vulnerability. For example, when all computers in a Computer network|network run the same operating system, upon exploiting one, one Computer worm|worm can exploit them all:<ref name="UKan">"LNCS 3786 – Key Factors Influencing Worm Infection", U. Kanlayasiri, 2006, web (PDF): [http://www.springerlink.com/index/3x8582h43ww06440.pdf SL40-PDF]. In particular, Microsoft Windows or Mac OS X have such a large share of the market that an
  exploited vulnerability concentrating on either operating system could subvert a large number of systems. Introducing diversity purely for the sake of robustness, such as adding Linux computers, could increase short-term costs for training and maintenance. However, as long as all the nodes are not part of the same directory service for authentication, having a few diverse nodes could deter total shutdown of the Computer network|network and allow those nodes to help with recovery of
  the infected nodes. Such separate, functional redundancy could avoid the cost of a total shutdown, at the cost of increased complexity and reduced usability in terms of single sign-on authentication.

   Anti-malware strategies 
  {{Main article|Antivirus software}}
  As malware attacks become more frequent, attention has begun to shift from computer virus|viruses and spyware protection, to malware protection, and programs that have been specifically developed to combat malware. (Other preventive and recovery measures, such as backup and recovery methods, are mentioned in the Computer virus#Antivirus software and other preventive measures|computer virus article).

  = Anti-virus and anti-malware software =
  A specific component of anti-virus and anti-malware software, commonly referred to as an on-access or real-time scanner, hooks deep into the operating system's core or operating system kernel|kernel and functions in a manner similar to how certain malware itself would attempt to operate, though with the user's informed permission for protecting the system. Any time the operating system accesses a file, the on-access scanner checks if the file is a 'legitimate' file or not. If
  the file is identified as malware by the scanner, the access operation will be stopped, the file will be dealt with by the scanner in a pre-defined way (how the anti-virus program was configured during/post installation), and the user will be notified.{{Citation needed|date=March 2013}} This may have a considerable performance impact on the operating system, though the degree of impact is dependent on how well the scanner was programmed. The goal is to stop any operations the
  malware may attempt on the system before they occur, including activities which might exploit Software bug|bugs or trigger unexpected operating system behavior.

  Anti-malware programs can combat malware in two ways:
# They can provide real time protection against the installation of malware software on a computer. This type of malware protection works the same way as that of antivirus protection in that the anti-malware software scans all incoming Computer network|network data for malware and blocks any Threat (computer)|threats it comes across.
# Anti-malware software programs can be used solely for detection and removal of malware software that has already been installed onto a computer. This type of anti-malware software scans the contents of the Windows registry, operating system files, and installed programs on a computer and will provide a list of any threats found, allowing the user to choose which files to delete or keep, or to compare this list to a list of known malware components, removing files that match.<ref>{{cite
  web|url=https://antivirus.comodo.com/how-antivirus-software-works.php |title=How Antivirus Software Works? |accessdate=2015-10-16}}

  Real-time protection from malware works identically to real-time antivirus protection: the software scans disk files at download time, and blocks the activity of components known to represent malware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many malware components are installed as a result of browser exploits or user error, using security software (some of which are anti-malware, though many are not) to "sandbox"
  browsers (essentially isolate the browser from the computer and hence any malware induced change) can also be effective in helping to restrict any damage done.{{Citation needed|date=March 2013}}

  Examples of Microsoft Windows anti-virus|antivirus and anti-malware software include the optional Microsoft Security Essentials<ref>{{cite web | title=Microsoft Security Essentials | url=http://windows.microsoft.com/en-US/windows/products/security-essentials | publisher=Microsoft |accessdate=21 June 2012}} (for Windows XP, Vista, and Windows 7) for real-time protection, the Windows Malicious Software Removal Tool<ref>{{cite web | title=Malicious Software
  Removal Tool | url=http://www.microsoft.com/security/pc-security/malware-removal.aspx |publisher=Microsoft |accessdate=21 June 2012}} (now included with Windows Update|Windows (Security) Updates on "Patch Tuesday", the second Tuesday of each month), and Windows Defender (an optional download in the case of Windows XP, incorporating MSE functionality in the case of Windows 8 and later).<ref>{{cite web | title=Windows Defender |
  url=http://www.microsoft.com/en-us/download/details.aspx?id=17 |publisher=Microsoft |accessdate=21 June 2012}} Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use).<ref name="PCmag">{{cite web|last=Rubenking|first=Neil J.|title=The Best Free Antivirus for 2014|publisher=pcmag.com|date=8 January 2014|url=http://www.pcmag.com/article2/0,2817,2388652,00.asp}} Tests found some
  free programs to be competitive with commercial ones.<ref name="PCmag" /> Microsoft's System File Checker can be used to check for and repair corrupted system files.

  Some viruses disable System Restore and other important Windows tools such as Task Manager and Command Prompt (Windows)|Command Prompt. Many such viruses can be removed by booting|rebooting the computer, entering Windows safe mode with networking,<ref>{{cite web|title=How do I remove a computer virus?| url=http://windows.microsoft.com/en-US/windows7/how-do-I-remove-a-computer-virus  |publisher=Microsoft |accessdate=26 August 2013}} and then using
  system tools or Microsoft Safety Scanner.<ref>{{cite web| title=Microsoft Safety Scanner| url=http://www.microsoft.com/security/scanner/en-us/default.aspx |publisher=Microsoft |accessdate=26 August 2013}}

  Hardware NSA ANT catalog|implants can be of any type, so there can be no general way to detect them.

  = Website security scans =
  As malware also harms the compromised websites (by breaking reputation, blacklisting in search engines, etc.), some websites offer vulnerability scanning.<ref>{{cite web |url=http://www.unmaskparasites.com/ |title=An example of a website vulnerability scanner |publisher=Unmaskparasites.com |date= |accessdate=19 January 2013}}<ref>{{cite web|url=http://aw-snap.info/file-viewer/ |title=Redleg's File Viewer. Used to check a webpage for malicious redirects or malicious
  HTML coding |publisher=Aw-snap.info |date= |accessdate=19 January 2013}}<ref>{{cite web|url=http://www.google.com/safebrowsing/diagnostic?site=http://google.com/ |title=Example Google.com Safe Browsing Diagnostic page |publisher=Google.com |date= |accessdate=19 January 2013}}<ref name=Google>{{cite web | title= Safe Browsing (Google Online Security Blog) | url=http://googleonlinesecurity.blogspot.jp/2012/06/safe-browsing-protecting-web-users-for.html |accessdate=21 June
  2012}}
  Such scans check the website, detect malware, may note outdated software, and may report known security issues.

  = "Air gap" isolation or "Parallel Network" =
  As a last resort, computers can be protected from malware, and infected computers can be prevented from disseminating trusted information, by imposing an air gap (networking)|"air gap" (i.e. completely disconnecting them from all other networks). However, malware can still cross the air gap in some situations. For example, removable media can carry malware across the gap. In December 2013 researchers in Germany showed one way that an apparent air gap air gap malware|can
  be defeated.<ref>{{cite journal|title=On Covert Acoustical Mesh Networks in Air|first1=Michael|last1=Hanspach|first2=Michael|last2=Goetz|date=November 2013|journal=Journal of Communications|doi=10.12720/jcm.8.11.758-767}}

  "AirHopper",<ref>M. Guri, G. Kedma, A. Kachlon and Y. Elovici, "AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies," ''Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on'', Fajardo, PR, 2014, pp. 58-67. "BitWhisper",<ref>M. Guri, M. Monitz, Y. Mirski and Y. Elovici, "BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations," ''2015 IEEE 28th
  Computer Security Foundations Symposium'', Verona, 2015, pp. 276-289. "GSMem" <ref>GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies. Mordechai Guri, Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky, and Yuval Elovici, ''Ben-Gurion University of the Negev; USENIX Security Symposium 2015''
    and "Fansmitter" <ref>https://arxiv.org/ftp/arxiv/papers/1606/1606.05915.pdf  are four techniques introduced by researchers that can leak data from air-gapped computers using electromagnetic, thermal and acoustic emissions.

   Grayware 
  {{See also|Privacy-invasive software|Potentially unwanted program}}
  Grayware is a term applied to unwanted applications or files that are not classified as malware, but can worsen the performance of computers and may cause security risks.<ref name=autogenerated1>{{cite news |url=http://www.spywareloop.com/news/grayware|title=Grayware in SpyWareLoop.com|author=  Vincentas |newspaper=''Spyware Loop'' |date=11 July 2013 |accessdate=28 July 2013}}

  It describes applications that behave in an annoying or undesirable manner, and yet are less serious or troublesome than malware. Grayware encompasses spyware, adware, dialer#Fraudulent dialer|fraudulent dialers, joke programs, remote desktop software|remote access tools and other unwanted programs that harm the performance of computers or cause inconvenience. The term came into use around 2004.<ref>{{cite web|title=Threat Encyclopedia – Generic
  Grayware|url=http://about-threats.trendmicro.com/us/archive/grayware/GENERIC_GRAYWARE|publisher=Trend Micro|accessdate=27 November 2012}}

  Another term, potentially unwanted program (PUP) or potentially unwanted application (PUA),<ref>{{cite web|title=Rating the best anti-malware solutions|url=http://arstechnica.com/security/2009/12/av-comparatives-picks-eight-antipua-winners/|publisher=Arstechnica|accessdate=28 January 2014}} refers to applications that would be considered unwanted despite often having been downloaded by the user, possibly after failing to read a download agreement. PUPs
  include spyware, adware, and fraudulent dialers. Many security products classify unauthorised key generators as grayware, although they frequently carry true malware in addition to their ostensible purpose.

  Software maker Malwarebytes lists several criteria for classifying a program as a PUP.<ref name="PUP Criteria">{{cite web|title=PUP Criteria |url=https://www.malwarebytes.org/pup/|publisher=malwarebytes.org|accessdate=13 February 2015}}  Some adware (using stolen certificates) disables anti-malware and virus protection; technical remedies are available.<ref name="Casey"/>

   History of viruses and worms 
  Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Apple Macintosh|Macintosh, but they became more widespread with the dominance of the IBM PC and
  MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot-able floppies and thumb drives so they spread rapidly in computer hobbyist circles.{{Citation needed|date=March 2013}}

  The first worms, Computer network|network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Morris worm|Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerability (computing)|vulnerabilities) in network Server (computing)|server programs and started
  itself running as a separate process (computing)|process.<ref>{{cite web |url=https://antivirus.comodo.com/blog/computer-safety/short-history-computer-viruses/ |title= Computer Virus history |author= William A Hendric |date= 4 September 2014 |work= The Register|accessdate=29 March 2015}} This same behavior is used by today's worms as well.{{Citation needed|date=March 2013}}<ref>{{Cite web|url=https://www.easytechguides.com/malware.html#worm|title=Malware: Types,
  Protection, Prevention, Detection & Removal - Ultimate Guide|last=|first=|date=|website=EasyTechGuides|archive-url=|archive-date=|dead-url=|access-date=}}

  With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro (computer science)|macros of its applications, it became possible to write infectious code in the macro language of Microsoft Office Word|Microsoft Word and similar programs. These ''macro virus (computing)|macro viruses'' infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable
  code.{{Citation needed |date=March 2013}}

   Academic research 
  {{Main article|Malware research}}
  The notion of a self-reproducing computer program can be traced back to initial theories about the operation of complex automata.<ref>John von Neumann, "Theory of Self-Reproducing Automata", Part 1: Transcripts of lectures given at the University of Illinois, December 1949, Editor: A. W. Burks, University of Illinois, USA, 1966. John von Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory
  (computer science)|computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann's postulate and investigated other properties of malware such as detectability and self-obfuscation using rudimentary encryption. His doctoral dissertation was on the subject of computer viruses.<ref>Fred Cohen, "Computer Viruses", PhD Thesis, University of Southern California, ASP Press, 1988. The combination of cryptographic technology as part of the payload
  of the virus, exploiting it for attack purposes was initialized and investigated from the mid 1990s, and includes initial ransomware and evasion ideas.<ref>{{cite book |title= Malicious cryptography - exposing cryptovirology| last1= Young |first1= Adam|last2= Yung|first2= Moti|date=2004|publisher= Wiley|pages = 1–392| isbn = 978-0-7645-4975-5}}

   See also 
  {{Columns-list|colwidth=20em|

   Browser hijacking
   Command and control (malware)
   Comparison of antivirus software
   Computer security
   Cyber spying
   File binder
   Identity theft
   Industrial espionage
   Linux malware
   Malvertising
   Phishing
   Riskware
   Web application#Development|Security in Web apps
   Social engineering (security)
   Targeted threat
   Typosquatting
   :Category:Web security exploits
   Web server#Overload causes|Web server overload causes
   Zombie (computer science)
  }}

   References 
  {{reflist|30em}}

   External links 
  {{Wiktionary|malware}}
  {{commons category}}
   {{dmoz|Computers/Security/Malicious_Software|Malicious Software}}
   [http://www.idmarch.org/document/Malware Further Reading: Research Papers and Documents about Malware on IDMARCH (Int. Digital Media Archive)]
   [http://technet.microsoft.com/en-us/sysinternals/Video/gg618529 Advanced Malware Cleaning] – a Microsoft video
  {{Malware}}
  {{Software distribution}}

  {{Portal bar|Information technology|Internet|Computer security}}

  {{Authority control}}

  Category:Malware| 
  Category:Computer security exploits

