Do you REALLY need to know the difference between malware types?

Explaining Malware Types is Hard To Do

One of the stranger perils of being a technical writer involves being ambushed at odd moments by people demanding on-the-spot explanations of complex technical concepts.  I was out on the town one night and somehow found myself having to explain to a not-too-tech-savvy friend how to differentiate between a virus, a trojan and a worm.

After patiently listening to a lengthy, rambling answer, my friend thought it over for a minute and then asked, “So, why should I care? Why is this important to me? Do I really need to know the difference between different types of malwares?

My automatic reaction was to say, “Of course you need to!” – but to my surprise,  I couldn’t coherently express why I felt that way (though to be fair,  I was having trouble thinking clearly about anything that night).

Thinking it over in the sober light of day,  I realized that he’d actually asked a pretty good question. For most computer users, the difference between malware types is academic and irrelevant – at least,  right up until their computer gets infected. If everything’s working just fine, why in the world should they be able to distinguish between an exploit and a backdoor?

A Technical Person’s Answer

To get a expert’s opinion on this,  I relayed my friend’s question to an Analyst in our Response Lab. His reply was (and I’m paraphrasing here):

“Yes,  so that if anything happens, you’d know how the computer got infected, how to deal with the infection, and how to prevent it from spreading.”

Now, that’s the condensed version of a technical person’s answer. The real answer was actually a long, in-depth and detailed explanation covering how certain malware types had specific behaviors and particular vectors for distribution, as well as recommendations for dealing with particular types of infection.

And that there was the problem in a nutshell – it’s a lot of information to absorb. It was a thorough answer, but not an easy one to communicate to people with little interest in technicalities.  Some parts of the explanation also assumed more computer knowledge than most users would probably have or want.

Having said that, I thought the condensed version of our Analyst’s answer seemed like a helpful, ‘user-friendly’ answer. It summarizes all the main points effectively, puts it in a context most users would understand  and – this is important – it isn’t long-winded. I’ll come back to this again a little later.

Why A User Doesn’t Need To Know Malware Types

Trying to find a simple, all-encompassing answer to my friend’s question made me wonder if he really had a point and that users didn’t really need to know something as technical as malware types. So I decided to turn the question around and ask:

“Are there any cases in which ‘the average user’ doesn’t need to know the difference between malware types?”

The following four scenarios were the only ones I could think of where knowing malware types wouldn’t be helpful (if you can think of others, feel free to leave a comment). Of course,  I included some reasons why I think knowing malware types would be helpful even in these situations.

  1. I don’t do anything that might harm my computer.

    If you can honestly claim this, you’re probably what I’d call an Exemplary User: someone who diligently updates the operating system and programs, never installs programs or uses removable media without thoroughly vetting it first, doesn’t download from untrusted sources and basically, just does computer security right.

    An Exemplary User can laugh with scorn at looming malware outbreaks.  If this describes you, great! You can stop reading now. (Heck, you probably know the malware types already, anyway).

    Since the vast majority of users will never qualify for Exemplary Userhood however (myself included), the second best scenario is:

  2. MY computer can’t be infected.

    No, I’m not starting a PC versus Mac debate. What I mean is that even if malware does get onto your computer, it needs to find a suitable environment before it can have an effect. A Linux virus that somehow manages to get onto a Windows machine usually can’t do anything except blush sheepishly. Ditto for a backdoor that uses HTTP to connect to a remote site but ends up on a standalone computer without Internet acess.

    If your computer happens to be set up so that the majority of malware doesn’t target it or affect it (now you can start the PC/Mac debate), then our query becomes moot. Again, congratulations!

    Of course, most people have very little choice in the kind of operating system or programs they have on their computer, particularly business users. Even home users usually have to consider familiarity and affordability over specifically tailoring their computer to be malware resistant. To fix that, most users use antivirus protection. Which leads to reason 3:

  3. Why worry? My antivirus will remove it.

    Actually, since I work for a computer security company, I’d reeeaaally like it if more people could claim this. And hey – shameless plug – our Internet Security is doing pretty well in independent tests!

    Unfortunately, this solution isn’t 100% bulletproof, especially if you’re not an Exemplary User or are just plain unlucky.  Sometimes, the antivirus doesn’t catch the malware. Or it makes an error and the wrong file get fingered, causing all sorts of mayhem. Worse still, the antivirus turns out to be rogueware.

    In other words, the program you’re depending on to sort out all the problems….doesn’t. What then? Ah, then we move on to reason 4:

  4. Not my department. (IT/Tech Support/the computer guy) will just clean out any infection for me.

    OK, so the person fixing an infected computer should be the one with the technical knowledge, true. That person may not be the user, true. If you have someone dependable, willing and trustworthy, who can fix anything that goes wrong…can I have their number? Such a person is a godsend. Treasure him/her.

    Still, even if you’re that lucky, it’s often a great help to the actual technician if the user can pinpoint the probable cause. Knowing what type of dastardly program is screwing around with the computer gives the technician a good place to start investigating, and maybe also some idea of how to fix it.

    Or, to use an analogy, it’s the difference between driving to a workshop and telling the mechanic, “My car’s making a funny sound”, and saying, “The fan belt’s busted.”‘

And the Conclusion Is…

If you’re not in one of the 4 ‘Ideal Situations’ listed above, then it would probably be helpful for you to know the different kinds of malicious programs that can damage your computer, because…well, refer to condensed Analyst’s answer above.

Realistically though, learning about malware types, even superficially, requires investing time and energy that not every user can spare – which is why technical writers (ahem) have to find ways of communicating these concepts in ways that are interesting and easily accessible for everyone. Which brings us back to the condensed Analyst’s answer. It’s short, to the point and gives just enough information without being overwhelming. And if more information is asked for, well that’s the time to start going in-depth.

Personally, I like it – but since my part of my work deals with malware types anyway, I freely admit to being biased about this. So really, the best people to evaluate how useful that answer is – You, dear reader. So how about it? Do you think the condensed Analyst’s answer is a helpful, informative reply?


Oh and since we’re on the topic, here are the Types F-Secure uses to classify the samples – the good, the bad and the merely suspicious. You can also find plenty of other sites with excellent information on this topic – for example, has great articles explaining how trojans, viruses and worms work.

More posts from this topic

Hillary Clinton, email scandal, phishing scam

A phishing scam may hurt Hillary Clinton’s career — could it cost you yours?

This email was one of five phishing scams found in the 6,400 pages of Hillary Clinton's emails released on Wednesday. While there's no confirmation that former First Lady fell for the scam, her political opponents are using it to attack her for the security risks of the unconventional private server she used while in office -- even though a recent report found that 1 of 7 emails received on official U.S. Defense Department servers were either spam, phishing or other malware attacks. Receiving such attacks is inevitable. Cyber criminals have long known that one the best ways to hack into something is to simply ask you for the password. This technique has long relied on the fact that most of are used to entering our credentials so if a site looks trustworthy enough, we'll just type our credentials. From there, the bad guys can use these keys to unlock our digital life. As we've become more savvy in recognizing untrustworthy emails like the one above, criminals have taken advantage of our growing desire to share information about ourselves online to pioneer a more advanced technique called "spear phishing," which usually arrives in the form of a personalized email from an person or business you have a relationship with. This sort of attack was pioneered to hack high-value targets like Clinton. The Russian-backed Dukes group used this method in its 7-year campaign against western interests and others. In our Business Insider blog, Eija offers an inside look at how the CEO of a Finnish startup was the victim of an attempted spear phishing. "However, anyone can be a target..." Eija explains. And if you work in the U.S. government your chances of being hit with a very personalized attack have greatly increased as a result of the recent hack of the Office of Personnel Management. “Every bit of my personal information is in an attacker’s hands right now,"Paul Beckman, the Department of Homeland security’s chief information security officer, said at the Billington Cybersecurity Summit in September. "They could probably craft my email that even I would be susceptible to, because they know everything about me virtually.” Beckman said he regularly sends fake phishing emails to his staff to see if they fall for them, and “you’d be surprised at how often I catch these guys.”' Getting caught results in mandatory security training. But even after two or three rounds of instruction, the same people still fall for similar scams. “Someone who fails every single phishing campaign in the world should not be holding a [top secret clearance] with the federal government,” he said. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.” Beckman said he has proposed that those who prove they cannot detect a scam be stripped of their clearance, which could limit their career possibilities or even cost them a job. If you're the CEO of a startup, you recognize that security of your business is essential to your success. But if you're just an employee, your incentives for protecting intellectual property are nowhere as strong. Criminals only need one victim to make one mistake to succeed. So what are employers to do when education just isn't good enough? How about positive reinforcement for those who successfully avoid a scam? The truth is we're all only as secure as our training and focus. Organizations need to work on the best methods for developing both. Whether it's at work or at home or in the U.S. State Department, you're likely to be faced with a phishing attempt before long. Here's basic guidance from Eija on how to avoid being hooked: Be vigilant when entering your password anywhere Enable two-factor authentication Use Google’s built-in Security Checkup and Privacy Checkup tools Periodically review forwarding and mail filter settings, Connected apps & sites, Devices and Activities, shared files Disable POP and IMAP access if you don’t need them for a desktop or mobile client Cheers, Sandra

September 29, 2015
The Dukes

“The Dukes” – Ask the Experts

Last week, F-Secure Labs published a new study that provides a detailed analysis of a hacking group called “the Dukes”. The Dukes are what’s known as an advanced persistent threat (APT) – a type of hacking campaign in which a group of attackers is able to covertly infiltrate an organization’s IT network and steal data, often over a long period of time while remaining undetected. The report provides a comprehensive analysis of the Dukes’ history, and provides evidence that security researchers and analysts say proves the various attacks discussed in the report are attributable to the Duke group. Furthermore, the new information contained in the report strengthens previous claims that the group is operating with support from the Russian government. Mikko Hypponen has said that attacker attribution is important, but it’s also complex and notoriously difficult, so the findings of the report have considerable security implications. I contacted several people familiar with the report to get some additional insights into the Dukes, the research, and what this information means to policy makers responsible for issues pertaining to national cybersecurity. Artturi Lehtiö (AL) is the F-Secure Researcher who headed the investigation and authored the report. He has published previous research on attacks that are now understood to have been executed by the Dukes. Patrik Maldre (PM) is a Junior Research Fellow at the International Center for Defense and Security, and has previously written about the Dukes, and the significance of this threat for global security. Mika Aaltola (MA) is the Program Director for the Global Security research program at the Finnish Institute for International Affairs. He published an article of his own examining how groups like the Dukes fit into the geopolitical ambitions of nations that employ them.   Q: What is the one thing that people must absolutely know about the Dukes? PM: They are using their capabilities in pursuit of Russian strategic interests, including economic and political domination in Central and Eastern Europe, as well as the Caucasus region, and a return to higher status at the international level. AL: They are a long-standing key part of Russian espionage activity in the cyber domain. MA: The geopolitical intention behind the vast majority of targets. Q: We now know the Dukes are responsible for a number of high profile attacks, and seemingly target information about politics and defense. But what kind of information might they obtain with their attacks, and why would it be valuable? AL: They might obtain information like meeting notes, memos, plans, and internal reports, not to mention email conversations. In essence, the Dukes aim to be a fly on the wall behind the closed doors of cabinets, meeting rooms, and negotiating tables. PM: The targets of the Dukes include government ministries, militaries, political think tanks, and parliaments. The information that can be gained from these organizations includes, among other things, sensitive communication among high-level officials, details of future political postures, data about strategic arms procurement plans, compromising accounts of ongoing intelligence operations, positions regarding current diplomatic negotiations, future positioning of strategic military contingents, plans for future economic investments, and internal debates about policies such as sanctions. MA: The targets are high value assets. Two things are important: data concerning the plans and decisions taken by the targeted organizations. Second, who is who in the organizations, what are the key decision-making networks, what possible weaknesses can be used and exploited, and how the organization can be used to gain access to other organizations. Q: The Dukes are typically classified as an APT. What makes the Dukes different from other APTs? MA: APT is a good term to use with the Dukes. However, there are some specific characteristics. The multi-year campaigning with relatively simple tools sets Dukes apart from e.g. Stuxnet. Also, the Dukes are used in psychological warfare. The perpetrators can even benefit from they actions becoming public as long as some deniability remains. AL: The sophistication of the Dukes does not come as much from the sophistication of their own methods as it comes from their understanding of their targets’ methods, what their targets’ weaknesses are, and how those can be exploited. PM: They are among the most capable, aggressive, and determined actors that have been publicly identified to be serving Russian strategic interests. The Dukes provide a very wide array of different capabilities that can be chosen based on the targets, objectives, and constraints of a particular operation. They appear to be acting in a brazen manner that indicates complete confidence in their immunity from law enforcement or domestic oversight by democratic bodies. Q: There are 9 distinctive Duke toolsets. Why would a single group need 9 different malware toolsets instead of just 1? AL: The Dukes attempt to use their wide arsenal of tools to stay one-step ahead of the defenders by frequently switching the toolset used. MA: They are constantly developing the tools and using them for different targets. Its an evolutionary process meant to trick different “immunity” systems. Much like drug cocktails can trick the HIV virus. PM: The different Duke toolsets provide flexibility and can be used to complement each other. For example, if various members of the Dukes are used to compromise a particular target and the infection is discovered, the incident responders may be led to believe that quarantines and remediation have been successful even though another member of the Dukes is still able to extract valuable information. Q: Many people reading this aren’t involved in geopolitics. What do you think non-policy makers can take away from this whitepaper? AL: This research aims to provide a unique window into the world of the Dukes, allowing people not traditionally involved with governmental espionage or hacking to gauge for themselves how their lives may be affected by activity like the Dukes. PM: It is important for people to understand the threats that are associated with these technological developments. The understanding of cybersecurity should grow to the point where it is on par with the wider public’s understanding of other aspects of international security, such as military strategy or nuclear non-proliferation. This knowledge is relevant for the exercise of fundamental liberties that are enjoyed in democratic societies, including freedom of speech, freedom of the press, freedom of association, as well as of basic rights such as voting in elections. MA: The geopolitical intent is clearly present in this activity. However, the developments in this realm affects other types of cyber-attacks. Same methods spread. There is cross-fertilization, as in the case of Stuxnet that was soon adapted for other purposes by other groups.   F-Secure’s Business Security Insider blog recently posted a quick breakdown on how the Dukes typically execute their attacks, and what people can do to prevent becoming a victim of the Dukes or similar threats. Check it out for some additional information about the Dukes.

September 22, 2015
The Dukes, Russian cyber attacks, ATP attacks, Russian hackers

F-Secure report details Russian cyber attacks on the U.S., NATO and others

Much of the world woke to headlines Thursday morning featuring revelations from a new F-Secure whitepaper on an advanced-persistent threat (ATP) group known as “the Dukes”. In our News from the Labs blog, Labs researcher Artturi Lehtiö wrote: We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The reports note that the targets include many entities that the Russian government isn't particularly friendly with: "The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.” The Verge's Russell Brandom walked through the evidence that led to the Labs' conclusion that the attacks are likely Russian-backed: "A Russian-language error message was found within one part of the code base, and the group operating the programs seemed to act largely within working hours on Moscow time — suggesting the group was Russian, although not necessarily aligned with the Russian government. From there, F-Secure looked at the group's targets and apparent resources. Duke's growth suggested a steady flow of resources aimed at a string of government-related targets: embassies, parliaments, and ministries of defense. Notably, the group never targeted the Russian government. Even after security firms made their activities public, the Duke group didn't change tactics, suggesting they weren't concerned about being apprehended." ArsTechnica's Sean Gallagher explicated the evidence and noted the Labs' conclusion, "Such an organization operating in Russia would most likely require state acknowledgement, if not outright support." Artturi explained to Brandom that recent attacks on White House and the State Department appear to be linked the attacks detailed in his report: "The US State Department and White House are both the type of organizations that we know the Dukes primarily target. Based on what has been reported in the news, we believe it is possible that the Dukes are also behind the recent compromises of the State Department and the White House." Jarno Limnell, a professor of cybersecurity at Finland's Aalto University,told the International Business Times' David Gilbert that he fears that if this report is true, escalation is inevitable: "Losing digital information is so important for a society's competitiveness, I think we are not far from the situation where response to cyberespionage will be physical." "It is, of course, the most recent in a long line of reports linking Russia to significant cybercrime," Gizmodo's Jamie Condliffe wrote. "How it’s stopped remains anyone’s guess." We, of course, are not so pessimistic. NBC News' Arjun Kharpal highlighted described the somewhat sophisticated social engineering used to mask the infection: "The Duke group mainly uses 'spear-phishing' to attack victims – a tactic that involves sending an email with a malicious web link. Often the group would use decoys – image files or videos – to distract a victim during the infection process and malicious activity taking place. In one instance, a video of a TV commercial showing monkeys at an office was sent." Advanced threats are most likely to target organizations that are protecting high value data. Generally, but not always, these groups, especially governments, have the resources in order to prevent easy access to hackers. In our Business Insider blog, Eija wrote: "It is clear that educating employees is one very important tool in trying to fight spear-phishing campaigns such as these. Employees exposed to threats of phishing and watering holes need to understand these risks, and to learn to recognize the most common tactics employed to distract the user. These employees also need to have the best protection against phishing and watering hole attacks, and so organizations need to make sure they’re providing security strong enough to mitigate these kinds of attacks." F-Secure Cyber Security Advisor Erka Koivunen notes that smart security can prevent many risks: Why use macro-enabled Office documents that the recipient is just expected to accept, or PDF files that include JavaScript for no obvious reason? Cutting down on these types of insecure practices would easily help minimize the attack surface available for the criminals.

September 17, 2015