The Many Faces of Malware: A Tour of Real-World Samples
Most people never come face-to-face with malware, but having tested security software at PCMag for decades, I’m not most people. Let’s take a deep dive into the dark web to see what malware actually looks like.
Unless you’re a wretched victim of ransomware, you’ve probably never had a close-up view of a virus, Trojan, or other malicious software. Even if you ignored common wisdom and visited dangerous websites or clicked treacherous links, your antivirus software probably wiped out any offending program on sight. So, you might wonder, just what does malware look like? Would you even recognize a malware program if you saw it?
In truth, a lot of malicious programs don’t look like anything at all. A virus, for example, tries its best to hide from view while infecting other files and computers. A bot sits quietly on your computer until it gets orders from the command and control center to spew some spam or participate in a DDoS attack on a major website. Trojans, by contrast, appear to be useful, legitimate programs, putting up a pretty facade to hide background activities like stealing your personal data. And when ransomware hollers for your attention, it’s bad news.
In the process of gathering and analyzing new samples for my hands-on malware protection tests, I’ve seen all these variations. I start with thousands of malware-hosting URLs, download their nasty payloads, and put them through their paces. In the course of testing, I play the fool, launching unknown files, clicking through to let them install, and giving them any permissions they request. This article showcases some of the oddities I’ve encountered in my latest quest for the best worst test samples.
The Horror of Ransomware
If a ransomware attack targets your computer, you won’t know until it’s too late. The ransomware stays out of sight, quietly encrypting your important files. Once the dirty work is done, the malware demands your full attention with its ransom note. The perpetrators promise that if you pay the specified ransom (usually in Bitcoin or some other hard-to-trace currency) you’ll get your files back, but if they take your money and run, you can’t exactly report them to the Better Business Bureau. You really don’t want a direct encounter with ransomware.
The ransomware called Petya, shown above, doesn’t merely encrypt your files. It fakes a blue-screen error and then fakes a lengthy CHKDSK recovery upon reboot. But it’s not recovering your data—it’s encrypting your disk. When finished, it flashes a garish ASCII-art skull to get your attention. Press any key and you get the bad news, along with instructions for paying the ransom.
Screen locker malware doesn’t encrypt your files. It just covers up the desktop and all programs, so you can’t use your computer. Often such attacks claim to be from some division of law enforcement, demanding that you pay a fine in untraceable currency. In some cases, you can call such ransomware’s bluff with simple recovery techniques. Of course, you’re better off using ransomware protection and avoiding the need to recover from it.
If you’re going to have your computer access locked away, maybe it’s better when it’s done beautifully? The screen locker shown above, while just as problematic as an ugly one, at least gives you flowers and a pretty anime girl. I defeated this one easily, which the perpetrators may have expected, given that the filename is ForNowLock.exe, not ForeverLock.exe.
Foreign Installers Aren’t for You
Malware doesn’t respect national boundaries. Wherever there are people, whatever language they speak, you’ll find malware trying for a foothold. If you happen to get hit with a Trojan meant for China, or Vietnam, or Brazil, you should certainly reject the installer, just as folks in China or Brazil may reject a purely English-language install program.
This colorful montage pulls together four of the many foreign-language installers I encountered on my latest hunting trip. There’s nothing special about this group except for the fact that they fit together nicely. Acting like a proper fool, I clicked through each installer all the way to the end. You’re smarter than that.
Want Some Malware Bundled With Your Order?
Sometimes the problem with an installation isn’t the program itself, but the software that’s bundled with it. You may find completely legitimate software—even antivirus programs—bundled with adware, spyware, or other unwanted trash. In a case like that, the security vendor isn’t to blame. A third party created the deceptive bundle. AppEsteem is a young company with a mission to expose these deceptions and to warn legitimate companies when they stray too far toward the dark side of bundling.
The installer shown here installs two legitimate security programs, but the main program is a BitTorrent client with unwanted behaviors. The best thing that can happen with this kind of bundling is that you’re forced to install a program you didn’t want.
Now here’s something handy: a multi-utility install program. If you read Russian, you know it’s “the fastest and most convenient way to install programs.” Just check the boxes for the ones you want and turn the installer loose. The list includes browsers, messenger programs, video players, even antivirus utilities. But when you install them, you also get a dose of malware.
Trojan Horses Open Your Gates to Malware
The historical Trojan Horse was a literal wooden horse, a “gift” from the Greek army besieging Troy. When the Greeks seemingly gave up and left, the Trojans brought the horse inside the city walls as a victory trophy. Unlike Monty Python’s King Arthur, the Greek troops remembered to hide inside the horse. When nightfall came, they slipped out and opened the city gates, letting in the rest of the Greek army.
Modern Trojan Horses are made of bits and bytes, not wood, and they breach your PC’s gates to release malware, not soldiers. But they’re still big trouble.
Here, we have a sharp-looking utility designed, apparently, to ensure that your PC doesn’t limp along with old, outdated drivers. However, if you try to update any drivers, or back up your existing drivers, you must pay. This is a model used both by some legitimate programs and by rogue antivirus scareware utilities. Lucky you, though: There’s a promotional price that ends today. I couldn’t determine exactly what chicanery this Trojan perpetrated in the background, but its overt activities are just a wee bit suspicious.
Want to get into smartphone repair? This set of tools and manuals looks like it might be a big help. Alas, you can’t see just what you’re getting until you pay for your registration. While you’re perusing schematics, it collects personal information behind the scenes and takes orders for further unwanted activity from a remote command and control server.
Fun and Games
Over the years, every time I’ve slung my net to capture new malware samples, I’ve always reeled in a few with a similar dramatic appearance. They typically display a highly detailed image of a sword-wielding warrior, a scantily clad sorceress, or some other game character, along with a screenful of information and prompts in Chinese. Yes, they come burdened with adware, but they are quite striking.
Dropping the image above on the OCR image translator from Yandex reveals phrases like “Big Broadcast” and “Medium VIP.” Perhaps of more interest are the advice nuggets across the bottom edge. According to Yandex, they read, “Paper-made bad games, refuse pirated games, pay attention to protecting yourself, beware of being fooled, moderate games, benefit brain flow, betting games, hurt the body, reasonably arrange time to enjoy a healthy life.” Got that?
These game-related artworks show up often, as you can see in this montage. Most of them simply invite you to register or log in (and thereby suffer unwanted advertising). They typically come with a moderately clean bill of health from VirusTotal, with perhaps 20 of 70 engines flagging them as unwanted. They’re not useful for our testing, but they certainly provide an aesthetic interlude.
Let’s Hope You Don’t See These
As you can see, malicious programs, like legitimate programs, run the gamut in appearance from sad-looking and lame to totally professional. With any luck, and with powerful, up-to-date antivirus protection, these images are the only malware you’ll ever see. You should also check out our tips for staying secure online; malware is just one of many threats to your devices and private information.
Originally published at https://www.pcmag.com.