
Malware 101: Potentially unwanted programs
Malware is a portmanteau of malicious software, and while the vast majority of malware is indeed malicious, a few types fall into a gray area and are more annoying or potentially dangerous than outright malicious. Much like the distinction most people draw between spam and phishing, they are still things that anti-malware software tries to block (just as email protection software typically tries to block spam as well), but their impact is less harmful than that of most other malware.
One of the more generic labels for this sort of software is PUP (potentially unwanted program). PUPs typically exhibit suspicious behaviors or may have been installed through less deceitful trickery than the typical Trojan, but they haven't done anything to specifically harm the user, device, or network. PUPs might collect more usage data than Facebook and Google combined while not specifically going after sensitive information like spyware would. PUPs might be in the form of a browser toolbar or a second application bundled with software you intended to install. The main commonality is that most users would not want the PUP installed if they knew all the information about it and were asked in a very direct way if they wanted it. A layer of user deception is common with PUPs.
Adware
A specific type of PUP common enough to warrant its own type label is adware. Adware, as the name suggests, displays advertisements to a user. This may be through popping up windows in the operating system directly, injecting ads into other software (such as the software the user intended to install), or by hijacking the advertising space already being displayed on web pages to show different ads.
While any software that includes advertisements could fall under the adware label, from a malware standpoint it becomes more of a concern when these ads are particularly intrusive or additionally collect a large amount of usage data. The reputation of the ad networks being used is also a factor because ad networks lacking proper security and content validation could lead to malicious ads being served to users, which in turn could lead to more dangerous malware attacks.
FakeAV
Perhaps the counterfeit COVID test of malware, FakeAV pretends to be legitimate antivirus software. Often going so far as to mimic the effects of a more serious malware infection on the system, FakeAV will claim that a system is infected with malware in an attempt to get the user to buy a software license in order to remediate the nonexistent malware it claims is on the system.
Aside from decreasing system performance in this simulation, FakeAV doesn't do anything particularly malicious to the system it is on but rather relies on scamming the user into buying the software. Much like with some adware, frequent and obtrusive popup windows are quite common with FakeAV.
Hacktools
Unlike other PUPs that don't necessarily do anything as malicious as most other malware, hacktools are generally malicious software used by penetration testers. While some hacktools are packaged in and used by other malware, the hacktool alone will generally require a user or program to activate any malicious functionality. The hacktool label helps differentiate the software from other malware so that anyone who knowingly downloaded and/or installed it can disable the alert, while others can be notified that something potentially dangerous is on their device.
Obviously penetration testers aren't the only ones using such tools — they’re not even the largest demographic — but regardless it is common for the user to know about and want the hacktool on their system. From a network defense perspective, however, hacktools being detected could be indications of an attacker in the system intending to use those tools against it, so it is nothing to ignore. Given that many hacktools are obtained from less than reputable sources, it is also always possible that other malware such as a backdoor is hidden within the hacktool.
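One way a defender might route these detections, as an added example that is not from the original article: hacktool alerts are acknowledged only on hosts where they are knowingly installed and escalated everywhere else, while other PUP categories are simply queued for removal. The host names, paths, allowlist and category labels are constructed assumptions, not any vendor's naming scheme.

```python
from collections import defaultdict

# Constructed allowlist of hosts where staff knowingly keep hacktools (assumption).
APPROVED_HACKTOOL_HOSTS = {"pentest-lab-01"}

# Categories from the article that are unwanted but not an intrusion signal.
NUISANCE = {"pup", "adware", "fakeav"}

# Constructed detection events; labels follow the article's taxonomy,
# not any anti-malware vendor's naming scheme.
SAMPLE_EVENTS = [
    {"host": "pentest-lab-01", "category": "HackTool", "path": "C:/tools/example-scanner.exe"},
    {"host": "finance-ws-17", "category": "HackTool", "path": "C:/Users/Public/example-tool.exe"},
    {"host": "finance-ws-17", "category": "Adware", "path": "C:/Program Files/ExampleBar/bar.dll"},
    {"host": "hr-ws-03", "category": "FakeAV", "path": "C:/ProgramData/ExampleShield/scan.exe"},
    {"host": "hr-ws-03", "category": "Unknown", "path": "C:/Temp/example.bin"},
]


def triage(event, approved_hosts=APPROVED_HACKTOOL_HOSTS):
    """Map one detection to an action: acknowledge, escalate, remove or review."""
    category = event["category"].strip().lower()
    if category == "hacktool":
        # Knowingly installed: record it without alerting. Anywhere else it
        # may indicate an attacker staging tools, so it goes to an analyst.
        return "acknowledge" if event["host"] in approved_hosts else "escalate"
    if category in NUISANCE:
        return "remove"
    return "review"  # unrecognised label: let a human decide


def plan(events, approved_hosts=APPROVED_HACKTOOL_HOSTS):
    """Group detected paths by action and host: plan[action][host] -> [paths]."""
    actions = defaultdict(lambda: defaultdict(list))
    for event in events:
        actions[triage(event, approved_hosts)][event["host"]].append(event["path"])
    return {action: dict(hosts) for action, hosts in actions.items()}


def hosts_to_investigate(events, approved_hosts=APPROVED_HACKTOOL_HOSTS):
    """Hosts with at least one hacktool detection outside the allowlist."""
    return sorted(plan(events, approved_hosts).get("escalate", {}))


if __name__ == "__main__":
    for action, hosts in plan(SAMPLE_EVENTS).items():
        print(action, hosts)
```

An acknowledged detection is still recorded rather than dropped, since a hacktool obtained from a less than reputable source may itself hide other malware.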
Evolving objectives
While the types of infection and propagation methods tend to remain the same, objectives and evasion (which is the next section of this series) are diverse and constantly evolving. I'm sure there are many objectives out there that were not covered, but these should include the vast majority of objectives worth being familiar with right now.
Much like malware combines infection methods with objectives and sometimes propagation methods, objectives themselves are often combined to achieve multiple tasks with the same malware or adapt to a wider variety of systems. The goals and objectives of malware are the most important part to attackers, but achieving those requires using a variety of other techniques while evading security software.
You can read the rest of the Malware 101 series here.
