Virus = Malware? Like calling every insect a "mosquito"!

(To Bruno Riccio)
24/01/25

In the world of cybersecurity, the terms "virus" and "malware" are often used interchangeably, and this confusion is especially common among newcomers and those unfamiliar with the technical terminology. Although both pose threats to computer systems, it is important to understand the differences between the two concepts.

A virus is a type of malware, but not all malware is a virus. The most common mistake is to define every type of computer threat as a virus, when in reality there are many other types of malicious software that fall into the broader category of malware.

This confusion is understandable for a non-expert user who does not feel the need to distinguish between the individual variants. However, having a clear understanding of the difference between viruses and malware is vital for anyone who works, even sporadically, in the sector.

MALWARE

"Malware" is defined as any program created with the sole purpose of causing more or less serious damage to the computer on which it runs. The term is a contraction of the English words "malicious" and "software" and therefore literally means "malicious program".

Nowadays "malware" has become a generic term used to describe the entire family of hostile or intrusive software; although many subcategories exist, it is usually divided into seven main types: viruses, worms, Trojan viruses, spyware, adware, fileless malware and ransomware.[1] Malware can be obvious and easy to identify, as its damage is easily seen, or it can be very well hidden and nearly impossible to detect, at least in the short term.

VIRUS

A "virus" is a malicious executable code attached to another legitimate file, such as a Word file; it can be activated immediately, at a specific time or date.

Computer viruses usually spread in three ways: from removable media, from downloads and from email attachments. Viruses can be harmless and "playful", or they can be destructive, such as those that modify or delete data. A boot-sector or file-system virus infects USB flash drives and can spread to the system's hard drive. Once a program virus is active, it typically infects other programs on the user's computer or on other computers on the network.

"Brain”, the first true PC virus (MS-DOC), began infecting 5,25-inch floppy disks in 1986. It was the work of two brothers, Basit and Amjad Farooq Alvi2, who ran a computer shop in Pakistan. Tired of customers making illegal copies of their software, they decided to teach them a lesson and develop Brain, which replaced the boot sector of their programs' floppy disk with a virus. The virus, which was also the first virus Stealth, contained a message from copyright hidden, but did not actually damage any data. The virus presented itself with an image containing the brothers' address, three phone numbers, and a message telling the user that their machine was infected and that they needed to call them to fix the problem (the opening image shows the boot screen containing the "Brain" virus)

The easiest way to differentiate computer viruses from other forms of malware is to think of viruses in biological terms; the flu virus, for example. Influenza requires some sort of interaction between two people to get it, such as shaking hands, kissing, or touching something an infected person has touched. Once the flu virus enters a person's system, it attaches itself to healthy human cells, using those cells to create more virus cells.

A computer virus works more or less the same way:

  • A computer virus requires a host program;
  • A computer virus requires user action to transmit from one system to another;
  • A computer virus attaches bits of its own malicious code to other files or replaces files directly with copies of itself.

It is that second characteristic of the virus that tends to confuse people. Viruses cannot spread without some sort of action by a user, such as opening an infected Word document. Worms, on the other hand, are capable of spreading themselves across systems and networks, making them much more widespread and dangerous.
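Since a file-infecting virus works by modifying the host programs it attaches to, the classic defensive counterpart is a hash baseline: record a digest of every trusted file, then later recompute and report anything that changed, appeared or disappeared. The following is an added example written for this article, not code from the original page; the two "programs", the appended bytes and the dropped file are constructed test data, and the function names are my own.

```python
"""Baseline-and-compare integrity check for host programs.

A virus attaches its code to executables, so any unexplained change to a
trusted file is the signal worth alerting on. Added example; the sample
files below are constructed, not real programs.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Recompute digests and return {'modified', 'added', 'missing'} lists."""
    current = build_baseline(root)
    modified = sorted(
        name for name in baseline
        if name in current and current[name]["sha256"] != baseline[name]["sha256"]
    )
    added = sorted(name for name in current if name not in baseline)
    missing = sorted(name for name in baseline if name not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: two fake programs; one later gets bytes appended."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "editor.exe").write_bytes(b"MZ\x90\x00 fake program body")
        (root / "viewer.exe").write_bytes(b"MZ\x90\x00 another fake program")
        base = build_baseline(root)
        # Simulated tampering (constructed data): the host program grows by an
        # appended blob, which is exactly the kind of change a baseline catches.
        with open(root / "editor.exe", "ab") as fh:
            fh.write(b"APPENDED-BYTES")
        (root / "dropped.tmp").write_bytes(b"new file")
        return compare(base, root)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `editor.exe` as modified and `dropped.tmp` as added while `viewer.exe` stays silent; in practice the baseline is stored off-host (or signed) so that whatever modified the program cannot also rewrite the record of what the program used to look like.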

Worms

A worm is a form of malware that replicates itself and can spread to multiple computers over a network. While a virus needs a host program to run, worms "execute themselves", although the two share similar behaviour patterns. The main effect of worms is to consume system resources, such as memory and bandwidth, and slow the system down to the point where it stops responding. Many of them have been isolated and are now routinely detected and removed by most major antivirus software. However, new worms are developed almost every day and can sometimes go unnoticed by the user until it is too late.

There is no universal classification of computer worms, but they can be organized into three types based on the attack vector.

The common types are as follows:

1. Internet Worms

Besides computer networks, worms also target popular websites with insufficient security. Once they have infected the site, Internet worms can replicate themselves on any computer used to access it. From there, Internet worms spread to other computers reachable via the Internet and local network connections.

2. E-Worm or Email Worm

Email worms are often distributed via compromised email attachments. They usually have double extensions (for example, .mp4.exe or .avi.exe) so that the recipient thinks that they are media files and not malicious computer programs. When victims click on the attachment, copies of the same infected file will be automatically sent to the addresses in their contact list.

An email message may not contain a downloadable attachment to distribute a worm. Instead, the body of the message may contain a shortened link so that the recipient cannot tell what the link is about without clicking it. When the link is clicked, the victim will be taken to an infected website that will automatically begin downloading malicious software to the host's computer.
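The double-extension trick described above (".mp4.exe", ".avi.exe") is easy to screen for on the receiving side, because the disguise depends on the recipient reading only the inner extension while the operating system acts on the final one. The block below is an added example written for this article, not code from the original page; the extension sets are my own constructed lists, not an exhaustive policy, and the sample batch of attachment names is made up.

```python
"""Screening attachment file names for the double-extension disguise.

Added example. A mail gateway or client-side filter can refuse names whose
final extension is executable, and flag separately the ones where a media or
document extension sits right before it, since that pairing is the worm's
disguise rather than an honest program. The extension sets are constructed.
"""

# Final extensions that Windows and common mail clients will run as code.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "jar",
}
# Extensions a recipient reads as "harmless media or document".
DECOY_EXTENSIONS = {
    "mp4", "avi", "mov", "mp3", "wav", "jpg", "jpeg", "png", "gif",
    "pdf", "doc", "docx", "xls", "xlsx", "txt",
}


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason) for one attachment name.

    verdict is 'disguised-executable', 'executable', 'no-extension' or 'allowed'.
    """
    # Normalise: case-insensitive, and drop padding spaces around each part,
    # which are sometimes used to push the real extension out of view in a
    # narrow mail-client column ("notes.txt         .js").
    name = filename.strip().lower()
    parts = [p.strip() for p in name.split(".")]
    parts = [p for p in parts if p != ""]
    if len(parts) < 2:
        return "no-extension", "name carries no extension at all"
    final = parts[-1]
    if final not in EXECUTABLE_EXTENSIONS:
        return "allowed", f"final extension .{final} is not executable"
    # Final extension is executable; is a decoy placed right before it?
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return ("disguised-executable",
                f".{parts[-2]}.{final} hides an executable behind a media/document extension")
    return "executable", f"final extension .{final} is executable"


def screen_attachments(filenames: list) -> list:
    """Return (name, verdict, reason) for every attachment that should be blocked."""
    flagged = []
    for name in filenames:
        verdict, reason = classify_attachment(name)
        if verdict in ("disguised-executable", "executable"):
            flagged.append((name, verdict, reason))
    return flagged


# Constructed sample batch, as a mail gateway might see it.
SAMPLE_ATTACHMENTS = [
    "holiday.mp4.exe",
    "Invoice.PDF.scr",
    "photo.jpg",
    "archive.tar.gz",
    "setup.exe",
    "README",
    "notes.txt         .js",
]

if __name__ == "__main__":
    for entry in screen_attachments(SAMPLE_ATTACHMENTS):
        print(entry)
```

Note that `archive.tar.gz` is left alone: a double extension by itself is not the signal, an executable final extension is. The decoy check only refines the verdict so that an alert can say "this was built to look like a video" rather than merely "this is a program".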

3. Instant Messaging Worm

Instant messaging worms are similar to email worms, the only difference being their distribution method. Again, they are disguised as attachments or clickable links to websites. They are often accompanied by short, catchy messages such as "You can't miss this offer" or "You have to see this!" to trick the victim into thinking that there may be an immediate source of "profit" in clicking on such an offer.

When the user clicks on the link or attachment, be it WhatsApp, Skype, Instagram or any other popular messaging app, the exact same message will then be sent to their contacts. Unless the worm has replicated itself on their computer, users can resolve this issue by changing their password.

The "Morris" worm (pictured: a floppy disk containing the source code of the Morris worm, housed at the Computer History Museum in Mountain View, California) was created by a 23-year-old student at Cornell University in Ithaca named Robert Morris. He had spent his early childhood working with computers and writing code, and at school he was known as a "nerd". Morris worked in a very different environment from today's. In 1998, there were fewer than 100 connected machines, and most online organizations seemed to trust each other; there were few passwords, and everyone wanted to get along; in short, there was little malice.

The security issues are clear and obvious in a system like this, and Morris intended to highlight them. He just wanted his worm to reveal how quickly an attack could spread, but he made a devastating coding mistake.

The Morris worm was structured as follows: it asked each computer it encountered whether it already had a copy of the code, which gave two possible answers.

  • "No". The computer is not yet infected, so the code is copied there and executed.
  • "Yes". The computer is already infected, so the worm is not copied.

This algorithm seems innocent, but Morris worried that the few smart programmers around him, noticing the worm's simple modus operandi, would make every computer answer "yes" in order to keep it from being infected.

So Morris modified the code so that after seven "Yes" answers the worm would duplicate itself anyway. Many machines ended up with multiple copies of the code running at the same time, their performance slowed to a crawl, and some systems crashed altogether.
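The two rules just described can be compared in an abstract model, which makes visible why the amendment, rather than the worm's spread, was what exhausted machines. The following is an added example written for this article, not code from the page or from the worm: each running copy probes one random host per round and asks "already infected?"; under the naive rule a copy never lands on an infected host, so every host ends up with at most one copy, while under the amended rule a copy that has been told "yes" seven times copies itself anyway, so copies keep multiplying long after every host is infected. The host count, round count and seed are constructed parameters.

```python
"""Epidemic model of the two Morris worm policies (added example).

Hosts are indices 0..hosts-1; there is no network I/O. The model only counts
how many copies end up running per host under each rule.
"""
import random
from typing import Optional

REINFECT_AFTER = 7   # the page's "after seven 'Yes' answers" rule
MAX_COPIES = 5000    # safety cap so the simulation always terminates


def simulate(hosts: int, rounds: int, reinfect_after: Optional[int], seed: int = 1) -> dict:
    """Run the model and return {'infected_hosts', 'total_copies', 'max_per_host'}.

    reinfect_after=None is the naive rule: never copy onto an infected host.
    """
    rng = random.Random(seed)
    copies_on = [0] * hosts          # running copies per host
    running = [(0, 0)]               # (host_index, consecutive 'yes' answers)
    copies_on[0] = 1                 # patient zero
    for _ in range(rounds):
        spawned = []
        for i, (host, yeses) in enumerate(running):
            target = rng.randrange(hosts)
            if copies_on[target] == 0:
                # "No": the target is clean, so a new copy starts there.
                copies_on[target] += 1
                spawned.append((target, 0))
            else:
                # "Yes": the target already runs a copy.
                yeses += 1
                if reinfect_after is not None and yeses >= reinfect_after:
                    # The amendment: copy anyway, which is what overloads hosts.
                    copies_on[target] += 1
                    spawned.append((target, 0))
                    yeses = 0
                running[i] = (host, yeses)
        running.extend(spawned)
        if len(running) >= MAX_COPIES:
            break
    return {
        "infected_hosts": sum(1 for c in copies_on if c > 0),
        "total_copies": len(running),
        "max_per_host": max(copies_on),
    }


def compare_policies(hosts: int = 50, rounds: int = 30, seed: int = 1) -> dict:
    """Same seed and network size: naive rule versus the seven-'yes' rule."""
    return {
        "naive": simulate(hosts, rounds, None, seed),
        "morris": simulate(hosts, rounds, REINFECT_AFTER, seed),
    }


if __name__ == "__main__":
    for name, stats in compare_policies().items():
        print(name, stats)
```

Under the naive rule the total number of copies can never exceed the number of hosts, so a fully infected network is a stable state. Under the amended rule every copy is being told "yes" once per round once the network is saturated, so the copy count roughly doubles every seven rounds with no upper bound other than the hosts falling over; the cap in the model stands in for that crash.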

The worm did not damage or destroy any files, but it still caused a fair amount of trouble. Network functions, both at military sites and at universities, were slowed. Email delivery was delayed for days. The computer community worked to understand how the worm operated and how to remove it. Some institutions wiped their systems; others disconnected their computers from the network for more than a week. The exact damage was difficult to quantify, but estimates ranged from a hundred thousand dollars to millions.

The reaction was swift and severe, and Morris became the first person convicted under the "Computer Fraud and Abuse Act", a U.S. computer security law enacted in 1986 as an amendment to the existing computer fraud law, the "Comprehensive Crime Control Act of 1984". He was sentenced to three years of probation, 400 hours of community service and a $10,050 fine, plus the costs of his supervision.[3]

The incident had a huge impact on a nation that was just coming to terms with how important and vulnerable computers had become. From that point on, personal computer owners began to take the idea of computer security more seriously. A few days after the attack, for example, the country's first computer emergency response team was created in Pittsburgh under the direction of the Department of Defense. Developers also began writing intrusion detection software, which would become commonly known as antivirus.

At the same time, the Morris Worm inspired a new generation of hackers and a wave of Internet-driven attacks that continue to plague our digital systems to this day. Whether accidental or not, the first Internet attack was a wake-up call for the country and the information age to come.

TROJAN

The definition of a "Trojan" virus does not explain what it does, only how it spreads. Trojan horses always impersonate some kind of legitimate software. A Trojan differs from a virus in that it attaches itself to non-executable files, such as image files, audio files, or games. For example, many Trojan horses pose as updates for common software, such as Adobe Flash. They are commonly classified by the software they "impersonate". Here are some of the most common types of Trojan viruses:

  • Fake Antivirus. This variety is particularly insidious, as the Trojan pretends to be an antivirus, which the average user often regards as the pinnacle of security.
  • Trojan Downloader. These types of malware do nothing inherently harmful on their own. Instead, they are used as tunnels to download other malware.
  • Backdoor Trojan. Backdoors, methods of bypassing normal authentication systems, give outside attackers control over a user's computer.
  • Banking Trojans. Software that takes the form of a keylogger, a type of stealth program that records the keyboard log of a computer, that is, intercepts anything typed on it without the user noticing; all this in order to steal information such as debit card numbers and email and social network accounts.

"Rakhni Trojan”, in circulation since 2013, is one of the most feared Trojans by Windows users. A recent update has granted it the function of cryptojackers (allowing criminals to use the victim device to mine cryptocurrency) to infected computers. "The growth of coin mining in the last months of 2017 has been immense", notes the 2018 Internet Security Threat Report. "Overall coin mining activity increased by 34.000% during the 2017-2018 year."4

Confusing viruses and malware is just like calling every insect a mosquito: a common mistake that risks making us underestimate the variety and complexity of cyber threats.

Knowing the differences is an important first step, but not an end in itself: even more crucial is understanding how these threats work in order to prevent them. Prevention, in fact, is the key to avoid falling victim to attacks that often rely on the ignorance or carelessness of users.

In addition to the distinction between viruses and malware, there are many other nuances in the digital threat landscape that deserve attention. Each type - from worms to Trojans, through spyware and ransomware - has specific characteristics and requires targeted defense approaches. Not dwelling on these differences means not caring about YOUR OWN safety.

[1] What is Malware? Adapted from https://www.cisco.com

[2] Brain, the first computer virus. Adapted from https://www.thevintagenews.com/

[3] Ruling of the United States Court of Appeals for the Second Circuit, "United States v. Robert Tappan Morris". Adapted from https://www.justice.gov/osg/brief/united-states-v-philip-morris-petition