One of my pet peeves working in computer security has always been the use of emotive language. I have always felt that using highly emotive terms to discuss malware greatly adds to the already-considerable FUD (fear, uncertainty and doubt) that surrounds a lot of malware information. The FUD, in turn, leads users to think that this is a problem that is too big for them – too daunting, too scary – when that simply isn’t true.
Malware are computer programs just like other computer programs; what makes them different is that they have been created with the intent to benefit their author to the detriment of an affected user.
However, seeing as it’s that time of the year, I thought we’d take a look back at a few of the "terrifying" terms that have been used to describe malware over the years. Those of a piquish disposition should look away now and unplug your Ethernet cable. You have been warned.
- Virus. The original big bad. Once a useful metaphor to describe programs that replicate by infecting and utilizing a host file (similar in behavior to their biological namesake). These days, more often used as a catchall for any malicious program.
- Spyware. This would have to be my least favorite descriptor (and by saying ‘least favorite’, I'm really just being polite). Sure, you could say that the creation of a spyware category to describe the behavior of a set of programs that capture personally identifiable information and send it to a remote location was a necessary evil as the nature of online marketing became more insidious, and the value of personal data increased. Or you could say that the term was created and used indiscriminately by some software purveyors that sought to scare users into thinking that they needed to pay for additional protection beyond antivirus. Regardless, the term remains in use today (we detect some programs as spyware) but perhaps doesn't instill the same dread it did in the early days of grayware research.
- Scareware. Another term for rogue antivirus software. These programs display false and misleading malware infection alerts to scare users into paying to have these so-called infections removed. Not a bad descriptive term, really, when ultimately they're a set of programs that perform fraud via extortion via fear. I doubt these programs would have flourished if less fear had been used in marketing security software in the past (see above).
- Ransomware. Speaking of extortion, here's another class of programs that stop you from using your computer by either locking your screen or encrypting your files, and then asking for money to unlock your computer or decrypt your files. I don’t like this term as it smacks of sensationalism. However, it does describe what’s happening pretty well, as affected users’ computers are unusable until the ransom is paid. More recent examples of this class of program add additional incentive to hand over the money by masquerading as local law enforcement agencies and telling the user that they have been caught accessing illicit material online – the ransom becoming a fine.
- Browser Hijacker. Was using the term hijacker really necessary? Surely "redirector" would have sufficed. A browser hijacker (*sigh*) is a program that interferes with your Internet experience by directing your browser to places not of your choosing.
- Crimeware. A particularly unnecessary term that is used to describe malware that exists for the purposes of committing crime. We have another term for this behavior. It's "malware".
- Badware. Aren’t they all?
- Cocktail threat. OK, so this isn’t such a scary term, but one I always remember when I think of possibly inappropriate security terms. Also known as a ‘blended’ threat, or rather a threat that combines malware with vulnerability exploitation. It doesn’t scare me, but it does make me think of cool bars and tall drinks. Not really the glamorous image I generally associate with the world of AV Research. ;-)
Malware is bad, but FUD is worse. I hope I haven’t scared you too much with these gruesome details.
Hope you all have a safe and happy Halloween online.
Heather Goudey
MMPC Melbourne