Friday, 22 February 2019 15:45

What’s the difference between antivirus and anti-malware?

(Source article was taken from: https://www.malwarebytes.com/antivirus/?utm_source=double-opt-in&utm_medium=email-internal-b2c&utm_campaign=EM-B2C-2019-March2-newsletter&utm_content=antivirusmixtape)

 

Antivirus

Antivirus and anti-malware. Both refer to cybersecurity software, but what do these terms mean, how do they differ, and how do they relate to today’s digital threats?

What’s the difference between antivirus and anti-malware?

For the most part, “antivirus” and “anti-malware” mean the same thing. They both refer to software designed to detect, protect against, and remove malicious software. Contrary to what the name might suggest, antivirus software protects against more than viruses; it just uses a slightly antiquated name to describe what it does. Anti-malware software is designed to protect against viruses too. Anti-malware just uses a more modern name that encompasses all kinds of malicious software, including viruses. That being said, anti-malware can stop a viral infection from happening and remove infected files. However, anti-malware isn’t necessarily equipped to restore files that have been changed or replaced by a virus. Both antivirus and anti-malware fall under the broader term “cybersecurity.”

What is cybersecurity?

Cybersecurity, or computer security, is a catchall term for any strategy for protecting one’s system from malicious attacks aimed at stealing money, personal information, system resources (cryptojacking, botnets), and a whole host of other bad things. The attack might occur on your hardware or software, or through social engineering.

Cybersecurity threats and their countermeasures are varied and nuanced nowadays, but the marketplace naturally strives for simplicity when communicating to consumers. This is why many people still see “viruses” as the biggest threat to their computer. In reality, viruses are just one type of cyberthreat that happened to be popular when computers were in their infancy. They’re far from the most common threat today, but the name stuck. It’s a bit like calling every disease a cold.

What is a computer virus?

A computer or PC virus is a piece of (usually) harmful software defined by two characteristics:

It needs to be initiated by an unsuspecting user. Triggering a virus can be as simple as opening a malicious email (malspam) attachment or launching an infected program. Once that happens, the virus tries to spread to other systems on the computer’s network or in the user’s list of contacts.

It must be self-replicating. If the software doesn’t self-replicate, it’s not a virus. This process of self-replication can happen by modifying or completely replacing other files on the user’s system. Either way, the resulting file must show the same behavior as the original virus.

Computer viruses have been around for decades. In theory, the origin of “self-reproducing automata” (i.e. viruses) dates back to an article published by mathematician and polymath John von Neumann in the late 1940s. Early viruses occurred on pre-personal computer platforms in the 1970s. However, the history of modern viruses begins with a program called Elk Cloner, which started infecting Apple II systems in 1982. Disseminated via infected floppy disks, the virus itself was harmless, but it spread to all disks attached to a system. It spread so quickly that most cybersecurity experts consider it the first large-scale computer virus outbreak in history.

Early viruses like Elk Cloner were mostly designed as pranks. Their creators were in it for notoriety and bragging rights. However, by the early 1990s, adolescent mischief had evolved into harmful intent. PC users experienced an onslaught of viruses designed to destroy data, slow down system resources, and log keystrokes (also known as a keylogger). The need for countermeasures led to the development of the first antivirus software programs.

Early antivirus programs were exclusively reactive. They could only detect infections after they took place. Moreover, the first antivirus programs identified viruses by the relatively primitive technique of looking for their signature characteristics. For example, they might know there’s a virus with a file name like “PCdestroy,” so if the antivirus program recognized that name, it would stop the threat. However, if the attacker changed the file name, the antivirus might not be as effective. While early antivirus software could also recognize specific digital fingerprints or patterns, such as code sequences in network traffic or known harmful instruction sequences, these programs were always playing catch-up.

Early antiviruses using signature-based strategies could easily detect known viruses, but they were unable to detect new attacks. Instead, a new virus had to be isolated and analyzed to determine its signature, and subsequently added to the list of known viruses. The antivirus user had to regularly download an ever-growing database file consisting of hundreds of thousands of signatures. Even so, new viruses that got out ahead of database updates left a significant percentage of devices unprotected. The result was a constant race to keep up with the evolving landscape of threats as new viruses were created and released into the wild.

 

Current status of computer viruses and antivirus programs

PC viruses today are more of a legacy threat than an ongoing risk to computer users. They’ve been around for decades and have not substantially changed. In fact, the last truly “new” virus that replicated itself through user interaction occurred in 2011 or 2012.

So if computer viruses aren’t really a thing anymore, why do people still call their threat protection software an antivirus program?

It boils down to entrenched name recognition. Viruses made sensational headlines in the 90s, and security companies began using it as shorthand for cyberthreats in general. Thus, the term “antivirus” was born. Decades later, many security firms still use the term “antivirus” to market their products. It’s become a vicious cycle. Consumers assume viruses are synonymous with cyberthreats, so companies call their cybersecurity products “antivirus” software, which leads consumers to think viruses are still the problem.

But here’s the thing. While “virus” and “antivirus” are not exactly anachronisms, modern cyberthreats are often much worse than their viral predecessors. They hide deeper in our computer systems and are more adept at evading detection. The quaint viruses of yesterday have given rise to an entire rogue’s gallery of advanced threats like spyware, rootkits, Trojans, exploits, and ransomware, to name a few.

As these new attack categories emerged and evolved beyond early viruses, antivirus companies continued their mission against these new threats. However, antivirus companies were unsure how to categorize themselves. Should they continue to market their products as an “antivirus” at the risk of sounding reductive? Should they market themselves under another “anti-threat” term, like “anti-spyware,” for example? Or was it better to take an all-inclusive approach, and combine everything in a single product line that addressed all threats? The answers to these questions depend on the antivirus company.

At Malwarebytes, cybersecurity is our highest-level catchall category. And that’s why it makes sense to combine our anti-threat effort into a single term that covers more than just viruses. Accordingly, the term we use to cover most of what we do is “anti-malware,” which is short for “anti-malicious software.”

If viruses aren’t as big of a threat anymore, why do I need cybersecurity?

Viruses are just one kind of malware. Though viruses still exist, there are other forms of malware that are more common these days. For example, here are several common threats that Malwarebytes can stop:

Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser, but sometimes within mobile apps as well. Typically, it either disguises itself as legitimate, or piggybacks on another program to trick you into installing it on your PC, tablet, or mobile device.

Spyware is malware that secretly observes the computer user’s activities without permission, then reports it to the software’s author.

A virus is malware that attaches to another program and, when triggered, replicates itself by modifying other computer programs and infecting them with its own bits of code.

Worms are a type of malware similar to viruses in that they spread, but they don’t require user interaction in order to trigger.

A Trojan, or Trojan horse, is more of a delivery method for infections rather than an infection itself. The Trojan represents itself as something useful in order to trick users into opening it. Trojan attacks can carry just about any form of malware, including viruses, spyware, and ransomware.

Ransomware is a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back. Ransomware has been called the cybercriminal’s weapon of choice, because it demands a profitable quick payment in hard-to-trace cryptocurrency. The code for a ransomware attack is easy to obtain through online criminal marketplaces, and defending against it is difficult.

A rootkit is malware that provides the attacker with administrator privileges on the infected system and actively hides from the normal computer user. Rootkits also hide from other software on the system—even from the operating system itself.

A keylogger is malware that records all the user’s keystrokes on the keyboard, typically storing the gathered information, and sending it to the attacker, who is seeking sensitive information like usernames and passwords, or credit card details.

Malicious cryptomining, also sometimes called drive-by mining or cryptojacking, is an increasingly prevalent form of malware or browser-based attack that is delivered through multiple attack methods, including malspam, drive-by downloads, and rogue apps and extensions. It allows someone else to use your computer’s CPU or GPU to mine cryptocurrency like Bitcoin or Monero. So instead of letting you cash in on your computer’s horsepower, the cryptominers send the collected coins into their own account—not yours. So, essentially, a malicious cryptominer is stealing your device’s resources to make money.

Exploits are a type of threat that takes advantage of bugs and vulnerabilities in a system in order to allow the exploit’s creator to deliver malware. Among other threats, exploits are linked to malvertising, an attack that uses malicious ads on mostly legitimate websites to deliver exploits. You needn’t even click on the ad to be affected—exploits and their accompanying malware can install themselves on your computer in a drive-by download. All you have to do is visit a good site on the wrong day.

 

How does anti-malware work?

The old-school method of signature-based threat detection is effective to a degree, but modern anti-malware also detects threats using newer methods that look for malicious behavior. To put it another way, signature-based detection is a bit like looking for a criminal’s fingerprints. It’s a great way to identify a threat, but only if you know what their fingerprints look like. Modern anti-malware takes detection a step further so it can identify threats it has never seen before. By analyzing a program’s structure and behavior, it can detect suspicious activity. Keeping with the analogy, it’s a bit like noticing that one person always hangs out in the same places as known criminals, and has a lock pick in his pocket.

This newer, more effective cybersecurity technology is called heuristic analysis. “Heuristics” is a term researchers coined for a strategy that detects threats by analyzing the program’s structure, its behavior, and other attributes.

Each time a heuristic anti-malware program scans an executable file, it scrutinizes the program’s overall structure, programming logic, and data. All the while, it looks for things like unusual instructions or junk code. In this way, it assesses the likelihood that the program contains malware.

What’s more, a big plus for heuristics is its ability to detect malware in files and boot records before the malware has a chance to run and infect your computer. In other words, heuristics-enabled anti-malware is proactive, not reactive. Some anti-malware products can also run the suspected malware in a sandbox, which is a controlled environment in which the security software can determine whether a program is safe to deploy or not. Running malware in a sandbox lets the anti-malware look at what the software does, the actions it performs, and whether it tries to hide itself or compromise your computer.

Another way heuristic analytics helps keep users safe is by analyzing web page characteristics in order to identify risky sites that might contain exploits. If it recognizes something fishy, it blocks the site.

In brief, signature-based antivirus is like a bouncer at the nightclub door, carrying a thick book of mug shots and booting anyone that matches. Heuristic analysis is the bouncer who looks for suspicious behavior, pats people down, and sends home the ones carrying a weapon.
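
The contrast between signature-based detection and heuristic analysis described above can be shown with a toy scanner. This is an added example, not code from the original article or from Malwarebytes; the byte pattern, thresholds, function names, and sample inputs are constructed assumptions, and only the “PCdestroy” file name comes from the text.

```python
import math
from collections import Counter

# Constructed signature database (illustrative values, not real indicators).
KNOWN_NAMES = {"pcdestroy"}                      # file-name signature from the text
KNOWN_PATTERNS = [b"\xde\xad\xbe\xef\x13\x37"]   # constructed byte-sequence signature

def signature_scan(name: str, data: bytes) -> bool:
    """Reactive check: flags only what is already in the database."""
    stem = name.lower().rsplit(".", 1)[0]
    return stem in KNOWN_NAMES or any(p in data for p in KNOWN_PATTERNS)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); high values suggest packing."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def longest_run(data: bytes, byte: int) -> int:
    """Longest run of a single byte value, e.g. x86 NOP (0x90) filler."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best

def heuristic_score(data: bytes) -> int:
    """Structure-based score; the thresholds are assumptions for illustration."""
    score = 0
    if entropy(data) > 7.0:             # content looks encrypted or packed
        score += 2
    if longest_run(data, 0x90) >= 32:   # long run of junk instructions
        score += 2
    return score

def verdict(name: str, data: bytes, threshold: int = 2) -> dict:
    """Run both checks so their blind spots can be compared side by side."""
    return {"signature": signature_scan(name, data),
            "heuristic": heuristic_score(data) >= threshold}

# Constructed, inert sample inputs (no executable content).
known = b"MZ" + b"\x00" * 64 + b"\xde\xad\xbe\xef\x13\x37" + b"\x90" * 40
variant = b"MZ" + b"\x00" * 64 + b"\xde\xad\xbe\xef\x13\x38" + b"\x90" * 40
benign = b"hello, this is an ordinary text document\n" * 8

if __name__ == "__main__":
    for name, data in [("PCdestroy.exe", known), ("invoice.exe", variant), ("notes.txt", benign)]:
        print(name, verdict(name, data))
```

The renamed variant is absent from the signature database and passes the signature check, yet its structure still trips the heuristic, which is the gap between reactive and proactive detection the article describes.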