Riskware covers legitimate programs (some of which are sold publicly and commonly used for legitimate purposes), which can cause damage when they fall into the hands of malicious users (and are used to delete, block, modify, or copy data, or disrupt the performance of computers or networks).

Programs in this class include remote administration utilities, IRC clients, dialer programs, file downloaders, software for monitoring computer activity, password management utilities, and numerous Internet server services such as FTP, web, proxy and telnet.

These programs are not malicious in themselves, although they do have functions that can be used for malicious purposes.

For example, a remote administration program such as WinVNC provides access to the interface of a remote computer, allowing that machine to be controlled or monitored from elsewhere. This is how its functions are described on the developer's official website:

VNC stands for Virtual Network Computing. It is remote control software which allows you to view and interact with one computer (the “server”) using a simple program (the “viewer”) on another computer anywhere on the Internet. The two computers don’t even have to be the same type, so for example you can use VNC to view an office Linux machine on your Windows PC at home. VNC is freely and publicly available and is in widespread active use by millions throughout industry, academia and privately.

This is a legitimate piece of software that is publicly available and a necessity for system administrators and other technical specialists.

However, in the hands of malicious users, this program is capable of damaging user data; our Virus Lab has recorded incidents in which WinVNC was secretly installed in order to obtain full remote access to someone else’s computer.

Another example is the mIRC utility. This is an IRC network client that is also a legitimate program:

mIRC is a shareware IRC client for Windows. It is developed and copyrighted by Khaled Mardam-Bey. mIRC is a highly configurable IRC client with all the goodies other clients on UNIX, Macintosh and even on Windows offer, combined with a *nice* and clean user interface. mIRC offers full color text lines, DCC File Send and Get capabilities, programmable aliases, a remote commands and events handler, place-sensitive popup menus, a great Switchbar, World Wide Web and sound support, and… a lot more. mIRC is shareware but not crippled in any way…

The extended features of mIRC can also be used by malicious users — our Virus Lab regularly identifies Trojan programs (backdoors, in particular) which use mIRC functions.

Any IRC backdoor is capable of writing its own scripts to the mIRC configuration file and delivering its malicious payload without the knowledge of the user. The mIRC user won't even suspect that a Trojan is running on his computer.

Often, malicious programs install the mIRC client themselves for later malicious use. In such cases, mIRC is usually saved to the Windows folder or one of its subfolders. If mIRC is detected in these folders, it almost always means that the computer has been infected with some type of malicious program.

By default, the option to detect Riskware is disabled in Kaspersky Lab products. However, the user can always enable this option. Our opinion is that the user should make his/her own decision.
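The two points above (a riskware binary found under the Windows folder is a strong infection indicator, while the same binary elsewhere is only reported if the user has opted in to riskware detection) can be turned into a simple triage routine. The following is an added example, not Kaspersky Lab code; the binary names, the behaviour labels and the sample file paths are assumptions constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Assumed mapping of well-known riskware executables to the behaviour
# names used on this page (hypothetical, for illustration only).
RISKWARE_BINARIES = {
    "mirc.exe": "Client-IRC",
    "winvnc.exe": "RemoteAdmin",
}


@dataclass
class Finding:
    path: str
    behaviour: str
    under_windows_dir: bool
    verdict: str  # "likely-infection", "riskware" or "ignored"


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, folder: str) -> bool:
    """True if `path` lies inside `folder` or any of its subfolders."""
    folder_prefix = _norm(folder).rstrip("\\") + "\\"
    return _norm(path).startswith(folder_prefix)


def classify(paths, windows_dir="C:\\Windows", detect_riskware=False):
    """Triage file paths the way the page describes.

    - A riskware binary under the Windows folder is almost always dropped
      by malware, so it is flagged as a likely infection regardless of
      the riskware setting.
    - Elsewhere it is reported as riskware only when detect_riskware is
      enabled, mirroring the default-off behaviour described above.
    """
    findings = []
    for path in paths:
        behaviour = RISKWARE_BINARIES.get(ntpath.basename(path).lower())
        if behaviour is None:
            continue  # not a known riskware binary
        under = is_under(path, windows_dir)
        if under:
            verdict = "likely-infection"
        elif detect_riskware:
            verdict = "riskware"
        else:
            verdict = "ignored"
        findings.append(Finding(path, behaviour, under, verdict))
    return findings


# Constructed sample inventory (not real scan output).
SAMPLE_PATHS = [
    "C:\\Program Files\\mIRC\\mirc.exe",          # user-installed client
    "C:\\Windows\\System32\\drivers\\mirc.exe",  # dropped by malware
    "C:\\Windows\\winvnc.exe",                    # dropped by malware
    "C:\\Users\\alice\\notes.txt",                # unrelated file
]


def verdicts(paths=SAMPLE_PATHS, detect_riskware=False):
    """Return (path, verdict) pairs for the given inventory."""
    return [(f.path, f.verdict) for f in classify(paths, detect_riskware=detect_riskware)]


if __name__ == "__main__":
    for path, verdict in verdicts():
        print(f"{verdict:17} {path}")
```

With the riskware option left at its default the user-installed copy under Program Files is ignored, while both copies under the Windows folder are still reported; enabling the option additionally reports the Program Files copy as riskware, leaving the final decision to the user.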

This class includes the following behaviours:

Client-IRC
Client-P2P
Client-SMTP
Dialer
Downloader
FraudTool
Monitor
NetTool
PSWTool
RemoteAdmin
RiskTool
Server-FTP
Server-Proxy
Server-Telnet
Server-Web
WebToolBar
