Malware

Malicious Software

  • Gather information via keystrokes

  • Participate in a group controlled over the internet

  • Show you advertising, for big money, etc.

  • Viruses and worms; encrypt your data

Types of Malware

  • Viruses

  • Crypto-malware

  • Ransomware

  • Worms

  • Trojan Horse

  • Rootkit

  • Keylogger

  • Adware/Spyware

  • Botnets

These often work together. A worm takes advantage of a vulnerability and installs malware that includes a remote access backdoor. A bot may be installed later.

How malware gets in: your computer must run a program. Email link - do not click links. Web page pop-up. Drive-by download. Worm (self-installs). Your computer is vulnerable: operating system - keep the OS updated. Application - e.g. an Adobe Flash vulnerability in the application.

Virus

Malware that can reproduce itself. It does not need you to click anything, but it does need you to execute a program. Reproduces through file systems or the network. Just running a program can spread a virus. May or may not cause problems. Some viruses are invisible, some are annoying. Anti-virus is very common. Thousands of new viruses every week. Is your AV signature file updated?

Virus Types

  • Program viruses - it's part of the application

  • Boot sector viruses - who needs an OS?

  • Script viruses - operating system and browser-based

  • Macro viruses - common in Microsoft Office

Worms

  • Malware that self-replicates. Does not need you to do anything. Uses the network as a transmission medium. Self-propagates and spreads quickly.

  • Worms are pretty bad things. They can take over many systems very quickly.

  • Firewall and IDS/IPS can mitigate many worm infestations. They do not help much once the worm gets inside.

Example: WannaCry / WannaCrypt worm

An infected computer searches for vulnerable systems. The next vulnerable computer is exploited with EternalBlue. A backdoor is installed and downloads WannaCry. This process repeats for all hosts on the same network with the same vulnerabilities.

Your data is valuable. It can be your personal data (family pictures and videos, important documents) or your organization's data (planning documents, employee personally identifiable information (PII), financial information, company private data).

How much is it worth? There is a number.

Ransomware

The bad guys want your money. They will take your computer in the meantime. It may be a fake ransom - locks your computer "by the police". The ransom may be avoided. A security professional may be able to remove these kinds of malware.

Crypto-Malware

New generation of ransomware. Your data is unavailable until you provide cash. Malware encrypts your data files - pictures, documents, music, movies etc. Your OS remains available. They want you running, but not working. You must pay the bad guys to obtain the decryption key. Untraceable payment system. An unfortunate use of public-key cryptography.

Protecting against ransomware

Always have a backup - an offline backup ideally. Keep your operating system up to date. Patch those vulnerabilities. Keep your applications up to date via security patches. Keep your anti-virus/anti-malware signatures up to date. New attacks every hour. Keep everything up to date.

Trojan Horse

Used by the Greeks to capture Troy from the Trojans. A digital wooden horse. Software that pretends to be something else so it can conquer your computer. Does not really care much about replicating. Circumvents your existing security. Anti-virus may catch it when it runs. The better trojans are built to avoid and disable AV. Once it is inside it has free rein. And it may open the gates for other programs.

Backdoors

Why go through normal authentication methods? Just walk in the back door. Often placed on your computer through malware; some malware can take advantage of backdoors created by other malware. Some software includes a backdoor. An old Linux kernel included a backdoor. Bad software can have a backdoor as part of the app.

Remote Access Trojans (RATs)

Remote Administration Tool. The ultimate backdoor. Administrative control of a device. Malware installs the server/service/host. The bad guys connect with the client software. Control a device and do key logging, screen recording/screenshots, copy files, embed more malware.

DarkComet is an example of a RAT.

Protecting against trojans and RATs

Do not run unknown software. Keep anti-virus/anti-malware signatures updated. Always have a backup.

Rootkits

Originally a Unix technique. Modifies core system files - part of the kernel. Can be invisible to the operating system. Also invisible to traditional anti-virus utilities. If you cannot see it, you cannot stop it.

Kernel drivers

Zeus/Zbot malware - famous for cleaning out bank accounts. Now combined with the Necurs rootkit, which is a kernel-level driver. Necurs makes sure you cannot delete Zbot (Access denied). Trying to stop the Windows process? Error terminating process (Access denied).

Finding and removing rootkits

Look for the unusual - anti-malware scans. Use a remover specific to the rootkit, usually built after the rootkit is discovered. Secure Boot with UEFI - security in the BIOS.

Keyloggers

Your keystrokes contain valuable information - web site login URLs, passwords, email messages. Save all of your input - send it to the bad guys. Circumvents encryption protections - your keystrokes are in the clear. Other data logging - clipboard logging, screen logging, instant messaging, search engine queries.

Preventing keyloggers

Usually installed with malware - use anti-virus/anti-malware, keep your signatures updated. Block unauthorized communication - Block the exfiltration attempt, firewall rules / monitoring. Run a keylogging scanner - Checks for keylogging activity.

Adware

Your computer is one big advertisement - Pop-ups. May cause performance issues - especially over the network. Installed accidentally - may be included with other software installations. Be careful of software that claims to remove adware - especially if you learned about it from a pop-up.

Spyware

Malware that spies on you - Advertising, identity theft, affiliate fraud. Can trick you into installing - peer to peer, fake security software. Browser monitoring - capture surfing habits. Keyloggers - capture every keystroke, send it back to the mother ship.

Why is there so much adware and spyware?

Money - your personal data and your browsing and application activity are incredibly valuable. Your computer time and bandwidth are incredibly valuable. Your bank account is incredibly valuable.

Protecting against adware/spyware

  • Maintain your anti-virus / anti-malware

  • Always know what you are installing

  • Where is your backup?

  • Run some scans - Malwarebytes

Botnets

Robot networks - skynet is self-aware. Once your machine is infected, it becomes a bot, you may not even know. How does it get on your computer? Trojan Horse (I just saw a funny video of you! Click here). OR you run a program or click an ad you THOUGHT was legit, but... OR OS or application vulnerability. A day in the life of a bot - sit around. Check in with the mother ship. Wait for instructions.

ZeuS - a botnet for stealing money

The Looking Glass Threat Map is a great resource for viewing the status of cyber attacks globally.

https://map.lookingglasscyber.com/

A group of bots working together - nothing good can come from this. Distributed Denial of Service (DDoS). Botnets are for sale - rent time from the bad guys; not a long-term business proposition.

Stopping the bot

Prevent the initial infection - OS and application patches, Anti-virus / anti-malware and updated signatures. Identify an existing infection - on demand scans, network monitoring. Prevent command and control (C&C) - Block at the firewall, identify at the workstation with a host-based firewall or host-based IPS.
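The "check in with the mother ship" behaviour above is something network monitoring can look for. This added example (not from the original notes) flags regular beaconing in constructed outbound-connection log lines; the log format, addresses and thresholds are assumptions.

```python
"""Spot bot check-ins in outbound connection logs. A beaconing bot contacts
its C&C at a near-constant interval; normal browsing does not. The log
lines below are constructed for this demo, not captured from a real host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, one record per line: "timestamp src dst:port"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7:443
2024-03-01T10:00:12 10.0.0.5 203.0.113.9:80
2024-03-01T10:05:00 10.0.0.5 198.51.100.7:443
2024-03-01T10:07:41 10.0.0.5 203.0.113.22:443
2024-03-01T10:10:00 10.0.0.5 198.51.100.7:443
2024-03-01T10:11:03 10.0.0.5 203.0.113.9:80
2024-03-01T10:15:00 10.0.0.5 198.51.100.7:443
2024-03-01T10:20:00 10.0.0.5 198.51.100.7:443
"""

def parse_log(text):
    """Return {destination: [timestamps]} from the constructed log format."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst = line.split()
        by_dst[dst].append(datetime.fromisoformat(ts))
    return by_dst

def find_beacons(by_dst, min_hits=4, max_jitter=0.1):
    """Report destinations seen at least min_hits times whose connection
    intervals vary by no more than max_jitter (stddev / mean).
    Returns {destination: mean_interval_seconds}."""
    beacons = {}
    for dst, times in by_dst.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[dst] = avg
    return beacons

if __name__ == "__main__":
    for dst, period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible C&C beacon: {dst} every {period:.0f}s")
```

Real logs need a longer window and a per-source baseline, since legitimate agents (update checks, monitoring) also beacon; the hit is a lead for the host-based checks above, not a verdict.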

Logic Bomb

Waits for a predefined event - often left by someone with a grudge. Time bomb - time or date. User event - logic bomb. Difficult to identify, and difficult to recover from if it goes off.

Preventing a logic bomb

Difficult to recognize - each is unique and there are no predefined signatures. Process and procedures - formal change control. Electronic monitoring - alert on changes with host-based intrusion detection, Tripwire etc. Constant auditing - an administrator can circumvent existing systems.
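The electronic-monitoring step above (Tripwire-style change alerting), as an added example that is not from the original notes: it baselines file hashes and reports added, removed and changed files. The directory layout, file names and script contents are constructed for the demo.

```python
"""Minimal file-integrity check in the spirit of Tripwire: record a baseline
of file hashes, then report files that were added, removed or changed.
The files are built in a temp folder so the example runs offline."""
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root):
    """Return {relative_path: sha256} for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def compare(baseline, current):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed scenario: a scheduled script gains a date-triggered
    branch and a new script appears; both should be reported."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cron.d"))
        with open(os.path.join(root, "cron.d", "nightly.sh"), "w") as f:
            f.write("#!/bin/sh\nrun_backup\n")
        baseline = take_baseline(root)
        # Tamper after the baseline was taken (constructed, harmless text).
        with open(os.path.join(root, "cron.d", "nightly.sh"), "a") as f:
            f.write('[ "$(date +%m%d)" = 0401 ] && extra_task\n')
        with open(os.path.join(root, "cron.d", "helper.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        return compare(baseline, take_baseline(root))

if __name__ == "__main__":
    print(demo())
```

The baseline must be stored where the administrators being audited cannot rewrite it, otherwise the "administrator can circumvent existing systems" problem applies to the monitor itself.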

Next: Phishing