023.3 Lesson 1
Certificate: Security Essentials
Version: 1.0
Topic: 023 Device and Storage Security
Objective: 023.3 Malware
Lesson: 1 of 1
Introduction
The term malware is a blend of the words mal-icious and soft-ware. It covers a wide range of software whose ultimate aim is to compromise a computer system or network: viruses, trojan horses, ransomware, adware, and so on. Most, if not all, of these types have subtypes of their own, and attacks are often at their most destructive when they combine several of them.
The motives behind malware are diverse, ranging from pranks and activism to espionage, cyber theft, and other serious crimes. In any case, the vast majority of malware is designed to make money unethically and illegally. Malware can enter your computer or network in many ways: file downloads, email messages with suspicious attachments or links, or a visit to a compromised website, to name just a few.
This lesson discusses the underlying principles of the different types of malware (their modus operandi), the extent of the harm they can cause, and how to protect your machines against them.
Common Types of Malware
The following subsections present some of the most common types of malware.
Viruses
Biological and computer viruses alike need a host to cause harm. A computer virus is a piece of malicious executable code that attaches itself to a host file (a program or a document) on your computer and is able to propagate itself. One common propagation route is email: the virus mails a copy of the infected file to every contact in the victim's address book. To cause damage, though, a virus needs human intervention: only when an unsuspecting user runs the infected host file does the virus replicate, modifying other programs or spreading to other computers and potentially infecting an entire network.
The harm caused by viruses can be devastating, since they are typically designed to do things such as flooding a network with traffic, corrupting programs, or deleting files (or even wiping an entire hard drive).
Note: Unlike viruses, worms need neither an infected host file nor human intervention to propagate. They are standalone, self-replicating malware that spreads on its own, typically by exploiting vulnerabilities in network services.
Ransomware
As its name suggests, this type of malware holds the user's information hostage. Typically, ransomware restricts the user's access to certain files (or parts of the computer) until a ransom is paid. Unlike virus authors, the criminals behind a ransomware attack make themselves known to the victim: they explain what has happened and the steps to follow to recover the lost information.
Ransomware usually combines symmetric and public-key cryptography. Each file is encrypted with a fast symmetric cipher, and the symmetric key is then encrypted with the attacker's public key; only the attacker's private key can recover it, so the files become inaccessible to their legitimate owners. The victim receives a message with instructions on how to pay the ransom, and the attackers promise to hand over the key only once payment is made (a promise they do not always keep). As with viruses, ransomware can quickly escalate and bring down entire organizations by spreading across networks and targeting file and database servers.
Note: To protect their identity, ransomware criminals normally demand payment in a cryptocurrency (e.g., Bitcoin).
Cryptominers / Cryptojacking
Malicious cryptominers hijack the victim's CPU (or GPU) cycles to mine cryptocurrency for the attacker. Because they run in the background, they can be hard to detect. The software secretly installs itself on your device (or runs inside your web browser) and starts mining. Although the mining itself goes unnoticed, victims usually report increased fan activity or other signs of heavy processor load, such as overheating or reduced performance.
Rootkits and Remote Access
A rootkit is malware intended to give criminals remote access to and control over a machine while remaining unnoticed by the victim. Rootkits normally come bundled with tools for stealing passwords as well as banking or personal information. Hence the name: root (the attacker obtains root, i.e., administrator, access) and kit (a set of tools).
Different kinds of rootkits target different parts of the computer: the kernel, applications, firmware, the boot process (bootkits), or even memory only (memory-resident rootkits that leave no trace on disk).
Spyware
Spyware is a general term for any malware designed to monitor your computer activity and, more often than not, steal personal or confidential information: credentials, payment details, browsing history, and so on. Typical kinds of spyware include adware, keyloggers, and camera and microphone hijackers.
Adware
Adware usually lives in the web browser and is designed to bombard your screen with advertisements. More sophisticated adware spies on your online behaviour so that it can target you with specific ads. To trick you into installing it, adware may pose as legitimate software; it can also be installed through a web browser vulnerability.
Once installed, adware typically gives itself away through signs such as these: new toolbars appear in your browser, links redirect you to sites you did not ask for, your browser becomes slower, your browser's home page changes, and so on.
Keylogging
The term keylogging is self-explanatory: a keylogger is malware that records keystrokes to a file, which is then sent to a third party over the internet. Criminals can seriously harm the victim by intercepting sensitive information such as passwords, PIN codes, or bank account numbers.
The whole point of keyloggers is to go unnoticed to the victim’s eyes so as to avoid being detected before the harm is done.
Note: Keyloggers can be hardware-based as well as software-based, and they are also sold as legitimate monitoring tools.
Camera and Microphone Hijacking
This kind of hijacking malware gains unauthorized access to your microphones and cameras (built-in and external alike), so that your image and conversations can be recorded without your consent. The consequences can be very nasty: sensitive data is intercepted through audio recordings, videos are recorded and sold to shady websites, and so on.
Trojan Horses
According to Homer's Odyssey and Virgil's Aeneid, the Greeks won the Trojan War through cunning and deception: instead of tearing down the walls of Troy, they built a giant wooden horse and left it at the city gates. The gullible Trojans brought the horse inside and discovered, too late, that Greek soldiers had been hidden in it all along. By analogy, a Trojan horse (or simply a trojan) is malware that travels undetected under the cover of legitimate software or content, such as video or audio files (or any other kind of content). In fact, rather than a malware type in its own right, a trojan is best understood as a general-purpose delivery strategy for whatever malware the criminals want to plant (viruses, worms, ransomware, etc.).
Common Methods Used by Cybercriminals to Wreak Havoc
The following subsections present two methods used by cybercriminals to carry out or deploy some, if not all, of the malware types described in the previous sections.
Backdoors
A backdoor is a way of accessing a computer system that bypasses its normal authentication and access controls (much as people sometimes use a real back door to enter a building unseen). In other words, an intruder gets into the system while avoiding its security measures. Are backdoors created deliberately, or do they arise by accident? Both; let us have a look.
First, bear in mind that software in general, and remote-access software in particular, has vulnerabilities, and cybercriminals work hard to find so-called zero-day vulnerabilities. The name refers to the fact that the vendor has had zero days to fix the flaw: when the attack is discovered, there is no patch or workaround yet, which makes these vulnerabilities especially dangerous. Thus, a network service inadvertently left exposed on an open port could, if discovered, serve as a backdoor for intruders.
Second, cybercriminals may create a backdoor themselves. They could use social engineering, for instance, to convince the victim to install an apparently useful piece of software that actually contains malware that establishes the backdoor (for example, by opening a tunnel between the attacker's computer and the victim's).
Last but not least, manufacturers and developers themselves sometimes place backdoors in their products for a variety of reasons (one of them being guaranteed access to the system at any time!).
Among the most common uses of backdoors are the following:
- Delivery of malware: trojans, keyloggers, etc.
- Spying, i.e., stealing sensitive information, which can lead to identity theft, fraudulent transactions, etc.
- Hijacking servers
- Defacing websites
Note: Website defacement (or web defacement) is an attack on a website in which the criminals replace part of its content with their own (e.g., the home page is replaced by a message saying “This Site Has Been Hacked”).
Data Exfiltration
Data exfiltration is any unauthorized transfer of data out of an information system. One common form abuses the DNS protocol (DNS tunnelling): because almost every network lets DNS queries out, the malware hides data and commands inside the names it looks up, and the local DNS resolver dutifully forwards those queries to a name server the attacker controls. In such a scenario, the steps are as follows:
- A phishing attack is carried out: an email message is sent containing a piece of malware embedded in a document.
- The victim opens the attachment. The malicious code runs and sets up a command-and-control channel that uses ordinary DNS queries, forwarded by the DNS resolver.
- The malware searches the system (and possibly the network) for confidential data. The data is encoded into DNS queries (typically as long subdomain labels) and thereby sent to the external server.
Note: DNS stands for Domain Name System and plays a very important role on the internet, as it is in charge of translating hostnames into IP addresses.
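The detection side of the scenario above, as an added example that is not part of the original lesson: a Python script that looks for DNS-tunnelling traffic in a resolver query log. Encoded data hidden in DNS names shows up as long, high-entropy labels and as many distinct subdomains under one registered domain, so those are the signals scored. The log format (epoch time, client IP, queried name, record type) and the sample lines are constructed for this example, and the "last two labels = registered domain" rule is a simplification (real tools consult the Public Suffix List).

```python
"""Heuristic detector for DNS tunnelling / exfiltration in a query log.

Added example, not part of the lesson. The log format below (epoch,
client IP, query name, record type) and the sample lines are constructed.
"""
import math
from collections import defaultdict

# Constructed sample: normal browsing by 10.0.0.5 and a tunnel from 10.0.0.7.
# Each tunnel label carries 32 hex characters of "data"; each is a permutation
# of the 16 hex digits repeated twice, so its entropy is exactly 4 bits/char.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 3f1a9c0e7b2d84655f0e3d9c2b7a1846.t.attacker-example.net TXT
1700000002 10.0.0.7 7a1b0c2d9e3f4856a6b5c4d3e2f10987.t.attacker-example.net TXT
1700000003 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.attacker-example.net TXT
1700000004 10.0.0.7 9d8c7b6a5f4e31201b0a9f8e7d6c5432.t.attacker-example.net TXT
1700000005 10.0.0.5 cdn.example.com A
1700000006 10.0.0.5 example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain, registered domain).

    Simplification: the registered domain is taken to be the last two
    labels. Real tools consult the Public Suffix List (e.g. for "co.uk").
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse 'epoch client qname qtype' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        epoch, client, qname, qtype = parts
        records.append((int(epoch), client, qname, qtype))
    return records


def find_tunnelling(records, min_queries=3, min_label_len=20, min_entropy=3.0):
    """Return {registered_domain: evidence} for domains that look like tunnels.

    A domain is flagged when it receives at least `min_queries` distinct
    subdomain lookups whose longest label averages at least `min_label_len`
    characters and whose average entropy reaches `min_entropy` bits/char.
    """
    per_domain = defaultdict(list)
    for _epoch, client, qname, qtype in records:
        sub, reg = split_name(qname)
        if sub:  # bare lookups of the registered domain carry no data
            per_domain[reg].append((sub, qtype, client))

    findings = {}
    for reg, entries in per_domain.items():
        distinct = {sub for sub, _, _ in entries}
        longest = [max(sub.split("."), key=len) for sub in distinct]
        avg_len = sum(len(label) for label in longest) / len(longest)
        avg_entropy = sum(shannon_entropy(label) for label in longest) / len(longest)
        if (len(distinct) >= min_queries and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            findings[reg] = {
                "queries": len(entries),
                "distinct_subdomains": len(distinct),
                "avg_longest_label_len": round(avg_len, 1),
                "avg_label_entropy": round(avg_entropy, 2),
                "clients": sorted({c for _, _, c in entries}),
                "record_types": sorted({q for _, q, _ in entries}),
            }
    return findings


if __name__ == "__main__":
    for domain, evidence in find_tunnelling(parse_log(SAMPLE_LOG)).items():
        print(f"SUSPECT {domain}: {evidence}")
```

Run against the constructed log, only attacker-example.net is reported; the ordinary lookups under example.com are distinct but short and therefore pass. The thresholds are starting points to tune against a baseline of your own traffic: legitimate CDNs and anti-spam services also generate long, random-looking names, so in practice the finding is a lead for an analyst, not an automatic block.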
How Malware Enters a Computer and What to Do to Protect Against It
As we have already seen, malware can reach your machine in many ways: when a user clicks on a link in a deceptive email message or website pop-up, opens an attachment, inserts a USB drive, and so on. Cryptominers, for instance, can also be delivered simply by visiting a website: malicious JavaScript embedded in the page makes every visiting browser start mining. Likewise, viruses and other types of malware can disguise themselves as copies of legitimate system files in order to evade detection.
Trojans are normally delivered through some kind of social engineering. Typically, the victim receives a phishing email with an attachment containing the malicious code; as soon as they open it, the payload runs.
Note: Social engineering is a catch-all term for illegitimate social practices used to obtain confidential information. Phishing is a social engineering technique in which an attacker sends a spoofed email message to the victim to trick them into revealing confidential or sensitive information. Within phishing we find more specific attacks such as spear phishing (targeted at a particular individual) and whaling (targeted at high-ranking people within a company).
There are several ways to protect against malware:
- Use antivirus and antimalware software (scanners, etc.).
- Keep all software (antimalware and otherwise) updated at all times.
- Limit data access (least privilege: users and programs get only the access they need).
- Run untrusted programs in a virtual environment (sandboxing).
- Scan emails and attachments for malware.
- Do not download or install executable files from untrusted sources.
- Watch for signs of phishing email (odd domain names, grammatical errors, typos, etc.).
- Back up devices and important data regularly, and keep at least one copy offline so that ransomware cannot encrypt it too.
- Strengthen your authentication systems (e.g., with multifactor authentication).
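"Odd domain names" is the phishing sign that can be checked mechanically. The following Python script, an added example that is not part of the original lesson, takes the sender domain from a From: header and compares it with a list of domains you trust, catching three tricks: a trusted brand name buried in a longer domain, look-alike characters (0 for o, rn for m, Cyrillic letters), and one- or two-character typos. The trusted list, the confusable table and the sample headers are constructed for the example; taking the last two labels as the registered domain is a simplification (the Public Suffix List handles cases such as "co.uk").

```python
"""Spot sender domains that imitate a domain you trust.

Added example, not part of the lesson. TRUSTED, CONFUSABLES and
SAMPLE_HEADERS are constructed for the example.
"""
import re

# Domains the organisation considers legitimate (constructed list).
TRUSTED = {"paypal.com", "microsoft.com", "examplebank.com"}

# Sequences attackers swap in because they look alike on screen.
# Multi-character entries come first so "rn" is repaired before "1" -> "l".
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("|", "l"),
    ("\u0430", "a"), ("\u043e", "o"), ("\u0435", "e"),  # Cyrillic а, о, е
]


def normalise(domain: str) -> str:
    """Lower-case a domain and undo the common look-alike substitutions."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Extract the domain part of a From: header value, or None if absent."""
    match = re.search(r"<([^<>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify(domain: str, trusted=TRUSTED, max_distance=2):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted", "exact match"
    registered = ".".join(domain.split(".")[-2:])  # simplification, see lead-in
    # 1. A trusted brand name used as a subdomain or inside another label,
    #    e.g. paypal.com.login-secure.example or paypal-verify.net.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in domain:
            return "lookalike", f"contains trusted name {brand!r} but is not {t}"
    # 2. Look-alike characters and small typos in the registered domain.
    norm = normalise(registered)
    for t in trusted:
        dist = levenshtein(norm, normalise(t))
        if dist <= max_distance:
            return "lookalike", f"{registered} is {dist} edit(s) from {t} after normalisation"
    return "unknown", "no trusted domain resembles it"


def check_headers(headers):
    """Classify From: header values; returns [(domain, verdict, reason)]."""
    results = []
    for header in headers:
        domain = sender_domain(header)
        if domain is None:
            results.append((None, "unknown", "no address found"))
            continue
        verdict, reason = classify(domain)
        results.append((domain, verdict, reason))
    return results


# Constructed sample headers for the example.
SAMPLE_HEADERS = [
    "PayPal <service@paypal.com>",
    "PayPal Security <alerts@paypa1.com>",
    "Microsoft Account Team <no-reply@rnicrosoft.com>",
    "Online Banking <secure@examplebank.com.login-verify.example>",
    "A friend <pat@gmail.com>",
]

if __name__ == "__main__":
    for domain, verdict, reason in check_headers(SAMPLE_HEADERS):
        print(f"{verdict:9} {domain}: {reason}")
```

The "unknown" verdict is deliberate: a domain that resembles nothing on the list is not automatically safe, it simply cannot be judged by this check, which is why it complements rather than replaces the other signs listed above (and why the sender address alone is never proof, since the display name and the envelope can be forged).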
Note: The Linux kernel includes a built-in packet filter (netfilter), configured with iptables or its successor nftables, and some distributions ship user-friendly front-ends to it (Ubuntu includes Gufw, for example). Likewise, nmap (a network scanner) is available in the repositories of all major GNU/Linux distributions and can be used to audit which ports and services a host exposes, so that unintended openings are closed before malware finds them. Many other anti-malware solutions exist for Linux, but they are outside the scope of this lesson.
Guided Exercises
- Consider the following symptoms and indicate which malware type they most likely belong to:
  Symptom / Malware type
  - Your computer is overheating when you are simply surfing the web.
  - You notice a new toolbar on your browser that you have not installed.
  - An email message that you have not written gets sent to everyone in your address book.
  - You cannot access your files because they have been encrypted.
  - You find unauthorized photos of yourself on the web.
- Indicate whether the following actions are risky practices or protective measures:
  Action / Risky practice or protective measure?
  - Limit data access
  - Install an executable file from an untrusted source
  - Click on a pop-up window
  - Install the latest system updates
  - Insert a suspicious USB key into your computer
  - Do backups on a regular basis
  - Send your credit card information via email
- In what type of attack do you receive a fraudulent email message that appears to come from a trusted source (your bank, social media, relatives or acquaintances, a superior in your company)?
- What term defines malware that passes itself off as legitimate software (or content)?
- What type of malware covertly records the keys that you press on your keyboard?
Explorational Exercises
- Suppose your device's microphone has been hijacked and the cybercriminals intercept some personal information about you. How could they use this information to gain access to your online services?
- Signature-based detection is used by antivirus software to identify malware. What do we mean by the terms virus signature or virus definition?
- Search the web for the following terms and explain their meaning:
  - Two-Factor (or Multifactor) Authentication:
  - Botnet:
Summary
In this lesson, you learned about what malware is, the various types of malware, and how they operate. You also explored the different ways malware can infiltrate your computer and how to effectively protect your system from malware attacks.
Answers to Guided Exercises
- Consider the following symptoms and indicate which malware type they most likely belong to:
  - Your computer is overheating when you are simply surfing the web: Cryptomining
  - You notice a new toolbar on your browser that you have not installed: Adware
  - An email message that you have not written gets sent to everyone in your address book: Virus
  - You cannot access your files because they have been encrypted: Ransomware
  - You find unauthorized photos of yourself on the web: Camera hijacking
- Indicate whether the following actions are risky practices or protective measures:
  - Limit data access: Protective measure
  - Install an executable file from an untrusted source: Risky practice
  - Click on a pop-up window: Risky practice
  - Install the latest system updates: Protective measure
  - Insert a suspicious USB key into your computer: Risky practice
  - Do backups on a regular basis: Protective measure
  - Send your credit card information via email: Risky practice
- In what type of attack do you receive a fraudulent email message that appears to come from a trusted source (your bank, social media, relatives or acquaintances, a superior in your company)?
  Phishing attack
- What term defines malware that passes itself off as legitimate software (or content)?
  Trojan horses
- What type of malware covertly records the keys that you press on your keyboard?
  Keyloggers
Answers to Explorational Exercises
- Suppose your device's microphone has been hijacked and the cybercriminals intercept some personal information about you. How could they use this information to gain access to your online services?
  Remember that some online services rely on security questions in case you have forgotten your password. Criminals who have overheard the answers could therefore log in to your account by correctly answering questions such as your pet's name or the colour of your eyes.
- Signature-based detection is used by antivirus software to identify malware. What do we mean by the terms virus signature or virus definition?
  A virus signature or virus definition is the malware's fingerprint: a set of unique data (for example, a cryptographic hash of the whole file, or a characteristic sequence of bytes inside it) that allows antivirus software to identify it.
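To make the notion of a signature concrete, here is a minimal signature-based scanner in Python, added as an example that is not part of the original lesson. It ships two kinds of definition: a whole-file SHA-256 hash and a byte pattern. The only sample it knows is the EICAR test string, a harmless 68-byte file that antivirus vendors agree to detect precisely so that scanners can be tested safely; the directory layout and file names it creates are constructed for the demo.

```python
"""Minimal signature-based file scanner.

Added example, not part of the lesson. Demonstrates hash signatures
(exact SHA-256 of a known file) and byte-pattern signatures using the
harmless EICAR test string. File names and directory layout are constructed.
"""
import hashlib
import os
import tempfile

# The 68-byte EICAR test file (raw bytes: the backslash is part of the data).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Hash signatures: exact SHA-256 of a known-bad file. This is the published
# SHA-256 of the EICAR file; a real engine receives such values in its updates.
HASH_SIGNATURES = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f": "EICAR-Test-File",
}

# Pattern signatures: a byte sequence characteristic of a family. These survive
# small changes to the file that would defeat a whole-file hash.
PATTERN_SIGNATURES = [
    (b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$", "EICAR-Test-File"),
]


def scan_bytes(data: bytes):
    """Return the list of detection names for `data` (empty if clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(f"{HASH_SIGNATURES[digest]} [sha256]")
    for pattern, name in PATTERN_SIGNATURES:
        if pattern in data:
            hits.append(f"{name} [pattern]")
    return hits


def scan_tree(root: str):
    """Walk `root` and return {path: detections} for infected files only."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it (a real scanner would log this)
            hits = scan_bytes(data)
            if hits:
                report[path] = hits
    return report


def run_demo():
    """Create a constructed directory (one clean file, one EICAR file) and scan it.

    Returns {basename: detections} so the result does not depend on the
    temporary path chosen by the operating system.
    """
    root = tempfile.mkdtemp(prefix="sigscan-")
    os.makedirs(os.path.join(root, "downloads"))
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Just a harmless text file.\n")
    with open(os.path.join(root, "downloads", "eicar.com"), "wb") as fh:
        fh.write(EICAR)
    report = scan_tree(root)
    return {os.path.basename(path): hits for path, hits in report.items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"INFECTED {name}: {', '.join(hits)}")
```

The two signature kinds illustrate the limits of the technique: append a single byte to the EICAR file and the hash no longer matches, while the byte pattern still does; change the pattern itself (as polymorphic malware does on every copy) and the scanner is blind until a new definition arrives. That is why the lesson pairs scanners with updates, sandboxing and backups rather than relying on any one of them.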
- Search the web for the following terms and explain their meaning:
  - Two-Factor (or Multifactor) Authentication: Two-Factor Authentication (2FA) and Multifactor Authentication (MFA) add extra layers of security to user accounts by requiring a second proof of identity (such as a one-time code or a hardware token) in addition to the password.
  - Botnet: A botnet is a network of infected computers (“bots”) controlled remotely by an attacker and used to perform large-scale attacks such as Distributed Denial-of-Service (DDoS).