MALWARE
• Malicious software, or malware, has become a serious problem in today’s
network environment.
• Malware is software designed to harm a user’s computer or data.
• As a security professional, you must recognize malicious code and know
how to respond appropriately.
• The most serious malware typically takes advantage of system
vulnerabilities, which makes it more dangerous and enables it to
spread more effectively.
• Threats that combine several malware techniques (for example, a worm that
spreads by exploiting a vulnerability and then drops a Trojan payload) are
known as blended threats.
• Endpoint protection technologies defend against malware by identifying
and remediating security threats.
• Such software often provides a first line of defence by identifying that a
machine has been targeted or compromised.
• Symptoms of infection include unexpected system behaviour and
system instability.
• To determine whether a system has been infected, examine
the following critical areas:
▪ Memory: After malware is executed, it might reside in memory. Tools
such as Windows Task Manager and Activity Monitor for Macs provide
insight into all running processes in memory and can help identify rogue
processes.
▪ Registry: The Windows registry holds system settings that malware
often targets. In particular, several registry keys (such as the Run and
RunOnce keys) list programs that start automatically at logon. Malware
uses these entries to ensure that its executables run each time the
computer starts up.
▪ Macros: Office applications such as Microsoft Word can automate
procedures through macros. Malware abuses the same mechanism: a
malicious macro runs its instructions as soon as the document is opened
(or as soon as the user enables content).
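As an added example (written for this page, not taken from it), the following Python script audits the registry autostart entries described above. It parses a registry export in .reg format instead of reading a live registry, so it runs on any platform; the export text is constructed for illustration, and the indicator rules (user-writable paths, encoded PowerShell, script hosts, system binary names outside System32) are this example's own assumptions rather than a complete list.

```python
import re
from pathlib import PureWindowsPath

# Autostart keys the text refers to: values here launch at logon.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# Constructed .reg export for illustration (a real one comes from
# `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Helper"="powershell.exe -nop -w hidden -enc SQBFAFgA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Indicator rules (assumptions of this example, not an exhaustive list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
ENCODED_PS = re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|regsvr32|rundll32)(\.exe)?\b", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def unescape(value):
    # .reg string values escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", value)


def executable_of(command):
    """Return the program path at the start of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def parse_autostarts(reg_text):
    """Yield (key, name, command) for every value under an autostart key."""
    current = None
    for line in reg_text.splitlines():
        if m := KEY_LINE.match(line):
            current = m.group(1)
        elif current in RUN_KEYS and (m := VALUE_LINE.match(line)):
            yield current, m.group(1), unescape(m.group(2))


def assess(command):
    """Return the list of indicators that make an autostart command suspicious."""
    reasons = []
    exe = executable_of(command)
    if USER_WRITABLE.search(exe):
        reasons.append("runs from a user-writable directory")
    if ENCODED_PS.search(command):
        reasons.append("encoded PowerShell command line")
    if SCRIPT_HOST.search(command):
        reasons.append("launches through a script host or LOLBin")
    if PureWindowsPath(exe).name.lower() in SYSTEM_NAMES and \
            "\\windows\\system32\\" not in exe.lower():
        reasons.append("system binary name outside System32")
    return reasons


def audit(reg_text):
    """Return the flagged autostart entries together with their indicators."""
    return [
        {"key": key, "name": name, "command": command, "reasons": reasons}
        for key, name, command in parse_autostarts(reg_text)
        if (reasons := assess(command))
    ]


if __name__ == "__main__":
    for entry in audit(SAMPLE_REG):
        print(f"{entry['name']}: {entry['command']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Against the sample export the OneDrive entry passes, while the entry masquerading as svchost.exe in a roaming profile directory and the hidden, encoded PowerShell launcher are both reported. The same checks apply to the other autostart locations (services, scheduled tasks, Winlogon and shell extension keys), which a full audit should cover as well.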
Viruses
• A virus is a program or piece of code that runs on a computer, often
without the user’s knowledge and certainly without the user’s
consent.
• Viruses are designed to attach themselves to other code and
replicate.
• A virus replicates when an infected file executes or launches.
• It then attaches to other files, adds its code to the application’s code,
and continues to spread.
• Even a simple virus is dangerous because it can consume all available
resources and bring the system to a halt.
• Viruses infect other machines only if a user on another machine
accesses an infected object and launches the code.
• Viruses are classified and subclassified in several ways. The following
classifications are based on how a virus lives in a system:
▪ Resident virus: This type of virus installs itself in memory and remains
active after its host program exits; it is reloaded whenever an infected
program runs and infects other files as specific actions (such as opening or
executing a file) occur.
▪ Non-resident virus: Once executed, this type of virus searches for targets
(locally and sometimes across the network), infects them, and then exits
without staying in memory.
▪ Boot sector virus: This type of virus is placed into the first sector of the hard
drive so that when the computer boots, the virus loads into memory. As a
result, the virus loads before the operating system even starts.
▪ Macro virus: This type of virus is inserted into a Microsoft Office document
and emailed to unsuspecting users. A macro virus uses the macro language
and executes when the document opens.
• Viruses exhibit several potential characteristics that further define their
classifications:
▪ Program- and file-infecting virus: The virus infects executable
program files and becomes active in memory. It then seeks out other
files to infect. This type of virus is easily identified by its binary pattern,
or signature, which works essentially like a fingerprint.
▪ Polymorphic virus: A polymorphic virus changes its form, and therefore its
signature, each time it replicates in order to avoid detection, typically by
encrypting its body with a different key and mutating the decryption
routine. Because no fixed byte pattern exists, such viruses are identified
by heuristic scanning, which examines what the code does (for example, by
emulating it) rather than matching a signature.
▪ Armored virus: As the name suggests, armored viruses go one step further by
making it difficult to analyze functions, creating a metaphorical layer of armor
around the virus. In addition to seeking to defeat heuristic countermeasures, they
try to prevent disassembly and debugging.
▪ Stealth virus: This memory-resident virus also uses techniques to avoid detection,
such as temporarily removing itself from an infected file or masking a file’s size.
▪ Multipartite virus: A multipartite virus infects executable files and also attacks the
master boot record of the system.
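To make the signature-versus-heuristic distinction concrete, here is an added example written for this page; it is not taken from any real virus or scanner. It uses a toy "decryptor" language of three byte operations: the generator encrypts a constructed payload behind a fresh random decryptor each time, and the scanner either matches a fixed byte signature or emulates the decryptor and scans what it produces. The opcodes, payload and signature are inventions of the example.

```python
import random

# Constructed payload and the byte pattern a signature-based scanner keys on.
PAYLOAD = b"TOY-VIRUS-BODY: open host file; append self; run original entry point"
SIGNATURE = b"append self; run original"

# Toy decryptor language: each instruction is (opcode, operand); END terminates.
NOP, XOR, ADD, ROL, END = 0x00, 0x01, 0x02, 0x03, 0xFF


def rol(b, r):
    return ((b << r) | (b >> (8 - r))) & 0xFF


def ror(b, r):
    return ((b >> r) | (b << (8 - r))) & 0xFF


def apply_op(b, op, k):
    """Execute one decryptor instruction on one byte (NOP is junk padding)."""
    if op == XOR:
        return b ^ k
    if op == ADD:
        return (b + k) & 0xFF
    if op == ROL:
        return rol(b, k)
    return b


def invert_op(b, op, k):
    """Undo one decryptor instruction; the generator uses this to encrypt."""
    if op == XOR:
        return b ^ k
    if op == ADD:
        return (b - k) & 0xFF
    if op == ROL:
        return ror(b, k)
    return b


def signature_scan(sample):
    """Classic signature detection: look for the known byte pattern."""
    return SIGNATURE in sample


def make_variant(payload, rng):
    """Polymorphic generation: a new random decryptor plus a body encrypted to match."""
    while True:
        ops = []
        for _ in range(rng.randint(2, 5)):
            op = rng.choice([XOR, ADD, ROL])
            ops.append((op, rng.randint(1, 7) if op == ROL else rng.randint(1, 255)))
            if rng.random() < 0.5:                # sprinkle junk instructions
                ops.append((NOP, rng.randint(0, 255)))
        body = bytearray(payload)
        for op, k in reversed(ops):               # encrypt = inverse ops, reversed
            body = bytearray(invert_op(b, op, k) for b in body)
        stub = b"".join(bytes([op, k]) for op, k in ops) + bytes([END, 0])
        variant = stub + bytes(body)
        if not signature_scan(variant):           # engine checks the body is hidden
            return variant


def emulate_and_scan(sample):
    """Heuristic detection: recognise a decryptor, run it, scan the result."""
    ops, i = [], 0
    while i + 1 < len(sample) and sample[i] != END:
        op, k = sample[i], sample[i + 1]
        if op not in (NOP, XOR, ADD, ROL):
            return signature_scan(sample)           # no decryptor: plain scan
        ops.append((op, k))
        i += 2
    if i + 1 >= len(sample):
        return signature_scan(sample)
    body = sample[i + 2:]
    for op, k in ops:
        body = bytes(apply_op(b, op, k) for b in body)
    return signature_scan(body)


def build_variants(n, seed=7):
    rng = random.Random(seed)
    return [make_variant(PAYLOAD, rng) for _ in range(n)]


if __name__ == "__main__":
    variants = build_variants(20)
    print("signature hits:", sum(map(signature_scan, variants)), "/", len(variants))
    print("heuristic hits:", sum(map(emulate_and_scan, variants)), "/", len(variants))
```

Every generated variant has a different decryptor and a different encrypted body, so the signature scanner misses all of them, while the emulating scanner decodes each one and finds the same body every time. Real engines face the same trade-off at scale: emulation costs far more than pattern matching, and an armored virus tries to detect or break the emulator.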
Worms
• Worms are similar in function and behaviour to viruses, with one
important difference: a worm is a standalone program that spreads on its
own and needs neither a host file nor user action.
• A worm is built to take advantage of a security hole in an existing
application or operating system, find other systems running the same
software, and automatically copy itself to each new host.
• This process repeats and needs no user intervention.
• Once the worm is running on a system, it typically checks for network
connectivity and begins looking for new targets.
• Common methods of replicating include spreading through email,
through a network, and over the Internet.
Trojan
• Trojans, or Trojan horses, are programs disguised as useful
applications.
• Trojans do not replicate themselves as viruses do, but they can be
just as destructive.
• Trojans can perform actions without the user’s knowledge or
consent, including collecting and sending data and causing a
computer to malfunction.
• Trojans are often classified by their payload or function.
• The most common include backdoor, downloader, infostealer, and
keylogger Trojans.
• Keylogger Trojans monitor and send keystrokes typed from an
infected machine.
Rootkits
• A rootkit is software that is installed and hidden on a computer to keep
privileged (typically administrative) access to the system while concealing
its presence.
• A rootkit is usually installed after an attacker first obtains user-level
access to the computer.
• The rootkit then enables the attacker to gain root or privileged access
to the computer, which can lead to compromise of other machines on
the network as well.
• Traditional antivirus software cannot always detect an installed rootkit,
because the rootkit hides itself by intercepting the operating system
functions that such tools rely on to list files, processes, and registry
entries.
• You can usually spot a rootkit by looking for memory processes,
monitoring outbound communications, and checking for newly
installed programs.
• Vendors offer applications that can detect rootkits, such as
RootkitRevealer, which compares the view of the file system and registry
returned by the Windows API with the raw data read from disk and reports
any discrepancies.
• When a system is infected, the only definitive way to get rid of a
rootkit is to completely reformat the computer’s hard drive and
reinstall the operating system.
• In addition, installing a rootkit requires full administrator rights.
• Therefore, running Windows from an account with lesser privileges reduces
the risk of rootkit infection (although an attacker can still try to escalate
privileges through an unpatched vulnerability).
Logic Bombs
• A logic bomb is malicious code, often hidden inside a virus or Trojan
horse, designed to execute a malicious action when a certain event occurs
or after a certain period of time.
• For a virus to be considered a logic bomb, the user of the software must be
unaware of the payload.
• A programmer might create a logic bomb to delete all code from a server
on a future date, typically timed to trigger after he or she has left the
company.
• A logic bomb is also referred to as slag code. The malicious code is usually
planted by a disgruntled employee.
• During software development, it is a good idea to review the code to
keep logic bombs from being inserted.
• Unfortunately, code review cannot keep someone from planting a logic
bomb after programming is complete.
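One practical form of the code review recommended above is a static check for the logic-bomb shape: a destructive operation guarded by a time or environment condition. The following added example (not from the page) does this for Python source with the standard `ast` module. The sample source it scans is constructed for the example, with one legitimate cleanup routine and two planted triggers, and the lists of trigger and destructive calls are the example's own starting point, not a complete catalogue.

```python
import ast

# Constructed source under review: one honest function and two planted bombs.
SAMPLE_SOURCE = '''\
import datetime
import os
import shutil


def nightly_cleanup(tmp_dir):
    # legitimate: unconditional cleanup of a temp directory
    shutil.rmtree(tmp_dir)


def sync_report(db):
    # planted: destructive action gated on a date after the author expects to be gone
    if datetime.date.today() > datetime.date(2025, 12, 31):
        shutil.rmtree("/srv/app/src")
    return db.report()


def check_account(username):
    if username != "mallory":
        return True
    # planted: fires once the author's own account has been removed
    if not os.path.exists("/home/mallory"):
        os.system("rm -rf /srv/app")
    return False
'''

# Calls that commonly gate a logic bomb (time, date and environment probes) ...
TRIGGER_CALLS = {
    "datetime.date.today", "datetime.datetime.now", "datetime.datetime.utcnow",
    "time.time", "os.path.exists", "os.getlogin", "socket.gethostname",
}
# ... and calls that can do the damage.
DESTRUCTIVE_CALLS = {
    "shutil.rmtree", "os.remove", "os.unlink", "os.rmdir", "os.system",
    "subprocess.run", "subprocess.call", "subprocess.Popen",
}


def dotted_name(node):
    """Render `a.b.c` from an Attribute/Name chain, or None for other callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def calls_in(node, names):
    """Dotted names of calls beneath `node` that are listed in `names`."""
    return {
        dotted_name(n.func)
        for n in ast.walk(node)
        if isinstance(n, ast.Call) and dotted_name(n.func) in names
    }


def find_logic_bombs(source):
    """Return (function, line, triggers, sinks) for every `if` whose condition
    probes time or environment and whose body performs a destructive call."""
    findings = []
    tree = ast.parse(source)
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.If):
                continue
            triggers = calls_in(node.test, TRIGGER_CALLS)
            sinks = set()
            for stmt in node.body:
                sinks |= calls_in(stmt, DESTRUCTIVE_CALLS)
            if triggers and sinks:
                findings.append((func.name, node.lineno, sorted(triggers), sorted(sinks)))
    return findings


if __name__ == "__main__":
    for name, line, triggers, sinks in find_logic_bombs(SAMPLE_SOURCE):
        print(f"line {line} in {name}(): {', '.join(sinks)} guarded by {', '.join(triggers)}")
```

The unconditional cleanup is not reported, while both planted conditions are, each with the trigger and the sink that make it suspicious. The output is a review queue, not a verdict: licence expiry checks and maintenance windows have the same shape and are legitimate, and a determined insider can hide the trigger behind indirection the pattern does not see. That is exactly why the text says review cannot stop a bomb planted after development is complete; the check has to run on what is actually deployed.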
Bots
• A bot, short for robot, is an automated computer program that needs no
user interaction.
• In the malware context, a bot is a compromised system (a zombie) that an
outside party can control remotely.
• A bot gives a spam or virus originator a venue from which to propagate.
• A botnet is a large number of bot-infected computers under common
command and control, which relay the attacker's commands and traffic
to other computers on the Internet.
• You might also hear a botnet referred to as a zombie army.
• A system is typically turned into a bot through a service exposed on an
open port or through an unpatched vulnerability.
• The computers that form a botnet can be programmed to conduct a
distributed denial-of-service (DDoS) attack, distribute spam, or perform
other malicious acts.
Crypto-Malware
• Crypto-malware is specifically designed to find potentially valuable data on
a system and encrypt it so that the owner can no longer access it.
• The decryption key is then required to access the data.
• Crypto-malware is often associated with ransomware.
• The attacker provides the decryption key only after the victim has made a
ransom payment.
• Payment is typically demanded in cryptocurrency such as bitcoin.
• In 2017, crypto-malware known as WannaCry affected hundreds of
thousands of systems around the world.
• WannaCry specifically exploited unpatched vulnerabilities in Windows
systems.
• It hit hospitals as well, holding data hostage and demanding that
infected users pay for access to their files.
[Figure: an example of what users see when they are infected with the
WannaCry ransomware]
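Crypto-malware is recognisable from what it does to files: one process rewrites many user documents in a short time, the new contents are effectively random (high entropy, unlike text or office documents), the files get an unfamiliar extension, and a ransom note appears alongside them. The added example below (not from the page; every file event and file content in it is constructed) scores a stream of write events on those indicators. The entropy threshold, the extension allowlist, the window and the file count are assumptions chosen for the example.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Extensions whose legitimate contents are already compressed or encrypted and
# therefore always look high-entropy; writes to these are not counted (assumed list).
COMPRESSED_EXTS = {"zip", "7z", "gz", "png", "jpg", "jpeg", "mp4", "pdf", "docx", "xlsx"}
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover|readme).*\.(txt|html|hta)$", re.I)


def shannon_entropy(data):
    """Bits of entropy per byte: text is about 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_ransomware(events, window=60, min_files=10, entropy_threshold=7.5):
    """events: (ts, pid, process, path, data) write events in any order.
    Returns {pid: {...}} for processes that rewrote >= min_files distinct files
    with high-entropy data and an unusual extension inside `window` seconds."""
    recent = defaultdict(list)      # pid -> [(ts, path)] of suspicious writes
    notes = defaultdict(list)       # pid -> ransom-note-like paths written
    alerts = {}
    for ts, pid, process, path, data in sorted(events, key=lambda e: e[0]):
        if RANSOM_NOTE.search(path):
            notes[pid].append(path)
        if extension(path) in COMPRESSED_EXTS or shannon_entropy(data) < entropy_threshold:
            continue
        q = [(t, p) for t, p in recent[pid] if ts - t <= window] + [(ts, path)]
        recent[pid] = q
        files = {p for _, p in q}
        if len(files) >= min_files and pid not in alerts:
            alerts[pid] = {"process": process, "first_ts": ts, "files": len(files)}
    for pid in alerts:                              # note may be dropped before or after
        alerts[pid]["note"] = bool(notes[pid])
    return alerts


def build_sample_events(seed=1):
    """Constructed write events; random bytes stand in for encrypted contents."""
    rng = random.Random(seed)

    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly report. Revenue grew modestly; costs were flat. " * 40
    events = []
    # pid 100: a word processor saving one document a few times (low entropy)
    for k in range(3):
        events.append((1000 + 20 * k, 100, "winword.exe", r"C:\Users\alice\Documents\q3.txt", text))
    # pid 200: a backup tool writing compressed archives (high entropy, known extension)
    for k in range(6):
        events.append((1100 + 5 * k, 200, "backup.exe", rf"D:\backup\set{k}.zip", rand(2048)))
    # pid 300: crypto-malware rewriting 25 documents in 12 s, then dropping a note
    for k in range(25):
        events.append((2000 + k // 2, 300, "update.exe",
                       rf"C:\Users\alice\Documents\file{k}.docx.locked", rand(2048)))
    events.append((2015, 300, "update.exe", r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
                   b"Your files have been encrypted. Contact us to buy the key."))
    return events


if __name__ == "__main__":
    for pid, a in detect_ransomware(build_sample_events()).items():
        print(f"pid {pid} ({a['process']}): {a['files']} high-entropy rewrites by t={a['first_ts']}"
              f"{', ransom note written' if a['note'] else ''}")
```

The editor and the backup tool are never counted, because their writes are either low-entropy or go to extensions that are expected to look random, while the crypto-malware process trips the threshold on its tenth document, a few seconds into the burst, and the note it drops afterwards is attached to the alert. Endpoint products that act on this kind of signal also suspend the process and snapshot the files it touched, which is why catching it early in the burst matters.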
Potentially Unwanted Programs (PUPs)
• A potentially unwanted program (PUP) is a program that is most likely
unwanted, despite the possibility that users consented to download
it.
• PUPs include spyware, adware, and dialers, and these programs are
often downloaded in conjunction with programs that users actually
want.
Spyware
• Undesirable code sometimes arrives with commercial software
distributions or with files downloaded from the Internet.
• Spyware is software that sends information from a user's system to
another party without notifying the user.
• Typically, spyware monitors user activity on the system, potentially
including keystrokes typed, and sends this logged information to
its originator.
• Some clues indicate that a computer might contain spyware:
▪ The system is slow, especially when browsing the Internet.
▪ The Windows desktop is slow in coming up.
▪ Clicking a link does nothing or takes you to an unexpected website.
▪ The browser home page changes, and you might not be able to reset it.
▪ Web pages are automatically added to your favourites list.
Adware
• Advertising-supported software, or adware, is a form of spyware that
gives advertisers an online channel through which to make a sale.
• Software vendors offer space for ads in their products or web properties,
and a portion of the revenue from banner sales goes to the company
placing the ad.
• These companies also install tracking software on your system that
remains in contact with the company through your Internet
connection.
• The software reports data to the company, such as your general
surfing habits and the sites you visit.
Cryptomining Software
• Many cryptocurrencies, such as bitcoin, are “mined” using computer
resources in a process known as cryptomining.
• Cryptomining software is often on dedicated mining hardware;
however, organizations have been concerned about such software
being on their systems.
• Cryptomining software consumes compute resources, making heavy
use of the CPU.
• Criminals have been using malware to deliver malicious cryptomining
software in order to use distributed resources of others (often as part
of a botnet) to mine for cryptocurrency.
• Such an attack is known as cryptojacking.
• Such an attack can also take place in a web browser, when a user visits
a compromised website or views a malicious ad that automatically runs a
mining script.