Exploring Malware and how to Recognize them

What is malware?

Malware is a blanket term for viruses, worms, trojans, ransomware, and other harmful computer programs that an attacker uses to breach sensitive data; the term is short for malicious software. The most common delivery mechanism for malware is a link or a file sent through email, which executes if the user opens or accesses the link or file.

Malware has been around threatening organizations and individuals since the early 1970s, starting with the Creeper virus. Ever since the debut of the first malware, the world has encountered thousands of variants of malware that share a common goal: disruptions.

What can malware do?

Malware attempts to deliver a payload in various ways, from demanding a ransom to stealing sensitive data; cybercriminals keep evolving and pushing for more sophisticated methods to achieve their goals.

Types of malware

The following are types of malware:

  • Ransomware: [1] Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
  • File-less: [2] Fileless malware is a variant of computer-related malicious software that exists exclusively as a computer memory-based artifact i.e. in RAM. It does not write any part of its activity to the computer’s hard drive meaning that it’s very resistant to existing Anti-computer forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, time-stamping, etc., and leaves very little by way of evidence that could be used by digital forensic investigators to identify illegitimate activity. As malware of this type is designed to work in-memory, its longevity on the system exists only until the system is rebooted.
  • Spyware: [3] Spyware describes software with malicious behavior that aims to gather information about a person or organization and send such information to another entity in a way that harms the user; for example by violating their privacy or endangering their device’s security. This behavior may be present in malware as well as in legitimate software. Websites may also engage in spyware behaviors like web tracking. Hardware devices may also be affected. Spyware is frequently associated with advertising and involves many of the same issues. Because these behaviors are so common and can have non-harmful uses, providing a precise definition of spyware is a difficult task.
  • Adware: [4] Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a “pay-per-click” basis if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, full screen, a video, a pop-up ad, or in some other form. All forms of advertising carry health, ethical, privacy, and security risks for users.
  • Trojan: [5] In computing, a Trojan horse (or simply trojan) is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users’ personal information such as banking information, passwords, or personal identity. It can also delete a user’s files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan. Unlike computer viruses, worms, and rogue security software, Trojans generally do not attempt to inject themselves into other files or otherwise propagate themselves.
  • Worms: [6] A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue. Computer worms use recursive methods to copy themselves without host programs and distribute themselves based on the law of exponential growth, thus controlling and infecting more and more computers in a short time. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
  • Virus: [7] A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code. When this replication succeeds, the affected areas are then said to be “infected” with a computer virus.
  • Rootkits: [8] A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a compound from “root” (the traditional name of the privileged account on Unix-like operating systems) and the word “kit” (which refers to the software components that implement the tool). The term “rootkit” has negative connotations through its association with malware.
  • Keyloggers: A keylogger aims to monitor every keystroke a user enters. The malware records each keystroke and stores the information locally; the attacker would then, at a later point, require physical access to obtain the stored user data.
  • Bots/Botnets: Bots are also referred to as spiders, crawlers or even web bots. They are often used to automate repetitive tasks, such as indexing a search engine, but they often come in the form of malware. Malware bots are used to obtain total control over a computer. Some of the things they can do are exploiting back doors, launching DoS attacks, obtaining financial data, etc. The bots are used to infect computers in bulk; the infected computers then form a botnet (also known as a bot network).
  • Mobile Malware: [9] Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.
  • Greyware: Greyware refers to malicious software that falls in the “grey area,” which is between normal software and viruses. Greyware is also a term that other malicious/irritating software (such as adware) would fall under.
  • Malvertising: [10] Malvertising (a portmanteau of “malicious advertising”) is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Online advertisements provide a solid platform for spreading malware because the significant effort is put into them in order to attract users and sell or advertise the product. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is “attractive to attackers because they ‘can be easily spread across a large number of legitimate websites without directly compromising those websites’.”
  • Backdoor: A backdoor is an undocumented method of obtaining access to a system that bypasses authentication mechanisms. A backdoor, sometimes known as a trapdoor, is often a potential security threat that someone builds into the software and that is known only to that developer.
  • Browser Hijacker: A browser hijacker is a form of unwanted software that modifies a web browser’s settings or preferences without the user’s consent. As a result, it places unwarranted advertising into the browser and often replaces the default search engine or home page with whatever the hijacker intends.
  • Crimeware: Crimeware is a type of malware that was created to automate cybercrime. [11] Crimeware (as distinct from spyware and adware) is designed to perpetrate identity theft through social engineering or technical stealth in order to access a computer user’s financial and retail accounts for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the cyberthief. Alternatively, crimeware may steal confidential or sensitive corporate information. Crimeware represents a growing problem in network security as many malicious code threats seek to pilfer confidential information.
  • RAM Scraper: This is a type of intrusion that targets the RAM of a terminal (specifically a retail terminal) in an attempt to steal consumers’ credit card information. It is also called a point-of-sale (POS) attack, since the target is a terminal used to process retail transactions.
  • Rogue Security Software: [12] Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. Two of the earliest examples to gain infamy were BraveSentry and SpySheriff.
  • Cryptojacking: Cryptojacking is a rising threat centered on cryptocurrencies. The malware hides on a device and uses the machine’s resources to “mine” cryptocurrency. This is also called malicious cryptomining.
  • Hybrid Malware: Hybrid malware, also referred to as “combo malware,” combines multiple types of attack (such as a Trojan combined with a worm and adware). Hybrid malware may act like a bot, making the infected machine part of a larger botnet. Once the infected machines are connected to the botnet, a hacker can rent them out to other hackers for other purposes. A hybrid malware may also combine a virus’s ability to modify a program’s code with a worm’s ability to bury itself in memory; it can also propagate without any action by the user.
  • Social Engineering/Phishing Bugs: [13] In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.
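The Trojan entry above describes attachments disguised to look routine, and the introduction names email links and files as the most common delivery channel. The following is an added example, not code from the original article, showing a defender-side triage of attachment names for the usual disguises: directly executable types, a decoy double extension (report.pdf.exe), space-padded extensions, and the Unicode right-to-left override that visually reverses the end of a filename. The extension sets and the sample attachment names are constructed for illustration, not a vendor's policy.

```python
"""Triage e-mail attachment names for common Trojan disguises.
Added example, not code from the article; the extension lists are
illustrative assumptions, not a complete policy."""
import re
import unicodedata
from typing import Dict, List

# Extensions Windows will execute directly (assumed list for illustration).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Harmless-looking types commonly used as the decoy half of a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Unicode RIGHT-TO-LEFT OVERRIDE: "inv\u202efdp.exe" renders as "invexe.pdf".
RTLO = "\u202e"


def attachment_findings(name: str) -> List[str]:
    """Return the disguise indicators found in one attachment name (empty = none)."""
    findings: List[str] = []
    if RTLO in name:
        findings.append("rtlo-override")
    # Judge the extension the way the OS does: drop invisible format characters
    # (Unicode category Cf covers the bidi controls) and look at the last dotted token.
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    parts = [p.strip().lower() for p in visible.split(".")]
    if len(parts) >= 2:
        final = parts[-1]
        if final in EXECUTABLE_EXT:
            findings.append(f"executable:{final}")
            if len(parts) >= 3 and parts[-2] in DECOY_EXT:
                findings.append("double-extension")
    # Long runs of spaces before the real extension push it out of view in
    # narrow mail-client columns ("report.pdf            .exe").
    if re.search(r"\s{3,}\.", visible):
        findings.append("padded-extension")
    return findings


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious attachment name to its findings; clean names are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        findings = attachment_findings(name)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample of attachment names as they might appear in a mail log.
SAMPLE_ATTACHMENTS = [
    "Q3_report.pdf",
    "Q3_report.pdf.exe",
    "invoice\u202efdp.exe",
    "photo.jpg                  .scr",
    "meeting_notes.txt",
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {', '.join(findings)}")
```

The check deliberately strips the override character before reading the extension, because what the user sees ("invoiceexe.pdf") and what the operating system will run ("....exe") differ; a filter that only looks at the rendered name would miss exactly the case the disguise is built for.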

How does malware spread?

The most common ways malware spreads:

  • Vulnerabilities
  • Backdoors
  • Drive-by downloads
  • Homogeneity
  • Privilege escalation
  • Blended threats

How to identify and remove malware

Malware today is becoming more and more sophisticated, which further complicates identifying and removing it. Most malware shows up in the form of a trojan horse or a worm and then adds the victim’s computer to a botnet, which gives the attacker access to the victim’s device and network. If one is lucky, it may be possible to spot the malware executable among the active processes. With file-less malware, however, this task has become much more complicated.
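The paragraph above says that, with luck, the malware shows up as an executable among the active processes, and that in-memory malware does not. One cheap defender-side check on Linux bridges the two: every process exposes the path of its backing binary through /proc/<pid>/exe, and a process whose binary has been unlinked from disk, or that runs from an anonymous memfd or a world-writable temp directory, is worth a closer look. The following is an added example, not code from the original article; the rule list and the sample process records are constructed for illustration, and the live collector simply returns nothing on systems without /proc.

```python
"""Flag running processes whose backing executable is missing from disk or
memory-only: a first look for in-memory ("file-less") malware on Linux.
Added example, not code from the original article."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    exe: str      # resolved target of /proc/<pid>/exe ("" if unreadable)
    cmdline: str  # space-joined argv from /proc/<pid>/cmdline


# Each rule: (label, regex applied to the exe link target). The labels and
# path choices are assumptions for illustration, not a vendor rule set.
EXE_RULES: List[Tuple[str, re.Pattern]] = [
    ("exe-deleted", re.compile(r" \(deleted\)$")),          # binary unlinked after start
    ("exe-memfd", re.compile(r"^/memfd:")),                  # anonymous in-memory file
    ("exe-tmpfs", re.compile(r"^/(dev/shm|tmp|var/tmp)/")),  # world-writable temp dirs
]


def classify(record: ProcessRecord) -> List[str]:
    """Return the labels of every rule the process matches (empty = nothing unusual)."""
    return [label for label, pattern in EXE_RULES if pattern.search(record.exe)]


def scan(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map pid -> matched labels for every flagged process."""
    flagged: Dict[int, List[str]] = {}
    for rec in records:
        labels = classify(rec)
        if labels:
            flagged[rec.pid] = labels
    return flagged


def collect_live() -> List[ProcessRecord]:
    """Read /proc on Linux; returns [] elsewhere. Unreadable entries become ""."""
    records: List[ProcessRecord] = []
    if not os.path.isdir("/proc"):
        return records
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel threads, vanished processes, or no permission
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmdline = ""
        records.append(ProcessRecord(pid, exe, cmdline))
    return records


# Constructed sample: what /proc might show on a host where one process runs
# from an unlinked binary in /tmp and another from an anonymous memfd.
SAMPLE_RECORDS = [
    ProcessRecord(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    ProcessRecord(812, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    ProcessRecord(2210, "/tmp/.x/update (deleted)", "./update --quiet"),
    ProcessRecord(2304, "/memfd:payload (deleted)", "python3"),
    ProcessRecord(2400, "/usr/bin/python3", "python3 /home/alice/report.py"),
]

if __name__ == "__main__":
    live = collect_live()
    for pid, labels in scan(live or SAMPLE_RECORDS).items():
        print(f"pid {pid}: {', '.join(labels)}")
```

A hit is an indicator, not a verdict: package upgrades also leave long-running daemons pointing at a "(deleted)" binary until they are restarted, so the output is a list of processes to verify (who started them, what they are connected to) rather than something to kill on sight.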

The downside is that identifying and removing malware is much more complicated now, because one may not know how far the infection has spread. As with a human body, one may be able to identify an issue externally or internally, but until one digs in and runs tests, one may not know what other parts of the patient are affected. Typically, the best approach may simply be to back up the data or reimage the device.

The key to stopping malware is prevention. Systems should always be kept up to date with patches and monitored for possible vulnerabilities. An individual who is part of an organization and uses a device connected to its network should always be educated about phishing and the dangers of executing malicious content.

There are also risks from third and fourth parties. One should ensure that third-party risk management frameworks and vendor risk management programs require vendors to maintain secure systems that are free of malware. Customers are not concerned with who is responsible for a breach in an organization; they are concerned with whether everything is secured and their data is protected.

References

  1. https://en.wikipedia.org/wiki/Ransomware
  2. https://en.wikipedia.org/wiki/Fileless_malware
  3. https://en.wikipedia.org/wiki/Spyware
  4. https://en.wikipedia.org/wiki/Adware
  5. https://en.wikipedia.org/wiki/Trojan_horse_(computing)
  6. https://en.wikipedia.org/wiki/Computer_worm
  7. https://en.wikipedia.org/wiki/Computer_virus
  8. https://en.wikipedia.org/wiki/Rootkit
  9. https://en.wikipedia.org/wiki/Mobile_malware
  10. https://en.wikipedia.org/wiki/Malvertising
  11. https://en.wikipedia.org/wiki/Crimeware
  12. https://en.wikipedia.org/wiki/Rogue_security_software
  13. https://en.wikipedia.org/wiki/Social_engineering_(security)