Malware Attacks | CompTIA Security+ SY0-601 | 1.2a

In this video you will learn about malware attacks such as: ransomware, trojans, worms, potentially unwanted programs, fileless viruses, command and control, bots, cryptomalware, logic bombs, spyware, keyloggers, remote access trojans, rootkits, and backdoors.

Malware

Ransomware

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid.  While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion.  It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.[1]  In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as Bitcoin or other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
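The encryption step above leaves a measurable trace: a document rewritten as ciphertext has near-maximal byte entropy. The following is an added defensive example (not from the video or its sources) that compares two snapshots of a directory and flags files that jumped from low to high entropy; the snapshots, file names and sample bytes are constructed for illustration.

```python
"""Entropy-based spotting of files that have been bulk-encrypted, as a
simple ransomware indicator: plain text and ordinary documents sit well
below 8 bits per byte, while ciphertext is close to it."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_encrypted(snapshot_before: dict, snapshot_after: dict,
                   threshold: float = 7.5) -> list:
    """Compare two {path: bytes} snapshots and return the paths whose
    content went from below the entropy threshold to at or above it,
    i.e. files rewritten as ciphertext since the earlier snapshot."""
    flagged = []
    for path, after in snapshot_after.items():
        before = snapshot_before.get(path, b"")
        if shannon_entropy(before) < threshold <= shannon_entropy(after):
            flagged.append(path)
    return sorted(flagged)


# Constructed sample data: the report is untouched, the invoice has been
# replaced with seeded pseudo-random bytes standing in for ciphertext.
PLAIN = b"Quarterly report: revenue up 4%, costs flat.\n" * 100
CIPHER = random.Random(7).randbytes(4096)
BEFORE = {"report.txt": PLAIN, "invoice.docx": PLAIN}
AFTER = {"report.txt": PLAIN, "invoice.docx": CIPHER}

if __name__ == "__main__":
    print("high-entropy rewrites:", flag_encrypted(BEFORE, AFTER))
```

Real ransomware usually also renames or re-extensions the files it encrypts, so a production check would match on the original name as well as the path.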

Trojans

A Trojan horse is any type of malware which misleads users as to its true intent. Trojans are generally spread by some form of social engineering, such as executing an email attachment disguised so as not to appear suspicious, or clicking on fake advertisements on social media or elsewhere. Trojan payloads can be anything, but modern forms act as a backdoor, contacting a controller which can then gain unauthorized access to the affected computer.

Worms

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue. Phishing and other human errors are not required for worms to thrive.

Potentially Unwanted Programs (PUPs)

A potentially unwanted program (or potentially unwanted application) is software that a user may perceive as unwanted or unnecessary.  It is used as a subjective tagging criterion by security & parental control products.  Such software may use an implementation that can compromise privacy or weaken the computer’s security.  Companies often bundle a wanted program download with a wrapper application & may offer to install an unwanted application, in some cases without providing a clear opt-out method.  Antivirus companies define the bundled software as potentially unwanted programs,[2] which can include software that displays intrusive advertising (adware), tracks the user’s Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user.[3]  A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project’s knowledge or consent.  Nearly every third-party free download site bundles its downloads with potentially unwanted software.[4]  The practice is widely considered unethical because it violates the security interests of users without their informed consent.  Some unwanted software bundles install a root certificate on a user’s device, which allows hackers to intercept private data such as banking details without the browser giving security warnings.  The US Department of Homeland Security has advised removing such an insecure root certificate, because it makes computers vulnerable to serious cyberattacks.[5]  Software developers and security experts recommend that people always download the latest version from the official project website, or from a trusted package manager or app store.

Fileless Virus

A fileless virus is a variant of computer-related malware that exists exclusively as a memory-based artifact in RAM.  It does not write any part of its activity to the computer’s hard drive, meaning that it is very resistant to existing anti-computer-forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping, etc., and leaves very little evidence that digital forensic investigators could use to identify illegitimate activity.  As malware of this type is designed to work in memory, it persists on the system only until the system is rebooted.

Command and Control

A command and control (C2 or C&C) server is a computer controlled by a hacker or other cybercriminal and used maliciously to issue commands to the various systems that have already been exploited or compromised by malware; such servers are also used to covertly receive the data the hacker wants from the compromised machines on the target network.[6]  Things that a hacker can accomplish through command and control include:[7]

  • Data theft:  sensitive company data, such as financial documents, can be copied or transferred to an attacker’s server.
  • Shutdown:  an attacker can shut down one or several machines, or even bring down a company’s network.
  • Reboot:  infected computers may suddenly & repeatedly shut down and reboot, which can disrupt normal business operations.
  • Distributed Denial of Service:  DDoS attacks overwhelm servers or networks by flooding them with internet traffic.  Once a botnet is established, an attacker can instruct each bot to send requests to the targeted IP address, creating a jam of requests at the targeted server.  The result is like traffic clogging a highway, which prevents legitimate traffic from reaching the IP address.  This type of attack can be used to take down a website.
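Because a compromised machine has to check in with its C2 server to fetch commands, these check-ins often recur at a fixed interval with little jitter, which is something a defender can look for in proxy or flow logs. The following is an added detection example (not from the video or its sources) that groups connections by source and destination and flags pairs whose inter-connection timing is suspiciously regular; the log lines and addresses are constructed.

```python
"""Beacon detection over constructed proxy-log lines: a bot checking in
with its C2 server produces connections whose inter-arrival times have a
much lower coefficient of variation than human browsing does."""
from collections import defaultdict
from statistics import pstdev

# Constructed sample log, one connection per line: "<epoch> <src> <dst>".
# 10.0.0.5 contacts 203.0.113.7 roughly every 60 s; 10.0.0.9 browses
# 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7
1700000060 10.0.0.5 203.0.113.7
1700000121 10.0.0.5 203.0.113.7
1700000180 10.0.0.5 203.0.113.7
1700000241 10.0.0.5 203.0.113.7
1700000300 10.0.0.5 203.0.113.7
1700000005 10.0.0.9 198.51.100.20
1700000310 10.0.0.9 198.51.100.20
1700000330 10.0.0.9 198.51.100.20
1700001200 10.0.0.9 198.51.100.20
1700001205 10.0.0.9 198.51.100.20
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(flows: dict, min_conns: int = 5, max_cv: float = 0.1) -> list:
    """Return (src, dst, mean_interval_seconds) for every pair with at
    least min_conns connections whose gaps vary by at most max_cv
    (standard deviation divided by mean) around their average."""
    hits = []
    for (src, dst), times in flows.items():
        times = sorted(times)
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    print("possible beacons:", find_beacons(parse_log(SAMPLE_LOG)))
```

Tune `min_conns` and `max_cv` to the environment; software updaters and monitoring agents also beacon regularly, so hits are leads for triage rather than verdicts.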

Bots

A botnet attack is a large-scale cyber attack carried out by malware-infected devices which are controlled remotely.  It turns compromised devices into ‘zombie bots’ for a botnet controller.  Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time.  Botnet attacks are akin to having a threat actor working within the network, as opposed to a piece of self-replicating software.  Attackers use botnets to compromise systems, distribute malware and recruit new devices to the brood.  A botnet attack may be mostly for disruption or a means of blazing a path to launch a secondary attack.[8]

Crypto Malware

Crypto malware is a type of malware that allows threat actors to use someone else’s computer or server to mine for cryptocurrencies.  It has become one of the most prominent malware types since 2017.  Crypto malware’s rise in popularity has to do with the fact that crypto-mining is a resource-intensive process: it raises the user’s electricity bill and consumes the computer’s processing power, preventing other tasks from being performed at the same time.[9]

Logic Bombs

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.  For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.  Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a predefined time or when some other condition is met.  This technique can be used by a virus or worm to gain momentum and spread before being noticed.  Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools’ Day.  Trojans and other computer viruses that activate on certain dates are often called “time bombs”.  To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software.

Spyware

Spyware describes software with malicious behavior that aims to gather information about a person or organization and send that information to another entity in a way that harms the user, for example by violating their privacy or endangering their device’s security. This behavior may be present in malware as well as in legitimate software. Multiple unwanted pop-up windows when surfing the Internet may be an indicator of spyware on your system.

Keyloggers

Keystroke logging is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can be retrieved by the person operating the logging program. Keylogger viruses can be delivered by way of a Trojan, phishing, or a fake email attachment. Applying multifactor authentication is one way to prevent a software keylogger attack. Keyloggers can be either software or hardware.

Remote Access Trojan (RAT)

A remote access trojan is a type of malware that provides attackers with the ability to control a computer or a device via an established remote connection.  One of the goals of this malware is to steal information and spy on your system or network.  Typically, a RAT enters your system by disguising itself as legitimate software. But once it has entered your network, it gives attackers unwanted access by creating a backdoor into your system.[10]

Rootkit

A rootkit is a collection of computer hacking software designed to enable access to a computer or an area of its software that is not otherwise allowed, & it often masks its own existence or the existence of other software. Some rootkits can perform keylogging, while other rootkits simply take over the entire computer. Ridding a computer of a rootkit usually involves wiping the drive and reinstalling the operating system.

Backdoor

A backdoor attack uses a specific type of malware so hackers can avoid normal authentication procedures to gain access to a target system.  As a result, perpetrators can go through all resources such as file servers & databases to issue commands and change system settings without being discovered.  Hackers install backdoors to take control of vulnerable network components, allowing them to carry out targeted attacks.  These attacks include website defacement, data theft, server hijacking, watering hole attacks, and DDoS attacks, amongst others.[11]

References

  1. Cryptovirology: Extortion-Based Security Threats & Countermeasures. IEEE Symposium on Security and Privacy.
  2. PUP Reconsideration Information. Malwarebytes.
  3. Rating the Best Anti-Malware Solutions. Ars Technica.
  4. Mind the PUP:  Top Download Portals to Avoid. Emsisoft.
  5. Finkle, J. (2015). U.S. Urges Removing Superfish Program from Lenovo Laptops. Reuters.
  6. Cyber Security – Attacking Through Command and Control. GeeksforGeeks.
  7. Command and Control Explained. Palo Alto Networks.
  8. Greenlee, M. (2021). What is a Botnet Attack? A Guide for Security Professionals. Security Intelligence.
  9. What is a Crypto Malware? Techslang.
  10. Analyzing Remote Access Trojan (RAT). Remote Access Itarian.
  11. What is a Backdoor Attack? Techslang.