Malware

Assessment • Presentation

Information Technology (IT) • 10th Grade

Created by Charles Carr

23 Slides • 27 Questions

1

Malware

2

Malware

What is it?

  • Malware, or malicious software, is any program or file that's intentionally harmful to a computer, network or server.

  • These malicious programs steal, encrypt and delete sensitive data; alter or hijack core computing functions; and monitor end users' computer activity.

3

Fill in the Blank

Malware comes from the combination of what two words?

4

Viruses

What are they?

  • Viruses are the larger family of malware: any piece of code that attaches itself to system processes, files, or programs.

  • Viruses do their damage by using these host programs and files as carriers. They cannot spread on their own; a virus needs a host file and a user action (opening the file, running the program) before its code executes and copies itself further.

5

Multiple Choice

Viruses need help to replicate.

1

True

2

False

6

Worms

What are they?

  • A worm is stand-alone malware that self-replicates: it spreads over the network by itself, without attaching to a host program or waiting for a user to run anything.

7

Multiple Choice

Worms are able to self-replicate.

1

True

2

False

8

The ILOVEYOU computer worm, also known as the Love Bug or Loveletter, was a highly damaging worm that arrived as an email attachment and spread rapidly across the world in 2000, infecting millions of Windows computers.

​​ILOVEYOU worm

​In 1988, this worm infected thousands of computers at colleges, research centers, and military installations. The worm was created by Robert Tappan Morris, a Cornell University grad student, and released from MIT.

​​The Morris Worm

This worm targeted Microsoft Windows operating systems and infected millions of computers globally in 2008. Conficker spread by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE). It could also spread by copying itself to network shares and removable media, such as USB drives.

​​The Conficker Worm

9

Match

Match each famous worm to the correct description

A highly damaging email attachment that spread rapidly across the world in 2000, infecting millions of Windows computers

In 1988, this worm, created by a Cornell student, infected thousands of computers at colleges, research centers, and military installations.

This worm targeted Microsoft Windows and infected millions of computers globally in 2008, spreading by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE).

ILOVEYOU worm

The Morris Worm

The Conficker worm

10

Virus and Worm Defense

Virus Defense

  • Guard against system spread

    • Access Controls

    • Least privilege

    • User Training

    • Antimalware

    • Monitor for anomalies

Worm Defense

  • Guard against self-replicating techniques

    • IDS

    • IPS

  • Defense in Depth
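The IDS/IPS and "monitor for anomalies" items above come down to watching for the traffic pattern a worm cannot avoid producing: one host contacting many others on the same service port in a short time. The script below is an added example, not part of the original slides; it runs that check over a constructed flow log in which one host fans out on TCP/445 the way Conficker did. The port, threshold and window are illustrative parameters, not values from any product.

```python
"""Anomaly detection for worm-style spreading: one host fanning out to many
distinct peers on the same port in a short window. Added example, not code
from the slides; the flow records are constructed and the port, threshold
and window are illustrative choices rather than any standard."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow log: "<ISO timestamp> <src> <dst> <dst port>".
# 10.0.0.5 behaves like a Conficker-style worm probing SMB (TCP/445) on
# eight neighbours in eight seconds; 10.0.0.9 only talks to one file server.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 10.0.0.20 445
2024-03-01T10:00:01 10.0.0.9 10.0.0.50 445
2024-03-01T10:00:02 10.0.0.5 10.0.0.21 445
2024-03-01T10:00:02 10.0.0.5 10.0.0.60 443
2024-03-01T10:00:03 10.0.0.5 10.0.0.22 445
2024-03-01T10:00:03 10.0.0.9 10.0.0.50 445
2024-03-01T10:00:04 10.0.0.5 10.0.0.23 445
2024-03-01T10:00:05 10.0.0.5 10.0.0.24 445
2024-03-01T10:00:06 10.0.0.5 10.0.0.25 445
2024-03-01T10:00:07 10.0.0.5 10.0.0.26 445
2024-03-01T10:00:08 10.0.0.5 10.0.0.27 445
2024-03-01T10:00:09 10.0.0.9 10.0.0.50 445
2024-03-01T10:05:00 10.0.0.5 10.0.0.99 445
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def fan_out_alerts(log_text, port=445, threshold=5, window_seconds=60):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on `port` inside any window of
    `window_seconds`. A sliding window per source keeps memory bounded."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_flow(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    peaks = {}
    for ts, src, dst, dport in events:
        if dport != port:
            continue  # only the service port the worm spreads on
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()  # expire records older than the window
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


if __name__ == "__main__":
    for src, n in fan_out_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src} reached {n} distinct hosts on 445 within 60s")
```

A real IDS rule adds what the sample cannot show: an allow-list for scanners and backup servers that legitimately fan out, and a second signal such as failed connections, since a worm's probes mostly hit hosts that are not listening.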

11

Multiple Choice

You guard against viruses and worms using the exact same methods.

1

True

2

False

12

Trojans

What are they?

  • A trojan is software that is downloaded and installed on a computer and that seems harmless but is malicious.

  • When the victim downloads the program or clicks on the email attachment, the malware that was hidden inside is unleashed on the victim’s computer

13

Multiple Choice

Where do Trojan horses get their name from?

1

A Greek Myth

2

A prophylactic company

3

From Michigan State College

4

A Microsoft product

14

A backdoor is a means of accessing a system or its data that bypasses the system's customary security controls, including the normal login process. Backdoors are often installed by malware such as Trojans, although some are left open accidentally by programmers who added them during development or maintenance and forgot to remove them.

​​Back Doors

A Remote Access Trojan (RAT) is a specific type of trojan horse that includes a backdoor allowing administrative or remote control of the infected host. Once a RAT is installed, the attacker can connect over the network to examine local files, log keystrokes, harvest passwords, take screenshots, or use the connection to download additional malware.

​​Remote Access Trojan

15

The Downloader trojan targets a computer that is already infected, downloading and installing new versions of the existing malware or additional malicious components.

​​Downloader Trojan

The Distributed Denial of Service (DDoS) trojan, as its name states, makes the infected machine part of an attack that tries to take down a network by flooding it with traffic from the victims' infected computers.

​​DDoS Trojan

​The SMS trojan infects mobile devices and can send or intercept messages

​​SMS Trojan

16

Fill in the Blank

A __________ is a means to access a system or data that bypasses the system's customary security controls.

17

Multiple Choice

Backdoors are always a result of a malicious attack.

1

True

2

False

18

Multiple Choice

A RAT is a type of trojan horse.

1

True

2

False

19

Match

Match the type of Trojan to the correct description.

Targets a computer that is already infected by installing a new version of pre-existing malware

infects mobile devices and can send or intercept messages

Performs an attack attempting to take down a network by flooding it with traffic that comes from the victims' infected computers

Downloader Trojan

SMS Trojan

DDoS Trojan

20

Trojan Defense

Don't be fooled!

  • Do not download or run unknown or untrusted software

  • Verify the signatures and hashes of all software before installing (a hash proves the file is the one the publisher posted; a signature proves who published it)

  • Ensure all anti-virus and security software is up to date

  • Be careful of email attachments even from trusted senders
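The "verify the signatures and hashes" step is the one that can be automated. The Python script below is an added example, not anything from the original slides: it hashes a downloaded file in chunks, compares the result with the publisher's SHA-256 digest in constant time, and shows that changing a single byte is enough to fail the check. The installer bytes and the "published" digest are constructed inside the script so it runs offline. A hash copied from the same page as the download is worthless if that page was compromised; a signature (vendor GPG key, Authenticode) ties the file to the publisher's key, which a hash cannot do.

```python
"""Verify a downloaded installer against its published SHA-256 digest before
running it. Added example, not code from the slides; the installer bytes and
the "published" digest are constructed inline so the script runs offline."""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB installer does not fill memory

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_of_file(path):
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """True only if the file's digest equals the publisher's digest.
    compare_digest keeps the comparison constant-time; strip()/lower()
    tolerate the upper-case or padded digests many vendor pages show."""
    return hmac.compare_digest(sha256_of_file(path), published_hex.strip().lower())


def demo():
    """Returns (verdict on the genuine file, verdict after one byte is changed,
    digest of an empty file) so the pieces can be checked independently."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "setup.bin"
        installer.write_bytes(b"constructed installer payload\n" * 1000)
        published = sha256_of_file(installer)  # stand-in for the vendor's published digest
        genuine_ok = verify_download(installer, published)

        # Flip one byte, as a trojanized copy of the same installer would differ.
        data = bytearray(installer.read_bytes())
        data[100] ^= 0x01
        installer.write_bytes(bytes(data))
        tampered_ok = verify_download(installer, published)

        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")
        empty_digest = sha256_of_file(empty)
    return genuine_ok, tampered_ok, empty_digest


if __name__ == "__main__":
    print(demo())  # (True, False, 'e3b0c442...')
```

On Linux the same check is `sha256sum -c SHA256SUMS` against a file of "digest  filename" lines; the script is the equivalent for a scripted installer pipeline, where the digest should come from a channel separate from the download itself.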

21

Multiple Choice

Why should we be wary of attachments even from trusted senders?

1

They play too much.

2

They may unknowingly be spreading a virus.

3

We don't ever really know anyone.

4

They may be a hacker in disguise.

22

Keyloggers

What are they?

  • A keylogger is a type of malware that tracks, or logs, the keystrokes on a target’s keyboard, including shortcut (hot) keys.

  • Keystrokes can provide data such as passwords, usernames, messages, and credit card information.

  • Keyloggers save all keyboard information and make it available to the attacker.

23

Fill in the Blank

A ______________ is a type of malware that tracks, or logs, the keystrokes on a target’s keyboard

24

Keylogger Defense

Keystrokes can't be encrypted! A keylogger on the host sees keys before any application encrypts them, so the goal is to make what it captures worthless.

  • Use caution when opening attachments.

  • Consider using OTP and MFA whenever possible.

  • Password managers

  • An alternate keyboard layout (e.g. Dvorak or Colemak) may confuse a keylogger that assumes a standard layout.

  • Configure firewalls or security software to block unauthorized communication from unknown sources.
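OTP and MFA help against keyloggers because a captured code is useless once it has been used or once its time window has passed. The script below is an added example, not from the original slides: it implements TOTP (RFC 6238) and a server-side verifier that accepts each time-step at most once, so replaying a logged code is rejected. SECRET is the RFC 4226/6238 test-vector secret; a real deployment generates a random secret per user and persists the verifier's replay state.

```python
"""One-time passwords against keyloggers: a TOTP (RFC 6238) code is derived
from a shared secret and the current 30-second step, and a correct verifier
accepts each step once, so a code captured by a keylogger is useless after
its first use and useless anyway once the step has passed. Added example,
not code from the slides; SECRET is the RFC 4226/6238 test-vector secret and
the verifier keeps its replay state in memory (a real server would persist it)."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC test secret; never use a fixed value like this
STEP = 30      # seconds per time-step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP):
    """RFC 6238: HOTP with counter = unix_time // step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Server side. Accepts the current step plus `skew` neighbours to absorb
    clock drift, but never a step at or before the last one accepted, which
    is what defeats replay of a logged code."""

    def __init__(self, secret, skew=1):
        self.secret = secret
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        now = int(at) // STEP
        for step in range(now - self.skew, now + self.skew + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): reject replays
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 59)
    print(code, v.verify(code, 59), v.verify(code, 60))  # 287082 True False
```

The skew window is the usual compromise between clock drift and exposure; what matters for the keylogger case is that once step N is consumed, N and everything before it are refused, so the per-user last_accepted_step must be stored server-side or the protection is lost on restart.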

25

Multiple Choice

Encrypting keystrokes is a good defense against keyloggers.

1

True

2

False

26

Multiple Choice

Why are password managers a good defense against keyloggers?

1

They use Multi-Factor Authorization

2

You don't have to type in a password

3

They encrypt your keystrokes.

4

They contain anti-malware programming

27

Multiple Choice

What is Colemak?

1

An alternate keyboard layout

2

A famous keylogger code

3

The creator of the first keylogger

4

An anti-malware program with a strong keylogger detector

28

Rootkits

What are they?

  • A rootkit is an especially dangerous type of malware that gives an attacker administrative, or root, access to a computer through a set, or kit, of tools or scripts, while concealing its own presence.

  • Rootkits can blind some antivirus software because they activate before the OS boots, underneath the layer the scanner trusts. Some rootkits remain in place and dormant for long periods before they are noticed.

29

Multiple Choice

The "root" in rootkit refers to

1

the bottom of a desktop PC

2

the fact that all other malware comes from rootkits

3

administrative access

4

the branching shape of the malware code

30

Firmware rootkits overwrite the firmware of the system’s basic input/output system (BIOS) so the rootkit can start before the operating system

​​Firmware Rootkit

Bootkits replace the system's bootloader (the code that the firmware hands control to in order to start the operating system), so the rootkit runs before the OS.

​​Bootkit

Kernel rootkits replace some of the OS kernel so that the rootkit can start at the same time when the OS loads. The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system.

​​Kernel Rootkit

Driver rootkits pretend to be one of the trusted drivers the OS uses to communicate with PC hardware sometimes referred to as “driver shimming” (see lesson on Driver Manipulation).

​​Driver Rootkit

31

Multiple Select

Why are rootkits especially dangerous and difficult to detect? Choose all that apply.

1

They are designed to hide any evidence of their existence

2

Rootkits erase themselves after activation leaving ghost trails

3

Rootkits infect the most trusted part of the computer.

4

Rootkits are developed by the same programmers who make the Operating Systems.

5

Rootkits have the ability to block some antivirus software because they activate before the OS boots up.

32

NTRootkit was one of the first rootkits to target the Windows NT operating system.

​​NTRootkit

Machiavelli, found in 2009, was the first rootkit to target Mac OS X.

​​Machiavelli

Stuxnet is the first known rootkit for industrial control systems (ICS).

​​Stuxnet

33

Match

Match the infamous rootkit to the correct description.

The first known rootkit to target industrial control systems

One of the first rootkits that targeted the Windows Operating System

The first rootkit to target Mac OS X

Stuxnet

NTRootkit

Machiavelli

34

Rootkits Defense

Rootkits are extremely stealthy.

  • Ensure your system is current with the latest patches (software updates) against known vulnerabilities.

  • Be sure to keep software up to date including the operating system, applications, and security software.

  • If available, enable Secure Boot, which detects tampering with bootloaders, key operating system files, and unauthorized changes in firmware by validating digital signatures.

  • Antivirus software must run a dedicated rootkit scan; tools such as Sysinternals RootkitRevealer compare what the OS reports with what is actually on disk or in the registry and flag the differences.
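Scanners of the RootkitRevealer kind work by cross-view comparison: take the same inventory two ways, one through the normal API a rootkit can hook and one through a lower-level path, and treat the difference as something hidden. The Linux script below is an added example and not the tool's own code; it applies that idea to processes, comparing the /proc listing that ps uses with kill(pid, 0) probes of every pid. The function names and the pid sets used for checking it are constructed for illustration.

```python
"""Cross-view detection of hidden processes, the idea behind rootkit scanners
such as Sysinternals RootkitRevealer and unhide: compare a high-level view
(the /proc directory listing that ps reads) with a low-level probe (kill(pid, 0)
for every candidate pid). A rootkit that hides a pid by hooking directory
listing usually leaves the syscall-level view intact, so the difference is
the hidden process. Added example, not code from the slides; Linux only."""
import os


def procfs_pids():
    """PIDs visible in /proc, the source ps and top use."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def process_exists(pid):
    """kill(pid, 0) delivers no signal: ESRCH means no such process,
    EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(max_pid):
    """PIDs the kernel admits exist, found by asking about every one."""
    return {pid for pid in range(1, max_pid + 1) if process_exists(pid)}


def hidden_pids(listed, probed):
    """Alive at the syscall level but missing from the listing."""
    return probed - listed


def is_thread(pid):
    """Linux lists only thread-group leaders in /proc, yet kill(tid, 0)
    succeeds for a thread id; /proc/<tid>/status still resolves and its
    Tgid line names the leader, so such ids are threads, not hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def scan(max_pid=None):
    """Hidden-process candidates after filtering threads and snapshot races."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    candidates = hidden_pids(procfs_pids(), probed_pids(max_pid))
    # A process may have started after /proc was listed or exited after the
    # probe; re-check against a fresh listing before raising an alarm.
    fresh = procfs_pids()
    return {pid for pid in candidates
            if pid not in fresh and process_exists(pid) and not is_thread(pid)}


def self_check():
    """Sanity check for any Linux host: our own pid must be listed, must
    exist, and must be a thread-group leader. None where /proc is absent."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in procfs_pids(), process_exists(me), not is_thread(me)


if __name__ == "__main__":
    hidden = scan()
    print("hidden pids:", sorted(hidden) if hidden else "none")
```

Run it as root: with the hidepid mount option on /proc, other users' processes are absent from the listing yet answer EPERM to the probe, which looks exactly like hiding. A rootkit that also hooks kill() evades this particular pair of views, which is why real scanners compare several (file system, registry, network sockets) rather than one.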

35

Multiple Choice

Which tool can detect tampering with bootloaders, key operating system files, and unauthorized changes in firmware by validating digital signatures?

1

Secure Boot

2

Kernel Lock

3

Boot Suit

4

Driver Survivor

36

Adware is software that installs extra components that feed additional advertising to a computer, often in the form of pop-up ads or a new toolbar in the web browser. Adware can increase network traffic, which can slow down computer performance and disrupt system functions. Adware is sometimes bundled with free software downloads or pirated software. The advertising from the adware offsets the cost of the free software.

Adware

37

Multiple Choice

Adware can decrease network traffic, which can speed up computer performance and debug system functions.

1

True

2

False

38

Multiple Choice

Adware is sometimes bundled with free software downloads or pirated software.

1

True

2

False

39

Spyware is a type of malware that monitors computer and internet usage. Most spyware monitors internet traffic, which consists of what and when websites are visited, advertisements clicked, and other browsing habits. This collection of data can be valuable to unscrupulous advertisers and companies that can use these preferences for their own marketing campaigns, such as targeted spam advertising.

Spyware

40

Multiple Choice

Most spyware monitors internet traffic.

1

True

2

False

41

Multiple Choice

What is the main reason spyware may collect data regarding what and when websites are visited, advertisements clicked, and other browsing habits?

1

To access free Wi-Fi and cellular services

2

To sell to advertisers

3

To gather password credentials

4

To blackmail Internet Service Providers (ISPs)

42

Adware and Spyware Defense

  • Keep your anti-virus and security software definitions up to date

  • Keep regular system backups.

  • Removing adware can be difficult and may require a removal tool created specifically for that infection. Tools such as Malwarebytes and dedicated anti-adware scanners can be used to detect and remove adware and spyware.

43

Ransomware

What is it?

  • Ransomware is a type of malware that encrypts or locks a victim's data and/or device, then demands a payment (a ransom) to restore access to the locked resources.

  • In most cases, the ransomware victim must pay the attacker within a certain timeframe or risk losing access to the resource(s) forever.

44

One form of crypto-malware is a virus that encrypts files, folders, or entire hard drives. Crypto-malware can also be a form of ransomware in which the victims are asked to pay in cryptocurrency rather than ordinary money, since cryptocurrency can be much harder for law enforcement to track.

​​Cryptomalware

Locker ransomware affects the operating system and completely locks the victim out of the computer or device, making it impossible to access any files or applications. Locker ransomware is most often Android-based.

​​Lockers

Fake or phony software that acts as a cleaning tool or antivirus software. Scareware alerts users of issues found with the computer or device and demands money to fix the problems. Scareware can temporarily lock your computer and flood your screen with annoying popup displays.

​​Scareware

Also known as extortionware or leakware, threatens to release stolen data online if the ransom is not paid. Many people store sensitive data and personal photos on their devices, so it is understandable that a victim would panic and pay the ransom to avoid disclosure. Often, public officials and celebrities are the victims of doxware.

​​Doxware

45

Match

Match the type of Ransomware to the correct definition.

Also known as extortionware or leakware, threatens to release stolen data online if the ransom is not paid

Fake or phony software that acts as a cleaning tool or antivirus software then alerts users of "issues" found with the computer or device and demands money to fix the problems.

When a virus encrypts files, folders, or entire hard drives or when a victim is specifically asked to pay in Bitcoin.

Affects the OS and completely lock out a victim from their computer or device, making it impossible for the victim to access any files or applications

Doxware

Scareware

Cryptomalware

Lockers

46

In 2019, Baltimore City’s governmental computer systems were infected with a new and aggressive ransomware variant named RobbinHood. All servers, except for essential services, were taken offline. In a ransom note, hackers demanded 13 bitcoins (about $76,280) in exchange for keys to restore access. The note also stated that if the demands were not met within four days, the price would increase, and within ten days, the city would permanently lose all its data.

​​Baltimore

In 2021, the DarkSide group stole 100 gigabytes of data and infected Colonial Pipeline's IT network with ransomware.

Colonial Pipeline shut down the pipeline to stop the ransomware from spreading. The company paid the ransom of 75 bitcoin, or $4.4 million, within hours. DarkSide then provided Colonial Pipeline with an IT tool to restore the system.

​​Colonial Pipeline

The JBS ransomware attack was a cyberattack on the Brazilian food company JBS Foods that forced the closure of some of its meat processing plants in North America and Australia. The attack had a number of consequences, including an $11 million payment in bitcoin and an immediate rise in wholesale meat prices.

​​JBS Meats

47

Multiple Choice

Which city government was a victim of a Ransomware attack in 2019?

1

Baltimore

2

Boston

3

New York City

4

Miami

48

Ransomware Defense

Prevention is Key!

  • Patch Management (Updates)

    • Operating System

    • Applications

    • Security Software

  • User Training

    • Policies

    • Procedures

  • Backups

    • Air Gapped

    • Cloud Service

    • Beware of APTs

  • Don't Pay

    • No guarantee

    • Inviting more attacks

49

Multiple Choice

Paying is usually the best option if you are victim of a ransomware attack.

1

True

2

False

50

Fill in the Blank

________________ refers to ensuring a device or backup is not connected to the network in any way.
