CompTIA Security – Malware

CompTIA IT Security Course

Section 6

Malware

 

Malware is any s/w designed to maliciously harm a computer

needs 2 things:

threat vector – the specific method used to attack, eg via
unpatched s/w
installing code
phishing campaign
other vulnerabilities

attack vector – the means by which the attacker gains access: how they break in and how they infect, eg via
unauthorized login
social engineering
 

 

viruses
worms
trojans
RATs
ransomware
zombies/botnets
rootkits
backdoors/logic bombs
keyloggers
spyware/bloatware

 

virus

multipartite virus is a combination of a boot sector virus and a program virus

it gets loaded every time the computer reboots, and then installs itself in a program.

even if an antivirus program removes the program virus, it may have missed the boot sector virus!

encrypted virus

hides by encrypting its own code

polymorphic virus

advanced version of the encrypted virus; also changes the virus code each time it is executed in order to decrease the chance of detection

metamorphic virus

can rewrite itself entirely before each infection – a further advance on polymorphic

stealth virus

a technique a virus uses to avoid being detected by AV s/w

armored virus

has a layer of protection to protect the virus from being detected.

hoax virus

technically isn't a virus but a form of social engineering trying to claim your system is infected, eg in order to demand a ransom

 

 

WORM

is a virus which can replicate itself between diff computers

v dangerous for 2 reasons:

1. can infect computers

2. can disrupt network traffic and processing power

eg DoS attack

they can spread in a very short period of time

eg Nimda (admin backwards) infected much of the world's PCs in 25 min; also
Conficker, one of the largest worms, infected up to 15 million systems!

needed an MS patch

 

 

BOTNETS and ZOMBIES

Botnets are networks of compromised machines called zombies which perform tasks using remote commands

a botnet can have a lot of processing power

zombie is the individual compromised computer node in the botnet

 

 

ROOTKIT

v powerful and difficult to detect as AVs can't easily find them

gives admin/root level control without being detected – highest privilege level of the OS, ring 1 or 0

DLL injection – forcing an infected DLL library file to be loaded, using a shim…

shim = s/w code placed between 2 components

 

 

BACKDOORS = originally created by programmers to give a legit way into a program if there is a problem..

nowadays they are not in vogue as they are regarded as a security risk

easter eggs = jokes/gags hidden in s/w which pop up

logic bomb = only executes when certain conditions are met

 

KEYLOGGERs

can be s/w or h/w based.

s/w ones often use phishing or soc eng to infect

h/w ones have to be physically connected, eg a usb thumb drive

data theft is a big risk with keyloggers

both for domestic users and corporates

how to counter:

update s/w patches regularly

use up-to-date AV scanning

phishing/soc eng awareness for staff

use MFA systems

encrypt keystrokes when sent to systems, eg ssh

physical checks of PCs, laptops, servers

 

SPYWARE/BLOATWARE

 

spyware:
malicious s/w which gathers and sends info about a user or org to an outside person

can be bundled with normal s/w
installed via a malicious website

via clicking on a popup

bloatware:

any s/w preinstalled on a pc or device – regardless of whether you want or need it… takes up processing power and drive space

a marketing technique

can also be toolbars, extensions etc for browsers etc

can cause security issues

can represent a potential threat vector.

best is to remove all bloatware which you don't need = there are tools, or you can remove manually

 

MALWARE ATTACK TECHNIQUES

Code injection – uses a legit process to add the code to the program

Masquerading

DLL Injection

DLL Sideloading

Process Hollowing

 

the “living off the land” process… threat actors exploit standard OS tools, eg on Windows, using PowerShell cmds
rather than trying to use their own homemade commands

 

 

INDICATIONS OF MALWARE ATTACKS

 

9 indications

 

Account lockouts – malware can trigger multiple lockouts; can be a red flag if many users have this problem all of a sudden

Concurrent session utilization – most users only have one session active, but if one or more suddenly have multiple sessions open, this can be an indication

blocked content – if more and more content than usual is getting blocked

impossible travel – someone logging in from one geog location and then a few mins or so later from a much further location which is impossible to travel to in that short time!

resource consumption – botnets, worms etc can consume large amounts of resources – memory, processes, network traffic

resource inaccessibility – if machines or volumes are suddenly not responding or cannot be logged into or connected to

out of cycle or out of hours logging – can be an indication if people are usually just 9-5

missing logs – this can be a good indicator that something is wrong

published or documented attacks = if news media finds out and reports that you are compromised before you do!
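Added example (not from the course notes): simple detection heuristics in Python for three of the indicators above (impossible travel, a burst of account lockouts, out-of-hours logins), run over constructed login events. The 1000 km/h speed threshold, the 10-minute lockout window and the 9-5 working hours are assumptions.

```python
import math
from datetime import datetime

# Constructed sample auth events (not real logs): (user, timestamp, city, lat, lon, outcome)
EVENTS = [
    ("alice", "2024-03-01T09:00:00", "London", 51.51, -0.13, "success"),
    ("alice", "2024-03-01T09:20:00", "Sydney", -33.87, 151.21, "success"),
    ("bob",   "2024-03-01T09:05:00", "London", 51.51, -0.13, "lockout"),
    ("carol", "2024-03-01T09:06:00", "London", 51.51, -0.13, "lockout"),
    ("dave",  "2024-03-01T09:07:00", "London", 51.51, -0.13, "lockout"),
    ("erin",  "2024-03-01T23:30:00", "London", 51.51, -0.13, "success"),
]

MAX_SPEED_KMH = 1000  # faster than any airliner: assumed threshold for "impossible" travel

def haversine_km(lat1, lon1, lat2, lon2):
    # great-circle distance between two lat/lon points, in km
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Users whose consecutive successful logins imply travel faster than MAX_SPEED_KMH."""
    last, flagged = {}, set()
    for user, ts, _city, lat, lon, outcome in sorted(events, key=lambda e: e[1]):
        if outcome != "success":
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_lat, prev_lon = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            if hours > 0 and haversine_km(prev_lat, prev_lon, lat, lon) / hours > MAX_SPEED_KMH:
                flagged.add(user)
        last[user] = (t, lat, lon)
    return flagged

def lockout_burst(events, window_minutes=10, threshold=3):
    """True if at least `threshold` distinct users were locked out inside one window."""
    locks = sorted((datetime.fromisoformat(ts), u) for u, ts, *_, o in events if o == "lockout")
    for i, (t0, _) in enumerate(locks):
        users = {u for t, u in locks[i:] if (t - t0).total_seconds() <= window_minutes * 60}
        if len(users) >= threshold:
            return True
    return False

def out_of_hours(events, start=9, end=17):
    """Users with any activity outside the assumed 9-5 working window."""
    return {u for u, ts, *_ in events if not start <= datetime.fromisoformat(ts).hour < end}
```

On the sample data this flags alice (London to Sydney in 20 min), a 3-user lockout burst, and erin's 23:30 login.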
