2.3A & B - Malware & Anti-Malware Tools


What is a rootkit? !TIP!: The name of this malware uses Unix terminology, since it originally only affected Unix/Unix-like systems. Root = admin; and kit = software components.

Rootkit: an increasingly rare type of malware that grants attackers access to an OS's core (system files, kernel, firmware, etc.) in order to modify them. Since rootkits change and embed themselves deep into the core of a system, they are often invisible to humans, OSes, and anti-malware programs alike.

Humans and machines alike have a difficult time finding and removing rootkits in a system. What is one way a user may attempt to find and remove a rootkit?

A rootkit may never be noticed in a system's lifetime, making it especially nefarious. The best hope for users is to be wary of any unusual, out-of-place behavior that a system may be displaying. Once a rootkit has been identified, a user should look for a reputable, third-party rootkit remover. These are often made once a rootkit has been widely identified within the industry.

What are some ways to educate users in malware prevention?

- Anti-phishing training (e.g. sending a phishing email to test users)
- One-on-one personal training
- Physical informational posters and signs throughout a workspace
- Digital messages (login message, home page of the company's intranet)

What are some ways to boot WinRE? After WinRE has booted, where should users go to attempt to remove malware from their system?

- Hold the Shift key while clicking the Restart button.
- Boot from installation media.
- Windows 10: Settings > Update & Security > Recovery > Advanced startup
- Windows 11: System > Recovery > Advanced startup > Restart now
- After it has booted: Troubleshoot > Advanced Options > Command Prompt

What is the difference between an antivirus and an anti-malware?

Antivirus: came first, primarily used for legacy threats (viruses, worms, etc.).

Anti-malware: came afterwards; used for a wide array of malware types, typically more advanced (can detect malicious activity as opposed to just signatures), and often includes antivirus inside of it.

However, the distinction between the two is really not important, as both consumers and companies use the terms interchangeably. Companies may still refer to their programs as antiviruses, even though they align more with what an anti-malware program is. This is most likely due to marketing/what consumers are more familiar with.

What is a backdoor in the context of malware?

Backdoor: a vulnerability of a system's security structure that may be identified and repeatedly exploited by malware, unbeknownst to users. The term alludes to the fact that houses may appear perfectly secure from the front, but may be covertly snuck in and out of through the "backdoor".

What is a boot sector virus and how does it differ from a rootkit?

Boot Sector Virus: an older type of virus that specifically infects the boot sector of an HDD, as opposed to the OS like a traditional virus. A boot sector virus could be seen as a type of rootkit, rather than a distinct form of malware. Boot sector viruses/rootkits are becoming increasingly rare due to the advent of UEFI BIOS.

What is cryptojacking?

Cryptojacking: the act of hijacking computers to perform cryptomining, either through websites or through installed malware. Cryptomining requires extensive power and CPU processing, so attackers figured out that covertly using the computers of unsuspecting victims is a way to circumvent this. Computers that have this malware installed will more often than not perform horribly, as all of their processing power is being used for mining. Users could suspect a website of cryptojacking if their computer's CPU usage suddenly spikes while visiting it.

What is a keylogger?

Keylogger: a program that logs every keystroke entered on a device's keyboard and relays it to a third party; usually in the form of spyware. Keyloggers can be especially heinous, as they provide an easy, straightforward way to steal a user's passwords. Keyloggers can even circumvent encryption, because what is the point of encryption if an attacker knows the password that decrypts the data?

What is malware?

Malware: (a portmanteau of malicious software) software that was specifically designed to disrupt, damage, or gain unauthorized access to a computer system. The harm that malware can cause ranges drastically. It may be implemented just to annoy users, or it may be implemented to access their bank accounts. Either way, a computer infected with malware should be "disinfected" immediately, so to speak.

What is one reason that rootkits are rarer today?

Most modern PC systems use UEFI BIOS instead of Legacy BIOS. UEFI BIOS offers a lot more security features and controls that make rootkit infections harder to deploy in a system. Even if users suspect that their system is infected with a rootkit, they can use secure boot in UEFI, which verifies that the system's core files and kernel have not been compromised.

What is ransomware?

Ransomware: an especially cruel form of malware that blocks and/or threatens to expose a user's personal data until a ransom is paid. Ransomware typically holds data hostage by encrypting it, and the attackers will supposedly give the user the decryption key after they are paid. The attackers will usually demand an untraceable form of payment, like cryptocurrency. Instead of paying the attackers, the most straightforward option users have is to restore the system from a known-good backup (an image that does not have the malware installed).

What is a software firewall?

Software Firewall: a security program that is essentially the software equivalent of a hardware firewall. They are designed to constantly monitor traffic, alert the user of any unknown/unauthorized interactions, and prevent malware from interacting with the network. Some advanced programs combine the functionality of a firewall and an anti-malware program. Windows includes a software firewall by default, called the Microsoft Defender Firewall.

What is spyware?

Spyware: malware that is loosely defined as any malicious program designed to covertly enter a user's device, gather confidential/personal data, and relay it to a third party. Spyware typically comes in the form of a trojan, like peer-to-peer or security software, so users are tricked into downloading it. Spyware can monitor a user's browsing habits, implement keyloggers, and perform other nefarious actions.

What is a Trojan horse? !TIP!: The name of this malware uses the Greek Trojan Horse fable as a metaphor for how it is implemented on a system.

Trojan Horse: any malware that deceives users about its true intent, usually appearing as a legitimate application or file that tricks users into downloading it. Trojans generally do not attempt to replicate themselves, but rather open a backdoor for other types of malware to infect a system. A system's anti-malware may catch a trojan, but better-built trojans may avoid or even disable it.

What is a virus signature?

Virus Signature: a set of data/code that is unique to a specific virus, allowing it to be identifiable by an anti-malware program (almost like a virus's "fingerprint").

What is a virus and a worm in the context of malware? How do they differ from one another?

Virus: a type of malware that replicates and spreads itself by inserting its code into programs/files; viruses are triggered by user interaction. Worm: malware that is essentially the same as a virus, but it does not have to "piggyback" off programs to spread, and does not require user interaction to be executed. The distinction between a virus and a worm may be disputed, and is altogether not too relevant. Even the term "virus" is often erroneously used as a catch-all for any type of malware.

What is the Windows Recovery Environment (WinRE)?

Windows Recovery Environment (WinRE): an area in Windows that provides users with powerful tools to troubleshoot and repair a compromised OS, like a CLI that can be used to remove viruses. WinRE should only be used as a last resort, as users can accidentally modify core files in a way that leaves a computer inoperable. WinRE can also enable/disable specific services during startup, and modify/repair a system's file system, among other options.
