Domain 8: Malicious Software
tunneling virus
A self-replicating malicious program that attempts installation beneath antivirus software by directly intercepting the interrupt handlers of the operating system to evade detection.
rootkit
A set of tools that is placed on the compromised system for future use. Once the rootkit is loaded, the attacker can use these tools against the system or other systems it is connected to whenever he wants to
polymorphic virus
A virus that can change its own code or periodically rewrites itself to avoid detection
Crimeware toolkit
Allows people to create their own tailored malware through GUI-based tools Provide predeveloped malicious code that can be easily customized, deployed, and automated
signature-based detection
Also known as knowledge-based detection or misuse detection, the examination of system or network data in search of patterns that match known attack signatures. Only detect viruses that hae been identified and where a signature is created
Bayesian logic
Applies statistical modeling to the words that make up an email message and evaluates if it is spam or not
Immunizers
Attaches code to the file or application, which would fool a virus into "thinking" it was already infected. This would cause the virus to not infect this file (or application) and move onto the next file. Immunizers are usually virus specific, since a specific virus is going to make a distinct call to a file to uncover if it has been infected.
bootsector virus
Attaches itself to the first part of the hard disk that is read by the computer during the boot up process. Virus is initiated when a system boots up. Some of the code is in the boot sector whereas the rest of their code are in sectors on the hard drive that the virus has marked off as bad - the OS won't overwrite those sectors
worms
Different from viruses in that they can reproduce on their own without a host application, and are self-contained programs
stealth virus
Hides the modifications it has made to files or boot records. This can be accomplished by monitoring system functions used to read files or sectors and forging the results. This means that when an antivirus program attempts to read an infected file or sector, the original uninfected form will be presented instead of the actual infected form. Once the system is infected, the virus can make modifications to make the computer appear the same as before. The virus can show the original file size of a file it infected instead of the new, larger size to try to trick the antivirus software into thinking on changes have been made.
script viruses
Lists of commands that are executed without your knowledge. Collect info about you.
Remote Access Trojan (RAT)
Malicious programs that run on systems and allow intruders to access and use a system remotely
Meme virus
Not actual computer viruses, but types of email messages that are continually forwarded around the internet chain-letters, email hoax virus alerts, pyramid selling schemes
botherder
Owner of the botnet Controls the systems remotely, usually through the Internet Relay Chat (IRC) protocol. The common steps of the development and use of a botnet are listed next: 1. A hacker sends out malicious code that has the bot software as its payload. 2. Once installed, the bot logs into an IRC or web server that it is coded to contact. The server then acts as the controlling server of the botnet. 3. A spammer pays the hacker to use these systems and sends instructions to the controller server, which causes all of the infected systems to send out spam messages to mail servers
Assessing the Security of Acquired Software
The essential question to ask is: How is the organization affected if this software behaves improperly? Improper behavior could be the consequence of either defects or misconfiguration. The defects can manifest themselves as computing errors (e.g., wrong results) or vulnerability to intentional attack. A related question is: What is it that we are protecting and this software could compromise? Is it PII, intellectual property, or national security information? The answers to these and other questions will dictate the required thoroughness of our approach. Internal assessments can measure the acquired software. If none of the above works we can still mitigate risks by deploying the software only in specific subnetworks, with hardened configurations, and with restrictive IDS/IPS rules monitoring its behavior
heuristic detection
This approach analyzes the overall structure of the malicious code, evaluates the coded instructions and logic functions, and looks at the type of data within the virus or worm. So, it collects a bunch of information about this piece of code and assesses the likelihood of it being malicious in nature. It has a type of "suspiciousness counter," which is incremented as the program finds more potentially malicious attributes. Once a predefined threshold is met, the code is officially considered dangerous and the antimalware software jumps into action to protect the system.
Multipart virus, also called Multipartite virus
This has several components to it and can be distributed to different parts of the system. It infects and spreads multiple ways, which makes it harder to eradicate when identified.
Are diskless workstations vulnerable to viruses?
Yes. Although they do not have a hard disk or a full operating system, they can still get viruses that load and reside in memory
trojan horse
a program that is disguises as another program Users are commonly tricked into downloading some type of software from a website that is actually malicious.. Can set up back doors, install keystroke loggers, implement rootkits, upload files from victim's system, install bot software, and perform many other types of malicious acts
virus
a small application, or string of code, that infects software main function - to reproduce and deliver its payload and requires a host application to do this cannot replicate on their own
bots
a type of malware and are being installed on thousands of computers even now as you're reading this sentence. They are installed on vulnerable victim systems through infected e-mail messages, drive-by downloads, Trojan horses, and the use of shared media.
spyware
a type of malware that is covertly installed on a target computer to gather sensitive information about a victim information may be gathered for malicious activites
macrovirus
a virus written in one of these macro languages and is platform independent infect and replicate in templates within documents - common because they are easy to write and are used extensively in commonly used products (Microsoft Office)
Behavior-blocking software
allows the suspicious code to execute within the operating system unprotected and watches its interactions with the operating system, looking for suspicious activities. The antimalware software would be watching for the following types of actions: • Writing to startup files or the Run keys in the Registry • Opening, deleting, or modifying files • Scripting e-mail messages to send executable code • Connecting to network shares or resources • Modifying an executable logic • Creating or modifying macros and scripts • Formatting a hard drive or writing to the boot sector
logic bombs
executes a program, or string of code, when a certain set of conditions is met
antimalware software
scans files, e-mail messages, and other data passing through specific protocols, and then compares them to its database of signatures. When there is a match, the antimalware software carries out whatever activities it is configured to do, which can be to quarantine the file, attempt to clean the file (remove the virus), provide a warning message dialog box to the user, and/or log the event
adware
software that automatically generates (renders) advertisements Goal is to generate sales revenue, not carry out malicious activities
spam
unsolicited junk email
A standard should cover the do's and don'ts when it comes to malware, which are listed next:
• Every workstation, server, and mobile device should have antimalware software installed. • An automated way of updating malware signatures should be deployed on each device. • Users should not be able to disable antimalware software. • A preplanned malware eradication process should be developed and a contact person designated in case of an infection. • All external disks (USB drives and so on) should be scanned automatically. • Backup files should be scanned. • Antimalware policies and procedures should be reviewed annually. • Antimalware software should provide boot malware protection. • Antimalware scanning should happen at a gateway and on each device. • Virus scans should be automated and scheduled. Do not rely on manual scans. • Critical systems should be physically protected so malicious software cannot be installed locally.
Six Main Elements for Malware
• Insertion Installs itself on the victim's system • Avoidance Uses methods to avoid being detected • Eradication Removes itself after the payload has been executed • Replication Makes copies of itself and spreads to other victims • Trigger Uses an event to initiate its payload execution • Payload Carries out its function (that is, deletes files, installs a back door, exploits a vulnerability, and so on)
but the main reasons that they are all increasing in numbers and potency are as follows:
• Many environments are homogeneous, meaning that one piece of malware will work on many or most devices. • Everything is becoming a computer (phones, TVs, game consoles, power grids, medical devices, etc.), and thus all are capable of being compromised. • More people and companies are storing all of their data in some digital format. • More people and devices are connecting through various interfaces (phone apps, Facebook, websites, e-mail, texting, e-commerce, etc.). • Many accounts are configured with too much privilege (administrative or root access). • More people who do not understand technology are using it for sensitive purposes (online banking, e-commerce, etc.).
The most commonly used schemes for making money through malware are as follows:
• Systems are compromised with bots and are later used in distributed denial-of-service (DDoS) attacks, spam distribution, or as part of a botnet's command and control system. • Ransomware encrypts some or all of the users' files with keys that are only given to the users after they pay a ransom, typically using cryptocurrencies. • Spyware collects personal data for the malware developer to resell to others. • Malware redirects web traffic so that people are pointed toward a specific product for purchase. • Malware installs key loggers, which collect sensitive financial information for the malware author to use. • Malware is used to carry out phishing attacks, fraudulent activities, identity theft steps, and information warfare activities.