Types of Malware (part 1) In today's lesson we look at malware. We discuss the different types of malware as well as strategies for mitigating their effects. You'll learn the different classifications of malware, its definition, how the term originated and what malware does. [toggle_content title="Transcript"] Today we will be looking at section 3.1 of the syllabus, "Explain Types of Malware." There are different types of malware; we need to classify them properly and look at practical ways of mitigating each one. The word "malware" is derived from "malicious software": software designed to cause harm to your systems, to destroy your systems and your data.

Classifications include viruses, worms and Trojans. A virus is a program designed to cause harm to your system, and it is very different from a worm. The key characteristic of a virus is that it attaches itself to a file. Every time you copy that file you copy the virus; if you move the file around you move the virus around, and when you open or run the file you activate the virus. There are many kinds of viruses, and to limit their effect on our systems we use antivirus software.

Next we have worms. A worm is similar to a virus in that it is also a malicious program, but unlike a virus it does not attach to any file. A worm knows how to replicate itself, and it will replicate itself across your network; it was designed to do that. The key characteristic of a worm is that it requires no human interaction: it spreads on its own.

Trojans are malicious software disguised as something useful. You download a piece of software from the internet thinking it will do something good for you; it may even appear to do that, but it is also doing something malicious in the background. All of these are malicious: they could be used to cut your system off from the internet, to steal data on your computer or to corrupt it. Collectively we deal with them using anti-malware. Sometimes the vendor will just say "antivirus" because it deals with viruses, but "anti-malware" is the better term, because it covers the Trojans and the worms as well as the viruses.

We also have adware, derived from "advertising software". How do we get hit by it? In the form of pop-ups. You visit a website and pop-ups start to appear all over the page. Why are pop-ups a problem? They advertise things to you and distract you from your work, so you have to stop what you are doing to close them. Some pop-ups can also deliver a malicious payload to your system, which can be very damaging if your system gets infected through them. How do we protect ourselves? You turn on the pop-up blocker in your browser. With the blocker on, pop-ups can no longer appear while you browse. However, some sites will say, "To use this site you must have pop-ups enabled." So how do you handle that? In Internet Options, on the Privacy tab, where you turn on the pop-up blocker, click Settings and enter the address of the site for which you want to make an exception. That way you see no pop-ups on other sites, but on the site that needs them they can still appear. That is how you take care of adware.

We also have spyware, from "spying software". When we are online and visit websites, those websites push cookie files to our systems, and those cookie files can record what we have been looking at. If you can tell what I have been looking at, you can also tell where I have been going. By examining our cookies, individuals can track us across the internet, which is an invasion of privacy: "Oh, you went to this site? You looked at ABC?" These are called tracking cookies; they are placed on your system to record your activity across web pages. Some people could abuse this to stalk you, or to plant content on other sites that tricks you into clicking on something malicious. How do you take care of this? Some people go into their browser and delete the cookies by hand, but that is unreliable: some days you will forget, and how do you know you got them all? With anti-spyware, the software finds the tracking cookies for you and removes them. Running anti-spyware periodically keeps other people from spying on your online activities.

Now rootkits. A rootkit is a set of tools malicious persons use to operate with root access on your system, meaning administrator access, while hiding their presence. Malicious people can remotely gain access to your system, but access at the user level is of little use to them; they want administrator access. With these kits they escalate their privileges, tricking the operating system into giving them administrator rights, and then mask their presence. The longer they stay in your system undetected the better for them, because the moment you detect them you will want them out. That is what the "root" refers to: administrator access. A set of tools that gains administrator access and hides its presence in the system is a rootkit.

Backdoors. A backdoor can be put in place by malicious persons, or even by developers or administrators. When people write software they may want a quick way back into it to fix issues in the code without logging on every time, so they put in a backdoor. Best practice: if your programmer puts in a backdoor to make the software easier to manage, make sure it is removed before the software goes into production. We should also follow the principle of separation of duties: one person writes the software and another person reviews it before it goes onto the network; the programmer should not be the same person deploying it. Malicious people also introduce backdoors. A backdoor is an unauthorized way of gaining access to a system without authenticating. Malicious people will plant backdoors in your software so that every time they come back they have guaranteed access. We should do due diligence and test our code to make sure no backdoor has been left in it.

Logic bombs. A logic bomb is a piece of code planted in your software that activates at a future date or on a future event. It could be put in place to cause a denial of service or to cripple your services for a period of time. A logic bomb is very difficult to detect if you do not read the code, because it simply sits there until that time or event arrives and then it triggers. Careful trend analysis can reveal one: maybe certain failures keep happening, and when you investigate you ask, "Why do they occur on the same day every time? Is it always the same time, or the same event around the occurrence?" Then you know you have a logic bomb in the system.

A botnet is a collection of computers that have been compromised by malicious persons and are used together, typically for a distributed denial of service. To run a distributed denial of service, the attackers gain access to multiple systems on the internet and plant a bot in each of them: software they can command later. Those compromised computers, all carrying that software and attacking a victim in a coordinated fashion, are what we call a botnet: a network of compromised computers.

Ransomware. This is one of the newer forms of attack. Malicious persons infect your system with software that locks it. They may lock the entire interface: you can't click on anything, your mouse clicks have no effect, and the only thing that works is the place where they want you to pay. There is something called the MoneyPak virus: your system is locked up, the only thing that works is "pay here", and they ask you to buy a prepaid scratch card, load it with money and give them the digits from the back of the card. Organizations should follow best practice to recover their systems from ransomware. It is usually carried out against computers connected to the internet, and if your antivirus or anti-malware subscription has expired you are a likely victim. These people lock your database or your computer and demand a fee. Good practice is to keep a backup of your data, because sometimes you cannot restore or recover a system once they have locked your database; with a backup you can simply wipe the machine and restore from it. Make sure you put your antivirus and anti-malware back in place. In other cases a system restore to a point before the system was affected will work; then you reinstall anti-malware, scan the system to make sure the infection is gone, and you are back to safe. Ransomware, then, is the use of malicious software to lock up your system and make you part with your money.

Polymorphic malware. "Poly" means many and "morphic" means to change form. With polymorphic malware, the authors design it so that every time it moves from one medium to another it changes form; it mutates, and over time it can mutate so much that an antivirus signature no longer recognizes it. The idea is to defeat the anti-malware solutions: the "DNA" of the malware is designed so that each copy has a different structure, while its behaviour stays the same, to avoid detection.

Armored viruses are viruses that use encryption: the encryption forms a shell around the malicious code so the anti-malware cannot scan the file's contents. While the virus is in that form your antivirus is helpless and cannot tell that the system is infected.

These are the many types of malware that could harm our networks and systems. Overall best practice is to have anti-malware and anti-spyware in place, practices to prevent adware, and to keep all of those solutions up to date. [/toggle_content]
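The spyware part of the lesson says anti-spyware finds tracking cookies for you. As an added example that is not part of the Cybrary lesson, here is the kind of check such a tool performs, written in Python over a constructed Netscape-format cookies.txt: a cookie is flagged when its domain is not one of the sites the user actually visited and it is set to outlive the session by a year or more. The domains, the visited-host list and the "now" timestamp are all made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed Netscape-format cookies.txt for this example (all domains are
# made up; the .test TLD is reserved for documentation and testing).
COOKIES_TXT = """\
# Netscape HTTP Cookie File
.example-shop.test\tTRUE\t/\tFALSE\t1735689600\tsession\tabc123
.example-shop.test\tTRUE\t/\tTRUE\t1767225600\tcart\txyz
.adtrack.test\tTRUE\t/\tFALSE\t2082758400\tuid\t9f8e7d6c
.metrics-cdn.test\tTRUE\t/\tFALSE\t2082758400\t_ga\tGA1.2.111
news.test\tFALSE\t/\tFALSE\t0\tprefs\tdark
"""

# Hosts the user actually typed into the address bar (constructed).
VISITED = ["www.example-shop.test", "news.test"]
# Fixed "current time" so the example is reproducible.
NOW = datetime(2015, 6, 1, tzinfo=timezone.utc)


def parse_cookies_txt(text):
    """Parse Netscape cookies.txt lines into dicts; comments and blank lines are skipped."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line; a real tool should log this
        domain, _flag, path, secure, expiry, name, value = fields
        cookies.append({
            "domain": domain.lstrip("."),  # leading dot means "and subdomains"
            "path": path,
            "secure": secure == "TRUE",
            "expiry": int(expiry),         # 0 means session cookie
            "name": name,
            "value": value,
        })
    return cookies


def is_first_party(cookie_domain, visited_hosts):
    """True if the cookie's domain is one of the visited hosts or a parent of one."""
    return any(h == cookie_domain or h.endswith("." + cookie_domain)
               for h in visited_hosts)


def find_tracking_cookies(text, visited_hosts, now, min_lifetime_days=365):
    """Flag third-party cookies that outlive the browsing session by a long margin."""
    flagged = []
    for c in parse_cookies_txt(text):
        if is_first_party(c["domain"], visited_hosts):
            continue
        if c["expiry"] == 0:
            continue  # session cookie: gone when the browser closes
        lifetime = datetime.fromtimestamp(c["expiry"], tz=timezone.utc) - now
        if lifetime >= timedelta(days=min_lifetime_days):
            flagged.append((c["domain"], c["name"]))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, name in find_tracking_cookies(COOKIES_TXT, VISITED, NOW):
        print(f"tracking cookie candidate: {name} from {domain}")
```

On a real machine Firefox keeps its cookies in cookies.sqlite (the moz_cookies table) rather than in a cookies.txt file, so the parser would read that instead; the first-party test is the part that carries over. The test is a heuristic: a long-lived cookie from a site's own CDN domain will be flagged too, which is why anti-spyware products also keep lists of known tracking domains.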
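The backdoor part of the lesson recommends removing developer backdoors before production, separating who writes code from who reviews it, and testing code for backdoors. As an added example that is not the lesson's own code, the Python below shows a login function with the kind of maintenance password a developer might leave in, the hardened version beside it, and a small review-time check that flags string literals assigned to credential-looking names. The user store, salt, iteration count, passwords and the reviewed snippet are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed user store for the example: username -> (salt, PBKDF2-SHA256 hash).
# The salt, password and iteration count are made up for illustration.
_SALT = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
_ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}

# --- Before: the developer's "maintenance" login left in the shipped code ---
MAINT_PASSWORD = "letmein-maint"   # the backdoor: accepted for every account


def login_with_backdoor(username: str, password: str) -> bool:
    if password == MAINT_PASSWORD:            # bypasses authentication entirely
        return True
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return _derive(password, salt) == stored  # '==' on bytes is not constant-time


# --- After: no bypass path; same cost for unknown users; constant-time compare ---
def login_hardened(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, (_SALT, None))
    candidate = _derive(password, salt)       # always do the work, even for unknown users
    if stored is None:
        return False
    return hmac.compare_digest(candidate, stored)


# --- Review-time check: flag string literals assigned to credential-looking names ---
_SECRET_ASSIGNMENT = re.compile(
    r'^\s*([A-Za-z_]*(?:pass(?:word)?|secret|token|key)[A-Za-z_]*)\s*=\s*["\'][^"\']+["\']',
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source: str) -> list:
    """Return the variable names in `source` that are assigned a literal secret."""
    return _SECRET_ASSIGNMENT.findall(source)


# Constructed snippet standing in for a file under review.
REVIEW_SAMPLE = '''
DB_HOST = "db01"
MAINT_PASSWORD = "letmein-maint"
api_token = 'sk_live_000000'
password = get_password_from_vault()   # not a literal, so not flagged
'''

if __name__ == "__main__":
    print(login_with_backdoor("bob", MAINT_PASSWORD))   # True: no such user, still in
    print(login_hardened("bob", MAINT_PASSWORD))        # False
    print(find_hardcoded_secrets(REVIEW_SAMPLE))        # ['MAINT_PASSWORD', 'api_token']
```

The pattern check only catches the obvious case. A backdoor can just as easily be an extra branch on a magic username, a leftover debug endpoint, or a comparison against a second stored hash, none of which a grep will find; that is why the lesson's separation-of-duties review is a human reading of the authentication path, not only a scan.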
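The lesson says a logic bomb is hard to spot without reading the code, and that trend analysis of when failures occur can point you at one. As an added example that is not from the lesson, the Python below runs that analysis over a constructed log: it groups ERROR entries by message and reports any message that keeps landing in the same day-of-month and hour slot. The service name, messages and timestamps are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: entries from a fictional batch service's log. The payroll
# export fails at 02:00 on the first of every month; the other errors are noise.
SAMPLE_LOG = """\
2015-01-01 02:00:03 batchsvc ERROR payroll export aborted: null pointer in ledger.c:412
2015-01-17 09:14:55 batchsvc WARN disk 91% full
2015-02-01 02:00:02 batchsvc ERROR payroll export aborted: null pointer in ledger.c:412
2015-02-23 11:30:10 batchsvc ERROR network timeout to db01
2015-03-01 02:00:04 batchsvc ERROR payroll export aborted: null pointer in ledger.c:412
2015-04-01 02:00:01 batchsvc ERROR payroll export aborted: null pointer in ledger.c:412
2015-04-19 15:02:40 batchsvc ERROR network timeout to db01
2015-05-01 02:00:03 batchsvc ERROR payroll export aborted: null pointer in ledger.c:412
"""


def parse_events(log_text):
    """Yield (timestamp, level, message) for each 'DATE TIME service LEVEL msg' line."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time_, _service, level, message = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, level, message))
    return events


def find_periodic_failures(log_text, min_events=3, threshold=0.8):
    """Report error messages whose occurrences cluster in one (day-of-month, hour) slot.

    threshold is the fraction of a message's occurrences that must fall in its
    most common slot; min_events avoids calling two coincidences a pattern.
    """
    by_message = defaultdict(list)
    for ts, level, message in parse_events(log_text):
        if level == "ERROR":
            by_message[message].append(ts)

    findings = []
    for message, stamps in by_message.items():
        if len(stamps) < min_events:
            continue
        slots = Counter((ts.day, ts.hour) for ts in stamps)
        (day, hour), count = slots.most_common(1)[0]
        share = count / len(stamps)
        if share >= threshold:
            findings.append({
                "message": message,
                "day": day,
                "hour": hour,
                "count": count,
                "total": len(stamps),
                "share": share,
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_failures(SAMPLE_LOG):
        print(f"{f['count']}/{f['total']} occurrences on day {f['day']} "
              f"at {f['hour']:02d}:00 -> {f['message']}")
```

A hit tells you where to look, not that a bomb exists: the next step is the job that runs in that slot, its cron or scheduled-task entry, and the recent changes to its code. A legitimately scheduled job with an ordinary bug produces exactly the same pattern, which is why the lesson's advice to read the code still applies once the trend analysis has narrowed the search.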