With October being Cyber Security Awareness Month, we thought we’d talk about common types of malware, and let you know about some emerging threats in the security landscape. We continuously strive to 'arm' our readers with the latest information about new attack methods and techniques so that they can be ready to make informed decisions about how to best protect their environments.
Malware, short for malicious software, is basically any software on a system that is not installed intentionally by the user / administrator. Malware behavior can range from being a simple annoyance, like causing advertising to pop-up, to actions which are much more damaging, like stealing passwords and data or infecting other machines on the network.
According to Verizon’s 2016 Data Breach Investigations Report (DBIR), the nine major security incident classification categories are: web application attacks, point-of-sale intrusions, insider and privilege misuse, miscellaneous errors, physical theft and loss, crimeware, payment card skimmers, cyber-espionage, and denial of service attacks. The 2016 report analyzed 64,199 incidents, of which 2260 were data breaches. Financial gain was far and away the most common motivation for attacks, with 89% of breaches having a financial or espionage motive. Malware was involved in the vast majority of these attacks.
With malware playing such a significant role in breaches, knowing how to detect infections can be very valuable – especially for incident responders. There are many different types of malware in the threat landscape, and in this blog, we’ll discuss their characteristics, infection methods and potential impact. Although new types of malware are constantly under development, they will generally fall under a few broad categories:
Viruses & Worms
A virus consists of harmful programs designed to infect legitimate software programs. Once a person installs and runs the infected program, the virus activates and spreads itself to other programs installed on the computer before taking further malicious action like deleting critical files within the operating system. Similarly, worms are stand-alone programs that are able to transmit themselves across a network directly. Unlike a computer virus, a worm does not need to attach itself to an existing program. However, both worms and viruses can cause severe damage to systems because they are able to exploit shared files and databases.
Another common type of malware is a Trojan Horse. Similar to the Greek myth, Trojans present themselves as harmless, useful gifts in order to persuade victims to install them on their computers. While Trojans typically appear to be regular software, they are often bundled with other software that can introduce backdoors allowing unauthorized access to your computer. Trojans do not attempt to inject themselves into other files or applications like computer viruses do; instead, they use tactics such as drive-by downloads or installing via online games in order to reach their targets. According to the 2016 DBIR, banking Trojans were a critical component in the majority of all crimeware incidents (e.g. Zeus, Dyre, and Dridex).
Shadyware, PUPs, Adware and Keyloggers
The next type of malware that we’re going to talk about is “shadyware”. Although these types of malware do not technically fit into the virus category because they are identified as “potentially undesirable processes” (PUPs), they may still invade your privacy, contain malicious code, or at the very least become a nuisance.
Adware is a form of financially-supported malware that usually presents itself in the form of unwanted advertisements displayed to a user. The Internet is filled with these types of programs that can hijack your PC for profit. Most of them are hidden inside so-called “free” downloads and pop-up ads that forcibly install software on systems with active vulnerabilities.
Similarly, spyware/keyloggers constitute another type of malware that surreptitiously collects information and transmits it to interested parties. Information gathered includes websites visited, browser and system information and IP address. Spyware does not have any infection mechanisms and is usually dropped by a Trojan. Once dropped, it installs itself on the victim’s computer and then begins collecting information silently so as to avoid detection. The use of keyloggers, a spyware variant that records the keys pressed by a user, is especially common in web app attacks and POS intrusions.
Quick tip: To better secure web apps, assume that your users might have already been infected with a keylogger, and use multi-factor authentication (MFA) as much as possible. MFA is a simple best practice that adds an extra layer of protection on top of your user name and password. It typically requires a second form of verification, such as entering a text message code, answering a phone call, answering a security question, etc.
The 2016 DBIR authors note that they’ve seen an evolution from simple keyloggers to more sophisticated RAM scrapers. RAM scraping is an old technique that has been given new life as a tool for stealing payment information from compromised point-of-sale (POS) systems. Successful examples of this include the well-known Target and Home Depot breaches, but POS compromises remain an ongoing problem. RAM scraping malware exploits a weakness in the transaction process where data is stored unencrypted in system memory for just a couple of milliseconds. RAM scrapers use this minute window of time to grab card data during each transaction and save it as a .txt file for exfiltration at a later date.
Botnets/bots work in a way that is similar to spyware in reporting back. The difference is that malware that turns a computer into a bot does not usually collect information like spyware does. Instead, it just sits there waiting until it receives commands from a command-and-control server (C2) controlled by the attacker. Attackers typically exploit security vulnerabilities to infect tens of thousands of computers or other devices to turn them into bots. When the server issues commands to the whole botnet, every bot simultaneously sends network requests to a target host, overwhelming it with traffic. This is also known as a DDoS or distributed denial of service attack. In September 2016, Brian Krebs’ website was taken down by the largest DDoS attack on record, launched by Mirai, a huge botnet of internet-connected devices. Recent attacks against Twitter, Spotify, the NY Times and other major sites have also been attributed to the same botnet, and data from our Open Threat Exchange (OTX) suggests that such attacks may be just the tip of the IoT botnet threat iceberg.
Backdoor attacks use infection tactics similar to those of botnet/C2 attacks, often relying on watering hole attacks and other methods to compromise systems. They are used to secure unauthorized remote access to a computer or to obtain access to plaintext in cryptographic systems. This type of attack bypasses normal authentication in a product by exploiting a vulnerability or by leveraging a previously-installed backdoor program. In many cases, programs with unpatched security vulnerabilities, like a website’s content management system, can become the vector for backdoor attacks.
The biggest change to the malware landscape in the past few years has been the emergence of ransomware and ransomware-as-a-service (RaaS). Ransomware uses spam, social engineering, drive-by download and malvertising as infection methods. It basically locks up the files on a computer and holds them for ransom, usually to be paid in bitcoin. Ransomware falls under the “crimeware” category in the Verizon report, which cites 7,951 total crimeware incidents in 2015 (and 6,858 additional instances where crimeware was the secondary motivation in the survey), and 49 with confirmed data disclosure. According to the report, “When the functionality of the malware was known, C2, ransomware, spyware/keyloggers, and backdoor and export data were the top five functionalities” behind incidents in the crimeware category. Cerber, a ransomware-type malware that infiltrates systems, is an interesting RaaS case: it is thought that the authors of Cerber take a 40% cut of their customers’ earnings from the software. It basically enables even technically illiterate criminals to leverage ransomware for profit.
Tip: Don’t click on email attachments from a sender that you didn’t expect an attachment from. Instead, pick up the phone and ask them if they sent it.
With so many different types of threats out there, what can you do to protect your system from malware infection? There are, of course, some basic defenses that you can deploy:
- Running antivirus, anti-malware and anti-exploit tools regularly
- Keeping your firewall rules up-to-date
- Using strong passwords/passphrases
- Disabling auto-run applications
- Conducting traffic analysis
- Securing email usage and filtering out spam emails
- Removing software you don’t use (especially legacy programs)
- Thinking before you click
However, preventative security can only go so far, so you also need to be vigilant about detecting potential issues. With so many threats to address, risks to calculate and systems to rectify, the only effective way to handle the deluge of threats is to adopt a just-in-time approach: focus on discovering when things are becoming an issue and then respond to particular situations and rectify them at that time.
By using built-in security capabilities like asset discovery, inventory, vulnerability assessment and host- and network-intrusion detection and more, AlienVault® Unified Security Management (USM)™ provides accurate, timely and comprehensive detection of malware infection and system compromise so you can focus on the threats that matter. Additionally, AlienVault's Open Threat Exchange (OTX) is the largest collaborative threat intelligence sharing system. OTX provides real-time, actionable information and tools to learn about the latest threats and defensive tactics. Test drive AlienVault for yourself today to see how it can help with malware detection!