2.3 Given a scenario, detect, remove, and prevent malware using appropriate tools and methods.

  • Malware
    • Trojan
    • Rootkit
    • Virus
    • Spyware
    • Ransomware
    • Keylogger
    • Boot Sector Virus
    • Cryptominers
  • Tools and Methods
    • Recovery Mode
    • Antivirus
    • Anti-Malware
    • Software Firewalls
    • Anti-Phishing Training
    • User Education Regarding Common Threats
    • OS Reinstallation

Malware Types – Trojan

A trojan (Trojan horse) is malicious code disguised as, or hidden inside, a program that looks legitimate.  Unlike a virus or worm, a trojan does not spread on its own: a user must install and run it (and often grant it permission) before it can take effect.  Trojans have been hidden in toolbars, screensavers, games, cracked software, and other applications.

Examples of Trojans

  • FinFisher (FinSpy), which is marketed by Lench IT Solutions plc.  This trojan infects Windows computers and a range of mobile phone platforms.  It is delivered through e-mail, malicious links, and security flaws in popular programs, and many antivirus programs have been unable to detect it.

    FinFisher is sold to law enforcement agencies and dictatorships, some of which are accused of numerous human rights violations.

Malware Types – Rootkit

A rootkit is software that gives an attacker persistent, privileged (administrator or kernel level) access to a computer while hiding its own presence.  It does this by modifying the operating system, its libraries, or the firmware beneath it so that administrators and security tools see a falsified view of the system.

Rootkits are classified by the layer at which they run.  There are five types

  • Firmware.  A firmware rootkit hides inside device firmware (the BIOS/UEFI, or the firmware of a video card, router, network card, or hard drive controller).  Firmware is not normally scanned by (and is out of reach of) antivirus programs.  Manufacturers such as HP have introduced BIOS integrity features that check the BIOS firmware for changes, and UEFI Secure Boot can reject modified boot code, but a rootkit can still hide in other components such as the graphics card or hard drive firmware.

  • Virtual.  A virtual rootkit is also known as a hypervisor rootkit.  It installs a thin hypervisor beneath the original operating system, which then runs as a guest without knowing it.  Because the rootkit sits between the hardware and the operating system, it can intercept the operating system's privileged operations, much like a “man-in-the-middle” attack: the operating system believes that it is talking directly to the processor, but the rootkit is in between.  From that position it can capture keystrokes, network traffic, or memory contents and send what it collects to an attacker-controlled server.

  • Kernel.  A kernel rootkit runs with the highest privileges (the same privileges as the operating system) by replacing or hooking parts of the operating system core and device drivers.  Because it can alter what the kernel reports (process lists, files, registry keys, network connections), an antivirus program running on the same operating system can be lied to and may not detect it.  Detection usually relies on cross-view techniques (comparing what the operating system reports with what a lower-level probe finds), on scanning the disk from a clean boot environment, or on comparing a memory image against known-good kernel code.

  • Library.  A library-level rootkit replaces or patches legitimate operating system libraries (DLLs on Windows, shared objects on Linux), or hooks the functions inside them.  A library is a set of code/functions that applications reference (a software developer calls existing libraries so that they don’t have to rewrite thousands of lines of code).  When an application calls a function in a compromised library, the rootkit’s code runs too, and can filter what the application sees (for example, hiding a file name from a directory listing).

  • Application Level.  An application-level rootkit replaces individual application files (for example, a system utility) with trojaned versions.  It runs with the privileges of the application it replaced and does not touch the kernel, so it is the easiest type to detect and remove; the application may need to run at an elevated level to cause damage.
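The cross-view idea mentioned under kernel rootkits, as an added example that is not part of the original guide.  It assumes Linux and a rootkit that hides a process by filtering the /proc directory listing (what ps reads) but does not also hook kill(); tools such as unhide and rkhunter use the same trick.  The function names are my own.

```python
import os
from typing import Dict, Set

# Added example (not from the original guide): a "cross-view" check for
# processes hidden by a library- or kernel-level rootkit. A rootkit usually
# hides a process by filtering the /proc directory listing, but often forgets
# other paths that reveal the same PID, such as kill(pid, 0).
# Assumptions: Linux, and a rootkit that does not also hook kill().

def list_pids_via_proc() -> Set[int]:
    """The 'reported' view: PIDs as shown by the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_pids_via_kill(max_pid: int) -> Set[int]:
    """The 'probed' view: ask the kernel about every PID with kill(pid, 0).
    Signal 0 delivers nothing; it only checks whether the PID exists.
    PermissionError means the process exists but belongs to another user."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive

def is_thread(pid: int) -> bool:
    """kill() also answers for thread IDs, which /proc deliberately does not
    list. /proc/<tid>/status is still readable, and its Tgid differs from Pid."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"].strip()) != pid
    except (OSError, KeyError, ValueError):
        return False   # cannot even read status: keep it as a candidate

def cross_view_diff(reported: Set[int], probed: Set[int]) -> Dict[str, Set[int]]:
    """'hidden' PIDs answer kill() but are absent from /proc: the classic
    symptom of a rootkit filtering getdents(). 'vanished' PIDs appear in
    /proc but no longer answer kill(): usually a process that exited between
    the two scans, which is why scan_live() samples more than once."""
    return {"hidden": probed - reported, "vanished": reported - probed}

def scan_live(passes: int = 2) -> Set[int]:
    """Run the check on this machine. A PID must look hidden in every pass."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    hidden: Set[int] = set()
    for i in range(passes):
        diff = cross_view_diff(list_pids_via_proc(), probe_pids_via_kill(max_pid))
        hidden = diff["hidden"] if i == 0 else hidden & diff["hidden"]
    return {pid for pid in hidden if not is_thread(pid)}

if __name__ == "__main__":
    print("possibly hidden PIDs:", sorted(scan_live()))
```

A rootkit that hooks both the directory listing and kill() defeats this particular pair of views, which is why serious tools compare several views (including the raw kernel task list from a memory image) and why scanning from a clean boot medium remains the reliable fallback.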

Malware Types – Virus

A virus is unauthorized code that causes undesired activity.  A virus is not a standalone program; it attaches itself to a legitimate program (or document) and copies itself into others.  When the legitimate program runs, so does the virus.

Viruses typically infect executable programs.  Viruses can also infect documents, such as Microsoft Word documents or Microsoft Excel spreadsheets, through the macro language (VBA) those formats support.  These are known as macro viruses.  Current versions of Microsoft Office disable macros by default, and since 2022 Office blocks macros outright in documents that were downloaded from the internet (files carrying the Mark of the Web), so a user can open the document without the macro executing.

Some malware enters automatically by exploiting an unpatched vulnerability in the operating system or a network service (malware that spreads this way on its own is a worm).  More often, a user inadvertently introduces a virus by opening an e-mail attachment or by downloading and running a file from the internet.

The action that a virus performs is called the payload.  Payloads range from a simple nuisance to deleting files.  Viruses that infect industrial control systems can cause millions of dollars in damage.  Viruses that infect medical equipment can put lives at risk.

Malware Types – Spyware

Spyware is software that spies on a user’s activity.  Spyware can include keyloggers but can also include components that take screenshots or videos, activate the webcam or microphone, and/or copy files.

Malware Types – Ransomware

Crypto-malware and ransomware are closely related.  Crypto-malware is malicious software that encrypts data on a computer; ransomware is crypto-malware that then demands payment for the decryption key.

The malware is typically delivered through e-mail attachments, downloaded files, or exposed remote access (for example, Remote Desktop reachable from the internet with a weak password).  It usually encrypts user documents, videos, photos, and music, but leaves system files alone so that the computer still boots and can display the ransom note.

The distribution of crypto-malware is usually automated and indiscriminate, although people or organizations can be specifically targeted.  In a targeted (human-operated) intrusion, the attacker explores the network, often steals copies of the data, and looks at the victim’s finances before deploying the encryption.  At that point, he can make an assessment as to how high a ransom to charge.

After infection, the computer will continue to boot, but the user is informed that their files have been encrypted.  The malware instructs the user to pay a ransom to unlock the files.  The ransom must typically be paid in bitcoin or another cryptocurrency.

There are two types of crypto-malware

  • Crypto-malware that only pretends to encrypt the files.  It renames each file (changing the extension to something random) but does not encrypt the contents.  When the extension is changed back to the original, the files open normally.  This form is rare.

  • Crypto-malware that really encrypts the files.  Typically the files are encrypted with a symmetric key generated on the victim’s computer, and that key is then encrypted with the attacker’s public key or sent to the attacker’s server, so that only the attacker can release it.  The user receives the decryption key after paying the ransom.  Some forms of crypto-malware have no working decryption mechanism at all but still try to collect a ransom.
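A first-pass triage that tells the two types apart, as an added example that is not part of the original guide.  It assumes the analyst has copies of the affected files; the format signatures and the entropy threshold are mine, and the sample inputs are constructed rather than taken from a real incident.

```python
import math
from collections import Counter
from typing import Dict, Optional

# Added example (not from the original guide): triage of files found with a
# ransom extension. A file that was only renamed still begins with the magic
# bytes of its real format; data that was actually encrypted has no
# recognisable header and entropy close to the maximum of 8 bits per byte.

MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip (also .docx/.xlsx/.pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc/.xls/.ppt)",
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def identify_format(data: bytes) -> Optional[str]:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def triage(data: bytes, entropy_threshold: float = 7.5) -> Dict[str, object]:
    """'renamed_only': restore the extension and the file should open.
    'likely_encrypted': needs a backup, a published decryptor, or the key."""
    fmt = identify_format(data)
    h = shannon_entropy(data)
    if fmt is not None:
        verdict = "renamed_only"
    elif h >= entropy_threshold:
        verdict = "likely_encrypted"
    else:
        verdict = "unknown_low_entropy"   # plain text, or a format not in MAGIC
    return {"format": fmt, "entropy": round(h, 2), "verdict": verdict}

# Constructed samples: a "PDF" that was merely renamed, a stand-in for
# ciphertext (every byte value equally often, so entropy is exactly 8.0),
# and a plain-text ransom note.
RENAMED_PDF = b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 20
ENCRYPTED_BLOB = bytes(range(256)) * 8
TEXT_NOTE = b"Your files have been encrypted. Pay 2 BTC.\n" * 10

if __name__ == "__main__":
    for label, blob in [("report.pdf.locked", RENAMED_PDF),
                        ("photo.jpg.locked", ENCRYPTED_BLOB),
                        ("README.txt", TEXT_NOTE)]:
        print(label, triage(blob))
```

Treat “renamed_only” as a hint, not proof: some families encrypt only part of each file and leave the first bytes intact, so open the file (in a sandbox) to confirm before telling users their data is recoverable.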

How to prevent ransomware

  • Proper user education, so that users can recognise potential ransomware delivered via e-mail and do not open unusual attachments.

  • Block e-mail attachments that contain macro-enabled Microsoft Word and Excel documents (and enforce the macro block through Group Policy, so that a user cannot simply click “Enable Content”).

  • Regularly install Windows operating system security updates, and patch or turn off exposed remote-access services (Remote Desktop open to the internet is a common entry point).

  • Keep backups that the malware cannot reach (offline, or on storage the infected computer cannot overwrite), and test that they restore.
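A check a mail gateway could apply to the macro-document rule above, as an added example that is not part of the original guide.  It relies on a fact about the formats (Office Open XML files are ZIP archives, and a document with macros carries a vbaProject.bin part); the function names, extension lists, and sample files are mine, and the samples are constructed ZIPs rather than real documents.

```python
import io
import zipfile
from typing import Dict

# Added example (not from the original guide): a mail-gateway style check
# for Office attachments that carry VBA macros. Office Open XML files
# (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are ZIP archives, and a document
# contains macros when the archive holds a VBA project part, normally
# word/vbaProject.bin, xl/vbaProject.bin or ppt/vbaProject.bin. Inspecting
# the container rather than trusting the file name catches attachments that
# were given a misleading name or extension.

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}   # OLE2 binary formats
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

def contains_vba_project(data: bytes) -> bool:
    """True if `data` is an OOXML (ZIP) container with a VBA project inside."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether to block an attachment, and why."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if contains_vba_project(data):
        reason = "VBA project found inside OOXML container"
        if ext not in MACRO_EXTENSIONS:
            reason += f" although extension {ext or '(none)'} does not indicate macros"
        return {"block": True, "reason": reason}
    if ext in MACRO_EXTENSIONS:
        return {"block": True, "reason": "macro-enabled extension"}
    if data.startswith(OLE2_MAGIC) and ext in LEGACY_EXTENSIONS:
        # Legacy binary formats keep macros in OLE streams; parsing those
        # needs an OLE parser (e.g. oletools), so do not assume they are clean.
        return {"block": True, "reason": "legacy OLE2 Office file, macros cannot be ruled out"}
    return {"block": False, "reason": "no macro indicators"}

def build_sample(parts: Dict[str, bytes]) -> bytes:
    """Construct a minimal OOXML-like ZIP for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples
CLEAN_DOCX = build_sample({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>"})
MACRO_DOCM = build_sample({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>",
                           "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 8})

if __name__ == "__main__":
    for name, blob in [("report.docx", CLEAN_DOCX),
                       ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM)]:
        print(name, classify_attachment(name, blob))
```

The legacy .doc/.xls branch is deliberately conservative: without an OLE parser the gateway cannot see the macro streams, so it blocks rather than guesses.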

How to defeat ransomware once infected

  • Attempt to restore data from backup or from Volume Shadow Copy (the “previous versions” Windows keeps on the local disk).  This only works if the organization has backed up its data, and only the data that was backed up can be restored.  Shadow copies are not reliable against current ransomware, which deletes them (for example by running vssadmin delete shadows) before encrypting, which is why backups must be kept offline or on storage the infected machine cannot modify.

  • Attempt to decrypt the files.  Europol’s No More Ransom project and several security vendors publish free decryptors for ransomware families whose keys have been seized or whose encryption was implemented badly (for example, using a weak or predictable key that can be brute-forced).  Identify the family from the ransom note and the file extension before trying a decryptor.

  • Pay the ransom.  In earlier cases, it was almost certain that the attackers would (automatically or manually) provide the decryption key upon payment.  In more recent cases, this is not guaranteed: there are many copycat ransomware strains written by people with very little knowledge or infrastructure, and ransomware developers have franchised their operation (“ransomware as a service”) to affiliates and “script kiddies” who simply distribute the ransomware and collect payments.  There are also wipers put out by nation-states to cause political disruption that are disguised as ransomware; this type of malware only destroys data, and no payment will recover it.
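The shadow-copy deletion mentioned above is one of the few loud things ransomware does before encrypting, so it is worth a detection rule.  This is an added example, not part of the original guide: the command lines it matches are the well-known ones (vssadmin, wmic, bcdedit, wbadmin), but the rule names, the “key=value | key=value” log layout, and the log lines themselves are constructed for the example rather than taken from real telemetry.

```python
import re
from typing import Dict, List

# Added example (not from the original guide): detection logic for the
# "destroy the backups first" step that current ransomware performs before
# encrypting. The log lines are constructed to resemble the fields of a
# Windows 4688 / Sysmon Event ID 1 process-creation event, with a
# deliberately simple layout so the example runs offline without an event
# log parser.

RULES = [
    ("shadow_copy_delete",     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize",  re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",      re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",  re.compile(r"\bbcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_delete",  re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value | key=value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def match_rules(command_line: str) -> List[str]:
    return [name for name, pattern in RULES if pattern.search(command_line)]

def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per event whose CommandLine matches at least one rule.
    The parent image is carried along because it is the best triage signal:
    vssadmin launched by a backup agent is routine; launched by an executable
    in a user's Downloads folder (or by winword.exe) it is not."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        hits = match_rules(event.get("CommandLine", ""))
        if hits:
            alerts.append({"host": event.get("Host"), "user": event.get("User"),
                           "parent": event.get("ParentImage"), "rules": hits,
                           "command": event.get("CommandLine")})
    return alerts

SAMPLE_LOG = [   # constructed, not real telemetry
    r"Host=WS-042 | User=CORP\jsmith | ParentImage=C:\Windows\explorer.exe | CommandLine=notepad.exe C:\Users\jsmith\todo.txt",
    r"Host=WS-042 | User=CORP\jsmith | ParentImage=C:\Users\jsmith\Downloads\invoice.exe | CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r"Host=WS-042 | User=CORP\jsmith | ParentImage=C:\Users\jsmith\Downloads\invoice.exe | CommandLine=bcdedit /set {default} recoveryenabled No",
    r"Host=SRV-01 | User=CORP\backup_svc | ParentImage=C:\Program Files\BackupAgent\agent.exe | CommandLine=vssadmin.exe list shadows",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune on the parent process rather than suppressing the rule: administrators and backup software do legitimately delete or resize shadow storage, but they do not do it from an executable that arrived in an e-mail five minutes earlier.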

Malware Types – Keylogger

A keylogger records each key that a user presses.  It may also take screenshots, activate the webcam, or activate the microphone without the knowledge or consent of the user.

The keylogger reports all data back to a central source or records the data on the computer for further retrieval.  Data may be sent via

  • Email
  • FTP
  • Wireless/Bluetooth to a nearby receiver

A keylogger may have a legitimate purpose if it is installed by an employer (monitoring company computers) or by a law enforcement agency under a warrant.  Some antivirus programs will detect keyloggers created by law enforcement; others have been accused of deliberately ignoring them.

A keylogger may be used to invade the privacy of another person (stalking) or it may be used for financial gain (the logged data is analysed to obtain online banking passwords, e-mail passwords, etc.).

The keylogger may be introduced into a system through another type of malware such as a virus or trojan.

Whether a software keylogger can be detected by an antivirus program depends on where it runs.  Keyloggers that hook keyboard input from user mode (for example through a SetWindowsHookEx keyboard hook on Windows) are routinely detected; keyloggers that run in the operating system kernel or under a hypervisor may be undetectable from inside the operating system.

Keyloggers can also be hardware-based

  • Keyboard keylogger device (a small USB or PS/2 device that sits between the keyboard cable and the computer and stores keystrokes in its own memory).  A keyboard’s own circuitry can also be covertly modified to include a keylogger.

  • Wireless keyboard sniffer (a device that intercepts the radio signals between a wireless keyboard and its dongle; it works when the link is not encrypted or the encryption can be easily broken, a weakness that has been found in a number of inexpensive 2.4 GHz keyboards)

How to prevent keyloggers

  • It is difficult, if not impossible, to detect a hardware-based keylogger, especially one embedded in the device circuitry.  Keeping computer hardware physically secure (and periodically inspecting keyboard connections on sensitive machines) is the best defense.  In addition, multi-factor authentication keeps accounts secure even when usernames and passwords are captured.

  • Most software-based keyloggers are detectable by antivirus programs.  Some software-based keyloggers that take advantage of zero-day exploits or that operate at the firmware, kernel, or hypervisor level may not be.

Malware Types – Boot Sector Virus

A boot sector virus infects the boot sector of a disk (the master boot record, or the volume boot record of a partition), not the BIOS itself.  Because the BIOS loads and executes that sector before the operating system, the virus becomes the first thing that runs when the computer turns on, which lets it load ahead of the antivirus program and hide from it.  On modern UEFI systems the equivalent target is the boot loader on the EFI System Partition (a “bootkit”); UEFI Secure Boot exists to reject unsigned or modified boot code.
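An integrity check on the master boot record, as an added example that is not part of the original guide.  The layout it parses (440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA signature) is the standard MBR layout; the function names and the “clean” and “infected” sectors are constructed for the example, and the baseline hash is whatever was captured when the machine was known to be clean.

```python
import hashlib
import struct
from typing import Dict, List

# Added example (not from the original guide): parse a 512-byte master boot
# record and compare its bootstrap code against a known-good hash. A boot
# sector virus lives in that code (bytes 0-439) so that the BIOS runs it
# before the operating system; a changed hash with the partition table
# intact is the classic sign. On a real machine you would read the first
# 512 bytes of /dev/sda (Linux) or \\.\PhysicalDrive0 (Windows, as
# administrator), ideally from a clean boot medium so the infected OS
# cannot lie about what is on disk.

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code
DISK_SIG_OFFSET = 440         # 4-byte disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511

def parse_mbr(sector: bytes) -> Dict[str, object]:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions: List[Dict[str, object]] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack("<II", sector[off + 8:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> Dict[str, object]:
    """Compare the bootstrap code with the baseline captured on a clean system."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_sha256
    return info

def build_mbr(boot_code: bytes, disk_signature: int, partitions: List[tuple]) -> bytes:
    """Construct a sector for the demonstration.
    partitions: (bootable, type, lba_start, sector_count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = struct.pack("<I", disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        sector[off + 8:off + 16] = struct.pack("<II", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed stand-ins: "clean" bootstrap code, and the same disk after a
# boot sector virus overwrote the start of the code with a jump to its own
# body (stored elsewhere on disk), leaving the partition table untouched.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
INFECTED_CODE = b"\xeb\x5a\x90" + CLEAN_CODE[3:]
PARTITIONS = [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x1234ABCD, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_CODE, 0x1234ABCD, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean   modified:", check_mbr(CLEAN_MBR, BASELINE)["boot_code_modified"])
    print("infected modified:", check_mbr(INFECTED_MBR, BASELINE)["boot_code_modified"])
```

Store the baseline somewhere the machine cannot rewrite; a baseline kept on the same disk is exactly what a boot sector virus would patch next.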

Malware Types – Cryptominer

We mentioned bitcoin previously.  To obtain new bitcoins (or other cryptocurrencies), a miner runs mathematical calculations (proof-of-work hashing) on their computer.  These calculations consume a significant amount of processing power and electricity.  The process is known as cryptomining.

A cryptominer is malware that hijacks your computer and uses it for cryptomining.  If an attacker infects enough computers, they effectively get the resources of an entire data center for free, and the victims pay for the electricity.  The coins that are mined go to the attacker’s wallet.  The symptoms are high CPU (or GPU) usage, heat, fan noise, and a slow computer even when it is idle.

Cryptominers have also been embedded in web pages, including in advertisements.  If you visit some less reputable websites, one of those advertisements may start a JavaScript miner in your browser that runs for as long as the tab stays open (these browser miners typically mine Monero, which is designed to be mined on ordinary CPUs, rather than bitcoin).

Tools and Methods – Recovery Mode

If you didn’t listen to my advice, then your computer is probably infected.  But we can still help.

It may be possible to remove malware by reverting the system to a previous point in time.  Boot into Safe Mode or the Windows Recovery Environment (the “recovery mode” of the objective) so that the malware is not running, then use System Restore to go back to a restore point created when the malware was not present.  This only works if

  • A restore point from before the infection still exists.  Restore points are stored as Volume Shadow Copies, which many malware families (ransomware in particular) delete.

  • The malware did not also infect documents or files.  System Restore only reverts system files, installed programs, and the registry; it does not touch user documents, so infected or encrypted documents stay as they are.

  • The malware does not live below the operating system (in firmware or a boot sector), where System Restore cannot reach.

Tools and Methods – Antivirus

An antivirus program detects and removes viruses and other malware.  It can be a program that is installed permanently and runs in the background (real-time protection), or a “one-time use” removal tool designed to detect and remove one specific virus or family.

Antivirus programs detect malware by scanning files when they are created, downloaded, or opened, and by monitoring the behavior of running programs.  Most consumer antivirus programs are sold on a yearly subscription (the subscription must be renewed to continue receiving updates and protection).

Antivirus program can include other features such as

  • Web filter
  • SPAM filter
  • Firewall
  • Data backup tool

An antivirus program has two main methods of detecting viruses

  • Definitions.  A definition (signature) is a “fingerprint” of a known piece of malware, such as a hash of the file or a distinctive sequence of bytes inside it.  An antivirus program contains millions of definitions.  It checks each new file introduced into the computer against them.  If a file matches a definition, then the antivirus program knows that it has located malware (and which family it belongs to).

    To develop a definition, the antivirus vendor must first obtain a copy of the malware.  That means that some computers have already been infected by the time the definition exists.  Thus, definitions alone do not provide complete protection against viruses.

    A polymorphic virus is one that changes its own code each time it replicates, typically by encrypting its body with a new key and generating a different decryption routine, so that no two copies share the same bytes.  Its purpose is to evade definition-based detection.

  • Heuristics.  A heuristic is a rule (or, in newer products, a machine-learning model) that lets the antivirus program judge whether an unknown program is malicious from its characteristics and behavior rather than from an exact match.  For example, a program that attempts to modify critical system files, disable security software, or encrypt large numbers of documents in a short time is likely not legitimate.  Heuristics catch new malware that has no definition yet, at the cost of occasional false positives.

    The latest generation of antivirus programs shares data with the cloud.  For example, Norton Antivirus automatically collects data about suspicious applications from users.  This data is sent to a response center for further analysis, and Norton then updates all user installations with the results.  By sharing data with the cloud, the time between when a virus first appears and when the antivirus programs are able to detect it is reduced.
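The two kinds of definition described above, run over constructed samples, as an added example that is not part of the original guide.  The EICAR string is the industry’s harmless standard test file, which every engine is expected to flag; the “Demo.Stager” family, its two variants, and the rule names are made up for this example, and the pattern language (a regex over bytes with wildcard gaps) stands in for the richer signature languages, such as YARA, that real engines use.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Added example (not from the original guide): the two kinds of definition an
# antivirus engine keeps. A hash definition identifies one exact file; a
# byte-pattern definition with wildcard gaps survives the small changes a
# polymorphic virus makes between copies.

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Definition type 1: exact-file fingerprints (SHA-256 -> family name)
HASH_DEFINITIONS: Dict[str, str] = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}

# Definition type 2: byte patterns. ".{0,16}" is a wildcard gap, so the
# pattern still matches when padding or junk instructions are inserted
# around the fixed bytes. Real engines use a richer language (e.g. YARA).
PATTERN_DEFINITIONS: List[Tuple[str, re.Pattern]] = [
    ("EICAR-Test-File.generic", re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")),
    ("Demo.Stager.poly", re.compile(rb"\x55\x8b\xec.{0,16}DEMO_STAGE_2.{0,16}\xc3", re.S)),
]

def scan(data: bytes) -> Dict[str, object]:
    """Check a file against both definition types and return the verdict."""
    hash_hit: Optional[str] = HASH_DEFINITIONS.get(hashlib.sha256(data).hexdigest())
    pattern_hits = [name for name, pat in PATTERN_DEFINITIONS if pat.search(data)]
    verdict = "malicious" if hash_hit or pattern_hits else "no definition matched"
    return {"hash_hit": hash_hit, "pattern_hits": pattern_hits, "verdict": verdict}

# Constructed samples. The two stager variants carry the same payload with
# different padding, as a polymorphic virus would produce; EICAR_PADDED is
# the test file with one extra byte, enough to defeat the hash definition.
STAGER_A = b"\x55\x8b\xec" + b"\x90" * 2 + b"DEMO_STAGE_2" + b"\xc3"
STAGER_B = b"\x55\x8b\xec" + b"\x90\x90\x90\x90\x40\x48" + b"DEMO_STAGE_2" + b"\x90" * 5 + b"\xc3"
EICAR_PADDED = EICAR + b"\n"
CLEAN = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    for label, blob in [("eicar.com", EICAR), ("eicar_padded.com", EICAR_PADDED),
                        ("stager_a.bin", STAGER_A), ("stager_b.bin", STAGER_B),
                        ("clean.exe", CLEAN)]:
        print(label, scan(blob))
```

A fully polymorphic virus encrypts its whole body, so a pattern can only target the small decryption stub that has to stay in clear; that is the gap heuristics and emulation (running the sample in a sandbox until it decrypts itself) are meant to close.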

Anti-malware programs are like antivirus programs, but are able to detect additional types of malware (such as trojans, keyloggers, and spyware).  Most modern antivirus programs are, in practice, anti-malware programs.

Tools and Methods – Software Firewall

A firewall blocks unauthorized traffic.  A software (host-based) firewall, such as Windows Defender Firewall, runs on the computer itself and filters the traffic in and out of that one machine, whereas a network firewall protects the whole network.  A firewall might detect/block

  • A hacker trying to connect to a computer on a specific port or via an insecure protocol
  • A piece of spyware connecting to an external server (software firewalls can block outbound traffic per application)

A basic firewall won’t block

  • An e-mail attachment containing a virus (the mail connection itself is allowed)
  • An exploit of a security flaw in an operating system service that the firewall permits through
  • Malicious content inside encrypted traffic, which the firewall cannot read

We do want to be able to protect users from viruses hiding in encrypted content.  A next-generation firewall (the “third generation” of firewall design, after packet filters and stateful firewalls) performs deep inspection of the data entering the network.  It can be combined with an SSL/TLS inspection gateway that terminates and decrypts the traffic, which requires the gateway’s own CA certificate to be trusted on every client.  This allows us to inspect and block malicious content that was encrypted in transit, although applications that use certificate pinning will refuse the gateway’s certificate and must be exempted.

Tools and Methods – End User Education

The best way to prevent malware is to educate end users.  Some tips that we might provide include

  • Don’t open suspicious e-mail attachments
  • Don’t leave your computer unlocked
  • Don’t share sensitive information with external users
  • Don’t visit websites that are inappropriate or untrusted
  • Don’t connect USB devices that you find in the parking lot (researchers have tested this by scattering USB drives around a university campus; close to half of the drives were picked up, plugged into a computer, and had their files opened)
  • Don’t install programs from untrusted publishers
  • Back up your data regularly, and keep a copy that is not connected to the computer
  • Install updates regularly

Some of these tips can be enforced through group policy, security software, and/or Mobile Device Management.  End user education is only one layer in a multi-layer security strategy.

One way we can test our users is to send them simulated phishing e-mails and measure how many click the link or enter their credentials.  When a user responds to a simulated phishing e-mail, he is flagged for further training.

Education must be interesting and interactive, or else people won’t pay attention.

Tools and Methods – OS Reinstallation

If we can’t get rid of the malware, the last resort is to erase the computer and reinstall the operating system from known-good installation media (not from a recovery partition on the infected disk, which the malware may have modified).  Hopefully we have a backup of all the data and programs; the restored data should be scanned before it is trusted.

If the malware has infected the computer’s firmware (or the boot sector of a disk that was not wiped), then it won’t go away even after a full OS reinstallation.  The firmware must be reflashed from the manufacturer’s image, or the affected component replaced.