There are many ways attackers can infect your system with malware. In this video, you’ll learn about viruses, worms, botnets, and more.
If you’ve ever turned on your computer and received a message like this one that says, “Your computer has been locked,” then you’re probably a victim of ransomware. Ransomware is a type of malware that locks, or appears to lock, your computer. The attackers then request that you send them money in order to unlock your system.
The attackers are presenting a screen like this one, which might include an official logo. It might allege that you’ve done something illegal, and all you need to do is send them some money and they’ll be able to make all of this disappear.
Of course, none of this is true. This is not the Department of Justice, or Federal Bureau of Investigation. They did not detect you doing anything illegal on your system. They’re simply trying to put a barrier between you and your computer, and asking for money to have them remove that barrier.
In some cases, this particular locking of your system is not truly locking it. Instead, it’s putting up this nuisance page. And they’re providing you a way to remove the nuisance page. In some cases, you can remove this page yourself with proper antivirus or anti-malware software.
The attackers are realizing that people are becoming more aware of these fake ransomware messages, and they’ve taken their game up a notch. And they’ve created a new type of ransomware, called crypto-malware. This is the type of malware that does encrypt all of your files on your system. And the only way to receive the decryption key is to provide some type of payment to the attackers.
This is obviously a much more significant problem. Because you can’t simply remove the malware and gain access to your files. All of your files and documents and pictures and movies have been encrypted. The operating system, of course, is still running. Which allows you to see these messages appear on your screen. But all of your personal data has now been encrypted by the bad guys.
This encryption is incredibly powerful. You’re not able to brute force or guess what that decryption key might be. The only way to receive that decryption key is to send the bad guys some money, and hope that they send you back the decryption key.
One of the best ways to avoid any of this from occurring on your system is not only to run very good anti-malware software, but to make sure that you always have an offline version of your backup available. That way if someone does encrypt all of your files, you can simply copy over your saved files from your backup. And you can continue operating normally, without having to pay the bad guy any additional ransom.
One of the ways that malware and ransomware can get onto your system is by tricking you into running that software yourself. This is something called a Trojan horse. The name comes from the Greeks, who created a large wooden horse, hid inside of it, and then had that horse pushed inside the city of Troy. Just as the wooden horse was pretending to be a gift to the Trojans, Trojan horse software is software that pretends to be something else as well.
It may tout itself as a Microsoft Office download, or a game that you’d like to install. Once you install that software, you may or may not see the application you were expecting to see. But you were certainly infected with malware. This is something that can easily circumvent your existing security, because you, the end user, are the one running the software on your computer.
Once the malware begins to run, if it’s recognized by your anti-malware software, you can then stop that before it gets onto your system. But some Trojan horses will disable your antivirus and your anti-malware before they install, ensuring that they’re going to embed themselves onto your system. Once the malware is installed, it may download other types of malware that would allow the bad guys access into your system from the outside.
Some malware is simply put onto your system to watch what you’re doing. This is spyware. Spyware may be trying to present you with advertising. Or it may be waiting for you to log into your bank, or present a credit card number, and capture that personal information as well.
It’s not uncommon to use the Trojan horse method to be able to embed this spyware on a system. So you may be installing peer-to-peer software. You may be installing security software that appears to be real, but in fact, is fake security software. And that, ultimately, installs this malware onto your computer.
This malware is designed to watch your browsing habits, to see what websites you happen to visit. And in some cases, even capture the keys that you’re typing into your keyboard. So every time you put in a username and password, the spyware could be capturing that information and providing it to a third party.
Indeed, keyloggers can be a significant security concern. We type so much information into our keyboards, that capturing that information could provide a third party with personal details, bank information, or credit card information.
This would also provide details about what websites you visit, information that you put into emails, and so much more. These keyloggers capture everything that you’ve typed into the keyboard. So the attackers are able to go through an entire day’s worth of information to see not only what you may have typed into a website, but what emails you may have sent as well.
Of course, any communication you make when you’re purchasing things online or visiting a bank account is all done with encrypted protocols over the network. But keyloggers are grabbing this information at the keyboard, before that encryption takes place. So even though your network may be very secure, the keylogger is able to see all of that information before it’s sent across the network.
There are also specialized keyloggers that capture more than just what you’re typing into the keyboard. They may capture everything you send to the clipboard. They may be taking a screenshot of your system every minute.
It also might gather instant messaging or search engine queries. These keyloggers can provide a lot of details back to the attackers. And they can use that information against you.
Here’s what’s gathered with a keylogger. I have Notepad running in the background here, and I’ve typed in username and password information in the Notepad application. In this DarkComet keylogger, you can see the logs of what was typed into my keyboard.
In fact, it documented that in an untitled Notepad document at a particular time, I typed in the username: professormesser, and password: not a real password. It even recognized when I put a space and then a backspace and finished the password. This log file would then be automatically sent to a third party, and they’d be able to see everything you typed in while that keylogger was running.
Another rather serious type of malware is a rootkit. The term rootkit comes from the term “root” in the Unix operating system, where the root user is the super user, or the administrator of the system. Rootkits are different than other types of malware, because they’re modifying the kernel of the operating system itself. It’s not running as an application in the operating system. It effectively is part of the operating system, which makes it extremely dangerous. Because now it has complete control of the operating system.
Not only does it have this level of control, but because it’s part of the OS, it also is relatively invisible to the rest of the system. So if you were to open Task Manager in Windows, you would not see a separate executable or a separate piece of malware running as a separate task, because it’s part of the operating system itself.
This also means that the rootkit becomes invisible to virus and anti-malware software. So it becomes incredibly difficult to identify that a rootkit is even running. Fortunately, rootkits are relatively rare. But if one is identified, the industry acts very quickly to produce security patches that remove that rootkit from the operating system.
A virus is a generic term for malware that spreads with user intervention. You run an executable on your system, and the virus is embedded inside of that executable. And it now begins running on your system.
For that virus to now move to other systems, you would need to execute that virus on those separate systems as well. A virus can also reproduce itself through file systems or the network. Since many times we’re running executables across the network, it’s very common to have viruses use that network to be able to move from system to system. A single executable can be put on a shared file, and different people running that executable would then infect their own systems.
Some viruses run behind the scenes, like spyware. And other viruses are designed to attack your system, delete files, and create problems for the operating system. This is why running antivirus software on your computer is a best practice. There are thousands of new viruses created every week. So you have to make sure that you have the latest signatures for your antivirus software, to make sure that your system remains safe.
A virus that embeds itself as part of an executable is a program virus. It simply piggybacks itself onto the executable. And when the executable is run, the virus is also run. Another type of virus is one that can exist in the boot sector of an operating system, so you don’t have to manually run an executable. All you have to do is simply start your operating system, and the virus will also execute.
Most viruses need some type of human intervention to get the virus started and running on a particular computer. But there are some types of viruses that need no human intervention at all. These viruses are categorized as worms.
Worms are able to self-replicate from system to system, without needing any human to interact with those computers. This can obviously be a significant problem, because worms are able to use our high-speed networks to propagate very quickly between systems. These worms are so fast and so prevalent that you could plug in an unpatched system that is accessible from the internet, and that system would be infected in a matter of minutes.
Fortunately, worms are relatively uncommon. And usually, we can create signatures to look for these worms coming through the network, that we can then embed into an IPS to prevent that traffic from coming to the inside of your network. Of course, once the worm is inside the network, it’s also free to move from system to system. So you have to make sure that you keep all of your anti-malware updated with the latest signatures.
An example of a worm that installs ransomware on systems is the WannaCry worm. WannaCry starts on a system that is already infected. And that system begins looking across the internet to see what other devices may be available.
If it finds a system that is susceptible to a particular vulnerability, it can then be exploited. WannaCry uses a type of exploit called EternalBlue to be able to gain access to these systems. Once EternalBlue is installed onto these systems, it downloads the malware and installs WannaCry onto that operating system.
Then the process simply repeats itself. That computer now looks for other devices. And it begins installing the software on those. And the process repeats again. This process will continue to repeat itself until you patch the operating systems, or block this traffic on the network.
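The following added example, not part of the original transcript, shows one way a defender could spot the look-for-other-devices pattern described above in network flow records: one host contacting many different machines on the same service in a short time. It relies on the fact that EternalBlue targets SMB on TCP port 445; the log format, window, threshold and sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # EternalBlue targets SMB, which listens on TCP 445
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed: distinct SMB destinations that trigger an alert

# Constructed sample flow records: "timestamp source destination dest_port"
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 10.0.0.9 10.0.0.2 445
2024-05-01T09:00:01 10.0.0.5 10.0.0.10 445
2024-05-01T09:00:02 10.0.0.5 10.0.0.11 445
2024-05-01T09:00:03 10.0.0.5 10.0.0.12 445
2024-05-01T09:00:04 10.0.0.5 10.0.0.13 445
2024-05-01T09:00:05 10.0.0.5 10.0.0.14 445
2024-05-01T09:00:06 10.0.0.5 10.0.0.15 445
2024-05-01T09:00:30 10.0.0.9 10.0.0.2 445
2024-05-01T09:00:40 10.0.0.8 192.0.2.10 443
2024-05-01T09:05:00 10.0.0.7 10.0.0.2 445
2024-05-01T09:15:00 10.0.0.7 10.0.0.3 445
"""

def parse_flows(text):
    """Parse flow lines into sorted (time, src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:  # wrong field count, bad timestamp or bad port
            continue
    return sorted(flows)

def find_smb_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {source: peak distinct SMB destinations in any window} for sources at or over threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        start = peak = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts
```

Calling `find_smb_scanners(parse_flows(SAMPLE_FLOWS))` flags only 10.0.0.5; the workstation that keeps returning to one file server and the host that reaches two servers ten minutes apart stay below the threshold.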
Sometimes the malware that gets installed onto your system is not trying to delete your files, or encrypt any of your data. Instead, it wants to turn your system into a robot. This is a type of malware called a botnet. An interesting part about this botnet software is that you may have no idea that your system is infected, or that it’s performing any of these automated functions as part of this larger botnet.
Botnets can be installed with worms, with other viruses, with a Trojan horse, or any other method that it can use to execute that malware on your computer. Once the botnet malware is installed onto your system, it usually sits and waits for instructions from some other third party. A third party will then communicate to the botnet, and tell it to participate in a denial of service, send out a series of emails, or anything else that the third party wants your system to do using that botnet software.
If you want to see botnet communication in real time across the internet, you can go out to map.lookingglasscyber.com and see a real-time map showing the botnet communications that are occurring right now over the internet.