Malware – CompTIA A+ 220-1102 – 2.3

Attackers have many different ways to infiltrate our systems. In this video, you’ll learn about Trojan Horses, rootkits, keyloggers, ransomware, cryptominers, and more.

If your computer’s ever been infected with malware, you know what a bad experience it can be. We often tell you that you should have antivirus and anti-malware software on your computer. And even your browser might be able to warn you if you visit a site that could potentially contain malware. But of course, there’s not just a single type of malware. There’s many different flavors of malware.

Some are able to capture keystrokes and gather private information from you. Some of them can coordinate together to work as a large group of devices. You might also have advertising and other popups display on your screen. And of course, these could be viruses and worms that encrypt or delete information from your computer. There’s many different types of malware. And they work very differently to infect and cause problems on your system.

We will look at a number of these in this video, and break down what the differences might be between all of these different forms of malware. Malware authors are very good at what they do. They spend a lot of time trying to find vulnerabilities that might exist in applications or operating systems. And they use those vulnerabilities to get their software running on your computer.

Once malware gets on your computer, it’s very common for it to start downloading even more malware and setting up other ways to get into your system, such as a remote access backdoor. This might lead to a bot being installed onto your system and it effectively gives the malware author complete access to your system. This is one of the reasons we often tell you to make sure your system is always updated with the latest set of security patches to ensure that none of these vulnerabilities can be exploited by a third party.

If your system is patched, that means that you are going to be the weakest link in this scenario. It’s very easy to have malware installed if you click a link in your email or click a pop up that might be on a web page. Or you might be browsing a website that downloads a file to your system, and from that point on you might want to click that file to see exactly what it does. In some cases, you have no control over this and it’s a worm that’s able to hop between systems without having any type of human intervention.

To best protect against all of these types of malware, you want to be sure to keep your operating system up to date with the latest security patches, continue to maintain and run your antivirus and anti-malware software, and make sure that all of your applications are up to date. You may have to visit the publisher of the applications to make sure that you’re running the latest version.

One type of malware is a Trojan Horse. This was named after the Trojan Horse that Greeks used to capture the city of Troy from the Trojans themselves. They used a large physical horse to be able to get into the gates of Troy. On your system, the Trojan Horse is software that appears to be one thing, but in reality behind the scenes is actually malware. This might be a link in an email that says click here for a funny video I found of yourself, or you might be on a website that says download the software to run this utility for your operating system.

But in reality it’s not a utility, it’s a piece of malware and it is disguised itself as a Trojan Horse. If you double click this Trojan Horse software and execute this program, it now has effectively circumvented all of the security that you had in place. Hopefully, the last thing that can protect you is your antivirus or anti-malware software which hopefully will be up to date to be able to recognize this Trojan Horse and prevent it from executing on your system.

If this application does get by your anti-malware software, then it is now embedded onto your system and it can begin downloading other software from a third party or performing any type of function that it would like in your operating system. Another type of malware that thankfully is becoming much less common is called a rootkit. This was originally a technique used in Unix, and that’s where we get the name root in rootkit. Because in Linux and Unix, the root is the Super User on the system.

One of the key characteristics of rootkits is that they embed themselves deep in the operating system. In some cases, so deep that it’s very difficult to identify that the rootkit is even installed in the system. It’s not unusual for rootkits to embed themselves within the kernel of the operating system itself, turning it into a core piece of the OS. And because it is part of the kernel, it’s able to hide from other applications that may be running on top of this operating system.

So even if you’re running anti-malware software, that software would have no idea that a rootkit is installed on your system. This means if you perform a scan of your system, your antivirus or anti-malware software will tell you your system is perfectly clean, and there’s nothing to worry about. Although it may be difficult to find a rootkit using your antivirus software, you may still notice things happening in the operating system that seem unusual or out of place.

In those cases, it might give you a clue that there’s software running on your system that might be malicious. If you have identified the type of rootkit that might be installed on your computer, then you might be able to use a third party removal utility that is specifically built for this type of rootkit. These are usually built after a rootkit is discovered, and it’s something that everyone can use to either check or remove a rootkit that’s on their system.

Many of the reasons you don’t see rootkits on systems today is that we’ve created a series of security controls built into the BIOS of our computers. If you’re running a UEFI BIOS, you have a functionality called secure boot. Secure boot checks the operating system files and the core kernel of your OS to ensure that nothing has changed, and that there’s no malware or rootkit that’s been installed without your knowledge.

We often use the term computer virus as a very general term to describe malware that may be running on our system. A virus is probably one of the most popular forms of malware that can be installed in our system. A virus is effectively malware that can replicate itself from computer to computer. It needs human intervention to be able to make this happen. But unfortunately, humans are all too good at clicking or double clicking to launch applications that perhaps they should not be running.

Once you double click this virus and it’s executing on your computer, it can then jump to other systems, either through the network or through other removable drives that you might have connected to your computer. Although there are some viruses that don’t tend to do anything on your system, the vast majority of viruses create problems with displays, performance, and other issues in your operating system.

This is why we often say to have antivirus or anti-malware software running on your system, and to keep the signatures for that software always up to date. When you start your computer the antivirus software automatically starts along with the operating system. And when you log in, that antivirus software is constantly protecting you against malicious software. But what if the malicious software was able to circumvent the operating system and avoid any detection by your antivirus software?

One type of malicious code that does this is a boot sector virus. The virus itself is part of the boot sector. So every time you start your system, that virus is automatically loaded from the boot sector on your drive. This means the malicious software is already running when your operating system begins, and your antivirus software doesn’t have a way to prevent that software from executing. Even if you were able to clean this virus or malware out of memory, the next time you rebooted your system, the malware would simply load itself again from the boot sector.

And again, one of the reasons you don’t see a lot of boot sector viruses these days is we’ve created protections against boot sector viruses in our UEFI BIOS. That same secure boot process that’s protecting you against rootkits is also protecting you against boot sector viruses. So you want to be sure that your system is using a UEFI BIOS, and that you’ve enabled secure boot in the configuration of that BIOS.

Another type of malware that’s very good at stealing your personal information is spyware. Spyware may sit on your system and provide advertising, it may wait for you to type in information about your bank accounts, or it may cause you to click on links that normally you would never click on. It’s not uncommon for this spyware to become installed on your system as a Trojan Horse.

It poses as peer to peer software, a streaming media server, maybe it appears to be some fake security software, and encourages you to install it. And once you install that software, you’re now running spyware on your computer. This can monitor your browsing habits it can see what websites you happen to visit and What you’re typing in at those websites by using a keylogger. So you might visit your bank’s website and type in a username and password to log in.

Everything that you’ve just done, including what’s on the screen and the information, you’ve typed in has now been sent to the attacker who’s managing this spyware. Keyloggers are an especially nasty form of spyware because they’re constantly storing everything that you type in at your keyboard, they take screenshots of the information that’s on your screen, and they check to see where you’re clicking on the screen. And they store all of that information and then send it to the attacker.

Imagine having all of your logins to a file server, your bank, and any other resource, all saved and sent to a third party who now has access to all of your accounts. This obviously circumvents any encryption that you may be using across the network. So even if you’re using HTTPS to encrypt to a web server, or you’re encrypting everything across the network using a VPN, the spyware and keylogger has already captured your keystrokes before that information is sent across the network.

And of course it doesn’t stop with just your keystrokes. The software may be capturing information that’s in your clipboard, perhaps information that you’re logging to the screen, instant messaging, or text messages, and anything that you’re typing in on your browser. Here’s what a keylogger looks like on the user side and on the attacker’s side. On the user side, I might have opened up a copy of Notepad and then started typing information into an empty notepad screen.

So I typed in username, Professor Messer, and my password is not a real password. This is what I would see on my desktop. But behind the scenes, a keylogger has captured all of this information. This keylogger is from a remote access Trojan called Dark Comet. And this is what the attacker would see on their side. They’d see that I opened up a documents, I started an untitled notepad session, I typed in username Professor Messer, I then typed in password not space, a real password but notice I did a backspace so that would be all one word, and then I hit Escape.

You can see that every keystroke I typed, even if I made a typo, and hit the Backspace was all recorded. And now the attacker has access to all of this information. A particularly nasty form of malware exists as ransomware. Instead of monitoring your keystrokes or presenting advertising on your screen, it instead encrypts all of the personal data that you have on your system.

So now all of the word processing documents, spreadsheets, pictures, music, and anything else that’s in your Documents folder is now encrypted and unavailable to you. The attackers are more than happy to provide you with the decryption key that will unlock all of your personal files, as long as you’re willing to send them money. Usually, this is through a cryptocurrency or some other untraceable method.

If you do find that ransomware is encrypted all of your personal files, instead of sending the attackers money, you can simply just delete everything that’s on your computer, which effectively cleans away the ransomware, and then you can restore from a known good backup. Some types of cryptocurrency require you to perform a series of tasks to be able to mine that cryptocurrency or earn different pieces of that cryptocurrency. This is usually based around a very difficult math problem dealing with prime numbers.

This means the process of mining this cryptocurrency requires a great deal of CPU resources. In most cases, a single CPU isn’t enough. You have to have multiple CPUs. And in some cases, multiple types of specialized CPUs to be able to properly crypto mine. You might already be thinking that this is a perfect opportunity for an attacker who could take over multiple systems and begin crypto mining across all of those different systems simultaneously.

This is exactly what happens if you visit a website that might have already been infected with some crypto mining software, and you’ll notice that you visit the website and your CPU utilization suddenly goes through the roof. This can also happen if you’ve installed some spyware or malware that has a crypto miner built into it and it may begin performing crypto mining on your own computer using the software that’s installed on your system.

Although this type of software doesn’t necessarily damage any data that’s on your system, it can create significant performance problems. And the only way to resolve it is to remove this crypto mining software from your system.