// Cybersecurity clarified.
2022-01-03 Dawid Farbaniec

Malicious programs are much more dangerous than computer viruses in a cybernetic world. These evil apps can steal, blackmail and even control infected machines remotely.

Virus Definition (Microbiology)

A virus in the sense of microbiology is the smallest of all microbes. This creature is a very interesting phenomenon because it can only live when attached to another living cell. The most characteristic feature of viruses is their replication. They attach to the cells of living organisms and replicate. Living organisms infected with viruses are called hosts. A virus is made up of genetic material (DNA or RNA) surrounded by a protective shell.

Definition of Computer Virus

Although the subject of computer viruses is somewhat shrouded in mystery, there is no magic to it. The term computer virus is certainly loaded with negative emotions. Computer viruses are credited with virtually everything, from stealing funds from internet wallets to deleting files and even damaging hardware. In fact, a traditional computer virus, just like a virus in biology, exists to replicate itself. Computer programs that destroy data, steal, blackmail or spy on us should instead be referred to as malware. A traditional computer virus requires a host "organism" to replicate; other programs are that host. A computer virus consists of code written by a programmer, usually a mechanism that searches for objects to infect (files) and a payload. A sample scenario might look like this: we run a program that is a computer virus. The application appends its code to the files it finds on the disk. An unaware user copies the infected files, for example to a USB flash drive, or sends them to other unaware people. Subsequent users then run the infected programs, which spreads the virus code even further. Let us return to the concept of payload.
The virus can carry code (a payload) that is launched after a certain condition is met, for example playing a tune from the speakers at a given time, or something more malicious, such as deleting user files.

How Does Antivirus Software Work?

The task of antivirus software is to detect threats and prevent the computer from being infected by viruses or malicious applications. To identify a threat, the antivirus program must contain the characteristics (signatures) of a malicious application. The antivirus can raise an alarm if, for example, it finds a piece of code in a program that is similar to the code of a known computer virus. There are also heuristic analysis techniques designed to recognize unknown threats. For this purpose, the antivirus program can, for example, run the program in a simulated environment, observe what changes it makes to the system, and on this basis mark it as malicious or not. Some may have encountered false positives from antivirus software: a false detection of malware in a legitimate program.

Funny Jokes and Cyber-Crime

Many young people are fascinated by computer viruses. In my school years, my friends and I liked to test various hacking programs, such as virus generators or remote control tools. There was no intent to destroy anything or to make money illegally. We were just happy when a colleague could control my computer, which we had infected for testing purposes. Unfortunately, not everyone stays ethical. Many crimes are committed by people associated with computer viruses and malware.

Adware

Adware means advertisement software. This type of software contains ads, but often these ads are not subtle. Applications of this kind can often be categorized as PUA (Potentially Unwanted Application). Sometimes adware is combined with spyware to log user activities.

Backdoor

The attacker may leave a hidden entrance in the system, which will allow him to access the compromised system or application in the future.
A backdoor can also be left by the author of a program, for example to spy on users.

Botnet

The term botnet can most simply be defined as a network of computers infected with malware that allows an evil hacker (there are good, ethical hackers too) to control the compromised machines. It is worth noting that if someone infected several computers, that is not yet a botnet. A small botnet begins when several hundred to several thousand machines are infected. History tells us that zombie computer armies have grown to millions of bots. For example, the Bredolab botnet compromised around 30 million machines. It follows that the intentions of the evil hacker differ when a Remote Access Trojan is used against fewer computers than during a mass infection. If an evil hacker takes control of fewer machines, he can afford to browse files manually or perform other individual actions. The harmful effects change, however, when it comes to tens of thousands of machines or more. It is then possible to efficiently execute a distributed denial of service (DDoS) attack, for example to take a specific website offline. A sales platform is the easiest example to imagine: turning the site off stops sales, which means no profit.

Crypter (Evader)

Crypters (or cryptors) are tools for evading detection by antivirus software. On black markets for non-ethical hackers there are programs or services that try to make the life of malware analysts harder. Programs of this type, once detected by the antivirus, require an immediate update. One thing is sure about crypters: they cause at least a small delay in analysis.

Cryptojacking (Miner)

Cryptocurrency is, in simple words, virtual money. Along with the growing popularity of cryptocurrency, malware has appeared whose purpose is to use the computing power of an infected machine to mine cryptocurrency.
These malicious miners can appear as executable files or even as scripts on infected websites.

Downloader

The label downloader is attached to malicious software that gets additional modules or payloads from the Internet. These applications are often used when the attacker needs, for example, a small executable file, with the large malicious modules downloaded later.

Dropper (Loader)

Imagine a dropper as a delivery man who carries a payload. After the dropper is executed, malicious modules are installed in the system. The carried payloads are often encrypted or obfuscated to evade detection by antivirus software. Two main types of droppers can be distinguished:
Exploit

Exploits are programs that break system or application security through a programming bug. There can be many types of bugs made by programmers. Some can give the attacker the ability to execute malicious code, others simply crash the vulnerable application. Attackers build exploit kits to target more vulnerabilities. It is very important for security to install software and system updates promptly. It is worth noting the term zero day: a zero day is a vulnerability for which the software author has not yet created a fix (patch). Exploits are powerful attack tools that can target operating systems, web browsers, document readers, etc. Machines can get infected, for example, by opening a malicious link in a web browser or opening a malicious document. So not only executable (*.exe) files are affected.

Fileless Malware

Fileless malware can execute malicious code without touching the hard drive. This technique can evade security software. All malicious code execution is performed in operating memory. How is this achieved? Often by using legitimate programs, for example PowerShell. PowerShell in Windows operating systems was designed to help administrators with their tasks through scripting. For typical antivirus software it is less suspicious when the legitimate PowerShell (built into the system) is run than when an executable dropped on the hard disk is run.

Form Grabber

The method called form grabbing is used to get login credentials and other sensitive data from online forms. Collecting data by web code injection allows the attacker to steal form values before they are encrypted (HTTPS) and sent to the server.

Hoax

Hoaxes are fake messages about new dangerous viruses or other emotional situations. Hoaxes can be about politics, penalties, serious diseases, etc.

Computer Joke

Computer jokes are connected with the VX scene and computer science lessons in schools. Some jokes are harmless and really funny. Others can be destructive or very irritating.

Keylogger

Programs called keyloggers are used for spying.
There are software keyloggers (programs) and hardware keyloggers (devices). The basic functionality of these applications is to log keystrokes and create reports. This way the attacker can get the victim's private conversations, passwords and everything else written on the computer keyboard. Advanced keyloggers take screenshots, record audio, record the webcam, monitor the system clipboard, etc. What about hardware keyloggers? A hardware keylogger can be installed as an adapter between the keyboard and the computer, or even built into the keyboard itself!

Logic Bomb

Logic bombs can be imagined as triggers. The program has a condition and when it is met, the payload is executed. These triggers can be based on the system date and time, a specific key press, the existence of a specific file, etc. Example logic bombs:
Potentially Unwanted Application (PUA)

Programs classified as PUA can install advertisement software (adware) or even spying software (spyware). These applications can track visited websites, show disturbing advertisements and download other junk.

Ransomware, Scareware, Doxware

A classic ransomware program locks important user files and forces the user to pay a ransom. Scareware tries to scare the user. Doxware threatens the user with publishing private data, for example photos. When ransomware uses symmetric encryption, the same key is used for encryption and decryption. Ransomware programs evolved to use asymmetric encryption, where the public key is used for encryption and the private key for decryption.

Remote Access Trojan

Tools called Remote Access Trojans, RATs for short, are a kind of backdoor, but more powerful and advanced. Functionality of a typical Remote Access Trojan:
Rootkit

Tools labeled rootkits are stealth mechanisms for malicious code. These programs can hide processes, files, registry entries and other objects in the infected system. There are user mode and kernel mode rootkits. Kernel mode modules are more dangerous and more difficult to detect. Notice that the Windows operating system architecture uses privilege levels called rings. Typical programs run in ring 3 (user mode). Device drivers run in ring 0 (kernel mode). Code in kernel mode is more privileged. Falsifying the results of system functions in kernel mode means that the results seen by user mode programs will also be false. For example, Task Manager will not show all running processes.

Spyware

Spyware applications are a type of software that spies on the computer user. These programs can collect information about visited websites, collect information on what the user is interested in, and even steal confidential data such as e-mail addresses, passwords or bank credentials.

Stealer

We live in a digital world. The more sensitive the data, the more valuable it is. Programs called information stealers get sensitive data from the infected computer and transfer this information to the attacker. A typical browser stealer just dumps passwords from the web browser and sends this data to the attacker via various media such as e-mail, a web panel, FTP, etc.

Worm

A traditional computer virus uses files (other programs) as the medium to replicate itself. An Internet worm, on the other hand, uses the network for replication and infection. It can scan devices for various vulnerabilities or try default passwords, hoping that the user has a weak password for the service.

Hack Tools

During my school years, I had the antivirus that saved me from committing a cyber-crime! Yes, antivirus software can detect hacking tools as malicious programs. Even when running a hacking tool does not infect the local system, the antivirus program marks the hacking tool as harmful. Hack tools are also called riskware.
In my opinion these warnings are a good idea. Example hack tools:
Sample Infection Scenarios

This chapter presents sample infection scenarios that may have occurred. Familiarizing ourselves with them will help us avoid these dangerous situations.

game_hack.exe

David is very fond of computer games. His friend Dominic persuaded him to look for a hacking program that would give him free extra points in a computer game. On the website of an anonymous hacker, they found a program that allows cheating in computer games. The file game_hack.exe was executed on David's computer. The program did not respond. David thought the application was broken. He deleted the file and forgot about it. After a few days, he wanted to open his e-mail inbox to check for new messages. The password he typed, which he was sure was correct, did not work.

What happened to David's computer? Non-ethical hackers often backdoor their own hacking tools. This causes novice hackers to get infected. Sometimes the hacking program comes with an instruction to turn off the antivirus, which makes the compromise easier.

Conclusion

Not every malicious program will be identified by antivirus software. Do not trust files downloaded from the Internet. When learning ethical hacking, use open source tools or execute suspicious programs in an isolated environment (virtual machine).

Not a Typical E-Mail

Eva is a nurse and a happy mother and wife. She is not an IT specialist. One day, she received an e-mail saying that she needed to change her Internet wallet password for security reasons. The e-mail contained a link with which the password could be changed. The entire password change procedure seemed correct. However, the next day her Internet wallet had been cleaned out.

What happened to Eva's computer? The e-mail was phishing. The link led to a fake website which grabbed Eva's login and password. Additionally, Eva's account did not have two-factor authentication enabled.

Conclusion

Whenever possible, we should enable two-factor authentication.
Then, when we try to log in, we will receive a special code through another medium, which protects against unauthorized login.

Malvertising

Dominic has just returned from school. He turned on the computer to play some computer game. However, all the games he had installed were boring to him. He started downloading a great car racing game. After a successful download, the game did not run: there was anti-piracy protection. Dominic started looking for a crack (illegal patch). After opening a site with cracks, a message was displayed on the computer screen. His files had been encrypted (locked). There was a message that he must pay a ransom to get his data back. He thought: how? I did not download any malicious program!

What happened to Dominic's computer? There was an exploit on the illegal website which executed malicious code. This way his computer was infected.

Conclusion

Website advertisements which contain malicious scripts can infect our machine. These malicious ad campaigns are called malvertising.

Pendrive

John was an office worker. A day like any other. He came to the office, left his coat in the cloakroom and went to the kitchen to make a coffee. While the coffee is brewing, John looks around and notices a flash drive on the floor. Probably one of the employees has lost it. The coffee is ready. John went to his office and plugged in the flash drive to check the data. A few weeks later, customer data leaked from the corporate server.

What happened to John's computer? John broke the security regulations and connected an unknown flash drive to a corporate computer. The flash drive was intentionally dropped there to infect the corporate network.

Conclusion

Unknown devices can break our system security or spy on us.

Summary

These are only sample scenarios. Attackers can be really inventive. Professional attacks are surprising and well planned.

Do not get VXed 🦠 and stay secure!
🛡️
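The "How Does Antivirus Software Work?" and "Crypter (Evader)" sections above describe three things at once: exact signatures of known samples, looser pattern matching, and heuristics that flag unknown programs (and produce false positives). The toy scanner below is an added example for this page, not the author's code and not any real antivirus engine. Every sample, hash and byte pattern in it is constructed for the demonstration, and the heuristic it uses (byte entropy, which rises when a file is packed or encrypted by a crypter) is a static one chosen for illustration, in place of the sandbox simulation the article mentions.

```python
import hashlib
import math
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Everything below is constructed for this example; no hash or pattern here
# corresponds to real malware.


@dataclass
class Signature:
    name: str
    sha256: Optional[str] = None            # exact match for one known sample
    pattern: Optional[re.Pattern] = None    # byte pattern with wildcards


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, encrypted or packed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes, signatures: List[Signature],
         entropy_threshold: float = 7.2) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Hash and pattern hits are definite ('malicious');
    the entropy heuristic alone only yields 'suspicious', which is exactly where
    false positives on legitimate packed installers come from."""
    reasons: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    for sig in signatures:
        if sig.sha256 and sig.sha256 == digest:
            reasons.append(f"hash match: {sig.name}")
        if sig.pattern and sig.pattern.search(data):
            reasons.append(f"pattern match: {sig.name}")
    if reasons:
        return "malicious", reasons
    ent = shannon_entropy(data)
    if ent > entropy_threshold:
        return "suspicious", [f"high entropy {ent:.2f} bits/byte (packed or crypted?)"]
    return "clean", reasons


# Constructed samples. KNOWN_SAMPLE is the "sample the lab already has";
# VARIANT_SAMPLE differs by a single byte, the kind of change a crypter or a
# rebuild makes; PACKED_SAMPLE is pseudo-random (deterministic) high-entropy data.
KNOWN_SAMPLE = b"MZ" + bytes(16) + b"EVIL\x90\x90\x90PAYLOAD" + b" demo v1"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")
PACKED_SAMPLE = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
CLEAN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 20

SIGNATURES = [
    # Exact hash: catches KNOWN_SAMPLE only; one changed byte defeats it.
    Signature("Demo.Sample.A", sha256=hashlib.sha256(KNOWN_SAMPLE).hexdigest()),
    # Wildcarded byte pattern: survives small edits such as the v1 -> v2 change.
    Signature("Demo.Family.Gen", pattern=re.compile(rb"EVIL.{3}PAYLOAD", re.DOTALL)),
]


if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                        ("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        verdict, why = scan(blob, SIGNATURES)
        print(f"{label:8s} -> {verdict:10s} {why}")
```

Running it shows the point of the crypter section: the variant misses the exact hash but is still caught by the family pattern, while the packed blob trips only the heuristic and would need sandbox analysis before anyone calls it malware.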