In this weeks post I will go over the basics of malware: what they are, how they are detected and what we can do in response. This information will be important in understanding next weeks post which will be on phishing and the other most common ways attackers compromise our systems and data. I’ll also be touching on backups and why they are so critical in regards to malware, especially ransomware.
When I use the term ‘malware’, what I’m really referring to is a lot of different things all at once. Malware, as you can probably tell from it’s name is software(ware) with malicious(mal) intent. Here are a few of the most common variations you might have heard of:
Viruses: User executed code that self replicates and leads to further exploitation and/or system damage. Often unsafely downloaded content will have virus code added in to infect your system when you access it. Some viruses are designed to delete all your files. Some are designed to let the attacker have remote access to your system and data.
Worms: Code that spreads on it’s own, often with no other purpose but to spread. Often spread through email attachments, once the worm code is accessed, can automatically send itself to all your email contacts as in the ILOVEYOU worm.
Trojans: Malware that disguises itself as a legit application that when installed exploits the host. Can be used for many purposes but usually for installing a back door allowing unlimited remote access to your system by attackers.
Ransomware: The most commonly discussed of this type of malware are CryptoLocker and CryptoWall. This code encrypts all your personal data with the RSA-2048 algorithm(which uses keys that are 2,048 bits long) and offering to decrypt it if you pay them. In most cases data encrypted but ransomware is irrecoverable. This is where backups become very important.
Spyware: This is software that runs silently in the background and silently exists to collect and send personal information, browsing habits, and private data to a remote destination.
Adware: Malware that usually gets packaged with dubiously attained downloaded content that serves advertisements in the form of pop-ups to drive traffic and revenue for the author.
Scareware: A subset of the adware class, these are usually pop-ups that advise a user that their system has been infected by a virus or requires critical maintenance. They write the pop-ups to look like system notifications or legitimate warnings and scare users in clicking which further exploits the system of leads to exposing credit card information to scammers.
It is important to distinguish that antivirus or malware scanners operate on different levels. Some can actively protect us from real time threats, while others exist to let us know that an infection has occurred. This is very important information and is in each instance actionable.
The real time protection is running at the kernel level in the operating system. The kernel is what manages the way software interacts with the CPU much in the same way a lot of viruses and malware also do. The software can scan incoming requests and downloaded data to “fingerprints” or known behaviors of malware and stop them before any damage can be done or exploits can be executed.
Passive protection does the same thing, but only retroactively. This is still useful however in that it allows us to repair any damage, remove the malicious software and patch the system. There are many options when it comes to anti-virus and anti-malware software, including many free versions. Users of Windows have the option to use Windows Defender which is a built-in anti-malware scanner.
Making sure that we keep our anti-malware software and operating systems up to date with patches and updates is crucial. A lot of these malicious programs and code take advantage of bugs and system issues.
Patches and updates are constantly written to fix issues as they are identified out in the world. Attackers in the wild routinely scan target systems for known exploits that haven’t been patched yet. Installing security and system updates as soon as they come out are in my opinion best practice for most users and workstations.
To wrap up this weeks post I’ll briefly comment on backups. This topic certainly necessitates a dedicated post and it is already on my to-do list.
Sometimes malware can destroy data in such a way that can’t be recovered. Ransomware such as CryptoWall also deletes Shadow Volume Copies, and system restore points. It will also propagate itself to cloud storage and backups. These days backups, including offline solutions such as backing up to an external drive and locking up somewhere safe, are extremely important. When using a cloud backup provider, try to find one that offers off-site data protection as part of their service.
If you have a good backup protocol in place, the remediation after data loss is a simple matter of restoring from backups.
If you have any specific questions or ideas for future posts, please send your ideas to firstname.lastname@example.org Thanks for reading. Stay safe.