Header Ads

Your Intelligence is the key to your Protection. A walk through the world of Malware

When it comes on compressing your cyber security, Malware's are the best and largely preferred means by any Hacker.

Must Read: Mark Zuckerberg uses tape over his webcam. 


Today we are here with an aim to guide every user on what malware actually is, how it works, what are risks associated with malware, How a malware harms your system and your security,
how you can protect yourself from malwares and list of some commonly used malwares.

I will be providing all my knowledge I've gained from 6 years of my Ethical Hacking & penetration testing Practices.



        Today Internet has become the most essential part of modern world. Well not to forget it even has given birth to highly populated cyber security risks. Although being the most important aspect of modern lifestyle it also proves a heaven for malicious softwares written and administered by cyber criminals.

       The first step in any way of protection is to know your enemy. 
So lets begin with protection of your cyber privacy by knowing your enemies which today are malwares.

Malware Defined:

        There are numerous types of malicious softwares revolving across the internet. Many of which have existed for years. The worst flaw of cyber world is that once something is on air its can never be completely eradicated.
         The one thing which goes common in any malicious software is that they have the ability to infiltrate a computer system without the owner's informed consent.
         The programs that is intended to steal personal information or masquerade as a user for financial gain. This collection of nasties has become known as malware (MALcious softWARE).
      

The most common types of malware include:

  • Viruses
  • Worms
  • Trojans
  • Keyloggers
  • Botnet agents
  • Rootkits


Must Read: Stop Using Open Wi-Fi

History is always a best teacher so Lets Talk about history of Malware:

        In the 1970's and 1980's, UNIX computers were the first targets of programs known as rootkits. Black hats, used these applications to hide their presence.
The first personal computer malware category to arise was viruses. As early as 1982, high school student Rich Skrenta wrote a gem called "Elk Cloner" for Apple II computers.
  You read it correct Apple was the first system to be affected by Virus.

         Other types of malicious programs emerged, including those which could propagate without any help from the user population. Known as worms, they are probably today's biggest challenge to malware defense.

         Over the years since beginning of Computer generation Black Hats have been busy and the count of malware has risen exponentially and still continues to do so. 

         Earlier malware were written by hackers to gain fame within the black hat community.

Today, malware is used by individual black hats as well as crime syndicates to make money.
To transfer your money to criminals' bank accounts around the world.

Lets travel across types of malware.

Viruses:

     viruses are written to perform actions on your computer which you would not allow, 
which includes:
  • Erasing files.
  • Crashing your system.
  • Taking your computer hostage.
  • Stealing intellectual property.
  • Stealing personal identity information.
  • and anything else the black hats can think of.

Must Read: Steps to take when malware is detected



        A virus is malware that cannot propagate from one computer to another without help.
They spread as users share files over a network or email infected files to friends, family, and coworkers.


Worms:

      
         Viruses were nice, but they didn't get around fast enough. So the worm was born. Worms can move between computers or networks without help from anyone. As long as the vulnerability a worm was written to exploit exists, and as long as the worm can see the vulnerability, it will do its job.

Worms can spread very quickly. One recent example is Conficker.
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control.
    Once a worm like Conficker infects an organization's network, in can potentially spread to all connected computers within hours--or minutes for smaller networks.
      

Trojans, Keyloggers, Rootkits, and Botnet Agents:


Trojans, keyloggers and rootkits are related types. They tend to support each other.
Trojans are malware installed when a user downloads software from a Web site, typically by clicking a link. The application downloaded may appear to be something the user wants or needs. However, hidden within it is a nefarious program.
For example, a user might download a new game from his or her favorite site. During installation, everything seems to work as expected, except a keylogger application is installed silently. Keyloggers capture all keystrokes--including passwords, PINs, etc.--entered bank or other protected sites. The captured information is periodically sent to the black hat's server. If the user is lucky, the information won't be used to steal his or her identity, reduce bank balances, etc.
Anti-virus software can't always locate and remove these types of malware. Black hats often use rootkit technology to "hide" their programs. If a keylogger or botnet agent is installed with rootkit technology, it is invisible to the operating system and therefore to most, if not all, anti-virus applications.
Finally, many malware instances are used to recruit computers into black hat botnets. A botnet is a collection of computers infected with malware specifically designed to give a cyber-criminal control. By passing commands to botnet agent software located on some or all controlled systems, a black hat can contract with other criminal elements to send spam, phishing messages, or perform other tasks across the Web--for a hefty fee.
In the next article, I dig deeper into how malware works once it breaks through your computer's defenses.

Lets One By One Focus on how each one works:


How Viruses Work:

      Since a virus cannot spread by itself, a black hat has to attach it to something which he or she expects users to download and execute. For example, you might want to download a popular application available from one or more reputable sites. However, unknown to you, the copy you decide to download has something a little extra.
 A virus is attached to the executable you stored on your PC.
When you run the application, the virus also runs, performing any of a plethora of unwanted activities, including:
  • Attaching itself to other applications
  • Deleting files
  • Crashing your computer
  • Stealing information
  • Enlisting your computer in a botnet
  • Using your contacts list to send itself, attached to some executable, to all your friends, family and colleagues
Viruses are not always attached to standalone programs. Sometimes malware works by combining with documents, such as a Microsoft Word file. Certain versions of Microsoft Word come with a programming language called VBA (Visual Basic for Applications). With VBA, a black hat can write virus code and attach it to an email attachment or send it via instant message. In most cases, all you have to do is open the file to set off the virus. Having a document appear in a view pane in Outlook is enough to kick it off.



How Worms Work

Although worms perform many if not all the same tasks as an installed virus, they don't rely on anyone or anything to propagate. Well, almost no one. As you will see in this section, negligence on someone's part is very often the reason a worm finds its way around your network.Figure 3: Worm Distribution 

  • Figure 2 is a conceptual diagram of a business or home office network. The network is behind three standard perimeter defense components: a firewall, a Web filter and an intrusion prevention system (IPS). A detailed explanation of how these controls work is beyond the scope of this article. For more information, click on the links provided. Let's assume, however, that a worm would have a hard time getting into this network from the Internet. Not impossible, just difficult. Then there is the laptop user.
    In our example, a laptop user is attached to a coffee shop wireless hotspot. Although firewall, Web filtering, and IPS software are available for end-user devices, this organization does not use any of them. Further, the anti-virus software is not running the latest malware signature update. Therefore, when the worm waiting at a visited Web site saw the laptop, there was nothing to stop it from checking for the system vulnerability it was designed to exploit. Since the laptop was not patched for the vulnerability, the worm happily crawled across the network connection and made itself comfortable--without the user doing anything more than connecting to the site. It also started scanning any other computers the laptop detected in the coffee shop looking for other places to replicate.
    Figure 2: Picking Up a WormFigure 3 shows how malware works when the laptop user visited the corporate office. Since the laptop connected to the internal network, behind the perimeter controls, the worm had no difficulty in beginning a scan for vulnerable computers. In this example, a server and a PC were unpatched with out-of-date anti-virus software. The worm discovered these vulnerabilities in minutes and quickly spread to these unprotected computers. Note the protected PC was unaffected.
    This is common way a worm finds a home in a network, but it is not the only way. Laptop users are not always the cause. Any user can go to the wrong place and pick up a worm even if using a desktop system. Once on a system, a worm begins its scanning.
    Scanning by the worm, and all its replicas, can cause serious performance issues for network users. This is often the way an organization or individual discovers the infestation.
  • How Keyloggers Work

    Figure 4: Installed Keylogger
    Keyloggers, or keystroke loggers, are usually deposited on a computer using a virus or worm. However, criminals who gain physical access to one or more computers also install them. Once installed, a keylogger positions itself as shown in Figure 4.

    This common configuration allows capturing of the keystrokes sent from the keyboard controller, through the keyboard driver, to the operating system. The captured data is usually written to a text file for manual retrieval or automatic upload.
    Keyloggers are difficult to see since they are usually installed using rootkit technology, defined in the next section.

    How Rootkits Work

          Rootkits creep into networks via multiple paths, including email, instant messaging and spyware. When they reach a computer, they bury themselves so the operating system, and therefore anti-virus applications, can't see them. No matter where you look, including the list of running processes, the hidden applications will not appear. Once hidden, these applications, often taking the place of actual operating system modules, run in response to system calls, including drivers and kernel functions.
    There are two basic types of rootkits: user mode and kernel mode. Using API functions, user mode rootkits modify the paths to executables. The advantage of this approach is ease of development. The disadvantage for a black hat is that user mode malware is easier to detect.
    Although more difficult to develop, kernel mode rootkits are easier to hide. Instead of leveraging APIs, they exploit undocumented or unpatched OS structures or vulnerabilities.
    Whichever approach an attacker chooses, rootkit technology can install and hide some of the most destructive or disruptive malware. Once on a computer, the only way to be sure it is completely gone and will not reinstall itself is to format the hard drive and start over.

    Lets get ahead with Our Security now.


    Basic Security Controls:


          The first step in securing your computers from incoming malware is router configuration. The simplest routers cost around ₹ 1500 and come with wireless networking capability. Connecting them as shown in Figure 1 builds a barrier between the Internet and your internal systems.
    Figure 1: Wireless Router Placement Larger organizations will likely place a standard, non-wireless router at the Internet/internal network boundary. However, the principle is the same. Keep the bad stuff, and the black hats, off your network in the first place.
    The next step is making sure your router is properly configured. Most small office and home routers come with a secure configuration. The only thing you have to do is CHANGE THE DEFAULT PASSWORD.

    It's easy to check your configuration for holes. Simply use the free online service provided at Steve Gibson's Web site. The service, ShieldsUp!, let's you know if one or more of your router configurations is unsafe (i.e. open). Your results should look like those in Figure 2. You may have some blue boxes. That's OK. However, red boxes mean you have ports open which may allow unwanted visitors.
    If you're unsure about how to configure your router's settings, buying a popular router brand like Linksys or D-Link ensures pretty good telephone support.
        
    Now that your perimeter is secure, the next step is to prevent intentional or unintentional visits to known high risk sites. High risk sites include those known to host malware or certain site types (online free games, pornography, pirated music sharing, celebrity sites, etc.). You can purchase software to do this, or you can use a free service like OpenDNS. Using a free service ensures you are getting regular site updates. It also keeps site processing resource use off your computers.
    Finally, make sure your computer's firewall is turned on and up-to-date. Windows-based systems (XP SP2, Vista, and Windows 7) have the firewall turned on by default. Unless you specifically turn if off, this provides your last layer of defense--before hitting your anti-virus software--against unwanted activities which make it through your other controls. And don't assume if you have an operating system other than Windows that you're safe. The only thing keeping Windows at the top of the black hat hit list is popularity--the most number of installed systems. Make sure your Linux and Apple OS computers are also running firewalls.

    Free Antimalware Tools:

    Now that the network is configured, let's talk about the final component in our layered malware defense--antivirus (AV) software. In this article, I focus on free applications which answer the question, "How do I remove malware?" Although they are listed below in no particular order, they vary in effectiveness. However, they all tested as basically effective by AV-Comparatives.
    There are many others. However, these I've tried, researched, and can recommend. When selecting a free AV product, follow the following guidelines:
    1. Make sure the software was tested and is found effective by an INDEPENDENT testing organization, like AV-Comparatives or AV-Test
    2. Don't fall for black hat offerings which appear authentic but which actually install malware on your machine; examples include Antivirus 2009 and Doctor Antivirus
    3. If you decide to use free AV software, be aware that these products don't include a full set of protection components; so don't forget to implement the basic security described earlier in this article
    4. Ensure there are no "gotcha's" associated with regular (daily) updates of your AV software's list of malware it can identify and remove
    In addition to price, free malware removal tools have one other feature I like. A lot of "security stuff" isn't installed on my computer, slowing it down or causing problems with other loaded software. However, if you like full-featured security suites, be sure to read the next article in this series on that very topic.



    Powered by Blogger.