The dangers of malicious code

What do you think the cost of cyber-crime is in the UK?

According to police, in 2020-21 there were over 31,000 reports of cybercrime in the UK, with reported losses of £9.6 million – and let’s not forget the emotional distress and psychological impact of these crimes on victims.

This threat is only going to increase, so it’s imperative that you are ready to deal with the danger posed by malicious code in the world of cybersecurity, the old cliché of ‘know your enemy’ holds true.

So how prepared are you? Here’s a recap of some common methods for spreading malicious code to help fill in any gaps in your understanding.

What is malicious code?

The US government’s cybersecurity agency defines it as unwanted files or programs that can cause harm to a computer or compromise data stored on a computer.

Also called malware, it can appear on devices and computers as legitimate software, or it can attach itself to a host program much like a biological virus attaches itself to a host organism.

How does malicious code infect a system?

The way in which malicious code infects a system is called an infection vector and its means of spreading is a propagation method.

You can categorise malicious code under many familiar names - viruses, worms, trojan horses - that differ in the way that they infect systems and propagate. You’ll find out about these in more detail in the next step.

Here’s an overview of some common malware:

Viruses

A virus is a piece of code that inserts itself into a host program - including operating systems - to propagate and spread. It requires a host program as it’s not able to run independently. When the host program is run it activates and begins to replicate.

A common class of virus is the macro virus which is written in a macro, or scripting language like Visual basic. Macro Viruses are often found in Microsoft Office files, such as Word and Excel, and spread throughout a system by infecting documents and spreadsheets.

Worms

A worm is a program that can run independently and will consume the resources of its host machine from within in order to maintain itself. It can propagate a complete working version of itself onto other machines without the need of a host program.

Its ability to consume considerable resources means that the servers or networks affected slow down and even stop when subject to excessive replication loads, leading to denial of service.

Trojans

Borrowing its name from the wooden horse of Greek myth, a Trojan appears to be a normal, useful program, but causes damage when installed or run on a computer. Trojans infect a system by executing code delivered through an email, as a download from a website or wrapped up in some other guise, like a PDF or a ZIP file.

Some Trojans have been designed to simply be annoying, doing things like changing the desktop or displaying threatening messages. But some cause serious damage by deleting or encrypting files and creating system ‘backdoors’ that provide access to confidential or personal information for malicious users.​

Unlike viruses and worms, Trojans don’t propagate by infecting other files; instead, they operate and execute independently on a computer.

Rootkits

A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer system.

​They often have full administration privileges – root access – and can hide themselves. So, the rootkit could be running as a process on the system but won’t appear in the list of running processes in Task Manager.

​When the file system is reviewed, the rootkit code will be hidden and maybe even protected using access control lists, so users can’t get to it. ​Think of a rootkit as malware that infects the core of the operating system and becomes inexorably intertwined with it.​

​Rootkits are very difficult to detect and even harder to remove. Specific software is needed to detect rootkit indicators of compromise and specialist help is generally required to remove the infection.

Backdoors

Backdoors, also known as trapdoors, are entry points to code within a program. They take an abnormal input construction and use the action of the software receiving the input to achieve an unexpected result. ​This could be user input from a website form, or a message received over the network.​

Backdoors are sometimes discovered in commercial off-the-shelf (COTS) products and freeware products. One notorious form of backdoor was found in early versions of Microsoft Excel where small snippets of embedded code did unusual things if a specific input triggered them. These were known as Easter Eggs and one example used a special key sequence to launch a computer game. ​

Trojans often use backdoors to support an attack. For example, if a Trojan was accidentally downloaded onto a system, it might appear benign to start with, then open a backdoor to receive instructions through the network. This technique is often used in botnet infections.​

Logic bombs are similar to backdoors. It’s malware which ‘explodes’ when a specific date, time, system event or other condition occurs. When the malware is executed, it does some kind of damage – like deleting all the files on the hard disk.

Ransomware

In June 2021, the chief of the UK’s National Cyber Security Centre warned that ransomware was the key threat facing the UK and urged the public and business to take it very seriously.

Ransomware is a type of malicious software that infects a computer and encrypts a victim's files, which restricts users' access to it until a ransom is paid to unlock it. Ransomware attacks have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert.  Ransomware then establishes a foothold, expands to other endpoints, and moves to discover, collect, stage, and encrypt target data. Once the damage is done, it covers its tracks and exfiltrates data for use or sale on the deep or dark web.

Ransomware as a Service (RaaS) is a business model used by ransomware developers, selling, or leasing malware to users on dark web forums. These affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a cut of each ransom victim's pay for the decryption key. If you’re a victim, there is no guarantee if you pay that you will get your data back.

Zero day attacks

Blended attacks

A popular infection strategy is to use a blended attack. This is a multi-pronged attacked that combines several methods simultaneously to give the best chance of success.

Blended attacks are designed to propagate quickly, like worms, but instead of relying on a single attack vector (such as email), they use whatever propagation paths exist to initiate, transmit and spread an attack.

Here’s a hypothetical blended attack to give you an idea of what one might look like:

Step 1

The attackers use a Distributed Denial of Service (DDoS) to take down a bank's website.

Step 2

Once the site is down, the bank's customers receive emails apologising for the inconvenience, directing them to an ‘emergency site'. This site is, of course, fake, and malicious, set up by the attackers to fool customers into revealing confidential information such as login or banking details.

Social engineering attacks

Another vector of attack is through manipulating and exploiting human behaviour to gain access to a system or to infect a system with malicious software. Here’s a quick outline of some social engineering attack techniques:

Phishing

The act of attempting to acquire information such as usernames, passwords, credit card details, etc., by masquerading as a trustworthy entity in an electronic communication – typically email.

Spear phishing

These are phishing attempts directed at specific individuals or companies. Attackers may gather personal information before launching an attack to increase their probability of success.

Clone phishing

A legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.

Whaling

Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses. The term whaling has been coined for these kinds of attacks.

SMiShing

This is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. SMiShing is short for 'SMS phishing'.

Vishing

Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorised entities. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or mobile phone.

Pharming

A cyber-attack intended to redirect a website's traffic to another – fake – site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software.

Clickbait/malvertising

A form of false advertisement, uses hyperlink text or a thumbnail link that is designed to attract attention and to entice users to follow that link and read, view, or listen to the linked piece of online content, with a defining characteristic of being deceptive, by being typically sensationalised or misleading.

Waterhole

A watering hole attack works by identifying a website that is frequented by users within a targeted organisation, or even an entire sector – such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.

Pretexting

Diversion

Tab napping or tab nabbing

Deepfake

What’s next?

Next up, QA’s cyber-security expert is going to talk you through a number of attack methods in detail.