Module 5 - Technical Security Controls
This course defines the different types of malware and outlines the impact that each one can have on an organization’s computer systems. It also details the different methods through which networks can be accessed, and how the related security risks can be controlled. Finally, it defines what cloud computing is and explains the different deployment models, before looking at the security requirements of an organization’s IT infrastructure and the documentation required to support this.
The objectives of this course are to provide you with an understanding of:
- The different types of malware and the impact each one can have on an organization’s computer systems
- Methods of accessing networks and how related security risks can be controlled
- The security issues related to networking services, including mobile computing, instant messaging and voice over IP
- Cloud computing deployment models and the security implications of cloud services
- The security requirements of an organization’s IT infrastructure and the documentation required to support this
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved in security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on protection from malicious software.
Malicious software, and the attacks built on it, cover a broad range of threats, including:
· Worms and viruses;
· Denial of Service attacks;
· Zero-day attacks; and
· Code injection.
This video will define and contrast the different types of malware and outline the impact that each one can have on an organization’s computer systems. It will also cover the main types of denial of service attack before looking at the technical and non-technical measures that can be used to counter those attacks.
Malware is a combination of the words ‘malicious’ and ‘software.’ It’s a generic name for any unauthorised software that runs on a computer system and makes it do something the attacker wants it to.
Malware includes viruses, worms, keyloggers, rootkits, ransomware, scareware, or any other software that shouldn’t be on a computer system. It can be used in many ways, including:
· To steal personally identifiable information;
· To steal user account information for websites, like Amazon or eBay, to facilitate fraudulent transactions;
· To delete files or entire disks;
· To hold an organization to ransom by encrypting files;
· To steal credit card numbers to facilitate fraud;
· To use someone else’s computer to commit a crime, maybe as part of a botnet; and
· For enjoyment: some groups of hackers do it for fun, or for status within their own community.
Malicious code often masquerades as legitimate software and, in some cases acts like a virus by attaching itself to software that’s already on the system, in the same way that a biological virus attaches itself to existing cells in a body.
Some malicious programs need host programs to run on whilst others exist and propagate independently. There are many ways they can infect a system – sometimes referred to as infection vectors – and there are many different propagation methods.
Whilst there are many different individual types of malware, more advanced attacks combine Trojan horses, rootkits and worms, each serving a different purpose at a different stage of the attack. These are known as blended attacks (or blended threats): one component gets the malware onto the system, another establishes the primary infection and another removes data from the system.
Each kind of malware has its own strengths and weaknesses so advanced attackers now customise attacks to avoid detection and create the best possible chance of success.
We’re now going to move on and look at some of the different types of malware in more detail, starting with viruses.
A computer virus is defined as:
“A piece of code that inserts itself into a host [program], including operating systems, to propagate. It cannot run independently. It requires the host program to run to activate it.”
The term virus is often misused to refer to other types of malware, including adware and spyware programs. However, these types don’t self-replicate. Viruses are also sometimes confused with worms and Trojan horses, which technically have different infection vectors and modes of operation.
One of the most common classes of virus is the macro virus. These are written in a macro, or scripting, language such as Visual Basic for Applications (VBA) and are often found in Microsoft Office files, such as Word and Excel documents. They usually spread through a system by infecting documents and spreadsheets.
Perhaps the most infamous macro virus was called Melissa. When a document containing the Melissa code was opened in Microsoft Word, the user’s system would be infected. Melissa would then email itself to the first 50 people in their address book, sending the infection to those users as well.
Due to the high replication rate, organizations would be infected extremely quickly. This is one reason why many organizations are nervous about allowing users to write Microsoft Office macros.
A worm is similar in some ways to a virus. It spreads from computer to computer but, unlike a virus, it propagates independently of human action. A worm uses emails, file sharing, or any other means of propagation, to spread to other host computers.
A worm is defined as:
“A program that can run independently and will consume the resources of its host [machine] from within in order to maintain itself and can propagate a complete working version of itself on to other machines.”
The biggest threat from a worm is its ability to replicate. Just like the Melissa virus, a self-replicating worm could send copies of itself to all contacts in an address book. The impact of this is that it consumes considerable computer resources and processing bandwidth.
Servers and networks subject to an excessive replication load therefore commonly slow down or even stop. The result is a Denial of Service.
A Trojan gets its name from the original Trojan Horse from Greek history. It can appear to be a normal, useful program, but can cause damage when it’s installed or run on a computer.
Some Trojans have been designed to simply be annoying, doing things like changing the desktop or displaying threatening messages. However, there are examples of Trojans that have caused serious damage to computer systems by, for example, deleting files, encrypting files, and creating system ‘backdoors’ that provide access to confidential or personal information for malicious users.
Unlike viruses and worms, Trojans don’t propagate by infecting other files; instead, they operate and execute independently on a computer. A Trojan infects a system when the user executes code delivered through an email, downloaded from a website or wrapped up in some other guise, like a PDF or a ZIP file.
Trojans are frequently used to create the so-called ‘zombie’ endpoints that make up a botnet, which we’ll look at shortly.
A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer system. They often have full administration privileges and can hide themselves. So, the rootkit could be running as a process on the system but won’t appear in the list of running processes in Task Manager. When the file system is reviewed, the rootkit code will be hidden and maybe even protected using access control lists, so users can’t get to it.
Think of a rootkit as malware that infects the core of the operating system and becomes inextricably intertwined with it. Rootkits are very difficult to detect and even harder to remove. Specific software is needed to detect rootkit indicators of compromise and specialist help is generally required to remove the infection.
Backdoors, also known as trapdoors, are hidden entry points into a program that bypass its normal security controls. They are typically triggered by a specific, abnormal input which the receiving software acts on to produce a result the legitimate user would never expect. The trigger could be user input from a website form or a message received over the network.
Backdoors are sometimes discovered in commercial off-the-shelf and freeware products. A well-known example of hidden, undocumented code was found in early versions of Microsoft Excel, where small snippets of embedded code did unusual things when a specific input triggered them. These were known as Easter Eggs; one used a special key sequence to launch a computer game. Although harmless, they show how an undocumented trigger can sit unnoticed inside shipped software.
Trojans often use backdoors to support an attack. For example, if a Trojan was accidentally downloaded onto a system, it might appear benign to begin with then open a backdoor to receive instructions through the network. This technique is often used in botnet infections.
Logic bombs are similar to backdoors in that they wait for a trigger: they’re malware that ‘explodes’ when a specific date, time, system event or other condition occurs. When the payload executes it does some kind of damage, like deleting all the files on the hard disk.
A common misconception is that Trojans, worms and viruses are the same thing, and the terms can be used interchangeably. However, as we’ve seen they exist and operate in very different ways.
· A virus is computer code embedded in another, possibly legitimate, file or program.
· Backdoors and Trojans operate within programs.
· Viruses and Trojans rely on human intervention.
· Worms are self-contained and may spread autonomously.
· Viruses and worms are self-replicating.
Rootkits are not included in this comparison because they’re designed as stealth programs that hide themselves and other malware from detection. They’re often used to conceal malware which then executes from the hidden location.
Now, let’s look at spyware. Spyware is a type of malware that monitors and collects a user’s activity and sends that information to a third party without their knowledge.
The presence of spyware is typically hidden from the user and is difficult to detect.
Spyware is used for:
· Theft of personal information, including financial information like credit card numbers.
· Secretly monitoring users; and
· Monitoring of web browsing activity for marketing purposes.
Unlike viruses and worms, spyware doesn’t typically self-replicate. However, it can be deployed by a worm or a Trojan. Some spyware installs a program known as a keylogger. Keyloggers record keyboard activity and, when a username and password are entered, pass them over the network to the attacker.
We’ve mentioned botnets a few times. A botnet is a collection of compromised computers connected to the Internet. Each compromised computer is known as a bot (derived from the word robot). When a computer is compromised, the malware receives commands from a command and control server instructing the bots to perform certain functions. The command and control centres are ultimately under the control of an individual, often referred to as the botmaster.
Typical uses of botnets include:
· Distributed denial-of-service attacks.
· Distribution of spam email.
· Deploying and managing keyloggers; and
· Spreading new malware.
There have been many stories about websites being taken down or hacked. In many cases, they’ve been subject to a Distributed Denial of Service, or DDoS, attack. A Denial of Service attack occurs when a service, such as a website, becomes non-operational. This is typically because it can’t function under the extreme load placed on it by attackers. In some cases, the website will grind to a halt and appear unresponsive to users, while in other cases it will simply crash and users see an error message.
A Distributed Denial of Service attack is a special form of Denial of Service attack where many sources are responsible for the extreme loading on the target. For example, a botmaster uses the command and control centre to communicate with all the bots in the botnet. Then the command and control centre instructs the botnet to send multiple webpage requests to the target website; this could be as simple as just repeatedly requesting the website homepage over and over again.
A botnet could comprise many thousands of bots. So, if they were all accessing a website simultaneously, and the website was only capable of dealing with a few hundred hits at any time, the site will become unresponsive or crash.
This is the approach that the hacktivist group Anonymous has used in many of its attacks.
Active content is code, such as scripts and browser plug-in controls, that a website delivers automatically and that runs in, or interacts with, the user’s browser.
Most of these technologies have sandboxing or other damage-limitation features, but they generally rely on the developer using them properly. ActiveX has notoriously been the worst culprit for allowing rogue code to damage computer systems. As a result, many organizations have a blanket ban on users downloading and running ActiveX controls.
Zero-day attacks are among the most serious threats to IT systems. They use malware and attack techniques that exploit vulnerabilities previously unknown to the vendor and to IT and security specialists, so no patch exists when the attack first appears.
Anti-malware software provides a line of defence against zero-day attacks by using heuristic, or behaviour-based, methods to detect anomalous activity. These rely on being able to ‘train’ the software to recognize normal behaviour. Heuristic methods are prone to generating false positives, especially during the initial training period.
Once a zero-day attack has been discovered and the cause of the vulnerability identified, product vendors can develop and distribute a patch. If the vulnerability’s particularly severe, the patch is classified as critical; in these cases, it should be applied as quickly as possible.
The last type of attack we’ll look at is content injection or code injection, which is one of the most common methods of attack against web applications. Most code injection issues are introduced through poor programming practices where the developer doesn’t validate user input correctly, or at all.
The most common forms of content injection attacks include:
· SQL injection. A typical SQL injection attack targets a login page where a database is used to store usernames and passwords. If the application builds its query by joining the user’s input onto a fixed SQL string, the attacker can type an SQL fragment, rather than a real username or password, into the input field. The database then executes the attacker’s statement, which can bypass the login entirely or return a dump of all the usernames, passwords and other private data.
To mitigate content injection attacks, developers must validate all user input prior to submission to a database or web server and ensure that only legitimate text has been entered. Input validation alone is not enough, however: the reliable defence against SQL injection is to pass user input to the database as a bound parameter (a parameterised or prepared statement) so that it can never be interpreted as part of the query.
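The login query described above, in vulnerable and hardened forms, as an added example that is not part of the original course material. It uses Python’s built-in sqlite3 module with a small constructed user table; the usernames, passwords and table layout are assumptions made for the demonstration, and the allowlist pattern for usernames is an illustration of input validation as a second layer rather than a rule the course prescribes.

```python
import re
import sqlite3

# Constructed in-memory user table so the example runs offline.
# Passwords are stored in clear text only to keep the demonstration short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct-horse", "alice@example.org"),
            ("bob", "battery-staple", "bob@example.org"),
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the user's input becomes SQL."""
    query = (
        "SELECT username, email FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Defence in depth: an allowlist of characters a username may contain.
# This rejects the injection payload below, but it is a second layer, not a
# substitute for parameterised queries (a field that legitimately accepts
# quotes, such as a surname, could not be protected this way).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def valid_username(username):
    return USERNAME_RE.match(username) is not None


if __name__ == "__main__":
    db = make_db()
    # Classic payload: closes the quoted string, adds an always-true condition
    # and comments out the password check.
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # dumps every user
    print("safe:      ", login_safe(db, payload, "anything"))        # returns nothing
    print("validated: ", valid_username(payload))                    # False
```

Run with the payload and the vulnerable function returns every row in the table because the query the database sees is `... WHERE username = '' OR 1=1 --' AND password = 'anything'`; the same input passed as a bound parameter matches no user.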
Threat vectors are how infections get into a computer system. Examples include:
· Visiting a compromised or malicious website;
· Downloading or installing software: software should only be downloaded from legitimate and trusted sources, or trusted vendors, who publish a privacy statement and accept some liability for what they distribute.
· An unsuspecting employee installing infected media. This might be through an infected program on a USB drive; the user might think they’re only copying a document from the removable drive to their computer, however, where the operating system’s autorun feature executes code as soon as removable media is connected, they’ve inadvertently allowed a malicious piece of software to run. (Current Windows versions no longer autorun USB drives, but a user who double-clicks a disguised file on the drive achieves the same result.) These types of infection can occur with any kind of removable media, like CDs, DVDs, back-up tapes and portable hard drives.
· Email attachments: care should be taken to ensure that any attachment doesn’t include a macro virus, and that links in the message don’t lead to a download with malware embedded in it.
· Through Ethernet, wireless and Bluetooth connections. PCs, Apple Macs, tablets and mobile phones support multiple forms of communication. If all these communications services are turned on, an attacker could target the system even when it’s not being used. For example, if wireless is turned on, the computer might be configured to act as a wireless access point that gives others a route onto the network. An attacker might break into the device over Bluetooth and then move from there into the corporate network over the LAN.
Now we’re going to look at some technical countermeasures that can be used to mitigate the risks to IT systems.
· Every computer system in an organization should have an antivirus product installed and this should be updated when patches or new signatures are released to ensure it can detect and prevent the spread of new malware. However, installing antivirus software doesn’t guarantee safety from infection, particularly from zero-day attacks.
· Many antivirus products come with embedded personal firewalls and Microsoft Windows comes with its own firewall. The firewall should be switched on to help prevent unwanted communication to and from client machines.
· In many organizations, boundary controls are used to control traffic in and out of the network, in particular email and web traffic.
· Import/export controls are associated with boundary controls. They permit only designated, trusted users to import or export programs or data on removable media. This may involve special training and clearance. Import/export controls use a combination of antivirus and content checking technologies to ensure data or programs can be imported and exported safely.
· Intrusion detection systems detect possible attacks by signature matching or anomalous behaviour, while intrusion prevention systems can prevent as well as detect attacks. They require expert management and are typically only implemented in larger organizations due to their cost. Intrusion prevention needs to be carefully managed to recognize ‘normal’ behaviour. False positives will result in legitimate activity being blocked, causing a denial of service.
· Application control technologies are used to prohibit users from executing unauthorised code on a system; if a user downloads malware to their system, the application control technology would stop the code being executed. The Windows operating system comes with a feature called AppLocker that provides this level of protection.
· Device control relates to users being prevented from reading or writing to unauthorised devices attached to their computer systems. For example, the system could be designed so that users can’t read from or write to DVDs without specific authority. Device control can also be used to prevent users from accessing USB drives, due to the threat of malware exploiting the autorun feature.
· Hardening refers to locking down the system’s configuration through the operating system, end user applications or middleware. Most organizations perform some degree of hardening on their systems, with the approach documented to ensure it’s applied consistently across the business.
For example, web browsers might be configured to prevent the downloading of ActiveX controls. The approach to hardening should be based on a risk management decision as it often means some loss of functionality for the end user. Security generally comes with some trade-off.
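The two detection methods described for intrusion detection systems above, signature matching and anomalous behaviour, run over a few constructed web server log lines, as an added example that is not part of the original course material. The log lines, the attack strings in them, the flood threshold and the time window are all assumptions made for the demonstration; the flooding source stands in, at very small scale, for the botnet repeatedly requesting a homepage that was described earlier.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log in common log format. One source sends two attack
# requests; another requests the homepage 30 times within a single second.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
        '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048',
        '198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "GET /login?user=admin\'%20OR%201=1-- HTTP/1.1" 200 731',
        '198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 161',
    ]
    + ['192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512'] * 30
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Signature rules, applied to the URL-decoded request target. Hypothetical
# rule names; real IDS rule sets are far larger and more precise than this.
SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select")),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    return {
        "src": src,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "target": unquote(target),  # decode %xx so encoded payloads still match
        "status": int(status),
    }


def signature_alerts(events):
    """Known-bad patterns: one alert per matching rule per request."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES:
            if pattern.search(e["target"]):
                alerts.append((name, e["src"], e["target"]))
    return alerts


def flood_alerts(events, window_seconds=10, threshold=20):
    """Anomaly rule: a source exceeding `threshold` requests in one time bucket.

    The threshold is the 'normal behaviour' baseline; set it too low and
    legitimate busy clients are blocked, which is the false-positive problem
    described above.
    """
    buckets = Counter()
    for e in events:
        bucket = int(e["time"].timestamp()) // window_seconds
        buckets[(e["src"], bucket)] += 1
    return sorted({src for (src, _), n in buckets.items() if n > threshold})


def analyse(log_text, **flood_params):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return signature_alerts(events), flood_alerts(events, **flood_params)


if __name__ == "__main__":
    sigs, floods = analyse(SAMPLE_LOG)
    for alert in sigs:
        print("signature:", alert)
    for src in floods:
        print("flood from:", src)
```

The signature rules find the two attack requests whatever the sender’s request rate, while the flood rule fires only on the source whose volume is abnormal; neither method catches what the other does, which is why IDS products combine them.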
There are many different types of software that can be used to implement countermeasures. These include:
· Antivirus checks on email systems before email gets to the user. The architecture can use different antivirus products at the boundary and on desktops.
· Spam filters to prevent certain types of attachments coming in, like executable code.
· Scanning website traffic for unsafe downloads, preventing them from getting onto the user’s computer. Some security products permit integration of antivirus and malware scanners.
· Content checkers to implement blacklists and whitelists (also called blocklists and allowlists) for accessing websites. Blacklists are lists of prohibited websites that users aren’t allowed to access, such as gambling and pornography sites. Whitelists are lists of websites that users are permitted to access.
· Using a sheep dip, which is an isolated computer system, to load and test new software for the presence of malware without the risk of the malware spreading to other systems on the network.
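An attachment check of the kind a mail filter performs, covering the executable attachments mentioned above and the macro-carrying Office documents discussed earlier in the video, as an added example that is not part of the original course material. It uses only the Python standard library. The sample attachments are constructed in memory (the ‘executable’ is just bytes starting with the PE magic header, and the Office documents are minimal zip archives); the blocked-extension list and the decision rules are assumptions for the demonstration, not a vendor’s policy.

```python
import io
import os
import zipfile

# Extensions a mail filter would commonly refuse outright (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def is_windows_executable(data):
    """PE (and MS-DOS) executables begin with the 'MZ' magic bytes, whatever the file is called."""
    return data[:2] == b"MZ"


def has_office_macros(data):
    """Office Open XML files are zip archives; a VBA project is stored as */vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return ('block', reasons) or ('allow', []) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
    if is_windows_executable(data):
        # Catches an .exe renamed to .pdf: the extension check alone would miss it.
        reasons.append("PE/MZ header")
    if has_office_macros(data):
        reasons.append("Office document contains VBA macros")
    return ("block", reasons) if reasons else ("allow", [])


def build_office_doc(with_macros):
    """Constructed stand-in for a .docx/.docm: just enough zip structure for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("quarterly-report.docx", build_office_doc(with_macros=False)),
        ("quarterly-report.docm", build_office_doc(with_macros=True)),
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),   # executable disguised as a PDF
        ("setup.exe", b"MZ" + b"\x00" * 10),
        ("notes.txt", b"plain text"),
    ]
    for name, data in samples:
        print(name, classify_attachment(name, data))
```

Checking the file contents rather than trusting the name is the point: the disguised ‘invoice.pdf’ is blocked because of its header, and the macro-enabled document is blocked because of what the archive contains, while the macro-free document and the text file pass.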
While it’s possible to mitigate many of the risks with technical controls, there are ways to mitigate risks that aren’t of a technical nature. A culture of security awareness can be supported by adding clauses to employment contracts, creating security operating procedures, and providing staff training and communication campaigns. The security team should also be available to consult and support staff.
We’ve seen why patching is so important, but it’s surprising how many organizations don’t have a robust approach to updating their systems. A patching policy should include how patch notifications from vendors should be analysed to ensure the critical ones that affect security are applied urgently.
Many organizations develop their own software applications either for internet facing websites or the corporate intranet, using web technologies. It’s easy for less experienced developers to introduce vulnerabilities into those applications, so secure coding standards developed by expert organizations like the Open Web Application Security Project should be adopted.
That’s the end of this video on protection from malicious software.
About the Author
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.