Can I use penicillin on my malware infection?
No, you cannot. Malware is like herpes: lurking everywhere and antibiotics can’t kill it… YIKES! When it comes to malware, it’s best to learn how it can be prevented. So, we’ll cover identification and prevention as well as how it’s covertly installed on our machines. It’s also super handy to be able to recognize the symptoms of an infection. Plus tips on malware removal!
When talking about infections we need to be aware of two concepts: threat vector and attack vector. A threat vector is a method by which an attacker can gain access to a victim’s machine. Examples of threat vectors include unpatched software, phishing campaigns, USB flash drives, and many more. Typically this just describes a potential vulnerability that allows unauthorized access. Attack vectors go a step further: they refer to the methods used to gain access to a victim’s machine AND infect it with malware.
Common Delivery Methods
Typically there are three vehicles by which malware is delivered:
- software — like from a download
- messages — emails and instant messaging
- media devices — CDs, USBs, and floppy disks (from back in the day)
Another thing to be wary of is the idea of a watering hole. It’s helpful to think of one of those nature documentaries where zebras drink at a watering hole despite the presence of lions or hyenas. In the digital sense, a watering hole is a site that someone visits daily, like Facebook or an online student dashboard for school. An attacker can make use of a watering hole to cherry-pick a victim to target, among other things.
An attacker can leverage a watering hole by implementing a strategy called typo-squatting. This takes advantage of people misspelling a URL. The attacker makes a copy-cat website of Facebook, but hosts it at fasebook.com to catch victims who accidentally misspelled the URL. On this copy-cat site, the attacker can harvest any data a victim might input, such as login credentials.
Attackers can also use a watering hole to prepare for a phishing campaign by using it to gather emails.
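One defensive counterpart to the fasebook.com trick above is to look for lookalike domains in your own proxy or DNS logs. The following is an added example, not code from the original post: it compares each visited host against a list of brand domains (assumed here to be facebook.com and a made-up school-dashboard.edu) using an edit distance and a small homoglyph map, and the log format and sample lines are constructed for the example.

```python
# Added example (not from the original post): flag lookalike domains, such as the
# fasebook.com case above, in constructed proxy log lines. The brand list, the
# log format and the hosts are assumptions made for this example.
from urllib.parse import urlsplit

# Domains you legitimately own or that your users are expected to visit (assumed).
BRANDS = ["facebook.com", "school-dashboard.edu"]

# Characters that are easy to confuse on screen; used to catch faceb00k.com style names.
_HOMOGLYPHS = str.maketrans("013578", "olestb")


def normalize(label: str) -> str:
    """Map visually confusable characters to the letters they imitate."""
    return label.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, brands=BRANDS, max_distance: int = 1) -> str:
    """Classify a hostname relative to the brand list.

    Simplification: the registrable domain is taken as the last two labels, so
    multi-part suffixes such as .co.uk are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"
    name, tld = labels[-2], labels[-1]
    subdomains = labels[:-2]
    for brand in brands:
        bname, btld = brand.rsplit(".", 1)
        if name == bname and tld == btld:
            return "legit"                      # facebook.com, login.facebook.com
    for brand in brands:
        bname, btld = brand.rsplit(".", 1)
        if bname in subdomains:
            return "brand-in-subdomain"         # facebook.com.evil.net
        if name == bname:
            return "wrong-tld"                  # facebook.net
        if normalize(name) == normalize(bname):
            return "homoglyph"                  # faceb00k.com
        if damerau_levenshtein(name, bname) <= max_distance:
            return "typosquat"                  # fasebook.com, facebok.com
    return "unrelated"


def scan_proxy_log(lines, brands=BRANDS):
    """Return {host: verdict} for every host that is neither legit nor unrelated."""
    findings = {}
    for line in lines:
        url = line.split()[-1]                  # constructed format: "<ts> <client> <url>"
        host = urlsplit(url).hostname
        if host:
            verdict = classify(host, brands)
            if verdict not in ("legit", "unrelated"):
                findings[host] = verdict
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T08:01:10 10.0.0.12 https://www.facebook.com/",
    "2024-05-01T08:01:42 10.0.0.12 https://fasebook.com/login",
    "2024-05-01T08:02:03 10.0.0.15 https://faceb00k.com/login",
    "2024-05-01T08:02:30 10.0.0.15 https://facebook.net/",
    "2024-05-01T08:03:05 10.0.0.20 https://facebook.com.evil.net/",
    "2024-05-01T08:03:44 10.0.0.20 https://school-dashboard.edu/grades",
    "2024-05-01T08:04:09 10.0.0.21 https://example.org/",
]

if __name__ == "__main__":
    for host, verdict in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{verdict:20} {host}")
```

A distance of 1 catches single-character slips like fasebook.com; raising `max_distance` finds more but also produces more false positives on short brand names, so tune it per brand rather than globally.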
Botnets and Zombies
Attackers can use your computer’s resources to carry out their nefarious intentions. They will turn your computer into a zombie! A zombie is a compromised computer that is under the control of a hacker’s master node (C2). When a hacker has several zombie computers under their control, it’s called a botnet. Put another way, zombie computers fall under the control of a C2 (command and control) node operated by a malicious hacker to form a botnet.
They are pretty sneaky because most of the time you’ll still have full access to and functionality of your computer, but in the background an almost unnoticeable portion of its resources will be siphoned off for the hacker’s use. It may not seem like much, but when a hacker accumulates a few thousand zombies, they can harness some serious computing power.
Once a hacker has accumulated the zombies they need, they will start to use them as pivot points/proxies to serve up their porn site or other types of dark web sites. They can also use their botnet to send spam emails, conduct DDoS attacks, or even mine cryptocurrencies. Basically, botnets are leveraged whenever a hacker needs to carry out a processor-intensive task.
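A zombie has to check in with its C2 node, and that check-in usually runs on a timer, which is something a defender can look for. The following added example (not from the original post) groups outbound connections from constructed firewall-style log lines by source and destination and flags pairs whose connection gaps are unusually regular; the log format, hosts and thresholds are assumptions made for the example.

```python
# Added example (not from the original post): spot a zombie "phoning home" to its
# C2 node by looking for connections that recur at a near-constant interval.
# The log format, hosts and thresholds are assumptions made for this example.
import statistics
from collections import defaultdict
from datetime import datetime


def parse_line(line: str):
    """Parse the constructed format '<YYYY-MM-DD HH:MM:SS> <src> <dst:port>'."""
    ts_text, src, dst = line.rsplit(" ", 2)       # the timestamp itself contains a space
    return datetime.fromisoformat(ts_text), src, dst


def beacon_candidates(lines, min_connections: int = 6, max_cv: float = 0.15):
    """Group connections by (src, dst) and score the regularity of their timing.

    The coefficient of variation (std dev / mean) of the gaps between connections is
    near zero for a beacon on a fixed timer and large for human browsing. Beacons
    that add heavy random jitter or sleep for hours need more history than shown here.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)
    report = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue                                  # too little history to judge
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        report[pair] = {
            "connections": len(times),
            "mean_gap_s": round(mean_gap, 1),
            "cv": round(cv, 3),
            "suspicious": cv <= max_cv,
        }
    return report


# Constructed firewall/NetFlow-style lines (not real traffic). 10.0.0.7 checks in with
# 203.0.113.5 roughly every 60 s; 10.0.0.8 is ordinary bursty browsing.
SAMPLE_LOG = [
    "2024-05-01 10:00:00 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:01:02 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:02:00 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:03:01 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:04:00 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:04:59 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:06:01 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:07:00 10.0.0.7 203.0.113.5:443",
    "2024-05-01 10:00:00 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:00:05 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:00:06 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:03:40 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:09:12 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:09:13 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:20:00 10.0.0.8 198.51.100.9:443",
    "2024-05-01 10:05:00 10.0.0.9 192.0.2.4:80",
    "2024-05-01 10:06:00 10.0.0.9 192.0.2.4:80",
]

if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(SAMPLE_LOG).items():
        flag = "BEACON?" if info["suspicious"] else "ok"
        print(f"{flag:8} {src} -> {dst}  n={info['connections']} "
              f"mean={info['mean_gap_s']}s cv={info['cv']}")
```

Legitimate software (update checks, monitoring agents) also beacons on a timer, so a hit from this logic is a lead to confirm against the process and destination, not a verdict on its own.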
Active Interception & Privilege Escalation
Active interception is another term for “man-in-the-middle.” For those unfamiliar with the term, it refers to when a hacker’s computer is placed between the sender and receiver and is able to capture or modify the traffic between them.
Privilege escalation occurs when a hacker exploits a design flaw or bug in the system to gain access to resources that a normal user isn’t able to access. This is how a hacker goes after root/admin access.
Backdoors, Logic Bombs & Easter Eggs
Backdoors were originally used to bypass normal security and authentication. They were a convenience so developers could access whatever they needed without having to log in. However, this came out of the 80s and 90s, when attacks were not commonplace. Nowadays, coding in a backdoor is considered very bad security practice. A hacker these days will instead try to create their own backdoor by placing a remote access trojan (RAT) on a victim machine to maintain persistent access.
A logic bomb is malicious code that has been inserted inside a program and will execute only when specific conditions are met, like only executing on a specific day.
In addition, easter eggs are worth mentioning, not because they’re malicious but because they add potential vulnerabilities. When this type of code is invoked, a hidden message or secret feature is unlocked. These are generally harmless and intended to be fun, but they do create more potential for exploitation.
In general, regardless of intention, backdoors and easter eggs should not be used according to secure coding standards!
Symptoms of Infection
Your computer might have an infection if it exhibits one or several of these symptoms:
- running slower
- locking up/frequently stops
- restarts or crashes often
- new icons appear or old icons disappear
- antivirus is prevented from running
- hard drives, files, or applications are no longer accessible
- strange noises occur
- unusual error messages
- display looks strange
- jumbled printouts
- double file extensions are being displayed, such as
- new files/folders created or files/folders missing or corrupted
- system restore will not function
- pop-up ads
- default homepage changes on your browser
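The double file extension symptom is the one you can check mechanically. The following added example (not from the original post) scans a constructed directory listing for names that end in an executable extension while presenting a document or image extension in front of it, and goes slightly beyond the list above by also catching whitespace padding used to push the real extension out of view; the extension sets and sample names are assumptions made for the example.

```python
# Added example (not from the original post): flag the "double extension" symptom in a
# directory listing. Extension sets and the sample file names are constructed assumptions.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "pif", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "txt", "mp3"}


def check_filename(name: str):
    """Return a reason if the name hides an executable behind another extension, else None."""
    raw_parts = name.split(".")
    if len(raw_parts) < 3:
        return None                                  # "report.pdf", "setup.exe": one extension
    parts = [p.strip().lower() for p in raw_parts]   # strip padding like "photo.jpg      .scr"
    final, inner = parts[-1], parts[-2]
    if final not in EXECUTABLE_EXTS:
        return None                                  # "backup.tar.gz": harmless multi-part name
    if inner in DECOY_EXTS:
        reason = f"runs as .{final} but is presented as .{inner}"
    else:
        reason = f"double extension ending in executable .{final}"
    if raw_parts[-2] != raw_parts[-2].strip():
        reason += " (whitespace padding used to push the real extension out of view)"
    return reason


def scan_listing(names):
    """Return {name: reason} for every suspicious entry in a directory listing."""
    findings = {}
    for name in names:
        reason = check_filename(name)
        if reason:
            findings[name] = reason
    return findings


# Constructed directory listing (not from any real machine).
SAMPLE_LISTING = [
    "quarterly-report.pdf",
    "backup.tar.gz",
    "setup.exe",
    "invoice.pdf.exe",
    "holiday.jpg            .scr",
    "readme.txt.vbs",
    "notes.final.docx",
]

if __name__ == "__main__":
    for name, reason in scan_listing(SAMPLE_LISTING).items():
        print(f"{name!r}: {reason}")
```

Run it over a download folder or a mail quarantine; the trick only works when the operating system hides known extensions, so turning that setting off on user machines removes the disguise entirely.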
Malware Removal
- Identify symptoms of malware infection — if malware is suspected, back up any important files and run a scan.
- Quarantine infected systems — turn off the network card/disconnect the network cable to separate the infected machine from the production network
- Disable System Restore (if using a Windows machine) — to make sure Windows doesn’t take snapshots of an infected computer
- Remediate the infected system — reboot into safe mode or a pre-installation environment, then run anti-malware
- Enable System Restore and create a new restore point — you’re going to need a ‘last known good’ backup
- Afterwards, provide end user security awareness training (if you’re doing this at an organization)
- If a boot sector virus is suspected, reboot the computer from an external device then scan it
Below I’ll list out the various types of malware and the prevention methods you can use to protect yourself:
Viruses — anti-virus, service pack updates, OS patches, good host-based firewalls, and try to avoid entering data on non-HTTPS sites
Worms, trojans, ransomware — anti-malware, kept up-to-date; these types of malware are prevented by detecting them in their delivery form
Spyware — anti-spyware software, must be kept up-to-date; set browser security settings to a non-trusted method to prevent pop-ups and tracking cookies
Rootkits — difficult to detect, but some scanners can detect a file containing a rootkit before it is installed; removal is difficult and it’s best to reimage the machine from a known-good baseline
Spam — spam filters
Some other quick prevention tips an organization should be implementing:
- verify email servers aren’t configured as open mail relays (open SMTP relays)
- remove email addresses from websites
- use whitelists and blacklists
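To make the open relay item and the whitelist/blacklist item concrete, here is an added example (not from the original post) that models the decision a mail server makes at `RCPT TO`: deliver for local domains, relay only for trusted or authenticated clients, refuse everything else. It includes a probe that shows what an open relay looks like and prints both sides of the exchange. The domains, networks, and reply texts are assumptions made for the example.

```python
# Added example (not from the original post): a relay-policy check modelling the
# RCPT TO decision of a mail server, so you can see what "open relay" means and
# exercise your own server's policy offline. Domains, networks and reply texts
# are assumptions made for this example.
import ipaddress

LOCAL_DOMAINS = {"example.com", "example.net"}             # domains we deliver for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # whitelist: internal client networks
SENDER_BLOCKLIST = {"spam.example"}                         # blacklist: sender domains


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(client_ip, mail_from, rcpt_to, authenticated=False, open_relay=False):
    """Return the (code, text) reply to RCPT TO under this policy.

    open_relay=True reproduces the misconfiguration the post warns about: mail from
    any client to any domain is accepted, which is exactly what spammers look for.
    """
    if _domain(mail_from) in SENDER_BLOCKLIST:
        return 550, "5.7.1 Sender domain blocklisted"
    if _domain(rcpt_to) in LOCAL_DOMAINS:
        return 250, "2.1.5 OK"                             # inbound mail for our own users
    # From here on the server would be relaying to a third party. MAIL FROM is
    # unauthenticated and trivially forged, so the relay decision rests on who the
    # client is (network or SMTP AUTH), never on the sender address it claims.
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in TRUSTED_NETS):
        return 250, "2.1.5 OK"
    if open_relay:
        return 250, "2.1.5 OK"                             # the misconfiguration
    return 554, "5.7.1 Relay access denied"


def smtp_dialogue(client_ip, mail_from, rcpt_to, **policy):
    """Both sides of the exchange up to the RCPT TO verdict (S: server, C: client)."""
    code, text = relay_decision(client_ip, mail_from, rcpt_to, **policy)
    return [
        "S: 220 mail.example.com ESMTP",
        "C: EHLO client.example",
        "S: 250 mail.example.com",
        f"C: MAIL FROM:<{mail_from}>",
        "S: 250 2.1.0 OK",
        f"C: RCPT TO:<{rcpt_to}>",
        f"S: {code} {text}",
    ]


def is_open_relay(**policy) -> bool:
    """Probe from an untrusted, unauthenticated client: external sender to external recipient."""
    code, _ = relay_decision("203.0.113.10", "someone@outside.example",
                             "victim@elsewhere.example", **policy)
    return code == 250


if __name__ == "__main__":
    for line in smtp_dialogue("203.0.113.10", "someone@outside.example", "victim@elsewhere.example"):
        print(line)
    print("open relay:", is_open_relay(), "| misconfigured:", is_open_relay(open_relay=True))
```

The probe in `is_open_relay` is the same question an external relay test asks of your server: if an outside client can name an outside recipient and get a `250`, your server is relaying for the world.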
Lastly, and this is usually considered the most cost-effective prevention strategy, train and educate end users within the organization to:
- automatically update anti-malware and scan their machines
- update and patch the OS and applications regularly
- use safe internet surfing practices a.k.a. good digital hygiene
… And there you have it. I hope this helps you identify, prevent and/or remove any nasties from your machine.
Thanks for reading