What is Malware?
We have all heard of Malware; it was a big deal when we first started to use computers. But nowadays it is something in the background, something we should be careful of but that is largely taken care of, right?
Wrong. Malware has evolved from its beginnings as a demonstration of prowess by programmers into sophisticated technology used to facilitate criminal activity. The lines between the different types of Malware are blurring, and the ways it spreads keep developing.
But what is Malware, how is it spread, and how can you defend against it?
Types of Malware
The first type of Malware you have no doubt heard of is the Virus. A Virus is a piece of code that attaches itself to an application on a computer or to a crucial part of the computer's hard disk, such as the boot sector. Viruses are said to be self-replicating, meaning they are designed to make copies of themselves whenever the infected host program runs. They date back to the 1970s but became widely known with the introduction of the internet.
In the early days a Virus spread on floppy disks or pirated software passed around an office. These days Viruses spread on infected USB memory sticks and over internet connections, for example as email attachments or downloads.
Although some Viruses are not intended to cause harm, most are designed to do just that: corrupting your data, attacking your computer's operating system, or even creating 'backdoors' that an attacker can use to access your computer. Whether a Virus is harmful or not, they all consume processing power, memory and hard disk space.
Another type of Malware is called a Worm. A Worm is like a Virus in that it is self-replicating, but, unlike a Virus, it is a standalone program: it needs no host application and spreads across networks without any action by the user.
There are 4 stages to a Worm attack:
- The Worm looks for a target. It scans for a machine with a vulnerability that it can exploit to copy itself across.
- The Worm attacks. It exploits the vulnerability; for example, it may find a network service listening on an open port and use a flaw in that service to make the remote machine execute arbitrary instructions.
- The Worm installs itself. Often called the 'persist' stage: the Worm downloads and stores a copy of itself on the remote machine so that it keeps running there, typically surviving a reboot.
- The Worm spreads. From the newly infected machine it picks new machines to probe and the cycle repeats.
Often Worms carry 'payloads', specific code designed to do harm such as deleting or exfiltrating data. However, even 'benign' Worms consume resources, and the scanning traffic they generate can seriously affect the performance of computers and whole networks.
Another one most of us will be familiar with is the Trojan or Trojan Horse, named after the deceptive wooden horse used in the downfall of the ancient city of Troy. Unlike Viruses and Worms, Trojans are not designed to self-replicate; they rely on social engineering to get the user to install them.
A Trojan disguises itself as a legitimate program (such as a screensaver or a 'free' utility), but behind the scenes it is doing damage: copying or deleting personal information, recording keystrokes, or using your email software to pass itself on to other computers. Although the 'payload' can be anything, many act as a backdoor, allowing an attacker to bypass the operating system's security features and gain access to data or even control of the machine.
When it comes to Malware, the new kid on the block is Ransomware. Early examples go back to the late 1980s, but the modern form, which encrypts files and demands payment in cryptocurrency, took off around 2012. Ransomware has recently hit the news with attacks such as 'NotPetya' in 2017, which affected swaths of Ukraine, the rest of Europe and the US. NotPetya is also a reminder that paying is no guarantee of recovery: its code could not actually restore the files it scrambled.
Ransomware is usually delivered by a Trojan and works by taking data hostage: it encrypts the victim's files, or threatens to publish them, and demands a ransom to restore access. The ransom is usually demanded in a cryptocurrency such as Bitcoin, which makes tracing and prosecuting the perpetrators difficult.
A couple of other forms of Malware include Adware, which forces users to view advertising, and Spyware, which attempts to collect personal information and users' passwords.
What is Malware for?
It is worth remembering that Malware is created by a programmer, which begs the question: why, and what for?
There are many reasons why it is developed in the first place; sometimes it is just intellectual curiosity. Many programmers thrive on the challenge of pushing the boundaries to see what is possible, and often there is no intention to do harm. The most famous of these is the 1988 Morris Worm, the first worm to spread over the internet. It was not created to cause damage but to gauge the size of the internet by counting how many machines were connected. However, a flaw in its logic meant it re-infected machines over and over, slowing them dramatically, and it resulted in the first conviction in the US under the Computer Fraud and Abuse Act.
Despite this, the majority of modern Malware is designed with malicious intent: to damage a computer's operating system or its data, or to steal information from a user or, increasingly, from online advertisers. ILOVEYOU in 2000, for example, wreaked havoc across the globe: originating in the Philippines, it spread across Asia, Europe and the US, crippling mail systems and overwriting millions of files.
In many ways ILOVEYOU was a harbinger of things to come and laid the path for more overtly criminal Malware, such as CryptoLocker and the ransomware families that followed it, which remain a major threat today.
How does Malware get into your computer?
Malware can get into your computer via a variety of mechanisms, most of which exploit a combination of human and technical factors. For example, a link to download the Malware might be inserted in an email, or the Malware might be attached to the email itself. Or it might be packaged with pirated copies of software, films or music.
The most common method used to get Malware onto your computer is 'Phishing'. Phishing is when an email is sent that appears to come from a trusted source, in the hope that you will click the link or open the attachment. First described in the late 1980s, it has become increasingly commonplace since the 1990s.
Phishing emails are, by nature, indiscriminate. A phisher creates an email designed to worry the recipients and get them to respond. They add plausible details such as a Bank's logo and address and send it to millions of individuals. Among the recipients, a few will have an account with that Bank and follow the instructions in the email, starting the process of eliciting further personal information.
Spear Phishing/ Whaling
Where Phishing is indiscriminate, Spear Phishing is targeted at a specific individual. Attackers gather personal information about their target (from social media, company websites and earlier data breaches) to increase the probability of success. Spear Phishing is by far the most successful attack vector on the internet today, accounting for 91% of attacks (Stephenson, 2014).
Whaling refers to Spear Phishing directed at senior executives or other high-profile targets. The content of a Whaling email is often written as a legal subpoena, customer complaint, or executive issue.
Social engineering refers to psychologically manipulating a target. For example, a user might be encouraged to click a link on social media that refers to an outrageous story or 'fake news'. The link, which might appear benign, actually leads to a malicious download. The same technique can be applied to phone calls and SMS messages, where the target is encouraged to call a number or reply to a text and the process of eliciting further personal information continues.
Email spoofing is the term used to describe emails created with forged sender addresses; in other words, pretending to be from someone they are not. Nothing in the basic email protocol verifies that the address shown in the From field is genuine, which is why the checks mail servers now add (SPF, DKIM and DMARC) matter. In the context of Malware, an infected email is opened by 'A', running the Malware. The Malware searches A's email address book and sends an infected email to all, or a selection, of the contacts, pretending to be from A.
Because the email appears to come from a trusted source, the recipients open it and their computers pick up the Malware in turn. Meanwhile, A may be completely unaware that their computer is infected in the first place.
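The header checks a mail server (or a suspicious reader) can apply to a message like the one described above, as an added example that is not part of the original article. It parses two constructed messages with Python's standard library and compares the visible From address with the Return-Path (the envelope address used for bounces), the Reply-To address, and the SPF/DKIM/DMARC verdict the receiving server records in its Authentication-Results header. All addresses, domains and header values below are invented for the example.

```python
"""Header checks for a spoofed sender, as described in the article.

Added example, not code from the original page. The two sample messages
are constructed; the Authentication-Results header follows the usual
'method=result' form (RFC 8601) that receiving mail servers write."""
import email
import re
from email.utils import parseaddr

GENUINE = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.net
Subject: Your monthly statement

Your statement is ready to view.
"""

SPOOFED = """\
Return-Path: <bounce@mail-relay.example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-relay.example.org; dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
Reply-To: support@examplebank-secure.example.org
To: customer@example.net
Subject: Urgent: your account has been locked

Click the link within 24 hours or your account will be closed.
"""


def _domain(header_value):
    """Lower-cased domain of an address header like 'Name <user@host>'."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoofing_indicators(raw_message):
    """Return the reasons a message looks spoofed (empty list = none fired).

    An empty result does not prove the mail is genuine: an attacker who
    registers a look-alike domain and sets up SPF/DKIM for it passes every
    check below, which is why the visible domain must still be read."""
    msg = email.message_from_string(raw_message)
    reasons = []
    from_domain = _domain(msg.get("From", ""))
    envelope_domain = _domain(msg.get("Return-Path", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))

    # 1. Bounces go to a different domain than the one shown to the reader.
    if envelope_domain and envelope_domain != from_domain:
        reasons.append("Return-Path domain %s != From domain %s" % (envelope_domain, from_domain))
    # 2. Replies are silently redirected to a third domain.
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain %s != From domain %s" % (reply_domain, from_domain))
    # 3. The receiving server's own SPF / DKIM / DMARC verdict.
    auth = msg.get("Authentication-Results", "")
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=(\w+)" % method, auth)
        if match and match.group(1).lower() != "pass":
            reasons.append("%s=%s" % (method, match.group(1)))
    return reasons


if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, spoofing_indicators(sample) or "no indicators")
```

Only the Authentication-Results header written by your own receiving server is trustworthy; a sender can add a fake one, so a real mail filter strips any such header that arrives from outside before adding its own.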
Everyone's favourite, Spam or junk email, is unsolicited mail sent via email. Although the majority of Spam is commercial in nature, much of it contains malicious links or attachments. Spammers collect email addresses from chatrooms, customer lists and viruses that harvest users' address books. It is estimated that Spam accounts for around 90% of all email messages sent (M3AAWG, 2014).
Not all Malware is propagated using email; there are many other ways. For example, pirated material: Malware can be distributed by including it in illegal copies of software, video games or movies. Malware can also be spread by clicking links on websites, or pop-ups that claim to have identified a problem with your computer or that it is infected.
A Botnet is a group of computers controlled by an attacker. A Botnet is created using Malware that, once installed on a computer (often referred to as a zombie or bot), uses the internet to contact the attacker's command-and-control computer. It can then lie dormant, periodically checking in with the control computer for instructions. Over time the number of zombies increases and can reach tens of thousands and beyond.
At some point in the future the control computer issues a command to wake up and start doing something. Often Botnets are sold or rented out to a person or group who wants to use their capabilities.
As we have seen, a single piece of Malware can cause tremendous damage, but when thousands, or even millions, of computers run the software the results can be devastating. Botnets have been used to flood the internet with spam messages, to commit fraud against advertisers and to perform so-called distributed denial of service (DDoS) attacks on companies and governments. Botnets are so large and so widely distributed across the internet that they are very hard to tackle, and a coordinated attack on critical parts of the network can mean that even very large websites struggle to remain online while the Botnet targets their computers.
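A bot that periodically checks in leaves a distinctive trace in web-proxy or firewall logs: the same host contacting the same destination at almost identical intervals, whether or not anyone is at the keyboard. The following added example, not from the original article, scores that regularity over a constructed proxy log. The log format (timestamp, source IP, destination host, status, bytes), the hosts and the IP addresses are all invented for illustration.

```python
"""Find bot check-in ('beaconing') traffic in a proxy log by flagging
source -> destination pairs whose connection intervals barely vary.

Added example, not code from the original page. SAMPLE_LOG is constructed
and its simplified format is not any vendor's real log format."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-vendor.com 200 5120
2024-03-01T09:00:00 10.0.0.7 c2.example-bad.net 200 312
2024-03-01T09:02:11 10.0.0.5 news.example.org 200 84021
2024-03-01T09:05:00 10.0.0.7 c2.example-bad.net 200 310
2024-03-01T09:07:43 10.0.0.5 news.example.org 200 12011
2024-03-01T09:10:00 10.0.0.7 c2.example-bad.net 200 311
2024-03-01T09:15:01 10.0.0.7 c2.example-bad.net 200 309
2024-03-01T09:19:58 10.0.0.5 news.example.org 200 7730
2024-03-01T09:20:00 10.0.0.7 c2.example-bad.net 200 312
2024-03-01T09:24:59 10.0.0.7 c2.example-bad.net 200 311
2024-03-01T09:31:17 10.0.0.5 news.example.org 200 45120
2024-03-01T09:42:02 10.0.0.5 news.example.org 200 9020
"""


def parse_log(text):
    """Group connection timestamps by (source IP, destination host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, src, dst, _status, _size = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(timestamp))
    return seen


def find_beacons(text, min_connections=5, max_jitter=0.10):
    """Return {(src, dst): mean_interval_seconds} for pairs that connected
    at least min_connections times with a coefficient of variation
    (stdev / mean of the gaps) no greater than max_jitter.

    A person browsing a news site produces irregular gaps; a bot sleeping
    for a fixed period between check-ins produces nearly constant ones.
    Real bots add random sleep ('jitter') on purpose, so raise max_jitter
    to catch them at the cost of more false positives."""
    beacons = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            beacons[pair] = average
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print("%s -> %s every %.0f s" % (src, dst, interval))
```

In the sample, 10.0.0.7 reaches c2.example-bad.net every five minutes give or take a second, while 10.0.0.5's visits to news.example.org are spread unevenly and are not flagged. The value of the technique is that it needs no signature for the Malware itself, only the log you already keep; the price is tuning the thresholds against legitimate periodic traffic such as software update checks.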
How to keep yourself protected
The last few years have seen a dramatic increase in the use of malicious software. But all is not lost: alongside it there has been explosive growth in software designed to stop it spreading. So-called anti-virus software is a multi-billion pound business. At the same time, the developers of computer operating systems are incorporating a wider range of security features that try to stop Malware running at all.
But there are lots of things you can do yourself to keep protected:
Anti-virus software
If you don't already have anti-virus software, installing some should be a high priority. There are many free packages available, but you should always check that they meet your requirements. Some things to consider include:
- Is it compatible with your computer? Make sure the software is going to work with your computer and operating system.
- Is it from a reputable source? Use software from one of the major computer security companies, or one recommended by your bank or Internet Service Provider (ISP). Be wary of 'anti-virus' advertised through pop-ups claiming your computer is infected: fake security software is itself a common form of Malware.
- Does it provide updates? Ensure the software updates its detection signatures on a regular basis, ideally automatically, so that you remain protected against the latest Malware.
Up to date software
Computer operating systems and applications are so large that it is inevitable they contain bugs or vulnerabilities that could compromise your security. The major companies are well aware of this and regularly release updates that fix these problems. Searching for and installing these updates is commonly known as patching, and some of the major applications we use day to day (Microsoft Office and Adobe products, for example) automate this process. However, you should check that the operating system you use, along with your applications, is kept up to date, and turn on automatic updates wherever they are offered.
End of life software
Software is continually being developed and replaced by newer versions, so software has a lifespan. The lifespan of software begins when it is released and ends when the vendor stops supporting or updating it, usually some time after a newer version is available.
That said, software doesn't automatically become unsafe the moment it reaches the end of its lifespan. But you should be aware that bugs or vulnerabilities identified after that point will not be addressed by the authors. Most large companies still provide support for older versions of their software for a certain period, but they do not prioritise it.
Developers of malicious software are aware of this and target vulnerabilities in older systems with greater success, as seen in the WannaCry incident that affected the NHS in May 2017. WannaCry spread between Windows machines that had not applied a patch released two months earlier, including machines running versions of Windows that were already out of support.
Our advice is to use operating systems and software that have not reached the end of their lifespan. If you must keep using end of life software, it is essential that your firewalls and anti-virus software are up to date and that the machine is isolated from the internet and the rest of your network as far as possible. Also make sure your key applications, such as web browsers and email clients, which send and receive personal information, are kept up to date. And make a plan to transition to supported software as soon as possible.
Back up your files
You should identify which business data you need most and ensure it is backed up on a regular basis. The backup should be stored where ordinary user accounts (and therefore any Malware running under them) cannot overwrite it, and it should not be permanently connected to the internet or to your network: Ransomware encrypts every drive it can reach, including a backup drive that is left plugged in.
As a rule of thumb, your business-critical data should exist in 3 locations:
- Your day to day working copy.
- Your master back up, kept off site and not connected to the internet.
- Your local back up for easy retrieval.
Test restoring files from your backups from time to time; a backup you have never restored from is not yet proven to be a backup.
Identify Phishing emails
Although you can't expect to spot all Phishing emails, there are often tell-tale signs:
- Spelling mistakes. Phishing emails are often written by people whose first language isn't English, so they quite often contain spelling mistakes or odd phrasing. Reading messages carefully can help spot these. Bear in mind, though, that a well-resourced attacker can write flawless English.
- Who is it to? Unlike Spear Phishing emails, Phishing emails are sent to a mass of recipients, so the greeting does not use a name but 'Dear Customer' or similar. This does not hold for Spear Phishing, which will address you by name, so other signs must be used.
- Images. Phishing emails often include images such as logos. These are frequently copied from websites or screenshots and the quality can be poor. However, it is not difficult to obtain high quality images, so a high-quality image should not be taken as proof of an email's authenticity.
- Links. In most cases the visible text of the link differs from the destination it takes you to. You can spot a fake link by hovering the mouse pointer over it (without clicking): the real destination appears in a tooltip or in the status bar at the bottom of the window. Read the domain carefully. Attackers register look-alike names, such as a bank's name followed by extra words, and the part that matters is the host name between the '//' and the next '/'. On a phone or tablet there is no hover; press and hold the link to see where it goes instead.
- Email content. By far the most reliable way to spot a Phishing email is the content. In almost all countries, Banks and financial institutions will not email you asking you to confirm your password or account details through a link. Likewise, an email that tries to create a sense of urgency, telling you that your account is in trouble unless you act quickly, is likely to be false.
However, it must be understood that teaching staff to spot every Phishing email is a near impossible task. So you should encourage staff to come forward if they have clicked on or responded to a Phish, without fear of punishment or reprisal; early reporting is what limits the damage.