Identifying Malware Threats
Security+ and Malware Threats
Malicious software (malware) is a wide range of different software that has malicious intent. If you’re studying for a security certification such as Security+ , it’s important to understand some basics about malware.
The term virus is sometimes used erroneously to imply all types of malware. Actually, a virus is a specific type of malware, and malware includes many other types of malicious software including viruses, worms, Trojans (or Trojan horses), logic bombs, and rootkits.
A virus is a set of malicious code that attaches itself to a host application. The host application must be executed to run, and when the host application is executed, the malicious code executes.
USB drives have become a popular method of delivering viruses. Systems automatically detect a USB drive as soon as a user plugs it in. Malware on an infected USB flash drive will often infect the computer when a user plugs it in, and the infected system will then infect any other USB drives that a user plugs in.
Here’s an interesting story about how malware was introduced to a U.S. Department of Defense DoD networks from a USB flash drive. Most DoD systems now prohibit the use of USB flash drives today due to the threat.
Master Security+ Performance Based Questions Video
A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and is able to use different transport protocols to travel over the network. In comparison, viruses must be executed.
A Trojan (or Trojan horse) appears to be something useful but instead is something malicious. Users may download pirated software, key generators, rogueware/scareware, or something else they perceive as useful. However, this software includes malicious code called a Trojan. It’s named after the Trojan horse from Greek mythology.
The following figure shows an example of rogueware/scareware. Something like this can pop up when a user visits a malicious site indicating that the user’s system is infected with malware. However, the site shows the same dialog box to every user.
If the user believes it, they’ll be encouraged to download and install free antivirus software. However, it turns out that the free version is only a trial version. If the user wants to remove the malware, they have to pay the full price. Additionally, the trial version is also malware that is difficult to remove and may join the computer to a botnet, or give an attacker remote access to the user’s system.
If you want to read more about rogueware and scareware, check out this article.
A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event may be a specific date or time, when a user launches a specific program, or any event the programmer decides on.
As an example, a UNIX engineer planted a logic bomb after being fired from his job at Fannie Mae. Their account management policy did not revoke his elevated system privileges right away and he wrote and installed malicious code set to run at 9 a.m. on January 31, 2009. If the script wasn’t detected, it would have deleted data and backups for about 4000 servers, changed passwords, and shut them down.
A rootkit is a group of programs (or in rare instances, a single program) that hides the fact that the system has been infected or compromised by malicious code. A user may suspect something is wrong, but antivirus scans and other checks may indicate everything is fine since the rootkit hides its running processes to avoid detection.
Rootkits have system level or kernel access and can modify system files and system access. A file integrity checker can detect files modified by a rootkit, and an inspection of RAM can discover hooked processes. It’s important to remember that rootkits are very difficult to detect, since they can hide so much of their activity. A clean bill of health by a malware scanner may not be valid.
Of course each of these types of malware has much more depth than I’ve shown here. However, this does provide a brief overview that may help you with the Security+ exam.