Malicious software (malware) and social engineering are two common attack categories that any organization will face, but there are some complexities to each category. If you’re planning to take the SY0-501 exam, you should have a basic understanding of determining malware types given a scenario.
For example, can you answer this practice test question?
Q. Security administrators recently discovered suspicious activity within your network. After investigating the activity, they discovered malicious traffic from outside your network connecting to a server within your network. They determined that a malicious threat actor used this connection to install malware on the server and the malware is collecting data and sending it out of the network. Which of the following BEST describes the type of malware used by the threat actor?
A. APT
B. Organized crime
C. RAT
D. Crypto-malware
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Malware (malicious software) includes a wide range of software that has malicious intent. Malware is not software that you would knowingly purchase or download and install. Instead, it is installed onto your system through devious means.
RAT
A remote access Trojan (RAT) is a type of malware that allows attackers to take control of systems from remote locations. It is often delivered via drive-by downloads. Once installed on a system, attackers can then access the infected computer at any time, and install additional malware if desired.
Some RATs automatically collect and log keystrokes, usernames and passwords, incoming and outgoing email, chat sessions, and browser history as well as take screenshots. The RAT can then automatically send the data to the attackers at predetermined times.
Additionally, attackers can explore the network using the credentials of the user or the user’s computer. Attackers often do this to discover and exploit additional vulnerabilities within the network. It’s common for attackers to exploit this one infected system and quickly infect the entire network with additional malware, including installing RATs on other systems.
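The RAT behavior described above (data collected on the host and sent out "at predetermined times") leaves a detectable footprint: outbound connections from one internal host to one external address at nearly constant intervals. The following is an added example written for this post, not code from the original article or the study guide; it runs a simple beaconing check over a constructed set of flow records, and the host names and IP addresses are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample outbound flow records (not from the original post):
# "timestamp internal_host external_ip". HOST-A reaches one external
# address every ~300 s with tiny jitter, the "predetermined times"
# pattern described for RATs; HOST-B shows ordinary irregular browsing.
SAMPLE_FLOWS = """\
2023-05-01T09:00:01 HOST-A 203.0.113.10
2023-05-01T09:05:02 HOST-A 203.0.113.10
2023-05-01T09:10:01 HOST-A 203.0.113.10
2023-05-01T09:15:03 HOST-A 203.0.113.10
2023-05-01T09:20:02 HOST-A 203.0.113.10
2023-05-01T09:00:10 HOST-B 198.51.100.7
2023-05-01T09:01:45 HOST-B 198.51.100.7
2023-05-01T09:12:30 HOST-B 198.51.100.7
2023-05-01T09:13:02 HOST-B 198.51.100.7
"""

def parse_flows(text):
    """Group connection timestamps per (internal host, external destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        ts, host, dst = parts
        flows[(host, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_flows=4, max_cv=0.05):
    """Return (host, dst, interval_seconds) for pairs whose connection gaps are
    nearly constant. The coefficient of variation (stdev / mean) of the gaps
    is low for scheduled check-ins and high for human-driven traffic."""
    hits = []
    for (host, dst), times in parse_flows(text).items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((host, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for host, dst, interval in find_beacons(SAMPLE_FLOWS):
        print(f"{host} -> {dst}: regular outbound connections every ~{interval}s")
```

In production the same logic is usually run over firewall, proxy or NetFlow exports and tuned so that legitimate scheduled traffic (update checks, monitoring agents) is allow-listed before alerting.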
Ransomware
A specific type of Trojan is ransomware. Attackers encrypt the user’s data or take control of the computer and lock out the user. Then, they demand that the user pay a ransom to regain access to the data or computer. Criminals often deliver ransomware via drive-by downloads or embedded in other software delivered by email. Attackers originally targeted individuals with ransomware. However, they have increasingly been targeting organizations, demanding larger and larger ransoms.
Many organizations indicate that ransomware attacks continue to grow and are becoming one of the greatest cyber threats:
- Symantec reported that ransomware attacks grew by 35 percent in 2015 (compared with 2014).
- The Cyber Threat Alliance (CTA) reported that CryptoWall 3, a specific version of ransomware, resulted in $325 million in losses in 2015 alone. It’s difficult to know how much money has been lost by all versions of ransomware.
- In a public service announcement (Alert Number I-091516-PSA), the FBI reported that a single variant of ransomware infected as many as 100,000 computers a day in the first quarter of 2016.
- In their 2017 Annual Threat Report, SonicWall reported that the number of ransomware attacks observed by the SonicWall GRID Threat Network increased from 4 million in 2015 to 638 million in 2016.
Ransomware types continue to evolve. In early versions, they sometimes just locked the user out of the system. However, this is rarely done anymore. Instead, attackers typically encrypt the user’s data to ensure that users can’t retrieve it. Ransomware that encrypts the user’s data is sometimes called crypto-malware.
Some ransomware has added a new blackmail technique called doxing. If the user doesn’t pay the ransom to decrypt the files, the attacker threatens to publish the files along with the victim’s credentials. Malware that uses doxing is sometimes called doxingware.
Spyware
Spyware is software installed on users’ systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Spyware takes some level of control over the user’s computer to learn information and sends this information to a third party. If spyware can access a user’s private data, it results in a loss of confidentiality.
Some examples of spyware activity are changing a user’s home page, redirecting web browsers, and installing additional software within the browser. In some situations, these changes can slow a system down, resulting in poorer performance. These examples are rather harmless compared with what more malicious spyware (called privacy-invasive software) might do.
Privacy-invasive software tries to separate users from their money using data-harvesting techniques. It attempts to gather information to impersonate users, empty bank accounts, and steal identities. For example, some spyware includes keyloggers. The spyware periodically reads the data stored by the keylogger, and sends it to the attacker. In some instances, the spyware allows the attacker to take control of the user’s system remotely.
Spyware is often included with other software like a Trojan. The user installs one application but unknowingly gets some extras. Spyware can also infect a system in a drive-by download. The user simply visits a malicious web site that includes code to automatically download and install the spyware onto the user’s system.
Adware
When adware first emerged, its intent was primarily to learn a user’s habits for the purpose of targeted advertising. As the practice of gathering information on users became more malicious, more people began to call it spyware. However, some traditional adware still exists. Internet marketers have become very sophisticated and use a combination of web analytics and behavioral analytics to track user activity. They then provide targeted ads based on past user activity.
The term adware also applies to software that is free but includes advertisements. The user understands that the software will show advertisements and has the option to purchase a version of the software that does not include the ads. All of this is aboveboard without any intention of misleading the user.
Q. Security administrators recently discovered suspicious activity within your network. After investigating the activity, they discovered malicious traffic from outside your network connecting to a server within your network. They determined that a malicious threat actor used this connection to install malware on the server and the malware is collecting data and sending it out of the network. Which of the following BEST describes the type of malware used by the threat actor?
A. APT
B. Organized crime
C. RAT
D. Crypto-malware
The answer is C. The scenario describes a remote access Trojan (RAT), which is a type of malware that allows attackers to take control of systems from remote locations.
While the threat actor may be a member of an advanced persistent threat (APT) or an organized crime group, these are threat actor types, not types of malware.
Crypto-malware is a type of ransomware that encrypts data, but there isn’t an indication that the data is being encrypted in this scenario.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on malware types.