Malware is one of the greatest threats to an organization. It’s common for an advanced persistent threat to use malware to gain a foothold in a single computer and then pivot to other computers in a network. Because of this, cybersecurity certifications (including the SY0-401 and SY0-501 Security+ certifications) typically require you to understand many of the different malware types.
As an example, see if you can answer this question.
Q. Dr. Terwilliger installed code designed to enable his account automatically if he ever lost his job as a sidekick on a television show. The code was designed to reenable his account three days after it is disabled. Which of the following does this describe?
A. Logic bomb
B. Rootkit
C. Spyware
D. Ransomware
More to the point, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Malware is a significant threat for any organization. Administrators commonly implement layered security, or a defense-in-depth plan, to protect against malware. The following are some common security controls used to protect against malware:
- Anti-malware software on mail servers. Spam often includes malware as attachments, but anti-malware software can detect and block it. The software strips potentially malicious attachments off the email, and sends a notification to the user explaining what was removed and why.
- All systems. All workstations and servers have anti-malware software installed. Servers may have additional, specialized anti-malware software installed depending on the applications running on the servers.
- Boundaries or firewalls. Many networks include detection tools that monitor network traffic through the firewall. For example, unified threat management (UTM) inspects network traffic to reduce the risk of malware entering the network.
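The first control in the list, anti-malware on the mail server stripping risky attachments and telling the user what was removed, is easy to picture in code. The following is an added example written for this post, not code from any product mentioned here: it parses a raw message with Python’s standard `email` library, drops attachments whose final file extension is on an assumed block list, appends a notice to the body, and rebuilds the message. The `BLOCKED_EXTENSIONS` set and the sample message are constructed for the demonstration.

```python
"""Constructed example: a mail-gateway pass that strips attachments with
disallowed file types and appends a notice telling the recipient what was
removed. The policy table and the sample message are made up for the demo."""
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: file types that are never delivered as attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1"}


def is_blocked(part):
    """Judge the attachment by its final extension, so 'invoice.pdf.exe'
    is evaluated as '.exe', not as the '.pdf' that precedes it."""
    filename = part.get_filename()
    if not filename or "." not in filename:
        return False
    extension = "." + filename.lower().rsplit(".", 1)[1]
    return extension in BLOCKED_EXTENSIONS


def strip_attachments(raw):
    """Parse a raw RFC 5322 message, drop blocked attachments, and return
    (cleaned EmailMessage, list of removed filenames)."""
    original = email.message_from_bytes(raw, policy=policy.default)
    removed, kept = [], []
    for part in original.iter_attachments():
        (removed if is_blocked(part) else kept).append(part)
    removed_names = [p.get_filename() for p in removed]

    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[header]:
            clean[header] = original[header]
    body = original.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if removed_names:
        # The notification the text describes: what was removed and why.
        text += ("\n\n[Mail gateway notice] The following attachment(s) were "
                 "removed because their file type is not permitted: "
                 + ", ".join(removed_names))
    clean.set_content(text)
    for part in kept:
        payload = part.get_content()
        if isinstance(payload, str):
            clean.add_attachment(payload, subtype=part.get_content_subtype(),
                                 filename=part.get_filename())
        else:
            clean.add_attachment(payload, maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(),
                                 filename=part.get_filename())
    return clean, removed_names


def build_sample_message():
    """Constructed inbound message: one harmless PDF and one
    double-extension executable."""
    m = EmailMessage()
    m["From"] = "homer@springfield.com"
    m["To"] = "lisa@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ constructed", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return bytes(m)


if __name__ == "__main__":
    cleaned, gone = strip_attachments(build_sample_message())
    print("removed:", gone)
    print(cleaned.as_string())
```

Extension checks are only one signal a real gateway uses (content inspection and signature scanning come on top), but the structure is the same: decide per part, rebuild the message, and leave the recipient an explanation rather than a silently missing file.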
Pop-Up Blockers
Most web browsers include a feature to block pop-up ads, and/or support pop-up blocker add-ins that users can configure with the web browser. These block most pop-ups, including the pop-ups described in the “Adware” section of the Malware Types Targeting User’s Activity blog post. Most pop-up blockers allow you to list Uniform Resource Locators (URLs) that are allowed to open pop-ups, and block all pop-ups from sites that aren’t on the allowed list. This is similar to creating a whitelist of allowed applications.
Logic Bombs
A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.
There’s an often-repeated story about a company that decided it had to lay off an engineer due to an economic downturn. His bosses didn’t see him doing much, so they thought they could do without him. Within a couple of weeks after he left, they started having all sorts of computer problems they just couldn’t resolve.
They called him back, and within a couple of weeks, everything was fine. A few months later, they determined they had to lay him off again. You guessed it. Within a couple of weeks, things went haywire again.
The engineer had programmed a logic bomb that executed when the payroll program ran. It checked for his name on the payroll, and when it was there, things were fine, but when his name wasn’t there, ka-boom—the logic bomb exploded.
Remember this
A logic bomb executes in response to an event, such as when a specific application is executed or a specific time arrives.
Spam Filters as Anti-Spam Solutions
Organizations often implement a multipronged approach to block spam. For example, many UTM systems include spam filters to detect and block spam. The output of the UTM goes to an email server. Email servers also have methods of detecting and blocking spam. The email server sends all email to the users, except for what it detects as spam. User systems also have anti-spam filters, or junk mail options, as a final check.
The challenge with any spam filter is to only filter out spam, and never filter out actual email. For example, a company wouldn’t want a spam filter to filter out an email from a customer trying to buy something. Because of this, most spam filters err on the side of allowing spam through rather than potentially marking valid email as spam. Although the science behind spam filtering continues to improve, criminals have also continued to adapt.
Spam filters typically allow you to identify email addresses as safe, or to be blocked. You can add these as individual addresses or as entire domains. For example, if you want to ensure you get email from Homer when he sends email from springfield.com, you can identify homer@springfield.com as a safe email address. If you want to ensure you get all email from springfield.com, you can designate springfield.com as a safe domain. Similarly, you can block either the single email address homer@springfield.com or the entire domain springfield.com.
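The safe and blocked lists just described, which accept either a full address or a bare domain, come down to a small amount of matching logic, and the same domain-allowlist idea underlies the pop-up blocker allowlist in the earlier section. The following is an added example written for this post, not the code of any spam filter or mail product: it parses the `From:` header, lets an exact-address entry override a domain entry (the more specific rule wins), matches domains on label boundaries so that `springfield.com` covers `mail.springfield.com` but not `springfield.com.attacker.test`, and, for senders on neither list, only marks mail as spam above a deliberately high score threshold, following the passage’s point that filters err toward letting spam through. The class name, the `SPAM_THRESHOLD` value and the precedence rules are assumptions made for the demonstration.

```python
"""Constructed example: sender safe/block lists that accept a full address
or a bare domain, with a score-based fallback for unlisted senders."""
from email.utils import parseaddr

# Assumed value: unlisted mail is only marked spam above this score, so the
# filter errs toward delivering spam rather than quarantining real mail.
SPAM_THRESHOLD = 7.0


def split_sender(from_header):
    """Return (address, domain) from a From: header, lowercased;
    (None, None) if no single well-formed address can be extracted."""
    _, address = parseaddr(from_header)
    address = address.strip().lower()
    if address.count("@") != 1:
        return None, None
    return address, address.rsplit("@", 1)[1]


def domain_matches(domain, entry):
    """True if domain is entry or a subdomain of it. Matching on a label
    boundary means 'springfield.com' does not cover
    'springfield.com.attacker.test' (a plain endswith check would)."""
    return domain == entry or domain.endswith("." + entry)


class SenderListFilter:
    """Safe and blocked lists; entries containing '@' are addresses,
    anything else is treated as a domain."""

    def __init__(self, safe=(), blocked=()):
        self.safe_addresses, self.safe_domains = set(), set()
        self.blocked_addresses, self.blocked_domains = set(), set()
        for entry in safe:
            self._add(entry, self.safe_addresses, self.safe_domains)
        for entry in blocked:
            self._add(entry, self.blocked_addresses, self.blocked_domains)

    @staticmethod
    def _add(entry, addresses, domains):
        entry = entry.strip().lower()
        (addresses if "@" in entry else domains).add(entry)

    def classify(self, from_header, spam_score):
        """Return 'deliver', 'block' or 'spam' for one message."""
        address, domain = split_sender(from_header)
        if address is None:
            return "spam"  # unparsable sender: route to the junk folder
        # Exact-address entries are more specific than domain entries, so
        # they are checked first; within a level, block beats safe.
        if address in self.blocked_addresses:
            return "block"
        if address in self.safe_addresses:
            return "deliver"
        if any(domain_matches(domain, d) for d in self.blocked_domains):
            return "block"
        if any(domain_matches(domain, d) for d in self.safe_domains):
            return "deliver"
        return "spam" if spam_score >= SPAM_THRESHOLD else "deliver"


if __name__ == "__main__":
    f = SenderListFilter(safe=["homer@springfield.com"],
                         blocked=["bulkmail.example"])
    for header, score in [("Homer <Homer@Springfield.com>", 9.5),
                          ("deals@bulkmail.example", 0.0),
                          ("deals@bulkmail.example.attacker.test", 2.0),
                          ("unknown@elsewhere.example", 8.0)]:
        print(f"{header:45} -> {f.classify(header, score)}")
```

The order of the checks is the design decision worth noting: a blocked address inside a safe domain still gets blocked, a safe address inside a blocked domain still gets through, and the score threshold is consulted only when neither list has an opinion.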
Anti-Spyware Software
Anti-spyware software emerged as a separate application that targets spyware. It helps protect a user’s personal information while surfing the Internet. The lines between spyware and malware have become blurry, especially since some spyware has started becoming more malicious. Over time, most antivirus software began including anti-spyware elements. However, not all antivirus software protects against spyware, so some users still run separate anti-spyware applications.
Q. Dr. Terwilliger installed code designed to enable his account automatically if he ever lost his job as a sidekick on a television show. The code was designed to reenable his account three days after it is disabled. Which of the following does this describe?
A. Logic bomb
B. Rootkit
C. Spyware
D. Ransomware
The answer is A. A logic bomb is code that executes in response to an event. In this scenario, the logic bomb executes when it discovers the account is disabled (indicating Dr. Bob Terwilliger is no longer employed at the company), and the logic bomb is creating a backdoor. A rootkit includes hidden processes, but it does not activate in response to an event. Spyware is software installed on user systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Ransomware demands payment as ransom.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide
or
Chapter 6 of the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide
for more information on malware and social engineering.