Security+: Types of Malware (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
In the cyber world today, malware (spyware, adware, worms, Trojan horses and so on) has become a commonplace attack vector. These kinds of threats have been around for a long time, but their level of sophistication keeps growing on an almost daily basis. Not only does malware wreak great havoc upon the end user, but it also causes many complications for the security professional, who is tasked not only with determining the point of origin of these attacks but also with finding the best way to prevent them from happening in the future.
It would be one thing if these attacks occurred randomly, but as described, they happen continually, adding to the ever-growing workload of the security professional. Thus, the primary goal of this article is to review the significant types of malware out there and how to deal with them. The content is also angled to serve as a preparatory guide for the Security+ exam, which is offered by CompTIA.
If you are preparing for the Security+ exam, it is essential to have a basic understanding of the following:
- Adware
Adware is a type of malware application that includes advertisements embedded in the software. The advertisements can play before, during or after the installation. The advertisements either earn revenue for the publisher or promote products and services. The term adware is sometimes also used to describe a type of spyware that gathers information about users in order to display ads in their web browser. When the adware becomes so intrusive that it tracks your browsing habits, it becomes something to avoid for security and privacy reasons.
- Viruses
A virus is best described as malicious code that attaches itself to host software. The user has to execute the host software to run it, and when it is executed, the malware also executes. One common way of delivering a virus is through a USB drive: a virus on an infected flash drive will quickly infect the PC as soon as the user plugs it in, and the infected system can then infect any other flash drives the user plugs in. 16 million households have experienced severe virus problems from 2014 to last year.
At present, one of the most efficient means of delivering a virus is to install it onto a USB drive and give that drive to an unsuspecting victim in the hope that they will plug it into their own device. However, this is not the only method; there are others as well, such as drive-by downloads and phishing.
- Worms
A worm is another form of malware. What differentiates it from other types of threats is that it is self-replicating and can infect not just hundreds but millions of computers and wireless devices in a matter of minutes. It works its way into a device by exploiting weaknesses in the operating system in question. Some of the most common ways a worm is delivered are infected attachments and phony websites that are meant to look like the real thing. Worms do not need the “guidance” of a cyber attacker to spread; they do it automatically through the malicious code attached to them. Worms are often confused with viruses, but the two are entirely different from one another: a virus stays local to the device and does not spread itself automatically. Instead, it requires the intervention of the cyber attacker to accomplish this task.
- Spyware
Spyware secretly monitors your internet and device use. Keyloggers are one of the most dangerous forms of spyware. They record screenshots or keystrokes and send them to remote servers operated by adversaries who hope to collect passwords, credit card numbers, Social Security numbers and other sensitive data. Spyware monitoring can link your system’s IP address and MAC address, correlate them with your browsing habits and then associate them with any personal data gathered when you enter data on web forms or register for a course or program online.
- Trojans
A Trojan is often perceived as useful but is malware in the shape of key generators, pirated software, rogueware or something else of a malicious nature. Because it is disguised as legitimate software, it typically tricks users into loading and executing the software file on their systems. Trojans cannot make copies of themselves as viruses do, but they can allow viruses to be installed on the infected machine, since they give control of the system to the Trojan’s author.
- Rootkits
A rootkit is a type of malware that hides deep inside the system that has been compromised, sometimes replacing vital files on the computer. It enables malware and viruses to stay undercover in plain sight by taking the shape of important applications, which means it can remain undetected by your anti-virus software. Rootkits are often used to hide worms, bots and other malware. What is unique about them is that they can go much deeper than the typical virus, even infecting a system’s BIOS, which makes them difficult to remove.
- Backdoors
A backdoor is a form of malware that bypasses standard authentication procedures to gain access to a system. The installation of a backdoor is typically achieved by leveraging vulnerable elements in web applications. A programmer inserts a piece of code in a vulnerable area that enables him or her to access a secure website or system using a password known only to specific individuals or groups. After installation, the files are obfuscated, which makes the backdoor difficult to detect. Backdoor malware also plays an essential role in uniting a group of infected devices into a botnet that can be leveraged for cybercrime.
- Botnets
Hackers use Trojans to infect several computer systems, take control of them and organize them into a “botnet” that can be managed remotely. Cybercriminals will attempt to control as many computers as possible so that they can act as the owner of a large bot or zombie network capable of conducting a massive spam campaign or a DDoS (distributed denial-of-service) attack. Sometimes access to the infected machines is sold to other cybercriminals, who buy or rent the network to conduct large-scale cyber attacks.
- Polymorphic Malware
This is spyware, a Trojan, a worm or a virus that constantly changes, making it difficult for users to detect its existence. The name is derived from the term “morph”, which implies change. The malware’s code evolves in a variety of ways, such as relying on variable keys to perform encryption and changing the filename. It is created by bundling a mutation engine with the malware, which then changes the malware’s appearance by prepending or appending data, or via encryption.
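To show why the mutations just described defeat some detection methods but not others, here is an added example (not code from the original article) that simulates appended data, prepended data and a variable-key XOR layer over a constructed, harmless byte string, then runs three detectors over the variants: an exact-hash blocklist, a static content signature (a hypothetical YARA-style string), and a scan of the decoded form as a memory scanner or sandbox would see it. The payload, signature and key are all constructed for the demonstration.

```python
import hashlib
import os

# Constructed, harmless stand-in for a malicious file body; not real malware.
PAYLOAD = b"CONSTRUCTED-SAMPLE: send captured keystrokes to remote host"
# Hypothetical content signature (like a YARA string) that is invariant
# across plain prepend/append mutations of the payload.
SIGNATURE = b"send captured keystrokes to remote host"

def make_variants(payload: bytes, key: int = 0x5A) -> dict:
    """Simulate the mutations the article lists: appended data, prepended
    data, and a variable-key XOR layer (a stand-in for encryption). The junk
    is random, so every run yields different bytes and different hashes."""
    return {
        "original": payload,
        "appended": payload + os.urandom(16),
        "prepended": os.urandom(16) + payload,
        "xor_wrapped": bytes([key]) + bytes(b ^ key for b in payload),
    }

def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Exact-hash IOC matching: only byte-identical files match."""
    return hashlib.sha256(sample).hexdigest() in blocklist

def signature_hit(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static content signature: survives padding but not encryption."""
    return signature in sample

def unwrap_xor(sample: bytes) -> bytes:
    """Recover what a memory scanner or sandbox sees after the variant's own
    decode step has run: the first byte is the key, the rest is the payload."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])

def runtime_hit(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scan the raw bytes and the decoded form, as a post-unpacking scan would."""
    return signature in sample or signature in unwrap_xor(sample)

def evaluate() -> dict:
    """Map each variant to (hash hit, static signature hit, runtime hit)."""
    variants = make_variants(PAYLOAD)
    blocklist = {hashlib.sha256(PAYLOAD).hexdigest()}
    return {name: (hash_blocklist_hit(v, blocklist), signature_hit(v),
                   runtime_hit(v)) for name, v in variants.items()}
```

Only the original variant matches the hash blocklist; padding variants still match the static signature, and the XOR-wrapped variant is caught only once the decoded form is scanned, which is why layered detection (hashes, content signatures and runtime or behavioural monitoring) is needed against polymorphic malware.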
- Ransomware
Ransomware is defined as follows: “is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively categorized as crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.” (SOURCE: 1). In other words, it demands that you pay a ransom to regain access to your system. Highly skilled computer programmers build ransomware. Users are usually targeted through websites that are already infected with malware or through email attachments. In the latter case, the actual ransomware hides within another legitimate-looking document, which enables it to get past most anti-virus filters.
- Macro Viruses
This kind of virus is typically embedded in Word documents or Excel spreadsheets, and very often arrives as an attachment. Once it is downloaded, the infected macro starts to spread itself throughout the end user’s computer or wireless device. A macro virus is very similar to a Trojan horse, since it may appear benign or “innocent” at first. In this regard, a macro virus simply adds malicious code to what is already found in a single macro. The most significant risk associated with it is that it can spread very quickly and erase or entirely eradicate any data stored in memory.
New malware threats may surface in the next few years, but the forms mentioned above are the ones that currently exist. Bookmark this page and use it as a learning resource when preparing for the Security+ exam.