
Malware

Objectives

  • Define the term "malware" and differentiate between various forms of malware, highlighting their potential to harm computer systems, networks, or user data.
  • Explain the characteristics of viruses, including their attachment to host files, methods of spreading, and triggers for activation.
  • Explore the motives behind creating viruses, encompassing profit, political messages, amusement, software vulnerabilities, sabotage, and cyber security exploration.
  • Differentiate between viruses and worms, emphasizing the autonomous replication and rapid spreading capabilities of worms.
  • Define Trojans as a type of malware, emphasizing their deceptive nature and reliance on social engineering tactics.
  • Define spyware and outline its primary goal of secretly monitoring and collecting information without user knowledge.
  • Identify preventive measures against malware, including the use of antivirus and anti-malware software, regular software updates, and the implementation of firewalls.

Malware is short for malicious software: any software designed to harm, exploit, or compromise the integrity of computer systems, networks, or user data. Malware comes in various forms, each with its own malicious objectives. The categories below are not mutually exclusive; a single piece of malware can combine several of these behaviours.

Virus

The term was first formally defined by Fred Cohen in the mid-1980s. A virus attaches itself to another program or document file (its host); the computer is infected when the user is tricked into running or opening that file. Once executed, the virus can copy itself into other files and so spread through the computer system.

In order to be released, or triggered, a virus requires the user to do something, such as opening a rogue email attachment or running an infected executable. Some viruses also carry a payload that fires only on a separate trigger, for example a particular date or a count of infections, so a system can be infected long before any damage is visible.
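The defensive check that follows from the description above is file-integrity monitoring: because an infector changes the bytes of the host files it attaches to, each infected file's cryptographic hash changes. The following is an added example written for this page, not code from the original; it records a baseline of hashes while the system is known-clean and later reports what changed. The directory layout, file names and the "infection" stand-in (which only appends bytes to one file in a temporary directory) are constructed for the example.

```python
"""Added example (not part of the original page): a minimal file-integrity
baseline, the check that catches a virus attaching itself to host files.
Everything runs inside a temporary directory with constructed sample files;
the names and the infection stand-in are assumptions for the example."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative, POSIX-style path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def simulate_infection(host: Path, marker: bytes) -> None:
    """Stand-in for an appending file infector: it only adds bytes to one file
    inside the temporary directory and never executes or copies anything."""
    with host.open("ab") as f:
        f.write(marker)


def demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ" + b"\x00" * 64)  # constructed host program
        (root / "bin" / "viewer.exe").write_bytes(b"MZ" + b"\x01" * 64)  # constructed host program
        (root / "readme.txt").write_bytes(b"release notes")

        baseline = build_baseline(root)  # taken while the tree is known-clean

        simulate_infection(root / "bin" / "editor.exe", b"APPENDED-STUB")  # host file gains bytes
        (root / "bin" / "dropper.exe").write_bytes(b"MZ" + b"\x02" * 8)    # a new file appears
        (root / "readme.txt").unlink()                                     # a file disappears

        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['bin/editor.exe'], 'added': ['bin/dropper.exe'], 'removed': ['readme.txt']}
```

Two caveats matter in practice. The baseline must be kept where the malware cannot reach it (offline or read-only media), otherwise an infector can simply update the record. And the comparison should be run from a clean boot medium: a memory-resident stealth virus that hooks the operating system's file reads can present the original, uninfected bytes to any scanner running on the infected system.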

There may be many motives for creating a virus, e.g. profit (ransomware), sending political messages, amusement, revealing vulnerabilities in software, sabotage, or simply exploring cyber security issues.

Typical examples of viruses include:

  • memory-resident virus: stays loaded in RAM after its host program has finished, hooking operating-system services so that it can infect other files as they are opened or executed;
  • non-memory-resident virus: when run, scans the system for files to infect, copies itself into them and then exits;
  • macro virus: many programs, e.g. Microsoft Office, allow macro programs to be written that run inside the main program (a Word document, an Outlook email, etc.); the macro is triggered when the user opens the file;
  • boot sector virus: targets the Master Boot Record or boot sector of a hard drive or other storage device, so that it runs before the operating system loads;
  • email virus: intentionally uses the email system to propagate, usually targeting a particular email client (e.g. Microsoft Outlook), harvesting addresses from it and sending itself as an attachment.

Viruses can cause havoc and be very expensive to deal with.

Worm

A worm is another kind of malware but differs from a virus in how it spreads: it does not attach itself to host files. A worm can replicate and spread without any user interaction, usually by sending copies of itself to other machines over the network. Because propagation can be very rapid, worms are a significant threat.

Worms can access systems by:

  • Exploiting vulnerabilities in network protocols or software
  • Email attachments: mass-mailing worms send themselves to addresses harvested from infected machines
  • Drive-by downloads: a user visits a compromised website and the worm is downloaded and run automatically, typically through a browser or plugin vulnerability
  • USB drives: Worms can spread via USB drives and other removable media. If an infected device is connected to a system, the worm may copy itself onto the new device, ready to infect other systems when the device is connected elsewhere.

Once on a system, a worm executes autonomously: it needs no user action or specific event to activate, and it typically starts scanning for further vulnerable hosts as soon as it runs.

Worms can modify or delete files, install other malware, replicate themselves over and over until they exhaust memory, storage space or network bandwidth, steal data, or open a backdoor that gives an attacker remote control of the computer.
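The autonomous scanning just described is also what gives a worm away on the network: an infected host contacts many distinct hosts on the same service port in a short time. The following detector is an added example written for this page, not code from the original; it runs over constructed flow records in the form `<ISO timestamp> <src> <dst> <dport>`. The record format, the 60-second window and the threshold of 8 distinct targets are assumptions.

```python
"""Added example (not part of the original page): flag hosts whose traffic
looks like worm scanning, i.e. many distinct destinations on one port inside
a short sliding window. Flow records are constructed for the example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_sample_log() -> str:
    """Build flow log lines: '<ISO timestamp> <src> <dst> <dport>' (constructed data)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    rows = []
    # Worm-like: one host touches 12 different hosts on TCP/445 within 12 seconds.
    for i in range(12):
        rows.append((base + timedelta(seconds=i), "10.0.0.5", f"10.0.0.{100 + i}", 445))
    # Normal: a workstation talking repeatedly to two web servers.
    for i in range(6):
        rows.append((base + timedelta(seconds=5 * i), "10.0.0.7", f"10.0.0.{50 + i % 2}", 443))
    # Slow but legitimate: a backup agent reaching 10 hosts on 445, three minutes apart.
    for i in range(10):
        rows.append((base + timedelta(minutes=3 * i), "10.0.0.9", f"10.0.0.{200 + i}", 445))
    return "\n".join(f"{ts:%Y-%m-%dT%H:%M:%SZ} {src} {dst} {port}" for ts, src, dst, port in rows)


def parse_flows(text: str):
    """Yield (timestamp, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2], int(parts[3])


def detect_scanners(flows, window: timedelta = timedelta(seconds=60), min_targets: int = 8):
    """Return {(src, dport): peak distinct destinations} for every source that
    contacted at least min_targets distinct hosts on one port inside any
    sliding window of the given length."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        in_window = Counter()  # destination -> occurrences currently inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window from the front.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= min_targets:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for (src, port), n in detect_scanners(parse_flows(constructed_sample_log())).items():
        print(f"possible worm scanning: {src} reached {n} distinct hosts on port {port}")
```

Only 10.0.0.5 is reported. The backup agent reaches as many hosts on the same port, but spread over half an hour, which is why the sliding window rather than a raw count is what separates the two; the flip side is that a worm which deliberately scans slowly will stay under such a threshold, so the window and threshold need tuning against what is normal for each network.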

Perhaps the most famous worm is Stuxnet (discovered in 2010), which was written to sabotage industrial control systems: it targeted the Siemens PLCs controlling uranium-enrichment centrifuges at Iran's Natanz facility and is reported to have damaged a large number of them. Robert Morris became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act following the release of his worm, the Morris worm, in 1988.

Networks of compromised machines under an attacker's remote control are called botnets, and they are a common source of junk email (spam).

Worms almost always cause some harm to a network, if only by consuming bandwidth; a virus modifies the files it infects and often corrupts data on the system. A worm is usually more contagious than a virus, infecting not just the local computer but servers and clients across the local network and beyond.

You can minimise the risk of worms gaining access to a system through a combination of technical measures, user education and proactive security practices, including:

  • Use antivirus and anti-malware software.
  • Apply regular software updates and patches.
  • Implement firewalls to monitor and control incoming and outgoing network traffic.
  • Employ email filtering solutions to scan and block emails containing malicious attachments or links and train users to recognize and avoid phishing emails, as they can be a common vector for worm infections.
  • Educate users about safe browsing habits and the risks associated with downloading files or clicking on links from unknown or suspicious sources.
  • Disable unnecessary services, ports, and features to reduce the attack surface of the system.
  • Use device control measures to restrict the use of external devices, such as USB drives, which could introduce worms to the system.
  • Regularly back up critical data and ensure that backup systems are isolated from the main network. In the event of a worm infection, having reliable backups allows for a quicker recovery process.
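To see what patching and firewall segmentation from the list above actually buy, here is a toy propagation model, added as an example for this page and not taken from the original. It treats a worm purely as "an infected host probes every host it can reach" (nothing is executed or sent) and reports how many hosts are infected after each tick. The 12-host network, the segment layout, the firewall's allowed cross-segment flows and the set of patched hosts are all constructed assumptions.

```python
"""Added example (not part of the original page): how far a worm spreads on a
flat versus segmented network, with and without patching. All hosts,
segments, firewall rules and patch states are constructed for the example."""
import random


def make_network(n_hosts: int, segment_size: int, allowed_cross: set, patched: set):
    """Return (reachable, vulnerable).

    Hosts 0..n_hosts-1 are grouped into segments of segment_size. Traffic
    inside a segment is always allowed; traffic between segments only if the
    (from_segment, to_segment) pair is in allowed_cross (the firewall policy).
    Patched hosts cannot be infected even when reached.
    """
    def segment(h: int) -> int:
        return h // segment_size

    def reachable(a: int, b: int) -> bool:
        return segment(a) == segment(b) or (segment(a), segment(b)) in allowed_cross

    vulnerable = {h: h not in patched for h in range(n_hosts)}
    return reachable, vulnerable


def simulate(n_hosts, reachable, vulnerable, seed_host=0, scan_rate=None, max_ticks=1000, seed=0):
    """Return the number of infected hosts after each tick.

    scan_rate=None lets every infected host probe all reachable hosts each
    tick (the worst case); an integer limits probes per host per tick, which
    slows the worm down but does not change where it ends up.
    """
    rng = random.Random(seed)
    infected = {seed_host}
    history = [len(infected)]
    while len(history) < max_ticks:
        # Stop once no vulnerable, uninfected host is reachable from any infected one.
        remaining = {b for a in infected for b in range(n_hosts)
                     if b not in infected and vulnerable[b] and reachable(a, b)}
        if not remaining:
            break
        newly = set()
        for a in sorted(infected):
            probes = [b for b in range(n_hosts) if b not in infected and reachable(a, b)]
            if scan_rate is not None:
                rng.shuffle(probes)
                probes = probes[:scan_rate]
            newly.update(b for b in probes if vulnerable[b])
        infected |= newly
        history.append(len(infected))
    return history


def scenarios() -> dict:
    """Four constructed 12-host networks; each value is infected-count per tick."""
    patched = {1, 4, 7, 10}            # one third of hosts have the exploited bug fixed
    gateway_policy = {(0, 1), (1, 2)}  # firewall: seg0 may reach seg1, seg1 may reach seg2
    return {
        "flat, unpatched": simulate(12, *make_network(12, 12, set(), set())),
        "flat, one third patched": simulate(12, *make_network(12, 12, set(), patched)),
        "segmented, unpatched": simulate(12, *make_network(12, 4, gateway_policy, set())),
        "segmented, one third patched": simulate(12, *make_network(12, 4, gateway_policy, patched)),
    }


if __name__ == "__main__":
    for name, history in scenarios().items():
        print(f"{name:30s} {history}")
```

On the flat, unpatched network every host is infected after a single tick. Segmentation alone does not reduce the final count, but it adds ticks, which is time in which the scanning behaviour can be detected and the gateway closed; patching removes hosts from the reachable set outright, and the two combined shrink the outcome the most. Limiting `scan_rate` shows the same end state reached more slowly, which is why slowing a worm down is never a substitute for removing the vulnerability it exploits.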

Trojan

A Trojan (short for Trojan Horse) is a type of malware that disguises itself as legitimate or desirable software but in reality contains malicious code. Unlike viruses or worms, Trojans do not replicate on their own; they rely on social engineering tactics to trick users into installing them.

Trojans often masquerade as legitimate and trustworthy software to deceive users. They may present themselves as useful applications, games, or files, enticing users to download and install them.

Once executed, Trojans typically perform their malicious activities silently without the user's knowledge. Users may believe they are installing a harmless program while, in reality, the Trojan is executing its hidden agenda in the background.

Trojans can carry a variety of payloads, enabling them to perform different malicious activities. Common payloads include backdoors for unauthorized access, spyware for data theft, or keyloggers for capturing keystrokes.

Because Trojans do not possess the ability to replicate on their own, every infection starts with a user decision. That is why social engineering (a convincing file name, a fake installer, an urgent-sounding email) is the core of the attack rather than an incidental detail.

To protect against Trojans:

  • Maintain updated antivirus software to detect and remove Trojans before they can cause harm.
  • Exercise caution when downloading and installing software, especially from untrusted sources. Verify the legitimacy of applications before installation.
  • Keep operating systems, software, and security applications up-to-date to patch vulnerabilities that Trojans may exploit.
  • Provide user education and awareness training to recognize phishing attempts and avoid falling victim to social engineering tactics.
  • Implement firewalls and intrusion detection systems to monitor and block malicious network traffic associated with Trojans.
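Both "verify the legitimacy of applications before installation" above and the email-filtering measure in the worm section come down to the same question: is this file what its name says it is? The following screening check is an added example written for this page, not code from the original. It flags an executable hiding behind a harmless extension (by comparing the file's magic bytes with what the extension claims), a double extension such as invoice.pdf.exe, and an Office document that carries a VBA macro project (the macro-virus vector from the virus section). All sample files are constructed in memory; the file names and the extension lists are assumptions.

```python
"""Added example (not part of the original page): screen a download or email
attachment for the common Trojan disguises. Sample files are constructed in
memory; extension lists and file names are assumptions for the example."""
import io
import zipfile

# Leading bytes (magic numbers) of common executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"#!": "script with an interpreter line",
}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "hta", "sh"}
DOCUMENT_EXTENSIONS = {"pdf", "txt", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "zip"}
PK_ZIP = b"PK\x03\x04"  # OOXML files (docx, xlsx, pptx, docm, ...) are zip containers


def executable_type(data: bytes):
    """Name the executable format the bytes start with, or None."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container holds a macro project (word/vbaProject.bin and similar)."""
    if not data.startswith(PK_ZIP):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to block or quarantine the file; an empty list means nothing found."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double extension: document name in front of an executable suffix")
    kind = executable_type(data)
    if kind and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"content is a {kind} but the .{ext or '(none)'} extension claims otherwise")
    if has_vba_project(data):
        findings.append("Office document contains a VBA macro project")
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal docx-shaped zip; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    samples = {  # constructed inputs
        "report.pdf": b"%PDF-1.7\n%constructed\n",
        "holiday_photo.jpg": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,  # PE bytes behind an image name
        "invoice.pdf.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,
        "quarterly.docx": build_ooxml(with_macro=False),
        "quarterly.docm": build_ooxml(with_macro=True),
    }
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:20s} {findings or 'clean'}")
```

A finding is a reason to quarantine and inspect, not proof of malice: a .docm legitimately contains macros, and a script mailed by a colleague is still a script. What the check does rule out is the cheapest disguise, where the only thing saying "this is a photo" is the file name. Windows hides known extensions by default, which is exactly why invoice.pdf.exe displays as invoice.pdf to many users.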

Spyware

Spyware is designed to secretly monitor and collect information about a user's activities, without their knowledge or consent. It can capture keystrokes, log browsing history, record login credentials, and gather sensitive personal information.

The primary goal of spyware is to obtain valuable data for malicious purposes, such as identity theft, financial fraud, or unauthorized surveillance. Unlike viruses, worms, or Trojans, spyware is not typically associated with damaging the system or replicating itself; its value to the attacker lies in staying unnoticed for as long as possible.

To protect against spyware, users often use dedicated anti-spyware or anti-malware software that can detect and remove these types of threats. Users are advised to practice safe browsing habits, avoid clicking on suspicious links, refrain from downloading software from untrustworthy sources, and regularly update their security software.

Questions

1. What is malware primarily designed to do?

2. How does a virus typically spread and infect a computer?

3. Which of the following best describes a worm?

4. What is the primary goal of spyware?

5. Which malware type does NOT replicate on its own and relies on social engineering tactics?

6. What was the primary purpose of the Stuxnet worm?

7. Which of the following is NOT a type of virus?

8. How does a worm typically enter a system?

9. What is a key difference between a virus and a worm?

10. Which of the following is a common method to protect against Trojans?