What can Malicious Software do to you?


Malicious software consists of programs that make your computer sick. These applications can perform a variety of nasty tasks, such as stealing personal information, slowing your computer down, or launching attacks at other systems. Many people consider all malicious software to be viruses. However, this is not the case: there are many different types of malware, such as viruses, worms, rootkits, backdoors/Trojans, botnet agents, and keyloggers, to name a few. Each of these threats is malicious in nature, but the intent of the threat (or payload) is different.

VIRUSES: Viruses are programs designed to replicate and spread to other computers. Although the term virus is often given a negative connotation, a virus is not necessarily malicious; some viruses have been known to carry a benevolent payload. That being said, the majority of viruses are malicious in nature, and any program that performs unauthorized modifications of files should be considered undesirable. A traditional virus will generally require a user to perform some action in order to launch the virus program and allow it to infect the system and propagate. To make this process less obvious, viruses frequently attach themselves to other executable files on a system and then run along with an authorized program. Viruses also hide as safe file types by overloading the displayed file extensions on Windows, for example a photo.jpg.exe file, which may appear to be a picture but is actually a program in disguise (it is not the best disguise, but it works well enough for people to keep using this technique). Fortunately for the virus writers (and less fortunately for the security staff), users are often all too eager to run these applications, triggering an infection. Some virus infections can be prevented simply by preventing users from installing applications locally without authorization (the "lock down"). Other viruses are able to install, run, and spread on any type of user account.
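The photo.jpg.exe trick works because Windows hides the extension of known file types by default, so the user sees only photo.jpg. The following is an added example, not code from the original article, showing how a defender can flag such names in a directory listing: a file whose real (final) extension is executable while an earlier extension promises a harmless image or document. The extension lists and the displayed_name rule are illustrative assumptions, not a complete catalogue of Windows behaviour.

```python
"""Detect the double-extension disguise (photo.jpg.exe) described above.

Added example, not from the original article. Windows hides the extension
of known file types by default, so photo.jpg.exe is shown as photo.jpg.
The extension sets below are illustrative assumptions, not exhaustive.
"""
import os

# Extensions that run as code when opened on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}
# Extensions a user reasonably expects to be inert data (illustrative).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt", ".mp3", ".mp4", ".zip"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def split_extensions(name):
    """All extensions of a filename, lowercased and in order.
    'a.JPG.Exe' -> ['.jpg', '.exe']; 'README' -> []."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped when it is a known type (assumption:
    every extension in KNOWN_EXTS counts as known)."""
    base = os.path.basename(name)
    exts = split_extensions(base)
    if exts and exts[-1] in KNOWN_EXTS:
        return base[: -len(exts[-1])]
    return base


def is_disguised_executable(name):
    """True when the real (final) extension is executable and an earlier
    extension suggests a harmless file type."""
    exts = split_extensions(name)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in DECOY_EXTS for ext in exts[:-1])


def scan(names):
    """Return (real name, name as displayed) for every disguised file in a listing."""
    return [(n, displayed_name(n)) for n in names if is_disguised_executable(n)]


# Constructed sample directory listing; these are not real files.
SAMPLE_LISTING = ["holiday.jpg", "photo.jpg.exe", "report.pdf",
                  "invoice.pdf.scr", "setup.exe", "notes.txt", "archive.zip.js"]

if __name__ == "__main__":
    for real, shown in scan(SAMPLE_LISTING):
        print(f"user sees {shown!r}, but the file is really {real!r}")
```

Note that setup.exe is not reported: a plain executable is not a disguise. The check is cheap enough to run on mail attachments or a download folder, and the same idea applies to the equivalent of "hide known extensions" on other platforms.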
WORMS: A worm, on the other hand, is a type of virus that is able to spread without any user interaction. You might wonder, how is this possible? Computers have a tendency to like to talk and share with each other; they apparently get lonely or something. And like teenage girls, the things they talk about don't make much sense to the normal person (although personally, I'd take a packet capture any day, but we've already established that I don't fit into the normal category). Many times, certain services will be allowed to talk to each other on the network, and others will be restricted (in the context of people, consider a situation where texting is permitted, but Skype is not). Unfortunately, some of these services have vulnerabilities that may be exploited. Suppose, for example, there was a bug in your cell phone whereby a specially crafted text message would cause the phone to explode. This would be considered a wormable vulnerability, since it could be exploited without any user activity or intervention. Let's take this example one step further, and have the phone text your entire address book (or a subset of it) prior to executing the explode message. As you can imagine, the impact of this interaction would be immediate and significant. Some of the most devastating computer worms have spread in a similar manner, compromising the majority of vulnerable machines on the Internet in hours or even minutes.

TROJAN HORSES: A Trojan horse is even more valuable to an attacker, since it is often used to gain full control of a system and hand that control to an outsider. Trojans are widely used to provide a means of access to a system from the Internet. The bad guys love to have anonymous systems available on the Internet that they can use for whatever purposes they require.
A system compromised with a Trojan horse can be used to steal information (through keystroke or screen logging), modify or delete files, act as an anonymous proxy for Internet browsing, or serve as a pivot point for compromising other systems. Because of the many uses for a compromised system (including the possibility of financial gain for the attacker), Trojan horses represent one of the most popular forms of malware in use on the Internet today.

BOTNETS: When a single party controls a large number of compromised machines, a botnet is formed. A typical botnet is composed of many machines that were initially compromised by a Trojan horse or a similar method. These nodes, or zombies, connect back to centralized controllers for instruction. A large botnet is essentially an army of individual machines across the Internet, which can be deployed for any purpose the master desires. Unfortunately, botnet owners often have much more sinister goals than calculating larger and larger versions of pi. These botnets are often used for illegal activities such as distributed denial of service attacks or information theft. A distributed denial of service attack occurs when a large number of machines repeatedly connect to a website or server to the point where it becomes overloaded. Consider what would happen if Amazon decided to sell TVs for $1 each on Christmas Eve: the sheer volume of visitors would bring the site to a crawl and quite possibly prevent Amazon from being able to process other orders during this surge in traffic. This technique is often used for political protest reasons, where a botnet owner will launch attacks against sites they find undesirable in order to make them unavailable. Other botnet agents may install keyloggers and form grabbers to steal information such as passwords, banking account information, or personal information such as social security numbers.
This information can be used to manipulate victims' banking accounts, open or raid accounts, or purchase items in their names. The moral of the story is that malware is bad, and different types of malware are bad in different ways. If there are topics you would like to see us explain, let us know!
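The distributed denial of service described in the botnet section has a recognisable shape in a web server's logs: request volume jumps, and the requests come from many distinct addresses rather than one. The following is an added example, not code from the original article, that groups constructed access-log lines into fixed time windows and flags a window only when both the request count and the number of distinct sources exceed a threshold, which separates a distributed flood from a single noisy client. The log format (ip, ISO timestamp, path), the one-minute window and the thresholds are assumptions for illustration.

```python
"""Spot the traffic pattern the botnet section describes: many distinct
machines hitting one server at the same time.

Added example, not from the original article. The log format
("<ip> <ISO-8601 timestamp> <path>"), the window size and the thresholds
are assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One request per line in the assumed format.
LOG_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ts>\S+) (?P<path>\S+)$")


def parse_line(line):
    """Return (ip, timestamp, path), or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return m["ip"], ts, m["path"]


def requests_per_window(lines, window_seconds=60):
    """Group requests into fixed windows: {window_start_epoch: Counter(ip -> hits)}."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts, _ = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1
    return windows


def flag_floods(lines, window_seconds=60, min_requests=100, min_sources=20):
    """Windows whose volume AND source diversity both exceed the thresholds.

    One address sending 200 requests is a different problem (rate-limit that
    client); a distributed flood is many addresses, each sending a little."""
    alerts = []
    for start, hits in sorted(requests_per_window(lines, window_seconds).items()):
        total = sum(hits.values())
        if total >= min_requests and len(hits) >= min_sources:
            alerts.append((start, total, len(hits)))
    return alerts


def build_sample_log():
    """Constructed log, not captured traffic: a quiet minute from three
    clients, then a minute in which 40 addresses (203.0.113.0/24 is a
    documentation range) each send five requests to /login, 200 in total."""
    lines = [f"198.51.100.{i % 3 + 1} 2024-01-01T10:00:{i * 10:02d} /index.html"
             for i in range(6)]
    for n in range(40):
        for k in range(5):
            lines.append(f"203.0.113.{n + 1} 2024-01-01T10:01:{(n + k) % 60:02d} /login")
    lines.append("this line is garbage and must be skipped")
    return lines


if __name__ == "__main__":
    for start, total, sources in flag_floods(build_sample_log()):
        when = datetime.fromtimestamp(start).isoformat()
        print(f"{when}: {total} requests from {sources} distinct sources")
```

Only the second minute is reported. A real deployment would tune the thresholds to the site's normal traffic and pair this with the per-client rate limiting that handles the single-source case, but the two-condition rule is the core of telling a flood from a busy sale day.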

- By Hemant Pandya, Pre-Sales Consultant - Security at Redington Gulf, Hemant.pandya@redingtongulf.com, Riyadh, Saudi Arabia
