Script - CriptoRed

VIDEO intypedia006en
LESSON 6: MALWARE
AUTHOR: Bernardo Quintero
Hispasec – Virustotal Founder
ALICE
Hello and welcome to Intypedia. Today we will talk about the exciting world of malicious codes and the business that surrounds them. Join us!
SCENE 1. INTRODUCTION TO MALWARE: CONCEPTS
ALICE
Hi Bob! I wanted to ask you something about my computer. Lately, many pop‐up ads appear randomly, without me doing anything. I've also noticed that it runs rather slow when browsing the Internet... Do you think it could be infected by a virus?
BOB
It could be some kind of malware. If you want to, I can take a look and see if we can find the cause of that strange behaviour.
ALICE
Great, here you go. You said it could be some type of malware... Is that a type of virus?
BOB
Malware is a generic term to refer to any malicious or annoying software that is installed in the system. Another characteristic is that they carry out unwanted actions without the user's consent. Computer viruses are actually a subset within the larger malware family, like other specimens such as worms, Trojan horses, adware, keyloggers, diallers, etc.
Script Intypedia006en 1
ALICE
Wow, I didn't know there were so many types of malware! What are the differences between them?
BOB
Computer viruses have the ability to attach or embed themselves onto other software, self‐replicating to infect other programs. This way, a legitimate application, such as a computer game or an accounting program, could get infected with a virus if it comes into contact with it on an infected system. Worms don't have the ability to enter and infect other programs. Instead, they replicate by making copies of themselves. One of the best known worms, for example, was ILOVEYOU, which replicated by sending a copy of itself via email pretending to be a love letter. If someone opened the file containing the alleged love letter, the worm would execute itself and send a message to the user's entire contact list. Adware is any software that presents unwanted or non‐consented advertisements to the user. Keyloggers are programs that capture keystrokes, so that they act as spies of what the infected user types into his system. Diallers make premium rate calls through a modem, with the consequent increase in the telephone bill of the affected users. Trojan horses deserve a special mention due to their current distribution. Trojan horses—unlike viruses and worms—are unable to infect other programs or self‐replicate and are usually presented as a legitimate program, waiting for the user to accept it and run it. In fact, the name comes from the famous wooden horse the Greeks used to enter the city of Troy, making them believe that it was a gift when, in fact, soldiers ready to attack were hidden inside. Nowadays, Trojan horses represent the largest family within malware and can be divided into many subspecies. Thus we speak of backdoor Trojan horses, which install a backdoor that allows an attacker to access the system, banking Trojan horses, which specialize in stealing login credentials to online banks, etc.
ALICE
How interesting! So the windows that appear on my computer can be caused by adware... Are there any other types of malware?
BOB
Yes, there are many more. And malware can be classified in different ways according to different criteria: distribution mechanisms, system installation methods, the way they are remotely controlled, etc. Nowadays, malware specimens usually have many features, so they are usually classified according to their main feature. For example, there could be a Trojan horse with rootkit capabilities able to remain hidden from expert users and security solutions. It could also be a bot in a network of infected computers that are remotely controlled. At the same time, it could make advertisements appear and capture keystrokes, so it would also be part of the adware and keylogger families. That is, it would be a Trojan horse‐rootkit‐bot‐adware‐keylogger... All in one! In fact, this example is quite common.
SCENE 2. MALWARE DISTRIBUTION. HOW DO THEY INFECT?
ALICE
Bob, now I have a much better understanding of the different types of malware. Perhaps Trojan horses and adware are the most common. How do they infect computers?
BOB
Nowadays, most malware is distributed via the Internet. One of the most common methods is known as the "drive‐by download". It downloads and runs the malicious file, for example through the Web or by executing an attachment received via email, like a malicious PDF file. In many cases, the user is deceived into believing that a program or data is useful for them, for example, software to play video. In other cases, the infection is hidden from the user, who just has to visit a Web page that takes advantage of vulnerabilities in the Web browser to download and execute the malware. However, nearly any Internet protocol can be used to distribute malware, for example, P2P or instant messaging. We mustn’t forget about physical storage devices that can propagate malware; distribution through USB drives is very common.
SCENE 3. THE BUSINESS OF MALWARE
ALICE
Bob, there's something I don't quite understand: why would anyone want to create malware? Perhaps to prove their intelligence?
BOB
Well, more or less. When the first computer viruses appeared, malware writers were very skilled in assembly language programming and their only purpose was to experiment and show off their abilities to others. We can say that the beginning was a "romantic" decade, given that virus writers had no profit purposes. Today, the situation is very different: there is a whole business of malware and there is real organised crime behind these creatures.
ALICE
But how can they make money with malware? Where is the profit?
BOB
There are many ways to earn money through malware. For example, there are specimens specialized in financial crimes, like Trojan horses that steal login credentials to online banking, so that attackers can transfer money from the victim's account. This type of malware is also known as crimeware. Another example would be adware that makes money by selling intrusive advertisements on infected computers. Often, advertisers are unaware of these practices and think that they are paying for legitimate advertising campaigns. Similarly, there is malware that sends spam: mass mailing advertisements sent through infected systems. Botnets are collections of compromised computers which are used in many cases to perform distributed denial‐of‐service attacks against websites, such as online stores. Basically, thousands or even millions of infected computers are ordered to visit or send traffic to a website, causing it to collapse. In these cases, the sites are extorted in exchange for not being attacked. But that's not all... There are many other scams associated with malware. We have the ransomware type of malware, based on blackmail. It encrypts documents and photos on the infected computers and demands a ransom if the user wants to receive the password to decrypt and recover them. Another upcoming fraud model is classified as rogueware, which is a fake antivirus that charges users to eliminate alleged infections. Obviously, these products don't remove anything; all the detections and alleged disinfections are false. The only certainty is that the user will have paid for scam software.
SCENE 4. COUNTERMEASURES: DETECTING AND REMOVING MALWARE
ALICE
How's my computer analysis going, Bob? Have you discovered anything?
BOB
Yes, I found two specimens of malware installed: "AdWare.Win32.Axarq.a" and "Trojan.Bredolab". The first one is what caused those annoying pop‐up ads. The second was a Trojan horse that received remote orders, so your computer was part of a botnet. It's likely that you were first infected with "Trojan.Bredolab" and that, a few days later, this Trojan horse downloaded and installed the adware onto your computer. A hypothesis is that your computer was infected automatically while you were surfing the Web, since you are using an old version of Internet Explorer that has vulnerabilities.
ALICE
But I have an antivirus installed and updated. Shouldn't it have protected me?
BOB
An antivirus is a recommended security solution, but it's not foolproof. Although many antiviruses implement heuristic systems, generic signatures and behaviour‐based detection to try to identify new specimens, the truth is that much of the protection provided against next‐generation malware is still reactive. That is, there will always be a certain number of cases where the antivirus cannot protect effectively.
ALICE
Would it be safer to install a different operating system other than Windows? Maybe Linux or Mac?
BOB
All operating systems are prone to malicious software. In fact, there are many specimens specially designed for Linux and Mac. However, it is true that the vast majority of malware is designed for Windows since it is widely used. Don't forget that malware is a business and, therefore, its creators try to maximize benefits by affecting as many victims as possible. That is, although any operating system may get infected, it is true that Windows has more possibilities. My recommendation is to use the operating system and software that best suits your needs in general.
ALICE
So what do you recommend to prevent these infections?
BOB
Nowadays, the most important thing is to update the operating system and software on your computer, especially some critical applications such as PDF viewers or office suites. Don't forget to update your Web browser and the most popular extensions that allow you to view multimedia content such as videos, Flash, etc. Of course, even if it's not an infallible measure, having an updated antivirus program installed adds one more layer to the security of your computer. In any case, to this we must add common sense and a critical attitude before executing unknown programs or before clicking on links received by e‐mail. These simple guidelines will prevent many dangerous situations.
ALICE
Thanks Bob! I will follow your advice.
BOB
Well, Alice, I've removed the malware from your computer and have upgraded the operating system and all your applications. That's enough for today. On the Intypedia website you will find additional documentation for this lesson. Goodbye!
ALICE
See you at our next lesson!
Script adapted to the Intypedia format from the document delivered by Bernardo Quintero
Madrid, Spain. April 2011
http://www.intypedia.com
http://twitter.com/intypedia