Malware 101: An IT primer on malicious software
This feature first appeared in the Winter 2015 issue of Certification Magazine.
Malware is perhaps the most dangerous threat to the security of the average computer system. Research by Microsoft recently estimated that 17.8 percent of computers worldwide were infected by malware during a three-month period. That is an astonishing number that underscores the clear and present danger posed by malicious software on the modern internet.
Information technology professionals must educate themselves about the risks posed by malware and use that knowledge to defend their organizations against the malware threat. In this article, we provide background information on malware and describe ways that you can create a defense-in-depth approach to protecting your computing assets.
What is malware?
Malware is a shorthand term for “malicious software.” While software developers normally create programs for a useful purpose, such as editing documents, transferring files, or browsing the web, some have more malicious intent in mind. These developers create malware that they design to disrupt the confidentiality, integrity, or availability of information and computing systems. The intent of malware varies widely — some malware seeks to steal sensitive information while other malware seeks to join the infected system to a botnet, where the infected system is used to attack other systems.
The three major categories of malware are viruses, worms and Trojan horses. They mainly differ in the way that they spread from system to system. Viruses are malware applications that attach themselves to other programs, documents, or media. When a user executes the program, works with the document, or loads the media, the virus infects the system. Viruses depend upon this user action to spread from system to system.
Worms are stand-alone programs that spread under their own power. Rather than waiting for a user to inadvertently transfer them between systems, worms seek out insecure systems and attack them over the network. When a worm detects a system vulnerability, it automatically leverages that vulnerability to infect the new system and install itself. Once it establishes a beachhead on the new system, it uses that system's resources to begin scanning for other infection targets.
Trojan horses, as the name implies, are malware applications that masquerade as useful software. An end user might download a game or utility from a website and use it normally. Behind the scenes, the Trojan horse carries a malicious payload that infects the user’s system while they are using the program and then remains present even after the host program exits.
Hackers create new malware applications every day. Many of these are simple variants on known viruses, worms and Trojan horses that hackers alter slightly to avoid detection by antivirus software. Some viruses, known as polymorphic viruses, actually modify themselves for this purpose. You can think of polymorphism as a disguise mechanism. Once the description of a virus appears on the “most wanted” lists used by signature-detection antivirus software, the virus modifies itself so that it no longer matches the description.
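To make the "most wanted list" idea concrete, here is a small Python scanner added for this primer (example code, not from the article or any antivirus product). It compares two signature styles, an exact SHA-256 file hash and a byte pattern with wildcard positions, against constructed, harmless byte strings; the family name "stage2-loader" and the samples are invented for the demo.

```python
import hashlib
import re
from typing import Optional

# Constructed, harmless byte strings standing in for files on disk (not real malware).
ORIGINAL = b"MZ\x90\x00decrypt key=\x11\x22 then run stage2\x00\x00"
VARIANT = b"MZ\x90\x00decrypt key=\x33\x44 then run stage2\x00\x00"  # two bytes changed
REWRITTEN = bytes(b ^ 0x5A for b in ORIGINAL)  # every byte changed: a polymorphic-style copy

# Hypothetical signature database: exact file hashes and byte patterns with wildcards.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest(): "stage2-loader.a"}
PATTERN_SIGNATURES = {
    # ".." matches any two bytes, so a changed key still matches this description.
    "stage2-loader": re.compile(rb"decrypt key=.. then run stage2", re.DOTALL),
}


def hash_match(data: bytes) -> Optional[str]:
    """Return the family name if the file's exact SHA-256 is on the 'most wanted' list."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())


def pattern_matches(data: bytes) -> list:
    """Return the names of all wildcard byte patterns found anywhere in the data."""
    return [name for name, rx in PATTERN_SIGNATURES.items() if rx.search(data)]


def scan(data: bytes) -> dict:
    """Combine both signature styles the way a simple on-access scanner would."""
    return {"hash": hash_match(data), "patterns": pattern_matches(data)}


if __name__ == "__main__":
    # The exact hash catches only the original; the wildcard pattern also catches the
    # two-byte variant; the fully rewritten copy matches neither, which is the gap
    # that behaviour-based controls such as detonation sandboxes are meant to close.
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT), ("rewritten", REWRITTEN)]:
        print(label, scan(sample))
```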
Malware and the Advanced Persistent Threat
Recently, a new type of attacker emerged on the information security horizon. These attackers are groups known as Advanced Persistent Threats (APTs). APTs differentiate themselves from a typical hacker because they are well-funded and highly talented. The typical APT receives sponsorship from a government, a national military, or an organized crime ring.
While normal attackers may develop a malware application and then set it free, seeking to infect any system vulnerable to the malware, APTs use a much more precise approach. They carefully select a target that meets their objectives, such as a military contractor with sensitive defense information or a bank with sensitive customer records. Once they’ve identified a target, they study it carefully, looking for potential vulnerabilities. They then select a malware weapon specially crafted to attack that particular target in a stealthy manner.
The advanced nature of APTs means that they have access to malware applications that are custom-developed and unknown to the rest of the world. These attacks, known as zero-day attacks, are especially dangerous because signature-based detection systems do not know they exist and are unable to defend against them.
One of the most well-known examples of an APT in action was an attack in 2010 using malware termed “Stuxnet.” In this attack, believed to have been engineered by the U.S. and Israeli governments, malware infected and heavily damaged an Iranian uranium enrichment plant. Analysis of the malware by security researchers later revealed that it was very carefully developed by talented programmers with access to inside information about the enrichment plant.
Defending against malware
Organizations seeking to defend themselves against malware attacks should begin by ensuring they have active and updated antivirus software installed on all of their computing systems. This is a basic control, but one where organizations often fall short. There are many quality signature detection products on the market that will help protect systems against known threats. This base level of protection will easily defend against the majority of attacks.
Of course, these signature detection systems are not effective against zero-day attacks. That’s where more advanced systems come into play. Businesses seeking defense against APT-style attacks should consider implementing advanced malware defense techniques, such as application detonation and browser isolation. Application detonation systems “explode” new software in a safe environment and observe it for signs of malicious activity. New applications are only allowed on endpoint systems after passing this test.
The most common source of malware infection is unsafe web browsing. Users visit a website containing malware and inadvertently download a file containing malicious code that installs on their system. Education and awareness programs can help reduce this threat, but browser isolation systems go a step further. In this approach, users browse the web through an isolation appliance located outside of the network firewall. The isolation appliance handles all of the web processing and presents the user with a safely rendered version of the website. Any code execution takes place on the appliance and never reaches the end user’s system, isolating it from the malware.
If you are unlucky enough to experience a malware infection, you have a few options at your disposal. If it is a straightforward infection, your antivirus software may be able to completely resolve it. If you experience more complex symptoms, you may need to either rebuild the system from scratch or call in a malware removal specialist.
Malware and you
Would you like to become a malware specialist? If you plan to design or implement a malware defense program for your organization, many of the basic security certifications may come in handy. The Security+, SANS GIAC Security Essentials and CISSP certifications all offer basic training in malware prevention, removal and analysis.
If you’re looking to dive more deeply into malware studies, consider pursuing the SANS GIAC Reverse Engineering Malware (GREM) certification. This certification program prepares individuals to perform advanced analysis of malware for forensic investigations, incident response and system administration. Candidates for the credential must successfully pass a two-hour 75-question examination with a score of 70.7 percent or higher.
Malware remains the most common threat to cybersecurity today. Thousands of viruses, worms and Trojan horses exist on the Internet, seeking to quickly pounce on vulnerable systems. You can defend your organization by educating yourself on the threat, installing antivirus software and considering the deployment of advanced malware defense mechanisms.