This lesson presents material from chapter 10. Objectives
important to this lesson:
What is malware?
Viruses and worms
Trojan horse issues
Spyware, adware, scareware, ransomware
chapter, like several others, should be familiar material to most
people in this class. It begins with a definition, telling us that
malware is a category that includes software that may be annoying, intrusive, bothersome, hostile, or destructive.
It includes software that only displays advertising or prank messages,
as well as software that has infected, disabled, or destroyed systems
and applications. More modern instances have been used to extort money from victims
(ransomware) or steal personal information or payment card information.
This list is not exhaustive, but it applies to many malware
The text goes into some detail about several types of malware.
The first two are there to viruses and worms.
viruses - A virus typically
requires a carrier to infect a system, like an email, an instant
message, or a program that the user runs. A virus typically has two
tasks: replicate and damage. Some viruses have historically been rather
benign, just displaying a message to the user. Others have been
worms - Once it is started, a worm can replicate
itself across connected computer systems by itself. It does not
need a carrier. A worm can attack any running computer that is
connected to a network that an infected computer is on. It does not
require cooperation from the user. Worms are more dangerous due to
their self driven nature. Once a worm is detected in a system, each
device on the network must be scanned for it, cleaned if necessary, and
prevented from accessing the network until this is done. Until that
cleaning is done, you run the risk of continued propagation of the worm.
The text discusses several more
types that are notable for their method of hiding from a user or an
Trojan horse - Trojan horse
programs are named for the myth of a wooden horse
that was used to smuggle Greek soldiers inside the walls of Troy. A
program of this sort has two aspects: what we are told it does, and
what it actually does. In some cases, Trojans may do
what they say, but they also have a hidden malicious purpose which is
what puts them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. The text gives an example of a file
that has a .exe extension, but the characters .docx occur in the name
immediately before it. If a Windows computer is using the default
(idiotic!) configuration, the actual .exe extension will be hidden
from the user, and the user may think it is only a Word document.
The text seems to discuss Trojans for several pages, but the threats
and capabilities it describes on pages 251 through 256 apply to other
malware types as well. The essence of a Trojan horse is that it
deceives the victim, not what it does after the deception.
rootkit - A rootkit replaces all or parts of
operating system files
with its own. The rootkit obtains elevated privileges
to carry out its stealth actions by impersonating
files that run in kernel mode. By impersonating OS files, the rootkit
opens a door for lots of other malware. How? Have you
ever seen a movie about a robbery in which the robbers send false
information to security staff (like a video loop) that shows
all is well, while the robbers proceed to steal whatever they want?
That's kind of what a rootkit does. The rootkit assumes the role of a
trustworthy part of the operating system. It will stand between the user
and security software on one side, and other malware
that it loads, doing whatever it wants on the other side.
spyware - Spyware is typically a program that loads
with another program that the user wants. It may, or may not, be a
separate file. It gathers information about the user, which it reports
to its home base.
ransomware - Ransomware hides itself, but also
announces its intentions when it runs, which are to demand a payment
from the victim.
If the payment is not made, files that the ransomware has already
encrypted (which could be the entire hard drive) will be deleted, or
will remain encrypted until a higher payment is made later. The user is
led to believe that they have no other recourse, which may not be true,
and that their computer will be restored if the ransom is paid, which
also may not be true.
backdoor - This is
a general term for any method or software that allows access to a
system by other than normal means. The text mentions password crackers,
rootkits, services that make themselves available on a known port, and
hidden processes started by an attacker
.Software that creates a sense of fear and urgency in the mind of the
victim, often to get them to buy a product that has no real value. This
video below discusses (at length) a particular vendor who seems to be a
classic example, making the lies told to the victim scarier and scarier.
On page 258, the text starts a separate category for covert communication, which includes
several methods listed at the bottom of that page. The idea is to send
information to an attacker without that information being noticed. In
the pages that follow, the text discusses some related hacking programs:
key loggers -
programs that capture what is typed on a keyboard; a log of this
information is sent to or harvested by a hacker, often being
transmitted by covert methods
port redirection -
The text discusses an example program, Netcat, which can be used for
several unclean and unsavory actions across a network. This
link will take you to an article on Github about this utility. It
shows you how to test ports, copy files and folders, and capture
traffic sent to a particular port.
The text presents some thoughts about defense. It
begins with a warning that a virus can come in an email, on a memory
stick, on a disc, or by any other means that adds a new file to a
network or a computer.
Network connection is not the only way to pass a virus. This is worth
remembering, as is the advice to clean everything that is or has been
in contact with a computer that has been infected.
In a well managed
environment, users would not be allowed to install any software except
by approved means, and even then only curated programs that had been
examined, tested, and approved by properly trained staff.
Antivirus software is highly recommended. There are
many well known vendors. The text does not list any brands. A
list of ten brands is reviewed in this
article from PC Magazine. I have enjoyed their reviews for many
years. The text explains that most antivirus products examine files and
processes in memory for similarities to the code signatures of
known viruses. If you buy and install an antivirus product, you
typically have a one year subscription to their updated signature files
which should be downloaded to your computer frequently to maintain the
best protection available for that product.
Some products also feature heuristic
scanning, which means
that the antivirus program can look for activity in the system that
matches the known activities of viruses. This is different from looking
for a similarity to a known program itself. It offers a second line of
defense that can be valuable.
In both cases, protective software products mainly guard
against known threats. A new virus that exploits an
unknown exploit might not be detected by such a product. The text
refers to an attack from such a virus as a zero-day attack,
meaning that victims, and the world in general, have had zero days of
notice about the exploit. For this reason, it is best to update your
antivirus and anti-adware signature files every time there is an update
from your vendor. It is also important to practice safe computing:
do not expose your computer to hazards that can be avoided.
Configure your protective software to scan new files that
are added or downloaded to your computer. Your text refers to this as
using the shield function of the product.
Run regular scans on the entire hard drive.
Update signature files often, but be aware that a
new signature file means that a new exploit may have been attacking
computers for an unspecified amount of time.
Review items that the protective software has placed in the
vault (or quarantine) area it has set aside
for detected threats. Files in this area are not trophies. They are
live threats stored in a part of the hard drive where they,
theoretically, cannot be executed. This area is available for
examination by forensic staff who are looking for clues or data about
Consult the website of your vendors for data about known
exploits, new updates, and new signature files to protect against
When there has been a successful infection of a machine under
your protection or responsibility, try this procedure:
Disconnect the affected computer from the network.
This means wired and wireless connections.
Use a clean computer to download a cleaning tool
from a trusted vendor. Install or save it on
Use the removable media to run or install
the cleaning tool on the infected computer.
Scan, quarantine, and clean the
infected computer if all three are possible.
Follow special instructions for the situation at
hand. In the early days of a new virus, it is less likely that a simple
scan and clean will be all you need to do.
Lab 5 is due this week, and Lab 6 is assigned, due next week.