Topic 3 - Malicious Code


ITI581 CYBER SECURITY FUNDAMENTALS

Topic 3
Malicious Code
Topic Reading

• Chapter 3: Malicious Code.

• Interact content.
Malware

• Malware describes a broad range of software that is designed specifically to cause harm to systems, devices, networks or users.

• Can be used to gather information, gain unauthorized access, elevate privileges and perform unwanted actions resulting in breaches to C, I or A.

• Comes in many forms:
  • Ransomware.
  • Remote Access Trojans (RATs)/Trojans.
  • Bots.
  • Command-and-control.
Ransomware

• Increasingly common malware that takes over target systems and demands a ransom.

• Crypto ransomware encrypts target systems, rendering them useless, until a ransom is paid.

• Other ransomware may threaten to release confidential information unless a ransom is paid.

• Can be very difficult to recover from, but the best protection is a plain and simple backup.

• Cryptanalysis can be difficult and often fruitless.


Trojans

• Software that masquerades as legitimate software but actually provides unauthorized access to attackers.

• Require some form of human interaction to spread and operate.

• Remote Access Trojans (RATs) provide unauthorized remote access.

• Often combated using antimalware tools and security awareness training.


Worms

• Are self-replicating.

• Often associated with spreading via attacks on vulnerable services but can
also propagate through automated means such as e-mail or file shares.

• Because they can self-install without human interaction they can be quick
to spread and difficult to stop.
Rootkits

• Malware specifically written to permit unauthorized access to systems via a backdoor.

• Modern rootkits are very good at concealing their presence through:
  • Use of filesystem drivers.
  • Infection of master boot records (MBR) of disks.

• Detection can be tough because systems infected with rootkits are untrustworthy.

• Best to use a trusted system to inspect suspected infected systems.

• Rootkit detection looks for signatures and known behaviours.


Backdoors

• Methods and tools that allow bypassing of regular authentication methods.

• Like rootkits they are sometimes used by manufacturers to provide ongoing access to systems and software.

• Backdoors can sometimes be detected by finding unexpected open ports or services, but some may use legitimate services.
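The "unexpected open ports or services" check above, as an added example that is not part of the slides: listening sockets reported by `ss -tlnp` are compared against an approved (port, process) baseline, and anything outside it is flagged for review. The baseline and the `ss` output below are constructed sample data.

```python
"""Flag listening sockets that are not in an approved baseline.

Added example (not from the slides): an allowlist check over
`ss -tlnp`-style output. Baseline and sample output are constructed.
"""
import re

# Approved listeners for this host: (port, process name). Constructed baseline.
BASELINE = {(22, "sshd"), (80, "nginx"), (443, "nginx")}

# Constructed sample of `ss -tlnp` output; the last row is not in the baseline.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1203,fd=7))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:4444        0.0.0.0:*          users:(("updater",pid=2310,fd=3))
"""

# One LISTEN row: state, queues, local addr:port, peer, then the process field.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Return (port, process, pid, local_addr) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a non-LISTEN row
        addr, port, proc_field = m.groups()
        p = PROC_RE.search(proc_field)
        proc, pid = (p.group(1), int(p.group(2))) if p else ("?", -1)
        listeners.append((int(port), proc, pid, addr))
    return listeners


def unexpected_listeners(ss_output, baseline=BASELINE):
    """Listeners whose (port, process) pair is not in the approved baseline."""
    return [l for l in parse_listeners(ss_output) if (l[0], l[1]) not in baseline]


if __name__ == "__main__":
    for port, proc, pid, addr in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proc} (pid {pid}) on {addr}:{port}")
```

A process name that looks legitimate is not proof of anything, which is the slide's caveat: pair this with a check of the binary's path and signature before clearing a hit.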
Bots

• Groups of remote-controlled systems or devices that have a malware infection.

• Groups more commonly referred to as botnets.

• Botnets are used to control targets in order to use them to launch various types of attacks against further target systems.

• Many botnet command and control systems operate in client-server mode.


Botnets

[Figure: the structure of a botnet.] Source: https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fblog.eccouncil.org%2Fwp-content%2Fuploads%2F2018%2F12%2Fthe-structure-of-a-botnet.png&f=1&nofb=1
Keyloggers

• Programs that, once loaded, may capture keyboard keystrokes, mouse movement, touchscreen inputs or credit card swipes from infected devices.

• Can work in various ways including capturing via the kernel, through APIs or scripts, or directly from memory.

• Best defense is through best practice software maintenance and a comprehensive anti-virus/anti-malware solution.
Logic Bombs

• Functions or code maliciously placed inside other programs.

• Are activated when defined conditions are met.

• Uncommon but when activated can create significant issues.


Viruses

• Most well known, widespread and understood of the malware types.

• Are spread via varied infection mechanisms and have many different attack methods and targets.

Virus Type            Description
Memory resident       Remain in memory while the device is running.
Non-memory resident   Execute, spread and then shut down to prevent detection.
Boot sector           Reside on disk boot sectors.
Macro                 Use macros or code inside common applications to spread.
E-mail                Spread via e-mail attachments or flaws within clients.
Spyware

• Designed to obtain information about a target.

• Many different variants and deployment methods.

• May be innocuous but certain types are quite malicious.

• Often associated with identity theft and fraud.

• Most frequently combated using anti-malware tools.

• User awareness is also an important tool.


Potentially Unwanted Programs (PUPs)

• Many types of malware are malicious and cause damage.

• PUPs are different in that they may not cause any harm directly.

• Installed without the user's knowledge or permission.

• Can include adware, browser toolbars, tracking programs and other types.

• PUPs don't always indicate that a system has been seriously compromised.
Malicious Code

• Includes scripts or bespoke code that isn't malware but may still be used by attackers.

• Attacks can happen locally or remotely.

• May leverage built-in OS tools such as PowerShell, Visual Basic and macros in Windows environments, or Bash or Python in Linux environments.

• Can be difficult to guard against because they leverage legitimate and well-used tools.
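Because the tools are legitimate, detection has to look at how they are invoked rather than at the binary itself. As an added example that is not part of the slides, the following picks out PowerShell command lines that use the `-EncodedCommand` switch (PowerShell reads its argument as Base64-encoded UTF-16LE text) and decodes the payload so an analyst can read what was actually run. The command lines are constructed samples.

```python
"""Surface encoded PowerShell command lines for analyst review.

Added example (not from the slides). Detects the -EncodedCommand switch
(and its short forms) in a process command line and decodes its payload.
Sample command lines below are constructed.
"""
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common ones.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script text if cmdline carries an encoded payload, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not decodable, still worth a manual look


def triage(cmdlines):
    """Map each command line that uses an encoded payload to its decoded text."""
    findings = {}
    for cmdline in cmdlines:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings[cmdline] = decoded
    return findings


# Constructed samples: a plain invocation and the same tool with an encoded script.
PLAIN = "powershell.exe -NoProfile -Command Get-Date"
SCRIPT = "Get-ChildItem C:\\Temp"
ENCODED = "powershell.exe -NoProfile -enc " + base64.b64encode(
    SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for cmdline, text in triage([PLAIN, ENCODED]).items():
        print(f"{cmdline}\n  decodes to: {text}")
```

Process-creation logging (Sysmon or Windows Security auditing with command-line capture) is what supplies these command lines in practice; the decoded text is what should be reviewed, not the presence of PowerShell itself.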
Adversarial Artificial Intelligence (AAI)

• A developing field where AI is used to launch attacks.

• Focus is typically on poisoning of data, inserting malicious analytics or algorithms into systems, or privacy-based attacks.
Big Picture

• Malware has many variants.

• Some is malicious and some is simply used to spy on us, advertise products or somehow socially manipulate us.

• Depending on the type of malware, prevention of infection and protection against it can be very challenging.

• Best practice software configuration, patching and AV tools are a good start.

• Security awareness training assists greatly.


Thanks for watching!
