CompTIA Security+ SYO-401

Certification Training

Explain types of Malware Tutorial

1 Explain types of Malware

If we are aware of the different types of malware, or malicious software, and their varied impact, we can surely find ways to protect ourselves from them. Malware can disable or damage your computer. Let’s begin this lesson with its objectives. After completing this lesson, you will be able to:
• Describe threats and vulnerabilities,
• Explain malware and their types, and
• Describe ways of protection from malware.

2 Threats and Vulnerabilities

In this topic, you will learn about threats and vulnerabilities. Threats are probable attacks that might compromise an organization’s or an individual’s security. They are classified into three major categories: natural threats, physical threats, and human threats. Vulnerabilities, on the other hand, are weaknesses, design flaws, or implementation flaws of a system through which the system can be compromised. A single weakness may give rise to multiple threats: for example, a remote code execution vulnerability in a system can be used for data theft, data vandalism, remote site defacement, and so on. Vulnerabilities are classified into the following:
• Application vulnerability
• Operating System vulnerability
• Misconfiguration vulnerability
• Shrink-wrap code vulnerability

3 Malware and its Types

In this topic, you will learn about malware and its types.

Malware, more commonly referred to as malicious software, is an undesired entity in your computer or network; it executes unwanted functions to bring down the network or the system, or to steal sensitive information. The different types of malware include spyware, adware, viruses, worms, Trojan horses, rootkits, backdoors, logic bombs, botnets, ransomware, polymorphic malware, and armored viruses. We will learn about each of them in turn.

In the world of physical security, spies are hired to secretly gather information about an individual or an organization. In the world of networking and security, spyware is created and transmitted to one’s computer or network via a virus. Other carriers of spyware include worms, Trojan horses, shared freeware, and open source applications. With malicious intent, spyware carries out its purpose of secretly collecting information about users and applications. The level of maliciousness varies: fully malicious spyware carries out attacks that may result in identity theft or credential stealing, whereas less malicious spyware aims to find the user’s precise location or browsing habits. In either case, it is very difficult for users to know that they are being monitored. Spyware collects information such as installed or most used applications, keystrokes, browsing history, received and sent e-mails, sensitive data, and information exchanged using instant messengers. This data is generally utilized by technology or product companies either to create better products or to learn the strengths of their nearest competitors. Additionally, spyware is capable of turning on the microphone and recording audio, or capturing video using the connected webcam.

Adware is similar to spyware. It enters a user’s computer or network without consent and displays advertisements in browsers or in applications that connect to the web. Adware chooses the advertisements it displays by analyzing the user’s browsing history and the applications accessed; in other words, adware is used to promote products to targeted buyers. Because the entire activity happens without the consent or knowledge of the user, it is generally seen as offensive or harmful.

A computer virus is similar to its biological counterpart: it is designed to mutate its bearer or host by replicating itself and disrupting the normal functioning of the computer or the entire network. Like any malware, viruses consist of software code; they attack the system and network until all resources are consumed and no service or application can be accessed by the user. This is when viruses execute their objective of stealing, corrupting, or deleting data. Viruses cannot survive on their own and require a host. A host can be a file in the computer or the boot sector of the hard drive, so as the file is executed or the system is turned on, the virus begins its malicious activities. Viruses that execute from the boot sector are generally referred to as boot sector viruses.

Now, let’s learn about the key virus types. We begin with polymorphic viruses. These escape antivirus scanners by altering their own code. Next, we have macro viruses. Their hosts are documents, data files, and e-mails, and they perform their malicious activities by utilizing the scripting capabilities of commonly used software applications. The third type is stealth viruses. Such viruses mask themselves to avoid detection by antivirus scanners. The fourth type is armored viruses. These are armed with complex code or compilation techniques to attach themselves to the system and abuse its memory; they are generally hard to detect and difficult to remove. The fifth type is retroviruses. These target antivirus applications and aim to make them ineffective. The sixth type is phage viruses. These spread quickly to contaminate different parts of the system or network, so even if the user removes them from a file or certain parts, they continue to replicate from the parts not yet removed and carry on their activities. The seventh type covered in this lesson is companion viruses. These give themselves the name of a commonly used executable file followed by a .com extension, to trap users into believing that the virus is the actual application they intend to run. The final type is multipart, or multipartite, viruses. These consist of code with different functions and can thus infect the system or network in more ways than one.
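As an added example that is not part of the course material, the following Python code checks a directory listing for the companion-virus pattern described above: an .exe and a .com sharing a base name in the same folder. The listing is constructed for the example.

```python
import ntpath
from collections import defaultdict

# Constructed directory listing for this example (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\Tools\backup.exe",
    r"C:\Tools\BACKUP.COM",            # same base name, .com extension: companion candidate
    r"C:\Tools\readme.txt",
    r"C:\Windows\System32\more.com",   # a legitimate stand-alone .com file
    r"C:\Windows\System32\notepad.exe",
]


def find_companion_pairs(paths):
    """Return sorted (directory, stem) pairs where STEM.exe and STEM.com share a folder.

    On DOS and Windows the command interpreter tries .com before .exe when a command
    is typed without an extension, so a planted STEM.com runs instead of the genuine
    STEM.exe. A matching pair is not proof of infection, only a reason to inspect the
    .com file (origin, size, signature) before anyone runs the program by name.
    """
    extensions = defaultdict(set)
    for path in paths:
        directory, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        # Windows file names are case-insensitive, so compare in lower case.
        extensions[(directory.lower(), stem.lower())].add(ext.lower())
    return sorted(key for key, exts in extensions.items() if {".exe", ".com"} <= exts)
```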

4 Trojan

A malicious software program, or a piece of code, that camouflages itself as a genuine application but actually intends to harm the system is referred to as a Trojan horse. Malware programmers who create Trojan horses generally conceal the malicious code within stunning screensavers, exciting games, or a version of a commonly used software application. Their aim is to fool users into installing the Trojan on their system or network. Once that is done, the malicious portion of the software gets to work and gains access to the targeted secure environment.

A rootkit is a software program designed to enter the heart of the Operating System and tamper with its configuration, its monitoring applications, and other data files. Now let’s see how rootkits function. First, they either replace the OS kernel or shim themselves under the kernel. This way, concealing information or even performing malicious activity appears normal to the OS. Next, taking advantage of this, rootkits hide their presence in the system from the file management tools; even their malicious processes are hidden from the task manager and process manager. Once the entire OS is under their control, rootkits, together with other malware, carry out their malicious activities: stealing information, capturing keystrokes, monitoring browsing history, taking screen captures, recording audio using the microphone, capturing video, uninstalling applications that could stop them, granting backdoor access to hackers, or providing remote control of the system or the entire network. Once a rootkit captures your computer’s OS, it is like battling an army of soldiers protected by an invisible shield.

If you are a developer, a backdoor means a no-restriction account. During the development phase, every application has such an account, which is patched later. For a hacker, however, a backdoor means a client that can be accessed and controlled remotely, and of course this occurs without the knowledge of the owner. So, how would a hacker create such a backdoor? The hacker uses the same malicious means: making the user download a software program with a hidden tool, using a Trojan horse, injecting a virus, or performing any other intrusion activity. As soon as the code executes on the desired client computer, the tool opens all access ports and connects the hacker with the client and then with the network. This way a backdoor is created through which the hacker eludes all security controls and controls the network activities.

The closest counterpart of a logic bomb is a sleeper cell. Like sleeper cells, logic bombs remain dormant until an event triggers them to carry out their assigned malicious activity. The trigger can be a user executing an application, accessing a banking URL, or a specific date and time. Logic bombs can be designed to carry out any activity, from modifying system configuration, to taking the required data or credentials, to causing the system to crash and thereby deleting all data files.

Botnets, or robot networks, consist of numerous compromised systems controlled by a hacker, who is known as the bot herder, handler, or master. The compromised systems are also termed secondary agents and are used to deploy and control malicious code, remote-controlled agents, zombies, or bots. The bot herder uses these agents and the deployed bots as a single entity to launch an attack on a primary target. The bots on the secondary agents are controlled by their bot herder either directly or indirectly. In direct control, the bots use their listening service to receive commands and execute them as instructed. Indirect control relies on a communication channel such as Internet Relay Chat (IRC), FTP, instant messaging, e-mail, tweets, or blog posts. Botnets can be used for any malicious activity, such as DoS flooding attacks, transmitting spam, cracking passwords and encryption keys, and so on.

Hackers’ use of ransomware is similar to kidnapping or hijacking, where the kidnappers demand money or anything else that benefits them in exchange for the hostages. Now, let’s see the modus operandi of hackers using ransomware. First, they target a highly sensitive system or network. Once the target is under their control, they block the entire system and make the users helpless by misusing their credentials. Next, they demand payment to release the system or network held hostage. Finally, they release the system when its owner either makes the payment, in the untraceable form of digital currency, or performs a countermeasure.

Polymorphic malware is designed to avoid detection by modifying or manipulating its signatures. Malware detectors are programmed to identify malware through its code or the structure of that code. Taking advantage of this, malware programmers encrypt the core code of their tool and thus avoid detection. This way the detectors are tricked, and the polymorphic malware continues its malicious activities in a camouflaged state.

5 Countermeasures to Avoid or Terminate Malware

In this topic, you will learn about countermeasures to avoid or remove malware from your system or network. The ideal countermeasure for any malware is prevention. But if some type of malware has managed to enter your system, certain steps must be followed to ensure it is quarantined or removed. Let’s look at each type in detail.

We begin with countermeasures for viruses. Scanning the system or network with an updated antivirus is the ideal measure to detect and counter viruses within your system. Moreover, it is recommended to install an antivirus that constantly monitors the local storage device, memory, and communication channels for viral activity. As they say, prevention is better than cure, so it is recommended that you avoid downloading software from untrusted sites, opening e-mails marked as spam, downloading attachments sent by unsolicited senders, and using removable media or USB devices found in parking lots or at office entrances. These steps and techniques can also be used to detect and counter spyware, adware, and Trojan horses; the difference is that for spyware and adware, the scanning tool must be able to detect spyware and adware.

While dealing with rootkits, the solution is to either reconstitute or replace the entire system. There are many rootkit identification tools, but only a few of them help you eliminate rootkits. Once you find a rootkit on your system, replacement is the recommended option. Reconstitution is the lower-level alternative: it involves formatting the system and then reinstalling the OS and the other required applications. The reinstallation of the OS and applications should be done from trusted, original sources and not from a backup of the corrupted OS. In other words, battling a rootkit in place is not an option.

You can remove or quarantine backdoor tools using virus scanners and spyware scanning tools. However, you need to take certain proactive steps to protect your system or network from backdoors. These steps include the following: seal the entry points that allow mobile code and unauthorized software to be automatically downloaded and installed on your system; constantly monitor inbound and outbound traffic; and ensure that hardware and software signatures are mandatory before any new software or hardware driver is installed.

The best way to defend yourself from a botnet is to identify open ports and patch them with appropriate security measures before a bot herder discovers them. In other words, the first step is to ensure you do not become a secondary agent in a robot network. Next, implement firewall rules to monitor and block malicious outbound traffic, and Unified Threat Management (UTM) to filter incoming web traffic. Another countermeasure is to install anti-spyware or anti-adware tools capable of detecting and detaining bot agents. However, if you do become the victim of a bot herder, there is very little you can do. You should still identify and isolate the affected system from the network, then contact your Internet Service Provider and report the incident to the cyber law enforcement agencies.

You can generally counter ransomware by preventing the incident from taking place. Prevention steps include avoiding risky browsing habits, constantly scanning your system with antimalware software, and keeping regular backups of your system and sensitive data. However, if the hacker has left you with no other option, the only way to regain your data is to pay the ransom.
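As an added example that is not part of the course, the following Python code applies the outbound-traffic monitoring recommended against botnets to a constructed connection log. It flags internal hosts that talk to an IRC control channel, one of the indirect-control channels the lesson names, or that beacon to a single external host at a fixed interval, which is how a bot with a listening service checks in for commands. The log format and addresses are made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log for this example (not real traffic).
# Assumed line format: "<ISO time> <src ip> -> <dst ip>:<dst port>"
LOG_LINES = """\
2024-03-01T10:00:00 10.0.0.12 -> 198.51.100.7:6667
2024-03-01T10:00:05 10.0.0.34 -> 203.0.113.9:443
2024-03-01T10:05:00 10.0.0.12 -> 198.51.100.7:6667
2024-03-01T10:10:00 10.0.0.12 -> 198.51.100.7:6667
2024-03-01T10:11:31 10.0.0.34 -> 203.0.113.20:443
2024-03-01T10:15:00 10.0.0.12 -> 198.51.100.7:6667
2024-03-01T10:20:00 10.0.0.12 -> 198.51.100.7:6667
2024-03-01T10:22:47 10.0.0.34 -> 203.0.113.9:443""".splitlines()

# Standard IRC client ports; the lesson names IRC as an indirect bot control channel.
IRC_PORTS = set(range(6660, 6670)) | {6697}


def parse_flows(lines):
    """Yield (timestamp, src, dst_ip, dst_port) for each log line."""
    for line in lines:
        ts, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_bot_suspects(lines, min_flows=4, max_jitter=0.1):
    """Return {internal host: sorted reasons} for hosts whose outbound traffic looks
    like bot command-and-control: an IRC channel, or fixed-interval beaconing."""
    per_pair = defaultdict(list)   # (src, dst_ip) -> connection timestamps
    findings = defaultdict(set)
    for ts, src, dst_ip, port in parse_flows(lines):
        per_pair[(src, dst_ip)].append(ts)
        if port in IRC_PORTS:
            findings[src].add(f"irc-channel:{dst_ip}:{port}")
    for (src, dst_ip), stamps in per_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Relative spread of the gaps near zero means a fixed check-in timer.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[src].add(f"beacon:{dst_ip}:every~{int(avg)}s")
    return {src: sorted(reasons) for src, reasons in findings.items()}
```

A host reported here is a candidate for the isolation step described above; in practice the lines would come from the firewall or flow exporter rather than a constant.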

7 Summary

Let’s summarize the topics covered in this lesson:
• Threats are probable attacks that might compromise an organization’s or individual’s security.
• Vulnerabilities are weaknesses, design flaws, or implementation flaws of a system through which a system can be compromised.
• Malware is an undesired entity in your computer or network.
• Spyware, adware, viruses, worms, Trojan horses, rootkits, backdoors, logic bombs, botnets, ransomware, polymorphic malware, and armored viruses are different types of malware.
• An ideal countermeasure for any malware is prevention.
With this, we conclude this lesson, “Explain types of malware.” In the next lesson, we will look at “Summarize various types of attacks.”
