Malware
Software intentionally designed to damage, disrupt, steal, or gain unauthorized access to computer systems.
Three main goals of malware
To compromise the confidentiality, integrity, or availability of a system or its data (the CIA triad): stealing information, corrupting it, or denying access to it.
Adware
Displays unwanted ads.
Spyware
Secretly collects user data.
Advanced Persistent Threat (APT)
A long-term, targeted, and often state-sponsored cyberattack using multiple intrusion techniques against specific organizations.
Why APTs are dangerous
They are well-funded, persistent, stealthy, and target high-value information over extended periods.
Attack kits
Tools that allow even unskilled users to create and deploy malware, increasing attack volume and variety.
Examples of attack kits
Zeus (a crimeware kit used to build banking trojans) and Angler (a browser exploit kit).
Virus
Malicious code that attaches to executable files and replicates when those files run.
Three main components of a virus
Infection mechanism, trigger, and payload.
Macro virus
Infects document macros instead of executables and spreads through documents.
Worm
Self-replicating malware that spreads automatically across networks, often exploiting software vulnerabilities.
Morris Worm (1988)
One of the first major Internet worms, disrupting thousands of UNIX systems and highlighting network vulnerability.
WannaCry worm (2017)
Encrypted user files and demanded ransom payments in Bitcoin; spread without user interaction by exploiting an SMBv1 vulnerability (EternalBlue, patched by MS17-010).
Mobile code
Programs (such as Java applets, ActiveX controls, or JavaScript) transmitted from a remote system and executed on the local host, often used to deliver exploits.
Drive-by download
Malware that installs without the user's knowledge when they visit a compromised or malicious website, typically by exploiting a browser or plugin vulnerability rather than asking the user to run anything.
Watering-hole attacks
Target victims by compromising legitimate websites that specific groups of users are likely to visit.
Malvertising
Using online ads containing hidden malware that infects visitors without compromising the host website.
Clickjacking
Tricking users into clicking invisible or disguised page elements (for example a transparent frame of a target site layered over a decoy page) so that the click performs an action the user did not intend.
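Clickjacking works only if the target page can be loaded inside a frame on the attacker's page, so the defensive check is whether the response carries a `Content-Security-Policy` `frame-ancestors` directive or an `X-Frame-Options` header that forbids it. The following is an added example, not part of the original flashcards: it implements the browser's decision rule (a `frame-ancestors` directive takes precedence; otherwise `X-Frame-Options` applies; with neither, any site may frame the page) and applies it to constructed header sets. The URLs and headers are invented for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed header sets for a hypothetical banking page.
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",   # fallback for browsers without CSP support
}
PAGE_URL = "https://bank.example/transfer"
ATTACKER_URL = "https://attacker.example/free-prize"


def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def _source_matches(source: str, page_url: str, top_url: str) -> bool:
    """Match one frame-ancestors source expression against the framing (top) origin.
    Simplification: a host-source without a scheme matches any scheme."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(page_url) == origin(top_url)
    if src == "*":
        return True
    top_scheme, top_host, top_port = origin(top_url)
    if src.endswith(":") and "://" not in src:          # scheme-source, e.g. https:
        return src[:-1] == top_scheme
    if "://" in src:                                    # host-source with explicit scheme
        scheme, _, src = src.partition("://")
        if scheme != top_scheme:
            return False
    host, _, port = src.partition(":")
    if port and port != "*" and port != str(top_port):
        return False
    if host.startswith("*."):                           # wildcard matches subdomains only
        return top_host.endswith(host[1:])
    return host == top_host


def framing_allowed(headers: dict, page_url: str, top_url: str) -> bool:
    """Would a modern browser let top_url embed page_url in a frame?"""
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP wins over X-Frame-Options when both are present.
            return any(_source_matches(s, page_url, top_url) for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin(page_url) == origin(top_url)
    # No header, or an obsolete/invalid value such as ALLOW-FROM: browsers ignore it,
    # so the page is frameable by anyone and a clickjacking overlay will load.
    return True


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: attacker can frame page = {framing_allowed(hdrs, PAGE_URL, ATTACKER_URL)}")
```

Note that the hardened set sends both headers on purpose: `frame-ancestors` is what current browsers honour, while `X-Frame-Options: SAMEORIGIN` covers older ones; when a page legitimately needs to be embedded by a partner, listing that partner's origin in `frame-ancestors` is the only standards-based way to allow it.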
Social engineering in cybersecurity
Manipulating people into performing actions or revealing confidential information to aid attacks.
Trojan horse
A seemingly legitimate program that hides malicious functionality to compromise the system.
Ransomware
Malware that encrypts a victim's data and demands payment for decryption.
WannaCry
WannaCry combined ransomware with worm-like propagation, spreading automatically between unpatched systems without any user action.
Logic bomb
Malicious code embedded in a legitimate program that executes when specific conditions are met, such as a date, a particular user logging in, or a file being absent.
Botnet
A network of infected computers controlled remotely to launch coordinated attacks or perform automated tasks.
Difference between worm and bot
Worms self-activate and spread automatically; bots are controlled remotely via command-and-control systems.
Keylogger
Malware (or a hardware device) that captures keystrokes to steal sensitive information such as passwords or credit card numbers.
Phishing
Sending fake messages or links that impersonate trusted sources to trick users into revealing credentials or installing malware.
Spear-phishing
A targeted form of phishing customized for specific individuals or organizations.
Backdoor (trapdoor)
A hidden access method allowing attackers to bypass authentication or security controls.
Rootkit
Software that hides malicious activity by manipulating the operating system to conceal files, processes, or connections.
Kernel-mode rootkits
Rootkits that operate at the OS kernel level, making them difficult to detect or remove.
Stealthing malware
Techniques malware uses to remain undetected (hiding its files, processes, or network connections) while maintaining unauthorized control or data access.
Four main elements of malware prevention
Policy, awareness, vulnerability mitigation, and threat mitigation.
Main steps if malware prevention fails
Detection, identification, and removal.
First generation of antivirus software
Simple scanners relying on known malware signatures.
Heuristic scanners
Second-generation scanners that use rules about likely malicious code structure and integrity checks (such as file checksums) to identify unknown malware variants rather than only known signatures.
Activity traps
Memory-resident defenses that monitor program behavior in real time (for example attempts to modify executables) rather than relying on static malware signatures.
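The difference between a first-generation signature scanner and a heuristic integrity check is easiest to see on a concrete file set. The following is an added example, not part of the original flashcards: a toy signature scanner (exact file hashes plus byte patterns) beside an integrity checker that compares a system against a known-clean baseline. The "file system", the demo payload and its one-byte variant are all constructed for the demonstration, and the variant is appended to an executable the way a file-infecting virus attaches itself to its host.

```python
import hashlib

# Constructed stand-in for a malicious byte sequence (harmless text, no real malware).
DEMO_PAYLOAD = b"DEMO-DROPPER-PAYLOAD-v1" + bytes(range(0x41, 0x5B))

# First-generation signature database: exact file hashes and byte patterns.
HASH_SIGNATURES = {hashlib.sha256(DEMO_PAYLOAD).hexdigest(): "Demo.Dropper.A"}
PATTERN_SIGNATURES = {"Demo.Dropper.A": DEMO_PAYLOAD}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def clean_system() -> dict:
    """Constructed 'file system' before infection: file name -> contents."""
    return {
        "report.txt": b"Quarterly numbers look fine.\n",
        "util.com": b"MZ" + b"\x90" * 64 + b"original utility code",
    }


def infected_system() -> dict:
    """The same system after a simulated infection: a dropper writes an exact copy
    of the payload, and a variant with one byte changed is appended to util.com."""
    files = clean_system()
    files["dropper.com"] = DEMO_PAYLOAD
    variant = DEMO_PAYLOAD.replace(b"v1", b"v2")      # trivial mutation defeats exact matching
    files["util.com"] = files["util.com"] + variant
    return files


def signature_scan(files: dict) -> dict:
    """First-generation scanner: flag files whose hash or bytes match a known signature."""
    hits = {}
    for name, data in files.items():
        label = HASH_SIGNATURES.get(sha256(data))
        if label is None:
            for sig_label, pattern in PATTERN_SIGNATURES.items():
                if pattern in data:
                    label = sig_label
                    break
        if label is not None:
            hits[name] = label
    return hits


def take_baseline(files: dict) -> dict:
    """Integrity-checker baseline: a hash of every file on a known-clean system."""
    return {name: sha256(data) for name, data in files.items()}


def integrity_check(files: dict, baseline: dict) -> dict:
    """Heuristic integrity check: report everything that differs from the baseline,
    whether or not a signature for it exists."""
    return {
        "modified": sorted(n for n, d in files.items() if n in baseline and sha256(d) != baseline[n]),
        "new": sorted(n for n in files if n not in baseline),
        "missing": sorted(n for n in baseline if n not in files),
    }


if __name__ == "__main__":
    baseline = take_baseline(clean_system())
    infected = infected_system()
    print("signature hits :", signature_scan(infected))
    print("integrity check:", integrity_check(infected, baseline))
```

Run it and the signature scanner reports only `dropper.com`, the file that exactly matches the database; the mutated copy inside `util.com` slips past both the hash and the pattern. The integrity check reports `util.com` as modified and `dropper.com` as new because it asks a different question (has anything changed since the baseline?), which is why it catches variants but also why it needs a trustworthy baseline and cannot by itself say what the change is.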
Sandbox analysis
Running suspicious code in an isolated environment to observe and analyze its behavior safely.
Host-based behavior blocking
Software that monitors and blocks potentially malicious actions on a local machine before they cause harm.
Perimeter scanning approaches
Scanning email and web traffic at firewalls, mail gateways, or intrusion detection systems to block suspicious content before it reaches users.
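A mail gateway is the usual place such perimeter scanning happens, and a basic attachment filter already shows the two checks that matter: file-extension policy, and checking that the bytes of an attachment agree with the type it claims to be. The following is an added example, not part of the original flashcards: it builds a constructed MIME message with a disguised executable, a genuine PDF, and a script attachment, then runs a hypothetical gateway filter over it using only the Python standard library `email` package.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy (a real deployment would carry a much longer list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".cmd", ".bat", ".ps1"}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}


def build_sample_message() -> bytes:
    """Constructed inbound message: three attachments, two of them malicious-looking."""
    msg = EmailMessage()
    msg["From"] = "invoices@supplier.example"
    msg["To"] = "accounts@corp.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice and our terms attached.")
    # A PE header disguised as a PDF: extension and MIME type are clean, bytes are not.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    # A genuine-looking PDF.
    msg.add_attachment(b"%PDF-1.4\n%terms of service\n",
                       maintype="application", subtype="pdf", filename="terms.pdf")
    # A script attachment: blocked on extension regardless of content.
    msg.add_attachment(b"var x = 1;\n",
                       maintype="application", subtype="octet-stream", filename="run.js")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Gateway check: return (filename, reason) for every attachment that violates policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        for magic, description in EXECUTABLE_MAGIC.items():
            if data.startswith(magic):
                findings.append((name, f"{description} disguised as {part.get_content_type()}"))
    return findings


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

The magic-byte check is the one worth keeping even when the extension list grows: a renamed executable passes every name-based rule, and the declared `Content-Type` is entirely under the sender's control, so only the first bytes of the decoded payload say what the file really is.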