Discuss what malware actually is, how it has changed, and what we can expect to see in the future
- [Instructor] This module will discuss what malware actually is, how it has changed, and what we can expect to see in the future. Malware is evolving just as everything in IT and the information security world does, and what makes malware so interesting is its purpose and the thought that goes into writing specifically crafted software to cause harm. That, as well as the difficulty of detecting new variants and stopping this threat completely. Let's begin with the basics. What is malware? In its most basic element, malware is a computer program coupled with malicious intent.
The latter part of this previous statement differentiates malware from buggy software, or even software that can be used for malicious purposes but was not specifically written to knowingly cause harm. A great example of this would be the tools Nmap and Ncat. Network administrators and security professionals use these tools legitimately as part of their job to secure the company, troubleshoot connectivity issues and increase proficiency. Attackers can use these same tools to cause harm, and antivirus vendors even used to categorize tools like these as malicious.
Since malware is a generic term, let's break it down into specific categories, which will be explained in more detail in the next lesson. Here we see several common malware categories. Some of these types of malware are differentiated based on how they spread, what they do, and how they are presented to a user. What they all have in common is the underlying intent. And that's not to say that adware, which presents unwanted ads in your browser, is on par with the Zeus Trojan that steals your banking information, as there are levels of maliciousness and harm that different software can do.
Like all software, malware is code that has been written by an individual or team of developers, in most cases. It can be written in most any language, but it's often written in the C or C++ programming languages, which is certainly something to take into consideration when thinking about the target platform and users or organization. Let's take a closer look. This is a screenshot of a professional binary disassembler and debugger. This tool and tools like it are used by malware researchers to determine how a malware specimen works.
The history of malware is rich and exciting, with concepts dating from the mid 20th century, with modern-day research beginning in the early 1970s. An early example of a worm is Creeper, which was written in 1971. Although Creeper is a fringe case of malware, as it's not specifically malicious, nor was that the author's intent, it can be classified as unwanted software. An equally benign early version of malware was Elk Cloner, which infected the Apple II operating system.
It could replicate, although, once again, there was no intentional damage caused by this program. Modern malware has become much more prevalent over the last two decades, with the rise of personal computer ownership, advances in technology, and internet connectivity, as well as the advances seen in the World Wide Web. Early forms of malware were less harmful because there was less harm to cause, in a manner of speaking. Not as many people had computers or internet access, so there was less exposure, and the amount of sensitive information being shared was quite limited, compared to today.
Connected devices and industries were not the norm in the last century, whereas today, even people's refrigerators are connected to the internet. But it's not just the number of people and devices that increases risk. It's the sensitivity of information stored on computer systems that is the real game changer. From a personal perspective, we have banking information and private documents on our computers at home. From the corporate perspective, we have clients' information, credit card transactions, protected health information, personally identifiable information and trade secrets.
From a national perspective, there are the SCADA systems that operate our infrastructure and government secrets. All these are examples of information repositories, or systems that are accessible via the internet, potentially susceptible to malware. So we see a combination effect, where there's simply more at stake and a greater risk of impact when companies, people and governments are compromised. Malware changes to keep up with the pace of new technology and new targets of attack. This can be seen in the proliferation of Android malware, which did not even exist six years ago, but is seen as common today.
The intricacies of malware do change, such as the methods of infection, payload execution, communication channels and ways to go undetected. Not just the code, though, but the intent, once again. The potential damage caused by malware is only limited by the author's imagination and, of course, the available elements on the target platform, network and system. With the changes in malware, from a focus on proof of concepts and learning to monetization and business models, we see a greater degree of effectiveness.
Or at least, that is what it looks like. Let's take the Zeus Trojan that was already mentioned and use it as an example. Zeus, or Zbot, gained much notoriety around 2010, well after it had been initially discovered. One of the primary purposes of Zeus was to compromise victims' online banking accounts and effectively steal money. Software can't do everything, though, and what was seen in this example was the use of money mules to shift funds from compromised accounts to other accounts, where the funds could ultimately be withdrawn or used to make online purchases.
One of the things that made Zeus so effective was its difficulty in being detected and the professionalism of the criminal organizations responsible for its release and proliferation. These facts also make attribution difficult in some cases. The implications of infection can be devastating, and often include the loss of critical business data, such as in the case of ransomware, or a breach that compromises millions of records, like what happened to the Target stores. Personal and government-protected information is at risk as well, which we saw in the example of the OPM breach.
Reputation damage was evident in the case of the HBGary compromise. HBGary had a reputation as a reputable security consulting firm, until it was breached, and evidence of its particularly poor security practices was made public. What I want you to think about is, at what point does software become malware? How would one go about safely executing malware to learn what it does and how it works? Your challenge is to find malware on your current operating system by presuming that you are already compromised and that the AV you were using just doesn't have a definition for it yet.
This course was created and produced by Mentor Source, Inc. We are honored to host this training in our library.
- What is malware?
- How does malware work?
- Risks of malware
- Malware examples
- Malware protection