Greetings, dear reader! In the first part of a series of blogs about information security, I described how a computer can most often be infected with various types of malware. Now let’s see who’s who of the main threat types.
Worms
The name speaks for itself. Network worms get in through vulnerabilities in the perimeter of a system, whether in the OS, the browser, a file server or, say, the mail client. Like the real worms that eat leaves and gnaw tunnels through the apples in our gardens, their digital counterparts can quite literally riddle files. What is interesting is the simplest distribution scheme, which is nevertheless very effective against an inexperienced user (and is also typical for other "little animals", viruses in particular): the worm spreads as an executable file or a JS/VBS script disguised as a text document or, for example, a picture. The trick is simple: a malicious file, let's call it worm.exe, is renamed to worm.txt.exe, giving it a double extension. Windows treats only the last extension as the real one, so a user whose system has extension display disabled sees only worm.txt. To complete the picture, the worm gives its file the icon of a text document so that the user does not sense a trick.
An example of disguising an .exe file as a text document, with file extensions hidden and then shown. The first file is a real text document, the second is an executable disguised as one.
To ward off suspicion when distributing the file, for example by mail, a bunch of spaces are inserted between the fake and the real extension so that the real one stays out of sight even when extension display is turned on:
As you can see, the real extension of the second file has been pushed out of view by the spaces. In a list view, such as in an email client, the name is not wrapped, so the real extension stays hidden.
However, some email services do not allow you to send an executable file at all. For example, Google Mail wouldn't let me send myself a file named worm.txt .exe, let alone one with more whitespace between the extensions, citing a security issue. It did not allow me to send it even after renaming the file to program.exe – that is, for security reasons, you can't send executable files without a better disguise.
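As an added example (not code from the original post), here is the kind of check a mail gateway or a download handler could run on an attachment name to catch exactly the two tricks described above: a document-looking extension in front of the real one, and whitespace padding that pushes the real extension out of view. The extension lists and the tag names are this example's own choices; the sample names are constructed.

```python
# Added example: classify an attachment name the way a mail gateway or a download
# handler might, catching the double-extension and whitespace-padding tricks.
# The extension lists and tag names are this example's own choices.

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk"}
DECOY_EXTS = {"txt", "doc", "docx", "rtf", "pdf", "jpg", "jpeg", "png", "gif",
              "bmp", "mp3", "avi", "xls", "xlsx", "ppt", "pptx"}


def explorer_display_name(name):
    """What Explorer shows for `name` with "Hide extensions for known file types" on:
    only the part after the last dot counts as the extension, and that part is hidden."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def analyze_attachment_name(name):
    """Return a set of tags explaining why `name` looks suspicious (empty = nothing found).

    Tags: "executable"         the real (last) extension runs code
          "double_extension"   the visible part ends in a document/image extension
          "whitespace_padding" spaces/tabs sit between the decoy and the real extension
    """
    tags = set()
    stem, dot, real_ext = name.rpartition(".")
    # Extensions are compared case-insensitively; strip() so stray whitespace around
    # the real extension cannot hide the verdict.
    if not dot or real_ext.strip().lower() not in EXECUTABLE_EXTS:
        return tags
    tags.add("executable")

    visible = stem.rstrip()                 # what a narrow list column shows
    if len(stem) != len(visible):
        tags.add("whitespace_padding")

    _, decoy_dot, decoy_ext = visible.rpartition(".")
    if decoy_dot and decoy_ext.lower() in DECOY_EXTS:
        tags.add("double_extension")
    return tags


def is_disguised_executable(name):
    """Policy helper: flag executables that pose as documents or hide their extension."""
    tags = analyze_attachment_name(name)
    return "double_extension" in tags or "whitespace_padding" in tags


if __name__ == "__main__":
    # Constructed sample names, including the worm.txt.exe case from the post.
    for sample in ["readme.txt", "setup.exe", "worm.txt.exe",
                   "worm.txt                    .exe", "holiday.jpg.scr"]:
        print(f"{sample!r:40} shown as {explorer_display_name(sample)!r:30} "
              f"{sorted(analyze_attachment_name(sample))}")
```

The check deliberately looks at the name the way the user sees it (the stem with trailing whitespace removed) rather than only at the last extension, which is what a plain "block all .exe" rule does; that is why a padded name and a double-extension name are reported separately.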
A worm's action can be either directly or indirectly harmful: malicious worms cause destructive damage, while the goal of "dummy" worms is simply to spread and infect as many computers and networks as possible – and an infected computer automatically becomes a source of further distribution, which loads the Internet connection and the hardware. Among other things, the harm from such "indirect" worms is that they can download another infection, that is, other malicious programs that do cause direct harm. Also, a type of worm has recently been gaining momentum that makes it possible to build so-called botnets (bot – robot, net – network). A botnet is a network of "zombified" computers and/or mobile or other computing devices that an attacker has assembled for some purpose. These purposes range from the banal attack on a specific well-defended network (more machines means more bandwidth and computing power, so the attack is faster and more effective) to the currently popular cryptocurrency mining (the same thing: more computing power means more cryptocurrency mined per unit of time). Here distribution plays a huge role. More on this later in the post.
As already mentioned, worms can damage and modify user and/or operating system files. For example, the notorious Conficker worm (also known as Kido) changed Windows settings, blocked access to antivirus vendors' websites, disabled system services, launched network attacks in several directions from the computer it had infected and, on top of that, ate up a fair share of computing resources. Worms can also collect information of various kinds, passwords included, for later delivery to the attacker.
Distinctive features: mobility, independence, the ability to self-modify. Once activated on the victim's computer, worms spread uncontrollably. They can get at a mail client's address book and the local network, turn up in spam mailings, and travel on any writable media. The speed of spread sometimes reaches colossal values. They can enter a computer in the body of almost any file by exploiting vulnerabilities in the program that handles it: for example, if malicious code is embedded in an image, it can get in through a hole in the image viewer. A worm can additionally download other malware (the well-known ILOVEYOU worm, for example, also planted a Trojan in the system). And the sheer number of modifications of various worms (some of which arose through independent mutation) causes a severe headache for antivirus developers. Worms also often install a backdoor in the system. But more on that a little later.
Trojans
This type of threat owes its name to the Trojan Horse of Greek legend (the story is told in Homer's Odyssey and Virgil's Aeneid; the Iliad itself ends before the horse appears). And for good reason: Trojan software acts exactly as the ancient poets narrate. As a gift marking a feigned end to the war, the glorious city of Troy was presented with a wooden horse, out of which Greek soldiers climbed the following night and opened the gates of Troy to their army, which captured it. Likewise, a modern Trojan gets into the system under the guise of a friendly application – the promised functionality may even work – and after activation begins its destructive deeds.
The reason for the fall of gullible Troy.
Cracks and keygens are often infected with Trojans. Here the risk of infection is higher, since even clean cracking tools are themselves flagged by antiviruses as malware, and experienced users are used to ignoring these warnings. Honestly, ignoring them is quite reasonable if such software comes from a team that values its "warez" reputation. But these parasites are not spread by pirated software alone. A Trojan can also be inserted into an existing program for further distribution – I already mentioned this mechanism in the first post. Infecting system files and disguising Trojans as them is also not uncommon.
The class of Trojans is rich in functionality: theft of personal data, remote access for the attacker, destroying or damaging files and the file system, downloading other malicious files, creating the above-mentioned botnets, disabling system services and applications, and straining hardware resources.
Rootkits are often grouped with Trojans (root – the administrator account on Unix-like systems, kit – set). They are designed to hide processes, files or even registry branches from the user and from other software, so that the traces of other malicious programs go unnoticed.
Trojans whose goal is denial of service (DoS, Denial of Service) are, as a rule, distributed as small archives of 30–600 KB. When you try to unpack such an archive, the unpacker swallows all available memory and disk space and the machine grinds to a halt, regardless of the type and version of the OS. Although this type of DoS Trojan is no longer widespread nowadays, it once caused a lot of trouble both for file server owners and for ordinary users' antiviruses: when trying to scan such an "archive bomb" for viruses, the antivirus itself went into deep meditation. Such archives are structured, as a rule, in one of two ways: either it is a recursive archive that literally contains itself, causing endless unpacking and eating up RAM, or an incredible number of identical files are packed into the archive, so that it weighs a few tens of kilobytes but on unpacking, again, brings the system down. The classic example of a ZIP bomb (as such archives are usually called) is the well-known 42.zip. At just over 42 kilobytes it contains 16 ZIP archives, each of which contains 16 more, and so on five levels deep; each of the 16^5 (1,048,576) innermost archives holds a single file of about 4.3 GB, which adds up to roughly 4.5 petabytes if everything is unpacked.
Today, ZIP bombs occupy a narrow niche among Trojans for targeted DoS attacks and are practically never found in the wild. Antiviruses, for their part, have long understood what a recursive archive is, for example.
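The defence against both archive shapes described above is the same: read the archive's table of contents and refuse to inflate anything that claims more than you are willing to spend, before a single byte reaches the disk. The following is an added example, not code from the original post; the budgets, the "descend into nested .zip members" heuristic and the sample archives are this example's own constructions, built in memory with Python's standard zipfile module.

```python
# Added example (not from the original post): inspect a ZIP archive before
# extracting it, and refuse the ZIP-bomb shapes described above.  Budgets and
# the "nested .zip" heuristic are this example's own choices.
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 256 * 1024 * 1024   # inflated bytes we are willing to spend
MAX_RATIO = 100                              # uncompressed:compressed above this is suspicious
MAX_DEPTH = 3                                # nested-archive levels we will descend into
CHUNK = 64 * 1024


class ZipBombSuspected(Exception):
    """Raised when an archive exceeds one of the budgets above."""


def bounded_member_read(zf, info, budget):
    """Inflate one member chunk by chunk and abort once `budget` bytes come out,
    so we never rely on the size the member header claims."""
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            out += chunk
            if len(out) > budget:
                raise ZipBombSuspected(f"{info.filename}: inflated past {budget} bytes")
    return bytes(out)


def inspect_zip(data, depth=0, budget=MAX_TOTAL_UNCOMPRESSED):
    """Summarize an in-memory ZIP from its central directory, descending into
    nested .zip members.  Raises ZipBombSuspected on excessive declared size,
    compression ratio or nesting depth."""
    if depth > MAX_DEPTH:
        raise ZipBombSuspected(f"nested more than {MAX_DEPTH} levels deep")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        compressed = max(sum(i.compress_size for i in infos), 1)
        ratio = declared / compressed
        if declared > budget:
            raise ZipBombSuspected(f"declares {declared} bytes, budget is {budget}")
        if ratio > MAX_RATIO:
            raise ZipBombSuspected(f"ratio {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
        total = declared
        for info in infos:
            if info.filename.lower().endswith(".zip"):
                inner = bounded_member_read(zf, info, budget)
                total += inspect_zip(inner, depth + 1, budget - total)["total"]
        return {"declared": declared, "ratio": ratio, "total": total, "depth": depth}


def is_safe_to_extract(data):
    """True if the archive stays within all budgets (what a file server would check)."""
    try:
        inspect_zip(data)
        return True
    except ZipBombSuspected:
        return False


def make_zip(members):
    """Build a deflated ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def make_nested_bomb(layers, payload_size):
    """Constructed sample in the spirit of 42.zip: `payload_size` zero bytes wrapped
    in `layers` nested archives.  Deflate squeezes a run of zeros roughly 1000:1."""
    data = make_zip({"zeros.bin": b"\0" * payload_size})
    for _ in range(layers - 1):
        data = make_zip({"inner.zip": data})
    return data


if __name__ == "__main__":
    print("benign:", is_safe_to_extract(make_zip({"readme.txt": b"hello"})))
    print("10 MiB of zeros:", is_safe_to_extract(make_nested_bomb(1, 10 * 1024 * 1024)))
    print("5 levels deep:", is_safe_to_extract(make_nested_bomb(5, 100)))
```

Two design points: the ratio and total are computed from the central directory without inflating anything, so the check is cheap, but because a hostile header can lie about sizes, nested members are read through a bounded reader that stops at the budget rather than trusting the declared size. The nesting limit is what defeats the 42.zip shape, where every single level looks harmless on its own.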
Let's move on to ransomware Trojans. These impudent creatures can do great harm to a system and then demand a sum of money to restore it to its original state. Trojans that encrypt the user's files and demand that you send an SMS to receive a code and decrypt your precious data are quite common. Or the Trojan only blocks work with the system, without damaging files. Of course, for credibility, so that the user believes it and is imbued with the gravity of the situation, the attacker presents his handiwork as an official utility and puts forward some "official" reason, most often an alleged violation of the license or the terms of use. Here's an example:
Want to see an even dumber example? Here you go: a fake BSOD.
Technologies of the future. Send an SMS, enter a code and your computer will repair itself!
And there are cases where the extortionist is such an amateur that it is high time he studied the peculiarities of character encodings, because his message comes out garbled:
No chance of this working, even on an inexperienced user.
Some blockers of this kind tell the user to transfer a certain sum to the specified phone number and promise that the unlock code will be printed on the receipt. Honestly, I can't imagine it. For a payment terminal to print an unlock code on its receipt, the author of the winlocker would at least have to cooperate with the payment system operator, which, for obvious reasons, is impossible.
Winlockers usually spread through infected sites (although this applies more often to worms), files from such sites, file hosting services, fake archivers (remember the previous post) and removable media. The prevalence of, and the pile of variations on, even a single winlocker again forces antivirus developers to bother and write something like keygens for these blatant pests – unlock code generators. For encrypting Trojans, dedicated decryptors have been developed that may grind away for a couple of days or a whole week decrypting your data. It is worth noting that even if you send the SMS, the Trojan is unlikely to go away – in some winlocker versions the code entry field does not check what is typed into it at all, and once he has the money the attacker no longer cares about you. Why bother sending out unlock codes if the main goal – extortion – has already been achieved?
As mentioned above, Trojans can also steal information. There are plenty of ways to do this. Let's look at the main ones.
One of the simplest methods, which even a novice programmer can implement, is keylogging: at a minimum, logging (recording) keystrokes. From the finished log you can extract quite a lot of useful information – logins and passwords, for example, and if the victim made an online purchase, bank card details. The log itself can be kept in RAM and the collected data forwarded to the attacker later, stored on the hard drive, uploaded to the attacker's FTP server, or sent to him by email.
Another method of obtaining information is spyware, mentioned in the previous post. As a rule, it collects information without the user's knowledge, and what is at risk of leaking is information about the hardware, the software installed on the computer, saved logins and passwords, and files. Spyware can also change system settings if that helps it get at the data it needs. There are also form grabbers, programs for stealing data from forms – in particular, from filled-in text fields, password fields included. The data a form grabber collects is assembled into a log and sent to the attacker – it could be a login, a password, bank card data or, for example, this very text, which I am typing into a web form in exactly the same way. Besides ordinary keyloggers and form grabbers, there are other data-gathering programs – for example, ones that take screenshots at a set interval or when a certain signal is received. As is already clear, the screenshots are sent to the attacker.
Backdoors (back – rear, door – door) are software for obtaining repeated or fuller access to the victim's system, up to and including remote control. Of course, in this case there are essentially no limits on the data at risk: an attacker can steal everything and control your computer remotely. As a rule, a backdoor is installed after an initial infection or break-in, and rootkits or bootkits are usually used to hide it.
Distinctive features: Trojans are a huge class of malware, and the boundaries between them and other classes are often blurred. But the main difference between Trojans and viruses and worms is the method of propagation: Trojans cannot spread on their own; every copy has to be delivered to the victim and run. These are extremely powerful programs (if written by people who know what they are doing), but for that very reason they are clumsy and fairly easy to spot even without an antivirus, unless aids like rootkits or fake antiviruses are used to hide them. The main goal is to gain control of the system (to obtain data or for extortion).
Viruses
These little animals, like worms, are able to spread by themselves, without human intervention. They grew out of programs that did no harm to the system and were written out of curiosity about code that could "live" its own binary "life". They came to be called viruses proper only in the 1970s–80s, well after the first self-replicating code appeared. That was when the most widespread computer viruses appeared, infecting computers and destroying the data on them. And off it went: worms, Trojans and the first antiviruses appeared.
Viruses have the advantages of both worms and Trojans: they are mobile and spread easily, like worms, and their functionality is remarkable, like that of Trojans. Viruses can parasitize files, inserting themselves into them and thereby damaging the file, or they can simply run through the file system, destroying everything in their path without injecting their code anywhere. They can be written in assembly language to take up less disk space and so that their code executes quickly and quietly, or they can be embedded in JS/VBS scripts and even Microsoft Office macros. They can spy on you, or they can act openly, not hesitating to show the user what they are doing, and they do not hesitate to exploit the vulnerabilities of other programs. The class of polymorphic viruses modifies its own code to reduce the likelihood of detection. That is why "virus" today is a rather vague class: the word is usually used for any kind of infection that gets onto a computer.
Viruses can spread in almost any way – from the simplest flash drive to XSS (cross-site scripting). Often they do not travel alone, or, once on the victim's computer, they download their "friends".
Viruses, in fact, do not care which file they infect – but to spread, they need a host that will be executed, that is, a file containing commands of almost any kind. With Windows executables, *.exe, everything is clear. With *.bat and *.com files and *.js and *.vbs scripts, in general, too. Many people remember the epidemic of worms and viruses that used the autorun.inf file located in the root of flash drives and of logical volumes on hard drives.
When you open such a flash drive, the suspicious file is launched. As you can see, the icon does not give it away. Click to enlarge the picture.
There was one more point: the settings for showing hidden files and folders, including system ones, as well as the setting for showing extensions, were always kept under control by the malware. If the user changed these parameters, the infection was in danger of an ignominious discovery even without an antivirus, so it had to reset these options to its own template – which, however, already gave away its presence.
I apologize for the English screenshot.
This is how a flash drive could be made to run an executable the moment it was opened. What's more, in Windows XP, as I remember, it was possible to set a flag in the autorun file
, after which Windows would not even ask the user what to do with the flash drive – open it to view files, play the music on it, or look at the pictures in a viewer – and simply acted on the autorun file. For security reasons this key was removed in later versions of Windows (and since 2011 Windows no longer honours autorun.inf on USB drives at all, only on CDs and DVDs). In general, the autorun file is a huge hole in Windows security, given how easily it can be modified and how much it can customize.
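To make the autorun trick concrete, here is an added example (not code from the original post) of the check an endpoint tool could run on a removable drive: parse autorun.inf, see what it launches, and cross-check the target against the drive's directory listing. The keys open, shellexecute, shell\open\command, icon and action are real autorun.inf keys; the sample file and the listing dictionary are constructed for this example, the latter standing in for a real scan of the drive's file attributes.

```python
# Added example (not from the original post): assess a removable drive's
# autorun.inf the way an endpoint check could.  `open`, `shellexecute`,
# `shell\open\command`, `icon` and `action` are real autorun.inf keys; the
# sample file and the directory listing below are constructed for this example.
import configparser

LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "hta", "msi"}


def parse_autorun(inf_text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower            # key names are case-insensitive on Windows
    cp.read_string(inf_text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def normalize_path(path):
    """Relative path as a lower-cased, backslash-separated key for the listing."""
    return path.strip('"').replace("/", "\\").lstrip("\\").lower()


def assess_autorun(inf_text, listing):
    """Combine the autorun.inf contents with a directory listing of the drive.

    `listing` maps lower-cased relative paths to attribute flags, e.g.
    {"recycler\\update.exe": {"hidden": True, "system": True}}, as a stand-in
    for a real scan of the drive.  Returns the launch targets and a set of flags."""
    keys = parse_autorun(inf_text)
    flags, targets = set(), []
    for key in LAUNCH_KEYS:
        value = keys.get(key)
        if not value:
            continue
        target = value.split()[0].strip('"')          # drop any arguments
        targets.append(target)
        flags.add("launch_on_open")
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext in EXEC_EXTS:
            flags.add("executable_target")
        attrs = listing.get(normalize_path(target), {})
        if attrs.get("hidden") or attrs.get("system"):
            flags.add("hidden_target")                # hidden+system: invisible by default
    # Borrowing a stock icon makes the drive look like an ordinary folder or disk.
    if "shell32.dll" in keys.get("icon", "").lower():
        flags.add("system_icon_masquerade")
    # Mimicking the built-in "Open folder to view files" AutoPlay entry.
    if keys.get("action", "").lower().startswith("open folder"):
        flags.add("fake_autoplay_label")
    return {"targets": targets, "flags": flags}


def looks_like_autorun_worm(inf_text, listing):
    """A CD installer may legitimately use open=setup.exe; the worm pattern is a
    launch key combined with a hidden target, a fake label or a borrowed icon."""
    flags = assess_autorun(inf_text, listing)["flags"]
    return "launch_on_open" in flags and bool(
        flags & {"hidden_target", "fake_autoplay_label", "system_icon_masquerade"})


# Constructed sample: what a typical flash-drive infection of that era looked like.
SAMPLE_INF = """[AutoRun]
open=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\update.exe
"""
SAMPLE_LISTING = {"recycler\\update.exe": {"hidden": True, "system": True}}

BENIGN_INF = """[autorun]
label=Photos 2013
icon=photos.ico
"""

if __name__ == "__main__":
    print(assess_autorun(SAMPLE_INF, SAMPLE_LISTING))
    print("worm pattern:", looks_like_autorun_worm(SAMPLE_INF, SAMPLE_LISTING))
    print("benign:", looks_like_autorun_worm(BENIGN_INF, {}))
```

The verdict function deliberately does not fire on a launch key alone, because pressed software CDs used exactly that to start their installers; it is the combination with a hidden, system-attributed target and a label that imitates the stock "Open folder to view files" choice that marks the infection the post describes.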
As for the polymorphism of viruses, this is a very interesting property that lets a virus stay undetected longer by modifying its own code as it runs, without losing functionality. The point is that when an antivirus scans a file, it checks whether the file contains pieces of code it knows as malicious (viruses as well as other threats), comparing blocks of the file with its signatures – roughly speaking, byte sequences taken from the viruses themselves – and if a block matches a sample, the antivirus marks the file as infected. Polymorphism allows a virus to infect a file in such a way that the injected code differs from the signature and passes the check. In practice the part that stays constant is the small decryptor that restores the mutated body at run time, so scanners look for that stub instead, or emulate the code until the real body is revealed.
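The following toy model, an added example and not code from the original post, shows the three sides of this: a plain substring "signature" finds the body, the same signature fails on every wrapped copy because each copy is XOR-ed with a fresh key, and the scanner gets it back either by matching the invariant decryptor stub or by emulating the stub (decoding) before scanning. The "virus body" is a constructed byte string and the XOR wrapper is a stand-in for a real polymorphic engine's encryption layer; no real malware is involved.

```python
# Added example (not from the original post): a toy model of why a byte-signature
# scanner misses polymorphic code, and what scanners do about it.  The "virus
# body" is a constructed byte string, and the XOR wrapper stands in for a real
# polymorphic engine's encryption layer.
import os

PAYLOAD = b"[body] copy self into host file, patch entry point, jump back"
BODY_SIGNATURE = b"copy self into host file"   # what a naive scanner keeps in its database
STUB_MAGIC = b"\x7fDEC1"                       # toy decryptor stub; the same in every copy


def signature_scan(sample, signatures):
    """Return the signatures that occur in `sample` as exact byte substrings."""
    return [sig for sig in signatures if sig in sample]


def polymorphic_wrap(payload, key=None):
    """Produce one copy: stub + per-copy key + payload XOR-ed with that key.
    A fresh key each time means every copy has different bytes for the same body."""
    if key is None:
        key = bytes(1 + b % 255 for b in os.urandom(8))   # 1..255, never 0
    if not key or len(key) > 255 or 0 in key:
        raise ValueError("key must be 1..255 bytes with no zero byte")
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([len(key)]) + key + encoded


def polymorphic_unwrap(blob):
    """What the stub does at run time, and what an antivirus emulator reproduces."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("no decryptor stub found")
    pos = len(STUB_MAGIC)
    klen = blob[pos]
    key = blob[pos + 1:pos + 1 + klen]
    encoded = blob[pos + 1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(encoded))


def emulating_scan(sample, signatures):
    """Scan the bytes as they are, and if a stub is present also scan the decoded body."""
    hits = set(signature_scan(sample, signatures))
    if sample.startswith(STUB_MAGIC):
        hits.update(signature_scan(polymorphic_unwrap(sample), signatures))
    return sorted(hits)


if __name__ == "__main__":
    copy_a, copy_b = polymorphic_wrap(PAYLOAD), polymorphic_wrap(PAYLOAD)
    print("copies identical:", copy_a == copy_b)
    print("body signature in plain payload:", signature_scan(PAYLOAD, [BODY_SIGNATURE]))
    print("body signature in a copy:", signature_scan(copy_a, [BODY_SIGNATURE]))
    print("stub signature in a copy:", signature_scan(copy_a, [STUB_MAGIC]))
    print("emulating scan of a copy:", emulating_scan(copy_a, [BODY_SIGNATURE]))
```

The zero-byte check on the key is there because a zero key byte would leave the corresponding payload bytes unchanged and could let a fragment of the signature survive. Real engines go one step further and also mutate the decryptor itself, which is why signature-matching the stub is only a partial answer and emulation or behavioural heuristics are needed as well.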
Exploits
The best-known sense of "exploit" is in web hacking, where it is a piece of code or a command – or rather a request – that uses a vulnerability in a site or its engine to gain access to sensitive information. Exploits often rely on a Java or Flash vulnerability. But there are also local exploits, and their purpose is the same: either to crash the system (or server), or to escalate your privileges, for example in order to install a rootkit. The working principle of any exploit is the same – taking advantage of a vulnerability in the system. The exploit itself is only the way in; whatever it installs afterwards is a separate component.
Others
Although I mentioned the term "bootkit", it seems I have not explained it yet. It comes from the English words boot – loading and kit – set. This is incredibly difficult malware to detect; its peculiarity is that it takes complete control of the system already at the boot stage: the malicious code is embedded in the disk's master boot record (MBR, Master Boot Record), which lets it activate before the OS loads and control the OS, while the OS does not even suspect it is infected.
In the paragraph about worms I mentioned botnets. They became popular with the development of peer-to-peer (P2P) networks and, in particular, cryptocurrencies. The fact is that almost any kind of "harmful creature" can turn a computer into a "zombie" that works for the attacker's benefit. That "benefit" may consist in mounting a DDoS attack (Distributed Denial of Service), in which every computer in the botnet bombards the target server with packets. The owners of the computers in the "zombie network" may suspect nothing of their pets' hidden activity, while the attacked server collapses under the pressure of the huge number of packets. As for botnets used for mining, I think I described this process in a previous post. Its essence is that the zombified computers are used to mine cryptocurrency, and most often the users do not even know it: for example, mining may only be activated when the computer is idle, so the user does not even notice the load on the processor cores. There are already known cases of such botnets built from Android devices, where mining was activated only when the device was idle and charging – so the heat could be taken for heat from charging rather than from load.
Data theft can also be done with sniffers (from sniff). They analyze the traffic the user sends and/or receives. Obviously, before analyzing someone else's traffic you have to get hold of it and intercept it somehow, because a sniffer only picks up traffic that passes through the attacker's own network card. This can be done with access to the victim's network equipment – many routers and switches allow traffic from one port to be duplicated to another (usually called port mirroring). Otherwise the attacker has to insert himself into the path, thereby staging a MitM (Man in the Middle) attack. In fairness, I should note that sniffers are part of probably every system administrator's toolkit, usually for diagnosing a connection, as well as for checking traffic for "infectiousness". For example, I once had to use a sniffer to find out why SIP telephony was not working, so sniffers can be useful.
Looks pretty awful if you don't filter the traffic by type, doesn't it?
Joke programs, or pranks, I believe, need no introduction. In general they do no harm to the computer, but the user may tear out some of his hair on noticing that a poltergeist of some kind is haunting his computer.
To sum up, I will say that I described the main types of malware rather superficially, because a post full of details would not be so interesting to read – and if everything were described in full detail, such a post would be no shorter than Homer's epics. And it turned out a little chaotic, but I hope the information will be useful. I would like not only beginners but also experienced users to find something new for themselves in this post. I will probably devote the next post to what a user should do on detecting any unlawful activity. Well, besides setting an antivirus on the impudent "creature". 😉 And if it fits, I'll start a conversation about security in Wi-Fi networks – let's look at the wireless settings on a home router.
Thank you all for your attention, I will be glad to receive comments and suggestions for the next posts.