Hi, I am Mitch. I'm here to talk to you today about malware. Malware is malicious software or code that typically damages, takes control of, or collects information from an infected endpoint. Malware broadly includes viruses. Viruses are malware that is self-replicating, but must first infect the host program and be executed by a user or process. Then we have worms. Worms are malware that typically targets a computer network by replicating itself in order to spread rapidly. Unlike viruses, however, worms do not need to infect other programs and do not need to be executed by a user or process. We also have Trojan horses. Trojan horses are malware that is disguised as a harmless program, but actually gives an attacker full control and elevated privileges on an endpoint when installed. Unlike other types of malware, however, Trojan horses are typically not self-replicating. Then there's anti-antivirus. It's a silly name, but what it is, is a type of malware that disables legitimately installed antivirus software on the compromised endpoint, thereby preventing automatic detection and removal of other malware. We also have logic bombs. Logic bombs are a type of malware that is triggered by a specific condition such as a given date or, quite famously, when a particular user account is disabled or deleted. There are also backdoors. Backdoors are a type of malware that allows an attacker to bypass authentication to gain access to a compromised system. Then we have rootkits, with an R. Rootkits are a type of malware that provides privileged or root-level access to a computer. Rootkits live in the BIOS of a machine, which means operating system-level security tools have no visibility into them. Then we also have bootkits, with a B, which is a type of malware that is a kernel mode variant of a rootkit commonly used to attack computers that are protected by full disk encryption. Next, we have spyware and then finally, adware.
Spyware is a type of malware that collects information such as Internet surfing habits, login credentials, and financial account information on an infected endpoint. Spyware often changes browser or other software settings and slows the computer or Internet speeds on an infected endpoint. Adware is a type of spyware that displays annoying advertisements on an infected endpoint, often as pop-ups or banners. Historically, early malware consisted of viruses which displayed annoying but relatively benign error messages or graphics. The first computer virus was called Elk Cloner, which was written in 1982 by a ninth-grade high school student near Pittsburgh, Pennsylvania. Elk Cloner was relatively benign; it was a boot sector virus that displayed a poem on the 50th time an infected floppy disk was inserted into an Apple II computer. On the PC side, the first virus was a boot sector virus written in 1986 called Brain. Brain was also relatively benign and displayed a message with the actual contact information for the creators of the virus. Brain was written by two Pakistani brothers who created the virus so that they could track piracy of their medical software. One of the first computer worms to gain widespread notoriety was the Morris worm, written by a Cornell University graduate student in 1998. The worm exploited weak passwords and known vulnerabilities in several Unix programs and spread rapidly across the early Internet. It's estimated that the worm infected up to 10 percent of all Unix machines connected to the Internet at that time, which was approximately 6,000 computers, sometimes infecting a computer multiple times to the point that it was rendered useless, which is a type of early denial of service attack. The US Government Accountability Office estimated the damage caused by the Morris worm at between 100,000 and 10 million US dollars. The worm's creator became the first felony conviction under the 1986 Computer Fraud and Abuse Act.
Ultimately, he only served three years of probation and performed 400 hours of community service, but he did have to pay a $10,050 fine. More than 35 years have passed since those early examples of malware and, unfortunately, modern malware has evolved and is used for far more sinister purposes. Unlike the creators of Elk Cloner, Brain, and Morris, who today work as a Silicon Valley entrepreneur, run Pakistan's largest Internet service provider, and, third, teach at the Massachusetts Institute of Technology, respectively, modern threat developers are true criminals and terrorists motivated by pure greed and hatred. Modern malware is typically stealthy and evasive and now plays a central role in a coordinated attack against the target. Advanced malware leverages networks to gain power and resilience and can be updated just like any other software application, so that an attacker can change course, dig deeper, or make changes and enact countermeasures. This is a fundamental shift compared to the early types of malware, which were more or less swarms of independent agents that simply infected and replicated. Increasingly, malware has become a centrally coordinated and networked application in a very real sense. In much the same way that the Internet changed what was possible in personal computing, ubiquitous network access is changing what is possible in the world of malware. Now, all malware of the same type can work together towards a common goal, with each infected endpoint expanding the attack foothold and increasing the potential damage to organizations. Some important characteristics and capabilities of advanced malware today include distributed, fault-tolerant architectures. Advanced malware takes full advantage of the resiliency built into the Internet itself.
Advanced malware can have multiple control servers distributed all over the world with multiple fallback options, and can also potentially leverage other infected endpoints as communication channels, providing a near-infinite number of communication paths to adapt to changing conditions or update code as needed. Next, there's multifunctionality. Updates from command and control servers can also completely change the functionality of advanced malware. This multifunctional capability enables an attacker to use various endpoints strategically in order to accomplish specific desired tasks, such as stealing credit card numbers, sending spam containing other malware payloads like spyware, or installing ransomware for the purposes of extortion. Also, malware uses polymorphism or metamorphism, a cool name, very sci-fi-esque. However, some advanced malware has entire sections of code that serve no purpose whatsoever other than to change the signature of the malware, thus producing an infinite number of unique signature hashes for even the smallest malware programs. Techniques such as polymorphism and metamorphism are used to avoid detection by traditional signature-based antimalware tools and software. For example, just changing a single character, a bit of the file or source code, completely changes the hash signature of that malware. Last, we have obfuscation. Advanced malware often uses common obfuscation techniques to hide certain binary strings that are characteristically used in malware, and therefore easily detected by antimalware signatures. Or obfuscation can be used to hide an entire malware program. Thanks for joining me for this discussion on malware.
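The two detection points made above (a one-bit change defeats a hash signature; obfuscation hides characteristic strings from content signatures) can be shown from the defender's side. The following Python script is an added example, not part of the talk: the "sample" bytes, the beacon string and the XOR key are all constructed for illustration and are not real malware or indicators.

```python
import hashlib

# Constructed stand-in for a malicious file (NOT real malware): a fake header,
# a characteristic "beacon" string, and some padding bytes.
BEACON = b"beacon://c2.example.invalid/checkin"   # constructed, not a real indicator
BASE_SAMPLE = b"\x7fFAKEHDR" + BEACON + b"\x00" * 16

def file_hash(data: bytes) -> str:
    """Exact-match signature: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()

def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Minimal polymorphic change: flip a single bit in one byte."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def hash_blocklist_match(data: bytes, blocklist: set) -> bool:
    return file_hash(data) in blocklist

def pattern_match(data: bytes, pattern: bytes) -> bool:
    """Content signature (a simplified YARA-style string rule)."""
    return pattern in data

def pattern_match_any_xor_key(data: bytes, pattern: bytes):
    """Analyst-style scan: test the pattern under every single-byte XOR key.
    Key 0 is the unobfuscated case. Returns the revealing key, or None."""
    for key in range(256):
        if pattern in xor_bytes(data, key):
            return key
    return None

def run_demo() -> dict:
    blocklist = {file_hash(BASE_SAMPLE)}          # hash of the known-bad original
    # Variant 1: one bit flipped in the trailing padding; behaviour unchanged.
    flipped = flip_one_bit(BASE_SAMPLE, len(BASE_SAMPLE) - 1)
    # Variant 2: the beacon string stored XOR-encoded with a constructed key.
    obfuscated = BASE_SAMPLE.replace(BEACON, xor_bytes(BEACON, 0x5A))
    return {
        "hash_changed_by_one_bit": file_hash(BASE_SAMPLE) != file_hash(flipped),
        "blocklist_hits_flipped": hash_blocklist_match(flipped, blocklist),
        "pattern_hits_flipped": pattern_match(flipped, b"beacon://"),
        "pattern_hits_obfuscated": pattern_match(obfuscated, b"beacon://"),
        "xor_scan_key_obfuscated": pattern_match_any_xor_key(obfuscated, b"beacon://"),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The hash blocklist misses the one-bit variant while the string rule still catches it; the string rule in turn misses the XOR-encoded variant until the scan tries candidate keys, which is why signature engines and analysts combine several detection layers rather than relying on file hashes alone.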