The umbrella term ‘malware’ is a portmanteau of the words ‘malicious’ and ‘software’.
There are many types of malware, and the list just keeps growing. In the majority of cases, the main goal behind all of them is to make money and/or cause damage. They can do that in any number of ways, including but not limited to:
- stealing your data and selling it
- injecting extra ads into your web browsing experience
- stealthily controlling your computer to later use it as part of a ‘botnet’ to attack other, larger targets (or for any number of other reasons)
- using the processing power of your computer to mine cryptocurrency
- encrypting your files, rendering them inaccessible, and then demanding a ransom payment to decrypt them
In this article we will look at the most common ways you may end up getting malware, what you can do to protect yourself from them, or rid yourself of them, as well as a short description of a handful of the types of malware that exist out in the wild.
Common avenues of infection
Generally, malware relies on some type of social engineering/tricking of the user to get them to install the malicious program. (Learn more about social engineering from my other article on that topic here.)
This can take the form of:
- a malicious link in a phishing email or social media post directing you to a website that will sneakily run a script to install the malware
- malware disguised as legitimate software (fake antivirus software is a popular one)
- malware that tags along with legitimate software (for example, if downloaded from an illegitimate source via a tricky search result)
- ‘free’ media streaming websites. These will either sneakily install, or ask you to install, some type of malware before you can watch their streams. They say it is needed to view the video, or use some other such trickery.
- infected removable drives (USB sticks or external hard drives)
- a previous malware infection. It is common for malware to install even more malware after the initial infection.
- a hacked and compromised, formerly legitimate website that has been turned into a vehicle for malware
Optional side story:
In a previous job at a different institution there was a certain individual I would see regularly because they kept infecting their computer with the same malware. I would have to totally wipe out their computer and freshly install Windows at every visit. In chatting with him on his first visit, I deduced that he infected his computer because he visited a site that would illegally stream live soccer games. I informed him of that fact and yet I would continue to see him weekly during the soccer season. I told him he needs to stop going to this page and find a legitimate way of watching soccer. His reply was that it is easier for me to fix his computer after every game than it is for him to pay for a legit sports streaming service. I can’t argue with that logic! However, I wonder how much damage was done in those times between him watching his soccer game and his visit to me to remove the resulting malware.
How to protect yourself from malware
There are many everyday steps you can take to keep yourself protected. It is not hard once you are aware of what to do and what not to do.
- Always install updates for your software and operating system. It is really quite incredible how huge an impact this easy step has on keeping you secure.
- Use a non-admin account whenever possible. To make this easier than it sounds, create yourself an admin account but never log in to it. Instead, use your normal account; when you need to install software, a prompt will pop up asking for the admin account's password. Enter it and you are on your way. This will stop many types of malware from being able to install or carry out their tasks.
- Use antivirus on your Windows PC. At Trent we trust the included Microsoft Windows Security software for all our computers. If you want to use another on your personal devices, just make sure you research it first.
- Periodically scan your device with Malwarebytes(.com) (DISCLAIMER: this is free software but only for personal machines, so it is not an option for those working on Trent computers). When done scanning, feel free to uninstall it until the next time. This works equally well on Mac and PC.
- Always install software from the vendor's official website; never just click the first search result, as it could be an ad/trick to get you to install a competitor's product or a trojan virus.
- When installing new software, read every step of the install process to ensure it is not going to automatically install some unwanted software alongside it. Sometimes there is a pre-ticked checkbox saying ‘also install this!’; just untick it.
- Do not plug unknown USB sticks or external hard drives into any of your devices. They can be configured to install malware as soon as they are plugged in (there are even some designed to physically destroy your computer by releasing an electric charge when plugged in!). If you find one on the floor or in the parking lot, it could have been infected and left there on purpose (this is called a road apple attack, feeding off that ‘Hey! Free USB!’ thought process). It could just be a student's USB stick, unwittingly infected as well. Or it could be totally safe. The point is there is no way to tell, and it is not worth the risk of finding out. Bring it to IT (Bata) or Security (Blackburn Hall).
- Be wary of links in email, especially unexpected ones. Remember, if you are going to click a link in an email, always hover over the link to make sure it is going where you expect it to, and make sure it is from someone you trust.
- Do not open unknown or unexpected attachments in emails. Be especially wary of Office documents and PDFs, as these are commonly used as vehicles for malicious code.
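As an added example (not part of the original post), the following PowerShell script sets up the non-admin arrangement recommended above on a personal Windows 10/11 machine: it checks whether the account you are logged in with is an administrator, creates a separate admin-only account if one does not exist, and only then demotes your everyday account to a standard user. The account name "LocalAdmin" is a placeholder, and it assumes the built-in LocalAccounts cmdlets are available and that you run it once from an elevated PowerShell window.

```powershell
# Added example: separate admin-only account + standard everyday account.
# Assumes Windows 10/11 with the Microsoft.PowerShell.LocalAccounts cmdlets.
# Run once from an elevated (Run as administrator) PowerShell window.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Host "Account '$($identity.Name)' is already a standard user. Nothing to do."
    return
}

$adminName = "LocalAdmin"   # placeholder name for the admin-only account

# Create the admin-only account if it does not exist yet. The password is
# prompted for interactively rather than written into the script.
if (-not (Get-LocalUser -Name $adminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for the new '$adminName' account" -AsSecureString
    New-LocalUser -Name $adminName -Password $pw -PasswordNeverExpires `
        -Description "Admin-only account; never log in with it" | Out-Null
    Add-LocalGroupMember -Group "Administrators" -Member $adminName
}

# Demote the current account only once the second administrator is confirmed
# in the group; otherwise you could lock yourself out of administering the PC.
$admins = Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
if ($admins -contains "$env:COMPUTERNAME\$adminName") {
    Remove-LocalGroupMember -Group "Administrators" -Member $identity.Name
    Write-Host "Removed '$($identity.Name)' from Administrators. Sign out and back in to apply."
    Write-Host "Installs that need admin rights will now prompt for the '$adminName' password."
} else {
    Write-Host "Could not confirm '$adminName' in Administrators; your account was left unchanged."
}
```

If you sign in with a Microsoft account rather than a local account, the name reported by `$identity.Name` is the one the LocalAccounts cmdlets expect, so the same script applies.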
How to remove malware
Your antivirus software may be able to remove the infection, alongside Malwarebytes. If it is that easy, then run those scans, reboot and you are done!
The next easiest step is to check your browser and remove any extensions you do not absolutely need, as these are a great source of adware. They could be the culprit, especially if you are getting pop-ups on your computer asking you to install antivirus etc.
Next, run through your list of installed programs and delete whatever you do not use anymore. If there are any you are not familiar with, Google them first before uninstalling, just in case they're important to the operating system.
When done, reboot your computer.
If none of the above works…
I am a big proponent of starting over from scratch.
It sounds drastic, but in my experience it is orders of magnitude easier and faster than removing stubborn infections AND you won't be left wondering if you got every trace of it.
If the infected device is a Trent computer, the recommendation will always be to back up your files and call/visit IT to get your computer reimaged as soon as possible. It is not worth the time or risk to your files or the university to try to battle malware that is not easily removed with a scan.
DISCLAIMER: Whether you are staff or faculty bringing your computer to IT, or a student doing this on your own with your own device, you are responsible for your own data. Make sure you backup your data first as you will lose everything currently on your computer when the operating system is reinstalled.
How to reinstall your operating system:
(personal devices only, bring Trent Dell computers to IT for a reimage)
If you are on your own device and you do not want to fully reinstall your operating system, you can attempt the manual route. Just search online for ‘how to remove [name of malware your antivirus reports but can’t get rid of]’. It is never straightforward though, and most of the time tricky and frustrating.
Types of Malware
Virus – code that replicates itself and hides among or replaces legitimate programs, and then runs itself without permission or knowledge of the user. Some are programmed to delete files or pop up messages, video or audio automatically. They can infect individual files and can therefore move around with them and survive being backed up etc.
Worms – self-replicating, with the aim of spreading to other computers on the network. They do not require any user interaction, silently carrying out their objective (whatever that may be).
Trojans – just like the Trojan Horse the Greeks used to get into Troy, the idea here is to hide malicious code within another piece of software as a way to trick an individual into running it on their computer. This bypasses the whole problem of ‘how to get malware to the computer’ as well as ‘how do we get the software to run itself with administrative permissions’.
Hybrids – can combine features of multiple types of malware in one to create a more devastating result. For example, a virus that comes in as a trojan, and can also infect other computers by traversing the network the way a worm can.
Ransomware – immediately starts encrypting all non-operating system files. When it is done, a message will pop up informing you that your files are now inaccessible to you unless you pay a ransom to get the encryption key. Note that even paying does not guarantee you will get your files back, and it is possible your files have also been exfiltrated and are now being sold on the dark web.
Fileless malware – a relatively new threat. It does not rely on files and does not leave a footprint on disk, which makes it tricky to find, let alone remove. Its goal can vary, just like the other types; what differs is that it does not sit as a file on the hard drive. Instead it uses trusted, unmonitored software like PowerShell to start scripts that run in memory only and have very short lifespans. They get in, cause damage and then disappear.
Adware – generally exhibits trojan like behaviours, piggybacking on free game downloads or browser extensions. The goal of adware is to inject extra ads into webpages you visit in an effort to glean little bits of advertising clicks off of every infected computer. These can be more dangerous than just showing ads as they can help the attacker trick a target into clicking a link that can install more malicious types of malware.
Spyware – gathers data about you and your computer and then forwards it out to a third party without your consent. The idea being to profit from the stolen data. It can capture what you type, pictures of what is on your screen as well as other data ranging from usernames/passwords, credit card numbers, browsing habits etc.
Crypto mining malware – stealthy malware that uses the power of your computer to mine cryptocurrencies for the attacker. Some are browser based, as in they run in the background when you are on specific sites, others are software based that get installed on your computer.
Rootkit – hides its presence by taking over the names and actions of legitimate tools while tacking on its own malicious actions. When you run the legitimate software, it still does what it is supposed to do, but stealthily runs the malicious code in the background as well. Once infected, the computer can be controlled remotely to execute malicious actions, download new and more malware, exfiltrate data etc.
Bootkits – install themselves outside of the operating system. This helps them hide, as they cannot be scanned for conventionally by software within the operating system, since they are not actually residing there.
Now you know! And…
A large portion of cyber security is awareness, so knowing may be even more than half the battle in this case!
Stavros Tzagadouris - Level 1 Information Security Officer - Trent University