The new RestrictedAdmin RDP – Security Trade-Off and Pass-the-Hash Exposure

Windows 8.1 and Windows Server 2012 R2 come with a new feature called RestrictedAdmin RDP, in which your credentials are no longer stored on the remote computer.

I have read many arguments on the internet about whether this is a good security feature or something that makes you more vulnerable to pass-the-hash attacks. In this blog post, I will try to share my thoughts.

To get into this hot topic, I will start by comparing Interactive Logon with Network Logon.

Interactive Logon

  • John inputs his credentials to the machine by entering his username and password.
  • The machine checks whether the credentials are right by contacting a domain controller (using Kerberos by default, or NTLM when Kerberos is not available).
  • If the domain controller approves that identity, the user is authorized to access the machine and Single Sign-On (SSO) data is stored on that machine. This can be a Ticket Granting Ticket (TGT) or the NTLM hash of the user's password. The SSO data is stored in memory and is required to give John a Single Sign-On experience, so he can access network resources without typing his credentials over and over.

[Figure: pass-the-hash-6]

Network Domain Logon

  • So now John has logged on to his machine using Interactive Logon and has his SSO data stored in memory, as shown in the previous figure.
  • When John wants to access a network resource like a remote file share using Network Domain Logon, an SSO token derivative (a Kerberos TGS ticket or a challenge encrypted with the NTLM hash) is used to prove the user's identity to the target machine.
  • The target machine uses the Domain Controller to validate the authenticity of the SSO derivative and to receive authorization data for the user. It is important to note that the SSO token itself does not leave the user's machine; specifically, it is not sent to the target machine.

Which one is better?

  • From John's machine's perspective, Network Logon is better: when he accesses a network share using Network Logon, his actual SSO data is not sent to the target server, so Network Logon reduces the user's exposure to pass-the-hash attacks.
  • From the remote server's perspective, allowing Network Logon means that an attacker who has the user's hash can use Network Logon to access it. On the other hand, if that server does not allow Network Logon, then a pass-the-hash attack is not possible. In other words, a server that does not allow network logon is not vulnerable to pass-the-hash attacks.

How normal RDP connection works (without /RestrictedAdmin)?

Prior to Windows 8.1, the only way to connect and authenticate to a remote computer using RDP was with the Remote Interactive Logon Process.

  • John enters his credentials into the RDP client.
  • The RDP client performs a Network Logon to the target server to authorize John.
  • Once John is authorized, the RDP client securely relays the credentials to the target machine over a secure channel.
  • The target server uses these credentials to perform an Interactive Logon on behalf of John.

Note: the remote server must gain access to the actual credentials to allow the remote desktop connection.

How does a RestrictedAdmin RDP connection work?

Using this mode with administrative credentials, RDP will try to log on interactively to the remote server without sending credentials. RestrictedAdmin mode does not at any point send plain-text or other reusable forms of credentials to remote computers.

This means that if an attacker has only the hash of the password, he can access a remote computer using RestrictedAdmin mode, as the actual credentials are no longer a requirement to establish the connection. Without RestrictedAdmin mode, knowing the actual credentials is a must.

In other words, Network Authentication is used heavily with RestrictedAdmin RDP, which means that either NTLM or Kerberos will work by default.

Previously, if you knew the admin hash, you could pass-the-hash with the psexec tool and take over the remote system if SMB/RPC (ports 445, 135, 139) were exposed. But because many administrators already block these ports and leave only inbound RDP allowed, the attacker can now pass-the-hash over the RDP protocol instead.

Windows 8.1 Security Improvements – RestrictedAdmin RDP

Windows 8.1 and Windows Server 2012 R2 come with many security improvements. My favorite feature is related to RDP, as I usually use RDP, besides PowerShell, to administer all my servers.

This measure is meant to enhance Windows credential protection against attacks such as pass-the-hash.

The new feature is called Restricted Admin Mode for RDP. Usually when you connect to a remote computer using RDP, your credentials are stored on the remote computer that you RDP into. Since you are usually using a powerful account to connect to remote servers, having your credentials stored on all of these computers is indeed a security threat.

Imagine you are connecting to a Remote Desktop Server with your admin credentials using RDP. With so many other users using that server, the possibility of malware infecting that box is high.

With the new feature introduced in Windows 8.1 and Windows Server 2012 R2, when you connect to a remote computer using the command MSTSC.EXE /RESTRICTEDADMIN, you will be authenticated to the remote computer but your credentials will not be stored on that computer as they would have been in the past. This means that if malware or even a malicious user is active on that server, your credentials will not be available on that remote desktop server.

When connecting to a remote computer using RDP and specifying the /RestrictedAdmin switch, the experience looks like this:

[Figure: restrictedadmin RDP 1]

Things to watch out for when using this feature

When you connect to a remote computer using this feature, your identity is preserved on that remote server. Say, for example, that you are connecting from your machine to a server called SRV1: any activity you perform during that remote desktop session on SRV1 is performed using your identity. If you try to access any network resource from that remote server (SRV1), however, the identity that is used is the computer account SRV1$, and not your identity. This is because your identity is not stored on SRV1 and cannot be used to jump or connect to a second network resource from there.

Microsoft documentation mentions this “Restricted mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated.”

So if I connect to SRV1 from my machine and then try to access the admin share on SRV2 from that remote desktop session, the connection will be made using the SRV1 computer account and not my account.
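To see the Interactive/Network/RemoteInteractive distinction from the first section, and the second-hop behaviour just described, in the Security log, the following PowerShell classifies 4624 logon events by their LogonType and flags network logons that arrive as a computer account (the SRV1$ case). This is an added example, not code from the original post; the logon-type numbers are Microsoft's documented values, and the sample events are constructed for this illustration.

```powershell
# Added example (not from the original post): classify 4624 logon events by LogonType
# so that Interactive (2), Network (3) and RemoteInteractive (10, i.e. RDP) logons are
# visible, and flag Network logons made by a computer account (name ending in '$'),
# which is what SRV2 records when a RestrictedAdmin session on SRV1 reaches it.
$LogonTypeNames = @{
    2  = 'Interactive'
    3  = 'Network'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function ConvertTo-LogonSummary {
    param(
        [Parameter(Mandatory)] [int]    $LogonType,
        [Parameter(Mandatory)] [string] $TargetUserName,
        [Parameter(Mandatory)] [string] $WorkstationName,
        [Parameter(Mandatory)] [string] $AuthenticationPackage
    )
    $name = if ($LogonTypeNames.ContainsKey($LogonType)) { $LogonTypeNames[$LogonType] } else { "Unknown($LogonType)" }
    # A trailing '$' marks a computer account, i.e. the far server sees the host, not the user.
    $isComputerAccount = $TargetUserName.EndsWith('$')
    [pscustomobject]@{
        LogonType        = $name
        Account          = $TargetUserName
        From             = $WorkstationName
        AuthPackage      = $AuthenticationPackage
        # Interactive-style logons leave reusable SSO data in memory on the host.
        CredentialOnHost = ($LogonType -in 2, 10, 11)
        SecondHopAsHost  = ($LogonType -eq 3 -and $isComputerAccount)
    }
}

# Constructed sample events: John logs on to his PC, RDPs to SRV1, and SRV1 then
# reaches SRV2 as its own computer account (the RestrictedAdmin second hop).
$SampleEvents = @(
    @{ LogonType = 2;  TargetUserName = 'john';  WorkstationName = 'JOHN-PC'; AuthenticationPackage = 'Kerberos'  },
    @{ LogonType = 10; TargetUserName = 'john';  WorkstationName = 'JOHN-PC'; AuthenticationPackage = 'Negotiate' },
    @{ LogonType = 3;  TargetUserName = 'SRV1$'; WorkstationName = 'SRV1';    AuthenticationPackage = 'Kerberos'  }
)

$SampleEvents | ForEach-Object { $e = $_; ConvertTo-LogonSummary @e } | Format-Table -AutoSize

# On a live host (elevated), feed the same function from the Security log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 | ForEach-Object {
#     $x = [xml]$_.ToXml()
#     $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     ConvertTo-LogonSummary -LogonType ([int]$d.LogonType) -TargetUserName $d.TargetUserName `
#         -WorkstationName $d.WorkstationName -AuthenticationPackage $d.AuthenticationPackageName
# }
```

The point to take from the output is the last row: the logon on SRV2 is a Network logon by SRV1$, so nothing belonging to John is ever presented to SRV2, which is exactly the "credentials are not delegated" limitation quoted from the Microsoft documentation below.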

[Figure: restrictedadmin RDP 2]

GPO Settings

There is a tricky GPO to control and enforce this new feature. The tricky part is that this GPO setting should be applied to the machines initiating the remote desktop session with the /RestrictedAdmin feature, and not to the target RDP server. For example, if I had Windows 8.1 clients all over my network, it would be a good idea to force this setting on my helpdesk personnel's systems, so that when they RDP to client systems they would be forced to use Restricted Admin mode.

The GPO setting is located under Computer Configuration > Administrative Templates > System > Credential Delegation > Restrict delegation of credentials to remote servers.
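Because the policy lives on the initiating client while the target must still support the mode, a quick audit of both sides is useful. The following PowerShell is an added example, not the post's own material: it reads the LSA value DisableRestrictedAdmin on a target server and the CredentialsDelegation policy values that back the GPO named above. Those registry paths and value names are not on the page; they are the values I know the policy writes, so confirm them against your own ADMX before relying on the check.

```powershell
# Added example (not from the original post): audit both sides of Restricted Admin RDP.
# Registry locations below are assumptions based on the policy's ADMX, not taken from the page.

function Test-RestrictedAdminServer {
    # The RDP *target* accepts /RestrictedAdmin connections only when this value is 0.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name 'DisableRestrictedAdmin' -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    [pscustomobject]@{
        Role    = 'RDP target'
        Setting = 'DisableRestrictedAdmin'
        Value   = if ($null -eq $value) { '(absent: platform default applies, which has changed across updates)' } else { $value }
        # Treat anything other than an explicit 0 as "not confirmed" rather than "enabled".
        Enabled = ($value -eq 0)
    }
}

function Test-RestrictedAdminClientPolicy {
    # The GPO "Restrict delegation of credentials to remote servers" applies to the
    # *initiating* client; it is backed by the CredentialsDelegation policy key.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $p   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Role     = 'RDP client (policy applies here, not on the target)'
        Setting  = 'Restrict delegation of credentials to remote servers'
        Enforced = ($p.RestrictedRemoteAdministration -eq 1)
        # Assumed mapping: 1 = require Restricted Admin mode.
        Mode     = $p.RestrictedRemoteAdministrationType
    }
}

Test-RestrictedAdminServer       | Format-List
Test-RestrictedAdminClientPolicy | Format-List

# To enforce the client side without GPO (same values the policy writes), run elevated:
# New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -Force | Out-Null
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -Name 'RestrictedRemoteAdministration'     -Value 1 -Type DWord
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -Name 'RestrictedRemoteAdministrationType' -Value 1 -Type DWord
# The connection itself is then:  mstsc.exe /v:SRV1 /RestrictedAdmin
```

Run the first function on the servers you RDP into and the second on the helpdesk machines; a client that is enforced against a server that does not accept the mode simply cannot connect, which is the safe failure, whereas a client that is not enforced will fall back to a normal remote interactive logon and leave credentials on the server.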

[Figure: restrictedadmin RDP 3]

Limitations

The Restricted Admin mode only applies to administrators and the remote server should support this feature.

Furthermore, the remote server cannot delegate your credentials to a second network resource. This can become a problem with some implementations like remote apps.

Security Trade-Off

There is a big argument on the internet about how vulnerable this feature is, in one way or another, to pass-the-hash attacks. Check my blog post on pass-the-hash to know more.


Pass-the-Hash attack : compromise whole corporate networks P3


Some people simply accept all of these flaws as inherent in single sign-on and centralized authentication. But they do not have to be. Now that we know about the pass-the-hash attack, we will talk here about how we can protect our network from this type of attack. We will be talking about "Network Mitigation".

1. Local Accounts

The problem with local accounts is that many organizations use the same username and password combination across machines. This can be because you have a standard image that you are deploying across the network machines, or because you use local accounts to troubleshoot problems on the machine where the network is not accessible and you cannot use network accounts.

  • Local Account Traversal: the problem

If Fred's laptop has a local admin account called "Admin", and Jo's laptop also has a local admin account called "Admin" with the same password as the one on Fred's laptop, then when a network connection is made from Fred's laptop to Jo's laptop using that local "Admin" account, the Security Account Manager (SAM) on Jo's laptop will accept that connection and treat it as the local Admin account performing the authentication.

[Figure: pass-the-hash-10]

This is the most common form of the attack: malware gets access to the local Admin account hash and then authenticates, using NTLM, to every other machine that has the same local admin username and password combination.

  • Local Account Mitigation

You should not use local accounts to talk to resources across the network. When you need to do that, use domain accounts only. Moreover, if a machine has no network access and you cannot use a domain account, then physical access to that machine is required, and you can use the local accounts at that time.

The mitigation here is to prevent local accounts from being used to access network resources, even if for some reason you have the same local account username and password across your machines. So if someone compromises one machine, he cannot use its local accounts to authenticate to other machines.

Two new well-known groups are introduced (Windows 8.1 and Windows 2012 R2):

    • Local Account
    • Local Account and member of Administrators group

[Figure: pass-the-hash-8]

So now you can go to your group policy editor, under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network, and add one of those new well-known groups.
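To confirm that the deny right actually contains the two well-known groups on a given machine, the following PowerShell is an added example (not the post's own code). It exports the effective local policy with the built-in secedit tool and checks the SeDenyNetworkLogonRight line for S-1-5-113 (Local account) and S-1-5-114 (Local account and member of Administrators group), which are Microsoft's well-known SIDs for the two groups named above; the INI parsing and the sample export are mine.

```powershell
# Added example (not from the original post): check "Deny access to this computer from the
# network" for the Local account well-known groups. The SIDs are Microsoft's well-known
# values for the two groups the post names; the sample export text below is constructed.
$LocalAccountSids = @{
    'S-1-5-113' = 'Local account'
    'S-1-5-114' = 'Local account and member of Administrators group'
}

function Get-DenyNetworkLogonSids {
    param([Parameter(Mandatory)] [string] $ExportText)
    # secedit writes an INI file; user rights sit under [Privilege Rights] as
    #   SeDenyNetworkLogonRight = *S-1-5-113,*S-1-5-114
    # with each SID prefixed by '*'.
    $line = $ExportText -split "`r?`n" |
        Where-Object { $_ -match '^\s*SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-LocalAccountNetworkDeny {
    param([Parameter(Mandatory)] [string] $ExportText)
    $denied = @(Get-DenyNetworkLogonSids -ExportText $ExportText)
    foreach ($sid in $LocalAccountSids.Keys) {
        [pscustomobject]@{
            Sid    = $sid
            Group  = $LocalAccountSids[$sid]
            Denied = ($denied -contains $sid)
        }
    }
}

# Constructed sample export: only S-1-5-114 is denied, so ordinary local accounts can
# still be used across the network on this machine.
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-114
'@
Test-LocalAccountNetworkDeny -ExportText $sample | Format-Table -AutoSize

# On a real machine (elevated), export the effective policy and run the same check:
# $tmp = Join-Path $env:TEMP 'secpol.inf'
# secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
# Test-LocalAccountNetworkDeny -ExportText (Get-Content -Path $tmp -Raw)
# Remove-Item -Path $tmp
```

Because the deny right is evaluated on the machine being connected to, this check belongs on every workstation and server where the shared local admin password might exist, not only on the machine an attacker might start from.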

[Figure: pass-the-hash-9]

How things work in the real world

Usually an attacker compromises a machine, and the first thing he does is get local administrative privileges on that machine. Maybe the attacker compromised the machine through a drive-by download exploit or an Excel macro and escalated privileges using an HP driver vulnerability. Some newer attacks inject into Adobe Reader, prompt for an Adobe Reader update, and trick the user into entering his admin credentials to download the "new" Adobe Reader version.

Then the attacker (once he has admin rights on the machine) will dump the local hash database and obtain the hashes for all local accounts; the local security database (SAM) contains the hash for every local user. The attacker now uses those user accounts and hashes to try to remotely compromise other systems on the same LAN. If the password of a local administrator account is the same, and the account is not prohibited from logging on remotely, the attacker will succeed in remotely compromising those systems.

Pass-the-Hash attack : compromise whole corporate networks P1


“Microsoft confirms that 99% of cases reported to Microsoft consulting services for corporate networks being owned by a malware, is by using this technique.”

Pass-the-Hash = Single-Sign-On

Any system that supports Single-Sign On (SSO) is affected by the Pass-the-Hash attack.

SSO = somebody uses his credentials to log on to a system, and some form of those credentials, or the actual credentials, allows him to go and access other resources without retyping them. The benefit of not having to retype your credentials every time you access a network resource like the corporate SharePoint site comes with a problem: if an attacker gets access to your machine, he can use those stored credentials and access the network using your identity.

In other words, if you want SSO, the pass-the-hash attack is something that cannot be fixed and that you have to accept.

There are two types of pass-the-hash attack:

  • Credential reuse: using the saved credentials on the system on which they were saved.
  • Credential theft: taking the saved credentials to another system and using them from there, which allows the attacker to spread over the network.

Single-Sign-On Explained

  1. John logs on to his laptop by entering his username and password.
  2. John gets a user session on that laptop, and Windows creates a verifier for the password; in the case of Windows, this is a one-way hash (the NT one-way function).
  3. Now John can access a file server. When he does, the file server sends John a challenge/response to prove his identity, and John proves it using that one-way function (the password hash).
  4. Now John gets a session on the file server.

[Figure: Pass-the-Hash 1]

Pass-the-Hash Technique

  • Step 1: we have Fred. He logs on to his laptop and gets a user session, so the one-way hash of his password is stored on the system. Now an attacker takes over his laptop, or Fred runs malware, or Fred himself is malicious. The malware creates a user session using Fred's one-way password hash. Fred can now log off and have his session destroyed, but the malware has Fred's one-way function (his hash) in its own session and can go around the network as Fred.

[Figure: Pass-the-Hash 2]

  • Step 2: now the malware performs some kind of port scan and discovery to identify targets. Jo's laptop looks like an interesting target, so it tries to authenticate to it using Fred's credentials. Assuming that Fred can access Jo's laptop, a user session is created for Fred on Jo's laptop.

[Figure: Pass-the-Hash 3]

  • Step 3: it is even worse if Fred has administrative rights on Jo's laptop. With such administrative rights, the malware can harvest (steal) Jo's credentials. If Jo is a domain admin, then the malware now has domain admin rights. Now the malware can access, for example, a file server using Jo's credentials, and the whole network is compromised.

[Figure: Pass-the-Hash 4]

Note:

Password hashes for all local accounts are stored locally on all Windows computers; hashes for all domain accounts are stored on all domain controllers of a Windows domain; and hashes for currently logged-in users, whether local or domain, are usually stored in memory on the computer the user is logged into (some exceptions apply

Sandbox for malware detection

The problem

Crackers are getting smarter every day. They are using new and sophisticated ways to encrypt their malware or to make it change its shape and signature over time. This makes it very difficult for signature-based antivirus solutions to detect and protect against those types of malware. Furthermore, zero-day attacks are becoming more popular than ever, and IT security people should respond.

Solution

Since we cannot depend on comparing a malware file against a list of signatures in a database, we should think of a way to study the life cycle of the malware while it is in motion (in action). Imagine you are given a malware file and asked to study its behavior. Usually you would let it run in a controlled environment and monitor what the malware does to the registry, the OS, processes and memory, and what network connections it opens. A Sandbox is exactly the same idea.

A Sandbox is originally a concept used to describe running a program in an isolated and controlled environment for evaluation and testing purposes. Usually Sandboxes are used to test applications from untrusted third-party vendors. Security people now use Sandboxes for malware investigation and detection.

How does it work

When a user first downloads an executable file, the file is downloaded to his machine and a copy of the file is also sent to the Sandbox for evaluation. The Sandbox contains a couple of virtual machines that simulate the end user's operating system down to the patch level. Since the Sandbox is optimized for this work, it executes the file quickly and starts studying its behavior. If it suspects malware connectivity (a call-back) to the cracker's command and control center, it will block it if it is configured to do so, or just log the incident.


Sandbox malware detection uses behavior-based malware classification patterns, not code-based signatures. Patterns cover everything from generic malicious behavior (e.g. creating files, modifying registry keys) to family-specific behavior patterns (e.g. banking Trojans, keyloggers). Malware infects the virtual systems inside the Sandbox, creates and deletes files, replicates, connects to carefully controlled IRC servers and URLs, sends emails, sets up listening ports, or performs most other functions just as it would on real systems. Working at the kernel level, the sandbox emulator exercises the malware, intercepting its behavior and converting it into step-by-step forensic intelligence, which provides a map of the damage the threat would cause if allowed to run on a real machine, without ever putting actual systems at risk.

Sandbox ISO Images

Usually the Sandbox contains many virtual machines (ISO images) for different operating systems (typically Windows XP SP3 and others). Each machine simulates one of the possible operating systems inside the corporate network down to the service pack level. Some Sandboxes allow you to copy the "gold image" that you use internally onto the appliance, which creates an extremely similar virtual environment inside the Sandbox and allows better judgments.

Usually Sandboxes do not contain ISO images for Apple, Android, Linux or other non-Windows devices, and it is likely that the Sandbox will not be able to do anything about malware written to target those operating systems. This is an obvious detection limit for Sandboxes when it comes to malware detection!


Malware is VM aware

Intelligent malware can detect that it is running inside a virtual machine rather than on an actual user workstation by looking at different things (like VM processes or network card MAC addresses), so it will sleep and do nothing, since it knows it is being evaluated in a virtual environment by a security team. Sandbox vendors compete to create an internal environment with an undetectable virtualization platform, so that the malware will be active when it is analyzed. Think about it: if the Sandbox has VMware virtual machines inside it, then when it evaluates a malware sample, the malware is smart enough to know it is in a well-known virtual environment and will do nothing, and the sandbox will not detect anything suspicious, allowing the malware to spread inside the network undetected. Most Sandbox security vendors claim to have their own virtualization platforms to simulate the end user's OS environment, but they do not share these details in public, so that malware writers cannot get around their products.

Final Thoughts

I believe the Sandbox approach to detecting malware, alongside signature-based detection, is a big step towards better security. Sandboxes can usually detect malware that signature-based solutions cannot.

Nevertheless, most Sandboxes do not have ISO images for Linux, Apple and other non-Windows operating systems, so if you use those a lot, a Sandbox will not be useful there.

The interesting part is that botnet-type malware will usually stay in sleep mode until the bot master activates it. This means that it will definitely bypass Sandbox security.

Furthermore, crackers are getting smarter now and will wait for the user to make a couple of clicks on his machine before activating the malware, in order to bypass Sandbox systems. Interesting, right?

Again, a Sandbox is definitely a big step in the right direction that can raise your security level, but it is not completely bulletproof, and Sandboxes are very expensive both financially and operationally. Doing a simple risk assessment in your company would be the way to go when deciding whether to purchase one of these products, as it depends on the business you are in.


Metamorphic and Polymorphic malware : changes its shape like a real virus !

Can you imagine that a piece of malware code can change its shape and signature each time it appears, making it extremely hard for signature-based antivirus to detect? This is called polymorphic or metamorphic malware.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic malware!

Although the idea of mutating malware sounds quite scary, it has actually been used by malicious hackers since the early 1990s, but it is getting very advanced. Antivirus solutions usually use signatures to identify malware, comparing each file with their database of malware signatures. If the file under investigation has a signature that matches one of the signatures in their database, the infection is detected.

Crackers are getting smarter. When you visit a suspicious web site, you get infected with malware that has a certain shape and signature. When another person visits the same site, he gets infected with the same malware but with a different shape and signature. Each time someone downloads that malware, a new shape is generated automatically for the same malware. Actually, refreshing that page will generate yet another new shape for the same malware! This makes it very difficult for signature-based antivirus solutions to handle.

Not only does each download of the same malware have a different shape, but the same malware on a given machine will keep changing its shape to avoid detection.

It is important to note that although the malware changes ("morphs") its shape with each iteration and each download, the function it performs remains the same (it is as if it changes its appearance, but the bad code inside still does the same damage).

This is an example of malware (codenamed Shylock) that first appeared with one file name and description and, with time, appeared as a completely different file, thereby changing its signature:

[Figure: Shylock changing file name and description over time]

Metamorphic malware

This type of malware is completely rewritten with each iteration but still each version for each iteration functions the same way. The longer the malware stays in a computer, the more iterations and versions it will produce and the more sophisticated the iterations are.

The technologies used by metamorphic malware are very sophisticated and complex. Metamorphic malware is more difficult to detect than polymorphic malware. Some of the techniques used for such malware include register renaming, code permutation, code expansion, code shrinking and garbage code insertion.

Polymorphic malware

It is also a type of malware that changes its shape and signature. It usually has two parts: one part changes its shape, while the other part remains the same, which makes it easier to detect than metamorphic malware.

Usually this type of malware consists of two parts:

  • Code that is used to decrypt and re-encrypt the other part (usually called the VDR: virus decryption routine). This part does not change its shape.
  • The core malware code that changes its shape (usually called the EVB: encrypted virus body).

When an infected application launches, the VDR decrypts the encrypted virus body (EVB) so it can execute, and then re-encrypts it again. Usually the malware writer uses a randomly generated encryption key for the VDR on each malware download, so that each download produces a completely different encrypted virus body (EVB).

[Figure: Polymorphic malware structure (VDR and EVB)]

Security Academy – Course 105 : Botnets Part 2


In part two of this course, we will be talking about the types of attack that can be carried out from a computer infected with a bot.

Types of attacks

Distributed Denial of Service (DDoS) is the most common one, where the whole zombie army tries to bring a published service down by sending millions of requests, using the Ping of Death or ICMP through a reflector (Smurf attack).

Another technique is called Teardrop, where bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result.

A mail bomb, on the other hand, is when bots send a massive amount of e-mail, crashing e-mail servers.

Botmasters nowadays rent their zombie army to other people for a certain amount of money, to send spam emails and advertisements or even to carry out DDoS attacks.

Even worse, botmasters may use the botnet to perform phishing attacks or install keylogging programs to steal your credit card information and passwords.

One of the most interesting uses of a botnet is to manipulate internet poll results or to perform click fraud. Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes crackers commit click fraud by targeting advertisers on their own web sites. Since web advertisers usually pay sites a certain amount of money per click an ad receives, the botmaster stands to earn quite a few dollars from fraudulent site visits.

It becomes far more dangerous when it comes to identity theft, or to unknowingly participating in an attack on an important web site.

How to prevent your computer from becoming one

Prevention is the name of the game here. Below you can find some tips to prevent your computers from becoming bots:

  • Implement a good Antivirus.
  • Keep your systems patched all the time.
  • Implement a strong firewall.
  • Deploy very complex passwords that are hard to guess.
  • Do not open emails or attachments from people you do not trust.

Sadly, if your computer is already a bot, your options are minimal. Your best shot is to erase everything and format the box.

Check out this YouTube link http://www.youtube.com/watch?v=RTCpCy_FFXc

Security Academy – Course 105 : Botnets Part 1


Imagine that the internet is a city. It would be the most crowded city in the world, but it would also be incredibly seedy and dangerous. You can find all types of criminals out there waiting to infect you with malware.

Inside this city, you would also discover that not everyone is who they seem to be – even yourself. You might find out that you’ve been misbehaving, although you don’t remember it. You discover you’ve been doing someone else’s bidding, and you have no idea how to stop it.

An attacker can infect a computer, turning it into a zombie computer, and use it for illegal activities. The user generally remains unaware that his computer has been taken over; he can still use it, though it might slow down considerably. As his computer begins to send out massive amounts of spam or attack web pages, he becomes the focal point of any investigation into his computer's suspicious activities.

Definitions

The term bot is short for robot.

A bot is nothing more than malware that allows an attacker to take control of an affected machine. Home computers are the biggest candidates for this type of malware. A group of machines infected with this type of malware is called a botnet or zombie army.

The cybercriminals that control these bots are called botherders or botmasters.

[Figure: zombie_computer]

Size and spread

Some botnets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal. Many of these computers are infected without their owners’ knowledge.

A recently discovered attacker has a botnet with 1.5 million infected machines with a rate of 75,000 infected machines in the first 30 minutes!

According to the Symantec Internet Security Threat Report, through the first six months of 2006, there were 4,696,903 active botnet computers.

Attackers may use Skype and other instant messaging (IM) applications to spread malware that transforms computers into zombie computers.

Botnet Spread

How they get to you

Bots sneak onto a person's computer in many ways. Bots often spread themselves across the Internet by searching for vulnerable, unprotected computers or open ports to infect. They infect a computer by leaving a Trojan horse program that can be used for future activation. When an infected computer is on the Internet, the bot can start up an IRC client and connect to an IRC server created by the botmaster. Its goal is then to stay hidden until it is instructed to carry out a task.

Attackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a “No Thanks” button? Hopefully you didn’t click on it — those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user’s operating system so that every time the user turns on his computer, the program becomes active. Attackers don’t always use the same segment of an operating system’s initializing sequence, which makes detection tricky for the average user.

Security Academy – Course 104 : Malware Part 3


This is part three of the Malware course. In part one, we identified malware as the umbrella term: a big catch-all phrase that covers all sorts of software with nasty intent. In part two, we talked about how malware reaches you [Delivery Methods]. In this part, we will talk about some of the [Actions] malware takes once you are infected. This is the interesting part!

Spyware: Steals Your Information

It is a malicious computer program that does exactly what its name implies: it spies on you. After installing itself on your computer, either through an email you opened, a website you visited or a program you downloaded, spyware scans your hard drive for personal information and your internet browsing habits.

[Figure: spyware]

Some spyware programs contain keyloggers that record the personal data you enter into websites, such as your logon usernames and passwords, email addresses, browsing history, online buying habits, your computer's hardware and software configuration, your name, age and sex, as well as sensitive banking and credit information.

Some spyware can interfere with your computer’s system settings, which can result in a slower internet connection.

Since spyware is primarily meant to make money at your expense, it doesn’t usually kill your PC—in fact, many people have spyware running without even realizing it, but generally those that have one spyware application installed also have a dozen more. Once you’ve got that many pieces of software spying on you, your PC is going to become slow.

Scareware: Holds Your PC for Ransom!

Sometimes it is called ransomware.

Lately this has become a very popular way for Internet criminals to make money. This malware alters your system in such a way that you are unable to get into it normally. It then displays some kind of screen that demands some form of payment to have the computer unlocked. Access to your computer is literally ransomed by the cyber-criminal.

Sometimes the user is tricked into downloading what appears to be an antivirus application, which then proceeds to tell you that your PC is infected with hundreds of viruses and can only be cleaned if you pay for a full license. Of course, these scareware applications are nothing more than malware that holds your PC hostage until you pay the ransom; in most cases, you can’t even use the PC.

Ransomware can be of the Lock Screen type (locks your computer until you pay) or the Encryption type, which encrypts your files and withholds the password until you pay.

The most famous malware of this type is the “FBI MoneyPak”. It locks your screen, claims that you broke some copyright law or visited unauthorized pages, and tells you that you need to pay the FBI money to unlock your PC. Really smart!!

Adware: We will get you some Advertisements

Adware is any software that, once installed on your computer, tracks your internet browsing habits and sends you popups containing advertisements related to the sites and topics you’ve visited. While this type of software may sound innocent, and even helpful, it consumes processor time and slows down your computer and your internet connection. Additionally, some adware has keyloggers and spyware built into the program, leading to greater damage to your computer and possible invasion of your private data.

Security Academy – Course 104 : Malware Part 2

In part one, we identified malware as the umbrella term: a big catchall phrase that covers all sorts of software with nasty intent. In this post, we will talk about how malware reaches you [Delivery Methods].

Virus: Breaks Stuff

[Key thing to remember] They need the first click from the user!!!

A virus is a type of malware, and it is nothing but a piece of code. Some viruses are designed to render your PC completely inoperable, while others simply delete or corrupt your files. The general point is that a virus is designed to cause havoc and break stuff.

Often viruses are disguised as games, images, email attachments, website URLs, shared files or links or files in instant messages.

Spread:

Viruses can sometimes spread to other machines, but usually they spread slowly and, most of the time, rely on the user to transfer the infected file. You can have viruses on your computer, but they sit there doing nothing until you click on the executable they have attached themselves to. So a virus needs a human action; it does not propagate by itself. Infected USB drives are a famous way of moving a virus around.

An interesting type of virus is the macro virus. A macro is a piece of code that can be embedded in a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs.
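As an added, defender-side example (not code from the course), here is a Python check that tells whether an Office Open XML document carries an embedded VBA macro project, the container that macro viruses ride in. The sample documents are constructed in memory; the only assumption is the standard OOXML layout, in which macro code lives in a part named vbaProject.bin.

```python
import io
import zipfile
from typing import List


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed sample: an OOXML document (.docx/.docm) is a zip archive.
    A macro-enabled one carries its VBA code in a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")      # constructed stub
        zf.writestr("word/document.xml", "<w:document/>")   # constructed stub
        if with_macro:
            # Constructed placeholder bytes standing in for a real VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed vba project stub")
    return buf.getvalue()


def find_macro_parts(data: bytes) -> List[str]:
    """Return the archive member names that hold VBA macro code.

    Non-zip input yields an empty list: legacy binary .doc/.xls files are
    OLE containers rather than zip archives and are out of scope here.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def classify(filename: str, data: bytes) -> str:
    """Triage label: 'clean', 'macro', or 'macro-mismatch'.

    A macro project inside a file whose extension claims a macro-free format
    (.docx/.xlsx/.pptx) deserves a closer look before anyone opens it.
    """
    if not find_macro_parts(data):
        return "clean"
    if filename.lower().endswith((".docx", ".xlsx", ".pptx")):
        return "macro-mismatch"
    return "macro"


if __name__ == "__main__":
    print(classify("report.docm", build_sample_document(True)))   # macro
    print(classify("invoice.docx", build_sample_document(True)))  # macro-mismatch
    print(classify("notes.docx", build_sample_document(False)))   # clean
```

The check only says that macro code is present, not that it is malicious; it is a triage step that flags documents for a closer look before the "first click".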

Effect:

It infects files and programs, usually destroys files, and can also interfere with computer operations by multiplying itself to fill up disk space or random-access memory, secretly infecting your computer.

Worm: Copy Themselves <massive effect>

[Key thing to remember] They don’t need the first user click or any action. They can propagate on their own using your network.

Some consider them a sub-class of viruses, but the key difference is that they don’t need the first user click or any action. They can propagate on their own.

It is called a worm because it can move around on its own. You can think of worms as viruses that are self-contained and go around searching out other machines to infect.

Effect:

Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding.

Examples

Some of the most famous worms include the ILOVEYOU worm, transmitted as an email attachment, which cost businesses upwards of 5.5 billion dollars in damage; the Code Red worm, which defaced 359,000 web sites; SQL Slammer, which slowed down the entire internet for a brief period of time (75,000 infections in the first 10 minutes!); and the Blaster worm, which would force your PC to reboot repeatedly.

Spread:

Worms are standalone software and do not require a host program or human help to propagate. A worm may also exploit a vulnerability, or use social engineering to trick the user into spreading it.

Worms rely on the network to spread. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself to everyone listed in each receiver’s address book, and so it continues on down the line.

Trojan Horses: Install a Backdoor

In simple words, it is software that you thought was going to be one thing, but turns out to be something bad.

Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent.

It is a program that either pretends to have, or is described as having, a set of useful or desirable features but actually contains damaging code.

Generally, you receive Trojan horses through emails, infected webpages, instant messages, or download services for games, movies and apps. True Trojan horses are not technically viruses, since they do not replicate; however, many viruses and worms use Trojan horse tactics to initially infiltrate a system. So although Trojans are not technically viruses, they can be just as destructive.

Security Academy – Course 104 : Malware Part 1

The point of today’s lesson is to help you teach your friends and family more about the different types of malware, and debunk a few of the common myths about viruses. Who knows, maybe you’ll learn a thing or two as well.

The meaning of those words has changed over time, and people may use one meaning for another. In this academy, I will present my own perspective by dividing this topic into [How you get infected] and [Type of actions] once infected. This will make it easier for you to digest.

Why should I care in the first place to know this stuff??

Why is it good practice to know these terms and distinguish between them, someone may ask? Well, if you know that you got infected by a worm, then you should panic more than if you got hit by a virus, because of the speed of spread. It is also nice to read about one of those terms in the news and say “OH, I know what this means!”

Another important thing: when you purchase antivirus software, check with the supplier what kinds of malware it can detect. Sometimes antivirus software will protect you against some but not all of those bad guys. So pay attention!!

You will hear a lot about vulnerability and Exploit

Funny thing about software: it’s written by humans. Humans are fallible and sometimes they make mistakes. Sometimes those mistakes create strange behavior in programs. And sometimes that strange behavior can be used to create a hole that malware or hackers could use to get into your machine more easily. That hole is otherwise known as a vulnerability.

The strange behavior that can be used to create a hole for hackers or malware to get through generally requires someone to use a particular sequence of actions or text to cause the right (or is that wrong?) conditions. To be usable by malware (or on a larger scale by hackers), it needs to be put into code form, which is also called exploit code.

It is all Malware

The word malware is a combination of the two words “malicious” and “software”. Malware is the big umbrella term. It covers viruses, worms and Trojans, and even exploit code. But not vulnerabilities or buggy code, or products whose business practices you don’t necessarily agree with.

The difference between malware and vulnerabilities is like the difference between something and the absence of something. Yeah, okay, that’s a bit confusing. What I mean is malware is a something. You can see it, interact with it, and analyze it. A vulnerability is a weakness in innocent software that a something (like malware or a hacker) can go through.

If you recall from previous Security Academy courses, we talked about types of attack. Well, some kinds of malware can be considered Denial of Service (DoS) attacks, because they usually do nasty stuff to your files or consume your bandwidth, memory or disk space, preventing you from using corporate resources.

Sometimes you’ll hear the term “rootkit” or “bootkit” used to describe a certain type of malware. Generally, this refers to methods that the malware uses to hide itself deep inside the inner workings of Windows so as to avoid detection.