1. Overview
In today's digital landscape, malware poses significant threats to individuals and organizations alike. From sophisticated ransomware to pesky adware, malicious software comes in various forms, each designed to serve the nefarious intentions of cyber criminals. No device is immune, be it a PC, smartphone, or any gadget capable of running software. Thus, gaining a comprehensive understanding of malware is imperative for navigating the complexities of the information age. Let's embark on this journey together.
2. Malware
The term "malware", short for "Malicious Software", encompasses a range of harmful programs designed to compromise computer systems or users. While malware historically spread through storage media like disk cloning, the advent of networks has made infection via emails or the web far more prevalent.
Modern malware has undergone significant evolution, presenting challenges to traditional classification systems. Distribution methods have become increasingly sophisticated, employing various tactics to evade security measures. Moreover, the motives behind malware distribution have shifted towards economic gains, rendering conventional classification systems inadequate.
How is it different from a computer virus?
While a computer virus falls under the umbrella of malware, not all malware is a virus. The term "virus" carries a narrower definition. For example, a worm qualifies as malware but not as a virus, because it can propagate through networks independently, without relying on an infected host program. In contrast, viruses attach themselves to specific programs and activate only when those programs are executed.
3. Motivations Behind Malware Distribution
Cybercriminals employ malware to pursue various objectives, including:
- Ransom for financial gain: By seizing control of devices, data, or corporate networks, perpetrators demand hefty sums in exchange for restoring access.
- Unauthorized access: Malware is utilized to gain illicit entry into sensitive data or digital assets, circumventing security protocols.
- Theft of critical information: Valuable information such as login credentials, credit card numbers, and intellectual property are targeted for illicit acquisition.
- System disruption: Critical systems integral to businesses and government agencies are intentionally disabled, causing significant disruptions and potential financial losses.
4. Types
The scale of cybercrime is projected to surpass $10.5 trillion by 2025, establishing it as the third-largest economy globally, following the United States and China. Within this landscape, hackers persistently innovate new malware variants to circumvent security measures. Since the 1980s, over one billion distinct malware variants have surfaced.
Hence, it’s crucial to recognize that the classification of malware outlined below remains subject to evolution, with new types emerging and old ones becoming obsolete.
(1) Computer Virus
Although malware and computer viruses are often discussed interchangeably, a virus represents merely one subset of malware. Viruses replicate by attaching themselves to legitimate software, causing harm and propagation. Unlike standalone malware, viruses rely on embedding their code within executable programs. When users execute these programs, the virus activates, often resulting in data deletion, operational disruptions, and further propagation to other programs on the infected system.
Many early instances of malware were viruses, with 'Elk Cloner' being among the first to spread via public devices, specifically targeting Apple computers.
(2) Ransomware
Ransomware attacks involve blocking access to the victim's device or data, with perpetrators demanding a ransom, typically in the form of cryptocurrency, in exchange for restoration. According to an IBM study, ransomware constitutes approximately 17% of cyber attacks, making it one of the more frequent types of attacks.
In its basic form, ransomware blocks access to assets until the ransom is paid. However, attackers often employ additional tactics to increase pressure. For instance, in double extortion schemes, they threaten to publish stolen data unless the ransom is met. In triple extortion attacks, attackers encrypt and exfiltrate data, alongside threats to paralyze systems with DDoS attacks.
The demanded ransom in such attacks can range from tens of thousands to millions of dollars, with an average reported around $810,000. Even without paying the ransom, ransomware incidents can inflict substantial costs, averaging approximately $4.54 million per attack, as per the IBM report.
(3) Remote Access Malware
Hackers use remote access malware to infiltrate computers or servers by establishing and exploiting backdoors, which constitutes approximately 21% of hacking attacks. These backdoors enable unauthorized access, facilitating data theft, device manipulation, and the installation of more dangerous malware. Notably, some hackers sell the backdoors created through remote access malware, often fetching substantial sums on the black market.
Malicious tools like Back Orifice or CrossRAT are specifically developed for such purposes, while hackers also repurpose legitimate software for remote access. In some cases, stolen credentials such as Microsoft Remote Desktop Protocol (RDP) credentials are utilized as backdoors, further enabling unauthorized entry and compromise of systems.
(4) Botnets
A botnet refers to a network of diverse devices infected with malware and remotely controlled by a hacker, encompassing computers, mobile devices, and Internet of Things (IoT) devices. Frequently, users remain unaware that their devices have become part of a botnet. Hackers use botnets to generate massive amounts of traffic, often employing them to execute Distributed Denial of Service (DDoS) attacks.
One prominent example is the Mirai botnet, which in 2016 orchestrated large-scale assaults on prominent websites across the United States and Europe, causing widespread disruptions for countless users.
(5) Cryptojacker
Cryptojacker is a form of malware that infiltrates users' devices, typically without their awareness, to engage in cryptocurrency mining, such as Bitcoin mining, thereby establishing a crypto-mining botnet. Cryptocurrency mining necessitates substantial computational resources and incurs significant costs, resulting in performance degradation or system failures for the users of compromised computers.
Cryptojackers frequently target the cloud infrastructure of businesses as they offer more extensive resources compared to personal computers, enabling malicious actors to gain higher profits from crypto-mining endeavors.
(6) Fileless Malware
Fileless malware operates by exploiting vulnerabilities in legitimate software to insert malicious code directly into a computer's memory. Unlike traditional malware, this code does not get written to the hard drive, rendering detection challenging. Fileless malware commonly utilizes tools like Microsoft Windows' PowerShell to compromise systems or exfiltrate information. Additionally, attacks exploiting the macro functions of Microsoft Word or Excel are prevalent, wherein hidden malicious scripts execute upon opening the document.
(7) Other Malware Types
Various other types of malware include worms, Trojans, rootkits, scareware, spyware, and adware.
- Worms are malicious programs with the ability to replicate automatically and spread without user intervention.
- Trojans disguise themselves as legitimate software to trick users into installing them, often facilitating the installation of additional malicious software.
- Rootkits allow hackers to obtain administrator-level access to systems and perform various malicious actions.
- Scareware is designed to induce fear in users to prompt them into installing additional malware or disclosing sensitive information.
- Spyware secretly gathers sensitive data, with keyloggers specifically recording users' keystrokes.
- Adware generates unwanted advertisements, occasionally leading to the download of more hazardous malware.
5. Economic Damages Caused by Malware (Listed by Year)
ILOVEYOU (2000): This email worm infected over 10 million Windows PCs worldwide, causing an estimated economic damage of about $10 billion.
Code Red Worm (2001): Emerging in the summer of 2001, this worm infected more than 359,000 systems in just 14 hours, resulting in over $2 billion in damages.
Mydoom (2004): Spreading rapidly through email transmission, it infected around 50 million computers and caused approximately $38 billion in economic losses.
Stuxnet (2010): A cyber weapon that targeted Iranian nuclear facilities, infecting over 200,000 computers and damaging more than 1,000 essential machines.
Petya (2016): This ransomware spread via email, affecting various organizations worldwide and causing damages exceeding $10 million.
WannaCry (2017): A large-scale ransomware attack that infected about 200,000 computers across 150 countries, leading to up to $4 billion in global losses.
Shlayer (2018): A Trojan that posed a significant threat to macOS users, with about 10% of analyzed Mac computers being infected by this Trojan.
6. Case Study: Email Phishing and Mydoom
In this post, we will explore the Mydoom case, which stands out for inflicting the highest economic damage among the seven cases mentioned.
Definition and Damage
Mydoom, also known as Shimgapi, is a computer worm that targeted Windows-based computers. Initially identified on January 26, 2004, Mydoom gained notoriety for its rapid dissemination via email, setting a propagation speed record that surpassed even the Sobig worm and ILOVEYOU. This record remained unbroken until 2019.
Considered one of the most devastating computer viruses in history, Mydoom wrought over $38 billion in damage. It predominantly spread through deceptive email tactics, ultimately infecting an estimated 50 million computers worldwide.
Origin of the Name
Craig Schmugar, an employee at McAfee and one of the initial discoverers of the worm, named it Mydoom. He made this choice after encountering the text "mydom" within the program's code. Anticipating the significant impact the worm would have, Schmugar deemed it fitting to incorporate 'doom,' an English word signifying destruction, into its name.
Distributor and Damaging Emails
The Mydoom worm seemed to have been disseminated by email spammers, with infected computers generating and sending out emails containing the Mydoom payload. Notably, the worm featured a peculiar message, "andy; I'm just doing my job, nothing personal, sorry," sparking speculation that the creator may have been financially motivated. Initially, some security firms attributed its creation to Russian programmers, yet the actual distributor remains undisclosed to this day.
Purpose
There was a theory suggesting that Mydoom's primary objective was to launch a Distributed Denial of Service (DDoS) attack against the SCO Group, evident from significant traffic originating from infected hosts directed towards www.sco.com. This speculation arose due to perceived grievances against the SCO Group's legal actions and public statements regarding Linux and open-source supporters. However, security researchers swiftly dismissed this claim.
Early analyses indicated that Mydoom was a variant of the Mimail worm, which circulated in 2003, with both worms purportedly attributed to the same distributor. As time progressed, however, the link between the two worms became less clear.
The scale and complexity of Mydoom's assault highlighted the evolving nature of malware creators, underscoring the necessity for robust digital security measures. Mydoom’s legacy serves as a poignant reminder of the perpetual need for vigilance and readiness in fortifying digital defenses against evolving cyber threats.
7. Solutions (Linked with International Standards)
Given the prevalence of email-related malware attacks highlighted in section 5, particularly in cases such as ILOVEYOU, Mydoom, and Petya, it’s imperative to proactively address these threats. For large corporations or government entities, mitigating email-related malware attacks becomes a critical priority. Therefore, deploying products capable of effectively safeguarding against such email attacks is paramount.
In recent years, hackers have increasingly targeted organizations rather than individuals. This shift is attributed to corporations being more likely to meet larger financial demands, and stolen personal data proving lucrative for identity theft or sale on the dark web.
So, what does it mean to be fully prepared against email attacks? Essentially, it entails having comprehensive security requirements and countermeasures in place to combat various email threats.
To explore this further, let's delve into the international email security standards endorsed by the International Telecommunication Union (ITU), a specialized agency of the United Nations.
(1) Zero-Day Malware Attacks
Security Requirements
Behavior-based analysis checks should be conducted to detect new viruses that have not yet been registered in any pattern. This proactive approach is crucial for identifying and responding to the emerging threats posed by new malware attacks.
Descriptions of the behavior exhibited by newly discovered or detected malware should be promptly reported. This reporting process can be facilitated through manual or automated methods, enabling swift response and mitigation efforts.
The technical sophistication exhibited by Mydoom, characterized by its utilization of mass-mailing capabilities, backdoor functionality, and denial-of-service attacks, marked a significant departure from traditional virus patterns. When combined with social engineering tactics via email, Mydoom inflicted substantial damage. As malware attacks continue to evolve in complexity and diversity, the implementation of behavior-based analysis checks is imperative for detecting and mitigating novel viruses not captured by existing patterns.
Countermeasures
To effectively mitigate the risks posed by zero-day malware attacks, the following countermeasures can be implemented:
Security administrators can utilize malware classification management to configure the system in a way that prevents the delivery of emails identified as containing malicious files or viruses. Even if users attempt to resend such emails, the system will block their delivery, thus preventing the further spread of the malware.
Implement multi-analysis checks that combine both static and dynamic tests to detect unknown malware that may not have been identified during initial testing. These checks can include tests for changes in the operating system environment, such as 'tampering,' 'memory access,' 'hooking alerts,' 'file creation,' 'file deletion,' or 'process execution.' By employing a multi-faceted approach to malware analysis, organizations can enhance their ability to identify and mitigate emerging threats effectively.
The Mydoom case underscores the rapid spread of malware through personal and business emails, as well as social connections. Therefore, preventing the resend of emails identified as containing malicious files or viruses is critical to curbing the propagation of the virus and minimizing its impact.
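The two countermeasures above (pattern-based classification that refuses to deliver a resent malicious file, and a behavior-based fallback for files no pattern knows) can be sketched as one gateway decision. This is an added example, not code from the page or from the ITU recommendation; the event names follow the list above, and the weights, threshold, class and sample sandbox trace are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

# Weights for the behaviour categories named in the countermeasures (assumed values).
WEIGHTS = {"tampering": 3, "memory_access": 2, "hooking_alert": 3,
           "file_creation": 1, "file_deletion": 1, "process_execution": 1}
VERDICT_THRESHOLD = 5   # assumed cut-off: at or above this, treat as unknown malware

def behaviour_score(events):
    """Weight each dynamic-analysis event; cap repeats so one noisy kind cannot dominate."""
    counts = Counter(ev["kind"] for ev in events)
    return sum(WEIGHTS.get(kind, 0) * min(n, 3) for kind, n in counts.items())

class MailMalwareGate:
    def __init__(self, known_bad_hashes=()):
        self.patterns = set(known_bad_hashes)   # signature-style (pattern) knowledge
        self.blocked = set()                    # hashes whose resend must be refused

    def classify(self, payload, sandbox_events):
        """Return (verdict, sha256). Verdicts: blocked-resend, pattern-match, malicious, clean."""
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.blocked:
            return "blocked-resend", digest
        if digest in self.patterns:
            self.blocked.add(digest)
            return "pattern-match", digest
        # Not in any pattern: fall back to behaviour-based analysis of the sandbox run.
        if behaviour_score(sandbox_events) >= VERDICT_THRESHOLD:
            self.blocked.add(digest)
            return "malicious", digest
        return "clean", digest

    def report(self, digest, sandbox_events):
        """Behaviour description for the reporting step (manual or automated)."""
        kinds = sorted({ev["kind"] for ev in sandbox_events})
        return {"sha256": digest, "score": behaviour_score(sandbox_events), "behaviours": kinds}

# Constructed sandbox trace for a mass-mailer-style sample: drops a copy of itself,
# writes a persistence entry, hooks the mail client, and launches the dropped copy.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed-sample-not-real-malware"
SAMPLE_EVENTS = [
    {"kind": "file_creation", "detail": "copy of self in system directory"},
    {"kind": "tampering", "detail": "autorun registry value written"},
    {"kind": "hooking_alert", "detail": "hook set in mail client process"},
    {"kind": "process_execution", "detail": "dropped copy launched"},
]

def run_demo():
    gate = MailMalwareGate()
    first, digest = gate.classify(SAMPLE_PAYLOAD, SAMPLE_EVENTS)
    resend, _ = gate.classify(SAMPLE_PAYLOAD, [])      # same file sent again: refused outright
    benign, _ = gate.classify(b"quarterly notes", [{"kind": "file_creation", "detail": "temp file"}])
    return first, resend, benign, gate.report(digest, SAMPLE_EVENTS)

if __name__ == "__main__":
    print(run_demo())
```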
(2) Attachment Attacks
Security Requirements
- It is advisable to implement measures to detect forged file extensions across various file formats. By identifying and flagging suspicious file extensions, organizations can mitigate the risk posed by malicious attachments that may attempt to disguise their true nature.
- Providing email reputation analysis functionality is recommended to assess the trustworthiness of incoming emails and attachments. This functionality evaluates the sender's reputation and the content of the email to determine the likelihood of it being associated with malicious activity.
Mydoom in particular operated primarily as a mass-mailing worm, disseminating through email attachments. Upon a user opening an infected attachment, Mydoom would activate and send further emails to contacts stored on the user's computer, thus facilitating its spread. The critical importance of detecting forged file extensions and implementing email reputation analysis functionality therefore becomes evident in thwarting such attacks. These measures serve as vital safeguards against the propagation of malware via email attachments, helping to mitigate risks and prevent widespread infection.
Countermeasures
To effectively combat attachment attacks like those exemplified by Mydoom, the following countermeasures can be implemented:
- Utilize big data-based scanning to periodically examine all inbound and outbound email data of users through cloud services. This scanning process aims to identify and extract malicious attachments that require further inspection. By leveraging big data analytics, the system can assess the risk of targeted email attacks based on stored data, effectively identifying forged file extensions and other suspicious elements.
Implementing big data-based scanning is highly effective in detecting and isolating email-based viruses such as Mydoom. Given Mydoom's propagation method of sending itself to all addresses found in the email address book, periodic scanning of email data is crucial to identify and block malicious attachments promptly. This proactive approach aids in blocking the spread of infection early on, minimizing potential damage and mitigating the overall impact of attachment-based attacks.
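The forged-extension requirement and the periodic scan of stored mail described above can be illustrated with one scanner that walks RFC 822 messages and compares each attachment's claimed extension with what its leading bytes actually are. This is an added example, not code from the page or from any vendor product; the signature table is a small constructed subset, and the sample messages are constructed in the block itself.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading-byte signatures for formats a gateway commonly sees (constructed subset).
MAGIC = [(b"MZ", "executable"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"),
         (b"\x89PNG", "png"), (b"\xd0\xcf\x11\xe0", "ole")]
EXT_TYPE = {"exe": "executable", "scr": "executable", "pif": "executable",   # what each
            "zip": "zip", "pdf": "pdf", "png": "png", "doc": "ole", "xls": "ole", "txt": "text"}

def sniff(data):
    """Identify content by its leading bytes; printable-only data counts as text."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512])
    return "text" if data and printable else "unknown"

def check_attachment(filename, data):
    """Return the list of reasons an attachment is flagged; empty means no finding."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    claimed, actual = EXT_TYPE.get(ext), sniff(data)
    if claimed and actual != "unknown" and actual != claimed:
        findings.append("forged extension: .%s claims %s but content is %s" % (ext, claimed, actual))
    if len(parts) > 2 and claimed == "executable":
        findings.append("double extension hiding an executable")   # e.g. invoice.pdf.scr
    if actual == "executable":
        findings.append("executable content")
    return findings

def scan_messages(raw_messages):
    """Walk inbound and outbound RFC 822 messages; map attachment name -> findings."""
    flagged = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        for part in msg.iter_attachments():
            name = part.get_filename() or "unnamed"
            findings = check_attachment(name, part.get_payload(decode=True) or b"")
            if findings:
                flagged[name] = findings
    return flagged

def build_sample(filename, data):
    """Constructed message carrying one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "sample"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

SAMPLE_MESSAGES = [
    build_sample("readme.txt", b"MZ\x90\x00constructed-not-a-real-binary"),  # executable named as text
    build_sample("invoice.pdf.scr", b"MZ\x90\x00constructed"),              # double extension
    build_sample("report.pdf", b"%PDF-1.4 constructed document"),            # consistent, clean
]
if __name__ == "__main__":
    print(scan_messages(SAMPLE_MESSAGES))
```

Only the two inconsistent attachments are returned; a real deployment would feed the flagged names and their message ids into quarantine rather than printing them.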
8. Conclusion
In today’s cybersecurity landscape, malware remains an ever-present threat, necessitating ongoing evolution in defense strategies. The diverse range of malware types and distribution techniques underscores the perpetual innovation of attackers in circumventing security measures. In light of this, it is imperative for both individuals and organizations to stay informed about the latest security trends and proactively adopt advanced security solutions to safeguard against cyber threats.
By remaining vigilant and actively implementing robust security measures, we can collectively strive towards leading safer digital lives. Together, let's prioritize cybersecurity and work towards a more secure online environment for all.
References
<What is malware?>
https://www.ibm.com/topics/malware
<Malware Examples (2024): The 7 Worst Attacks of All Time>
https://softwarelab.org/blog/malware-examples/
<Malware Detection Using Memory Analysis Data in Big Data Environment>
https://www.mdpi.com/2076-3417/12/17/8604
<The 12 Most Common Types of Malware>
https://www.crowdstrike.com/cybersecurity-101/malware/types-of-malware/
<Email Security International Standards>
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15710&lang=en