I decided to write this post after looking around and finding that most malware discussions appear to be presented from a security person’s rather than an IT or lay person’s perspective. They break down the various types of malware based on effects and technical characteristics, and only talk about what the technical differences are. Several basic security questions often remain unanswered, and the discussion rarely considers the Desktop Analyst who is responding to the call.
IT staff are often called in to deal with “routine” malware infections. They are not really interested in what the infection agent is, how it got there, whether there is a systemic problem that is allowing the malware to enter or spread, what data may have been at risk or exfiltrated, or if your organization is being targeted by a competitor, disgruntled employee, saboteur, or vindictive personality. Their main objectives are to move through their call queue as quickly and efficiently as possible, avoid escalations, and maintain the good health of systems in their care. It’s not that they don’t care about security; it’s more a matter of what needs to get done on a day-to-day schedule. Many security questions often remain unasked.
I will have to start with that taxonomy stuff, but hope to answer the questions that usually arise when discussing (or presenting) malware information or research to a “technical-as-I-need-to-be” audience:
- Does the average user or IT person really care whether they or their customer has been infected with a:
  - bot agent
  - other malware type
- How can they tell the difference?
- Should they care which category the infector fits into?
- Why or why not?
The usual security-headed stuff must be mentioned, or the picture we are looking at will be incomplete. If you feel that you have a good understanding of what the differences between the various malware agents are, move along, nothing to see here, folks.
Malware is the weaponry attackers launch to aid them in reaching their objectives. Don’t lose sight of the fact that a malware infection IS NOT just a technical issue, like Word not printing, a forgotten password, a broken PC component, or a login failure. There is a person behind the malware’s presence, and that person has an agenda. We have to at least mention and consider the capabilities of the malware, its typical targets, and the motives of the attacker publishing it; those motives can generally be understood from the malware type used in the attack.
- A virus is a piece of code that injects itself into executable programs in order to run. Viruses don’t have executable capabilities on their own, and rely on other applications to provide that functionality for them. Their typical purpose has been to spread to other locally accessible files, and to cause mischief by corrupting files, deleting information, disabling drives, etc. The general inclination for distributing viruses has been to disrupt a target’s operations. The motives for virus distribution can be attributed to attaining a childish feeling of power or superiority by doing something wrong or clever, or realizing “karma” for perceived wrong-doing.
- A worm is a complete program that has the ability to propagate to other systems, often scanning for specific vulnerabilities or services to locate susceptible targets. Worms often share the characteristic behaviors of viruses, but tend to be network aware. The typical motivations for worm distribution have changed over time: where they used to reflect a desire to achieve the same mischievous goals as viruses, modern worms serve as beach-heads for other malware, disabling protections and providing backdoor entry into systems for the attacker. Motivations are leaning more and more towards large-scale system compromise for financial gain.
- A trojan is a complete program, disguised as, or even hidden within, another program that is often useful or interesting to the victim. Trojan programs can do anything that a real user or other program can possibly do on a computer, including load/unload services, capture packets, keystrokes or screenshots, download other malware, and/or provide backdoor access. Their capabilities can be as creatively purposed as a human can engineer them. Motivations for deployment are leaning more and more towards disabling security controls, introducing additional malicious tools, and enabling financial gain through backdoor access.
- A bot agent is a piece of code that is often introduced by other malware, often making it a “secondary infector” in security-speak. Its purpose is to automate control of the compromised computer, joining it into a “bot-net” or network of compromised computers. Bot agents will have specific servers that they communicate with to receive instructions, and act in a coordinated manner with other compromised systems. Bot agents will typically seek out your banking credentials, passwords, and other useful information for the purposes of theft, fraud and identity theft. Once your information has been gathered, the bot agent will often be rented out to the highest bidder to attack other systems and companies, sending spam messages, spreading malware, scanning for and attacking vulnerable systems, or even denying service to legitimate businesses. Motivations are direct and indirect financial gain.
- Other malware types include newer threats such as “Advanced Persistent Threats” (APT), which are really espionage engines. These are the cutting edge, high cost malware agents that really worry me. By combining the characteristics and capabilities of the other types of known malware, we saw the introduction of so-called blended threats being used by organized (and well funded) criminal organizations. These threats have evolved, and have been further enhanced by government black-ops groups so that they are specifically targeted to one organization, one group, or even a single person in order to reduce the risk of detection and signature development. This is a high cost attack, and is used for high gain opportunities. Motivations here are high level corporate, governmental or political espionage by professional agents, spies and thieves.
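The bot agent description above hinges on one observable behavior: the agent checks in with its controlling servers on a schedule. That regularity is what a Desktop Analyst or SOC can actually look for in outbound proxy or firewall logs, because human browsing is bursty while a timer-driven check-in is not. The following is an added example, not code from the original post: it scores each (source, destination) pair by how regular its connection intervals are. The log format (`<ISO timestamp> <src_host> <dst_host>`), the hosts and the timings are all constructed for illustration.

```python
"""Flag periodic outbound connections (bot check-in / beaconing) in proxy logs.

Added example, not from the original post. The log format is a constructed
one: "<ISO timestamp> <src_host> <dst_host>" per line; the host names and
timings below are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one workstation contacting a hypothetical control host
# roughly every 60 s (with a little jitter), interleaved with irregular,
# human-looking browsing to other sites.
SAMPLE_LOG = """\
2024-01-15T09:00:00 ws-042 c2.example.invalid
2024-01-15T09:00:07 ws-042 news.example.org
2024-01-15T09:00:40 ws-042 news.example.org
2024-01-15T09:00:59 ws-042 c2.example.invalid
2024-01-15T09:02:00 ws-042 c2.example.invalid
2024-01-15T09:02:04 ws-042 cdn.example.net
2024-01-15T09:03:01 ws-042 c2.example.invalid
2024-01-15T09:03:02 ws-042 news.example.org
2024-01-15T09:03:59 ws-042 c2.example.invalid
2024-01-15T09:04:47 ws-042 news.example.org
2024-01-15T09:05:00 ws-042 c2.example.invalid
2024-01-15T09:05:03 ws-042 mail.example.com
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=4, max_cv=0.2):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the inter-connection intervals. A timer-driven check-in, even with some
    jitter, has a low CV; interactive traffic does not. Pairs with too few
    connections are skipped because a handful of samples proves nothing.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "period_s": round(avg, 1), "cv": round(cv, 3)})
    # Most regular first: these are the ones to pull for investigation.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"period ~{f['period_s']}s (cv={f['cv']})")
```

With the defaults only the `c2.example.invalid` pair is reported (six connections, period about 60 s, CV near 0.02); the news site has four connections but its intervals vary too much. Loosening `max_cv` trades missed beacons for false positives, which is why the output is a ranked triage list rather than a verdict: a hit tells the analyst which host pair to pull full logs for, not that the machine is infected.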
Depending on what you were infected with, you may need to adjust your incident response plan.
- A virus, if it is focused on causing technical problems, may be simply corrected by using an Anti-virus cleaning process, provided it was not introduced to cover up something else, delete logs and evidence, or distract from the real payload.
- A worm, once contained, might need you to restore servers from backup, or if used as a blended threat, investigate its other capabilities before putting systems back online or taking other action.
- A bot agent or APT that managed to fully deploy, gather intelligence, and forward information outside of the organization before detection would require an in-depth investigation, forensics to determine what went where and to whom, and consideration of a complete audit and retooling of the environment. There may be legal ramifications regarding information disclosure that should be considered as well as law enforcement involvement. Rules of evidence preservation and audit fully apply!
Summarizing this post, yes, the average user and IT folks should care, and should do their best to correctly categorize the malware agent that has been used to attack them. Each is similar, but each is different enough with regard to targets, intentions and capabilities, to influence the containment, eradication and follow-up response stance taken. Not doing so could put the customers’ and business’ information at risk, increase the liability to the company, lead to loss of jobs due to revenue decline, and directly impact the company’s bottom line.
Modern malware is so versatile and modularized now, that all attacks should be considered blended threats, and the course of action should start from the worst case scenario and be scaled downward only as evidence to the contrary supports it. In other words, if you can’t tell what it was, react as if it was the worst possible threat imaginable, unless something can be produced to warrant a different reaction. Speaking of worst case scenarios, I haven’t even mentioned Rootkits, guess I should. Rootkits are a mechanism often used by modern malware to extend the lifespan of an infection by hiding the presence of malware, loading it into memory as early as possible in the boot-up cycle. They are often found in the Master Boot Record on hard drives, and developers of cutting edge rootkits are starting to move their wares into VRAM, EPROM and BIOS space. If it can load before your other defenses, it can hide its presence from them completely, and load without regard for A/V or other protective controls, gaining unfettered access to the system.
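Because an MBR-resident rootkit loads before the operating system and its A/V, the running system cannot be trusted to report on it; the practical check is to read the first sector while the disk is offline (from a forensic image or a boot CD) and compare it to a baseline recorded when the machine was known clean. The following is an added example, not code from the original post: it parses the 512-byte MBR layout, validates the boot signature and partition table, and compares a hash of the 440-byte bootstrap area against a stored baseline. The sample sectors are constructed in the code (filler bootstrap bytes and a made-up partition entry).

```python
"""Check a Master Boot Record image against a known-good baseline.

Added example, not from the original post. The 512-byte sectors below are
constructed: the bootstrap area is filler and the partition entry is made up.
On a real system, read sector 0 of the disk offline (forensic image or boot
media) and compare it to a baseline taken while the machine was known clean.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440        # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440        # 4-byte disk signature (then 2 reserved bytes)
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510        # 0x55 0xAA marks a valid MBR
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sectors


def parse_partition_entry(raw):
    """Decode one 16-byte MBR partition entry into a dict."""
    status, type_, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, raw)
    return {"active": status == 0x80, "status": status, "type": type_,
            "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector, baseline_bootcode_sha256=None):
    """Return a report with the bootstrap hash, partitions and any issues found."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    issues = []
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    # Only the bootstrap area is hashed: the partition table and disk signature
    # legitimately change when volumes are created or resized, the code does not.
    digest = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    if baseline_bootcode_sha256 and digest != baseline_bootcode_sha256:
        issues.append("bootstrap code differs from baseline")
    parts = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            issues.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if sum(p["active"] for p in parts) > 1:
        issues.append("more than one active partition")
    return {"bootcode_sha256": digest, "partitions": parts, "issues": issues}


def build_sample_mbr(bootcode_fill=0x90):
    """Construct a syntactically valid MBR: filler bootstrap, one NTFS-type partition."""
    sector = bytearray(SECTOR)
    sector[:BOOTCODE_LEN] = bytes([bootcode_fill]) * BOOTCODE_LEN
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)   # made-up disk signature
    # entry 0: active, type 0x07, starting at LBA 2048, 1,000,000 sectors long
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Baseline recorded from the constructed "clean" sector.
CLEAN_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()

# Constructed "tampered" copy: identical partition table and signature, but the
# first 16 bootstrap bytes have been replaced, as an MBR-resident rootkit would.
TAMPERED_MBR = bytes(16) + CLEAN_MBR[16:]


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = inspect_mbr(image, BASELINE)
        print(f"{name}: sha256={report['bootcode_sha256'][:16]}... "
              f"issues={report['issues'] or 'none'}")
```

The check is deliberately narrow: a changed partition table is normal administration, a changed bootstrap area on a machine nobody reinstalled is not. A hash mismatch is a reason to treat the box as the worst-case blended threat described above, image it, and preserve the evidence, rather than to run the A/V cleaner and close the ticket.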
You can only tell the differences by actually investing the necessary time, resources and tools, or hiring a reputable third party. Understanding what a malware type targets, carries as a payload, and what its capabilities are will guide you in your Incident Response activities.
I believe that answers all of the original questions set out at the beginning of this article. Other useful information and articles:
- <-=[ INSERT YOUR A/V VENDOR OF CHOICE HERE! ]=- >