TROJANS & MALWARE & RANSOMWARE, OH MY! - The Necessity of an Antivirus
Every week, someone brings a device into Armor because of malware. Every day, the AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA). These are examined using the analysis tools Sunshine and VTEST, classified according to their characteristics and saved. Visualisation programs then transform the results into diagrams that can be updated and produce current malware statistics.
And that old adage about Macs never getting viruses, the amount of malware targeting Macs has skyrocketed over the last two years. An antivirus program is vital to the health of your computer.
What Is Malware?
Malware is software intentionally designed to cause damage to a computer, server or computer network. Malware does the damage after it is implanted or introduced in some way into a target’s computer and can take the form of executable code, scripts, active content, and other software. The code is described as viruses, Trojan horses, worms, ransomware, and scareware. Malware has a malicious intent, acting against the interest of the computer user.
Time for some History
With the birth of the web and the ability to connect to computers around the globe, the early 90s saw internet businesses take off as people looked to provide goods and services using this new technology.
However, as with any other form of new technology, there were those who looked to abuse it for the purposes of making money—or in many cases, just to cause trouble. In addition to being able to spread via discs—both floppy and CD-Rom varieties—the increased proliferation of personal email allowed attackers to spread malware and viruses via email attachments—especially potent against those without any sort of malware protection. If you are curious, you can explore The Malware Museum to look at various forms of early malware, safely.
At its core, a computer virus is a form of software or code that is able to copy itself onto computers. The name has become associated with additionally performing malicious tasks, such as corrupting or destroying data. In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus's code may be executed simultaneously. In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created and named "picture.png.exe," in which the user sees only "picture.png" and therefore assumes that this file is a digital image and most likely is safe, yet when opened, it runs the executable on the client machine.
One of the most common forms of malware—the Trojan horse—is a form of malicious software which often disguises itself as a legitimate tool that tricks the user into installing it so it can carry out its malicious goals. Once installed in the system, depending on its capabilities a Trojan can then potentially access and capture everything—logins and passwords, keystrokes, screenshots, system information, banking details, and more—and secretly send it all to the attackers. Sometimes a Trojan can even allow attackers to modify data or turn off anti-malware protection.
A worm is a form of malware that is designed to spread itself from system to system without actions by the users of those systems. Worms often exploit vulnerabilities in operating systems or software but are also capable of distributing themselves via email attachments in cases where the worm can gain access to the contact book on an infected machine.
It might seem like a basic concept, but worms are some of the most successful and long-lived forms of malware out there. The 15-year-old SQL slammer worm is still causing issues by powering DDoS attacks, while the 10-year-old Conficker worm still ranks among the most common cyber infections.
Ransomware has grown to be one of the biggest problems on the web. It's a form of malware that encrypts documents on a PC or even across a network. Victims can often only regain access to their encrypted files and PCs by paying a ransom to the criminals behind the ransomware.
A ransomware infection often starts with someone clicking on what looks like an innocent attachment, and it can be a headache for companies of all sizes if vital files and documents (think spreadsheets and invoices) are suddenly encrypted and inaccessible. But that's not the only way to get infected.
Cybercriminals didn't use to be so obvious. If hackers infiltrated your corporate network, they would do everything possible to avoid detection. It was in their best interests not to alert a victim that they'd fallen victim to a cybercriminal. But now, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they're holding your corporate data hostage until you pay a ransom in order to get it back.
It might sound too simple, but it's working: cybercriminals pocketed over a billion dollars from ransomware attacks during 2016 alone, and a Europol report describes it as having “eclipsed” most other global cybercriminal threats in 2017. Ransomware is always evolving, with new variants continually appearing in the wild and posing new threats to businesses. However, there are certain types of ransomware which have been much more successful than others.
While hundreds of ransomware variants extorted payments from victims in return for unlocking files, Locky was the most dominant family. But after outright dominating the ransomware landscape in 2016, Locky has virtually fallen off the face of the earth in 2017, making way for Cerber to become the king of ransomware.
The original creators of Cerber are selling it on the dark web, allowing other criminals to use the code in return for 40% of each ransom paid. This particular family of ransomware is constantly evolving, with its developers regularly adding new features to ensure its continued success. According to this report on ransomware events from David Balaban at Privacy PC, Cerber developers have been able to ship updates to the ransomware that adds new features and help it evade detection nearly once every week. Indeed, the cryptography behind Cerber is so advanced that there's currently no decryption tools available to help those infected by the latest versions. This Cerber variant is, like most ransomware, delivered by a phishing email. But rather than encouraging the victim to click on a link to download a file, these emails contain a link to Dropbox which downloads and self-extracts the Cerber payload.
Also known as deception software, or rogue scanner software, scareware usually comes in the form of pop-ups. They use social engineering to cause shock, anxiety, and/or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware, and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually, the virus is fictional and the software is non-functional or malware itself.
Anxiety-based scareware puts users in situations where there are no positive outcomes. For example, a small program can present a dialog box saying “Erase everything on hard drive?” with two buttons, both labeled “OK.” Regardless of which button is chosen, nothing is destroyed.
How to Protect Yourself
First, if you are a Windows user, please stop using Internet Explorer. In fact, don't just stop, uninstall this garbage program from your computer. I know it's what you may be used to, but the risk to your data is simply not worth it. We recommend using Google Chrome or Mozilla Firefox, as they are much more secure.
Second, keep your software updated. Simply ensuring your software is patched and up to date, and all operating system updates are applied as quickly as possible after they're released, will help protect users from falling victim to attacks using known exploits.
Third, make sure your computer has an antivirus application installed on it. There are dozens to choose from, and some of the free ones outperform expensive subscription programs. Here at Armor, we use the free version of Avira, which is one of the top-ranked antiviruses. Now that you have an antivirus, make sure you schedule regular scans (we recommend at least once a week).
Fourth, we recommend that users also install an anti-malware program, which is not the same as an antivirus (running two antivirus programs is a major no-no). Antivirus programs usually deal with the older, more established threats, such as Trojans, viruses, and worms. Anti-malware, by contrast, typically focuses on newer stuff, such as ransomware, polymorphic malware, and malware delivered by zero-day exploits. An antivirus protects users from lingering, predictable-yet-still-dangerous malware. Anti-malware protects users from the latest, currently in the wild, and even more dangerous threats. In addition, anti-malware typically updates its rules faster than antivirus, meaning that it’s the best protection against new malware you might encounter while surfing the net. By contrast, an antivirus is best at crushing malware you might contract from a traditional source, like a USB or an email attachment.