The Expanded Bestiary of Malware and Other Digital Threats

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Thus said Sun Tzu in his immortal work, The Art of War. Obviously he lived in a time before computers were even a concept, but he would probably feel right at home in the quiet war of hackers versus cybersecurity professionals waging just on the other side of our screens. After all he also said, “all warfare is based on deception,” and deception is the hackers’ greatest weapon.

So the question now stands: do you know your enemy? Do you truly know what you are up against?

Through our efforts we’ve compiled a fairly comprehensive glossary of the major terms in SIEM, IAM, and Endpoint Security. We know the field is mired in jargon, and we believe clear communication is the key to facilitating better protection, less anxiety, and above all acquiring more knowledge about what threats are lurking in the electric shadows.

Looking back over our glossary, however, we noticed our definitions of cybersecurity’s demons could use a little fleshing out. If we are to know our enemy, we need to know them in detail—how they behave, how good online hygiene practices can help prevent them, and what to do if you are infected. Therefore we have compiled this bestiary of the digital threats you are most likely to face and how to stay calm in the roughest storm.

A General Guide for Cybersecurity’s Nebulous Threats

According to the McAfee Labs Threat Report December 2017 findings, the number of individual ransomware samples is over 12 million. Individual malware numbers around 57.6 million. Cataloging every strain would be a task of herculean proportions; even with the resources to do so, the speed of hackers’ innovations means that our record would be obsolete long before we could finish it. Instead, we have provided information on the threat categories and how they behave as a group rather than focus on the individuals. In other words, we focused on the families, not the species.

Additionally, we do not touch upon threats that are of more concern to private individuals, although they may also find useful information here. Instead, we focused on the infections that plague enterprises and small-to-medium sized businesses (SMBs).

With that clarified, here is our bestiary of digital threats:

Bot

Despite its cute name, a bot is technically any software application that runs automated tasks or scripts online. In other words, a bot is any code that obtains and calculates data in repetitive cycles at a rate many times faster than a human could manage. Google’s web indexing is one example of an innocent bot. However, malicious bots can coordinate and enact automated attacks on networks, commit click fraud, harvest emails, or drain bandwidth on targeted sights. They can even be programmed to post incendiary comments on particular pages or buy up real-world concert tickets.

Servers can set rules on the bots that visit their sites, establishing limits on the data bots can access. However, no matter the website, there is no mechanism to enforce these rules; obeying them is voluntary, which renders such rules mere illusions of control. Other sites will use CAPTCHA—tests that ask users to verify they are not bots—as a more effective tool to fool bots, but bots can be programmed to bypass these barriers.

See also zombie computer.

Botnet

Think of the botnet as the next step in the bot’s evolution, or rather the bot as the infection and the botnet as the epidemic. A botnet is a network of devices that each is running a bot, either willingly or not. Botnets can coordinate attacks, thefts, spam, bitcoin mining,  and access-cracking to much more devastating effect than an individual bot, like with a DDoS attack.

Usually the botnet devices were breached and forced to cede control to a third-party hacker using malware or another virus. This hacker, sometimes called a bot herder, can use the botnet to obfuscate their location and hide their malicious connections in pre-existing servers. When ready, the herder can remotely send a message to all of their bots to initiate an attack.  

The greatest obstacle to fighting botnets is that you have to cure each client of their infection individually. In the short term, this means finding the infected computers, removing their internet access, and denying the domain access crucial to facilitating communication to the bot herder. In the long term, this means removing the code that turns the computer into a bot.  

Originally, signature-based detection from anti-malware solutions could detect and remove botnet coding. However, botnets are becoming increasingly sophisticated, developing new ways to bypass signature-based detection. Solutions providers are developing behavior-based approaches to recognize and distinguish human and bot behavior and block the latter.

See also zombie computer.

Denial of Service (DoS) Attack

A Denial of Service Attack renders a server or network that connects to the Internet unavailable to legitimate users by disrupting its service. Usually this is accomplished by overwhelming the victim server or network with a flood of superfluous queries until it shuts down. While rebooting the network can revive a server crash resulting from a DoS Attack, the actual flood of queries can result in lingering damage.

While some DoS Attacks have an extortion element to them, generally they are designed to simply sabotage an enterprise, website, or their customers. Motivations for such attacks can range from ideology to personal revenge. It depends on the attacker.  

Solution providers recommend having incident response plans well in advance of such attacks, with many providing such plans as part of their solutions. Rerouting or suppressing malicious traffic through the ISP has also proven successful in stopping an attack. However, while patching vulnerabilities can help reduce the likelihood of an attack, prevention is generally impossible.

While there are many varieties of the DoS Attack, the Distributed Denial of Service Attack is the most common.  

Distributed Denial of Service (DDoS) Attack

A DoS attack that uses multiple infected systems (a botnet) to attack a server or website. This could be the result of the lone hacker or entire state governments.  

Malware

Short for malicious software, malware is actually an umbrella terms for any program, software, or application with ill intent. This can include worms, trojans, adware, scareware, and viruses.

Malware can come from myriad sources and have equally numerous intentions and forms; the only unifying principle is that the program acts in secret against the interests of the user. The Sony BMG Rootkit Scandal in 2005 is an example of a legitimate global company distributing malware.

Malware is often most inflicted on a server or network via a downloaded file; it has existed almost since the existence of computers themselves.  

See also rootkit.

Malwareless Attack / Non-Malware Attack

A non-malware attack lives in a world all on its own. It is still malware in the sense that it is a program running on a user’s computer without their permission, working against their interests. But unlike the majority of malware throughout history, a non-malware attack uses existing software, allowed applications, and authorized protocols to carry out its malicious intentions. They do not require downloading a file in the initial phases, and are thus referred to as fileless, memory-based, or “living-off-the-land” attacks.

Non-malware attacks take advantage of vulnerable software that a typical end user would leverage on a day-to-day basis, such as Flash Player or Microsoft Office-suite applications; the successful exploit grants access to the computer’s native operating system tools. This gives the attacker a huge degree of freedom within the infected system, allowing them to take control with relative ease.

The issue with non-malware attacks is not that they are hidden so much as that they operate in plain sight—by using native applications and not downloading files in the initial phases, traditional anti-malware solutions typically can’t prevent them or even detect them, which means an increased dwell time and thus more damage. This has proven successful over the past few years: the Democratic National Committee hack was accomplished via a non-malware attack.

Solutions providers have developed or are developing detection and prevention methods for non-malware attacks. The most commonly utilized prevention solution is to use streaming logs to look for incongruous behavior and activity in conjunction with regular activity, a clear sign of non-malware attacks. SIEM solutions and their log capabilities are often the most effective in this regard.

Phishing

Phishing refers to any attempt by hackers to obtain vital information—credentials or direct financial information—by impersonating a trusted entity in an electronic communication. This can be in the form of an email, instant message, or direct message, and often purports to be from a bank, social media site, or IT administrator. Phishing messages will ask users to input their credentials on a forged  website that looks legitimate, and by doing so the user unintentionally hands hackers their information.

While there are many different kinds of phishing techniques, the most commonly employed is called spear phishing. This refers to phishing attempts that target a specific individual or company, using personal information gathered online to fool the victim into trusting it. If this is done on an upper-level executive the technique is called whaling.

While solutions can certainly help prevent phishing emails through machine learning, a good deal of prevention can come from employee training. Employees should not click on emailed links or give their information to websites, even to trusted websites; the most talented phishers can mask the true identity of their weblinks as legitimate ones. Users should also be on the lookout for spelling mistakes in official communications, as these are typically red flags.

If a user is in doubt about the legitimacy of an emailed request for verification from a legitimate company, they should call that company to make sure the request is real.       

Ransomware

Arguably the most well-known form of malware, ransomware (as the name suggests) ruthlessly holds a computer’s or network’s data hostage for a ransom. If the user doesn’t pay the cybercriminal the ransom within a certain amount of time, their data will be deleted and lost forever. Supposedly, if the ransom is paid the victim will receive the tool or encryption key to access their data. Ransoms can range in amount from a few hundred to several thousand dollars.

There are actually three distinct families of ransomware, distinguishable by how the computer or network is held hostage:

Screen Locking Ransomware: The user is unable to move off or out of the screen demanding payment. Files may still be accessible outside the screen, but the user is prevented from leaving until paying. With some IT expertise, this ransomware may be bypassed.

Encryption Ransomware: The user can still move within the computer’s operating system but cannot access any files due to encryption. Without the encryption key, these files are generally impossible to recover, granting even more power to the hacker.

Fake Ransomware: This is a bluff tactic, the suddenness and scariness of which is designed to intimidate users into paying. However, the screen is not locked and the files are not encrypted. This is still a threat in that an external malicious actor has gained access into your network, but it is a much less serious threat than its brethren.

Some ransomware, regardless of family, will try to disguise itself as an official entity such as the FBI and IRS. The ransomware will attempt through this masquerade to intimidate users by accusing them of some crime or violation and demanding payment as punishment for that crime. No official government organization operates in this fashion; users should not fall for these ploys.

All security experts agree on one thing when dealing with ransomware: do not pay the ransom. Ransomware is a one-sided relationship. You cannot trust the hacker to have a sense of honor. While paying the ransom may result in the return of your files, they could also demand more money after the initial payment or lock your files again later on.

If you are infected with ransomware, do not panic. Alert the authorities and your solution provider if you have one. Disconnect your computer from the network if possible; ransomware may also be programmed as a worm to spread to all computers in your network.  

Ransomware can be difficult to detect; they are often hidden deep in innocent-looking files. As a prevention method, keep your files backed up on a separate server or drive. Do not open attachments in emails unless you are sure the sender can be trusted, ignore spam emails, and train your employees to maintain these digital hygiene practices.

Rootkit

The definition of rootkit can be contentious, but it is generally understood to be malware designed gain unauthorized access to a server and conceal its existence. Essentially, it uses a vulnerability to hack into a system, give privileged access to the hacker, and then cover up all of its activities.

What makes rootkits insidious is that they essentially give the hacker the ability to modify the existing software of the computer including the software that would normally detect such blatant breaches, undermining their capabilities and making removal incredibly difficult.  

Rootkits, like all malware families, are numerous in form and capability. Some solutions can detect some forms of rootkits—often through behavior or user analysis—and even remove them. However, many rootkits will remain firmly entrenched in the compromised system despite these efforts. In those cases, a total rebuild of the compromised system (physically or via digital software) may be necessary, as there is no way to be sure a rootkit has been totally removed otherwise.

Rootkits are file-based, and therefore monitoring and carefully selecting what is installed on your computer can help prevent them. Solutions that carefully control system permissions and continually apply security patches are usually the most fortified against rootkits.

Spyware

A branch of malware that is itself an umbrella term for malicious programs such as keyloggers, remote access trojans, and backdoor trojans—software that allows remote surveillance of passwords and other sensitive data without the user being aware their information is being collected. Spyware can trace user actions, collect hard drive information, and even monitor your keyboard typing. Firewalls are designed in part to prevent them and anti-malware scanners are designed in part to detect and remove them.   

Trojan Horse (“Trojan”)

As the name suggests, a trojan is any malicious program–malware, ransomware, spyware, etc/–that poses as a legitimate program or download to disguise its intentions. Usually this can be in the form of a seemingly innocuous download from a reputable company.

Generally, trojans operate as backdoors, opening the network or server for hackers to enter unchallenged or exposing personal information. Other trojans turn the infected computer into a proxy, so the hacker can use the Internet for illegal purposes while all the incriminating evidence is attached to the hacked IP address. Anti-malware solutions can generally prevent, detect, and remove Trojans, as they are file-based attacks.  

Virus

While often used to referred to all forms of malware, the term “virus” actually applies to the specific kind of malware that replicates itself and spreads from host to host. Viruses need a file or document on the victim’s computer to replicate, and therefore cannot be a non-malware attack.

Viruses require human action to be spread, either knowingly or not, which can be through an emailed link, a infected download, or a removable hard drive. Viruses can delete, add, copy, encrypt, or modify files or manipulate core functions.

Anti-malware solutions are often designed to fight viruses directly, but virus innovations have made them harder to detect and remove.

Worm

A worm refers to any piece of malware that replicates itself to spread to other computers or servers on a network, using security failures and vulnerabilities to infiltrate them. Unlike a virus, worms do not need human action to spread and don’t need to copy itself to a host program to replicate. Worms by themselves don’t do harm beyond consuming bandwidth. However, many worms will harbor a “payload” attachment that can delete files, inflict ransomware attacks, or install spyware depending on their purpose.

Firewalls, anti-virus, and anti-spyware solutions can help prevent worms so long as they are regularly updated to patch vulnerabilities. Worms are often propagated on zero-day attacks.

Zero-Day Attack

A zero-day attack refers to when an attack on a security vulnerability or exploit occurs on the same day as the discovery of that vulnerability, which leaves solutions providers scrambling to patch the issue as the attack wrecks havoc. Zero-day attacks can either occur when a hacker learns of the vulnerability through reconnaissance or when a solution provider announces the discovery of a vulnerability before they have released a patch for it.

While called “zero-day” it can be months or even years before the vulnerability that led to an attack is discovered and patched. Because of the nature of zero-day attacks, there is no real method of prevention or detection.

Zombie Computer

The sci-fi term belies the serious nature of the compromise. A zombie is any endpoint device compromised by a hacker that can be used to carry out their (usually malicious) will, attacking under remote direction. They are often part of botnets.

What makes these things scary is that typically the owners of infected computers will have no idea that their endpoint is being used in this way.

There are some warning signs that an endpoint has been turned into a zombie, including slower than usual start-up, shut-down, or operation times, unexpected error messages, unusual loss of hard drive storage, and unexplained web browser closures.

To kill a zombie computer (or perhaps more accurately bring it to the world of the living) first contact your solution provider. They should be able to deploy anti-malware applications that will remove the rogue control code. It is generally not advisable to try to remove the zombie threat yourself; zombie programs often employ self-defenses that will prevent some anti-malware programs from running; some may even use rootkits to embed themselves in the server.  

Setting your enterprise’s firewall to the maximum security setting will force every application that wants internet access to ask for your permission first. While perhaps annoying, it will give you a level of personal control that will make it hard for hackers to slip their activities past you.

A good solution will certainly help prevent many attacks, but you and your employees need to always check emails before clicking any attachments within them, as this is the most common bot vector and thus the initial infection vector for zombies.