Every internet user has to have been affected by malware at some point in their life. This is not a surprise, as computer viruses seem to be nearly more infectious than real, biological pathogens!
According to PandaLabs, they have neutralized over 20 million malware threats in the first quarter of 2016 alone (That’s 27,000 samples a day!) Despite the security firms working around the clock to fight malware, there are still catastrophic amounts of newly created malware distributed daily. Black hat hackers and programmers spend precious time creating state of the art malware and techniques for distributing their payloads for a variety of reasons, the most common being the desire to make large sums of money over the internet. There are plenty of ways hackers manage to get rich by spreading viruses, but first of all, how does malware manage to make it onto victim computers?
One of the most simple hacker disciplines is commonly referred to as “spreading”. This refers to techniques by which black hat hackers distribute their malware to victim computers around the world. In fact, a quick google search shows many tutorials on the Clearnet teaching people how to spread malware.
However, before spreading to actual victims, hackers must prepare payloads of their preferred malware (the possibilities are endless!) so that it is effective once delivered to a victim. There are numerous techniques used to spread malware, one of them being packaging malware within other files. For example, windows executable files use the portable executable format. However, there is usually plenty of empty space existing within the contents of .exe files, giving hackers the possibility of stashing malicious code within otherwise safe programs. Hackers also develop packagers which allow multiple executable files to be bound together, letting them bind malware to legitimate files. So if you download a file that looks and acts normal, it is possible for a virus to be attached. It is even possible to package viruses onto document and .pdf files.
Hackers also take advantage of exploits existing within client-side software. A common attack known as a java drive-by can be used to either trick the user into downloading a malicious file, or even download and run itself without user interaction. The latter is usually done by exploiting insecure browsers which suffer from vulnerabilities.
Hackers can then use any platform they wish to spread. An easy way used to be torrent networks like the pirate bay, which have been used to infect 12 million users a month with malware. The combination of illegal downloads, little security and the fact that anyone can upload files makes it a perfect opportunity for a beginner hacker to spread his malware to millions of unsuspecting users. A far more sophisticated attack which has entered the scene fairly recently is known as malvertising, where hackers manage to put malware inside malicious advertisements on entirely trusted websites that earn revenue from said advertisements. This malicious advertising can be used to infect users from entirely trusted platforms, making it highly effective in spreading to millions while being suspected by few.
Where is anti-virus in all this? Shouldn’t anti-virus software keep society safe against malware threats? The short answer is no. If you think antivirus will protect you in all your browsing habits, you are going to have a bad time.
The official Malwarebytes antivirus blog even points out that anti-virus is no longer enough to keep us safe. Symantec, a cyber security software company also said after a large breach that “anti-virus software alone is not enough.” To understand why anti-virus is insufficient when used alone, let’s take a look at how antivirus software works.
Antivirus traditionally functions by using scanning techniques to detect malware signatures which exist within files on your hard disk. Your anti-virus program keeps a large database of signatures, or little snippets of data which come from within the code of a virus. Your AV program scans your disks files, searching for sequences of bytes to identify known malware.
The issue with this is that changing the signature of a file isn’t impossible (or even that difficult). Hackers use tools commonly referred to as “crypter’s” (basically a special purpose executable packer like UPX), commonly sold on hacker forums and darknet markets, which are used to obfuscate the signature of a file. The most effective are called runtime crypters, which are actually just a stub program containing an encrypted version of said malware. Scanning can’t detect the contained malware, obviously, because it is encrypted. However, when the stub is run it decrypts the virus and runs it from memory, ultimately bypassing anti-virus scanning. Also, scanning requires the virus to have a known signature, meaning anti-virus scanning is useless until a signature is developed for that specific malware file.
Anti-virus companies also use heuristic methods and sandboxing, which rely on observing and quarantining programs if they exhibit malware like behavior (like rapidly copying itself inside of other programs and files). Heuristics also uses algorithms for determining whether or not a file’s contents are encrypted and therefore suspicious, for example. However, evading heuristics is simple, as the malware can be programmed specifically to evade heuristic searches. Certain malware is known to wait a certain amount of time before doing anything malicious in order to wait out anti-virus surveillance. Malware researchers like to test possible malware on virtual machines, so some malware has also been developed to determine whether or not that instance of malware is being run within a virtual machine, and doing absolutely nothing if it is.
After all is said and done and malware makes it onto your computer, what happens next? That depends what type of malware you are afflicted with! One popular form malware are the RAT’s (Remote Access Trojan) or even worse, rootkits. With such software, hackers can control your computer and use it as a drone in their ever growing botnet. Once a large botnet has been created (network of computers controlled by a hackers malware) it can be used to launch distributed denial of service attacks, commit ad fraud or a number of other methods to make money online with their stolen computing power.
Another form of malware commonly making headlines these past few years is ransomware. Ransomware encrypts the victims data (pictures, documents, everything!) and demands a ransom be paid for the encryption key. Without the encryption key, it is basically impossible to regain the user’s data, making this method ruthless and tremendously successful.
Another vicious malware commonly spread is spyware. Spyware collects information about you from your computer, possibly including what you type, messages you send, sites you visit and even take pictures of you through your webcam (if you have one). This malware is great for stealing user credentials, allowing hackers to harvest things like bank accounts, credit card numbers and other valuable information automatically from a victim PC.
All of these malware attacks can be devastating, so what can you do to protect yourself? The best course of action seems to be education. When one can think like a hacker and is familiar with the methods they deploy, one is less likely to fall victim to them. If you spend a significant amount of time on the internet, either for employment or leisure, it’s suggested you at least take a little time to become computer savvy and learn about some minor aspects of computer security. For it seems the difference between a wolf and a sheep nowadays is ones level of education. As Benjamin Franklin said: