Chapter 2. Computer Systems Security Part I
This chapter covers the following subjects:
Malicious Software Types: This portion of the chapter helps you to differentiate between the various malicious software threats you should be aware of for the exam, including viruses, worms, Trojans, ransomware, spam, and more.
Delivery of Malware: Here we discuss how malware finds its way to computer systems. Malware can be delivered via websites, e-mail, removable media, third-party applications, and botnets.
Preventing and Troubleshooting Malware: Finally, we discuss how to defend against malware threats in a proactive way, and how to fix problems that do occur in the case that threats have already manifested themselves. This is the most important section of this chapter; study it carefully!
Simply stated, the most important part of a computer is the data. The data must be available, yet secured in such a way so that it can’t be tampered with. Computer systems security is all about the security threats that can compromise an operating system and the data held within. Threats such as viruses, Trojans, spyware, and other malicious software are extremely prevalent in today’s society, and so, this chapter is an important part of the book. Applications that can help to secure your computers against malware threats include antivirus programs, anti-spyware applications, or combination anti-malware programs. By implementing these security applications and ensuring that they are updated regularly, you can stave off the majority of malicious software attacks that can target a computer system.
To combat the various security threats that can occur on a computer system, we first need to classify them. Then we need to define how these threats can be delivered to the target computer. Afterward we can discuss how to prevent security threats from happening and troubleshoot them if they do occur. Let’s start with the most common computer threat and probably the most deadly—malicious software.
Foundation Topics
Malicious Software Types
Malicious software, or malware, is software designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent. Malware is a broad term used by computer professionals to include viruses, worms, Trojan horses, spyware, rootkits, adware, and other types of undesirable software.
Of course, we don’t want malware to infect our computer system, but to defend against it we first need to define it and categorize it. Then we can put preventative measures into place. It’s also important to locate and remove/quarantine malware from a computer system in the case that it does manifest itself.
For the exam, you need to know about several types of malware. Over the past several years, an emphasis shift from viruses to other types of malware, such as spyware and ransomware, has occurred. Most people know about viruses and have some kind of antivirus software running. However, many people are still confused about the various other types of malware, how they occur, and how to protect against them. Because of this, computer professionals spend a lot of time fixing malware issues (that are not virus related) and training users on how to protect against them in the future. However, viruses are still a valid foe; let’s start by discussing them.
Viruses
A computer virus is code that runs on a computer without the user’s knowledge; it infects the computer when the code is accessed and executed. For viruses to do their dirty work, they first need to be executed by the user in some way. A virus also has reproductive capability and can spread copies of itself throughout the computer—if it is first executed, by the user or otherwise. By infecting files accessed by other computers, the virus can spread to those other systems as well. The problem is that computers can’t call in sick on Monday; they need to be up and running as much as possible, more than your average human.
One well-known example of a virus is the Love Bug. Originating in 2000, this virus would arrive by an e-mail titled “I love you” with an attachment named love-letter-for-you.txt.vbs, or one of several other permutations of this fictitious love. Some users would be tricked into thinking this was a text file, but the extension was actually .vbs, short for Visual Basic script. This virus deleted files, sent usernames and passwords to its creator, infected 15 million computers, and supposedly caused $5 billion in damage. Educate your users on how to screen their e-mail!
Note
Throughout this book I typically give older examples of malware and attacks, ones that have been defeated or at least reduced heavily. There are always new malicious attacks being developed. It is up to you to keep on top of those threats. A couple of quick Internet searches will provide you with several threat blogs and anti-malware applications that you can use to keep up to date on the latest attacks. I also highly recommend visiting on a regular basis the Common Vulnerabilities and Exposures (CVE) feed from MITRE: https://cve.mitre.org/cve/.
You might encounter several different types of viruses:
Boot sector: Initially loads into the first sector of the hard drive; when the computer boots, the virus then loads into memory.
Macro: Usually placed in documents and e-mailed to users in the hopes that the users will open the document, thus executing the virus.
Program: Infects executable files.
Encrypted: Uses a simple cipher to encrypt itself. The virus consists of an encrypted copy of the virus code (to help avoid detection) and a small decryption module. Different encrypting keys can be used for each file to be infected, but usually there is only one decrypting code.
Polymorphic: Builds on the concept of an encrypted virus, but the decrypting module is modified with each infection. So, it can change every time it is executed in an attempt to avoid antivirus detection.
Metamorphic: Similar to polymorphic but rewrites itself completely each time it is going to infect a new file in a further attempt to avoid detection.
Stealth: Uses various techniques to go unnoticed by antivirus programs.
Armored: Protects itself from antivirus programs by tricking the program into thinking that it is located in a different place from where it actually resides. Essentially, it has a layer of protection that it can use against the person who tries to analyze it; it will thwart attempts by analysts to examine its code.
Multipartite: A hybrid of boot and program viruses that attacks the boot sector or system files first and then attacks the other files on the system.
Sometimes, what appears to be a virus really isn’t. That is the case with a virus hoax. A virus hoax is when a user gets a message warning that the computer is infected by a nonexistent virus. It might appear within an e-mail or as a pop-up on a website. This is a ploy to try to get unsuspecting users to pay for tech support that isn’t needed. It could also be a method for con artists to access people’s computers remotely. We’ll talk more about hoaxes in Chapter 17, “Social Engineering, User Education, and Facilities Security.”
Worms
A worm is much like a virus except that it self-replicates, whereas a virus does not. It does this in an attempt to spread to other computers. Worms take advantage of security holes in operating systems and applications, including backdoors, which we discuss later. They look for other systems on the network or through the Internet that are running the same applications and replicate to those other systems. With worms, the user doesn’t need to access and execute the malware. A virus needs some sort of carrier to get it where it wants to go and needs explicit instructions to be executed, or it must be executed by the user. The worm does not need this carrier or explicit instructions to be executed.
A well-known example of a worm is Nimda (admin backward), which propagated automatically through the Internet in 22 minutes in 2001, causing widespread damage. It spread through network shares, mass e-mailing, and operating system vulnerabilities.
Sometimes, the worm does not carry a payload, meaning that in and of itself, it does not contain code that can harm a computer. It may or may not include other malware, but even if it doesn’t, it can cause general disruption of network traffic and computer operations because of the very nature of its self-replicating abilities.
Trojan Horses
Trojan horses, or simply Trojans, appear to perform desirable functions but are actually performing malicious functions behind the scenes. These are not technically viruses and can easily be down-loaded without being noticed. They can also be transferred to a computer by way of removable media, especially USB flash drives. One example of a Trojan is a file that is contained within a downloaded program such as a key generator—known as a “keygen” used with pirated software—or another executable. If users complain about slow system performance and numerous antivirus alerts, and they recently installed a questionable program from the Internet or from a USB flash drive, their computers could be infected by a Trojan.
Remote access Trojans (RATs) are the most common type of Trojan, examples of which include Back Orifice, NetBus, and SubSeven; their capability to allow an attacker higher administration privileges than those of the owner of the system makes them quite dangerous. The software effectively acts as a remote administration tool, which happens to be another name for the RAT acronym. These programs have the capability to scan for unprotected hosts and make all kinds of changes to a host when connected. They are not necessarily designed to be used maliciously, but are easy for an average person to download and manipulate computers with. Worse, when a target computer is controlled by an attacker, it could easily become a robot, or simply a bot, carrying out the plans of the attacker on command. We’ll discuss bots later in this chapter.
RATs can also be coded in PHP (or other languages) to allow remote access to websites. An example of this is the web shell, which has many permutations. It allows an attacker to remotely configure a web server without the user’s consent. Quite often, the attacker will have cracked the FTP password in order to upload the RAT.
RATs are often used to persistently target a specific entity such as a government or a specific corporation. One example of this is the PlugX RAT. Malicious software such as this is known as an advanced persistent threat (APT). Groups that have vast resources at their disposal might make use of these APTs to carry out objectives against large-scale adversaries. APT groups could take the form of large hacker factions, and even some corporations and governments around the globe.
Ransomware
Some less than reputable persons use a particularly devious malware known as ransomware—a type of malware that restricts access to a computer system and demands that a ransom be paid. Also known as crypto-malware, it encrypts files and/or locks the system. It then informs the user that in order to decrypt the files, or unlock the computer to regain access to the files, a payment would have to be made to one of several banking services, often overseas. It often propagates as a Trojan or worm, and usually makes use of encryption to cause the user’s files to be inaccessible. This usage of encryption is also known as cryptoviral extortion. One example of this is CryptoLocker. This ransomware Trojan encrypts certain files on the computer’s drives using an RSA public key. (The counterpart private key is stored on the malware creator’s server.) Though the Trojan can be easily defeated by being either quarantined or removed, the files remain encrypted, and are nearly impossible to decrypt (given the strength of the RSA key). Payment is often required in voucher form, or in the form of a cryptocurrency such as Bitcoin. Ransomware attacks grew steadily for several years until 2013 when CryptoLocker (and other similar ransomware Trojans) appeared—now hundreds of thousands of computers worldwide are affected each year.
Note
Sometimes a user will inadvertently access a fraudulent website (or pop-up site) that says that all the user’s files have been encrypted and payment is required to decrypt them; some imposing government-like logo will accompany the statement. But many of these sites don’t actually encrypt the user’s files. In this case, we are talking about plain old extortion with no real damage done to the computer or files. These types of sites can be blocked by pop-up blockers, phishing filters, and the user’s common sense when clicking searched-for links.
Spyware
Spyware is a type of malicious software either downloaded unwittingly from a website or installed along with some other third-party software. Usually, this malware collects information about the user without the user’s consent. Spyware could be as simple as a piece of code that logs what websites you access, or go as far as a program that records your keystrokes (known as a keylogger). Spyware is also associated with advertising (those pop-ups that just won’t go away!), and is sometimes related to malicious advertising, or malvertising—the use of Internet-based advertising (legitimate and illegitimate) to distribute malicious software.
Spyware can possibly change the computer configuration without any user interaction; for example, redirecting a browser to access websites other than those wanted. Adware usually falls into the realm of spyware because it pops up advertisements based on what it has learned from spying on the user. Grayware is another general term that describes applications that are behaving improperly but without serious consequences. It is associated with spyware, adware, and joke programs. Very funny...not.
One example (of many) of spyware is the Internet Optimizer, which redirects Internet Explorer error pages out to other websites’ advertising pages. Spyware can even be taken to the next level and be coded in such a way to hijack a person’s computer. Going beyond this, spyware can be used for cyber-espionage, as was the case with Red October—which was installed to users’ computers when they unwittingly were redirected to websites with special PHP pages that exploited a Java flaw, causing the download of the malware.
Rootkits
A rootkit is a type of software designed to gain administrator-level control over a computer system without being detected. The term is a combination of the words “root” (meaning the root user in a Unix/Linux system or administrator in a Windows system) and “kit” (meaning software kit). Usually, the purpose of a rootkit is to perform malicious operations on a target computer at a later date without the knowledge of the administrators or users of that computer. A rootkit is a variation on the virus that attempts to dig in to the lower levels of the operating system—components of the OS that start up before any anti-malware services come into play. Rootkits can target the UEFI/BIOS, boot loader, kernel, and more. An example of a boot loader rootkit is the Evil Maid Attack; this attack can extract the encryption keys of a full disk encryption system, which we discuss more later. Another (more current) example is the Alureon rootkit, which affects the master boot record (MBR) and low-level system drivers (such as atapi.sys). This particular rootkit was distributed by a botnet, and affected over 200,000 (known) Microsoft operating systems.
Rootkits are difficult to detect because they are activated before the operating system has fully booted. A rootkit might install hidden files, hidden processes, and hidden user accounts. Because rootkits can be installed in hardware or software, they can intercept data from network connections, keyboards, and so on.
Spam
Have you ever received an e-mail asking you to send money to some strange person in some faraway country? Or an e-mail offering extremely cheap Rolex watches? Or the next best penny stock? All of these are examples of spam. Spam is the abuse of electronic messaging systems such as e-mail, texting, social media, broadcast media, instant messaging, and so on. Spammers send unsolicited bulk messages indiscriminately, usually without benefit to the actual spammer, because the majority of spam is either deflected or ignored. Companies with questionable ethics condone this type of marketing (usually set up as a pyramid scheme) so that the people at the top of the marketing chain can benefit; however, it’s usually not worthwhile for the actual person who sends out spam.
The most common form of spam is e-mail spam, which is one of the worst banes of network administrators. Spam can clog up resources and possibly cause a type of denial-of-service to an e-mail server if there is enough of it. It can also mislead users, in an attempt at social engineering. And the bulk of network-based viruses are transferred through spam e-mails. Yikes! The worst type of spamming is when a person uses another organization’s e-mail server to send the spam. Obviously illegal, it could also create legal issues for the organization that owns the e-mail server.
A derivative of spam, called spim (spam over instant messaging), is the abuse of instant messaging systems, chat rooms, and chat functions in games specifically. It is also known as messaging spam, or IM spam.
Summary of Malware Threats
Table 2-1 summarizes the malware threats discussed up to this point.
Table 2-1 Summary of Malware Threats
| Malware Threat | Definition | Example |
| Virus | Code that runs on a computer without the user’s knowledge; it infects the computer when the code is accessed and executed. | Love Bug virus Ex: love-letter-for-you.txt.vbs |
| Worm | Similar to viruses except that it self-replicates, whereas a virus does not. | Nimda Propagated through network shares and mass e-mailing |
| Trojan horse | Appears to perform desired functions but actually is performing malicious functions behind the scenes. | Remote access Trojan Ex: PlugX |
| Ransomware | Malware that restricts access to computer files and demands a ransom be paid by the user. | Often propagated via a Trojan Ex: CryptoLocker |
| Spyware | Malicious software either downloaded unwittingly from a website or installed along with some other third-party software. | Internet Optimizer (a.k.a. DyFuCA) |
| Rootkit | Software designed to gain administrator-level control over a computer system without being detected. Can target the UEFI/BIOS, boot loader, and kernel. | Boot loader rootkits Ex: Evil Maid Attack, Alureon |
| Spam | The abuse of electronic messaging systems such as e-mail, broadcast media, and instant messaging. | Identity theft e-mails (phishing) Lottery scam e-mails |
Delivery of Malware
Malware is not sentient (...not yet) and can’t just appear out of thin air; it needs to be transported and delivered to a computer or installed on a computer system in some manner. This can be done in several ways. The simplest way would be for attackers to gain physical access to an unprotected computer and perform their malicious work locally. But because it can be difficult to obtain physical access, this can be done in other ways, as shown in the upcoming sections. Some of these methods can also be used by an attacker to simply gain access to a computer, make modifications, and so on, in addition to delivering the malware.
The method that a threat uses to access a target is known as a threat vector. Collectively, the means by which an attacker gains access to a computer in order to deliver malicious software is known as an attack vector. Probably the most common attack vector is via software.
Via Software, Messaging, and Media
Malware can be delivered via software in many ways. A person who e-mails a zipped file might not even know that malware also exists in that file. The recipients of the e-mail will have no idea that the extra malware exists unless they have software to scan their e-mail attachments for it. Malware could also be delivered via FTP. Because FTP servers are inherently insecure, it’s easier than you might think to upload insidious files and other software. Malware is often found among peer-to-peer (P2P) networks and bit torrents. Great care should be taken by users who use these technologies. Malware can also be embedded within, and distributed by, websites through the use of corrupting code or bad downloads. Malware can even be distributed by advertisements. And of course, removable media can victimize a computer as well. Optical discs, USB flash drives, memory cards, and connected devices such as smartphones can easily be manipulated to automatically run malware when they are inserted into the computer. (This is when AutoPlay/AutoRun is not your friend!) The removable media could also have hidden viruses or worms and possibly logic bombs (discussed later) configured to set that malware off at specific times.
Potential attackers also rely on user error. For example, if a user is attempting to access a website but types the incorrect domain name by mistake, the user could be redirected to an altogether unwanted website, possibly malicious in nature. This type of attack is known as typosquatting or URL hijacking. URL stands for uniform resource locator, which is the web address that begins with http or https. The potential attacker counts on the fact that millions of typos are performed in web browsers every day. These attackers “squat” on similar (but not exact) domain names. Once the user is at the new and incorrect site, the system becomes an easy target for spyware and other forms of malware. Some browsers come with built-in security such as anti-phishing tools and the ability to auto-check websites that are entered, but the best way to protect against this is to train users to be careful when typing domain names.
Note
Speaking of what a user types, some attackers will make use of a keylogger to record everything that the user types on the keyboard. This tool could be hardware or software-based, and is often used by security professionals as well. More about keyloggers appears in Chapter 13, “Monitoring and Auditing.”
Another way to propagate malware is to employ automation and web attack-based software “kits,” also known as exploit kits. Exploit kits are designed to run on web servers and are usually found in the form of PHP scripts. They target client computers’ software vulnerabilities that often exist within web browsers. One example of an exploit kit is the Blackhole exploit kit. This is used (and purchased) by potential attackers to distribute malware to computers that meet particular criteria, while the entire process is logged and documented.
Note
The automating of cyber-crime, and the software used to do so, is collectively referred to as crimeware.
Botnets and Zombies
I know what you are thinking—the names of these attacks and delivery methods are getting a bit ridiculous. But bear with me; they make sense and are deadly serious. Allow me to explain—malware can be distributed throughout the Internet by a group of compromised computers, known as a botnet, and controlled by a master computer (where the attacker resides). The individual compromised computers in the botnet are called zombies. This is because they are unaware of the malware that has been installed on them. This can occur in several ways, including automated distribution of the malware from one zombie computer to another. Now imagine if all the zombie computers had a specific virus or other type of attack loaded, and a logic bomb (defined a bit later) was also installed, ready to set off the malware at a specific time. If this were done to hundreds or thousands of computers, a synchronized attack of great proportions could be enacted on just about any target. Often, this is known as a distributed denial-of-service, or DDoS, attack, and is usually perpetuated on a particularly popular server, one that serves many requests. If a computer on your network is continually scanning other systems on the network, is communicating with an unknown server, and/or has hundreds of outbound connections to various websites, chances are the computer is part of a botnet.
But botnets can be used for more than just taking down a single target. They can also be used to fraudulently obtain wealth. One example of this type of botnet is the ZeroAccess botnet. It is based on Trojan malware that affects various Microsoft operating systems, and is used to mine Bitcoins or perpetuate click fraud. It is hidden from many antivirus programs through the use of a rootkit (infecting the MBR). In 2012 it was estimated that the botnet consisted of up to 10 million computers. You can imagine the sheer power of a botnet such as this, and the amount of revenue it can bring in per month. Every couple of months you can read about another botnet mastermind who has been brought to justice—only to be replaced by another entrepreneur.
Active Interception
Active interception normally includes a computer placed between the sender and the receiver to capture and possibly modify information. If a person can eavesdrop on your computer’s data session, then that data can be stolen, modified, or exploited in other ways. Examples of this include session theft and man-in-the-middle (MITM) attacks. For more information on these attacks, see the section titled “Malicious Attacks” in Chapter 7, “Networking Protocols and Threats.”
Privilege Escalation
Privilege escalation is the act of exploiting a bug or design flaw in a software or firmware application to gain access to resources that normally would’ve been protected from an application or user. This results in a user gaining additional privileges, more than were originally intended by the developer of the application; for example, if a regular user gains administrative control, or if a particular user can read another user’s e-mail without authorization.
Backdoors
Backdoors are used in computer programs to bypass normal authentication and other security mechanisms in place. Originally, backdoors were used by developers as a legitimate way of accessing an application, but soon after they were implemented by attackers who would use backdoors to make changes to operating systems, websites, and network devices. Or the attacker would create a completely new application that would act as a backdoor, for example Back Orifice, which enables a user to control a Windows computer from a remote location. Often, it is installed via a Trojan horse; this particular one is known as a remote access Trojan, or RAT, as previously mentioned. Some worms install backdoors on computers so that remote spammers can send junk e-mail from the infected computers, or so an attacker can attempt privilege escalation. Unfortunately, there isn’t much that can be done about backdoors aside from updating or patching the system infected and keeping on top of updates. However, if network administrators were to find out about a new backdoor, they should inform the manufacturer of the device or the application as soon as possible. Backdoors are less common nowadays, because their practice is usually discouraged by software manufacturers and by makers of network devices.
Logic Bombs
A logic bomb is code that has, in some way, been inserted into software; it is meant to initiate one of many types of malicious functions when specific criteria are met. Logic bombs blur the line between malware and a malware delivery system. They are indeed unwanted software but are intended to activate viruses, worms, or Trojans at a specific time. Trojans set off on a certain date are also referred to as time bombs. The logic bomb ticks away until the correct time, date, and other parameters have been met. So, some of the worst bombs do not incorporate an explosion whatsoever. The logic bomb could be contained within a virus or loaded separately. Logic bombs are more common in the movies than they are in real life, but they do happen, and with grave consequences; but more often than not, they are detected before they are set off. If you, as a systems administrator, suspect that you have found a logic bomb, or a portion of the code of a logic bomb, you should notify your superior immediately and check your organization’s policies to see if you should take any other actions. Action could include placing network disaster recovery processes on standby; notifying the software vendor; and closely managing usage of the software, including, perhaps, withdrawing it from service until the threat is mitigated. Logic bombs are the evil cousin of the Easter egg.
Easter eggs historically have been a platonic extra that was added to an OS or application as a sort of joke; often, it was missed by quality control and subsequently released by the manufacturer of the software. An older example of an Easter egg is the capability to force a win in Windows XP’s Solitaire by pressing the Alt+Shift+2 keys simultaneously. Easter eggs are not normally documented (being tossed in last minute by humorous programmers) and are meant to be harmless, but nowadays they are not allowed by responsible software companies and are thoroughly scanned for. Because an Easter egg (and who knows what else) can possibly slip past quality control, and because of the growing concerns about malware in general, many companies have adopted the idea of Trustworthy Computing, which is a newer concept that sets standards for how software is designed, coded, and checked for quality control. Sadly, as far as software goes, the Easter egg’s day has passed.
Preventing and Troubleshooting Malware
Now that we know the types of malware, and the ways that they can be delivered to a computer, let’s talk about how to stop them before they happen, and how to troubleshoot them if they do happen. Unfortunately, given the number of computers you will work on, they will happen.
If a system is affected by malware, it might be sluggish in its response time or display unwanted pop-ups and incorrect home pages; or applications (and maybe even the whole system) could lock up or shut down unexpectedly. Often, malware uses CPU and memory resources directly or behind the scenes, causing the system to run slower than usual. In general, a technician should look for erratic behavior from the computer, as if it had a mind of its own! Let’s go over viruses and spyware, look at how to prevent them, and finally discuss how to troubleshoot them if they do occur.
Preventing and Troubleshooting Viruses
We can do several things to protect a computer system from viruses. First, every computer should have a strong endpoint protection platform—meaning that antivirus software should be running on it. There are many providers of antivirus protection, plus manufacturers of operating systems often bundle AV software with the OS or offer free downloads. Second, the AV software should be updated, which means that the software requires a current license; this is renewed yearly with most providers. When updating, be sure to update the AV engine and the definitions if you are doing it manually. Otherwise, set the AV software to automatically update at periodic intervals, for example, every day or every week. It’s a good idea to schedule regular full scans of the system within the AV software.
As long as the definitions have been updated, antivirus systems usually locate viruses along with other malware such as worms and Trojans. However, these systems usually do not locate logic bombs, rootkits, and botnet activity. In lieu of this, keep in mind that AV software is important, but it is not a cure-all.
Next, we want to make sure that the computer has the latest updates available. This goes for the operating system and applications. Backdoors into operating systems and other applications are not uncommon, and the OS manufacturers often release fixes for these breaches of security. Windows offers the Windows Update program. This should be enabled, and you should either check for updates periodically or set the system to check for updates automatically. It might be that your organization has rules governing how Windows Update functions. If so, configure Automatic Updates according to your company’s policy.
It’s also important to make sure that a firewall is available, enabled, and updated. A firewall closes all the inbound ports to your computer—or network—in an attempt to block intruders. For instance, Windows Firewall is a built-in software-based feature included in Windows. This is illustrated in Figure 2-1. You can see that the firewall in the figure is enabled for private and guest/public networks. Always verify functionality of the endpoint firewall!
You might also have a hardware-based firewall; for example, one that is included in a small office/home office (SOHO) router. By using both, you have two layers of protection from various attacks that might include a payload with malware. Keep in mind that you might need to set exceptions for programs that need to access the Internet. This can be done by the program, or the port used by the protocol, and can be configured to enable specific applications to communicate through the firewall while keeping the rest of the ports closed.
Another way to help prevent viruses is to use what I call “separation of OS and data.” This method calls for two hard drives. The operating system is installed to the C: drive, and the data is stored on the D: drive (or whatever letter you use for the second drive). This compartmentalizes the system and data, making it more difficult for viruses to spread and easier to isolate them when scanning. It also enables easy reinstallation without having to back up data! A less expensive way to accomplish this is by using two partitions on the same drive.
Note
There are viruses that can affect other types of operating systems as well. Android, iOS, and other desktop systems such as macOS and Linux are all susceptible, although historically have not been targeted as much as Windows systems.
Encryption is one excellent way to protect data that would otherwise be compromised (or lost) due to virus activity on a computer. Windows operating systems make use of the Encrypting File System (EFS), which can encrypt files on an individual basis. When a file is encrypted in this manner, the filename shows up green in color within Windows Explorer or File Explorer. It prevents clear-text access, and defies modification in most cases. Encryption of this type probably won’t prevent viruses from occurring, but it can help to protect individual files from being compromised. We’ll talk more about encryption in Chapter 14, “Encryption and Hashing Concepts,” and Chapter 15, “PKI and Encryption Protocols.”
Finally, educate users as to how viruses can infect a system. Instruct them on how to screen their e-mails, and tell them not to open unknown attachments. Show them how to scan removable media before copying files to their computer, or set up the computer to scan removable media automatically. Sometimes user education works; sometimes it doesn’t. One way to make user education more effective is to have a technical trainer educate your users, instead of doing it yourself. Or, consider creating interactive online learning tutorials. These methods can provide for a more engaging learning environment.
By using all of these techniques, virus infection can be severely reduced. However, if a computer is infected by a virus, you want to know what to look for so that you can “cure” the computer.
Here are some typical symptoms of viruses:
Computer runs slower than usual.
Computer locks up frequently or stops responding altogether.
Computer restarts on its own or crashes frequently.
Hard drives, optical drive, and applications are not accessible or don’t work properly.
Strange sounds occur.
You receive unusual error messages.
Display or print distortion occurs.
New icons appear or old icons (and applications) disappear.
There is a double extension on a file attached to an e-mail that was opened; for example: .txt.vbs or .txt.exe.
Antivirus programs will not run or can’t be installed.
Files have been corrupted or folders are created automatically.
System Restore capabilities are removed or disabled.
Here is a recommended procedure for the removal of malware in general:
1. Identify malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore (in Windows).
4. Remediate infected systems:
a. Update anti-malware software.
b. Use scan and removal techniques (for example, Safe Mode and preinstallation environments).
5. Schedule scans and run updates.
6. Enable System Restore and create a restore point (in Windows).
7. Educate end users.
Before making any changes to the computer, make sure that you back up critical data and verify that the latest updates have been installed to the OS and the AV software. Then perform a thorough scan of the system using the AV software’s scan utility; if allowed by the software, run the scan in Safe Mode. Another option is to move the affected drive to a “clean machine,” a computer that is not connected to any network, and is used solely for the purpose of scanning for malware. This can be done by using a USB converter kit or a removable drive system, or by slaving the affected drive to another hard drive port of the other computer. Then, run the AV software on that clean machine to scan that drive. PC repair shops use this isolated clean machine concept.
Hopefully, the AV software finds and quarantines the virus on the system. In the case that the AV software’s scan does not find the issue, or if the AV software has been infected and won’t run, you can try using a free online scanner.
In rare cases, you might need to delete individual files and remove Registry entries. This might be the only solution when a new virus has infected a system and there is no antivirus definition released. Instructions on how to remove viruses in this manner can be found on AV software manufacturers’ websites.
When it comes to boot sector viruses, your AV software is still the best bet. The AV software might use a bootable USB flash drive or bootable disc to accomplish scanning of the boot sector, or it might have boot shielding built in. Some UEFI/BIOS programs have the capability to scan the boot sector of the hard drive at startup; this might need to be enabled in the UEFI/BIOS setup first. You can also use recovery environments and the command-line to repair the boot sector.
Another possibility is to use freely downloadable Linux-based tools and Live Linux discs such as Knoppix, which can be used to boot and repair the computer.
Keep in mind that the recovery environments and other command-line methods might not fix the problem; they might render the hard drive inoperable depending on the type of virus. So, it is best to first use the AV software’s various utilities that you have purchased for the system.
Preventing and Troubleshooting Worms and Trojans
Worms and Trojans can be prevented and troubleshot in the same manner as viruses. There are free online scanners for Trojans, but in most cases, standard AV software scans for worms and Trojans in addition to viruses (and perhaps other malware as well). Usually, AV software can easily detect remote access Trojans, which were mentioned previously in the chapter, either by detecting the attacker’s actual application or by detecting any .exe files that are part of the application and are used at the victim computer.
Prevention is a matter of maintenance, and careful user interaction with the computer. Keeping the AV software up to date is important once again, but even more important becomes the user’s ability to use the computer properly—to navigate only to legitimate websites and to screen e-mail carefully.
Troubleshooting these types of malware is done in basically the same way as with viruses. The malware should be quarantined and/or removed if at all possible with AV software or with advanced techniques mentioned in the previous section. The same prevention and troubleshooting techniques apply to ransomware because it is often delivered in the form of a Trojan.
Preventing and Troubleshooting Spyware
Preventing spyware works in much the same manner as preventing viruses when it comes to updating the operating system and using a firewall. Also, because spyware is as common as viruses, antivirus companies and OS manufacturers add anti-spyware components to their software. Here are a few more things you can do to protect your computer in the hopes of preventing spyware:
Use (or download) and update built-in anti-spyware programs such as Windows Defender. Be sure to keep the anti-spyware software updated.
Adjust web browser security settings. For example, disable (or limit) cookies, create and configure trusted zones, turn on phishing filters, restrict unwanted websites, turn on automatic website checking, disable scripting (such as JavaScript and ActiveX), and have the browser clear all cache on exit. All of these things can help to filter out fraudulent online requests for usernames, passwords, and credit card information, which is also known as web-page spoofing. Higher security settings can also help to fend off session hijacking, which is the act of taking control of a user session after obtaining or generating an authentication ID. We’ll talk more about web browser security in Chapter 5, “Application Security.”
Uninstall unnecessary applications and turn off superfluous services (for example, Remote Desktop services or FTP if they are not used).
Educate users on how to surf the web safely. User education is actually the number one method of preventing malware! Access only sites believed to be safe, and download only programs from reputable websites. Don’t click OK or Agree to close a window; instead press Alt+F4 on the keyboard to close that window, or use the Task Manager to close out of applications. Be wary of file-sharing websites and the content stored on those sites. Be careful of e-mails with links to downloadable software that could be malicious.
Consider technologies that discourage spyware. For example, use a browser that is less susceptible to spyware, and consider using virtual machines.
Verify the security of sites you visit by checking the certificate, or by simply looking for HTTPS in the URL.
Here are some common symptoms of spyware:
The web browser’s default home page has been modified.
A particular website comes up every time you perform a search.
Excessive pop-up windows appear.
The network adapter’s activity LED blinks frequently when the computer shouldn’t be transmitting data.
The firewall and antivirus programs turn off automatically.
New programs, icons, and favorites appear.
Odd problems occur within windows (slow system, applications behaving strangely, and such).
The Java console appears randomly.
To troubleshoot and repair systems infected with spyware, first disconnect the system from the Internet (or simply from the local area network). Then, try uninstalling the program from the Control Panel or Settings area of the operating system. Some of the less malicious spyware programs can be fully uninstalled without any residual damage. Be sure to reboot the computer afterward and verify that the spyware was actually uninstalled! Next, scan your system with the AV software to remove any viruses that might have infested the system, which might get in the way of a successful spyware removal. Again, in Windows, do this in the recovery environment (for example, Safe Mode) if the AV software offers that option.
Note
In some cases, Safe Mode is not enough, and you need to boot off of a disc or USB flash drive with a bootable OS or kernel (Knoppix, for example) and then rerun the scans.
Next, scan the computer with the anti-spyware software of your choice in an attempt to quarantine and remove the spyware. You can use other programs to remove malware, but be careful with these programs because you will probably need to modify the Registry. Remove only that which is part of the infection.
Finally, you need to make sure that the malware will not re-emerge on your system. To do this, check your home page setting in your browser, verify that your HOSTS file hasn’t been hijacked (located in C:WINDOWSsystem32driversetc), and make sure that unwanted websites haven’t been added to the Trusted Sites within the browser.
Preventing and Troubleshooting Rootkits
A successfully installed rootkit enables unauthorized users to gain access to a system and act as the root or administrator user. Rootkits are copied to a computer as a binary file; this binary file can be detected by signature-based and heuristic-based antivirus programs, which we discuss in Chapter 3, “Computer Systems Security Part II.” However, after the rootkit is executed, it can be difficult to detect. This is because most rootkits are collections of programs working together that can make many modifications to the system. When subversion of the operating system takes place, the OS can’t be trusted, and it is difficult to tell if your antivirus programs run properly, or if any of your other efforts have any effect. Although security software manufacturers are attempting to detect running rootkits, it is doubtful that they will be successful. The best way to identify a rootkit is to use removable media (a USB flash drive or a special rescue disc) to boot the computer. This way, the operating system is not running, and therefore the rootkit is not running, making it much easier to detect by the external media.
Sometimes, rootkits will hide in the MBR. Often, operating system manufacturers recommend scrubbing the MBR (rewriting it, for example, within System Recovery Options or other recovery environment) and then scanning with antivirus software. This depends on the type of rootkit. The use of GPT in lieu of MBR helps to discourage rootkits. I suggest using GPT whenever possible.
Unfortunately, because of the difficulty involved in removing a rootkit, the best way to combat rootkits is to reinstall all software (or re-image the system). Generally, a PC technician, upon detecting a rootkit, will do just that, because it usually takes less time than attempting to fix all the rootkit issues, plus it can verify that the rootkit has been removed completely.
Preventing and Troubleshooting Spam
The Internet needs to be conserved, just like our environment. Might sound crazy, but it’s true. There is only so much space to store information, and only so much bandwidth that can be used to transfer data. It is estimated that spam causes billions of dollars in fraud, damage, lost productivity, and so on every year; besides botnets and P2P networks, it’s one of the biggest gobblers of Internet resources. The worst part is that most spammers do not bear the burden of the costs involved; someone else usually does. So the key is to block as much spam as possible, report those who do it, and train your users. Here are several ways to implement anti-spam security controls and, hopefully, reduce spam:
Use a spam firewall/filter: This can be purchased as software for the server or as a hardware-based appliance. These appliances monitor spam activity and create and update whitelists and blacklists, all of which can be downloaded to the appliance automatically. Network administrators should also block any e-mails that include attachments that do not comply with company rules. For example, some companies enable only .zip, .txt, .doc, and .docx to go through their e-mail attachment filter (or .zips only). If your company uses a web-hosting company for its website and for e-mail, that company likely has many spam filtering options. And on the client side, you can configure Outlook and other mail programs to a higher level of security against spam; this is usually in the Junk Email Options area, as shown in Figure 2-2. Spam filters can also be installed on individual clients. Many popular antivirus suites have built-in spam filtering. Make sure it is enabled! Just as an example, my personal e-mail account (which I try to keep private) has a filter at the web hosting company, plus my anti-malware software package filters the e-mails, and Outlook is set to High in the Junk Email Options page, and of course, I still get at least several spams to my inbox every single day!
Close open mail relays: SMTP servers can be configured as open mail relays, which enables anyone on the Internet to send e-mail through the SMTP server. Although this is desirable to customers of the company that runs the SMTP server, it is not desirable to the company to have a completely open mail relay. So, open mail relays should either be closed or configured in such a way that only customers and properly authenticated users can use them. Open mail relays are also known as SMTP open relays.
Remove e-mail address links from the company website: Replace these with online forms (for example, secure PHP forms) that enable a person to contact the company but not see any company e-mail addresses. Use a separate advertising e-mail address for any literature or ads. Consider changing this often; marketing people might already do this as a form of tracking leads. Taking it to the next level, consider an e-mail service.
Use whitelists and blacklists: Whitelists are safe lists of e-mail addresses or entire e-mail domains that are trusted, whereas blacklists are lists of e-mail addresses or e-mail domains that are not trusted. These lists can be set up on e-mail servers, e-mail appliances, and within mail client programs such as Outlook.
Train your users: Have them create and use a free e-mail address whenever they post to forums, tech support portals, and newsgroups, and instruct them not to use their company e-mail for anything except company-related purposes. Make sure that they screen their e-mail carefully; this is also known as e-mail vetting. E-mail with attachments should be considered volatile unless the user knows exactly where it comes from. Train your employees never to make a purchase from an unsolicited e-mail. Also, explain the reasoning behind using blind carbon copy (BCC) when sending an e-mail to multiple users. Let’s not beat around the bush; we all know that this is the most difficult thing to ask of a company and its employees who have more important things to do. However, some companies enforce this as policy and monitor users’ e-mail habits. Some companies have a policy in place in which users must create a “safe” list. This means that only the addresses on that list can send e-mail to the user and have it show up in the inbox.
You Can’t Save Every Computer from Malware!
On a final and sad note, sometimes computers become so infected with malware that they cannot be saved. In this case, the data should be backed up (if necessary by removing the hard drive and slaving it to another system), and the operating system and applications reinstalled. The UEFI/BIOS of the computer should also be flashed. After the reinstall, the system should be thoroughly checked to make sure that there were no residual effects and that the system’s hard drive performs properly.
Summary of Malware Prevention Techniques
Table 2-2 summarizes the malware prevention techniques discussed up to this point.
Table 2-2 Summary of Malware Prevention Techniques
Chapter Review Activities
Use the features in this section to study and review the topics in this chapter.
Chapter Summary
Computer security threats can be delivered by way of software or within an e-mail, via zombie computers that are part of a botnet, by using exploit kits, and through backdoors and the act of privilege escalation. The idea is that the attacker wants to either render the computer useless or gain administrative access to it. The reason, more often than not, is that the attacker wants confidential information, such as company secrets, credit card numbers, or even classified government information. But it could also be that the attacker simply wants to create havoc.
Whatever the reason, be sure to know the warning signs for the various types of malware you might encounter: from virus-caused lockups and restarts to spyware-caused web browser modifications. If malware does infect a computer, be sure to implement the proper removal procedure; either the one listed in this chapter, or one that is provided to you by your organization’s written policies.
However, prevention is the key to a productive business environment. Understand the prevention techniques for viruses, worms, Trojans, spyware, and ransomware. Review those methods periodically to make sure that you are implementing the best and most up to date strategies possible. I say it often: “An ounce of prevention is worth a pound of cure” to quote Benjamin Franklin. This is one instance where just a little bit of time spent securing systems and educating users could save an organization hours—possibly days—and perhaps a whole lot of money in the process.
Review Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 2-3 lists a reference of these key topics and the page number on which each is found.
Table 2-3 Key Topics for Chapter 2
| Key Topic Element | Description | Page Number |
| Bulleted list | Types of viruses | 13 |
| Table 2-1 | Summary of malware threats | 17 |
| Numbered list | Malware removal procedure | 22 |
| Table 2-2 | Summary of malware prevention techniques | 27 |
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
Complete the Real-World Scenarios
Complete the Real-World Scenarios found on the companion website (www.pearsonitcertification.com/title/9780134846057). You will find a PDF containing the scenario and questions, and also supporting videos and simulations.
Review Questions
Answer the following review questions. Check your answers in Appendix A, “Answers to the Review Questions.”
1. A group of compromised computers that have software installed by a worm or Trojan is known as which of the following?
A. Botnet
B. Virus
C. Rootkit
D. Zombie
2. Which of the following computer security threats can be updated automatically and remotely? (Select the best answer.)
A. Virus
B. Worm
C. Zombie
D. Malware
3. You have been given the task of scanning for viruses on a PC. What is the best of the following methods?
A. Recovery environment
B. Dual-boot into Linux
C. Command Prompt only
D. Boot into Windows normally
4. Which of the following is a common symptom of spyware?
A. Infected files
B. Computer shuts down
C. Applications freeze
D. Pop-up windows
5. Dan is a network administrator. One day he notices that his DHCP server is flooded with information. He analyzes it and finds that the information is coming from more than 50 computers on the network. Which of the following is the most likely reason?
A. Virus
B. Worm
C. Zombie
D. PHP script
6. Which of the following is not an example of malicious software?
A. Rootkits
C. Viruses
D. Browser
7. Which type of attack uses more than one computer?
A. Virus
B. DoS
C. Worm
D. DDoS
8. What is a malicious attack that executes at the same time every week?
A. Virus
B. Worm
C. Ransomware
D. Logic bomb
9. Which of these is a true statement concerning active interception?
A. When a computer is put between a sender and receiver
B. When a person overhears a conversation
C. When a person looks through files
D. When a person hardens an operating system
10. Which of the following types of scanners can locate a rootkit on a computer?
A. Image scanner
B. Barcode scanner
C. Malware scanner
D. Adware scanner
11. Which type of malware does not require a user to execute a program to distribute the software?
A. Worm
B. Virus
C. Trojan horse
D. Stealth
12. Whitelisting, blacklisting, and closing open relays are all mitigation techniques addressing what kind of threat?
A. Spyware
B. Spam
C. Viruses
D. Botnets
13. How do most network-based viruses spread?
B. Through e-mail
C. By USB flash drive
D. By instant messages
14. Which of the following defines the difference between a Trojan horse and a worm? (Select the best answer.)
A. Worms self-replicate but Trojan horses do not.
B. The two are the same.
C. Worms are sent via e-mail; Trojan horses are not.
D. Trojan horses are malicious attacks; worms are not.
15. Which of the following types of viruses hides its code to mask itself?
A. Stealth virus
B. Polymorphic virus
C. Worm
D. Armored virus
16. Which of the following types of malware appears to the user as legitimate but actually enables unauthorized access to the user’s computer?
A. Worm
B. Virus
C. Trojan
D. Spam
17. Which of the following would be considered detrimental effects of a virus hoax? (Select the two best answers.)
A. Technical support resources are consumed by increased user calls.
B. Users are at risk for identity theft.
C. Users are tricked into changing the system configuration.
D. The e-mail server capacity is consumed by message traffic.
18. One of your co-workers complains of very slow system performance and says that a lot of antivirus messages are being displayed. The user admits to recently installing pirated software and downloading and installing an illegal keygen to activate the software. What type of malware has affected the user’s computer?
A. Worm
B. Logic bomb
C. Spyware
D. Trojan
19. A user complains that they were browsing the Internet when the computer started acting erratically and crashed. You reboot the computer and notice that performance is very slow. In addition, after running a netstat command you notice literally hundreds of outbound connections to various websites, many of which are well-known sites. Which of the following has happened?
A. The computer is infected with spyware.
B. The computer is infected with a virus.
C. The computer is now part of a botnet.
D. The computer is now infected with a rootkit.
20. One of your users was not being careful when browsing the Internet. The user was redirected to a warez site where a number of pop-ups appeared. After clicking one pop-up by accident, a drive-by download of unwanted software occurred. What does the download most likely contain?
A. Spyware
B. DDoS
C. Smurf
D. Backdoor
E. Logic bomb
21. You are the network administrator for a small organization without much in the way of security policies. While analyzing your servers’ performance you find various chain messages have been received by the company. Which type of security control should you implement to fix the problem?
A. Antivirus
B. Anti-spyware
C. Host-based firewalls
D. Anti-spam
22. You are the security administrator for your organization and have just completed a routine server audit. You did not notice any abnormal activity. However, another network security analyst finds connections to unauthorized ports from outside the organization’s network. Using security tools, the analyst finds hidden processes that are running on the server. Which of the following has most likely been installed on the server?
A. Spam
B. Rootkit
C. Backdoor
D. Logic bomb
E. Ransomware