Media coverage of malware tends to fall into the ‘Shock! Horror!’ category. But what types of malware are actually doing the rounds, and what can they really do to your computer — or you?
To answer these questions, BIT spoke to experts from three security vendors — Sophos technology solutions director Justin Peters, ESET malware researcher Sieng Chye Oh, and Symantec security expert Nick Savvides — and we were slightly surprised by their unanimity.
So what are the most common types of malware?
They fall into two main categories: those that are basically no more than a nuisance, and those that are aimed at getting money from the victim.
Perhaps the most common example of nuisance malware is adware. According to Oh, this is typically delivered along with free software or by compromised or malicious web sites. Adware rarely does any real damage, but some examples are hard to remove.
The term was once applied to ‘advertising supported software.’ In return for getting a useful application at no charge, you accept that it will display ads from time to time — an approach you still see in the free versions of some mobile apps. If you don’t want the ads, you buy the paid version instead, and depending on how much you pay for mobile data, the paid version can work out cheaper than the free one. Seems fair enough, right?
But these days adware has taken on a darker meaning, and more often refers to malware that delivers unwanted ads, changes browser settings to use a different search engine, and so on. The people behind this type of malware benefit by being paid for the traffic their code (re)directs to particular sites.
Other types of malware are more dangerous and damaging, according to Oh. They include Trojans (programs that have malicious functionality as well as their stated purpose), rootkits (malware that works at a very low level to conceal its presence and possibly other pieces of malware), botnets (co-opting a large number of computers to carry out distributed denial of service attacks, run spam campaigns, and so on), keyloggers (that basically capture everything that’s typed on an infected device and then send the results to a server for analysis in the hope of capturing usernames and passwords, and other valuable information), and ransomware (which encrypts files and demands payment to decrypt them).
Botnets are still common, Savvides says. They usually have very little impact on the host computer as they are designed to remain hidden. It’s the sheer number of computers involved that make them effective, so it is in our collective interest to keep our computers free of this pest.
Ransomware “is definitely something we’ve seen a lot of,” says Peters, while Oh calls it one of the top threats to small businesses. Savvides agrees: “ransomware has been very effective for the bad guys,” he says, adding that it has been “extremely profitable.” For small businesses, “the real threat is ransomware,” he says.
“It’s very evident when you’re affected,” Peters says, “it has an emotional impact.”
Both ESET and Sophos recommend that those affected should not pay the ransom as there is no guarantee that you will receive the decryption key and “paying encourages this activity,” he says. Savvides goes further, saying that a lot of people that do pay never get their data back.
If you don’t pay, you definitely won’t receive the key, but as long as you have a good backup regime, ransomware should be no more than a nuisance, Oh says. Without a backup, ransomware can be a real problem for small businesses, Savvides observes. Without access to the business data, how would the owner or manager know who should be invoiced, or for how much?
Solutions can create problems
Backing up to a network server or a permanently connected hard drive is not foolproof in these circumstances. According to Peters, some ransomware encrypts every drive it can see, so your backups could be scrambled too.
A simple defence would be to connect and disconnect the backup drive each time, but that loses the advantages of completely automated backup. Another approach could be to use software that accesses remote storage without mounting it as a drive — this includes products such as Mozy — but there have been reports of malware variants that seek out usernames and passwords for cloud storage services so those files can also be replaced with encrypted versions. Some cloud storage includes the ability to roll back to earlier versions of files, which could mitigate the effects of such malware.
Interestingly, Peters notes that if one computer in an organisation is affected by ransomware, there will typically be additional incidents. This suggests that better training is required to reduce risky behaviour. On a related note, he says phishing attempts — trying to trick people into logging into what they think is a real site that they use but that is actually a fake operated by crooks — have “a very high conversion rate” in Australia, which also implies a lack of training.
Other common types of malware include Trojans that install a ‘back door’ into the affected computer, which allows the perpetrators to download and install additional malware that can include functions for gaining access to internet banking accounts.
Beware banks bearing gifts
Banking Trojans are a particular problem. They usually sit quietly in the background until someone uses the computer to access internet banking. Then they collect the username and password and ‘call home’ with the details so that other parts of the criminal organisation can use them to extract funds, or they add to or modify the legitimate transactions being performed by the user to drain the account. In some cases they are masked from transaction listings by the malware, so you don’t know what’s happened until you receive a paper statement, or an ATM or a POS terminal rejects your card.
Taking advantage of security mechanisms such as SMS codes can “certainly improve things,” says Peters, but not all institutions offer them and when they do, their customers may have to opt in. He also recommends that customers follow up any unexpected transaction attempts: if your bank sends you an authorisation code for a transaction you didn’t initiate, report it. And always check any details in the SMS for transactions you are making, especially the amount.
Even if the bank does agree to reverse an unauthorised transaction — and there’s no guarantee that will happen if the fraud can be directly linked to malware on your computer — it can take anything from weeks to years before the money is back in your account, and many small businesses just can’t wait that long. So banking malware “is a tough one for small business,” Savvides observes.
Peters’ advice is to dispute fraudulent transactions with the financial institution, and if it is card-related to consider cancelling the card. It’s very difficult to correlate all the events involved in the process, so there may be no real evidence that malware was involved. Indeed, it may have nothing to do with malware on your computer.
Malware doesn’t only seek out information about the owner or user of the system, Savvides warns. Businesses aren’t supposed to store credit card numbers in spreadsheets or other documents, but they do, along with other identifying details. “You can lose customer data and not even know about it,” Savvides says, then you face the risk of reputational damage and the possibility of legal action from customers.
Some pieces of financial malware are subtle, he says, as they collect information such as the bank used by the victim and other details. That digital dossier is either sold, or used to personalise subsequent attacks. Fake invoices and delivery notes have proved to be successful vectors for introducing malware into small businesses, he says. If the covering email includes accurate information, the poisoned attachment is more likely to be opened. Hypothetically, malware running on a supplier’s system may have identified your business as a customer and the carrier used for deliveries, so even if you are appropriately cautious about opening unexpected attachments, an email supposedly from that carrier mentioning a consignment from your supplier would probably open the supposed delivery note.
And once malware has gained a foothold, it sometimes takes a very sneaky approach: it configures standard system components to do its dirty work (such as exfiltrating files) and then deletes itself, making detection a lot more difficult.
Here’s a sneaky one: Savvides says there have even been cases where malware has altered the payment details on a business’s invoices so that when customers think they are paying their supplier, they’re actually sending funds to the bad guys via a money mule (someone recruited under the pretence that they will receive money from legitimate customers in Australia and forward it to an overseas supplier, but actually handling misappropriated funds).
One way or another, some Australian small businesses have suffered serious financial losses because of malware, he says.
Defending the defenceless
The bad guys are targeting small businesses because they know these organisations lack the knowledge and skills to protect themselves properly, says Savvides: 26 percent of targeted attacks detected during 2014 were on small businesses. Peters suggests that a small but very profitable business is more likely to be targeted, especially if it has international competitors.
This discussion has mostly been about malware affecting computers, but mobile devices are also vulnerable. “It is an increasing problem,” Peters says, pointing to mobile malware — especially for Android — that makes money for the bad guys by racking up bills for premium SMS services.
Protecting yourself and undoing the damage
Not surprisingly, the usual advice is to run a reputable security package.
Oh points out that it’s not enough to have the software installed and running; it has to be set up properly for the best protection. The problem isn’t that the default settings are inappropriate, more that some users change the settings and by doing so increase their chance of being hit by malware.
For example, the security software has to be kept up to date. Another issue is that although vendors increasingly offer some type of cloud protection — in part to provide early warning of new threats — some people decrease the frequency of update checks or disable cloud protection completely, even though as Peters pointed out, using cloud protection is a good way to keep up with the bad guys.
If you do get hit by malware, Oh’s advice is to start by making a full backup of the system before attempting to clean it up. That way, if something goes wrong with the process you can try again. Just don’t overwrite the most recent backup from before the infection.
It’s important to identify the malware as accurately as possible, because some types require special software tools — supplied by your security vendor — for cleaning up the damage. Whether they are required or the general repair function of the security software can do the job, be sure to start up the computer from a CD, DVD or a USB drive loaded with the system image from the security vendor so you can be confident you’re working in a ‘clean’ environment.
Once the primary problem has been fixed, run a full scan using your security software with the very latest updates to ensure nothing else is lurking in the system.
Some organisations prefer to play it safe by wiping the hard disk and reinstalling or reimaging the operating system and applications. That assumes the data on the infected system is safely backed up somewhere, or all stored on a server. If you have an up to date — but pre-infection — clone of the infected disk, copying it back onto the PC is a relatively simple solution.
But Oh warns that a few types of malware work at such a low level they can even survive the physical replacement of the hard drive.
It’s an ongoing “warm” war: everyone versus a bunch of overlapping international criminal cabals. It sounds exciting, but it doesn’t have to be, because with a bit of common sense, diligence and a good security package, you can opt out of the hostilities.