CISSP Blog Post 26, Domain 8: Malware


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Finally! Congratulations on making it to the last CISSP post in this series. Today we will cover the most exciting topic of Malware! Here are some of the most common types of malware you need to know about:

  1. Viruses are malicious code that replicate by creating, replacing, or attacking other programs or files. Viruses generally require some initiating action by the user. Virus Types include File Infectors and Boot Sector Infectors (which are read before the host operating system is started).
  2. Worms are malicious, continuous processes that reproduce and eat up resources. Generally they do not require an initiating action by the user. They spread over networks by exploiting vulnerabilities in network protocols, or through application components (e.g. DLLs, etc.). Unlike viruses, worms do not require infected files to spread (i.e. viruses require a file “host”).
  3. Trojans are installed by a user because they think they want it. They are a form of social engineering.
  4. Remote Access Tools, aka RATs, can be legitimate remote administration tools, but they can also be illegitimate remote access trojans.
  5. Rootkits are often trojans or other malware that can replace critical system files or interfere with system kernel functions to seize control of a processor’s central ring (0 or 1) such that a whole system is compromised.
  6. A Logic Bomb is malicious code, often planted by someone you know (i.e. an insider programmer), that is triggered by an event or specific schedule, usually as an act of revenge.
  7. Botnets are where multiple systems are compromised and turned into agents / bots / zombies.
  8. Distributed Denial of Service (DDoS) attacks have 3 phases:
    1. Attacker infects many machines with agents (aka bots or zombies)
    2. Attacker uses a Master / Handler program to command agents
    3. Agents initiate a denial of service or SPAM attack against the attacker’s target. ISPs and managed DNS can help stop a DDoS attack.
  9. Zero-Day Exploits / Malware are attacks that take place shortly after a security vulnerability is discovered but before a vendor has a fix or patch available.

So how do you protect against Malware? Anti-malware tools come with different types of capabilities, including:

  • Known Signature Scanning – the program scans based on known malware or attack signatures (e.g. Antivirus). These solutions are only as good as known, available signatures.
  • Heuristic Scanning – the program looks for suspicious system behavior or activity. It does NOT use baseline learning, it only uses predefined rules.
  • Change Detection Tools look for unauthorized changes to files, system configuration, or programs (e.g. File Integrity Monitoring solutions). These tools take baseline snapshots of files (via a file hash) and then create new hashes periodically to see if they change.
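The change detection approach described above, as an added example that is not part of the original post: a minimal file integrity monitor that takes a SHA-256 baseline of a directory tree, rescans it later, and reports added, removed, and modified files. The directory tree, file names, and the "tampering" between scans are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline

def compare(baseline, current):
    """Classify differences the way a FIM tool reports them."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a small tree, simulate tampering, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        sample = {"bin/ls": b"original ls binary", "hosts": b"127.0.0.1 localhost\n"}
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # Store the baseline off-box or read-only: malware that can rewrite
        # the baseline (as a rootkit replacing system files might) defeats the check.
        baseline = snapshot(root)
        # Simulated unauthorized changes: replaced binary, new file, deleted config.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary")
        with open(os.path.join(root, "bin", "extra.so"), "wb") as f:
            f.write(b"new module")
        os.remove(os.path.join(root, "hosts"))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```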

Picking an Anti-Virus Software


There are many different Anti-Virus software packages available for both PCs & Macs (yes, Macs get viruses too…) – the question is, how do you choose one?

Personally, I have had very good success with Avast! Anti-Virus software (www.avast.com/) however I also practice very careful internet browsing so I probably don’t attract the same number of nasty programs as your typical internet browser.

That being said, I recently did some research on Anti-Virus software and came across a great resource, a publication called Virus Bulletin (www.virusbtn.com). In reviewing their test results, I built an interesting graph that I think compares a lot of software in an easy to digest manner:

Virus Bulletin Software Comparison - July 2015

I’ve highlighted in red two different software products that I think are noteworthy, ESET & Microsoft Endpoint Protection (aka Windows Defender – per Microsoft’s statement of: “Most of our security software uses the same technology and offers the same level of protection.”).

ESET has been around a very long time and has been reviewed by Virus Bulletin for a total of 90 tests. It was not submitted for review for 4 test periods & failed only 2 tests. This, by far, is the most impressive long-term passing streak of any of the software reviewed.

In contrast, Microsoft’s product has not been around for as long (roughly half as many test cycles as ESET). It has also not been submitted for review for almost half of the time it has been in development. That being said, of every test it has been submitted for, it has never failed one – all in all, pretty impressive as well.

I think that this type of visual depiction is very helpful for a quick comparison – keep in mind though that you should review Virus Bulletin’s methods to ensure that you’re comfortable with their testing strategy.

I hope these resources help – I would love to hear which Anti-Virus software you think is the best & why!

~Yosef