SECTION 5: TYPES OF MALWARE & ATTACKS
Malicious individuals employ many styles of attack to prey on unsuspecting users. Usually these attacks aim to compromise or alter some part of your PC's software, though other attacks use the Internet itself as the weapon to disable or cripple entire networks.
Below I'll detail the broad categories of malware that can occur on a PC system:
Virus
- Viruses are infectious files that copy themselves over and over and can spread to other computers. They attach themselves to programs and can spread throughout a network. They can also be used to steal information and push advertisements onto your screen.
Worm
- Worms are like viruses in that they can spread across multiple PCs on the same network, and they usually hog network bandwidth. They can also steal data and delete files. Their defining characteristic is that they self-replicate - they don't need a host file to attach to.
Trojan Horse
- Trojans are programs that look normal and disguise themselves as legitimate software. They can give an attacker remote access to a user's computer, log keystrokes, and modify files - all without the user's permission.
Adware
- While generally harmless, adware produces pop-up ads that are intrusive and disrupt the user. Most adware is intended solely for advertising, but sometimes it comes bundled with other nasties that track user activity and steal information.
Spyware
- Spyware does what it sounds like - it spies on users. It collects keystrokes, harvests data, and can even modify your browser's security settings. It spreads by exploiting software vulnerabilities and can attach itself to legitimate software or Trojans.
Ransomware
- Perhaps the deadliest and most crippling form of malware is ransomware, which essentially holds a PC hostage. It encrypts the PC's entire hard drive and nags the user to pay a fee in exchange for the decryption key. Ransomware can easily spread to other computers on a network, causing chaos within enterprise environments.
Rootkit
- Rootkits are created with the intent to remotely access or control a computer without being detected by antivirus or the user. The malicious individual can steal files, execute scripts, or add the PC to a botnet. Detecting rootkits is difficult as they usually are able to evade most forms of antivirus software.
In addition to malware, there are also several forms of network-based attacks you need to be aware of:
Eavesdropping
- Generally speaking, much of the activity on the Internet travels in an unsecured, "plain text" format. Anyone who can get at your traffic can see everything you are doing, with nothing to stop them. This is why encryption is so emphasized - by scrambling the data, you prevent attackers from pulling sensitive information out of it.
Man-in-the-Middle Attack (MITM)
- A MITM attack occurs when someone sitting between you and the person you are communicating with actively monitors, captures, and controls your communication. They can alter where data is sent. Essentially, it's as if someone has assumed your identity without your knowledge.
Distributed Denial of Service Attack (DDoS)
- Perhaps the most widely used type of attack, DDoS attacks take many forms, but they all share several characteristics. They aim to cripple a network by flooding it with requests, causing it to crash or load slowly (hence the name Denial of Service). This is why it's important to keep your public IP private - attackers can literally flood your connection and cause you to temporarily lose Internet access altogether.
SECTION 5.1: HOW TO HANDLE A COMPROMISED SYSTEM
(Added 8/13/16)
If you're seeing a bunch of popups, your system has been drastically slowed down, or you fear that someone might be maliciously accessing your account, chances are you have been the victim of one or more of the above categories of malware.
The first step in handling this situation is to REMAIN CALM. Try your best to retain your composure. Most scenarios aren't very serious, though it depends on the type of malware you have contracted. More severe infections may seem very intimidating and contain graphics/sounds that are intended to scare you. Do not lose your cool.
Some infections are able to control what kinds of files are opened, such as your antivirus. If this is the case, you may need to boot into Safe Mode (Windows and Mac) in order to proceed with the cleanup of your system. This is rare, but the following steps should apply to most, if not all scenarios.
- Open up your antivirus and run a scan. As stated in a previous post, make sure your virus database definitions are up-to-date and that you have the latest version of your antivirus. As stated before, I recommend using Malwarebytes for this.
- Let the scan run. You should see the number of suspicious files and malware detected. Once the scan completes, depending on which antivirus you have, hit "quarantine" or "delete" on all of the files that were found.
- You may need to scan several times in order for your antivirus to find all of the files. Restart your PC. Open up Task Manager and look at your CPU and disk usage to see if it's back to normal idle levels (malware has a tendency to really hog system resources).
- As a "cleanup" last step, download CCleaner and run a scan on your system to remove any junk files that might have been left behind. Also go into the Registry cleaner and run a scan on that as well.
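The "look at Task Manager after the reboot" step above can be done more systematically. The script below is an added example, not something from the original post: it samples CPU and disk load at idle, lists the heaviest processes, and then prints the usual places malware puts itself to survive a reboot (Run/RunOnce keys, startup entries, scheduled tasks), so you can tell whether the cleanup actually stuck. The idle thresholds are assumptions of mine, the counter names are the English ones (they are localized on non-English Windows), and it is meant to run from an elevated PowerShell prompt on Windows 10 or later.

```powershell
# Added example (not from the original post): post-cleanup check on Windows.
# Run from an elevated PowerShell prompt after the reboot, with nothing else open.

# Idle thresholds are assumptions; anything above them at idle deserves a second look.
$cpuIdleLimit  = 10   # percent
$diskIdleLimit = 10   # percent of time the disk is busy

# Sample the same counters Task Manager shows, five times one second apart, and average them.
$cpu  = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 5).CounterSamples |
        Measure-Object -Property CookedValue -Average
$disk = (Get-Counter '\PhysicalDisk(_Total)\% Disk Time' -SampleInterval 1 -MaxSamples 5).CounterSamples |
        Measure-Object -Property CookedValue -Average

"Average CPU at idle : {0:N1}%" -f $cpu.Average
"Average disk at idle: {0:N1}%" -f $disk.Average
if ($cpu.Average -gt $cpuIdleLimit -or $disk.Average -gt $diskIdleLimit) {
    Write-Warning "System is still busy while idle; something may have survived the scan."
}

# Heaviest processes by accumulated CPU time and memory, with the file they run from.
"`nTop processes by CPU time:"
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Name, Id,
        @{ n = 'CPU(s)'; e = { [math]::Round([double]$_.CPU, 1) } },
        @{ n = 'MemMB';  e = { [math]::Round($_.WorkingSet64 / 1MB) } },
        Path |
    Format-Table -AutoSize

# Persistence points: malware that "comes back" after a reboot is usually registered here.
# Review anything whose name or path you do not recognise.
"`nRun / RunOnce registry entries:"
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "[$key]"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

"`nStartup commands (registry + Startup folders):"
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize

# Enabled scheduled tasks whose action lives outside the Windows directory.
# Legitimate software does this too, so this is a list to review, not a verdict.
"`nScheduled tasks running programs from outside C:\Windows:"
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { $_.Execute -and $_.Execute -notmatch '^(?i)(%SystemRoot%|%windir%|C:\\Windows)' } |
        ForEach-Object {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
} | Format-Table -AutoSize
```

Run it once right after the reboot and, if anything looks off, again after another antivirus pass; the point of the persistence lists is that a process you killed and a file you quarantined are not the same as the registry entry or task that re-launches them, and the latter is what a repeat scan can miss.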
Remember that these steps might not work for the worst incidents of malware infection. Sometimes your only option to regain access to your PC (like in the event of ransomware) is to re-image/factory restore your PC. Be sure to keep backups of important user data in this case.
_______________
@Shamus The Brute has also asked me to cover the subject of keyloggers. A keylogger is a form of malware that can read every single key you press on your keyboard. Everything that you type is sent over the Internet to the attacker. The intent of this type of malware is to steal usernames, passwords, credit card info, and other sensitive information that you may type in.
If you notice that you receive "suspicious login activity" emails from websites you use, or notice that your account shows activity that was not made by you, chances are you may have become the victim of a keylogger (assuming you are following all of the password guidelines in one of my previous posts).
Here are steps to take if you think you have a keylogger on your system:
- Run a scan with your antivirus program of choice or Malwarebytes. The keylogger should come up as a detected object. From there, you can blast it right out of the water.
- Even though the keylogger is now gone from your system, data has already been sent to the malicious individual on the other side. Change ALL of your passwords. If you made any online purchases using your credit card, ask that your card be deactivated and that you receive a new card.
Things you can do to prevent further incidents of keyloggers grabbing information from your system:
- Copy and paste sensitive information from a text document (one that is obviously not accessible to other users on your PC). To the keylogger, all that will be sent over is a CTRL+C and a CTRL+V.
- Use a password manager, like LastPass. LastPass automatically fills in login details - no keyboard activity is required.
_______________
Another thing I also want to cover is what to do in the event that a malicious individual has somehow grabbed your public IP off of the Internet and is now DDoSing you.
Some ISPs may distribute a new IP upon rebooting your modem. Take note of your old public IP (using something like https://www.whatismyip.com/) and simply unplug your modem for a few seconds and plug it back in. Refresh that webpage and check to see if it changed.
If not, you may need to call your ISP and tell them what is going on. They may be able to manually change your IP address.
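Rather than eyeballing the web page before and after the unplug, you can record the address and let a script do the comparison. The following is an added example, not part of the original post: run it once to save the current public IP, power-cycle the modem, then run it again and it tells you whether the address changed. It assumes a lookup service that returns just the address as plain text (api.ipify.org does; the site linked above shows the IP inside an HTML page, which is fine by hand but awkward to parse), and it validates that what came back really is an IPv4 address so a captive-portal or error page is not mistaken for one. The state file location is my choice.

```powershell
# Added example (not from the original post): record the public IP before the
# modem power-cycle and compare it afterwards. Usage: run, unplug/replug the
# modem, run again. The lookup URL and state file path are assumptions.
param(
    [string]$StateFile = "$env:USERPROFILE\public-ip-before.txt",
    [string]$LookupUrl = 'https://api.ipify.org'
)

function Test-IPv4Address {
    param([string]$Text)
    # Accept only a well-formed dotted quad with every octet in 0..255.
    if ($Text -notmatch '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$') { return $false }
    foreach ($octet in $Text.Split('.')) {
        if ([int]$octet -gt 255) { return $false }
    }
    return $true
}

function Get-PublicIp {
    param([string]$Url)
    # The service is expected to answer with the bare address and nothing else.
    $ip = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15).Content.Trim()
    if (-not (Test-IPv4Address $ip)) {
        throw "Lookup did not return an IPv4 address (got '$ip'); are you behind a captive portal or offline?"
    }
    return $ip
}

$current = Get-PublicIp -Url $LookupUrl

if (-not (Test-Path $StateFile)) {
    # First run: remember the address, then go power-cycle the modem.
    Set-Content -Path $StateFile -Value $current
    "Saved current public IP $current to $StateFile."
    "Unplug the modem for a few seconds, plug it back in, wait for it to sync, then run this script again."
} else {
    # Second run: compare against what was saved before the reboot.
    $previous = (Get-Content -Path $StateFile -Raw).Trim()
    if ($previous -eq $current) {
        "Public IP is still $current; the modem reboot did not change it. Next step is to contact your ISP."
    } else {
        "Public IP changed from $previous to $current."
    }
    # Clear the saved address so the next attempt starts fresh.
    Remove-Item -Path $StateFile
}
```

If the second run reports the same address, that is your cue for the ISP phone call described above; if it throws because the lookup returned something other than an address, the modem has not finished coming back up yet, so wait a minute and rerun.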
If your ISP has no control over IP distribution, the last option is to spoof your router's MAC address (not your modem's - your ISP uses your modem's MAC address to ensure you are actually a customer). While this is technical and some users might not feel comfortable doing this, it is a surefire way to trigger an IP change (since some ISPs tie the router's MAC to a specific public IP). I won't detail how to do this process here, but you can search elsewhere on the Internet for a guide.