
1. Introduction to Malware

Malware, or malicious software, is the inclusive term for many types of
malicious code, including viruses, worms, Trojan horses, rootkits, and more. A worm
or virus outbreak may occur in an organization’s network.

The outbreak may disrupt normal business operations simply through the
malware’s spread, or the malware may also damage infected systems in other
ways, including destroying or altering information. Malware can also eavesdrop
on communications and send intercepted sensitive information back to its source.

While viruses, worms, Trojan horses, and so on do not directly attack networks,
they do use networks to propagate from one system to another. Especially
virulent malware may generate so much traffic that all legitimate network
communications may cease. This may be true even if only a small number of
infected systems are present and attempting to find new victim hosts to attack
and infect.

2. Malware Threats and Vulnerabilities

Malware can have a wide variety of negative impacts on an organization and cause
serious problems for its business. The earliest viruses were relatively benign,
whereas contemporary malware is able to produce a wide range of damage.

3. Classes of Malware

There are several classes of malware:


• Viruses These are fragments of code that attach themselves to executable files
(for example, .exe programs) and are activated when the program they are attached to
is run.

• Worms These are stand-alone programs capable of human-assisted and
automatic propagation.

• Trojan horses As the name suggests, these are programs that are purported to
perform one function, but which actually perform other (or additional) undesired
functions. For example, something might be advertised as a game that actually
erases files (or does both).

• Spyware This type of software performs one or more surveillance-type actions
on a computer, reporting back to the spyware owner. The most insidious form of
spyware is the key logger, a software program (and also an implantable hardware
device) that records user keystrokes and transmits them back to a central
location.

• Rootkits These are malware designed to hide themselves from the operating
system as well as evade detection by antivirus software. Some rootkits are also
able to run “underneath” the operating system so that they are undetectable from
within it.

• Bots These are agents implanted by other forms of malware and which are
programmed to obey remotely issued instructions. Collections of bots are called
bot armies (botnets). These are built to send spam, propagate malware, attack target
systems and networks, and host phishing sites.

4. Types of Damages caused by Malware

The types of damage that malware can cause include:

• Computer slowdowns
• Alteration or destruction of data
• Eavesdropping on communications
• Stolen data
• Attack or damage to other systems

5. Vulnerabilities exploited by Malware

The vulnerabilities that malware is able to exploit include:


• Missing patches Many malware programs are designed to exploit known
vulnerabilities that remain on many computers that do not have security patches
installed.

• Unsecure configuration Old, outdated, or incorrectly set configuration settings
can leave a computer vulnerable to attack.

• Faulty architecture Mistakes in a network’s architecture (for example, incorrect
placement of a firewall that exposes too many systems) or errors in
implementation can leave systems open to attack.

• Faulty judgment Mistakes and decisions that are based on incomplete
knowledge can lead to configuration or architecture errors that introduce
vulnerabilities.

6. Common Threats associated with Malware

The most common threats associated with malware include:

• Spam Junk e-mail often contains malware, or entices users to connect to web sites
that contain malware. Spam also includes e-mail messages that advertise both
legitimate goods and services as well as fakes; prescription medication is a good
example of the phony merchandise that many people buy in the hopes of saving
money.

• Phishing Some spam impersonates real government and private institutions,
pretending to communicate urgent news to customers, who need to act quickly.

A common ploy is an e-mail message from a bank telling customers that their bank
accounts will be locked unless they respond by logging in to an imposter site. People
who fall for these schemes inadvertently provide login credentials to thieves, who
use them to transfer funds out of their victims’ accounts. Many similar schemes exist
that attempt to steal money or other valuables from victims.

• Denial of service Some malware deliberately causes computers to malfunction.
Plus, malware that is designed to rapidly spread from computer to computer over
networks will cause high volumes of network traffic that make the networks, as well
as computers, unusable.

• Stolen information Some malware is designed to intercept keystrokes and
displayed information and relay that data back to a central location. The information
of greatest interest is credit card numbers, bank account numbers, and user ID and
password combinations for high-value sites such as online banking.
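The bank-login ploy described under Phishing can be caught mechanically: the visible link text names the real institution, but the href points at a look-alike host. The following is an added example, not code from the original page. It parses a constructed sample message (the domains are reserved test names, not real organizations) and reports links whose destination disagrees with what the reader is shown; the "last two labels" domain heuristic is a simplification of what a production filter would do with the public suffix list.

```python
"""Report links in an HTML e-mail that mislead about where they lead."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; not a real phishing e-mail.
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank.example>
To: customer@example.com
Subject: Urgent: your account will be locked in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual activity was detected. Log in now or your account will be locked.</p>
<p><a href="https://examplebank.example-verify.test/login">https://www.examplebank.example/login</a></p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Good enough for this example; real filters consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def deceptive_links(raw_message, trusted_domains):
    """Return the links whose real destination contradicts what the reader sees.

    A link is reported when its visible text is itself a URL on a different
    domain than the href, or when the text names a trusted domain while the
    href leads outside the trusted set (the imposter login page).
    """
    trusted = {d.lower() for d in trusted_domains}
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != dest:
                reasons.append(f"displayed URL is on {shown}, destination is {dest}")
        if dest not in trusted and any(t in text.lower() for t in trusted):
            reasons.append(f"text names a trusted domain but destination {dest} is not trusted")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in deceptive_links(SAMPLE_EMAIL, {"examplebank.example"}):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the first link is reported: its text shows the bank's own URL while the href goes to a different domain, and that domain is not in the trusted set. The "Help centre" link is left alone because it really does go to the bank. A mail gateway would rewrite or strip such links rather than just log them.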

7. Anti-Malware Administrative Controls

Organizations’ anti-malware controls need to include several administrative controls
to stop the introduction and spread of malware. These controls include policies such
as:
• Spam policy Security policy and awareness training needs to include “don’t open
strange or unusual e-mail messages, even from people you know” guidance to
workers. Even in an environment with effective spam filters, some spam does get
through, so this policy helps users think twice before opening them.

• Only business-related Internet access Because some malware spreads through
malicious code implanted on web sites (and for other reasons, such as lost productivity),
organizations may forbid their employees from visiting web sites with no direct
business purpose.

• No removable media Malware can be introduced via removable media. In fact, the
earliest viruses were spread via floppy disk. Today, many organizations forbid, and
even actively block, the use of removable media such as USB drives and memory
sticks.

• No downloading Because some malware is implanted in downloadable software,
many organizations have enacted policies that forbid the practice of downloading
software. Instead, requests are made to the IT service desk if additional software or
tools are needed.

• No personally owned computers In many organizations, it was once acceptable to access
the corporate network remotely using personally owned computers. Because the
organization is unable to control the spread of malware on computers it does not
own or control, the right place to draw the line is to enact a policy that forbids all but
company-owned computers from connecting to any corporate network, local or remote.

8. Anti-Malware Technical Controls

Because malware is so potent, and because some kinds of malware are able to
spread without any human interaction or assistance, a defense-in-depth strategy for
blocking it is needed in most organizations to make sure that malware has few
opportunities to enter the network.

• Anti-malware on all servers and workstations Every server and workstation should have
current anti-malware software. It should be configured to perform real-time malware
detection, plus regular scans (daily in high-risk environments, weekly in others).
Users should not be able to remove or tamper with anti-malware software, even if
they are local administrators for their workstations. However, users should be able to
perform scans on demand if they sense that something new in their system may be
infected.

• Anti-malware on e-mail servers E-mail servers should have anti-malware programs
designed to block malware on incoming and outgoing e-mail. This cannot be ordinary
anti-malware software, but a type designed to run on an e-mail server and
interoperate with the e-mail server programs.

• Anti-malware on web proxy servers/filters Organizations should have active or
passive web proxy servers that have anti-malware software on board. This will
prevent malware from entering an organization from web sites that users are visiting.

• Centralized anti-malware console Organizations should consider using enterprise
versions of anti-malware software that provide central monitoring and configuration
consoles. This gives the organization the ability to instantly see the “big picture” with
regard to anti-malware controls. For instance, a console will show which
workstations’ anti-malware programs are having trouble running or getting new
updates and where infections are occurring.

• Intrusion prevention systems Organizations can employ agented or agentless
intrusion prevention systems (IPSs) that will automatically sense activities typical of
malware. An IPS has the ability to immediately disconnect an infected system from
the network so that it cannot infect other systems or disrupt network traffic.

• Spam filters A lot of malware (not to mention phishing schemes and fraud) enters
an organization through e-mail. Centralized spam filters can intercept and block
spam before it even reaches the e-mail server. Many spam filters also have antivirus
programs on them to scrub viruses from incoming email— even when it comes from
legitimate, known persons.

• Blocking use of removable media While external memory devices such as USB
sticks and external hard drives are popular, they do represent a number of threats,
including malware. Blocking removable media is also one measure that is effective
against information leakage.
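Sections 1 and 6 describe the traffic signature of self-propagating malware (a few infected hosts sweeping the network for new victims), and the IPS bullet above says such activity can be sensed and the host disconnected. The following added example, which is not code from the original page, shows one detection an IPS could run: a sliding window over flow records that flags any source contacting an unusual number of distinct hosts on one port. The flow records, the 60-second window and the threshold of 20 targets are constructed for the example; real values depend on the network.

```python
"""Flag hosts whose traffic looks like worm propagation: many distinct
destinations on one port inside a short time window."""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport proto")


def build_sample_flows():
    """Constructed flow records for this example (not captured traffic).

    10.0.1.20 sweeps 40 hosts on TCP/445 in 40 seconds (worm-like);
    10.0.1.30 talks to three web servers repeatedly (normal use);
    10.0.1.40 touches 25 hosts on 445, but only one every 30 seconds
    (a slow scan that stays under the per-window fan-out threshold).
    """
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(40):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.20 10.0.2.{i + 1} 445 tcp")
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.1.30 10.0.3.{i % 3 + 1} 443 tcp")
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 10.0.1.40 10.0.4.{i + 1} 445 tcp")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample_flows()


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def fanout_alerts(flows, window=timedelta(seconds=60), threshold=20):
    """Return {src: {"dport": p, "distinct_targets": n}} for each source that reaches
    at least `threshold` distinct hosts on one port within any `window`.

    Each (src, dport) stream is sorted by time and scanned once with a sliding
    window; a Counter tracks the destinations currently inside the window so the
    peak fan-out is the largest Counter size seen.
    """
    streams = defaultdict(list)
    for f in flows:
        streams[(f.src, f.dport)].append(f)

    alerts = {}
    for (src, dport), recs in streams.items():
        recs.sort(key=lambda f: f.ts)
        in_window = Counter()
        left = 0
        peak = 0
        for right in range(len(recs)):
            in_window[recs[right].dst] += 1
            while recs[right].ts - recs[left].ts > window:
                in_window[recs[left].dst] -= 1
                if in_window[recs[left].dst] == 0:
                    del in_window[recs[left].dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold and peak > alerts.get(src, {}).get("distinct_targets", 0):
            alerts[src] = {"dport": dport, "distinct_targets": peak}
    return alerts


def isolation_candidates(alerts, allowlist=()):
    """Hosts an IPS would disconnect. Authorised vulnerability scanners and
    monitoring systems produce the same fan-out, so they must be allowlisted
    or every scan window becomes a self-inflicted outage."""
    excluded = set(allowlist)
    return sorted(host for host in alerts if host not in excluded)


if __name__ == "__main__":
    found = fanout_alerts(parse_flows(SAMPLE_FLOWS))
    for host, info in found.items():
        print(f"{host}: {info['distinct_targets']} targets on port {info['dport']}")
    print("isolate:", isolation_candidates(found))
```

With the sample data only 10.0.1.20 is flagged. The slow scanner 10.0.1.40 is missed at a 60-second window but caught when the window is widened to 15 minutes, which is the usual trade-off: short windows catch fast worms with few false positives, long windows catch slow scans but sweep up more legitimate fan-out.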

What is malware?

Malware is a catch-all term for any type of malicious software designed to harm or
exploit any programmable device, service or network. Cybercriminals typically use it
to extract data that they can leverage over victims for financial gain. That data can
range from financial data, to healthcare records, to personal emails and passwords;
the possibilities of what sort of information can be compromised have become
endless.
