A social engineering (SE) is a wide range of techniques used to influence person to take action that may or may not be in their best interest. Very often social engineering is referred to as an art of human hacking; Yet, a lot of techniques used by attackers is reinforced by a science and human psychology. Attackers use these techniques because it’s much easier to persuade a person to plug in an infected USB thumb drive into victim’s system, rather than try to hack their way in by targeting hardware and software vulnerabilities.

Over the millennia there have many con artists and hackers that used social engineering to scam people into doing things that they normally would never do. For instance one of the early and interesting examples of social engineering can be found in the bible, when the Devil himself tricked Eve into eating the forbidden fruit.

Yep that’s right, SE is Satan’s greatest wicked non technological weapon, and Eve did not stand a chance. At least not till the modern age when we have access to tools such as Internet and world wide web which are great resources for educating our selfs.

Another example, and little closer to earth is an infamous Kevin Mitnick, who in the 90’s became one of the first FBI’s most wanted hacker. Many times he has deluded agents, doing practical pranks such as leaving donuts for the agents  in the fridge but eventually due his arrogance and help of much respected computer security expert Tsutomu Shimomura got caught.

According to the records Kevin has been sentenced to five years of prison for braking into the government systems, networks of Pacific Bell, Nokia, IBM, Motorola, and few other companies. What is the moral of the story is that Mitnicks did not refer to what he was doing as hacking; instead, he liked to call it “social engineering.”

Later on, after getting out of the prison and cleaning up his act, he has been asked by US government to look into improving FBI’s information security practices; which later lead him to launch his own security consulting firm. As of today Kevin is still in the business doing information security consulting and once again claims to have a hundred percent success rates when deploying a “social engineering trade craft”. After all Humans, not computers, are usually the weakest links.

An Information Security is based entirely on establishing trust, and if an attacker using social engineering framework can elevate that trust and eventually lead to further exploitation that is when we can get in real trouble. Fort that reason best approach is to understand at least the basic techniques that social engineers use and establish clear guidelines and procedures so everyone can follow.

For instance, let’s imagine one day a good looking person wearing workers uniform knocked at your door, and kindly pointed at your name on their binder that there is a problem with your account and ask to see your most recent bill to straight it out. Would you comply? Right now your answer is probably no, but why wouldn’t you? Nobody likes to have problems, and if a nice person can fix that for you, than why not?  What if the nice person would tell you that the problem is that you are using wrong supplier and by making the correction you would be saving a lot of money?  If eventually you would say sure why not, who does not like to save money, than you would have become a victim of social engineering, and your account would have been compromised.

Another real life example was when two workers from Internet Service Provider walked in to the front door of a business and asked to get access to telecommunication closed because there are some issues that they need to take care of, and the answer from the front desk was “what took you guys so long?

Thankfully the two guys where part of information security team, performing an information security audit. Can you imagine what would have happened if those two where in fact bad guys?  

 Last but not least let’s imagine a person come to your company for an interview. But instead of a resume, he\she is holding a piece of paper that looks like it has been true some rough life. With a desperate look on the persons face, he\she explains that the resume slipped through and fell straight to puddle. Thankfully they have a copy on a thumb drive, and you would have become a life saver if you could reprint him/her a copy. Again, it’s just using our imagination to create a very generic scenario but in real life a professional social engineer would have carefully crafted the conversation and the situation you to are at, and if you would have plugged that thumb drive into your PC or even a printer, that exact second you would have bypassed all information security controls that might have been in place.

“All malware is based on deception” Sun Tzu by Chris

A computer malware is something that creeps into our computers, and until something bad happens we just assume our free version of AV will take care of it and we can move on with our busy life’s.

The sad truth is that most people think in a similar fashion. The problem really escalates when we lose our sensitive data such as documents and pictures or even identity. In these short series of educational articles, I will talk about most common computer malware, type of attacks and what we can do to minimize our risks. After all its all about risk management. I believe that it’s our own responsibility to know what type of dangerous are in the world. Once we know what’s out there, we can prepare by reading, googling, or even YouTube a topic and when times comes we should know What To Do, and Not To Do in a given situation. After all we teach our children not talk to strangers or not to play with matches. Same principal applies to etiquette on all computers systems and worldwide web.

Let’s starting with a definition; a computer malware according to Wikipedia is “any software intentionally designed to cause damage to a computer, server or computer network” Simple right? Sure, it is, but its not enough to be safe out there. We need to understand what are some vectors of attack hackers use to deceive us in getting infected.

There are many different types of malware. Each has unique wicked design, and every year hackers are becoming more creative. However, in most part, we can categorize all malware into the following groups which I will explain in a bit more details:

1. Viruses
2. Worms
3. Trojan
4. Rootkit
5. Ransomware
6. Keylogger
7. Adware
8. Spyware
9. Hybrid

1. Computer Virus

A virus by a definition in order to survive needs to attach itself to a host. Once the host application that the virus is attached to is executed, the virus will seek other host in order to replicate. At some point and time, the virus will activate and deliver its malicious payload. The results can be various depending on a virus type.

Examples of different types of viruses

1. File Infectors Virus
2. Macro virus
3. Boot sector virus
4. Stealth, Polymorphic and Armored Viruses
5. Resident virus
6. Logic Bomb virus
7. Multipartite Virus

File Infecting virus infects executable files with .exe or .com extensions, and it’s probably the most common type of virus. Most end users think of a computer virus as a file-infecting virus.

Macro virus mostly residues inside Microsoft Word or Excel office suites. They use embedded applications feature to use powerful macro language, which hides inside office documents, so the moment you open one of those files the virus automatically executes as well.

Boot sector virus infects boot sector of a removable memory or Master Boot Record (MBR). Those are first sectors of a disk that identifies how and where the operating system is located, so than it can be loaded into the computer’s memory. The boot sector viruses really gained traction with floppy disks. I still remember times when brand new floppy would come straight from a store with pre-infected viruses. Now a days we don’t have floppy drive but any thump drive can be a host of such a virus.

Resident virus is like unwanted tenant. Just because you terminated the original infected file, it will still embed itself in to the computers random-access memory (RAM) and continue to operate. For the same reason you might have seen an option in your AV to not only scan your HDD but also RAM.

Stealth viruses are often Resident because they need to hide in RAM in order to intercept OS read and write function to storage media. This means that they can make the infected files or sectors look uninfected. A lot of sophisticated malware uses stealth mode techniques in order to residue on your system undetected. Time when you knew where infected are mostly gone, and only time you might know you got infected is with Ransomware malware.

Polymorphic virus can transform itself into different forms by changing its code or encrypting itself thus making itself very difficult for the antivirus program to detect it. The reason why is because all AV use signature-based database in order to detect and eradicate malware from the system. This type of virus is extremely sophisticated and very often impossible to locate. If you believe you might have been infected with one, the only option really is performing a deep level format and reinstall operating system from scratch.

Armored virus use various techniques to make the attempts of tracing or examining the code more difficult. The reason why is so the information security researches won’t have it easy to reverse engineer the malware. After all some hacking organizations can spend quite a lot of time perfecting their malicious code.

Logic Bomb virus will only execute when a specific condition is met. One common example would be disgruntled employee who upon termination from the company will schedule deletion of some critical files. Another example could be such as upcoming Black Friday. Watch out for bogus web sites that can easily trick you into getting infected.

Multipartite Virus infects and replicate in multiple ways. For instance, it can attack a boot sector and executable files simultaneously, thus causing more serious damage than any other virus.

Good news is that pure computer viruses are not as common today, as they where lets say 10 years ago. Depending on the sources, they occupy probably less than 10 percent of all malware. Nevertheless its not a force you want to reckon with, ten percent is still millions of victims word wide.

Example: ILOVEYOU

2. Computer Worm

A computer worm very often gets categorized as virus, but in my opinion that is very misleading mistake. In comparison to a virus a worm does not need to attach itself to a host in order to replicate and cause mayhem. A worm is a standalone malware that looks for vulnerabilities in computers and network systems in order to replicate. For that reason, it is extremely important to keep your operating system and hardware patched. Worms can be a relatively simple code that is designed to make copies of itself over and over thus depleting system resources, such as hard drive space, memory or bandwidth of a computer network. But then again, a worm can be very sophisticated software that once finds and penetrate its target it can inject additional malicious software in order to perform higher level functions. For instance, make a victim join  a Botnet and be part of distributed denial of service (DDoS) attack.

Botnet: “a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.” wiki

DDoS: “attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers” wiki

Example: Stuxnet

3. Trojan

You most likely heard about Trojan horse, and if you did not and don’t want to lose yourself into a Greek mythology, at the minimum watch a movie “Troy” with Brat Pit. The story talks about Greeks waging a war again independent city of Troy. On the end, sorry spoiler alert – Greek soldiers, by hiding inside a giant wooden horse manage to get in to the heavily fortification city of Troy. The irony of the story is that Trojans willingly accepted the horse as a gift of their victory; but at night Greek soldiers got out and let the rest of their army in, and slaughter everyone inside the city.

A Trojan malware is often used in a Social Engineering, which by the way is one of my favorite separate topic by itself; Hackers often use different techniques to gain trust and make the end user to execute a malicious software on their otherwise secure systems. A Trojan unlike a computer virus is not designed to self-replicate.

Social Engineering: “psychological manipulation of people into performing actions or divulging confidential information”. wiki

Example: Zeus

4. Rootkit

A rootkit is a group of tools that is intended to gain elevated system privilege and hide itself from being detected. Once injected into victims’ systems, hackers use it to install a keylogger, spyware or other malicious code. Most rootkits are delivered using a Trojan, by opening deceiving email attachment or clicking on a bait link. The name Root derives from Unix/Linux OS which stands for an Admin account, and the word Kit stand for collection of software that make the rootkit work.

In general, rootkits can be divided into two separate categories: User Mode and Kernel Mode. There is significant difference between the two, because a user mode can be relatively easily eradicated; However, the Kernel Mode chills along the kernel of the OS, which is a core of a computer’s operating system, which then gives it a complete control over anything and everything in that system. In conclusion, it can be able to manipulate all the system resource without being detected.

Good Read:  

https://www.csoonline.com/article/3222066/malware/how-to-detect-and-remove-a-rootkit-in-windows-10.html

https://resources.infosecinstitute.com/rootkits-user-mode-kernel-mode-part-2/

5. Ransomware

A ransomware is a crypto malware that is designed to extort money from individuals or companies. Not a new concept, but it has definitely gained traction along with a popularity of a cryptocurrency such as bitcoin. Last year, or maybe it was a year before, IBM performed a study, which concluded that a ransomware attacks have increased by 6,000%, and about 75% of all victims pay up. In general, there are two categories of ransomware: Locker and Crypto ransomware.

Locker ransomware: Deny access to a victim’s own device but in most part does not affect an operating system or a user’s data. As a result, attacker uses various social engineering techniques such as pretending to be from government authorities.

Crypto ransomware: Is much worse malware than the locker ransomware. The infection prevents access to a victim’s data by encrypting all valuable data, and in return on having it unencrypted you need to pay ransomware. That’s when a cryptocurrency such as bitcoin come in handy. Personally, I have been also affected by having my shared Onedrive encrypted when one my coworker opened an email attachment with a ransomware malware. Thankfully I had a backup. Hopefully you have one a well.

Good Read:      

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf

Example: Cryptowall

6. Keylogger

A keylogger is a program that without user consent records and tracks all keyboard strokes which then the can be obtained by the unauthorized person. The key strokes can obviously capture stuff like letters to Santa, but also all other sensitive information such as credit card information or passwords. Now very important part that I would like to emphasize: I did not say a Hacker. The reason why is because keyloggers are vastly available programs that anybody who know how to install a web browser can potentially deploy one. The reason why is because they are often used for legitimate use by IT admins or even concerned parents. Nevertheless majority of them are used for criminal purposes.

Sample of keyloggers   

https://lifehacker.com/how-to-install-a-windows-keylogger-1829986319

Example: Did you know Windows10 has built in keylogger?

7. Adware

In simple terms Adware is a forced advertisement projected on your screen. Most attacks are made via a web browser but can also be done during installation of a free software when unwanted PUP (potentially unwanted program) is being piggybacked. The advertisement can have many forms such as pop-ups, banners, audio and video. In many cases they are just more of annoyance than a real threat. Nevertheless, most adware now a days also steal your personal information such as web history etc..

My favorite program for ad-blocking and content-filtering is an open-source and cross-platform web extension called uBlock Origin. Just google one for you web browser.

Example: uBlock Origin

8. Spyware

Spyware same as real spies, once infiltrate your system, quietly run in the background collecting personal information, take screen shots, capture key strokes or steal your credit card information. Furthermore, stuff like social security or credit card info normally is sold for profit on a “deep web”. However, in most part a spyware is used to for tracking and storing internet user activities on a web, and serving adware.

Example: Famous program distributed with Spyware

8. Hybrids

The truth is that now a days  most malware can be a combination of a Trojan, Worm and a Virus.  They can use Trojan to get into your system, spread true the network using a Worm and use Viruses capabilities of being Polymorphic and Multipartie.

Now you can continue to use your  AV by frequently scanning your hard drive, but the truth is that unless you are skilled in finding and analyzing malware the only option is to stay proactive and minimize the possibility of getting infected in a first place.

In my next article I will cover some basic good information security practices that anyone can follow. Please stay tuned and don’t forget to comment.

Read More →

Information security (infosec) is a set of strategies for managing the processes, tools and policies necessary to prevent, detect, document and counter threats to digital and non-digital information. Infosec responsibilities include establishing a set of business processes that will protect information assets regardless of how the information is formatted or whether it is in transit, is being processed or is at rest in storage.