From the course: SSCP Cert Prep: 7 Systems and Application Security

Malware payloads

- [Instructor] As I mentioned in the previous video, each type of malware has two defining characteristics: a propagation mechanism that determines how it spreads from system to system, and a payload that delivers malicious content to infected systems. We spoke about propagation techniques in the last video. Now let's take a look at four different types of malware payloads: adware, spyware, ransomware, and cryptomalware.

We'll begin with adware. Advertising is a very common source of revenue generation online, just as it is on television, in newspapers, and in other media. Normally, online advertising is perfectly legitimate. It's a way for people who provide content to generate revenue from that content. But where there's an opportunity to make money, there's always an opportunity for malware. Adware is malware that has the specific purpose of displaying advertisements. But instead of generating revenue for the content owner, adware generates revenue for the malware author. Adware varies based upon the mechanism that it uses to display ads to the user. Some adware redirects search queries to a search engine controlled by the malware author, or one that the malware author has an affiliate advertising arrangement with. Adware might also display pop-up ads during browsing that the user might blame on the website that they're visiting, or it might even replace the legitimate ads and web content that are supposed to appear on the site with ads that benefit the malware author. Is adware irritating or dangerous? Well, that really depends on what ads are delivered and your perspective. If you're the content author, adware is very dangerous. If you're the end user, it might be a little more innocuous.

The second type of payload that we'll discuss is spyware. Spyware is malware that gathers information without the user's knowledge or consent. Spyware then reports that information back to the malware author, who can use it for any purpose. They might use it for identity theft, gaining access to financial accounts, or even, in some cases, espionage. Spyware uses many different techniques. Keystroke loggers capture every key that a user presses, and they might report everything back to the malware author, or they might monitor for visits to certain websites and capture the usernames and passwords used to access bank accounts or other sensitive resources. Some spyware monitors web browsing. This might be used to target later advertising to that user or to report back on user activity. And finally, some malware actually reaches inside a system and searches the hard drive and cloud storage services used by a user, seeking out sensitive information. This spyware might search for Social Security numbers or other details that can be useful in identity theft.

Adware and spyware often come bundled with software that users actually want to download. The click-through installers slip the adware and spyware onto a user's system, either without obtaining permission or by tricking the user into granting them access. Malware that fits into this category is also known as potentially unwanted programs, or PUPs.

The third category of malware that we'll discuss is ransomware. Ransomware blocks a user's legitimate use of a computer or data until a ransom is paid. The most common way of doing this is encrypting files with a secret key and then selling that key for ransom. A recent example of ransomware is WannaCry, which struck many internet-connected systems in 2017. WannaCry spread from system to system by exploiting a vulnerability called EternalBlue that affected Windows systems. Once it infects a system, WannaCry encrypts many files on that system's hard drive. These might include Office documents, images, CAD drawings, or whatever files are the most important to end users. The decryption key for those files is kept on a control server under the ownership of the malware author, and the user is given a deadline to pay a ransom of several hundred dollars in Bitcoin.

The big question that arises when a ransomware infection occurs is, should you pay the ransom? Now, your first response might be to say no, you don't want to benefit the malware author. But it's a very difficult question when it's your files that have been encrypted and that are no longer accessible. A recent survey showed that over 40% of those infected with ransomware actually did pay the ransom. And an analysis of Bitcoin payments for an earlier piece of ransomware called CryptoLocker showed that the malware authors received over $27 million in ransom.

Cryptomalware is a form of malware that takes over the computing capacity of a user's system and uses that capacity to mine cryptocurrency, such as Bitcoin, generating revenue for the malware author. It's easy to confuse ransomware and cryptomalware because of their names. Ransomware uses cryptography to encrypt files and demand a ransom from a user. Cryptomalware steals compute capacity from a user's system and uses it to mine cryptocurrency. If you get confused, remember that the beginning of the name is what the attacker hopes to get. In ransomware, the attacker hopes to get a ransom, while in cryptomalware, the attacker hopes to mine cryptocurrency.

Scareware is a type of malware that's similar to ransomware, but unlike ransomware, it's a bluff. Scareware typically pops up a message as a website advertisement that's designed to look like a warning from the user's security software. It warns users that their system is compromised and offers to sell them a solution. In reality, there was no infection, and the solution does nothing other than serve as a source of revenue for the scareware author.

Fortunately, there are things that you can do to prevent malware infections on systems under your control. The top three ways that you can prevent malware are installing and keeping current antivirus software on your systems, applying security patches promptly, and educating end users about the dangers of malware. Malware payloads might vary in their specific intent, but they all undermine system security. As a security professional, you'll be expected to protect your organization against all types of malware.
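The transcript describes the visible side effects of a ransomware payload: many of a user's files replaced by ciphertext that only the attacker's key can reverse, often with a new extension, plus a dropped ransom note. The following Python is an added example, not part of the course material, showing how a responder or a simple host-based check can spot those side effects on disk. It builds its own constructed sample tree (ordinary text files beside files filled with random bytes standing in for ciphertext), measures per-file entropy, and applies assumed thresholds, extension list and ransom-note name pattern; none of those values come from the course.

```python
"""Added example (not from the course): file-level triage for the side
effects of a ransomware payload -- high-entropy (encrypted) user files,
appended extensions and a dropped ransom note.  The extension list,
note-name pattern and thresholds below are assumptions for illustration."""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions commonly appended to encrypted files (assumed list for the example).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".wncry"}
# Ransom notes are usually small text/HTML files with names like these (assumed pattern).
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|ransom|readme).*\.(txt|html)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit well below this
MIN_SAMPLE = 1024         # skip tiny files, whose entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: Path, sample_bytes: int = 65536) -> dict:
    """Walk `root` and report files that look encrypted, renamed, or like ransom notes."""
    findings = {"high_entropy": [], "suspect_ext": [], "ransom_notes": [], "total_files": 0}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings["total_files"] += 1
        rel = path.relative_to(root).as_posix()
        if RANSOM_NOTE_RE.search(path.name):
            findings["ransom_notes"].append(rel)
            continue
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            findings["suspect_ext"].append(rel)
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)       # the first chunk is enough to judge
        if len(head) >= MIN_SAMPLE and shannon_entropy(head) > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict) -> str:
    """Assumed triage rule: a ransom note, or a majority of high-entropy
    files, is treated as ransomware-like activity; otherwise clean."""
    total = findings["total_files"]
    if findings["ransom_notes"]:
        return "ransomware-like"
    if total and len(findings["high_entropy"]) / total >= 0.5:
        return "ransomware-like"
    return "clean"


def build_sample_tree(root: Path, infected: bool) -> None:
    """Constructed sample data: three ordinary documents and, if `infected`,
    three 'encrypted' files plus a ransom note (no real encryption is done)."""
    docs = root / "docs"
    docs.mkdir()
    for i in range(3):
        (docs / f"report{i}.txt").write_text("Quarterly report " * 200)
    if infected:
        for i in range(3):
            # Output of a modern cipher is indistinguishable from random bytes,
            # so os.urandom stands in for ciphertext here.
            (docs / f"drawing{i}.dwg.locked").write_bytes(os.urandom(4096))
        (docs / "HOW_TO_DECRYPT_FILES.txt").write_text(
            "Your files are encrypted. Pay to receive the key.")


def demo(infected: bool = True) -> dict:
    """Build a throwaway tree, scan it and return the findings with a verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, infected)
        findings = scan_tree(root)
        findings["verdict"] = verdict(findings)
        return findings


if __name__ == "__main__":
    for state in (False, True):
        result = demo(infected=state)
        print(f"infected={state}: {result['verdict']} "
              f"({len(result['high_entropy'])}/{result['total_files']} high-entropy files, "
              f"notes={result['ransom_notes']})")
```

Entropy alone is not a reliable signal: archives, images and already-encrypted containers are also near 8 bits per byte, which is why the rule above correlates it with an appended extension and a dropped note rather than flagging any single random-looking file. On a real host the same logic is better fed by file-event telemetry from the endpoint agent, which also captures the process doing the writing.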
