The human race just turned the wheel over for another year, and with it came a new decade. The author is aware that some people say the decade starts in 2021, but the author does not mean to debate that here. Considering the last decade, many things changed: we saw the rise of new attack methods, increasingly complicated attacks, and even the simplifying of some complex attacks into “Malware as a Service”.
“Computer viruses are an urban myth.”
Peter Norton, circa 1988
This fall, just a few short months from the time of this writing, Microsoft will be releasing a minor update to follow the most recent Windows 10 Creators Update from earlier this year. It will include some new features, including a few that revolve around their built-in Windows Defender suite. With these changes to Windows Defender, Microsoft hopes to make their latest operating system more resistant to ransomware attacks which have become prolific over the last several years.
One of the features coming with the update is called Controlled Folder Access. Microsoft touts the feature as a direct response to ransomware. It will work via a whitelist approach, with Windows Defender only granting certain applications the privilege to access the data of a protected user account; otherwise, the application is not allowed to read, write, or modify any data a user might own such as documents, pictures, or videos.
The default folder list includes Documents, Pictures, Movies, and Desktop. These folders are hard-coded into the feature with no option for removal, but additional folders can be added manually through the Windows Defender Security Center. There will also be an option to add custom software to the whitelist, but Microsoft states that most software should already be pre-whitelisted. If an application is not whitelisted and attempts to alter data within a protected folder, it will be automatically blacklisted and the user will be notified. Although this feature has many benefits, Microsoft will have it disabled by default. It can be enabled in the Windows Defender Security Center under Virus & threat protection settings, as seen below.
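As an added example, not from the original post, the same configuration can be scripted and verified with the Windows Defender PowerShell module once the update is installed. The folder and application paths are placeholders, and the session must be elevated.

```powershell
# Added example: configure and verify Controlled Folder Access (CFA) with the
# Defender PowerShell cmdlets. Paths below are placeholders, not real software.
# Run from an elevated PowerShell session on Windows 10 with the Fall Creators Update.

# 1. Inspect the current state. The post-install default is Disabled, which leaves
#    Documents, Pictures, Movies and Desktop writable by any process.
#    0 = Disabled, 1 = Enabled, 2 = AuditMode
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"

# Weak setting (the default), shown for contrast only:
# Set-MpPreference -EnableControlledFolderAccess Disabled

# 2. Hardened setting: block unauthorised writes to protected folders and notify the user.
#    AuditMode is a useful first step on a fleet: it only logs what would have been blocked.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 3. Protect an extra folder beyond the hard-coded defaults. Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 4. Whitelist a line-of-business application that legitimately writes to those folders.
#    Placeholder executable path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\ExampleApp.exe'

# 5. Confirm the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# 6. Review what CFA has blocked. Defender writes blocked folder writes as event ID 1123
#    and audit-mode detections as 1124 in its Operational log; the Message field names
#    the process and the target path, which is what you want when triaging a false positive.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```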
Other features coming with the Fall Creators Update include a Cloud Clipboard which will allow copy and pasting between multiple Windows 10 devices; a Timeline feature, which will be similar to the app switcher found on many mobile phone operating systems; Pick Up Where You Left Off, which will be an application synchronization service that developers can use much like the Cloud Clipboard; and OneDrive Files On-Demand, which will allow access to files, even if they are only stored in the cloud and not locally.
Windows 10 is also getting a design language refresh. Microsoft is moving away from the Metro UI to offer a more consistent, depth-enabled interface with lighting and motion effects. It is being likened to Google’s own Material Design. Overall, a welcome change, but one that may be more resource demanding.
Will you be upgrading? What feature do you look forward to most? Leave a comment below!
Malware is a common term heard throughout the security industry, but it is also heard a lot outside the industry, because it has become so ubiquitous in the computing landscape. Many users have to deal with it often, in its many different forms, on their personal computers, their computers at work, and more recently, even their smartphones. Malware, commonly defined as “malicious software,” is any software that was developed with nefarious intentions. It can be as harmless as a prank or as serious as a complete takeover of one’s computer. Malware can take many forms, but rest assured, none of them are pleasant.
A virus is software that is self-replicating and designed to spread from host to host. In the dawn of the computing era, every piece of malicious software was referred to as a virus, but as time has progressed, the term malware has taken its place. A virus will often attach to a host file, replacing it or modifying it, so it can then be transported to another host, almost always by user intervention. Early viruses spread through floppy disks, but then transitioned to Internet downloads, jump drives, and emails. One of the first viruses found in the wild was called Elk Cloner. It spread through floppy disks and, upon being run for the 50th time, would take over the victim’s computer and display a short poem dedicated to itself. A less common form of virus is a boot sector virus. This type of virus copies itself to the boot sector of a hard drive or floppy disk, allowing it to load itself into memory before the operating system or typical anti-virus software has a chance to run. This allows the virus to be persistent and much harder to remove.
Adware, alone, tends to carry the lowest risk of all of the different types of malware. It is often installed with user consent in a bundle with other software. A lot of download sites bundle adware with the free software they offer for download in order to generate more revenue. On a side note, that is why software should be downloaded from the original author’s website instead of download sites. The intention behind adware is to monetize software without the consent of the original author. A lot of adware injects ads into webpages it does not own or into popular software it did not author. More aggressive adware has also been known to create popups that cannot be closed and to generate an overwhelming number of popups with graphic advertisements. It is usually more annoying than harmful, but that does not exempt it from being malware.
Spyware, while very similar to adware, is written for the specific purpose of capturing information generated by a user. It can be installed in the same way adware is installed, with consent, or as part of a trojan, which we will discuss later. Some spyware uses a keylogger to steal credentials, while other spyware simply records a user’s browsing habits in order to monetize them. While it seems closely related to adware, it takes things a step further by tracking usage habits, capturing keystrokes, and monetizing that information, among other things.
A worm, much like a virus, is self-replicating and designed to spread from host to host, but it does not require user intervention. All that is required to be infected by a worm is to be on the Internet (or local network) and be vulnerable. Worms are designed to spread at an exponential rate, because as more systems are infected, they go on to infect more machines themselves. A worm combined with a virus can be even more devastating, because the virus then has a highly efficient method of transportation that it did not have by itself. A well-known example of a worm was one named Code Red. It attacked vulnerable IIS web servers back in 2001, spreading across the entire world in less than 24 hours.
A trojan, much like the horse of the story of antiquity, is a piece of software that is deceptive in nature. A trojan is often an executable file that looks legitimate but is carrying a hidden payload of malware. Trojans are essentially a malware delivery vessel, in other words. An example of a trojan is a piece of software for which one would normally pay being offered for free on a website that is commonly associated with pirated software. Always proceed with caution with any software that seems “too good to be true,” and always download software from the original author’s website when possible to avoid this type of situation.
A rootkit is one of the more dangerous forms of malware. Most rootkits go undetected because of the way the malicious software manipulates the underlying file system and presents it to the operating system. Basically, it hides itself. One of the more famous uses of a rootkit was by Sony BMG. When a Sony copy-protected disc was inserted into a computer, a piece of software was automatically installed without user consent and hid itself from the operating system. After much public outcry, Sony released an “uninstaller” that merely un-hid the files but also installed more software, unbeknownst to the user. These rootkits also introduced vulnerabilities that other malware could exploit and eventually led to Sony being hit with multiple class-action lawsuits.
A keylogger, as discussed earlier, logs all keystrokes on a computer. Keyloggers will often dump all information into a log file which can then be retrieved by an attacker, or the data can be automatically uploaded to a central server controlled by an attacker. Some keyloggers are more advanced than others, but they all serve a specific purpose: to log all data input through the keyboard of a computer so an attacker can look for usernames and passwords, credit card information, social security numbers, and other highly valuable information.
Ransomware is by far the most destructive form of malware, and also one of the newest. Ransomware took off around 2013 and has changed the face of malware in a large way. Ransomware, in its many forms, runs in the background encrypting certain file types, and then, when it is complete, displays a warning that all of a user’s files are encrypted and holds them for a monetary ransom. That ransom is usually $300 or more, at the time of this writing, per infected machine and is only payable through anonymous payment methods. If remediation is attempted and the malware removed, all files will remain encrypted. Security researchers have discovered decryption methods and keys for some forms of ransomware, but many forms still require payment. When it comes to ransomware, the best defense is prevention and backups.
Although there are many different forms of malware, they all have the same intent: causing issues for users. While malware was more demonstrative and harmless in the beginning, as time has progressed, it has become more destructive and monetized. Malware may be a catch-all phrase in the information technology industry, but now the differences are clear and well defined, and that is important in the information security industry.