
Hacking - Best OF Reverse Engineering - Part4

Malware Discovery and Protection

Malware is short for “malicious software”; it refers to software programs designed to damage or do other unwanted actions on a computer system, and it is one of the biggest threats to computer users on the Internet today. It can hijack your browser, redirect your search attempts, serve up nasty pop-up ads, track what websites you visit, and generally screw things up. Malware programs are usually poorly programmed and can cause your computer to become unbearably slow and unstable in addition to all the other havoc they wreak.

Many of them will reinstall themselves even after you think you have removed them, or hide themselves deep within Windows, making them very difficult to clean.

The vast majority, however, must be installed by the user. Unfortunately, getting infected with malware is usually much easier than getting rid of it, and once you get malware on your computer it tends to multiply.

A Brief History of Malware

With the emergence of computers, malware arose from the dark side. UNIX computers were the first targets. In the 1970s and 1980s, programs known as rootkits were developed. Those who hack systems with criminal intent, known as black hats, used these applications to hide their presence while they had their way with an unsuspecting organization’s infrastructure.

Viruses were the first personal computer malware category to arise. As early as 1982, high school student Rich Skrenta wrote a gem called “Elk Cloner” for Apple II computers. Yes, the first known virus targeted an Apple computer. At that time, it was probably the biggest target. http://en.wikipedia.org/wiki/Elk_Cloner.

As malware defense matured, so did malware sophistication. Other types of malicious programs emerged, including those which could propagate without any help from the user population. Known as worms, they are probably today’s biggest challenge to malware defense.

And the black hats have been busy. Over the years, the malware count has risen exponentially and continues to do so. Figure 1 depicts malware growth over the years, and Figure 2 shows the rate of new malware over the years.

The statistics shown are from AV-Test.org, a company that tests the effectiveness of anti-virus software, and were formatted by PC Magazine. They show an accelerating increase in the number of unique malware samples since 1984. There is no evidence this growth will stop.

Early malware was written by hackers trying to make a name for themselves within the black hat community. Today, malware is used by individual black hats as well as crime syndicates to make money – to transfer your money to criminals’ bank accounts around the world.

Example 1: Citibank Hacking, http://www.bbc.co.uk/news/technology-13711528

Example 2: Saudi Aramco cyber-attack, http://www.reuters.com/article/2012/09/07/net-us-saudi-aramcohack-idUSBRE8860CR20120907

Malware Types and Examples

The most common types of malware include:

• Viruses
• Worms
• Trojans
• Keyloggers
• Botnet agents
• Rootkits
• Backdoors

Viruses

In computers, a virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a diskette or CD.

Like any malware program, viruses are written to perform some action on your computer which you would rather not allow, including:

• Erasing files
• Crashing your system
• Taking your computer hostage until you pay a “fee”
• Stealing intellectual property
• Stealing personal identity information
• and anything else the black hats can think of

Although many people label all malware as viruses, the term “virus” has a specific meaning. A virus is malware that cannot propagate from one computer to another without help. For example, early viruses were spread as floppy disks passed from one machine to another. They also spread as users share files over a network or email infected files to friends, family, and coworkers.

Worms

Viruses were nice, but they didn’t get around fast enough. So the worm was born. Worms can move between networked computers without any help from the user. As long as the vulnerability a worm was written to exploit exists, and as long as the worm can see the vulnerability, it will continue to propagate.

Worms can spread very quickly. One recent example is Conficker.

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. Conficker has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer, with more than seven million government, business and home computers in over 200 countries now under its control. Once a worm like Conficker infects an organization’s network, it can potentially spread to all connected computers within hours – or minutes for smaller networks. http://en.wikipedia.org/wiki/Conficker.

Trojans, Keyloggers, Rootkits, and Botnet Agents

Trojans, keyloggers and rootkits are related types of malware.

A Trojan is a small, malicious program that is installed along with a more attractive one. For example, that great freeware program you got from that dodgy website? It may well be the program you wanted. But someone (usually a 3rd party) may well have attached a Trojan to it. The Trojan will be installed as well as the software you wanted.

Trojans are not viruses, in the sense that they don’t replicate or send copies of themselves to others. They are just another program that can be installed on your computer, albeit a nasty one! A Trojan can be very malicious indeed. Most of them are intent on controlling your PC. These are called Remote Access Trojans, or RATs for short. If someone has placed a Trojan on your computer, they’ll be able to see everything that you can. Some of them can even control your webcam. That means the attacker can see you! If you have speakers attached to the PC, they can even hear you!

If that weren’t bad enough, the attacker will have access to your computer, enabling him to upload nasty things to your PC. After all, why should he store these things on his computer when he has access to yours?

Most Trojans these days, though, are placed on your computer by criminals. If you type your credit card details in to a website, for example, then the attacker can record what you type. If a criminal has control of a lot of computers, he could also launch something called a Denial of Service attack. A DoS attack is when a lot of malicious computers attack a particular network or website. The network has so many requests that it can’t cope, so it has to shut down. The criminals then blackmail the owner (“We’ll let you have your site back if you give us money.”) Many gambling sites have been hit by this type of attack.

A Trojan can also disable your security software, leaving you wide open on the internet.

The keylogger concept is to capture all keystrokes – including passwords, PINs, etc. – entered at bank or other protected sites. The captured information is periodically sent to the black hat’s server. If the user is lucky, the information won’t be used to steal his or her identity, reduce bank balances, etc.

A rootkit is another type of malware that has the capability to conceal itself from the operating system and antivirus application on a computer. A rootkit provides continuous root level (super user) access to the computer where it is installed. The name rootkit came from the UNIX world, where the super user is “root” and a collection of tools is a kit.

Rootkits are installed by an attacker for a variety of purposes. Rootkits can provide the attacker root level access to the computer via a back door, rootkits can conceal other malware installed on the target computer, rootkits can turn the computer into a zombie for network attacks, and rootkits can be used to steal encryption keys and passwords. Rootkits are more dangerous than other types of malware because they are difficult to detect and cure.

Different types of Rootkits are explained below.

Application Level Rootkits: Application level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or by changing the behavior of existing applications with patches, injected code, etc.

Kernel Level Rootkits: The kernel is the core of the operating system, and kernel level rootkits are created by adding additional code or replacing portions of the core operating system with modified code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel level rootkits can have a serious effect on the stability of the system if the kit’s code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges as the operating system, and therefore they can intercept or subvert operating system operations.

Another example of malware is the botnet agent; the term bot is short for robot. Criminals distribute malware that can turn your computer into a bot, also called a zombie. When this occurs, your computer can perform automated tasks over the Internet without your knowledge.

Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet.

Botnets can be used to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, it might slow down and you might be inadvertently helping criminals.

Anti-virus software can’t always locate and remove these types of malware. Black hats often use rootkit technology to “hide” their programs. If a keylogger or botnet agent is installed with rootkit technology, it is invisible to the operating system and therefore to most, if not all, anti-virus applications.

Backdoor

Backdoors allow unauthorized access to a compromised system by opening a listening port on the victim’s system. This creates a pathway for the attacker to control the compromised system by sending commands of his choice. SubSeven, Netbus and Back Orifice are some of the well-known examples of backdoors, which enable unauthorized people to access a user’s system over the Internet without his or her knowledge.
Bug

In the context of software, a bug is a flaw that produces an undesired outcome. These flaws are usually the result of human error and typically exist in the source code or compilers of a program. Minor bugs only slightly affect a program’s behavior and as a result can go for long periods of time before being discovered. More significant bugs can cause crashing or freezing. Security bugs are the most severe type of bugs and can allow attackers to bypass user authentication, override access privileges, or steal data. Bugs can be prevented with developer education, quality control, and code analysis tools.

Adware

Adware displays ads on your computer. As Wikipedia notes, adware is often a subset of spyware. The implication is that if the user chooses to allow adware on his or her machine, it’s not really malware, which is the defense that most adware companies take. In reality, however, the choice to install adware is usually a legal farce involving placing a mention of the adware somewhere in the installation materials, and often only in the licensing agreement, which hardly anyone reads.

Ransomware

If you see a screen that warns you that you have been locked out of your computer until you pay for your cybercrimes, your system is severely infected with a form of malware called ransomware. It is not a real notification from the police, but rather an infection of the system itself. Even if you pay to unlock the system and the system is unlocked, you are not free of it locking you out again. The request for money, usually in the hundreds of dollars, is completely fake.

Browser Hijacker

When your homepage changes, you may have been infected with one form or another of a Browser Hijacker. This dangerous Malware will redirect your normal search activity and give you the results the developers want you to see. Its intention is to make money off your web surfing. Using this homepage and not removing the Malware lets the source developers capture your surfing interests. This is especially dangerous when banking or shopping online. These homepages can look harmless, but in every case they allow other more infectious

Symptoms of Infected System

How do you know that your system is infected with possible malware? Following are some of the symptoms of an infected system:

• System might become unstable and respond slowly as Malware might be utilizing system resources
• Unknown new executables found on the system
• Unexpected network traffic to sites where you don’t expect to connect
• Altered system settings like browser homepage without your consent
• Random pop-ups are shown as advertisements
• A recent addition to the set are alerts shown by a fake security application that you never installed, such as “Your computer is infected!”, which asks you to register the program to remove the detected threats.

Overall, your system will have unexpected behavior.

New Trends in Today’s Malware

For security researchers, there’s never a dull moment; online criminals constantly find new security holes to exploit, and new ways to get at your personal data. Here are some of the dangerous new malware trends to watch for in 2012.

SSL Not So Safe?

When you see the padlock icon in your browser’s toolbar, you might think that your data is safe, but hackers have found ways to get at your information before you send it securely on the internet.

These new forms of malware can identify when you’ve visited sites protected with SSL – the encryption technology used to keep data safe from prying eyes as it travels across the Internet – and it can grab your username and password before the encryption kicks in. In addition, these sorts of attacks, according to security software maker Webroot, will ignore all Web traffic except encrypted sites to filter out information that it isn’t interested in.

More Targeted Baddies

Also on the rise is super-targeted malware. Some malware can access your browser history, and will only infect you if it sees that you’ve visited certain sites. For instance, a piece of malware designed to steal online banking login information might check to see if you visited a particular bank’s website. Expect more malware that goes after certain groups of people or specific bits of information.

Cyber Warfare

Many professionals foresee that conventional military will be increasingly compounded by cyber-warfare in the coming years.

They also state that more covert attempts at subversion by unfriendly nations will take the form of electronic-war techniques. Some even proclaim that China has a hand in this, as most bot controllers and malware threats have been tracked down to the country.

Example:

Flame (malware) OR “Flame” Malware Greatly Expands the Scope of Cyber Warfare.

VoIP Attacks

VoIP technology is another vehicle for disseminating malware. Much like the issues connected with emails in the past, criminals will use VoIP to perpetrate information theft, voice fraud, and numerous scams.

VoIP networks may also play host to botnet attacks, disabling of services, and remote execution of code. The information that people impart over the phone makes it ideal for criminals to take advantage of, for purposes such as identity theft and phishing.

What about Mobile Malware?

One of the big stories out of last year’s show was the rise of malware for Android, and we saw a large increase – at least in terms of growth rate – in malicious apps for Android over the last few months. Is it time to panic?

Mobile malware seems to be spreading at a dizzying pace. In the second half of 2012 alone, Bitdefender found that Android malware spiked 292% from the first half of the year. This could pose a threat to millions of smartphone users worldwide.

Mobile malware is becoming harder to detect for the average smartphone user who pays little, if any, attention to security. Fortunately, most malware creators are not rocket scientists, and a user does not have to be a computer scientist to combat them.

Symptoms of the infected Smartphone

Bad Battery Life

Android users who don’t perform a lot of battery straining activities have a good idea of how long their battery should last. Malware gives itself away when batteries mysteriously drain quicker than usual. That’s usually due to adware, spam-like malware that shows app users an inordinate amount of ads. Continuously displaying aggressive adware will impact heavily on battery life.

Whether the malware is hiding in plain sight by pretending to be a regular application or trying to stay hidden from the user, abnormal battery drainage can often give away the presence of an Android infection.

Dropped Calls and Disruptions

Mobile malware can affect ongoing or incoming calls. Dropped calls or strange disruptions during a conversation could indicate the existence of mobile malware that is interfering. If you can’t blame your mobile carrier, then some strand of mobile malware could be the culprit. Call your service provider to determine if the dropped calls are its fault. If it is not your carrier, it is possible that someone or something is trying to eavesdrop on conversations or perform other suspicious activities.

Inordinately Large Phone Bills

Android malware often infects devices and starts sending SMS (text) messages to premium-rated numbers. While these effects are easily seen in your phone bill, not all malware programs are obviously greedy. They may send an SMS message just once a month to avoid suspicion, or they may uninstall themselves after punching a serious hole in your budget. Checking your bill should make it easy to figure out whether such message-sending malware has found its way onto a device.

Bad Performance

Depending on device hardware specifications, malware infestation may cause serious performance problems as it tries to read, write or broadcast data from your smartphone. Anybody that has ever had a PC infected with malware should be familiar with this. Imagine rebooting a device several times a day because background running malware consumes too much processing power to let apps work properly. Performance clogging is yet another sign that malware might be present on your device. Checking RAM (Random Access Memory) use or CPU load could reveal the presence of malware that’s actively running on the device.

Now, how do you protect your smartphone from being infected by malware?

Below are some best practices to keep your smartphone safe.

Be cautious when installing apps

Using official app stores like Google Play or the Apple App Store is less risky than installing apps from third parties.

Also, read the reviews on the app store – a surfeit of one-star reviews is a sign that something’s wrong – and check the permissions that an app asks for before you install it. If anything here sets off warning bells – or simply makes you uncomfortable – it’s a good prompt to walk away.

Watch out for phishing / SMS

Security on smartphones isn’t just about the apps that you install on your phone. As with any device be on your guard for phishing, sites that try to get you to enter personal data and/or credit card details. Text messages and emails can all be phishing methods, and just because you’re on your phone doesn’t make them less dangerous.

Combating phishing on smartphones isn’t so different from on your computer: useful advice from the Citizens Advice Bureau, Microsoft and Symantec will get you up to speed, while an additional tip is to never tap on a link in a text message from someone you don’t know – even if it looks like a company you do business with.

Lock screen security

Another point that applies to every smartphone OS: do you have your device’s lock-screen settings sorted, so that if it gets stolen, the thief can’t access your apps and data? Default settings will see you through, but there are some third-party apps that take interesting and unusual spins on unlocking the phone.

Picture Password Lockscreen, for example, gets you to unlock your phone by drawing points, lines and circles on any image you like. ERGO scans your ear and then gets you to unlock the device by holding it up to said lug. Fingerprint Scanner Lock Screen is a cheeky Android equivalent of Apple’s iPhone 5s’ Touch ID – it pretends to scan your fingerprint, but really it’s just measuring how long your thumb rests on the screen.

Consider anti-virus software

If you’d still like to take the extra step of installing anti-virus software – or if you’re thinking of putting it on the device of someone else (an older parent, for example) – a number of options are available from the big names of the security world.

Consider a parental control app

You can follow many of the steps above, but what about your children, if they’re using your device or have their own Android tablet and/or smartphone? A number of companies are trying to help with this challenge too, with parental control software capable of ensuring children don’t install apps that they shouldn’t, or compromise data on a shared device.

Another important topic that may be outside the scope of malware, but is very important to take into consideration, is Android application permissions; the following gives a very good introduction to it.

Normal vs. Dangerous Permissions: A Background

The Android Open Source Project (AOSP) classifies Android permissions into several protection levels: “normal”, “dangerous”, “system”, “signature” and “development”.

Dangerous permissions “may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities”. In contrast, normal permissions are automatically granted at installation, “without asking for the user’s explicit approval (though the user always has the option to review these permissions before installing)”.

On the latest Android 4.4.2 system, if an app requests both dangerous permissions and normal permissions, Android only displays the dangerous permissions, as shown in Figure 4. If an app requests only normal permissions, Android doesn’t display them to the user, as shown in Figure 5.

Normal Permissions Can Be Dangerous

We have found that certain “normal” permissions have dangerous security impacts. Using these normal permissions, a malicious app can replace legitimate Android home screen icons with fake ones that point to phishing apps or websites.

The ability to manipulate Android home screen icons, when abused, can help an attacker deceive the user. It is no surprise that the com.android.launcher.permission.INSTALL_SHORTCUT permission, which allows an app to create icons, was recategorized from “normal” to “dangerous” as of Android 4.2. Though this is an important security improvement, an attacker can still manipulate Android home screen icons using two normal permissions: com.android.launcher.permission.READ_SETTINGS and com.android.launcher.permission.WRITE_SETTINGS. These two permissions enable an app to query, insert, delete, or modify the whole configuration settings of the Launcher, including icon insertion or modification. Unfortunately, these two permissions have been labeled as “normal” since Android 1.x.

References: http://developer.android.com/guide/topics/manifest/permission-element.html.
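A manifest audit that applies the classification above, written here as an added example (not code from the article or from AOSP): it parses the <uses-permission> entries of a decoded AndroidManifest.xml, buckets the three launcher permissions using the protection levels the text assigns them, and reports the case the text warns about, namely an app that can rewrite home screen icons while the Android 4.4.2 installer shows no permission screen at all. The two manifests and the package names in them are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:* attributes in a decoded AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Launcher permissions discussed in the text, with the protection level the
# text assigns to each. Anything not listed is reported as "unknown", not guessed.
LAUNCHER_PERMISSIONS = {
    "com.android.launcher.permission.INSTALL_SHORTCUT": "dangerous",  # dangerous since Android 4.2
    "com.android.launcher.permission.READ_SETTINGS": "normal",
    "com.android.launcher.permission.WRITE_SETTINGS": "normal",
}
ICON_WRITE = "com.android.launcher.permission.WRITE_SETTINGS"

# Constructed sample: an app asking only for the two "normal" launcher
# permissions, so the installer shows no permission screen at all.
SILENT_ICON_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeicons">
  <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
  <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
  <application android:label="Example"/>
</manifest>
"""

# Constructed sample: an app asking for INSTALL_SHORTCUT, which is
# "dangerous" as of Android 4.2 and therefore displayed to the user.
SHORTCUT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shortcuts">
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Example"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names requested in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_manifest(manifest_xml):
    """Bucket the requested permissions by protection level and decide whether
    the Android 4.4.2 installer described in the text would show anything."""
    buckets = {"dangerous": [], "normal": [], "unknown": []}
    for perm in requested_permissions(manifest_xml):
        buckets[LAUNCHER_PERMISSIONS.get(perm, "unknown")].append(perm)
    prompt_shown = bool(buckets["dangerous"])   # only dangerous ones are displayed
    can_modify_icons = ICON_WRITE in buckets["normal"]
    return {
        **buckets,
        "prompt_shown": prompt_shown,
        # Icon control with nothing shown to the user; "unknown" permissions
        # could still trigger a prompt, so they block this verdict.
        "silent_icon_control": can_modify_icons and not prompt_shown and not buckets["unknown"],
    }


if __name__ == "__main__":
    for label, xml_text in (("silent", SILENT_ICON_MANIFEST), ("shortcut", SHORTCUT_MANIFEST)):
        print(label, audit_manifest(xml_text))
```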

Social Network Malware

Social networks have given birth to new types of elemental relations among various entities in the online world. The social networking world is virtualized in nature, but it has real-time impacts on the lives of individuals. Since these networks are part of the online world, they are not untouched by the threats and flaws present on the World Wide Web. Security and privacy are considered basic elements for effective social networking; however, the aim of web malware is to infect users and steal information by exploiting various vulnerabilities through attacks in social networks. User ignorance is a big factor in the spread of malware and is quite hard to patch. It is hard to expect robustness from a user’s perspective; rather, it has to be an inbuilt nature of social networking websites.

Social Attacks Era: There are 3.5 new threats per second (almost 12,600 per hour), 1/3 of web users are attacked by cybercriminals using social networking sites to target victims. (Source: nsslabs.com)

The following infection strategies are utilized by attackers to spread malware through social networking websites by taking advantage of user ignorance.

Malicious Profile Generation

One of the most common techniques used by attackers is generating fake profiles. These profiles can be of celebrities, models, advertisements, etc. Fake profiles can be used for many purposes including monitoring users, revenge and business. The fake profiles tempt users to read the malicious content that is posted on the messaging walls used for communication. Once users visit such profiles, embedded malicious codes start infecting the users with malicious executables.

From a security perspective, this is a clear case of identity theft in social networks, and the type of information present in fake profiles is used in a plethora of scams. Moreover, it is difficult to discount the fact that the malicious scams are uncontrollable. Facebook, Twitter and MySpace users, for example, have been victims of these kinds of scams and identity frauds because it is hard to restrict the functioning of users based on identity profiles in the network. This is the inherent vulnerability of social networks. Social networks are adding secure protocols for automatic detection of these malicious fake profiles, but the protocols are not robust enough.

Worm Generation – Chain Infection and Reaction

Attackers follow the process of chain infection and reaction to trigger malware through worms. It can be devastating because exploitation of interconnected identities results in a diversified infection. While encountering malware on a day-to-day basis, a generic model has been designed to understand the working of worms that infect social networking websites on a large scale. It can be explained in two steps:

• The first step of this model involves the initiation of a malicious node that starts infecting the chain. In this type of level 1 infection, attackers try to find a legitimate user in the social network to set a base for infection. At this point, the infection is dedicated to that user only and is persistent in nature. The prime aim is to serve malware to that user continuously. Successful exploitation results in the downloading and installation of malware onto the user’s machine. Primarily, the browser plays a critical role in this. Once the malware is installed in the system, it converts the system into a zombie or bot with backdoor access and generates a specific type of interface with the browser. The malware tracks the user’s Internet activity and waits for the right network to start the chain infection. It not only steals the information from the victim machine, it also starts doing operations on behalf of the victim. The infected victim machine is treated as the first node in the infection chain.

• The second step occurs after the infection node is created. The malware waits for the user to visit and log in to a specific social networking website. Once this occurs, the malware starts reacting. Without the user’s knowledge or consent, it starts posting messages to contacts that are part of the user’s social networks. This happens through the browser because malware sends a request automatically from the background, and the browser executes it in the context of an active social networking website. When the user logs in to the website, malware utilizes the already-given access rights to infect the profiles connected to the user. As a result, the infection chain begins to flourish. All the secondary nodes become zombies and then start infecting the users who are connected to their specific social network. This process keeps on iterating and gives birth to botnets, which are networks of bots interconnected to spread malware and steal critical information. A number of profiles become nodes of this chain and keep on performing the infection and reaction operations.

Exploitation of Custom Code and Social Networking APIs

The release of open application programming interfaces (APIs) by social networking websites has completely transformed the realm of malware infections. In general, these APIs are used for customizing and designing applications that use social networking websites to execute their content, meaning that a user can design a custom code to derive an interface with social networking websites. The deployed custom applications can be accessed by a number of identities present in the social networking website. Attackers design malicious applications using APIs to conduct attacks in a sophisticated manner by exploiting the generic design of an application development model, which makes the malicious applications look authentic.

Once the malware-driven application is accessed, APIs can be used to introduce malicious content into social networking websites. Usually, the designed application has hidden links to the malware domain. The application remains persistent and becomes active when a user accesses any module for performing a specific set of operations. Many of the methods discussed previously can be used directly in this way.

Malicious applications can have disastrous impacts. The risk of malware infection is high because a social networking website is a shared environment. Once a link is clicked, the payload (a malicious code in the form of JavaScript) from the third-party domain is executed in the user’s browser and the infection starts. Attackers perform a number of social identity attacks and privacy hacks to extract more information about the users. It is possible to gain access to sensitive information by executing browser-based attacks through a malicious application. For example, bookmark attacks are primarily executed against social networking websites with the intention of stealing information. Of course, this is a browser-dependent attack, and inevitably, the rate of exploitation is dependent on the specific browser’s design, functionality and inherent vulnerabilities. Control is transferred either to the third party, or it can be a part of user-generated content. It is hard to trust user-generated content because it is not known whether the content is malicious or not, i.e., it may contain any type of code based on the intentions of the user.

Exploitation of URL Shorteners and Hidden Links

Although URL shortening services are used for URL optimizations in which a URL is compressed, this same tactic has been adopted by attackers to fool users because it is difficult to determine the actual URL of a compressed URL. Social networking websites have adapted this functionality, and one can find shortened URLs on a day-to-day basis. This has become a problem, though, because attackers are utilizing these services to hide malicious links as part of the compressed URLs – users can be fooled without much complexity. As a result, phishing has become stealthier and the inherent redirection spreads malware at a more rapid rate.
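The defensive counterpart to the problem just described is to resolve a shortened link before visiting it and show the user the real destination host. The following is an added example, not code from the article: it follows a redirect chain through an injected resolver, handles relative Location headers, and stops on loops or excessive hops. The redirect table and every host in it are constructed; a live resolver would issue an HTTP HEAD request and return the Location header, which the injected fake_resolver imitates offline.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for live HTTP responses: each key
# is a URL and each value is the Location header its server would return.
FAKE_REDIRECTS = {
    "http://sho.rt/abc": "http://redir.example/go?id=7",
    "http://redir.example/go?id=7": "/landing",            # relative Location
    "http://redir.example/landing": "http://login-bank.example/signin",
    "http://sho.rt/loop": "http://sho.rt/loop2",           # constructed loop
    "http://sho.rt/loop2": "http://sho.rt/loop",
}


def fake_resolver(url):
    """Return the Location a server would send for url, or None when it
    answers with content rather than a redirect."""
    return FAKE_REDIRECTS.get(url)


class RedirectLoop(Exception):
    pass


class TooManyHops(Exception):
    pass


def expand_url(url, resolve, max_hops=10):
    """Follow redirects starting at url and return the full chain of URLs,
    ending at the first URL that does not redirect."""
    chain = [url]
    for _ in range(max_hops):
        location = resolve(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)   # resolves relative Locations
        if nxt in chain:
            raise RedirectLoop(" -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise TooManyHops(" -> ".join(chain))


def describe_link(url, resolve, max_hops=10):
    """Summarise what a user would actually reach by clicking url."""
    chain = expand_url(url, resolve, max_hops)
    shown_host = urlsplit(chain[0]).hostname
    final_host = urlsplit(chain[-1]).hostname
    return {
        "shown_host": shown_host,
        "final_host": final_host,
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        # A host change is the condition under which the short link hides its destination.
        "host_changed": shown_host != final_host,
    }


if __name__ == "__main__":
    print(describe_link("http://sho.rt/abc", fake_resolver))
```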

Risk at Stake

As discussed previously, it is hard to make social networks completely secure. The potential risk of spreading malware is ever increasing.

The major factor that contributes to this process is user ignorance regarding the technology used on social networking websites. The threat factor becomes high when user ignorance combines with the tactics presented. As a result, user privacy and information are at high risk. Identity scams may not only result in reputational damage to an individual online, but they may also influence the stature of an individual’s “offline” social life.

Social networking websites can apply controls to a certain extent, but it is difficult to provide knowledge to users about the authenticity of the hyperlinks posted to the messaging walls of their profiles. Theft of sensitive information and data can result in credit card frauds and unwanted banking transactions. The risk of compromising the user systems becomes high when a malicious binary is downloaded by clicking a hyperlink on a social networking website. The infection entry point is the social networking website; the infection then penetrates the user machine. The risk increases based on the user environment, such as a home personal computer (PC) or an organization-owned machine.

Organizations that use social networking websites to advertise their products are also at high risk when a worm outbreak spreads malware across a social network, which could result in the defamation of the organization’s brand and hamper the business to a wider extent than expected. The risks posed by social networking websites are becoming harder to conquer.

Recommendations and Usability

Considering the nature of web malware in social networking websites, it is hard to make the networks foolproof. However, the impacts can be reduced to some extent by complying with the following recommendations:

• Users should educate themselves to identify fake profiles and phishing e-mails. This kind of attention requires a collaborative knowledge of technology and its applicability in social networking websites.

• Users should secure their browsers by installing appropriate client-side filters, such as NoScript in Mozilla, to nullify malicious scripts when they are rendered in browsers. Users should choose client-side filters that are appropriate for their browsers.

• Users should not click suspicious hyperlinks. Users should try to scrutinize the origin of hyperlinks on social networks to avoid traps.

• Users should configure their profiles by applying the appropriate restrictions provided by standard social networking websites to protect privacy.

• Users should report suspicious messages and e-mails directly to the security teams of social networking websites. This can help administrators apply filters on the web-based social network infrastructure.

• User systems should have requisite antivirus software installed with the latest signatures to thwart infections.

• Users should upgrade their operating systems with the latest patches to avoid the exploitation of vulnerabilities in various components of installed software.

• Also, users should make sure they are not logged in as administrator while surfing the web.

Malware Detection and Protection Best Practices

• Install and maintain a modern antivirus suite and keep it updated at all times.

• Lock down the configuration of the operating system and the browser.

• Control what software is installed and allowed to run.

• Keep up with security patches and OS updates.

• Back up your critical files on a regular basis. Some viruses may damage files or completely destroy hard drives. Consider an imaging solution like Norton Ghost so that a machine can be completely re-imaged if necessary.

• Keep your workstation anti-virus signatures updated. Use of an automated routine, such as McAfee’s ePolicy Orchestrator, will make this more realistic.

• If possible, disable the Windows Scripting Host (WSH) program, active scripting in Internet Explorer and auto DCC reception in Internet Relay Chat client programs on your computer. (Note: these programs may be required by some software, so find out whether they are needed before disabling them.)

• Always exercise caution when opening attachments that arrive in e-mail, even if you know the sender. Verify with the sender before opening attachments that you are not expecting.

• Disable the automatic execution of code embedded in documents if you have software with that feature, e.g., Microsoft Office.

• Disable the auto-open or preview feature for e-mail attachments in your e-mail client.

• Use Notepad as the default text editor.

• Educate users about the dangers and safe use of social networking websites.

• Encrypt sensitive data in use, at rest, and in motion.

• Restrict use of removable storage devices.

• Protect smartphones and other mobile devices from unauthorized access.

• Keep browser plug-ins patched.

• Turn off Windows AutoRun (AutoPlay).
