Malware 101: Criminal Strategies, Pt. 2
In our previous article, Malware 101: Criminal Strategies, Pt. 1, we explained how cybercriminals dupe their targets into downloading malicious software, potentially causing severe damage to the user’s computer. In this article, we focus on how malware can spread unhindered through a network, without any action required from users.
The primary difference between the two strategies is that user exploitation requires a user to download something on each computer in order to infect it, while network exploitation can infect a network and spread from computer to computer without any need to get a user involved. That’s because the network itself is an exploitable entity that a hacker can take advantage of. The hacker can infiltrate a network with viruses or worms programmed either to send themselves automatically to other users or to travel over the network’s internet connection. The results can be both difficult to contain and catastrophic in impact.
To understand this strategy, it is useful to understand the viruses and worms that hackers can use. There are at least two parts to a virus or worm’s code: the means of propagation, and the transmittable data, aka the “payload”. We saw in the article on ransomware that there was an attack in 2017 known as WannaCry. One of the key features of that program was that it did not require any action from the user, instead relying on vulnerabilities within the Microsoft OS. Thus, WannaCry was technically categorized as a worm rather than a simple virus.
The development of computer viruses parallels the development of the internet. At first, sending malware to unsuspecting users amounted to nothing more than a prank. As time progressed, more and more computers were connected, and we as users became more connected to each other and to the network at large. These connections are what eventually became the Internet. But the internet then was nothing like the internet of today. What started out in the 1960s and 70s as projects allowing small, isolated networks to connect and communicate with other isolated networks led, in the early 1980s, to the development of the Internet Protocol (IP).
Everything was fine… until the Morris Worm attacked. It was the first worm ever to be written. What started out as a research experiment to measure the size of the internet quickly turned into an event that caused millions of dollars in damages. The worm’s payload didn’t even contain malicious content. So, what happened? Put simply, it replicated far too rapidly. Not only did it pass from computer to computer, but the same computer could receive multiple copies of the worm, each of which would propagate further. This created a massive Denial of Service (DoS) attack: computers crashed from the sheer volume of copies trying to run at the same time. The creator was reprimanded, and the event sparked a newfound interest in network security.
To put the timeline in perspective, the World Wide Web was invented by Berners-Lee in 1989. That’s one year after the Morris Worm. So in a way, the worm came before the apple.
An alternative way of invading a network is to hack into it directly, or to take advantage of an unsecured network. This involves using Wi-Fi to intercept the wireless traffic passing through the air around you. These kinds of acts usually aren’t as large in scale, but they can lead to more devastating crimes.
Imagine you are in your favorite coffee shop, and it has free public Wi-Fi. You love coming to this place so much that you’ve set up your phone and computer to connect automatically the moment you walk into that sweet-smelling, personal Wi-Fi haven. But that’s the thing: it’s not personal. Anybody within connection range can intercept a variety of data types, including log-in credentials, anything in your cloud or device storage, and the contents of personal messages. Something more aggressive would be purposefully exceeding the network’s capacity – meaning there are so many devices trying to sign on that it is unable to function properly. And the issues don’t stop there. This little shop is also exposed to legal risk. If any illegal activity is committed on their unsecured network, the providers can be held liable.
The internet is a network, and all the people connected to a particular provider are in their own little bubble within that network. It’s from that little bubble that the internetworking happens. When it is said that they are all connected, the image that comes to mind should be a web. A sticky, messy web. Information is being sent and received through the router, but the devices are also sending and receiving information between themselves. To see how this works, open your computer’s file browser and click Network. That should display every device logged into that network. Once on the network, it is possible for a hacker to spread malware to every user connected to it.
How Direct Infiltration and Worms Work Together
Let’s say we decided to buy a coffee before work. This space contains 20 users, each connected to the Wi-Fi. A hacker manages to connect to that network and distributes a worm that targets the people using the shop’s order-online application. It roots itself in the targeted device and gains access to the user’s contacts. The worm’s payload is designed to mine personal information from the data located on the device(s). 15 users become infected, and each one has 100 contacts. Messages carrying the worm as an attachment disguised as a .JPG are sent out to all of those contacts. Of the potential 1500 new victims, 500 open the attachment, and they, too, have 100 contacts. The program continues. It’s because of situations like these that attacks like ILOVEYOU can occur.
Cyberthreats of this sort come in all shapes and sizes. A worm relies on specific security vulnerabilities within a network. Sometimes companies like Microsoft can patch the holes before they are discovered by someone else. However, releasing information about the patch in turn exposes information about the hole. Cybercriminals keep track of these kinds of things, because, let’s be honest, how often do people immediately install an update? Even if only 1% of people do not install the patch and are infected, that is still over 3 million US citizens at risk of being victimized by cybercrime. Hackers can and will take advantage of a gap like that whenever possible. Ports – numbered points through which an OS directs network traffic to specific services – can be exploited, and an exposed port is an easy way around firewalls. Even if your router has a password, a weak password can be cracked, and then the network is at risk.
The Good News
The good news is, network attacks can be prevented. One of the best first steps you can take is to put effective, steadily improving security measures in place in your own life. Is your Wi-Fi network secure? Are your passwords strong and complex? Have you enabled multifactor authentication for your email, so that a stolen password alone is not enough in the event of an attack? Is all of your software, such as your operating system, up to date? Are your devices being periodically scanned for malware? It is never too late to be safe.
If you, your organization or company, or someone you know would like more information about our company or the strategies criminals can use to get into your system, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.