The Threat Landscape, Malware, and How it's Changed
In cyberspace, things are constantly in flux. New developments emerge every day, and the news is often filled with reports of threat actors exploiting vulnerabilities to deploy ransomware inside a company and demand millions in extortion, or of nation-state cyber warfare damaging infrastructure, as happened to the Ukrainian power grid.
More and more, cyber threats have encroached on our headlines.
As society becomes more and more dependent on the internet, these threats become even more intimidating. We know attackers are out there, lurking in cyberspace, and to the general public the methods they use can seem enigmatic, shrouded in secrecy.
It is worth noting that these threats have always been with us. A number of them exploit weaknesses that go back to the 1960s and the internet's precursor, the ARPANET: the protocols designed for that small, trusted network are still in use today, and attackers still turn them against individuals, organisations and nation states.
What Are Protocols?
Computers operate on protocols, which are essentially the rules of how things are done. They are the rules of engagement, a standard, universal language of instruction that computers use to communicate with each other and make sure they are on the same page. This is true of computers communicating within a network, and of networks communicating with other networks, a process called internetworking.
The term 'internet' is simply a shortening of 'internetworking'.
Computers, their networks and thus the internet operate on logic, and logic is generally straightforward and predictable. The standardisation of these protocols from the 1980s onwards (the ARPANET switched to TCP/IP in 1983), together with the technology built on top of them, caused an internet revolution which changed everyday life as we know it.
Now practically everything runs on the Internet Protocol (IP): mobiles, laptops and desktops, smart cars and IoT home devices, even the devices that monitor critical infrastructure such as the electrical grid and waste management.
It has also given threat actors, who abuse these same protocols, more ways to install malware, with greater consequences when they succeed. Let's track the history of this constantly evolving environment and some of the malware threat actors use to accomplish their aims.
Trojans
A Trojan is a form of malware delivery which has proved just as infamous as its namesake, the Trojan Horse.
They are generally delivered by social engineering: malicious actors trick users into downloading them by making them look appealing. The lure can be innocuous-looking software such as a new game app, or a simple login page for a website, which without the victim's knowledge carries hidden malicious code for purposes such as spying on the user, holding their files to ransom, or simply causing damage for its own sake.
There is still a lot of debate on what was the first Trojan.
One of the earliest and most infamous examples was the AIDS Trojan of 1989, which is also regarded as the first known ransomware. It was shipped on floppy disks mailed to PC Business World magazine subscribers and to the mailing list of a WHO AIDS conference, presented as an AIDS information program, which tricked recipients into installing it on their PCs.
Once installed, it lay dormant for 90 boot cycles before encrypting the names of the files on the hard drive (not their contents, but enough to make the system unusable) and displaying a demand for 189 US dollars, to be mailed to a post office box in Panama in exchange for the decryption program. Ransomware today, by contrast, demands payment in cryptocurrency.
Methods and techniques regarding trojan delivery have also become increasingly sophisticated since then:
- Email attachments or messages with links, with enticing content designed to convince you to click.
- Fake Wi-Fi hotspots and browser exploits.
- Scareware telling you your device is infected and that you must download this 'antivirus' now.
- Login trapdoors, where a login page has malicious code embedded in it that captures, or grants access using, the username and password the user types in.
- Malicious compilers (the 'trusting trust' attack described by Ken Thompson in 1984) that insert a backdoor at build time, so the malicious code never appears in the source code that reviewers inspect.
- Malicious websites that push Trojan droppers at you via drive-by download, pretending to offer helpful software.
- Dodgy mobile app downloads that infect phones.
Trojans and other malware are also increasingly popular for another type of cybercrime: fraud.
IISerpent, for example, is a server-side trojan that targets Microsoft's Internet Information Services (IIS) web server. It is installed as a malicious native IIS module (an extension of the web server itself), so it runs inside every request the compromised server handles.
Its purpose is to boost the malicious actor's own websites by leaching off the reputation of a more popular, compromised one. It manipulates search engine results by turning the compromised site into a doorway page for the actor's sites: when a request comes from a search engine crawler, it injects backlinks into the HTTP response, so the actor's pages gain ranking at the victim's expense while ordinary visitors see an unchanged site.
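A quick way to check a site for the crawler-only content described above is to request the same page with a browser User-Agent and with a crawler User-Agent and diff the links. The following is an added example, not part of the original post and not IISerpent's own code; the two HTML responses are constructed to stand in for what the two requests would return, and the site name shop.example is an assumption.

```python
"""Spot search-engine cloaking: off-site links that appear only in the page
served to a crawler User-Agent. Added example with constructed responses."""

from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect every href found in <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html: str) -> set:
    parser = LinkCollector()
    parser.feed(html)
    return set(parser.hrefs)


def injected_links(normal_html: str, crawler_html: str, site_host: str) -> set:
    """Return hrefs present only in the crawler-served page that point off-site,
    i.e. the backlinks a doorway page would carry for someone else's benefit."""
    extra = extract_links(crawler_html) - extract_links(normal_html)
    result = set()
    for href in extra:
        host = urlsplit(href).hostname
        if host and host != site_host:
            result.add(href)
    return result


# Constructed responses: what a browser UA and a crawler UA would receive
BROWSER_RESPONSE = """<html><body>
<h1>Shop</h1>
<a href="/products">Products</a>
<a href="https://shop.example/about">About</a>
</body></html>"""

CRAWLER_RESPONSE = """<html><body>
<h1>Shop</h1>
<a href="/products">Products</a>
<a href="https://shop.example/about">About</a>
<div style="display:none">
<a href="https://casino.example.net/">best online casino</a>
<a href="https://pills.example.org/buy">cheap pills</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for href in sorted(injected_links(BROWSER_RESPONSE, CRAWLER_RESPONSE, "shop.example")):
        print("crawler-only backlink:", href)
```

To run it against a live site, fetch the URL twice (once with a normal User-Agent and once with a search engine crawler's User-Agent) and pass the two bodies in. A clean diff is not proof of absence: a module that recognises crawlers by something other than the User-Agent header would not be caught this way.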
Worms
A worm is self-propagating malware which is, in essence, quite simple. Typically it reaches a victim's device through an unpatched vulnerability, makes a copy of itself there, and then executes its primary function: finding another victim, copying itself there, and repeating the process over and over.
Often, attackers build a further payload into the worm to run on each machine before it executes its propagation code.
One of the earliest examples of how devastating malware could be was the SQL Slammer worm of January 2003. It was an especially bad period for cybersecurity: organisations at large had fallen into bad habits and often were not applying security patches regularly, which let attackers exploit known flaws with ease.
Slammer primarily affected organisations running Microsoft SQL Server 2000 or the Microsoft Desktop Engine (MSDE), exploiting a buffer overflow in the SQL Server Resolution Service on UDP port 1434 for which Microsoft had released a patch (MS02-039) six months earlier. The entire worm fitted in a single 376-byte UDP packet; each infected server sent copies of it to random addresses as fast as it could, flooding networks with high-volume traffic, overloading routers and causing widespread denial of service.
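The propagation pattern just described (one infected host sending the same small datagram to as many addresses as it can) is visible in network flow data. Below is an added detection heuristic, not from the original post and not a Slammer signature: it flags any source that reaches a threshold of distinct destinations on UDP/1434 within a one-second window. The flow records are constructed for the example, with the 404-byte datagram size matching Slammer's 376-byte payload plus IP and UDP headers.

```python
"""Flag hosts whose traffic fans out like a scanning worm: one source hitting
many distinct destinations on one port in a short window.
Added example over constructed flow records; a heuristic, not a signature."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def scanning_sources(flows, proto="udp", dport=1434, window=1.0, min_targets=20):
    """Return {src: distinct_destinations} for every source that reaches at
    least min_targets distinct destinations on proto/dport within any span of
    `window` seconds (sliding window over the source's flows in time order)."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == proto and f.dport == dport:
            by_src[f.src].append(f)

    hits = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)   # dst -> number of flows inside the window
        best, lo = 0, 0
        for hi, f in enumerate(fs):
            in_window[f.dst] += 1
            while fs[hi].ts - fs[lo].ts > window:   # slide the left edge forward
                old = fs[lo].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


def constructed_flows():
    """Constructed sample: one host spraying UDP/1434 at 60 addresses in under
    half a second, plus ordinary traffic from two other hosts."""
    flows = []
    for i in range(60):   # the infected host, one 404-byte datagram per target
        flows.append(Flow(100.0 + i * 0.008, "192.0.2.10", f"203.0.113.{i + 1}", "udp", 1434, 404))
    for i in range(30):   # a legitimate SQL client talking to one server
        flows.append(Flow(100.0 + i * 0.02, "192.0.2.20", "192.0.2.50", "tcp", 1433, 900))
    for i in range(5):    # a monitoring host polling a handful of servers
        flows.append(Flow(100.0 + i * 0.1, "192.0.2.30", f"192.0.2.{60 + i}", "udp", 1434, 60))
    return flows


if __name__ == "__main__":
    for src, n in scanning_sources(constructed_flows()).items():
        print(f"{src}: {n} distinct UDP/1434 destinations within 1s, worm-like fan-out")
```

The same fan-out logic applies to any random-scanning worm if the port filter is relaxed. The threshold needs tuning against legitimate scanners and monitoring hosts, which is why the constructed sample includes one that polls a few servers: it stays below the default threshold but would be flagged if min_targets were lowered to 5.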
If parts of this sound familiar, that is because this method of attack has a successor in the modern era.
Bot Malware and Botnets
Worms are no longer as popular these days, however, as botnets have proved more useful to attackers.
Bot malware infects thousands of computers, delivered in much the same ways as trojans (spear phishing, for instance) or by exploiting unpatched vulnerabilities in software. It turns the infected machines into 'zombies' which quietly use part of the owner's outbound connection without their knowledge.
Bot malware and their botnets are a common, rather effective means to conduct Denial of Service attacks nowadays.
In a Distributed Denial of Service (DDoS) attack, malicious actors use a botnet to generate a SYN flood: every machine in the botnet army sends a stream of TCP SYN packets, often with spoofed source addresses, to the target server. A SYN is the first packet of the normal TCP three-way handshake and is ordinarily sent just once per connection, but the server must keep state for each half-open connection while it waits for the final ACK, so a large enough volume of SYNs exhausts that state and legitimate clients can no longer connect.
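As an added illustration (not from the original post, and a toy model rather than real TCP stack code), the following simulates a listener with a fixed half-open backlog under a flood of spoofed SYNs, first with ordinary stateful handling and then with SYN cookies, where the server's initial sequence number is a keyed hash of the connection 4-tuple and a time slot instead of stored state. The backlog size, secret key and addresses are assumptions for the example.

```python
"""Toy model of a listening socket under a SYN flood, with and without SYN
cookies. Added example, not kernel code; the cookie is a simplified version of
the scheme real TCP stacks use (keyed hash over the 4-tuple and a time slot,
used as the server's ISN so nothing needs to be stored per SYN)."""

import hashlib
import hmac
import struct

BACKLOG = 128                                   # half-open connections we can hold
SECRET = b"constructed-secret-for-the-example"  # a real stack uses a random key


def cookie(src, sport, dst, dport, tslot):
    """32-bit server ISN derived from the connection 4-tuple and a time slot.
    It can be recomputed when the handshake's final ACK arrives."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tslot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


class Listener:
    def __init__(self, syncookies=False):
        self.syncookies = syncookies
        self.half_open = {}       # 4-tuple -> server ISN, stateful mode only
        self.established = set()
        self.dropped = 0

    def on_syn(self, src, sport, dst="198.51.100.5", dport=80, tslot=0):
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if dropped."""
        key = (src, sport, dst, dport)
        isn = cookie(*key, tslot)
        if self.syncookies:
            return isn                        # stateless: nothing to exhaust
        if len(self.half_open) >= BACKLOG:    # backlog full: the SYN is dropped
            self.dropped += 1
            return None
        self.half_open[key] = isn
        return isn

    def on_ack(self, src, sport, ack, dst="198.51.100.5", dport=80, tslot=0):
        """Final handshake packet: valid only if ack == our ISN + 1 (mod 2**32)."""
        key = (src, sport, dst, dport)
        expected = (ack - 1) & 0xFFFFFFFF
        if self.syncookies:
            # accept the current and the previous slot, as real stacks do
            ok = expected in (cookie(*key, tslot), cookie(*key, tslot - 1))
        else:
            ok = self.half_open.get(key) == expected
            if ok:
                del self.half_open[key]
        if ok:
            self.established.add(key)
        return ok


def flood_then_connect(syncookies, n_spoofed=1000):
    """Spoofed SYNs from 10.0.0.0/8 (their SYN-ACKs go to hosts that never
    reply), then one legitimate client trying to complete the handshake."""
    lst = Listener(syncookies)
    for i in range(n_spoofed):
        lst.on_syn(src=f"10.{(i >> 8) & 255}.{i & 255}.7", sport=40000 + i)
    isn = lst.on_syn(src="192.0.2.99", sport=51515)
    if isn is None:
        return False                          # legitimate client locked out
    return lst.on_ack(src="192.0.2.99", sport=51515, ack=(isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful backlog, legitimate client connects:", flood_then_connect(False))
    print("SYN cookies,      legitimate client connects:", flood_then_connect(True))
```

Without cookies the legitimate client's SYN is dropped once 128 spoofed half-open connections fill the backlog; with cookies no state is kept until a valid ACK arrives, so the flood costs only bandwidth and CPU. Linux exposes this as net.ipv4.tcp_syncookies and uses cookies only when the SYN backlog overflows; the trade-off is that most TCP options carried in the original SYN are not remembered.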
How Can You Defend Yourself Against Threats in Cyberspace?
It's important to have good cybersecurity measures in place. Make sure your company keeps its software patched and up to date, and has systems in place to ensure you are following cybersecurity best practice and keeping your security posture within acceptable parameters. An IT consultant can help with this.
However, cyberspace is big, and the potential attack vectors can become very hard to keep track of. It is therefore important to use tools that make you more effective at detecting these threats and the exploits they are likely to use.
Securiwiser is a monitoring tool that lets you check the cybersecurity posture of your site in real time, presenting the data you need in a clear, straight-to-the-point dashboard: your DNS health, whether malware has been detected, HTTP redirections, whether your subdomains are exposed, and much more. Sign up today to get your free cybersecurity report.