
UNIT-III:

Software Security: Types of Malicious Software, Advanced Persistent Threat, Propagation,
Infected Content, Viruses, Vulnerability Exploit, Worms, Propagation, Social Engineering, SPAM
EMail, Trojans, Payload, System Corruption, Payload-Attack Agent, Zombie, Bots, Information Theft,
Keyloggers, Phishing, Spyware, Stealthing, Backdoors, Rootkits, Countermeasures.

Software Security is a type of security used to protect or secure programs from malicious attacks or
hacking. Types of software attacks include viruses, bugs, cookies, password attacks, malware attacks,
buffer overflows, spoofing, etc. Absolute, Norton, McAfee, etc., are some popular companies that
manage software security. It simply ensures that software continues to function and is safe from
attacks.

Why is Software Security Important?

Software security is essential for protecting sensitive data and intellectual property. Without
proper security measures, software vulnerabilities can be exploited by cyber criminals to gain
unauthorized access to the software system and steal or manipulate data. This can result in significant
financial loss, damage to reputation, and legal consequences.

Cyber Security is a type of security used to protect systems, networks and programs against
unauthorized access or attack. It is also known as computer security or information security. Types of
cyber-attacks include Trojan horses, brute-force attacks, insider threats, SQL injection, ransomware
attacks, etc. Accenture, Cisco, Centrify, Transmit Security, etc., are some popular companies that
manage cyber security. It is of three types: cloud security, application security, and network security.
Why is Cyber Security Important?
Cyber attacks are becoming increasingly sophisticated and widespread, making cyber security more
important than ever. Cyber attacks can result in significant financial and reputational damage, as well
as compromise sensitive data such as personal information, trade secrets, and financial data. Cyber
security is essential for protecting both individuals and businesses from these threats.
Difference between Software Security and Cyber Security:

| Software Security | Cyber Security |
|---|---|
| It is a process of providing security to software against malicious attacks and other hacker risks. | It is a process of providing security to computer systems and networks from attack, damage, and unauthorized access. |
| It is important because it helps to prevent viruses and malware, which allows programs to run quicker and smoother. | It is important because it includes everything that can be done to protect confidential data, PII (Personally Identifiable Information), PHI (Protected Health Information), personal data, etc. |
| Its process includes designing, creating, and testing security software. | Its process includes risk management, network security, monitoring, managing user privileges, and malware protection. |
| It is specifically designed to make software systems as free of vulnerabilities and as impervious to attack as possible. | It is specifically designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. |
| Its main aim is to develop more robust, higher-quality, and defect-free software that simply continues to function properly and correctly. | Its main aim is to prevent, mitigate, or reduce harm and defend computing assets against all threat actors throughout the entire life cycle of a cyber-attack. |
| Its activities include secure software design, developing secure coding guidelines for developers to follow, secure coding that follows established guidelines, developing secure configuration procedures and standards for the deployment phase, etc. | Its activities include protecting and securing data, protecting information technology, discovering threats, removing unwarranted data, ensuring confidentiality and server availability, etc. |
| It deals with only a small piece of software that is usually deployed to one computer or system at a time. | It deals with a larger-scale network or the entire internet or digital marketplace. |
| Its domain protects only the system or mechanism it is attached to, such as the computer it is attached to, the integrity of files, the confidentiality of files, etc. | Its domain protects everything within the cyber realm, such as software, data, code, technology, hardware, and information both digital and analog. |
| Tools used for software security include antivirus protection, antimalware, antispyware, data encryption software, etc. | Tools used for cyber security include firewalls, behavior-monitoring layers, online back-up systems, network-based restrictions, etc. |
| It is less versatile as compared to cyber security. | It is more versatile because it protects more digital architecture as compared to software security. |

Software security best practices

There are a wide variety of software security tools and solutions. Just like any other security practice,
you’ll have to build a strategy in order to make sure that your software security solutions remain relevant and
working in your benefit.

Keep software up-to-date and patched

Every piece of software has issues at times. There’s no way to avoid that. But unpatched flaws are one of the
most common ways that attackers compromise software users. This is why regular patching and staying up-to-date on
software is an important step in ensuring software security.

Software security services and tools can help software users stay on track when it comes to maintenance and
inventory of a wide range of software programs.

Least privilege

Least privilege is the concept of giving software users minimal access to programs in order to get their jobs
done. In other words, don’t give them access to features, access rights, and controls that they don’t need to use.

By enforcing a least privilege policy, you’ll reduce the risk of attacks by making sure that no one accidentally
changes access rights by mistake or has access to information that they don’t need. Don’t forget to reevaluate
privileges when employees change positions, finish projects, and of course, leave the company.

Consider automation for software security tasks

Large companies or enterprises can’t keep track of the wide range of tasks that they need to perform on a
regular basis manually. This is where automation comes into play (if the hackers are using it, you should be
too).

IT departments should automate regular tasks that are important for computer security software such as security
configurations, analyzing firewall changes, and more. In order to automate, companies need to invest in the
right software security tools and solutions.

Education
Software security risks won’t just go away at the press of a button. Educating employees is an important part of
guaranteeing software security and minimizing software security vulnerabilities.

Schedule one day per quarter to review software security risks, why the information is important, and what
employees can do to keep themselves, and the company, safe. It’s also important to teach employees to
recognize signs of security attacks, phishing attempts, etc.

Make a plan

Nothing is 100%, and no matter how hard a company tries, breaches will happen. This is why a
software security plan is critical. If something does go wrong, how will you operate? How will you detect an
attack and make sure that you’re seeing as little damage as possible as a result?

Document, monitor, and measure

Write all of your software security policies down so that everyone onboard has access and a thorough
understanding of the processes involved (don’t forget to show them to new employees!).

Over time, it’s important to monitor and measure activity. This way you can make sure your users are
following the practices related to computer security software and not abusing privileges or taking other
damaging actions. We also recommend defining key metrics so that you can track your software security risks
and security posture over time.

Types of Malicious Software


Malware is short for malicious software and refers to any software that is designed to cause
harm to computer systems, networks, or users. Malware can take many forms. It’s important for
individuals and organizations to be aware of the different types of malware and take steps to protect
their systems, such as using antivirus software, keeping software and systems up-to-date, and being
cautious when opening email attachments or downloading software from the internet.
Malware is a program designed to gain access to computer systems, generally for the benefit of some
third party, without the user’s permission. Malware includes computer viruses, worms, Trojan horses,
ransomware, spyware, and other malicious programs.

Why Do Cybercriminals Use Malware?

Cybercriminals use malware, which includes all forms of malicious software including viruses, for a
variety of purposes:

1. Using deception to induce a victim to provide personal information for identity theft.
2. Theft of customer credit card information or other financial information.
3. Taking over several computers and using them to launch denial-of-service attacks against
other networks.
4. Using infected computers to mine for cryptocurrencies like bitcoin.

Types of Malware
1. Viruses – A Virus is a malicious executable code attached to another executable file. The
virus spreads when an infected file is passed from system to system. Viruses can be harmless
or they can modify or delete data. Opening a file can trigger a virus. Once a program virus is
active, it will infect other programs on the computer.
2. Worms – Worms replicate themselves on the system, attaching themselves to different files
and looking for pathways between computers, such as computer network that shares
common file storage areas. Worms usually slow down networks. A virus needs a host
program to run but worms can run by themselves. After a worm affects a host, it is able to
spread very quickly over the network.
3. Trojan horse – A Trojan horse is malware that carries out malicious operations under the
appearance of a desired operation such as playing an online game. A Trojan horse varies
from a virus because the Trojan binds itself to non-executable files, such as image files, and
audio files.
4. Ransomware – Ransomware holds a computer system or the data it contains hostage until the
victim makes a payment. Ransomware encrypts data on the computer with a key that is
unknown to the user. The user has to pay a ransom (price) to the criminals to retrieve the data.
Once the amount is paid, the victim can resume using his/her system.
5. Adware – It displays unwanted ads and pop-ups on the computer. It comes along with
software downloads and packages. It generates revenue for the software distributer by
displaying ads.
6. Spyware – Its purpose is to steal private information from a computer system for a third
party. Spyware collects information and sends it to the hacker.
7. Logic Bombs – A logic bomb is a malicious program that uses a trigger to activate the
malicious code. The logic bomb remains non-functioning until that trigger event happens.
Once triggered, a logic bomb implements a malicious code that causes harm to a computer.
Cybersecurity specialists recently discovered logic bombs that attack and destroy the
hardware components in a workstation or server including the cooling fans, hard drives, and
power supplies. The logic bomb overdrives these devices until they overheat or fail.
8. Rootkits – A rootkit modifies the OS to make a backdoor. Attackers then use the backdoor
to access the computer distantly. Most rootkits take advantage of software vulnerabilities to
modify system files.
9. Backdoors – A backdoor bypasses the usual authentication used to access a system. The
purpose of the backdoor is to grant cyber criminals future access to the system even if the
organization fixes the original vulnerability used to attack the system.
10. Keyloggers – A keylogger records everything the user types on his/her computer system to
obtain passwords and other sensitive information and sends them to the source of the
keylogging program.

How To Protect From Malware?


The good news is that there are just as many ways to protect yourself from malware as there are
different types of malware. Look at these top suggestions:
1. Protect your devices.
2. Update your operating system and software. Install updates as soon as they become available
because cybercriminals search for vulnerabilities in out-of-date or outdated software.
3. Never click on a popup’s link. Simply click the “X” in the message’s upper corner to close it
and leave the page that generated it.
4. Don’t install too many apps on your devices. Install only the apps you believe you will
regularly use and need.
5. Be cautious when using the internet.
6. Do not click on unidentified links. If a link seems suspicious, avoid clicking it whether it
comes from an email, social networking site, or text message.
7. Choose the websites you visit wisely. Use a safe search plug-in and try to stick to
well-known and reputable websites to avoid any that might be malicious without your
knowledge.
8. Emails requesting personal information should be avoided. Do not click a link in an email
that appears to be from your bank and asks you to do so in order to access your account or
reset your password. Log in immediately at your online banking website.

How To Remove Malware?


A large number of security software programs are made to both find and stop malware as well as
to eliminate it from infected systems.
An antimalware tool that handles malware detection and removal is Malwarebytes. Malware can be
eliminated from Windows, macOS, Android, and iOS operating systems. A user’s registry files,
currently running programs, hard drives, and individual files can all be scanned by Malwarebytes.
Malware can then be quarantined and removed if it is found. Users cannot, however, set automatic
scanning schedules like they can with some other tools.

Advantages of Detecting and Removing Malware


1. Improved Security: By detecting and removing malware, individuals, and organizations can
improve the security of their systems and reduce the risk of future infections.
2. Prevent Data Loss: Malware can cause data loss, and by removing it, individuals and
organizations can protect their important files and information.
3. Protect Reputation: Malware can cause harm to a company’s reputation, and by detecting
and removing it, individuals and organizations can protect their image and brand.
4. Increased Productivity: Malware can slow down systems and make them less efficient, and
by removing it, individuals and organizations can increase the productivity of their systems
and employees.

Advanced Persistent Threat (APT)

An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which an
intruder gains access to a network and remains undetected for an extended period.
APT attacks are initiated to steal highly sensitive data rather than cause damage to the target
organization's network. The goal of most APT attacks is to achieve and maintain ongoing access to
the targeted network rather than to get in and out as quickly as possible.

Unlike ransomware as a service and other cyber assaults, APTs are executed manually through
meticulous planning. Because a great deal of effort and resources can go into carrying out APT
attacks, threat actors typically select high-value targets, such as large organizations, to steal
information over a long period. For this reason, APT attacks are typically orchestrated by
well-funded nation-state cybercriminal groups rather than individual hackers.

Techniques used in an APT attack

To gain access, APT groups often use a variety of advanced attack methods, including social engineering
techniques. To maintain access to the targeted network without being discovered, threat actors continuously
rewrite malicious code and use other sophisticated evasion techniques to avoid detection. In fact, some APTs are
so complex that they require full-time administrators to maintain the compromised systems and software in the
targeted network.

Common techniques used during APT attacks include the following:

● Spear phishing. APT actors commonly use highly targeted spear phishing emails to fool people into
divulging personal information or clicking on harmful links that can execute malicious code on
their systems. These emails are skillfully written to appear authentic and tailored to the recipient.
● Zero-day exploits. APT actors often take advantage of zero-day vulnerabilities in software or
hardware that have recently been discovered but not yet patched. By exploiting the vulnerabilities
before they've been addressed, threat actors can easily gain unauthorized access to target systems.
● Watering hole attacks. APT actors use the watering hole attack to breach websites often accessed
by their specific targets. By injecting malicious code into these websites, they can infect the systems
of unsuspecting visitors.
● Supply chain attacks. Supply chain attacks target a specific organization's supply chain,
compromising software or hardware before it reaches the intended receiver. This lets APT actors
gain access to the victim's network.
● Credential theft. APT actors use methods such as keylogging, password cracking and credential
phishing to obtain login credentials. Once they have legitimate credentials, they can navigate the
network laterally and gain access to sensitive information.
● Command-and-control (C&C) servers. Using C&C servers, APTs create communication routes
between hacked systems and their network. This lets the attacker maintain control over the
compromised network and exfiltrate data.
● Evasion strategies. To avoid being discovered by security systems, APT attackers often hide their
operations using legitimate tools and processes, code obfuscation and anti-analysis measures.

Stages of an APT attack

Attackers executing APTs typically take the following sequential approach to gain and maintain ongoing access
to a target:

1. Gain access. APT groups gain access to a target's network through the internet. Normally, they gain
access by inserting malicious software into the target through spear phishing emails or via an
application vulnerability.
2. Establish a foothold. After gaining access to the target, threat actors use their access to do further
reconnaissance. They use the malware they've installed to create networks of backdoors and tunnels
to move around unnoticed.
3. Cover tracks. APTs often use advanced malware techniques such as code rewriting to cover their
tracks and evade detection.
4. Gain even greater access. Once inside the targeted network, APT actors use methods such as
password cracking to gain administrative rights. This gives them more control of the system and
even deeper levels of access.
5. Move laterally. Once threat actors have breached their target systems, including gaining
administrator rights, they can move around the enterprise network at will. They can also attempt to
access other servers and other secure areas of the network.
6. Stage the attack. At this point, the hackers centralize, encrypt and compress the data so they can
exfiltrate it.
7. Take the data. The attackers harvest the data and transfer it to their system.
8. Remain until they're detected. Cybercriminals will repeat this process for long periods of time
until they're detected, or they can create a backdoor so they can access the system again later.

Propagation

Propagation is an intricate phenomenon that essentially refers to how malware spreads in a network of
computers or entire cyberspace. Cyber criminals use diverse propagation techniques to spread malware,
viruses, worms, and other malicious codes into various computers, often infecting an entire network.

One common propagation method involves inserting malicious codes into genuine-looking emails, known
as phishing attacks. The seemingly innocuous email will typically require an individual to click a link or
download an attachment. When executed, the malware finds its way into the unsuspecting recipient's computer,
thereby infecting it. Such malware can lay dormant and start propagating whenever it detects a vulnerability,
moving horizontally to other connected systems in the network.

Malware propagation is often synonymous with worms – a specific type of malicious code designed to
self-replicate and propagate autonomously without any user action. No sooner does a worm manage to infiltrate
a computer than it begins duplicating itself to spread to other network-connected systems. It leverages system
vulnerabilities, with many designed explicitly to exploit particular security loopholes in system software or
configurations, thereby facilitating the rapid spread of infection.

Propagation can also occur through executable file spreading. For instance, trojans disguise themselves
as benign files. When an unsuspecting user downloads or opens the file, the trojan is installed stealthily
alongside the intended software or file. This process can be immensely damaging as trojans have been known to
create backdoors in systems, allowing unauthorized access or control to the cybercriminal.

Another propagation method lies in the use of portable devices, such as external hard drives and USB
flash drives. Stuxnet worm, one of the most sophisticated malware, was initially distributed through USB flash
drives. When a malware-infected USB is plugged into an uninfected computer, the malicious program executes,
thereby infecting a new host.

Network propagation is another significant aspect driving the spread of malware. Various advanced types
of malicious codes can detect and compromise connected systems within a network, thereby spreading the
infection. For instance, ransomware like WannaCry leveraged the EternalBlue technique to spread laterally
across networks and encrypt files on various systems at the same time.

Cybercriminals might also resort to website or web application compromises to embed malicious code,
mainly through a method known as "watering hole attacks." They embed malicious code into a
website, turning it into a vector for malware propagation. Each visitor unwittingly downloads the loaded
malware, thereby infecting their own systems.

Ever-evolving methods of malware propagation cause continual trouble to cybersecurity professionals. An
antivirus, in this scenario, serves as the first line of defense against such spreading threats. It does this by
employing various advanced security technologies, like signature-based detection, heuristic analysis,
sandboxing, and behavioral detection, to name a few.

Signature-based detection primarily uses malware signatures to identify threats. In contrast, heuristic analysis
proactively flags any suspicious patterns that might indicate new, undefined malware.

Sandboxing allows the potentially malicious code to execute in an isolated environment, thereby preventing any
damage to the system, while behavioral detection monitors and blocks any program or code's unusual behaviors.
These advanced antivirus techniques are fundamental in thwarting malware propagation in contemporary
cybersecurity.
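To make the difference between signature-based detection and heuristic analysis concrete, here is an added example (not from the original notes and not any antivirus vendor's code): a toy scanner whose signature database, heuristic rules, weights and sample files are all constructed for the illustration.

```python
"""Added example: a toy scanner illustrating signature-based detection
(exact byte patterns or file hashes) next to heuristic analysis (a score
built from suspicious traits). Signature names, heuristic rules, weights
and sample files are all constructed for this illustration."""
import hashlib
import re

# Constructed signature database: one byte pattern and one SHA-256 hash.
BYTE_SIGNATURES = {
    "Demo.Dropper.A": b"\x4d\x5a\x90\x00DEMO-DROPPER-MARKER",
}
HASH_SIGNATURES = {
    hashlib.sha256(b"known bad file body").hexdigest(): "Demo.Worm.B",
}

# Constructed heuristic rules: (description, byte regex, weight).
HEURISTIC_RULES = [
    ("launches a hidden shell window", rb"powershell.*-WindowStyle Hidden", 3),
    ("touches a Run key (persistence)", rb"CurrentVersion\\Run", 2),
    ("long base64 blob (possible packed payload)", rb"[A-Za-z0-9+/]{200,}={0,2}", 2),
    ("references mass-mailing APIs", rb"MAPI|SendMail", 1),
]
HEURISTIC_THRESHOLD = 4   # total weight at or above this is reported


def signature_scan(data: bytes):
    """Exact-match detection: return the signature name, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes):
    """Pattern-based scoring: return (score, descriptions of matched rules)."""
    score, hits = 0, []
    for desc, pattern, weight in HEURISTIC_RULES:
        if re.search(pattern, data, re.DOTALL):
            score += weight
            hits.append(desc)
    return score, hits


def classify(data: bytes):
    """An exact signature wins outright; otherwise the heuristic score decides.
    Returns (verdict, detail)."""
    sig = signature_scan(data)
    if sig:
        return "malicious", sig
    score, hits = heuristic_scan(data)
    if score >= HEURISTIC_THRESHOLD:
        return "suspicious", "; ".join(hits)
    return "clean", f"heuristic score {score}"


# Constructed sample "files": two known, one unknown variant, one benign.
SAMPLES = {
    "known_dropper.bin": b"\x4d\x5a\x90\x00DEMO-DROPPER-MARKER\x00\x00padding",
    "known_worm.bin": b"known bad file body",
    "new_variant.ps1": (b"Start-Process powershell -WindowStyle Hidden\n"
                        + b"QUJD" * 60 + b"\n"
                        + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"),
    "report.txt": b"Quarterly report. Nothing unusual here.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, detail = classify(body)
        print(f"{name:18} {verdict:10} {detail}")
```

The unknown variant carries no known signature, so only the heuristic score catches it; that is exactly the gap heuristic analysis is meant to close.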

Therefore, comprehending malware propagation in the context of cybersecurity and antiviruses is vitally
important. This understanding helps cybersecurity professionals maintain a watchful eye on the ever-changing
threat landscape, thereby coming up with dynamic antivirus solutions.

With an increase in frequency and complexity, it has become essential that all individuals, businesses, and
organizations maintain a robust and adaptable cybersecurity posture to counter such propagation threats
effectively. The ever-evolving landscape of malware and antivirus technologies demands vigilance and regular
updating, and there is a growing need for AI and machine learning to adapt promptly to the constant threat of
such propagation techniques.

Of course, no solution is perfectly impermeable, and every defense will always be subject to new threats. It is
through understanding propagation and continually evolving our defenses that we stand a chance to predict
emerging threats, thwart attacks, and mitigate the devastating impacts of such malware. It is a game of cat and
mouse, as old as time itself, and recognizing the important role of propagation in this contest is crucial.

Propagation FAQs
What is propagation in cybersecurity?
Propagation refers to the spread of malware or viruses from one computer or network to another. This
can happen through various means, including email attachments, shared files or folders, and infected websites.
The goal of propagation is to infect as many computers and networks as possible to maximize the damage
caused by the malware or virus.

How can I prevent propagation of malware on my computer or network?


To prevent propagation, it is important to have up-to-date antivirus software installed on all computers
and devices in your network. This software can detect and remove threats before they can spread. It is also
important to educate employees about safe browsing practices, such as not clicking on suspicious links or
downloading files from unknown sources. Regular software updates and security patches are also important to
prevent vulnerabilities that can be exploited by malware.

What are the consequences of a successful propagation of malware?


The consequences of a successful propagation can be severe. Malware can steal sensitive data, such as
login credentials or financial information, and use it for illegal activities. It can also bring down entire networks
or systems, causing disruptions in business operations and loss of productivity. The cost of cleaning up after a
malware attack can be significant, and the damage to a company's reputation can be long-lasting.

How can I detect propagation in my network?


One method is to monitor network traffic for unusual activity, such as a sudden increase in outbound
data or connections to known malicious domains. Antivirus software can also detect and alert you to the
presence of malware on your network. Regular vulnerability scans and penetration testing can help identify and
fix any weaknesses before they can be exploited by malware.
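The indicators listed above (connections to known malicious domains, a sudden rise in outbound data, and worm-like spread between internal hosts) can be checked over ordinary connection logs. The following example is added here and is not part of the original text; its log lines, blocklist, address ranges and thresholds are constructed for the illustration.

```python
"""Added example: three of the propagation indicators described above,
checked over constructed connection-log lines. Each record is
'time src dst dst_port bytes_out domain' (domain is '-' when the flow
went to a bare IP). The log, the blocklist and the thresholds are all
made up for this illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"update-check.example-bad.test", "cdn.payload.example-bad.test"}
FANOUT_THRESHOLD = 5   # distinct internal peers on one port from one host
SPIKE_FACTOR = 10      # outbound bytes in the current window vs. baseline

LOG = """\
# baseline window (normal activity)
09:00:01 10.0.1.5 93.184.216.34 443 2100 www.example.com
09:00:07 10.0.1.5 93.184.216.34 443 1800 www.example.com
09:00:09 10.0.1.7 10.0.1.20 445 900 -
09:00:12 10.0.1.9 93.184.216.34 443 2500 www.example.com
# current window (a worm starts spreading from 10.0.1.5)
09:10:02 10.0.1.5 10.0.1.21 445 600 -
09:10:02 10.0.1.5 10.0.1.22 445 600 -
09:10:03 10.0.1.5 10.0.1.23 445 600 -
09:10:03 10.0.1.5 10.0.1.24 445 600 -
09:10:04 10.0.1.5 10.0.1.25 445 600 -
09:10:04 10.0.1.5 10.0.1.26 445 600 -
09:10:30 10.0.1.5 203.0.113.50 443 480000 cdn.payload.example-bad.test
09:10:45 10.0.1.9 93.184.216.34 443 2300 www.example.com
"""


def parse(log):
    """Yield (window, src, dst, port, bytes_out, domain) for each record."""
    window = None
    for line in log.splitlines():
        if line.startswith("# baseline"):
            window = "baseline"
        elif line.startswith("# current"):
            window = "current"
        elif line.strip():
            _, src, dst, port, nbytes, domain = line.split()
            yield window, src, dst, int(port), int(nbytes), domain


def detect(log):
    """Return sorted (indicator, host, detail) findings for the current window."""
    findings = []
    out_bytes = {"baseline": defaultdict(int), "current": defaultdict(int)}
    fanout = defaultdict(set)   # (src, port) -> internal peers contacted
    for window, src, dst, port, nbytes, domain in parse(log):
        if window == "current" and domain in BLOCKLIST:
            findings.append(("blocklisted-domain", src, domain))
        if ip_address(dst) in INTERNAL:
            if window == "current":
                fanout[(src, port)].add(dst)
        else:
            out_bytes[window][src] += nbytes
    # Worm-like spread: one host touching many internal peers on one port.
    for (src, port), peers in fanout.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append(("internal-fanout", src,
                             f"{len(peers)} internal hosts on port {port}"))
    # Outbound spike: volume far above the same host's baseline. Hosts with
    # no baseline traffic are skipped rather than guessed at.
    for src, total in out_bytes["current"].items():
        base = out_bytes["baseline"].get(src, 0)
        if base and total >= SPIKE_FACTOR * base:
            findings.append(("outbound-spike", src,
                             f"{total} bytes vs. baseline {base}"))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, host, detail in detect(LOG):
        print(f"{indicator:18} {host:10} {detail}")
```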

Infection Techniques
By infection techniques we are referring to malware distributed via compromised websites.
Infection techniques: definition
Cybercriminals aim to cause as much damage as possible on as many computers as possible with their
attacks, and to achieve that objective they must introduce malware on the victim's computer, generally in the
form of executable code, scripts, active content or software.
Over the last few years, malware distribution via compromised websites has become one of the most popular
ways to implant malicious code on computers. Hence the use of antivirus solutions, firewalls, and other
protection strategies to defend systems from this threat.

Infection methods
Software flaws.
Many viruses aim to exploit security holes, that is, design flaws in systems or application software, in
order to spread and infect all computers with the same characteristics. Most software programs incorporate
security features to prevent unauthorized use of system resources, hence the importance of using trusted
software. However, sometimes unprofessional development techniques are employed that may cause errors and
bugs leading to potentially dangerous security holes.
Social engineering and user mistakes.
To infect a computer, the malware's code must be executed. That's why many malware specimens are
included in executable files bundled with legitimate programs, so that, when the user opens the program, the
malware is executed resulting in the computer becoming infected. Thus, on operating systems where file
extensions are used to associate a file with the program to use it, hackers usually try to hide the extension of
their malicious creations to trick users.
Operating system vulnerabilities.
Most viruses are designed to take advantage of vulnerabilities found in the most popular operating
systems on the market, as this may allow them to simultaneously infect the millions of computers that run a
vulnerable application around the globe. That's why widely-used operating systems and platforms such as
Windows or Google Store are normally in the crosshairs of cybercriminals.
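A defender-side check for the extension-hiding trick mentioned under social engineering above, added here as an example (not from the original notes): it flags attachment names whose visible extension differs from the one the operating system will actually act on. The extension lists and the sample names are constructed.

```python
"""Added example: a mail-gateway style check for attachment names that
disguise an executable extension, the trick described above. The
extension lists and the sample names are constructed for this
illustration; a real gateway would combine this with content inspection."""

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                  "ps1", "jar", "msi", "hta"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "mp3"}
# Unicode bidirectional overrides (e.g. U+202E RIGHT-TO-LEFT OVERRIDE) make
# "report\u202efdp.exe" render as "reportexe.pdf" while the OS still sees .exe
BIDI_OVERRIDES = {"\u202e", "\u202d", "\u202b", "\u202a"}


def effective_extension(name: str) -> str:
    """Extension the operating system will actually act on: the part after
    the last dot, ignoring trailing spaces and dots (Windows strips them)."""
    stripped = name.rstrip(" .")
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""


def analyse_filename(name: str):
    """Return the list of reasons the name looks deceptive; [] if it is honest.
    An undisguised 'setup.exe' is not flagged here: it hides nothing."""
    reasons = []
    if any(ch in BIDI_OVERRIDES for ch in name):
        reasons.append("bidirectional override character hides the real extension")
    clean = "".join(ch for ch in name if ch not in BIDI_OVERRIDES)
    ext = effective_extension(clean)
    if ext in EXECUTABLE_EXT:
        parts = [p.strip() for p in clean.rstrip(" .").lower().split(".")]
        # "invoice.pdf.exe": a document-looking inner extension before the real one
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
            reasons.append(f"double extension: looks like .{parts[-2]} but runs as .{ext}")
        # "photo.jpg<many spaces>.scr": padding pushes the real extension out of view
        stem = clean.rsplit(".", 1)[0]
        if len(stem) - len(stem.rstrip()) >= 10:
            reasons.append("long run of spaces before the executable extension")
    return reasons


# Constructed attachment names: three deceptive, two honest.
SAMPLES = [
    "invoice.pdf.exe",
    "photo.jpg" + " " * 40 + ".scr",
    "report\u202efdp.exe",
    "setup.exe",
    "holiday.jpg",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict = analyse_filename(name)
        print(repr(name), "->", "; ".join(verdict) if verdict else "ok")
```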

Distribution strategies
Social networks.
The appearance of social networks has given cybercriminals a massive platform to spread their
creations. Before, email was the primary tool for sending spam, but the appearance of Facebook, Twitter and
WhatsApp has opened new opportunities for this type of malware. Fake accounts are created to forward
chain-letter emails and malicious links, share inappropriate content, or spoof user identities for malicious
purposes. One of the most popular threats today is the use of phishing scams to trick users into clicking infected
links.
Fake websites.
This is one of the most widely used techniques of the last decades. It consists of creating a website
using platforms such as WordPress, and designing it to download and install malicious scripts on visitors. This
strategy includes the use of advertising and Black Hat SEO techniques to promote the site and affect as many
users as possible.
Online games.
Online gaming platforms are sometimes used to spread malware via games, particularly those for young
children. The idea is to induce the user to click and accept any condition in order to continue. Free mobile apps
are also a weapon of choice for cybercriminals. In this case, they use files with malicious code which, once
downloaded and installed, infect computers and compromise information.

Computer Virus
Chances are you’ve heard how important it is to keep viruses out, but what is a computer virus exactly? A
computer virus is a type of malicious software, or malware, that spreads between computers and causes damage to
data and software.

Computer viruses aim to disrupt systems, cause major operational issues, and result in data loss and leakage.
A key thing to know about computer viruses is that they are designed to spread across programs and systems.
Computer viruses typically attach to an executable host file, which results in their viral codes executing when a file
is opened. The code then spreads from the document or software it is attached to via networks, drives, file-sharing
programs, or infected email attachments.

Common Signs of Computer Viruses


A computer virus will more than likely have an adverse effect on the device it resides on and may be discoverable
through common signs of performance loss, including:

Speed of System

A computer system running slower than usual is one of the most common signs that the device has a virus.
This includes the system itself running slowly, as well as applications and internet speed suffering. If a computer
with no demanding applications or programs installed is still running slowly, that may be a sign it is infected
with a virus.

Pop-up Windows

Unwanted pop-up windows appearing on a computer or in a web browser are a telltale sign of a computer
virus. Unwanted pop-ups are a sign of malware, viruses, or spyware affecting a device.

Programs Self-executing

If computer programs unexpectedly close by themselves, then it is highly likely that the software has been
infected with some form of virus or malware. Another indicator of a virus is when applications fail to load when
selected from the Start menu or their desktop icon. Every time that happens, your next step should be to perform a
virus scan and remove any files or programs that might not be safe to use.

Accounts Being Logged Out

Some viruses are designed to affect specific applications, which will either cause them to crash or force the
user to automatically log out of the service.

Crashing of the Device

System crashes and the computer itself unexpectedly closing down are common indicators of a virus.
Computer viruses cause computers to act in a variety of strange ways, which may include opening files by
themselves, displaying unusual error messages, or clicking keys at random.

Mass Emails Being Sent from Your Email Account

Computer viruses are commonly spread via email. Hackers can use other people's email accounts to spread
malware and carry out wider cyberattacks. Therefore, if an email account has sent emails in the outbox that a user
did not send, then this could be a sign of a computer virus.

Changes to Your Homepage

Any unexpected changes to a computer—such as your system’s homepage being amended or any browser
settings being updated—are signs that a computer virus may be present on the device.

Viruses Attack and Spread


In the early days of computers, viruses were spread between devices using floppy disks. Nowadays, viruses
can still be spread via hard disks and Universal Serial Bus (USB) devices, but they are more likely to be passed
between devices through the internet.

Computer viruses can be spread via email, with some even capable of hijacking email software to spread themselves.
Others may attach to legitimate software or software bundles, or infect code, and other viruses can be downloaded
from compromised application stores and infected code repositories. A key feature of any computer virus is that it
requires a victim to execute its code or payload, which means the host application must be running for the virus to act.

Types of Computer Viruses

There are several types of computer viruses that can infect devices. This section will cover computer virus
protections and how to get rid of computer viruses.

Resident Virus

Viruses propagate themselves by infecting applications on a host computer. A resident virus achieves this by
infecting applications as they are opened by a user. A non-resident virus is capable of infecting executable files when
programs are not running.

Multipartite Virus

A multipartite virus uses multiple methods to infect and spread across computers. It will typically remain in the
computer’s memory to infect the hard disk, then spread through and infect more drives by altering the content of
applications. This results in performance lag and application memory running low.

Multipartite viruses can be avoided by not opening attachments from untrusted sources and by installing trusted
antivirus software. It can also be prevented by cleaning the boot sector and the computer’s entire disk.

Direct Action

A direct action virus accesses a computer’s main memory and infects all programs, files, and folders located in the
autoexec.bat path, before deleting itself. This virus typically alters the performance of a system but is capable of
destroying all data on the computer’s hard disk and any USB device attached to it. Direct action viruses can be
avoided through the use of antivirus scanners. They are easy to detect, as is restoring infected files.

Browser Hijacker

A browser hijacker alters the settings of a web browser, such as replacing the homepage, editing the new
tab page, and changing the default search engine. Technically, it is not a virus because it cannot infect files, but it can be
hugely damaging to computer users, who often will not be able to restore their homepage or search engine. It can
also contain adware that causes unwanted pop-ups and advertisements.

Browser hijackers typically attach to free software and malicious applications from unverified websites or app stores,
so only use trusted software and reliable antivirus software.

Overwrite Virus

Overwrite viruses are extremely dangerous. They can delete data and replace it with their own file content or code.
Once files get infected, they cannot be replaced, and the virus can affect Windows, DOS, Linux, and Apple systems.
The only way this virus can be removed is by deleting all of the files it has infected, which could be devastating. The
best way to protect against the overwrite virus is to use a trusted antivirus solution and keep it updated.

Web Scripting Virus

A web scripting virus attacks web browser security, enabling a hacker to inject web pages with malicious code, or
client-side scripting. This allows cyber criminals to attack major websites, such as social networking sites, email
providers, and any site that enables user input or reviews. Attackers can use the virus to send spam, commit
fraudulent activity, and damage server files.

Protecting against web scripting is reliant on deploying real-time web browser protection software, using cookie
security, disabling scripts, and using malicious software removal tools.

File Infector
A file infector is one of the most common computer viruses. It overwrites files when they are opened and can
quickly spread across systems and networks. It largely affects files with .exe or .com extensions. The best way to
avoid file infector viruses is to only download official software and deploy an antivirus solution.
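The overwriting behaviour of file infectors and overwrite viruses is exactly what a file-integrity check catches. The following Python script is an added example, not part of these notes or of any product they mention: it records a size and SHA-256 hash for every .exe and .com file under a directory, then compares a later scan against that baseline and reports what was modified, added or removed. The directory, file names and the simulated infection are all constructed for the demonstration.

```python
# Added example, not part of the notes: a file-integrity baseline that detects
# executables changed after the baseline was taken, the effect a file infector or
# overwrite virus produces. All files and the "infection" below are constructed.
import hashlib
import os
import tempfile

# The extensions the notes single out as file-infector targets.
WATCHED_EXTENSIONS = {".exe", ".com"}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Map each watched file (path relative to root) to its (size, sha256)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                baseline[rel] = (os.path.getsize(path), sha256_of(path))
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Rescan root and report files modified, added or removed since baseline."""
    current = take_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Create a constructed directory, baseline it, simulate an infection, rescan."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"editor.exe": b"MZ original editor",
                     "tool.com": b"original tool",
                     "readme.txt": b"not watched"}
        for name, body in originals.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = take_baseline(root)

        # Constructed changes mirroring the notes: a file infector prepends its
        # stub to one host, an overwrite virus replaces another outright, and a
        # new executable appears. readme.txt changes too but is not watched.
        with open(os.path.join(root, "editor.exe"), "wb") as f:
            f.write(b"INFECTOR-STUB" + originals["editor.exe"])
        with open(os.path.join(root, "tool.com"), "wb") as f:
            f.write(b"OVERWRITTEN")
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"MZ new file")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"edited")
        return compare(root, baseline)


if __name__ == "__main__":
    # {'modified': ['editor.exe', 'tool.com'], 'added': ['dropped.exe'], 'removed': []}
    print(demo())
```

A real deployment keeps the baseline off the monitored host or signs it, since malware able to overwrite executables could equally overwrite a baseline stored beside them; the check is also only as good as the moment the baseline was taken, so it belongs on a freshly installed or freshly scanned system.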

Network Virus

Network viruses are extremely dangerous because they can completely cripple entire computer networks. They are
often difficult to discover, as the virus could be hidden within any computer on an infected network. These viruses
can easily replicate and spread by using the internet to transfer to devices connected to the network. Trusted, robust
antivirus solutions and advanced firewalls are crucial to protecting against network viruses.

Boot Sector Virus

A boot sector virus targets a computer’s master boot record (MBR). The virus injects its code into a hard disk’s
partition table, then moves into the main memory when a computer restarts. The presence of the virus is signified by
boot-up problems, poor system performance, and the system being unable to locate the hard disk. Most modern computers
come with boot sector safeguards that restrict the potential of this type of virus.

Steps to protecting against a boot sector virus include ensuring disks are write-protected and not starting up a
computer with untrusted external drives connected.

Computer Viruses Through Examples


There are common examples of what computer and internet users believe to be viruses, but are technically incorrect.
Is Trojan a Virus?
A Trojan horse is a type of program that pretends to be something it is not to get onto a device and infect it with
malware. Therefore, a Trojan horse virus is a virus disguised to look like something it is not. For example, viruses
can be hidden within unofficial games, applications, file-sharing sites, and bootlegged movies.
Is a Worm a Virus?
A computer worm is not a virus. Worms do not need a host system and can spread between systems and networks
without user action, whereas a virus requires users to execute its code.
Is Ransomware a Virus?
Ransomware is when attackers lock victims out of their system or files and demand a ransom to unlock access.
Viruses can be used to carry out ransomware attacks.
Is Rootkit a Virus?
A rootkit is not a virus. Rootkits are software packages that give attackers access to systems. They cannot
self-replicate or spread across systems.
Is a Software Bug a Virus?
"Bug" is a common word used to describe problems with computers, but a software bug is not a virus. A bug is a
flaw or mistake in software code, which hackers can exploit to launch a cyberattack or spread malware.

How To Prevent Your Computer From Viruses


There are several ways to protect your computer from viruses, including:

Use a Trusted Antivirus Product

Trusted computer antivirus products are crucial to stop malware attacks and prevent computers from being infected
with viruses. These antivirus products protect devices from infection through regular scans and by identifying
and blocking malware.

Avoid Clicking Pop-up Advertisements

Unwanted pop-up advertisements are more than likely to be linked to computer viruses and malware. Never click on
pop-up advertisements because this can lead to inadvertently downloading viruses onto a computer.

Scan Your Email Attachments

A popular way to protect your device from computer viruses is to avoid suspicious email attachments, which are
commonly used to spread malware. Computer antivirus solutions can be used to scan email attachments for potential
viruses.

Scan the Files That You Download Using File-sharing Programs

File-sharing programs, particularly unofficial sites, are also popular resources for attackers to spread computer
viruses. Avoid downloading applications, games, or software from unofficial sites, and always scan files that have
been downloaded from any file-sharing program.

Vulnerability Exploit

A vulnerability is a weakness that can be exploited by cybercriminals to gain unauthorized access to a computer
system. After exploiting a vulnerability, an attacker can run malicious code, install malware, and even steal
sensitive data.

Vulnerabilities can be exploited by a variety of methods, including SQL injection, buffer overflows, cross-site
scripting (XSS), and open-source exploit kits that look for known vulnerabilities and security weaknesses in
web applications.

Many vulnerabilities impact popular software, placing the many customers using the software at a heightened
risk of a data breach or supply chain attack. Such zero-day exploits are registered by MITRE as a Common
Vulnerabilities and Exposures (CVE) entry.

Vulnerability Examples

There are several different types of vulnerabilities, determined by which infrastructure they’re found on.
Vulnerabilities can be classified into six broad categories:

1. Hardware
Any susceptibility to humidity, dust, soiling, natural disaster, poor encryption, or firmware vulnerability.

2. Software
Insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads,
dangling pointers), input validation errors (code injection, cross-site scripting (XSS), directory traversal, email
injection, format string attacks, HTTP header injection, HTTP response splitting, SQL injection),
privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink
races, time-of-check-to-time-of-use bugs), side channel attacks, timing attacks and user interface failures
(blaming the victim, race conditions, warning fatigue).

3. Network
Unprotected communication lines, man-in-the-middle attacks, insecure network architecture, lack of
authentication, default authentication, or other poor network security.

4. Personnel
Poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor
password management, or downloading malware via email attachments.

5. Physical site
Area subject to natural disaster, unreliable power source, or no keycard access.

6. Organizational
Improper internal controls, lack of audit, continuity plan, security, or incident response plan.


What Causes Vulnerabilities?


There are many causes of vulnerabilities, including:

● Complexity - Complex systems increase the probability of a flaw, misconfiguration, or unintended
access.
● Familiarity - Common code, software, operating systems, and hardware increase the probability that an
attacker can find or has information about known vulnerabilities.
● Connectivity - The more connected a device is, the higher the chance of a vulnerability.

● Poor Password Management - Weak passwords can be broken with brute force, and reusing passwords
can result in one data breach becoming many.

● Operating System Flaws - Like any software, operating systems can have flaws. Operating systems
that are insecure by default allow any user to gain access and potentially inject viruses and malware.

● Internet Usage - The Internet is full of spyware and adware that can be installed automatically on
computers.

● Software Bugs - Programmers can accidentally or deliberately leave an exploitable bug in software.
Sometimes end users fail to update their software, leaving them unpatched and vulnerable to
exploitation.

● Unchecked User Input - If your website or software assumes all input is safe, it may execute
unintended SQL commands.

● People - The biggest vulnerability in any organization is the human at the end of the system. Social
engineering is the biggest threat to the majority of organizations. This category of cyber threats can be
addressed with an in-house cyber threat awareness program.
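The "unchecked user input" cause above, shown as an added example (not code from these notes): the same user lookup written once by splicing the input into the SQL text and once with a bound parameter, both run against an in-memory SQLite table. The table, the user rows and the test inputs are constructed for the demonstration, and the password hashes are placeholders.

```python
# Added example, not from the notes: one lookup written two ways. Table, rows
# and inputs are constructed; password hashes are placeholders.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<hash-a>"), ("bob", "<hash-b>")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so quote characters
    in it change the statement the database actually executes."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the value is bound as a parameter. The database treats it as a
    string to compare against, never as SQL, whatever characters it holds."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    """Run both versions on an ordinary name and on the textbook test string."""
    conn = make_db()
    ordinary = "alice"
    crafted = "nobody' OR '1'='1"   # the classic unchecked-input test string
    return {
        "unsafe_ordinary": lookup_unsafe(conn, ordinary),   # ['alice']
        "unsafe_crafted": lookup_unsafe(conn, crafted),     # every row
        "safe_ordinary": lookup_safe(conn, ordinary),       # ['alice']
        "safe_crafted": lookup_safe(conn, crafted),         # []
    }
```

With the crafted input the unsafe query's WHERE clause becomes `username = 'nobody' OR '1'='1'`, which is true for every row, so both users come back; the parameterised query returns nothing because no account is literally named that. The lesson is that the fix is parameterisation, not trying to filter quote characters out of the input.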

What is Vulnerability Management?
Vulnerability management is a cyclical practice of identifying, classifying, remediating, and mitigating security
vulnerabilities. The essential elements of vulnerability management include vulnerability detection,
vulnerability assessment, and remediation.

Methods of vulnerability detection include:

● Vulnerability scanning
● Penetration testing
● Google hacking

Once a vulnerability is found, it goes through the vulnerability assessment process:

1. Identify Vulnerabilities

Analyzing network scans, pen test results, firewall logs, and vulnerability scan results to find anomalies that
suggest a cyber attack could take advantage of a vulnerability.

2. Verify Vulnerabilities

Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to
understand the level of risk.

3. Mitigate Vulnerabilities

Decide on countermeasures and how to measure their effectiveness if a patch is unavailable.

4. Remediate Vulnerabilities

Remediating vulnerabilities requires updating affected software or hardware where possible. Because
cyber attacks are constantly evolving, vulnerability management must be a continuous and repetitive practice to
ensure your organization remains protected.
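The assessment steps above (identify, verify, then mitigate or remediate) as an added example, not from these notes: a small Python routine matches a constructed software inventory against a constructed advisory list, verifies which installed versions are actually affected, rates severity with the CVSS v3 qualitative bands, and chooses remediation when a patch exists and mitigation when it does not. The product names, versions, advisory ids and scores are placeholders, not real CVE records.

```python
# Added example, not from the notes: the assessment cycle applied to a
# constructed inventory and constructed advisories. Ids, products, versions
# and scores are placeholders, not real CVE data.
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str      # placeholder such as "ADV-0001", not a CVE number
    product: str
    affected_below: str   # every version lower than this one is affected
    cvss: float           # base score, 0.0 to 10.0
    patch_available: bool


def parse_version(text: str) -> tuple:
    """'10.4.2' -> (10, 4, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def assess(inventory: dict, advisories: list) -> list:
    """Identify which advisories apply, verify against the installed version,
    rate severity, and decide remediate (patch) or mitigate (no patch yet).
    Returns findings ordered by score, highest first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue   # product not installed: nothing to assess
        if parse_version(installed) >= parse_version(adv.affected_below):
            continue   # verified not affected: installed build already has the fix
        if adv.patch_available:
            action = "remediate: update to " + adv.affected_below
        else:
            action = "mitigate: apply a countermeasure and re-check when a patch ships"
        findings.append({"id": adv.advisory_id, "product": adv.product,
                         "installed": installed, "cvss": adv.cvss,
                         "severity": severity(adv.cvss), "action": action})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


# Constructed inventory from an authenticated scan (product -> installed version).
SAMPLE_INVENTORY = {"webapp-framework": "2.3.1", "db-server": "10.4", "ssh-daemon": "8.9"}

# Constructed advisory feed.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "webapp-framework", "2.4.0", 9.8, True),
    Advisory("ADV-0002", "db-server", "10.2", 7.5, True),      # already fixed on this host
    Advisory("ADV-0003", "ssh-daemon", "9.0", 5.3, False),     # no patch yet
    Advisory("ADV-0004", "mail-relay", "1.0", 8.1, True),      # not installed here
]


def demo() -> list:
    return assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
```

The version comparison is the "verify" step: ADV-0002 is dropped because the installed build is already past the fixed version, which is the kind of false positive an unauthenticated scan cannot rule out. Real feeds need richer range logic (affected and fixed versions per branch), but the shape of the cycle is the same.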

What is Vulnerability Scanning?


A vulnerability scanner is software designed to assess computers, networks or applications for known
vulnerabilities. Scanners can identify and detect vulnerabilities arising from misconfiguration and flawed
programming within a network and perform authenticated and unauthenticated scans:

● Authenticated scans: Allows the vulnerability scanner to directly access networked assets using remote
administrative protocols like secure shell (SSH) or remote desktop protocol (RDP) and authenticate
using provided system credentials. This gives access to low-level data such as specific services and
configuration details, providing detailed and accurate information about operating systems, installed
software, configuration issues, and missing security patches.
● Unauthenticated scans: Result in false positives and unreliable information about operating systems
and installed software. This method is generally used by cyber attackers and security analysts to try and
determine the security posture of externally facing assets and to find possible data leaks.

What is Penetration Testing?
Penetration testing, also known as pen testing or ethical hacking, is the practice of testing an information
technology asset to find security vulnerabilities an attacker could exploit. Penetration testing can be automated
with software or performed manually.

Either way, the process is to gather information about the target, identify possible vulnerabilities and attempt to
exploit them, and report on the findings.

Penetration testing may also be used to test an organization's security policy, adherence to compliance
requirements, employee security awareness, and an organization's ability to identify and respond to security
incidents.

Worms and Propagation

A computer worm is a subset of the Trojan horse malware that can propagate or self-replicate from
one computer to another without human activation after breaching a system. Typically, a worm spreads across a
network through your Internet or LAN (Local Area Network) connection.

A Trojan uses trickery and social engineering to deceive people into running it. For example, a Trojan may
pretend to be legitimate software. A worm is a type of Trojan because it normally relies on social engineering to
attack systems.

How does a computer worm spread?

● Phishing: Fraudulent emails that look authentic can carry worms in corrupt attachments. Such emails
may also invite users to click malicious links or visit websites designed to infect users with worms.
● Spear-Phishing: Targeted phishing attempts can carry dangerous malware like ransomware
cryptoworms.
● Networks: Worms can self-replicate across networks via shared access.
● Security holes: Some worm variants can infiltrate a system by exploiting software vulnerabilities.
● File sharing: P2P file networks can carry malware like worms.
● Social networks: Social platforms like MySpace have been affected by certain types of worms.
● Instant messengers (IMs): All types of malware, including worms, can spread through text messages
and IM platforms such as Internet Relay Chat (IRC).
● External devices: Worms can infect USB sticks and external hard drives.

What does a computer worm do?


Once a computer worm has breached your computer’s defenses it can perform several malicious actions:

● Drop other malware like spyware or ransomware
● Consume bandwidth
● Delete files
● Overload networks
● Steal data
● Open a backdoor
● Deplete hard drive space
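Detection logic for the network propagation described above, as an added example (not code from these notes): a worm that self-replicates across a LAN shows up as one source contacting many distinct hosts on the same port in a short time, which is also why such worms consume bandwidth and overload networks. The flow records below are constructed, not captured traffic, and the window and threshold are tuning assumptions.

```python
# Added example, not from the notes: fan-out detection over constructed flow
# records. A self-replicating worm probing its LAN shows as one source reaching
# many distinct destinations on one port within a short window.
from collections import defaultdict


def build_sample_flows() -> list:
    """Constructed flow log as text lines: 'timestamp src dst dport proto'."""
    lines = []
    # Benign: a workstation talking to two web servers over two minutes.
    for i in range(6):
        lines.append("%d 10.0.0.8 10.0.0.%d 443 tcp" % (100 + i * 20, 50 + i % 2))
    # Worm-like: one host contacting twelve neighbours on one port in 12 seconds.
    for i in range(12):
        lines.append("%d 10.0.0.5 10.0.0.%d 445 tcp" % (200 + i, 20 + i))
    return lines


def parse_flows(lines: list) -> list:
    """Turn text records into (timestamp, src, dst, dport, proto) tuples."""
    flows = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def detect_fan_out(flows: list, window: int = 60, threshold: int = 10) -> list:
    """Alert on any (src, dport) that reaches >= threshold distinct destinations
    inside some span of `window` seconds. Window and threshold are assumptions;
    a real deployment derives them from the network's normal baseline."""
    by_key = defaultdict(list)            # (src, dport) -> [(ts, dst), ...]
    for ts, src, dst, dport, _ in flows:
        by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dport), events in by_key.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits within `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts.append({"src": src, "dport": dport, "distinct_dsts": peak})
    return alerts


def demo() -> list:
    return detect_fan_out(parse_flows(build_sample_flows()))
```

Keying on (source, destination port) rather than source alone matters: a busy file server legitimately talks to many clients, but a worm exploiting one service hits one port everywhere, so the per-port fan-out separates the two. Legitimate scanners and monitoring systems will trip the same rule and need an allow-list.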

Computer worm examples
Over the years, there have been some particularly devastating worms. Some worms have caused billions in
damage. Here is a brief list of some infamous ones:

● Morris Worm: Also known as the Internet worm, this was one of the first computer worms to spread
via the Internet and earn notoriety in the media.
● Bagle: Also known as Beagle, Mitglieder, and Lodeight, this mass-mailing worm had many variants.
● Blaster: Also known as MSBlast, Lovesan, and Lovsan, this worm attacked computers running
Windows XP and Windows 2000.
● Conficker: Also known as Downup, Downadup, and Kido, this worm exploited flaws in Windows to
infect millions of computers in over a hundred countries.
● ILOVEYOU: The ILOVEYOU worm infected tens of millions of computers globally, resulting in
billions of dollars in damage.
● Mydoom: This became the fastest-spreading email worm in 2004, sending junk email across computers.
● Ryuk: Although Ryuk wasn’t always a worm, it’s now worm-like ransomware.
● SQL Slammer: The SQL Slammer worm gained infamy for slowing down Internet traffic with
denial-of-service attacks on some Internet hosts.
● Storm Worm: This worm utilized social engineering with fake news of a disastrous storm to drop
botnets on compromised machines.
● Stuxnet: Some experts believe this sophisticated worm was developed for years to launch a cyberattack.

Social Engineering

Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain
control over a computer system, or to steal personal and financial information. It uses psychological
manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended
victim to gather necessary background information, such as potential points of entry and weak security
protocols, needed to proceed with the attack. Then, the attacker uses a form of pretexting such as impersonation
to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as
revealing sensitive information or granting access to critical resources.

Types of Social Engineering Attacks

Social engineering attacks come in many different forms and can be performed anywhere where human
interaction is involved. The following are common forms of digital social engineering attacks.

Phishing: The process of attempting to acquire sensitive information such as usernames, passwords, and credit
card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or by phone.
Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message. The message
then pushes victims into revealing sensitive information, clicking on links to malicious websites, or opening
attachments that contain malware.

Baiting: A type of social engineering attack where a scammer uses a false promise to lure a victim into a
trap which may steal personal and financial information or infect the system with malware. The trap could be in
the form of a malicious attachment with an enticing name.

The most common form of baiting uses physical media to disperse malware. For example, attackers leave the
bait of malware-infected flash drives in conspicuous areas where potential victims are certain to see them.
When the victim inserts the flash drive into a work or home computer, the malware is automatically installed on
the system. Baiting scams also appear online in the form of tempting ads that lead to malicious sites or encourage
users to download a malware-infected application.

Social Engineering Prevention

○ Don't open email attachments from suspicious sources. Even if you do know the sender and the
message seems suspicious, it's best to contact that person directly to confirm the authenticity of the
message.

○ Use Multi-Factor Authentication (MFA). One of the most valuable pieces of information attackers
seek is user credentials. Using MFA helps to ensure your account's protection in the event of an
account compromise. Follow Computing Services instructions for downloading DUO two-factor
authentication to add another layer of protection for your Andrew account.

○ Be wary of tempting offers. If an offer seems too good to be true, it's probably because it is. Use a
search engine to look up the topic which can help you quickly determine whether you're dealing with
a legitimate offer or a trap.

○ Clean up your social media. Social engineers scour the Internet searching for any kind of
information they can find on a person. The more information you have posted about yourself, the
more likely it is that a criminal can send you a targeted spear phishing attack.

○ Install and update antivirus and other software. Make sure automatic updates are turned on.
Periodically check to make sure that the updates have been applied and scan your system daily for
possible infections. Visit Secure Your Computer on the Computing Services website for more
instructions on using and updating antivirus software.

○ Back up your data regularly. If you were to fall victim to a social engineering attack in which your
entire hard drive was corrupted, it is essential that you have a backup on an external hard drive or
saved in the cloud.

○ Avoid plugging an unknown USB into your computer. When a USB drive is found unattended,
please give it to a cluster consultant, the Computer Services Help Center, a residence assistant (RA),
or to Carnegie Mellon campus police.
○ You should also disable Autorun on your machine. Autorun is a feature that allows
Windows to automatically run the startup program when a CD, DVD, or USB device is
inserted into a drive.

○ Destroy sensitive documents regularly. All sensitive documents such as bank statements, student
loan information, and other account information should be physically destroyed in a cross-shredder
or placed in one of the blue or gray locked receptacles which are incinerated.

Email spam definition

Email spam includes unwanted or unsolicited emails that arrive in a user’s email inbox. Usually, email
spam is sent to a large number of recipients. Spam can be sent automatically by a botnet or by human senders.
If spam is not appropriately dealt with it can become troublesome for users to conduct work activity without
disruption from unwanted emails. Email spam also poses a security threat because messages can contain
malicious links or malware that can give a cyber-criminal access to a user’s device or the ability to find sensitive
data or account information.

What is a spammer?
A spammer is a person who sends unsolicited or unwanted emails. Typically, this entity is advertising or
promoting something. However, they can also be cyber-criminals who are distributing a large number of
malicious emails that contain malware or phishing scams.

How does spam email work?


The method of spamming has been around for quite some time and since then has become a common
method of cyber disruption. To launch an email spam attack, a cyber-criminal will use spambots, computer
systems that conduct repetitive tasks designed to assist in spamming activities, to gather email addresses available on the
internet and send out a large number of malicious emails. Spam emails use a “spray and pray” tactic which
involves sending spam emails in masses with the hope that a few individuals will mistakenly interact with the
spam content.

How to identify spam emails


Certain characteristics of an email will reveal to a user that it is spam. Here is what to look for:
Sender credentials
Check the sender of any unsolicited email to make sure that it is coming from a legitimate source.

Subject line
Spam emails will have vague subject lines or ones that attempt to alarm or call for urgent action. This might
come in the form of an alert or a fraudulent notification that your “account” is closing.

Requesting information
Spam emails are always trying to get their victims to divulge sensitive information. Never share your personal
account information unless you are 100% certain of the sender’s identity.
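The three indicators above (sender credentials, subject line, requests for information), plus a check that a link's visible text and its real destination agree, as an added example that is not from these notes or from any vendor product: a heuristic scorer run over three constructed messages. The trusted domain, the keyword lists and the two-hit threshold are assumptions for the demonstration.

```python
# Added example, not from the notes or any vendor product: heuristic scoring of
# constructed messages against the indicators listed above. Domains, keyword
# lists and the alert threshold are assumptions for the demonstration.
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain the recipient's organisation actually trusts (constructed).
TRUSTED_DOMAINS = {"bank.example"}

URGENCY_WORDS = ("urgent", "immediately", "suspended", "closing", "final notice", "verify")
REQUEST_PATTERNS = (r"\bpassword\b", r"verify your (account|identity)",
                    r"confirm your (account|details)", r"\bpin\b")


def sender_parts(from_header: str) -> tuple:
    """Split 'Bank Support <x@y.example>' into (display name, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def score_message(msg: dict, trusted: set = TRUSTED_DOMAINS) -> dict:
    """Apply four independent checks; two or more hits flags the message."""
    reasons = []
    name, domain = sender_parts(msg["from"])

    # 1. Sender credentials: display name borrows a trusted brand, address does not.
    brands = {t.split(".")[0] for t in trusted}
    if any(b in name for b in brands) and domain not in trusted:
        reasons.append("display name impersonates a trusted sender")

    # 2. Subject line: alarm or urgency.
    if any(w in msg["subject"].lower() for w in URGENCY_WORDS):
        reasons.append("urgent or alarming subject")

    # 3. Requesting information.
    body = msg["body"].lower()
    if any(re.search(p, body) for p in REQUEST_PATTERNS):
        reasons.append("asks for sensitive information")

    # 4. Link text that shows a trusted name but points somewhere else.
    for text, href in msg.get("links", ()):
        host = (urlparse(href).hostname or "").lower()
        if any(t in text.lower() for t in trusted) and host not in trusted:
            reasons.append("link text hides a different destination")
            break

    return {"flagged": len(reasons) >= 2, "score": len(reasons), "reasons": reasons}


# Three constructed messages: a credential-phishing attempt, a genuine
# statement notice, and a marketing mail that trips only one check.
SAMPLE_MESSAGES = {
    "phish": {
        "from": "Bank Support <alerts@bank-alerts.example>",
        "subject": "URGENT: your account is closing",
        "body": "Please verify your account by entering your password at the link below.",
        "links": [("https://bank.example/login", "https://bank.example.lookalike.example/login")],
    },
    "statement": {
        "from": "Bank Support <alerts@bank.example>",
        "subject": "Your monthly statement is ready",
        "body": "Your March statement is available in online banking.",
        "links": [("https://bank.example/statements", "https://bank.example/statements")],
    },
    "promo": {
        "from": "Deals <promo@deals.example>",
        "subject": "Final notice: sale ending immediately",
        "body": "Big discounts this week only.",
        "links": [],
    },
}


def demo() -> dict:
    return {key: score_message(msg) for key, msg in SAMPLE_MESSAGES.items()}
```

The "promo" message shows why a single indicator is not enough: an urgent subject line alone is ordinary marketing, so the scorer requires at least two independent signals before flagging. Production filters add sender authentication results (SPF, DKIM, DMARC) and reputation data on top of content heuristics like these.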
For organizations
Identifying spam emails can be a time-consuming task given that they come in large quantities and from a
variety of senders. Automated filtering can maximize the productivity of employees and declutter their inboxes
while reducing the workload of the security team. Tools such as Darktrace/Email can identify and tag emails that are
suspected of being spam or of posing other security risks like phishing scams, giving a detailed explanation of the
potential threat.

How to protect against spam email


There are several systems in place that protect email inboxes from spam mail. However, some organizations
might want to take extensive action in order to protect their employees’ inboxes to ensure business continuity
and productivity remain optimal. Email security options include:
Secure email gateways
A secure email gateway (SEG) or a secure email server (SEC) is a type of email security software that sits
between inbound and outbound email communication. Every email that is sent to and from an organization
passes through this gateway to ensure that its contents are not malicious or a sign of a data leak. It prevents
unwanted emails in user inboxes like spam, phishing emails, emails containing malware, etc… In many ways
email gateways are the first line of defense for email security.
AI Email solutions
Darktrace/Email uses artificial intelligence and machine learning algorithms to prevent, detect, respond to, and
heal from email attacks. Through its unique understanding of you, rather than knowledge of past attacks,
Darktrace/Email stops the most sophisticated and evolving email security risks like generative AI attacks, BEC,
account takeover, human error, and ransomware.

Trojan Horse Virus


A Trojan Horse Virus is a type of malware that downloads onto a computer disguised as a legitimate
program. The delivery method typically sees an attacker use social engineering to hide malicious code within
legitimate software in order to gain access to users' systems.

It is a type of malware that typically gets hidden as an attachment in an email or a free-to-download file,
then transfers onto the user’s device. Once downloaded, the malicious code will execute the task the attacker
designed it for, such as gaining backdoor access to corporate systems, spying on users’ online activity, or stealing
sensitive data.

How Do Trojans Work?


Unlike computer viruses, a Trojan horse cannot manifest by itself, so it needs a user to download the server
side of the application for it to work. This means the executable (.exe) file must be run and the program
installed for the Trojan to attack a device’s system.

A Trojan virus spreads through legitimate-looking emails and files attached to emails, which are spammed
to reach the inboxes of as many people as possible. When the email is opened and the malicious attachment is
downloaded, the Trojan server will install and automatically run every time the infected device is turned on.

Devices can also be infected by a Trojan through social engineering tactics, which cyber criminals use to
coerce users into downloading a malicious application. The malicious file could be hidden in banner advertisements,
pop-up advertisements, or links on websites.

A computer infected by Trojan malware can also spread it to other computers. A cyber criminal turns the
device into a zombie computer, which means they have remote control of it without the user knowing. Hackers can
then use the zombie computer to continue sharing malware across a network of devices, known as a botnet.

For example, a user might receive an email from someone they know, which includes an attachment that also
looks legitimate. However, the attachment contains malicious code that executes and installs the Trojan on their
device. The user often will not know anything untoward has occurred, as their computer may continue to work
normally with no signs of it having been infected.

The malware will reside undetected until the user takes a certain action, such as visiting a certain website or
banking app. This will activate the malicious code, and the Trojan will carry out the hacker’s desired action.
Depending on the type of Trojan and how it was created, the malware may delete itself, return to being dormant, or
remain active on the device.

Trojans can also attack and infect smartphones and tablets using a strand of mobile malware. This could
occur through the attacker redirecting traffic to a device connected to a Wi-Fi network and then using it to launch
cyberattacks.

How To Protect Yourself from Trojan Viruses

A Trojan horse virus can often remain on a device for months without the user knowing their computer has
been infected. However, suggestive signs of the presence of a Trojan include computer settings suddenly changing, a
loss in computer performance, or unusual activity taking place. The best way to recognize a Trojan is to search a
device using a Trojan scanner or malware-removal software.

Payload (computing)

In computing, a payload is the carrying capacity of a packet or other transmission data unit.
The term has its roots in the military and is often associated with the capacity of executable
malicious code to do damage. The term payload has two meanings: data payload, which is related
to the transport of data across a network, and malware payload, which refers to malicious code
used to exploit and compromise IT networks and systems.

Data payload. The payload of a specific network packet or other protocol data unit (PDU) is the
transmitted data sent by communicating endpoints; network protocols also specify the maximum
length allowed for packet payloads. The payload is then wrapped in a packet that contains
information such as media access control address and IP information, quality of service tags,
time-to-live data and checksums.

Malware payload. Payload in the context of malware refers to malicious code that causes harm to
the targeted victim. Malware payloads can be distributed by methods such as worms and phishing
emails. Today, malware authors typically encrypt the payload to hide the malicious code from
antimalware detection and remediation tools.

In the context of cybersecurity, a payload is a piece of malicious code that is designed to execute a
specific action on a target system. This code can take various forms, such as a virus, worm, or Trojan, and is
typically delivered to the target system through a vulnerability or security flaw. Once the payload is executed, it
can perform a wide range of actions, such as stealing sensitive information, disrupting system operations, or
taking control of the target system.

Payloads can be designed to operate in different ways, depending on the specific goals of the attacker.
For example, a payload may be designed to remain dormant on the target system until a certain trigger event
occurs, such as a specific date or time, or until the system performs a particular action. Alternatively, a payload
may be designed to activate immediately upon execution and begin its malicious activities right away.

Payloads are often part of larger cyberattacks that are designed to achieve specific goals, such as stealing
data or taking control of a system. These attacks may involve multiple stages, with the payload being delivered
to the target system as part of a later stage in the attack process. In some cases, the payload may be delivered
through a sophisticated phishing email or other social engineering technique, while in other cases, it may be
delivered through a vulnerability in a piece of software or hardware.
How a payload works in the context of cybersecurity

1. Delivery: First, the payload needs to get into the target system. This is often done through deceptive
means, like a phishing email, a compromised website, or an infected USB drive. It’s like our secret
agent sneaking into enemy territory in disguise.

2. Activation: Once inside, the payload waits for the right conditions to activate. This could be a specific
time, a certain user action, or when it reaches a particular part of the system. It’s as if our agent waits for
the signal to start the mission.

3. Execution: Here’s where the payload does its thing: the malicious activity. Depending on its design,
it might start deleting files, stealing data, encrypting files for ransom, or creating a backdoor for future
access. This is the agent carrying out the mission, the part that causes the damage or theft.

4. Spread (for some types of malware): In cases like worms, the payload not only executes its malicious
activity but also looks to replicate and spread to other systems. It’s like our agent recruiting more agents
to expand the operation.

Throughout this process, the payload often tries to stay hidden, using various techniques to avoid detection by
antivirus software or the user. This stealth aspect is crucial, as the longer a payload can operate undetected, the
more damage it can do or the more data it can steal.

Payload examples

Here are examples of a data payload and a malware payload:

● IP packet data payload. An IP packet consists of an Ethernet, IP and TCP header. This
information helps the packet adhere to the communication protocol standard and reach its
destination on the network. The payload portion of the packet contains the data that a
user or device wants to send.
● Phishing malware payload. In this scenario, a phishing email contains a self-replicating
virus stored within a macro of an Excel spreadsheet attachment.
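The IP packet example above, carried through in code. This is an added Python example, not part of the original notes: it builds a constructed Ethernet frame carrying an IPv4/TCP packet, then splits it back into its Ethernet, IP and TCP headers and the data payload, reading the TTL and verifying the IPv4 header checksum the text mentions. Addresses and ports are sample values.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes, ttl: int = 64) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + TCP headers wrapped around `payload`.
    Addresses are documentation/test values (RFC 5737 IPs, locally administered MACs)."""
    eth = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header with the checksum field zeroed, then filled in over the header bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, PROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its headers and the data payload, verifying the IPv4 header checksum."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)

    ip_start = ETH_HDR_LEN
    version = frame[ip_start] >> 4
    ihl = (frame[ip_start] & 0x0F) * 4          # header length in bytes (20 without options)
    if version != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    ip_hdr = frame[ip_start:ip_start + ihl]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    ttl, proto = ip_hdr[8], ip_hdr[9]
    # A header that verifies sums to zero once the stored checksum is included.
    checksum_ok = internet_checksum(ip_hdr) == 0

    result = {
        "src_ip": ".".join(map(str, ip_hdr[12:16])),
        "dst_ip": ".".join(map(str, ip_hdr[16:20])),
        "ttl": ttl, "protocol": proto, "checksum_ok": checksum_ok,
    }
    if proto != PROTO_TCP:
        result["payload"] = frame[ip_start + ihl:ip_start + total_len]
        return result

    tcp_start = ip_start + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_off = (frame[tcp_start + 12] >> 4) * 4   # TCP header length in bytes
    result.update(src_port=src_port, dst_port=dst_port)
    result["payload"] = frame[tcp_start + data_off:ip_start + total_len]
    return result


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\n")
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[ETH_HDR_LEN + 8] ^= 0x01          # flip one bit of the TTL field "in transit"
    print("checksum_ok after bit flip:", parse_frame(bytes(damaged))["checksum_ok"])
```

The final lines show why the header checksum exists: a single flipped bit in transit leaves the payload intact but makes the header fail verification, so the receiver discards the packet rather than trusting corrupted routing fields.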

Types of Payloads in Cybersecurity


In cybersecurity, payloads are malicious software code or programs that are designed to execute
unauthorized actions on a target system. They can be classified into various types based on their delivery
mechanism and functionality. Here are some of the most common types of payloads in cybersecurity:

1. Virus:
A virus is a type of malicious code that replicates itself by inserting copies of its code into other
programs or files on a system. Once activated, viruses can cause damage to files, slow down system
performance, and even steal data.
2. Trojan:
A Trojan is a type of malware that disguises itself as a legitimate program or software. Once
downloaded and executed, Trojans can perform a range of malicious actions, including stealing data,
creating backdoors, and launching attacks on other systems.
3. Worm:
A worm is a type of self-replicating malware that spreads across a network or the internet. Worms can be
designed to perform various malicious actions, such as stealing data or launching DDoS attacks.
4. Ransomware:
Ransomware is a type of malware that encrypts a victim's files and demands payment in exchange for
the decryption key. Ransomware attacks can be devastating, resulting in the loss of important data and
financial damages.
5. Rootkit:
A rootkit is a type of malware that is designed to hide its presence on a system. Rootkits can be used to
gain unauthorized access to a system or to hide other malicious activities from detection.
6. Exploit payloads:
Exploit payloads are designed to take advantage of vulnerabilities or security flaws in a target system.
Once the vulnerability is exploited, the payload can be used to execute malicious code or perform other
actions.
7. Auxiliary payloads:
Auxiliary payloads are designed to provide additional functionality to a primary payload.
For example, an auxiliary payload might be used to provide a backdoor into a target system or to enable
the attacker to communicate with the infected system.
8. Singles:
Singles are standalone payloads that can execute their malicious actions without the need for additional
code or components.
Examples of single payloads include executable files, scripts, and macros.
9. Keyloggers:
Keyloggers are a type of malware that is designed to record a victim's keystrokes. Keyloggers can be
used to steal passwords, credit card numbers, and other sensitive information.
10. Adware and Spyware:
Adware and spyware are types of malware that are designed to monitor a victim's internet activity and
display unwanted advertisements. Adware and spyware can also be used to steal personal information
and data.
11. Logic Bombs:
Logic bombs are payloads that are triggered by specific conditions, such as a specific date or time. Once
triggered, logic bombs can perform various malicious actions, such as deleting files or corrupting data.
12. Denial of Service (DoS) payloads:
DoS payloads are designed to overwhelm a target system with traffic or requests, rendering it
inaccessible to users. DoS attacks can be used to disrupt business operations, steal data, or extort
victims.
13. Distributed Denial of Service (DDoS) payloads:
DDoS payloads are similar to DoS payloads, but they are executed from multiple sources, making them
difficult to stop.
14. Backdoors:
Backdoors are hidden entry points into a system that are designed to bypass normal authentication
procedures. Backdoors can be used by attackers to gain unauthorized access to a system or to maintain
persistence on an already compromised system.

Data Corruption
Data corruption refers to any unwanted change that happens to a file during storage, transmission, or
processing. A corrupted file can become unusable, inaccurate, unreadable, or in some way inaccessible to a user
or a related app.

Most data corruptions occur when a file somehow flips or mixes its binary code (bits of 0s and 1s). Bits are
mixed up for many reasons, including hardware problems, software-based issues, and human mistakes.

Common symptoms of data corruption:


● A computer slows down or keeps freezing.
● Sudden program crashes.
● File names keep changing into nonsense characters.
● Inability to open a file or folder.
● Changes in file attributes.
● Relocated or lost data.
● Busy disk activity regardless of what's going on within the system.

Modern disks are not much safer than old ones in terms of data corruption—the probability of errors was just
lower with older hardware because it stored tiny amounts of data compared to current devices.

Recent studies revealed just how prone our systems are to data corruption:

● Greenplum tested their large-scale data warehouses and found that they face a corruption-related
problem every 15 minutes.
● CERN ran a six-month-long test on 97 petabytes of data to reveal that about 128 megabytes of data
suffered long-term corruption.
● NetApp tested 1.5 million HDDs over 41 months to discover more than 400,000 data corruptions (over
30,000 instances went unnoticed by the RAID controller).

Data Corruption Causes


Here are the most common causes of data corruption:

● Improper shutdowns due to a power outage or a hard restart (pressing and holding the power button).
● Hardware failures (e.g., a hard drive failure due to overheating, bad sectors (either hard or soft), physical
issues with the disk's "platter," bad RAM, an old HDD, motherboard problems, etc.).
● Faulty networking infrastructure (issues with network cards (NICs), cables, routers, hubs, a switch, etc.).
● Disconnecting or powering off an external hard drive or storage device before safely ejecting it.
● Failing or degraded portable storage media.
● Issues caused by insufficient disk space.
● Bad programming (e.g., a code bug that prevents a program from properly saving progress).
● Operating system errors (such as a sudden crash or freeze).
● Malicious code that a user accidentally installs on a device, such as a virus, malware, or ransomware.
● Software-based errors that occur during writing, editing, or transferring data to another drive.
● A failed or incompatible software update.
● A silo within error management.
● Environmental issues (extreme temperatures, heavy clouds, interference from household devices,
damage from a natural disaster, external vibrations or loud sounds that wear down hardware, etc.).


How to Detect Data Corruption?


Data corruption happens at any system level, from the host to the storage medium.

Common signs of data corruption are:

● Sudden system crashes.
● Slowed performance and freezes.
● Altered file or folder names.
● Missing or relocated files and folders.
● Getting an "invalid file format" or "[file name] is not recognized" error when trying to open a file.
● Regular blue screen of death (BSOD) errors.
● An unexpected change in file permissions or attributes.
● Physical symptoms (e.g., clicking sounds or excessive vibration).
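The signs listed above are what a user eventually notices; a practitioner detects corruption earlier by keeping an integrity baseline and re-checking it. The script below is an added Python example, not part of the original notes: it records the size and SHA-256 of every file in a constructed directory tree, then flags a silently flipped bit (same size, different content), a file that grew, and a lost file. The paths and file contents are sample data.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def file_sha256(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Record size and SHA-256 of every file under `root` (taken while the data is known-good)."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(path), "sha256": file_sha256(path)}
    return baseline


def verify_baseline(root: str, baseline: dict) -> dict:
    """Compare the current tree against the baseline; returns {relative path: finding}."""
    findings = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            findings[rel] = "missing"
        elif os.path.getsize(path) != expected["size"]:
            findings[rel] = "size changed"
        elif file_sha256(path) != expected["sha256"]:
            # Same size but different content: the signature of a silent bit flip
            findings[rel] = "content changed at same size"
    return findings


def flip_bit(path: str, byte_offset: int, bit: int) -> None:
    """Simulate silent corruption: flip a single bit in place without changing the size."""
    with open(path, "r+b") as fh:
        fh.seek(byte_offset)
        byte = fh.read(1)[0]
        fh.seek(byte_offset)
        fh.write(bytes([byte ^ (1 << bit)]))


def demo() -> dict:
    """Create a small constructed tree, baseline it, damage it three ways and report findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        files = {  # constructed sample files
            "docs/report.txt": b"Quarterly figures: 1200, 1350, 1410\n" * 50,
            "docs/notes.txt": b"Meeting notes.\n" * 20,
            "config.ini": b"[service]\nport=8080\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)
        flip_bit(os.path.join(root, "docs", "report.txt"), 27, 3)   # one bit, size unchanged
        os.remove(os.path.join(root, "docs", "notes.txt"))          # a lost file
        with open(os.path.join(root, "config.ini"), "ab") as fh:
            fh.write(b"debug=true\n")                                # a size change
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for rel, finding in sorted(demo().items()):
        print(f"{rel}: {finding}")
```

Checking size alone would have missed the flipped bit in report.txt; only the content hash catches it, which is why a baseline should store both.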

Prevent Data Corruption: Best Practices


While some amount of data corruption is unavoidable, there are ways to limit the number of data-damaging
errors. To prevent data corruption issues, apply the following best practices.

Zombies in Cyber Security


“Zombie” denotes a computer or electronic device compromised by malware or malicious
software. Once a computer has been infected with such software, an attacker sitting at some other
location can control it without the owner knowing about it. These infected computers are termed
‘zombies’.

Types of Zombies
Different types of zombies exist, each with a different malicious intent:
1. Botnet Zombies: These are devices or computers that have been infected with malware and are
controlled by central Command and Control (C&C) servers. Together these devices form a
network called a botnet, which lets the criminal coordinate cybercrimes such as distributing
spam or launching DDoS attacks.
2. Fileless Zombies: Traditional malware leaves traces on the affected system. A fileless zombie
operates in memory and leaves almost no trail on the hard drive, so it is largely undetectable by
traditional antivirus software, which makes it hard to identify and mitigate.
3. IoT Zombies: Many IoT devices, such as smart home, medical, or industrial devices, can be
compromised and converted into zombies. These infected devices can be used to launch a large
attack or can serve as the entry point into a larger network.
4. Ransomware Zombies: Some malware encrypts the victim’s files, locks them on the victim’s own
computer, and demands money to decrypt them. This type of attack is called a ransomware
attack. A device hit by such an attack can become a zombie controlled by the ransomware
operator.
5. Social Engineering Zombies: These “zombies” are not devices or computers; the term refers to
individuals who are manipulated into giving up sensitive information through social engineering
tactics. Attackers use techniques such as fake websites, phone calls, or phishing emails to
manipulate people into providing sensitive information or installing malware themselves.

How Do Zombies Work?


In cyber security, zombies play an important role in executing malicious intentions. Understanding how
zombies work is important for defending a system against, or preventing, a zombie attack. Here is an
overview of how zombies operate in the cyber world:
● Infection: Zombies are created when a computer becomes infected with malware. Visiting fake
websites, downloading malicious files, or opening infected attachments can expose a system to
malware. Once the system is infected, it is ready to start malicious activities.
● Remote Control: After the infection, a connection is set up between the attacker’s
command-and-control (C&C) server and the compromised device. The C&C server becomes the
central hub from which the attacker manages and controls the zombies. Over this connection the
attacker issues commands to the zombies without the knowledge of the owner.
● Botnet Formation: A botnet is a network of zombies, i.e. a collection of compromised devices
that work under the control of a single attacker. Botnets give the attacker large amounts of
computational power and resources, which are used for various malicious activities.
● Malicious Activities: Once the attacker has control, zombies can be instructed to perform
various activities:
    ● Distributed Denial-of-Service (DDoS) Attacks: Zombies can flood the targeted
    services with huge volumes of fake traffic, making the network inaccessible to
    authorized users.
    ● Spam and Phishing Campaigns: Zombies can be used to send spam emails or launch
    phishing attacks that trick users into revealing sensitive information.
    ● Malware Distribution: Zombies propagate malware by sending infected files or links
    to users and so infecting other computers.
    ● Data Theft: Personal data, intellectual property, and financial information can be
    stolen using a zombie network.
    ● Cryptocurrency Mining: Attackers may use the combined computational power of
    many compromised devices to mine cryptocurrencies.
● Persistence and Propagation: After a device becomes a zombie, its malware tries to propagate
further. It does this by taking advantage of vulnerabilities present in the system and in other
devices connected to the same network.
● Detection and Mitigation: Zombies work silently and try to hide, so detecting them is
challenging for defenders. Antivirus software, advanced threat detection systems, and network
monitoring play an important role in identifying and quarantining infected devices. Once a
zombie is detected, the malware is removed from the compromised device, and patches, stronger
security measures, and updates are applied to prevent further exploitation.
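A minimal version of the network-monitoring detection mentioned in the last point, as an added Python example that is not part of the original notes. It reads a constructed connection log and flags hosts that contact the same external address many times at near-constant intervals: the check-in ("beaconing") pattern of a zombie polling its C&C server. The log format, thresholds and addresses are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: "<timestamp> <src_ip> <dst_ip> <dst_port>", one flow per line.
# 10.0.0.5 checks in with 198.51.100.7 roughly every 60 s with a few seconds of jitter (beaconing);
# the other hosts show ordinary, irregular browsing. All addresses are private/documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 198.51.100.7 443
2024-05-01T10:00:05 10.0.0.8 198.51.100.20 443
2024-05-01T10:00:07 10.0.0.8 198.51.100.20 443
2024-05-01T10:00:30 10.0.0.8 198.51.100.33 80
2024-05-01T10:01:01 10.0.0.5 198.51.100.7 443
2024-05-01T10:01:59 10.0.0.5 198.51.100.7 443
2024-05-01T10:03:00 10.0.0.5 198.51.100.7 443
2024-05-01T10:03:40 10.0.0.8 198.51.100.20 443
2024-05-01T10:04:02 10.0.0.5 198.51.100.7 443
2024-05-01T10:04:58 10.0.0.5 198.51.100.7 443
2024-05-01T10:06:00 10.0.0.5 198.51.100.7 443
2024-05-01T10:07:01 10.0.0.5 198.51.100.7 443
2024-05-01T10:07:59 10.0.0.5 198.51.100.7 443
2024-05-01T10:09:00 10.0.0.5 198.51.100.7 443
2024-05-01T10:09:12 10.0.0.8 198.51.100.20 443
2024-05-01T10:09:15 10.0.0.8 198.51.100.20 443
2024-05-01T10:12:44 10.0.0.9 198.51.100.51 443
2024-05-01T10:20:00 10.0.0.8 198.51.100.20 443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst, dst_port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Mean and coefficient of variation (stdev / mean) of the gaps between connections."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(flows: dict, min_connections: int = 6, max_cv: float = 0.2) -> list:
    """Flag flows with many connections at near-constant intervals.

    Human or ordinary application traffic has widely varying gaps (cv near or above 1);
    a zombie polling its C&C server on a timer keeps a low cv even with some jitter.
    """
    suspects = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            suspects.append({"src": src, "dst": dst, "port": port, "count": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(suspects, key=lambda s: s["cv"])


if __name__ == "__main__":
    for s in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {s['src']} -> {s['dst']}:{s['port']} "
              f"{s['count']} connections, period ~{s['period_s']}s, cv={s['cv']}")
```

On real data, tune min_connections and max_cv against known-good software that also polls on a timer (update checkers, monitoring agents), and treat a hit as a lead for the quarantine-and-clean step described above rather than as proof of infection.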

Prevention of Zombie Infections


Preventing zombie infections is crucial in cyber security; only with such prevention can we maintain
a secure and resilient network. Some preventive measures that help reduce the risk of zombies are
given below:
● Implement Robust Security Measures: Build a layered defense comprising firewalls, intrusion
detection/prevention systems, and antivirus/antimalware software. These security measures
reduce the chance of a computer becoming a zombie.
● Regular Software Updates and Patching: Keep all software, operating systems, and
applications up to date. Unpatched software helps the attacker infect devices and create
zombies; regular software updates reduce the chances of infection.
● User Education and Awareness: Educate users about safe online practices: not clicking unknown
links, not downloading from untrusted sources, and the risk of opening suspicious emails.
Encourage two-factor authentication and strong password management; users who are unaware
of social engineering tactics are a common route to malware infections and zombie creation.
● Email and Web Filtering: Deploying robust email and web filtering solutions can help block
malicious links, attachments, or websites. These filters can stop users from visiting
compromised websites or downloading malicious attachments that lead to zombie infections.
● Network Segmentation: Network segmentation isolates sensitive data and critical systems from
the rest of the network. This helps restrict the lateral movement of zombies across the
network.
● Incident Response Planning: An incident response plan defines the action to be taken
whenever a zombie outbreak is detected. The plan should include steps for identifying,
isolating, and removing infected devices and for keeping the remaining systems secure.
● Regular Backups and Disaster Recovery: When a zombie attack happens, a reliable backup can
facilitate system recovery and minimize data loss. Ensure data is backed up and periodically
test the restore process to confirm that it works.

Keyloggers
A keylogger or keystroke logger/keyboard capturing is a form of malware or hardware that keeps track of and
records your keystrokes as you type. It takes the information and sends it to a hacker using a command-and-control
(C&C) server. The hacker then analyzes the keystrokes to locate usernames and passwords and uses them to hack
into otherwise secure systems.

Types of Keyloggers

A software keylogger is a form of malware that infects your device and, if programmed to do so, can spread to other
devices the computer comes in contact with. A hardware keylogger cannot spread from one device to another, but,
like a software keylogger, it transmits information to the hacker or hacking organization, which they will then use to
compromise your computer, network, or anything else that requires authentication to access.

Software Keyloggers

Software keyloggers consist of applications that have to be installed on a computer to steal keystroke data. They are
the most common method hackers use to access a user’s keystrokes.

A software keylogger is put on a computer when the user downloads an infected application. Once installed, the
keylogger monitors the keystrokes on the operating system you are using, checking the paths each keystroke goes
through. In this way, a software keylogger can keep track of your keystrokes and record each one.

After the keystrokes have been recorded, they are then automatically transferred to the hacker that set up the
keylogger. This is done using a remote server that both the keylogger software and the hacker are connected to. The
hacker retrieves the data gathered by the keylogger and then uses it to figure out the unsuspecting user’s passwords.

The passwords stolen using the keylogger may include email accounts, bank or investment accounts, or those that
the target uses to access websites where their personal information can be seen. Therefore, the hacker's end goal may
not be to get into the account for which the password is used. Rather, gaining access to one or more accounts may
pave the way for the theft of other data.

Hardware Keyloggers

A hardware keylogger works much like its software counterpart. The biggest difference is hardware keyloggers have
to be physically connected to the target computer to record the user's keystrokes. For this reason, it is important for
an organization to carefully monitor who has access to the network and the devices connected to it.

If an unauthorized individual is allowed to use a device on the network, they could install a hardware keylogger that
may run undetected until it has already collected sensitive information. After hardware keystroke loggers have
finished keylogging, they store the data, which the hacker has to download from the device.

The downloading has to be performed only after the keylogger has finished logging keystrokes. This is because it is
not possible for the hacker to get the data while the keylogger is working. In some cases, the hacker may make the
keylogging device accessible via Wi-Fi. This way, they do not have to physically walk up to the hacked computer to
get the device and retrieve the data.

How Keyloggers Attack Your Device?


To gain access to your device, a keylogger has to be installed inside it or, in the case of a hardware keylogger,
physically connected to your computer. There are a few different ways keyloggers attack your device.

Spear Phishing

Spear phishing is one of the most prominent methods of initiating a malware infection. In most cases, a phishing
email or link is used to target a consumer. The link looks legitimate—it may even appear to come from a relative or a
friend. However, after you open the email or click on a link, a keylogger is installed on your device. Spear-phishing
attacks may also be used to launch a sextortion attack.

Drive-by Download

Drive-by downloading refers to when a keylogger is installed on your computer without you knowing. This is often
accomplished using a malicious website. When you visit the site, malware gets installed on your computer. It then
works in the background, undetected, logging your keystrokes, then sending them to the attacker.

Trojan Horse
It is common for Trojan horses to have keyloggers bundled inside. A Trojan horse, similar to the one used in the
Greek myth, appears to be benevolent. When the user opens it, malware containing a keylogger gets installed on
their device. The malware, once installed, keeps track of the user's keystrokes and then reports them to a device
accessed by the hacker.

How to Protect My Devices from Keylogging?


The best way to protect your devices from keylogging is to use a high-quality antivirus or firewall. You can also take
other precautions to make an infection less likely.

You may use a password manager to generate highly complex passwords—in addition to enabling you to see and
manage your passwords. In many cases, these programs are able to auto-fill your passwords, which allows you to
bypass using the keyboard altogether.

If you are not typing, a keylogger cannot record any strokes, and since password characters are usually replaced by
asterisks, even a video surveillance system would not be able to figure out what was entered. In addition, use
multi-factor authentication (MFA) when you have the option. A keylogger may deduce your password, but the
second phase of the authentication process may deter them.

A virtual keyboard can also help prevent keyloggers from accessing your keystrokes. Even a hypervisor-based
keylogger, which uses a separate operating system running underneath your main one, cannot access keystrokes
performed on a virtual keyboard. On a Windows computer, you can press the Windows key and “R” at the same time
to access its virtual keyboard.

It is also a good idea to periodically check the hardware connections on your computer. While hardware keyloggers
are not as common, the back of a PC’s tower may be an inviting attack surface for a keylogging hacker. This is also
true when working on a public computer. The attacker may have installed a hardware keylogger days or weeks
before you log in to your bank, brokerage, or email accounts.

Spyware
Spyware is malicious software that enters a user’s computer, gathers data from the device and user, and sends it to
third parties without their consent. A commonly accepted spyware definition is a strain of malware designed to
access and damage a device without the user’s consent.

Spyware collects personal and sensitive information that it sends to advertisers, data collection firms, or malicious
actors for a profit. Attackers use it to track, steal, and sell user data, such as internet usage, credit card, and bank
account details, or steal user credentials to spoof their identities.

Spyware is one of the most commonly used cyberattack methods that can be difficult for users and businesses to
identify and can do serious harm to networks. It also leaves businesses vulnerable to data breaches and data misuse,
often affects device and network performance, and slows down user activity.

The term "spyware" first emerged in online discussions in the 1990s, but only in the early 2000s did cybersecurity
firms use it to describe unwanted software that spied on their user and computer activity. The first anti-spyware
software was released in June 2000, then four years later, scans showed that around 80% of internet users had their
systems affected by spyware, according to research by America Online and the National Cyber Security Alliance.
However, 89% of users were unaware of the spyware’s existence and 95% had not granted permission for it to be
installed.

Types of Spyware

Attackers use various types of spyware to infect users’ computers and devices. Each spyware variety gathers data for
the attacker, with the lesser types only monitoring and sending data to a third party. More advanced and dangerous
spyware types will also make modifications to a user’s system that result in the user being exposed to further threats.

Some of the most commonly used types of spyware include:

1. Adware: This sits on a device and monitors users’ activity then sells their data to advertisers and malicious
actors or serves up malicious ads.
2. Infostealer: This is a type of spyware that collects information from devices. It scans them for specific data
and instant messaging conversations.
3. Keyloggers: Also known as keystroke loggers, keyloggers are a type of infostealer spyware. They record the
keystrokes that a user makes on their infected device, then save the data into an encrypted log file. This
spyware method collects all of the information that the user types into their devices, such as email data,
passwords, text messages, and usernames.
4. Rootkits: These enable attackers to deeply infiltrate devices by exploiting security vulnerabilities or logging
into machines as an administrator. Rootkits are often difficult and even impossible to detect.
5. Red Shell: This spyware installs itself onto a device while a user is installing specific PC games, then tracks
their online activity. It is generally used by developers to enhance their games and improve their marketing
campaigns.

Spyware Protection
Spyware and other malicious attack methods are a constant threat to any device connected to the internet. Therefore,
the first line of defense against spyware is to deploy an internet security solution that includes proactive
anti-malware and antivirus detection. In addition, tools like antispam filters, cloud-based detection, and virtual
encrypted keyboards are useful to eliminate potentially malicious risks.

Some spyware types are also able to install software and modify the settings on a user’s device. This means it is also
vital for users to use secure passwords, not recycle their credentials on multiple applications and websites, and use
processes like multi-factor authentication (MFA) to keep their identity secure and their devices updated.

In addition to software, there are several steps that can be taken to protect devices and systems:

1. Cookie consent: It can be easy for users to simply click "accept" on the cookie consent pop-ups that appear
on nearly every website they visit. However, they need to be careful about issuing their consent every time
and only accept cookies from websites they trust.
2. Browser extensions: Users can also install anti-tracking extensions that prevent the relentless online tracking
of their activity on web browsers. These extensions can block activity tracking by both reputable sources and
malicious actors, keeping users’ data private when they access the internet.
3. Security updates: Updating software with the latest versions is vital to preventing spyware and other types of
malware. Spyware typically makes its way onto devices through gaps in code or vulnerabilities in operating
systems. So it is important to constantly patch potential issues and fix vulnerabilities immediately.
4. Avoid free software: It can be appealing to download free software, but doing so can have costly
ramifications for users and their organizations. The free software may be insecure and the creator can make a
profit from users’ data.
5. Use secure networks: Unsecured Wi-Fi networks are an easy resource for hackers to breach devices. Avoid
using free Wi-Fi networks, and only connect to trusted, secure networks.
6. Best practice and behavior: Practicing good cybersecurity behavior is crucial to avoiding spyware. All users
need to be aware of the security risks they face, avoid opening emails or downloading files from people they
do not know, and make it a habit to hover over links to check if they are reputable before clicking on them.

Stealth Virus
Stealth is the term used to describe techniques used to make malware inconspicuous – that is, to conceal
any changes made by the malware to the infected system. This includes, for example, rootkits.

How Stealth Viruses Infect Computers

A stealth virus can infect a computer system in a number of ways: for instance, when a user downloads a
malicious email attachment, installs malware masquerading as a legitimate program from a website, or uses unverified
software infected with malware. Like other viruses, it can take over a wide variety of system tasks and can
affect the computer's performance. Antivirus programs would normally detect the malware while it performs such
tasks, but a stealth virus is designed to actively remain hidden from them. It accomplishes this by temporarily
moving itself away from the infected file, copying itself to another drive, and replacing itself with a clean
file. The stealth virus can also avoid detection by concealing the size of the file it has infected.

How to Protect Yourself

You can detect the virus by starting the system via a disk boot — to avoid systems the virus has control over —
and then beginning an antivirus scan. However, even if detected here, there is a chance the virus has copied
itself into another file on the system, so it remains a challenging virus to fully eradicate. In general, the best
countermeasure is to use strong antivirus software designed to detect viruses and their hidden counterparts.

Backdoors
Every computer system has an official means by which users are supposed to access it.
Often, this includes an authentication system where the user provides a password or other type of
credential to demonstrate their identity. If the user successfully authenticates, they are granted
access to the system with their permissions limited to those assigned to their particular account.

While this authentication system provides security, it can also be inconvenient for some users, both
legitimate and illegitimate. A system administrator may need to gain remote access to a system that
is not designed to allow it. An attacker may want to access a company’s database server despite
lacking the credentials to do so. The manufacturer of a system may include a default account to
simplify configuration, testing, and deployment of updates to a system.

In these cases, a backdoor may be inserted into a system. For example, a system administrator may
set up a web shell on a server. When they want to access the server, they visit the appropriate site
and can send commands directly to the server without needing to authenticate or configure
corporate security policies to accept a secure remote access protocol like SSH.

Types of Backdoors
Backdoors come in many forms. A few of the most common types include:
● Trojans: Most backdoor malware is designed to slip past an organization’s defenses,
providing an attacker with a foothold on a company’s systems. For this reason, they are
commonly trojans, which pretend to be a benign or desirable file while containing malicious
functionality, such as supporting remote access to an infected computer.
● Built-in Backdoors: Device manufacturers may include backdoors in the form of default
accounts, undocumented remote access systems, and similar features. While these systems
are typically intended only for the manufacturer's use, they are often impossible to disable,
and no backdoor remains secret forever, so these security holes end up exposed to attackers.
● Web Shells: A web shell is a web page designed to take user input and execute it within the
system terminal. These backdoors are commonly installed by system and network
administrators to make it easier to remotely access and manage corporate systems.
● Supply Chain Exploits: Web applications and other software often incorporate third-party
libraries and code. An attacker may incorporate backdoor code into a library in the hope that
it will be used in corporate applications, providing backdoor access to systems running the
software.

Prevent a Backdoor Attack

Some best practices for protecting against exploitation of backdoors include:

● Changing Default Credentials: Default accounts are some of the most common types of
backdoors. When setting up a new device, disable the default accounts if possible, and, if
not, change the password to something other than the default setting.
● Deploying Endpoint Security Solutions: Backdoors are commonly implemented as trojan
malware. An endpoint security solution may detect and block known malware or identify
novel threats based on unusual behavior.
● Monitoring Network Traffic: Backdoors are designed to provide remote access to systems
via alternative means that bypass authentication systems. Monitoring for unusual network
traffic may enable the detection of these covert channels.
● Scanning Web Applications: Backdoors may be deployed as web shells or integrated into
third-party libraries or plugins. Regular vulnerability scanning can help to identify these
backdoors in an organization’s web infrastructure.
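The "monitoring network traffic" measure above can be made concrete: a backdoor that polls its operator produces outbound connections to one destination at near-constant intervals, which ordinary user traffic rarely does. The script below is an added example, not part of the handout; it groups constructed connection records by source and destination and flags pairs whose connection timing shows little jitter.

```python
"""Added example, not part of the handout: beacon detection over connection
logs. Each record is 'timestamp source destination:port bytes'; the records
in LOG are constructed. Flows with many connections at near-constant
intervals are reported as candidate backdoor heartbeats."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: one host polls a server every minute, another
# host browses the same kind of server at irregular, human-driven times.
LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9:443 512
2024-05-01T10:00:07 10.0.0.7 198.51.100.4:443 8123
2024-05-01T10:01:00 10.0.0.5 203.0.113.9:443 516
2024-05-01T10:01:42 10.0.0.7 198.51.100.4:443 22310
2024-05-01T10:02:01 10.0.0.5 203.0.113.9:443 512
2024-05-01T10:03:00 10.0.0.5 203.0.113.9:443 514
2024-05-01T10:03:55 10.0.0.7 198.51.100.4:443 9011
2024-05-01T10:04:00 10.0.0.5 203.0.113.9:443 512
2024-05-01T10:09:12 10.0.0.7 198.51.100.4:443 640
"""


def parse_log(log: str) -> dict[tuple[str, str], list[tuple[datetime, int]]]:
    """Group (timestamp, bytes) records by (source, destination:port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_score(events, min_events: int = 4):
    """Return (mean_gap_seconds, jitter) for a flow, or None if too few events.

    jitter is the coefficient of variation of the gaps between consecutive
    connections: near 0 means a clock-like heartbeat, large means bursty or
    human-driven traffic.
    """
    if len(events) < min_events:
        return None
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_beacons(log: str, max_jitter: float = 0.2, min_events: int = 4) -> list[dict]:
    """Return the flows whose timing looks like a beacon, most regular first."""
    hits = []
    for (src, dst), events in parse_log(log).items():
        score = beacon_score(events, min_events)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(events),
                         "interval_s": round(avg), "jitter": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print(f"{hit['src']} -> {hit['dst']}: every ~{hit['interval_s']}s "
              f"x{hit['connections']}, jitter {hit['jitter']}")
```

Legitimate software (update checks, monitoring agents, NTP) also beacons, so the output is a list to check against the known agents in the environment rather than a verdict.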

Rootkit

A rootkit is a type of malware that enables cyber criminals to gain access to a machine and exfiltrate data from
it without being detected.

The term covers software toolkits designed to infect computers, give the attacker remote control, and remain
hidden for a long period of time. As a result, rootkits are among the most difficult malware strains to discover
and remove, and they are frequently used to eavesdrop on users and launch attacks on machines.

Rootkit malware can contain multiple malicious tools, which typically include bots to launch distributed
denial-of-service (DDoS) attacks; software that can disable security software, steal banking and credit card
details, and steal passwords; and keystroke loggers. A rootkit usually provides an attacker with a backdoor into
a machine, which gives them access to the infected computer and enables them to change or remove software
and components when they choose.

Types of Rootkits
Rootkits can be installed through several methods, but they typically target a vulnerability in a machine's operating
system (OS) or in an application on the machine. Attackers target known vulnerabilities and use exploit code to attack
a machine, then install a rootkit and other components that give them remote access.

Another common rootkit installation method is through infected universal serial bus (USB) drives that attackers
leave in public places in the hope that unwitting victims will pick them up and plug them into a machine. The
malware hidden on a USB drive will then install as part of an application or file that appears to be legitimate.

However, rootkits are not only used for malicious purposes. They are also used by organizations and law
enforcement to monitor employees, which enables them to investigate machines and counter possible cyber threats.

There are several types of rootkit, each giving attackers a different route into a computer and a way to steal data
from users.

1. Firmware Rootkits

A firmware rootkit, also known as a hardware rootkit, typically aims to infect a computer’s hard drive and basic
input/output system (BIOS), the software installed onto a small memory chip in the motherboard. Some firmware
rootkits can be used to infect a user’s router, as well as intercept data written on hard disks.

2. Bootloader Rootkits

A bootloader is an important element of any computer and is central to a machine booting up. This special
software loads the OS into the computer's memory after it starts up; it is typically launched from a compact disc
(CD) or digital versatile disc (DVD), a hard drive, or a USB stick, and the BIOS is told where to find it. A bootloader
rootkit attacks this system by replacing a machine's bootloader with a hacked version.

A bootloader rootkit infects the master boot record or volume boot record, which means it does not show up in users’
standard file systems. This makes it extremely difficult for the rootkit to be detected by anti-rootkit and antivirus
software. It may also modify boot records, which could damage a machine when removed.

3. Memory Rootkit

A memory rootkit hides in a machine's random access memory (RAM), the hardware that holds running programs
and their data. These rootkits only have short lifespans, but they can carry out extremely harmful activity
in the background of a machine.

Memory rootkits live in a machine’s RAM and typically disappear when the system is rebooted, but they can
sometimes require additional work to be removed. They reduce the performance of a machine’s RAM by eating up
resources with their malicious processes.

4. Application Rootkit

An application rootkit replaces the files on a computer with malicious rootkit files, which changes the performance
of standard applications like Notepad, Paint, or Word. Every time a user runs these applications, they give the hacker
access to their computer. The infected programs run as usual, which can make it difficult to detect that a rootkit is
present, but they should be discovered with good anti-rootkit or antivirus programs.
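Both the stealth-virus advice earlier (boot from clean media, then scan) and the application rootkit above come down to the same check: compare the files on disk against a baseline taken while the system was known to be clean. The script below is an added example, not code from the handout; it builds a constructed file tree in a temporary directory, baselines it, tampers with it the way an application rootkit would, and reports the differences.

```python
"""Added example, not part of the handout: a baseline-and-compare integrity
check of the kind run from a clean boot medium to catch files that a stealth
virus or an application rootkit has replaced. The file tree is constructed
in a temporary directory; no real system files are touched."""
import hashlib
import os
import tempfile

Snapshot = dict[str, tuple[int, str]]  # relative path -> (size, sha256)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root. Size is recorded as well, but the
    hash is what matters: a stealth virus may keep the reported size intact."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest.hexdigest())
    return snap


def compare(baseline: Snapshot, current: Snapshot) -> dict[str, list[str]]:
    """Classify every path as modified, added or removed relative to baseline."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, entry in sorted(current.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif entry != baseline[rel]:
            report["modified"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict[str, list[str]]:
    """Baseline a small tree, tamper with it like a rootkit would, re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "notepad.exe"), b"clean image of notepad")
        _write(os.path.join(root, "bin", "paint.exe"), b"clean image of paint")
        _write(os.path.join(root, "docs", "readme.txt"), b"documentation")
        baseline = snapshot(root)  # taken while the system is known clean

        # Same-size replacement: size alone would not reveal it, the hash does.
        _write(os.path.join(root, "bin", "notepad.exe"), b"dirty image of notepad")
        # A dropped helper component and a deleted file.
        _write(os.path.join(root, "bin", "hook.dll"), b"extra component")
        os.remove(os.path.join(root, "docs", "readme.txt"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored off the machine and the comparison run from clean media, otherwise a resident stealth virus or kernel rootkit can feed the hashing code the clean copy it wants seen.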

5. Kernel Mode Rootkits

Kernel mode rootkits are pieces of advanced, complex malware that target a machine's OS. They give an attacker
easy access to a machine, enabling them to steal data and modify how the OS works by adding, deleting, or
replacing its code.

Creating a kernel mode rootkit requires significant technical knowledge, which means if it has bugs or glitches, then
it could have a huge impact on the infected machine’s performance. However, a kernel rootkit laden with bugs is
easier to detect as it leaves a trail for anti-rootkit or antivirus software.

These rootkit types have been used to create devastating attacks, including:

1. NTRootkit: One of the first malicious rootkits created, which targeted the Windows OS.
2. Machiavelli: The first rootkit to target the Mac OS. The 2009 Machiavelli rootkit attack created hidden
kernel threads and hidden systems within Mac machines.
3. Zeus: A Trojan horse attack launched in 2007 that targeted banking information using a man-in-the-browser
(MITB) attack method, alongside form grabbing and keystroke logging.
4. Stuxnet: First discovered in 2010, the first known rootkit to specifically target industrial control systems and
cause the equipment they run to malfunction.
5. Flame: Discovered in 2012, attacks Windows computers and can record audio, keyboard activity, network
traffic, and screenshots.
6. Necurs: The rootkit behind one of the biggest active botnets, which was responsible for spreading the
Locky ransomware spam campaigns and the Dridex financial malware. Necurs protects other malware
strains, enslaving a machine to the botnet and ensuring the infection cannot be removed.
7. ZeroAccess: The rootkit malware that created the ZeroAccess botnet, which eats up resources while mining
for Bitcoin and spamming users with ads. The botnet contained up to 2 million machines, most of which were
taken down by various security firms and agencies. However, variations of ZeroAccess are still available and
active.

Rootkit Protection and Removal

Rootkits are one of the most difficult malware programs to remove from infected machines. As a result, there is no
guaranteed method for recovering a machine infiltrated by a rootkit, but there are steps that users and organizations
can take to protect their computers and remove the malware.

Once a rootkit has been detected, the following process should be followed to remove it:

1. Back up vital data: The rootkit’s reaction upon removal is unpredictable, and it may have defensive measures
built in that could affect or damage the machine’s performance. Back up any important data and files that
need to be retained from the machine.
2. Boot up in safe mode: Many rootkits attempt to prevent a user from installing security solutions or removing
the malware. In this case, restart the machine in safe mode with networking (by pressing F8 on the Windows
boot screen) to limit the rootkit's access.
3. Use multiple rootkit scan tools: The wide range of rootkit families means that not all rootkit scans will be
capable of discovering them. It is therefore important to use a combination of scanners that offer different
capabilities.
4. Freeze remaining malware: Removing the rootkit alone does not guarantee that the machine is clean.
It may have been infected by other malware that remains active or is designed to evade rootkit scans. Other
security solutions can freeze any malware that remains on the system, which enables malware removal
programs to clean up any malicious software.
5. Advanced rootkit removal: Some rootkit types are particularly difficult to remove. For example, a firmware
or hardware rootkit is unlikely to be removed by standard rootkit scans, and the user may need to back up
and wipe their data from the machine and reinstall the OS. However, in the case of a rootkit targeting the
BIOS, even a wipe and a reinstall may not be enough to remove the malicious software. This may require the
BIOS drive to be wiped and replaced along with a hard reset of the machine.

Countermeasures
Countermeasures in computer security refer to methods to protect computer systems and networks from
cyber threats. Employing countermeasures in computer security often safeguards valuable digital assets and
sensitive information from a variety of threats. Countermeasures can be used to detect, prevent or mitigate
the impact of an attack on an organization's computer system, network or device. As cyber threats grow, the
need for effective countermeasures becomes more vital than ever. This prompts organizations and
individuals alike to take proactive steps to defend their digital environments effectively.

Why Does it Matter?

Countermeasures are significant because they support the prevention and mitigation of threats in the event
of a security event. Most countermeasures are used to address security threats, such as cyberattacks, and are
designed to minimize the damage and disruption caused by these incidents.

Countermeasures can also address other types of risk, such as financial or operational risks or reputational
risks. For example, a company might implement countermeasures to prevent fraud or ensure operations
continue smoothly in the event of an unforeseen disruption. Countermeasures help organizations better
manage risk and minimize security issues and events.

Types of Countermeasures
When it comes to computer security, countermeasures are fundamental in ensuring the protection against
attacks to the systems, networks and devices within a company. Many countermeasures that organizations
can take range from physical security measures to more technical cybersecurity solutions that effectively
protect internal devices and systems. Below are several of the common types of countermeasures that can
be found in relation to computer security.

Physical Security Countermeasures

This type of countermeasure includes physical security attributes such as security locks, fencing, security
personnel, surveillance equipment and cameras, and other physical security necessities. These types of
countermeasures are designed to prevent unauthorized access to the on-site premises for organizations such
as buildings, corporate campuses, facilities, offices and data centers. This type of countermeasure can also
be used in correlation with electronic identity access control measures or biometric authentication.

Operational Security Countermeasures

Operational security countermeasures focus on methods which include processes and protocols that can
prevent or reduce the impact of a particular threat. These can include emergency scenarios involving fire
drills, evacuation plans, natural disasters or backup power systems in the event of an operational disruption
to the organization.

Financial Countermeasures
Financially related countermeasures include monetary controls, which can consist of audits, inspections and
fiscal tracking. This ensures that measures are in place to protect business assets and financial information
in order to protect against financial fraud, money laundering or other monetary-related infractions.

Legal Countermeasures
Countermeasures related to legalities often involve laws and regulations that impose penalties or sanctions
on individuals or organizations that engage in adverse activities. Legal countermeasures can involve
organizations establishing protective actions that include copyright, trademarking and intellectual property.
This can support businesses against brand reputation damage and other illicit activities that can cause harm
to the company.

Common Countermeasures Used in Computer Security

As cyberattacks have grown in complexity and frequency, it has become increasingly imperative for
organizations to stay informed and vigilant about the various computer security countermeasures that can
be taken. Protecting information and systems from unauthorized access, use, tampering or destruction is
essential to maintaining the integrity and confidentiality of sensitive information for companies.

These methods are commonly used to fortify computer systems against malicious actors and play a significant
role in safeguarding company digital assets. The following are some of the common countermeasures used in
computer security.

Identity and Access Management (IAM)

IAM involves identifying, authenticating and authorizing users and devices to access resources within a
computer system or network. This process is crucial to preventing unauthorized access to sensitive
information and systems. Implementing IAM as part of an organization's countermeasures can include
password policies, multi-factor authentication and role-based access controls. IAM can help mitigate
insider threat security concerns and external threat actors from accessing internal devices, networks and
systems successfully.

Network Security Controls

Network security controls as countermeasures aim to protect the integrity and confidentiality of data
transmitted across an organization's networks. These security measures can help prevent hackers from
infiltrating internal networks and systems, or limit the damage when they do. Some countermeasures organizations
and their teams use in relation to computer security involve firewalls and VPNs. They can also set up network
segmentation. These measures provide a barrier against external attack vectors and protect data transmitted
between less secure portions of the network and to and from the internet directly.

Intrusion Detection and Prevention Systems

Intrusion detection and prevention systems (IDPS) identify and respond to potential threats in real time,
mitigating the impact of an attack. These countermeasures, when used in computer security, can be pivotal
to reducing the severity and damage of an ongoing attack. IDPS can also quarantine malware threats and
other attack methods cybercriminals employ to attack organizations. Some of the IDPS countermeasures
used in computer security include honeypots to attract attackers for threat intelligence purposes, security
information and event management (SIEM) systems, signature- and anomaly-based detection, anti-malware,
and antivirus software.

Data Loss Prevention and Recovery

In today's complex threat landscape, even the most robust computer security measures can still be attacked.
Therefore, employing countermeasures such as data loss prevention (DLP) and recovery measures focuses
on safeguarding sensitive information and ensuring that data can be restored in the event of a breach or
system failure. Common DLP and recovery countermeasures include employing programs providing
regular backups, disaster recovery, data leak prevention, dark web monitoring and brand protection.

Steps to Implement
Computer security countermeasures are essential to safeguard against potential security threats and protect
organizational systems. Implementing countermeasures effectively in computer security involves a series of
steps to identify, assess and mitigate potential risks.

Here are a few steps organizations can take to implement countermeasures efficiently:

1. Conduct risk assessments periodically. Performing a comprehensive risk assessment of the
organization can help to identify potential threats, vulnerabilities and the potential impact of those
risks on it. It helps your IT and security teams to better prioritize countermeasures and allocate
resources efficiently.
2. Establish practical computer security controls and policies. Implementing security controls along
with a practical cybersecurity policy can mitigate vulnerabilities. Fundamental policies and controls
in place can include company best practices to fit your industry, acceptable use capabilities and
other security-related procedures designed to protect systems, networks and devices from internal
and external vulnerabilities.
3. Develop an incident response plan. A detailed incident response plan can outline how your
organization will respond to security incidents effectively. This plan should include the roles and
responsibilities of teams in the event of a cybersecurity incident occurring. It should also include
communication protocols and steps for containment, remediation and recovery.
4. Plan regular audits and testing. By performing regular system audits and testing, organizations can
get a clearer picture of how effectively their security controls are currently working. Testing and
system auditing can also help identify any potential gaps in your defenses. Some of these processes
may include vulnerability scans, internal phishing campaigns, penetration testing and security
audits.
5. Monitor, analyze and patch regularly. Continuously monitoring the systems, networks and
applications of an organization can help teams look for signs of unauthorized access or any
malicious activity. Also, having them review and analyze vulnerabilities and provide patch
management capabilities can help to better protect systems from adversaries.
