Viruses and worms can be used to gain access to our systems. In this video, you’ll learn about the differences between viruses and worms, and how fileless viruses can attack from a system’s RAM.
Just like a virus inside of the human body, a virus inside of a computer is one that’s able to replicate itself from one computer to another. To get this virus to start, it requires some type of intervention, very commonly from a human, to be able to click a link or start an executable. Once the virus is running, it can move through the file system on a computer or try to access other file systems across the network.
We commonly associate viruses with some type of outage or downtime. And for the vast majority of viruses, that’s probably true. But there are some viruses that sit quietly in the background. And you might not even realize that you’re infected.
From a user’s perspective, a virus is probably one of the most common types of security concerns. And that’s why if you look at the operating systems we use today, many of them include or have the option to include an antivirus software. This software is always running on the computer. And it’s watching for executables to see if it recognizes software that may have already been identified as malicious. It’s one of the reasons we often tell you to always keep your signature file updated in your antivirus, because that’s what the antivirus is using to be able to identify this malicious software.
There are also different types of viruses. The one we commonly think about is when we click a link or an executable to run this as an application. But there are also viruses that will sit in the boot sector of your system. And when you boot up your computer, the virus automatically runs as the system is booting.
Your browser, your operating system, and many applications are able to run scripts. And those scripts can contain malicious software as well. And if you’re using an application, like Microsoft Office, that has the ability to run macros, there are viruses written in that macro language to take advantage of vulnerabilities in that software.
There’s also a type of virus that doesn’t use any files that are stored on your storage systems. This type of virus is a fileless virus because it’s never writing any software or any malicious code to your storage drives. And since most antivirus software is also looking for information to be written to a drive, this is one way that the virus can help avoid any of your antivirus software.
A fileless virus doesn’t install itself as software on your system. And it doesn’t require that software to be loaded from your storage drive. Instead, almost everything associated with a fileless virus is occurring in the memory of your system.
Here’s a very common example of how a fileless virus is able to first infect your system and then, from that point, install additional malicious software. This usually starts with the end user performing some type of function. So it might be that the user is clicking on a malicious link that’s inside of an email or part of an existing website.
That link will take the user to a website. And that website is set up to exploit a vulnerability within your operating system or the applications running on your operating system. So exploits associated with Flash, Java, or a known Windows vulnerability would be a perfect way for this fileless virus to get into your operating system.
Now that the virus is running on your system, it can run other applications, like PowerShell, which then downloads additional PowerShell scripts and runs those scripts in memory as well. At this point, the virus can run additional PowerShell scripts. It can install other applications. It can now start removing data from your system, and even transferring that data to a third party.
Since this virus is not saving any malicious software to the file system, it needs some way to restart if your system is rebooted. So normally, this type of virus may add an autostart to the registry of your Windows operating system so that the next time you start your system, this process occurs all over again.
So far, we’ve talked about viruses and how the user has to click a link or have some type of interactivity to get that virus running in memory. But there are certain types of malicious software that can run without any user intervention. This malicious software is called a worm. This malware is able to self-replicate itself between systems without any type of user intervention. And obviously, these days, most of our systems are networked, which makes it very easy and very efficient for a worm to replicate itself to every system that may be on your network.
These worms are replicating themselves at the speed of your network. So an infection with a worm tends to occur very quickly if there’s no other type of limiting factor. And since there’s no user intervention, these worms are able to attack your systems at any time and move freely about your network.
Network-based firewalls and personal firewalls, along with intrusion prevention systems, can make a big difference in identifying and stopping a worm from propagating itself throughout your network. Obviously, these technologies would need to be aware of this type of worm and have signatures and a process in place to be able to stop that traffic from going from one machine to another.
Fortunately, worms are a relatively rare occurrence. But let’s look at an example of a worm called the WannaCry worm. Not only was this worm able to propagate itself automatically, it also installed ransomware so that it would encrypt and make unavailable all of the user files on these systems. This started with a computer that is infected. That computer then looked across the network to try to find another system that was vulnerable.
Once the system is infected, EternalBlue will install a backdoor, pull down the ransomware code, and infect the machine with that ransomware software. At this point, the worm continues to propagate itself and find all of the vulnerable systems that may exist on this network and infect those also with the same ransomware.