Other Malware Types – CompTIA Security+ SY0-701 – 2.4

There are many other malware types than viruses or worms. In this video, you’ll learn about keyloggers, logic bombs, and rootkits.


Attackers know that a great deal of sensitive information is put into your computer using the keyboard. So this would be a great place to perform key logging and capture every keystroke that you make when you’re typing something into your PC. This might include all of the website URLs you visit. It could be passwords and usernames. It might be credit card information and other financial details and anything else that you might type into your system.

Keylogging malware will stay resident on your system. It will capture all of these keystrokes to a file. And usually, once or more times a day, that file will be sent to the attackers so they now have a record of everything you typed into your computer. We often talk about protecting the data sent across our network by using encryption or VPNs. Sometimes we’ll discuss storing files in encrypted form using full disk encryption or single file encryption.

But the attackers know that if you’re typing something into the keyboard, that process is not encrypted. That’s a perfect place to capture your username and password or your credit card number. This keylogging software can do a lot more than simply capture your keystrokes. They can be used to capture the information that you store in a clipboard. Maybe they take screenshots of what you have on your screen at any particular time and store that information.

There may be instant messages or chats that can be stored as part of the keylogger. And maybe anything that you search in a search engine query can all be logged, stored, and sent to an attacker with this keylogging software. This is keylogging software that’s included with a utility called DarkComet. DarkComet is a RAT, or a Remote Access Trojan. It’s malicious software that an attacker can use to capture your keystrokes, screenshots, and other information from your computer.

On the left side is a notepad where I taped in username professormesser and a password of notarealpassword. And then I show you the keylogger on the right side that has captured all of this information. It captured what I typed, when I typed it. It even recognized when I put in a space and then used a delete key so that I can make that all one single word. The keylogger captures everything, stores it in a file, and that file is occasionally sent to the attacker.

Another type of malicious software is a logic bomb. A logic bomb is waiting for a particular event to occur. And when that event occurs, the bomb is then detonated on that system. This might be waiting for a particular date and time. And when that date and time arrives, the system then reboots, erases data, or makes changes to that system. Or this may be something related to what the user is doing. Maybe we’re waiting for a particular user to log in. And as soon as that user logs in, the bomb then executes.

Logic bombs are usually something created by an end user or created by someone who has a particular goal in mind. And because of that, it’s not malware that we’ve seen run on another system. So there generally is not an antivirus or anti-malware signature associated with a logic bomb. This makes a logic bomb very difficult to identify. But there are monitoring tools that you can put into a system to look at key files and make sure that no one has modified or changed anything associated with those critical operating system files.

An example of a logic bomb creating a problem for an organization occurred on March 19, 2013 in South Korea. A malicious email was sent to banks and broadcasting companies that had an attachment. And if that attachment was run, it installed a Trojan onto the user’s computer. A day later, on March 20, 2013 at 2:00 PM local time, the logic bomb activated based on that time of day. When it activated, it deleted everything that was in storage and the master boot record of the system where the Trojan was installed.

The system was then rebooted, but, of course, the operating system had just been deleted. So when the system started up again, there was no operating system to start. Because this Trojan was sent to a bank, a number of the systems within the bank were affected by this logic bomb but perhaps none more important than the Automatic Teller Machines associated with the bank. These were also infected by this logic bomb. And on March 20th at 2:00 PM local time, all of the ATMs were deleted and also rebooted to no operating system on those ATMs.

If you tried to use the ATM after the system was rebooted, you saw a message that said “Boot device not found. Please install an operating system on your hard disk.” As I mentioned earlier, it’s difficult to identify where a logic bomb may have been installed because there are no known signatures that you can use to try to identify them. There are things you can do within the normal processes and procedures of your organization.

For example, you may have a series of processes and procedures that limits the change of any core operating system files. And you may set up monitoring that can identify when any of these files may have been changed which might give you a heads up that something has been modified that could be a logic bomb.

This is also another good idea to perform constant monitoring to make sure that every user in your organization only has the rights and permissions necessary for that user to do their job. The days of having everyone run as administrator rights are over primarily because of the security concerns that can be based around that issue and certainly because someone with additional rights and permissions could easily install a logic bomb.

Another security concern you may have heard of is a rootkit. The name root in rootkit comes from the Unix superuser of root very similar to the administrator that would be in a Windows environment. A rootkit generally hides itself in the kernel of the operating system. This makes it part of the OS itself, which means it’s very difficult to identify this rootkit with traditional antivirus or anti-malware software.

When the rootkit is running, it’s running as part of the operating system, so you probably won’t see it listed if you tried to list out all of the tasks or processes on this particular computer. Instead, it simply is part of the OS. And anything the operating system is doing will include the malicious code that’s part of this rootkit. And since this rootkit is effectively invisible to your antivirus or anti-malware software, it has full run of your computer.

Not all rootkits are part of the kernel. And if they are running as a traditional process in your operating system, you still might be able to identify it with anti-malware software. If you believe your system has been infected with a specific type of rootkit, there are a number of standalone rootkit removal tools that are specific to different rootkit variants. Obviously, this is something you would use after you would become infected. So it may not prevent the rootkit from causing problems. But it may be able to remove the rootkit so you can perform some type of mitigation of your personal files.

In order to combat these rootkits, we’ve created processes within the UEFI BIOS called secure boot. Secure boot will look for an operating system signature and confirm that nothing has changed with the kernel of that operating system before the system is booted. This means that even if the rootkit does manage to get installed, your system will stop this rootkit from running when it boots up and effectively preventing that rootkit from causing any additional problems on your system.