Other Malware Types - CompTIA Security+ SY0-701 - 2.4
Understanding Keylogging and Logic Bombs
Keylogging: A Major Threat to Sensitive Information
- Because the keyboard is the primary input method, it is an ideal target for keylogging, which captures sensitive information such as usernames, passwords, and credit card details.
- Keylogging malware remains resident on the system, logging keystrokes to a file that is periodically sent to the attacker and so provides a comprehensive record of user activity.
- Unlike data transmitted over a network, which can be encrypted, keystrokes are unencrypted at the moment they are typed, so a keylogger can read them in the clear.
- Advanced keyloggers can also capture clipboard contents, take screenshots, log instant messages or chats, and track search engine queries in addition to keystrokes.
- DarkComet is highlighted as an example of a Remote Access Trojan (RAT) that incorporates keylogging capabilities alongside other malicious functions.
The Mechanics of Keylogging Software
- The demonstration shows how a keylogger captures typed information in real time; it records not just the text but also actions such as spaces and deletions.
- The video then introduces logic bombs, another type of malware that activates only on a specific trigger or event rather than running continuously like traditional malware.
Understanding Logic Bombs
- A logic bomb waits for a predetermined condition (for example, a date and time, or a particular user action) and executes its harmful commands once triggered, such as deleting files or altering system settings.
- These threats are often custom-built by an individual with a specific goal in mind, so they lack the identifiable signatures typical of conventional malware, which complicates detection.
Real-world Example: South Korea's 2013 Incident
- On March 19, 2013, a malicious email led to the installation of a Trojan on banks' systems. The following day at 2 PM local time, the logic bomb activated and caused extensive data loss.
- The activation deleted all stored data, including critical components such as the master boot record, leaving the systems unable to boot because no operating system remained.
Consequences and Prevention Strategies
- ATMs were particularly affected; after the reboot, users attempting to access services saw error messages indicating that no operating system was found.
- Identifying a logic bomb is challenging because each one is unique; as a preventive measure, organizations should implement strict monitoring of changes to core operating system files.
Security Best Practices Against Malware
- Organizations should enforce limited user permissions to reduce the risk that elevated rights are used to install malware such as logic bombs.
- Continuous monitoring for unauthorized changes within critical files can help detect potential threats early before they cause significant damage.
Rootkits: Another Layer of Threat
Understanding Rootkits and Their Impact
The Nature of Rootkits
- Rootkits are integrated into the operating system (OS), making them difficult to detect. They operate invisibly alongside legitimate processes, allowing malicious code to run freely on the computer.
- Not all rootkits function at the kernel level; some may run as traditional processes. This means that certain anti-malware software might still identify these variants.
Addressing Rootkit Infections
- Standalone removal tools exist for specific rootkit families and can be used after an infection is found. They do not undo damage already done, but they can help remove the rootkit itself.