Input: Malware 101

Credits Pablo, Carol, Daniel O’Clunaigh, Ali Ravi, Samir Nassar Last Updated 2015-05

This input session includes definition of basic malware terms, reviewing how users are exposed to malware, and how users can prevent malware infections or handle existing ones. Current trends in threats move very fast, and can either be warnings to include in trainings or examples to use. Keep up to date on vulnerabilities, social engineering trends, etc., for your workshops - particularly if you're training on operating systems that you're less up-to-date on.

ADIDS Element

Input

Parent Topic(s)

Using Antivirus Tools

Duration

45-60 minutes

Have feedback on this content? Does something need updating?

Leave a note anywhere on this page - look for the Hypothes.is toolbar in the upper right-hand corner.

Have content you'd like to share with other trainers?

Email us at levelup@riseup.net (GPG public key here) or read our guide on Contributing to LevelUp.

 

Materials to Prepare

  • Flipchart paper and markers
  • Pre-written questions for the “Exposure to Malware” section below, on flipchart paper.
  • Go to Survival Time to calculate the average number of minutes it takes for an unpatched computer without antivirus and a firewall to become infected (for Avoiding Malware).
  • Examples of case studies you want to share with participants; for example, this very convincing yet fake Google login page and the story behind it.

Input Session

Step 1. Defining Terms

When it comes to talking about malware, a definition of terms is helpful so that participants can understand the different types and the distinctions between them. To avoid presenting the content solely as a lecture, and to get a better sense of your participants’ knowledge, you can present this section by asking participants how they would define the following terms, then correcting their definition(s) as needed:

Malware

An umbrella term for Malicious Software, very likely containing a virus or an otherwise malicious software application.

Virus

Viruses are usually attached to a program or file. They are generally executable files and can only be run when ordered to do so by the user.

Trojan

This is malware which comes disguised as “legitimate” software - often in cracked versions of proprietary software. They are often designed to steal information and transmit it over the internet. This is one reason that genuine software is always preferable to pirated, cracked software.

Spyware

Malware which records users’ activities on a computer; a common example of this is a keylogger, but it can be far more advanced.

Worm

Worms are similar to trojans but have the unique characteristics of being able to copy and send themselves from computer to computer (or other devices). A well-known example was the I Love You worm.

Step 2. Exposure to Malware

One easy way to organize this, again so as not to bore participants with a lecture-only session, is to elicit input and ideas from the experiences of participants and write them on a flipchart.

Supplement any crucial answers they haven’t suggested and add them to the list; to save time, you may wish to prepare the following questions (leaving suggested answers blank, of course), on individual pages of flipchart paper before the session, with one question per page:

I. How Do We Get Malware?

Answers:

  • From infected hardware such as USB keys.
  • By clicking malicious links to download viruses, like those found in fake advertisements.
  • By downloading malicious e-mail attachments containing it.
  • “Drive-by downloads” or malware downloaded from websites - exploits a number of vulnerabilities in unpatched, outdated, or “cracked” operating systems and browsers.
  • Using unlicenced or “cracked” software - a common example of this are unlicenced versions of Windows, often bought because users cannot afford a licensed version, and often sold by non-hostile sellers though they leave users very vulnerable.
  • Software that seems legitimate (e.g., Skype, Tor, Firefox) but is downloaded from hostile sources, and usually repackaged with malware.
  • Through social engineering attacks; for example, when someone impersonates a friend or colleague and invites you to click on a link that downloads malicious software onto your device.
  • By downloading them through scams on social networking sites.

II. How Do We Get Phished?

Answers:

  • Emails that ask you to log into your online banking account.
  • Emails that ask you to log into your social network accounts.
  • Private messages on Twitter with shortened links which bring you to a fake login screen.
  • Facebook wall posts and links which bring you to a fake login screen.
  • Email attachments.
  • Instant messages from unknown accounts or from known contacts who have had their accounts compromised.
  • More sophisticated attacks - explain what spearphishing is, what it looks like, and ask if participants have experienced it.

III. What are Common Misperceptions or “Myths” about Viruses and Malware?

Only Windows machines get malware!

False: Both OSX (Apple) and Linux operating systems can also be vulnerable to malware, although most malware targets Windows because it is the most commonly used operating system worldwide. With the increasing number of OSX users, more malware is made to target OSX; however, because the number of Linux users are far fewer, Linux malware is far less prevalent.

Malware is only spread by devices that are also “infected” by malware!

False: Computers can pass on malware to other devices as “carriers.” An example of this is a computer with OSX, passing on Windows malware to a Windows device, even though that malware didn’t “infect” the OSX device because this malware was designed for Windows. That malware still successfully infected a Windows device, and because of this, users should have antivirus software that also scans for malware designed for other operating systems.

If I don’t notice anything “strange” happening with my computer, it’s okay!

False: Malware may or may not be noticeable - sometimes it will have dramatic impact on a device’s performance, other times a device will continue functioning in an apparently “normal” manner.

Antivirus will catch any malware I have!

False: Anti-malware tools can only identify malware that is known; they cannot protect against “undiscovered” or “new” malware. This doesn’t mean you shouldn’t use anti-malware tools, however!

Once each list is made from this section, hang them up, but leave space next to each list for the list of solutions, both technical and non-technical, that will be covered in the following section.

Step 3. Avoiding Malware

Go to Survival Time to calculate the average number of minutes it takes for an unpatched computer without antivirus and a firewall to become infected - at time of writing, it took on average 5 minutes.

Below is a list of solutions for avoiding malware to cover together as a group - begin each question by soliciting solutions from participants and adding them to the list, then supplementing additional solutions and missing information as needed.

Place each list of solutions next to the respective list of how users are exposed from the previous section - the avoidance questions below are numbered the same (I or II) as the exposure questions (I or II) from the previous section. Keep them up during the training so participants can refer back to them.

I. How Can We Avoid, or Reduce Our Exposure to, Malware?

A) By Using Updated Operating Systems and Applications

One of the most important ways to protect yourself from malware is to have an updated and licensed operating system, whether open source (Linux), or proprietary (Windows and OSX). Malware takes advantage of outdated and cracked software and operating systems to infect them. - If using open source (or FLOSS) applications, only download them from known projects - for those who are interested, the website osalt offers suggestions for open source alternatives to popular proprietary applications. - Only download software from official sources, or trusted download sites via offical websites. - Be wary of using unknown and untrusted third-party sites or file-sharing sites. - The experience of Syrians being targeted with malware in a number of ways is a useful cautionary example, as well as the Tibetan community.

B) Using SHA or MD5 Hashes

…to verify downloads whenever possible. Suggested tools for this include FileInfo Professional (Free, OSX), HashTab (Paid, OSX), HashCheck (Free, Windows), Rapid CRC Unicode (Free, Windows).

C) By Downloading over an Encrypted Connection

…usually SSL in the browser, whenever possible; similarly, turn on auto-updates for the operating system and applications you use - Flexera for Windows is a free tool that will check to make sure your installed software is up to date.

D) By Enabling the Firewall

…on your device to protect yourself; this can also help reduce the spread of malware if you are infected. If you have OSX users, mention that Apple devices are sold with the Firewall OFF by default. Direct them to where they either confirm that it is turned ON or turn it ON themselves (Preferences -> Security & Privacy -> Firewall). Windows usually has firewalls ON by default; to confirm or to turn ON, go to (Control Panel -> Security -> Windows Firewall).

Trainer’s Note

If participants are using pirated copies of Windows, this is extremely dangerous and they should prioritize buying a license if they want to continue using proprietary software (Windows and OSX). If there are a number of participants who cannot afford licenses and are unlikely to use open source, try to see if you can find an organization to provide them with licenses. Otherwise, they should consider using open source operating systems instead.

E. By Using Anti-Malware Tools

There are different types of antivirus and anti-malware tools. However, just to make it more confusing, some tools are combined into one, and others have various capabilities enabled depending on whether or not they’ve been paid for.

If participants ask for a place to compare tools, you can point them to AV Comparatives’ Summary Reports for both Windows and OSX tools.

Types of antivirus and anti-malware tools to describe and differentiate for participants include:
  • Antivirus (more on these below)
  • Anti-malware scanners (like Malwarebytes)
  • Anti-Spyware scanners like SuperAntiSpywareFree

Have an active and updated antivirus program that checks for malware for other operating systems as well, not solely the one on the device it’s installed on - this is to avoid the spread of malware that doesn’t affect one kind of operating system to devices using other operating systems that may be affected. This is most relevant for OSX and Linux operating systems.

Free antivirus apps for Windows include:
Free antivirus apps for OSX include:

Have an antivirus program that has active monitoring capabilities, or “real-time protection”, and use it. This allows the program to actively monitor your computer’s activities to alert you to potential malware, instead of discovering malware during scans alone.

Do not run more than one antivirus/anti-malware tool that provides active monitoring capabilities.
  • Program your antivirus program to conduct regular scans.
  • If you can afford it, use an antivirus tool that provides “web browsing” protection if you have a Windows device.
  • This can help protect you from “drive-by downloads” when browsing the web, which can even happen on seemingly innocuous websites that have been exploited.

II. How Can We Avoid Phishing?

A) By Practicing Safe Email Habits

  • If you receive an email from your bank for anything besides routine updates, quarantine the email and contact them directly.
  • If you receive an email in your work account that looks suspicious (or a message to your organization via social media accounts), alert your IT team or manager immediately.
  • If necessary, email an alert to your co-workers as well if they’re also addressed in the email. Your organization may be experiencing a spearphishing attack that can affect the entire organization.
  • Double-checking with a contact if they appear to have sent you an attachment you weren’t expecting.
Trainer’s Note

For a case study of how an organization can be compromised by a spearphishing attack, this may be useful - it also illustrates how exploited email accounts of IT staff can be used once the initial email has been successful.

B) By Practicing Safe Web Browsing, Social Media and Chatting Habits

Be very suspicious of private messages on social networking sites or IM which prompt you to:

  • Click on links of “pictures of you” that don’t exist or look suspicious.
  • Download a tool or piece of software that looks appealing.
  • Download games that looks harmless.
  • Ask you to provide any type of sensitive information.

…on websites, social networking sites, and IM (as well as in emails). Sometimes this may be the only way to realize you’ve been redirected to a (sometimes very convincing) login page.

D) By Always Checking the URL

… when you’re unexpectedly directed to a login screen, or if you’re redirected to an unfamiliar “warning” page of any kind for a service that you use.

E) By Staying Alert for Phishing Attacks

…which are becoming far more effective and harder to recognize - examples to share include this fake Google login page and this fake Apple Store ID reset page.

  • Approaching links shared over social networking sites with extreme caution, especially if they’re posted by unknown people.
  • Avoiding any advertisements that appear to be scams.
  • Similar to avoiding phishing attacks in email, hover over URLs and hyperlinks to check where they lead.
  • Examine links from URL shortners like bit.ly before clicking on them: Copy them into the browser and adding a ”+” at the end of the URL.
  • If you’re unsure about a URL, check it at VirusTotal.

Step 4: Closing Exercise

Go through each list and identify each type of exposure to malware and each solution to malware as either technical or non-technical. Use this to illustrate how being safe online is a combination of technical and behavioral solutions.