Malware 101: The Payload
By: Mike Twomey | InfoTank, Inc.
Shortly after the 9/11 attacks I remember hearing multiple news accounts of a deadly substance known as anthrax being spread in sealed envelopes sent through the US Postal Service. According to the FBI, 5 people were killed and 17 were severely sickened through these mailings. I don’t believe anyone in the country expected something as basic as the postal service to be exploited for such a malicious reason. At 14 years old, I was now filled with a paranoia about the world that I’d never before felt, much less been able to put into words. Checking the mail had become a game of roulette where you were either getting a postcard from a family member or an envelope filled with biochemical warfare.
The reason I tell you this story is to point out a very important aspect of cybersecurity: where trust is implied, trust can and will be broken. Malware is built to exploit our trust by hiding within a package we globally accept as valid (email/websites/programs) and waiting patiently for us to open that package, which unleashes malicious code, known as a payload, into the systems we use.
Payloads have many usages that can range from corrupt governments tracking journalists to shady businesses trying to push products by replacing legitimate ads on websites and even to attackers looking to get rich quick by holding your files captive. With that said, let’s take a look at three payloads most commonly found in modern attacks.
With its persistent pop-ups, redirecting of search engine queries and replacement of legitimate ads to promote the author’s products, Adware is unlike its siblings in that it’s predominantly just an annoyance. Adware is often found in two flavors: the “free programs downloaded from unverified sources” flavor and the “compromised website that exploits flaws in the visitor’s browser, allowing the site to deliver its payload” flavor.
The common symptoms of adware include excessive pop-up ads while browsing or the homepage looking very different than it used to. Whenever I come across a computer with a homepage that looks like an off-brand version of Google’s search engine, I can usually bank on adware as the culprit. Adware has been known to replace legitimate ads on websites with its own in order to spread further to unsuspecting victims visiting the page. So don’t go clicking willy-nilly on just any old ad you see on any given website! In fact, don’t click ads on websites at all!
This one hurts not only your feelings but your wallet. Ransomware encrypts all files on a computer with an encryption key held by the attacker and typically displays a full screen message stating that the only way to regain access to the computer and its files is to pay a certain amount of cryptocurrency to the attacker in order to obtain the decryption key.
Typically ransomware is spread via malicious email attachments or exploit kits that take advantage of vulnerabilities found in devices that have not been updated. However, some ransomware cases have been the result of a targeted attack in which an attacker used other tools to access a network or computer before installing the ransomware and letting it run wild.
If you want an example that hits close to home, Google search “City of Atlanta ransomware attack” and get to reading. There are plenty of lessons to be learned there.
In my opinion, spyware is the most threatening of the three. It’s not that spyware will completely hose your computer like ransomware, it’s that spyware can be used for literally what it sounds like… spying on someone.
You’ll find spyware used by private investigators, law enforcement, governments, stalkers and protective parents (overbearing or otherwise). Spyware has the ability to monitor web browsing, search hard drives and cloud storage, and log keystrokes (aka steal usernames/passwords), all without the victim knowing that they’re being tracked.
The worst part about spyware is that there are companies capitalizing on these tools and there are no regulations against it. These companies are marketing commercial spyware as a way for parents to monitor their kids’ smartphone/computer usage, but what happens when that same tool gets loaded onto a journalist’s computer or phone by a government that they’re speaking out against? What if a divorce goes awry and one side compromises a cell phone to get pictures, passwords, text messages and microphone/camera access, all without the other knowing? Currently, regulations on spyware are basically non-existent and the potential for personal harm to victims is very high.
How should I protect myself from these styles of payload?
First, it’s always important that you know the origin of the attachments/files you’re opening and the reputation of the sites you’re visiting. Maintain proper backups of all drives on your computer, network and phone in case something really gets deep into one of your systems and it needs to be wiped. Also, keep in mind that with something like ransomware the attackers are not obligated to give you the decryption key once you pay the ransom.
Second, be smart about your mobile devices. We are in a world of increasing connectivity and our mobile devices are being targeted more and more. Don’t leave them unattended in public places and be doubly sure you understand what you’re opening on your phone/tablet before doing so.
Do you recommend any detection/removal software?
At the time of this writing, if you suspect that your computer/smartphone/tablet may be infected with malware I recommend products such as Malwarebytes (PC/Mac/iOS/Android) or SuperAntiSpyware (PC) for detection and removal. Both have free download options, are reputable, and are not paying me to say any of this. I use these tools often enough at work to see positive results and recommend them based on my experience.
I hope this dive into malware payloads has been mildly enlightening and that it has better prepared you for hardening your systems against such attacks. As always, stay safe out there!