Uploaded by Jamara Pucan

MODULE 5: Malware

Objectives:
1. To identify various malware programs and their extent of harm to the computing society.
2. To learn how these tricky programs can spread to almost any device connected to a
network.

5.1. Malware
Malware is any program or file that is harmful to a computer user. Malware includes
computer viruses, worms, Trojan horses, spam, backdoors, rootkits, keyloggers, and spyware.
Malware started as a prank among software developers, but it has since grown into a
full-fledged industry with both black and white markets.
Malware is typically used: 1) to steal information that can be readily monetized, such as
login credentials, credit card numbers, and bank account numbers; 2) to steal intellectual
property such as computer software, financial algorithms, and trade secrets; 3) to demand
ransom money in Bitcoin, for example the WannaCry ransomware; 4) to spy on computer users
for an extended period without their knowledge, for example the Regin malware; 5) to cause
harm, often as sabotage, for instance Stuxnet; and 6) to extort payment, for example CryptoLocker.

5.1.1. VIRUS
A computer virus is a malicious piece of executable code that propagates typically by
attaching itself to a host document that will generally be an executable file. The term “host”
means a document or a file. In the context of computer networking protocols, a “host” is typically
a digital device capable of communicating with other devices.

Typical hosts for computer viruses are:


a. Boot sectors on disks and other storage media. Since the boot sector code is executed
automatically, it is a common attack vector for viruses.
b. Executable files for system administration (such as the batch files in Windows
machines, shell script files in Unix, etc.)
c. Documents that are allowed to contain macros (such as Microsoft Word documents,
Excel spreadsheets, Access database files, etc.). Macros in documents are executable
segments of code and are generally written in a language that is specific to each
document type. Macros are used for automating complex or repetitive formatting
tasks. The macro programming capability can be exploited for creating executable
code that acts like a virus.

Any operating system that allows third-party programs to run can support viruses. A virus
duplicates itself when it attaches itself to another host document, that is, to another
executable file. The critical thing to note is that this copy does not have to be an exact
replica of the original: to make its detection by pattern matching more difficult, a virus may
alter itself each time it propagates from host to host.
Computer viruses need to know whether a potential host is already infected, since otherwise
the size of an infected file could grow without bound through repeated infection. For this
purpose, viruses typically place a signature (such as a string that is an impossible date) at a
specific location in the file.
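
The two mechanisms just described (a fixed-offset infection marker, and byte-pattern matching that a self-altering copy can slip past) can be seen from the scanner's side in the following added example. It is not code from the module: the marker string, its offset, the "Sample.A" byte signature and the fake host-file images are all constructed for the demonstration.

```python
# Added example, not from the module: a toy file scanner that checks
# (1) for an infection marker at a fixed offset, the kind a virus leaves so
#     it does not re-infect the same file, and
# (2) for a known byte signature, which a slightly altered copy defeats.
# Every constant below is constructed for the example.

INFECTION_MARKER = b"31/02/1999"   # constructed: an impossible calendar date
MARKER_OFFSET = 0x20               # constructed: fixed offset the marker sits at

KNOWN_SIGNATURES = {
    "Sample.A": b"\xde\xad\xbe\xef\x90\x90\xcc",   # constructed byte pattern
}


def has_infection_marker(data: bytes) -> bool:
    """True when the marker string sits exactly at MARKER_OFFSET."""
    end = MARKER_OFFSET + len(INFECTION_MARKER)
    return len(data) >= end and data[MARKER_OFFSET:end] == INFECTION_MARKER


def match_signatures(data: bytes) -> list:
    """Names of every known signature found anywhere in the file body."""
    return [name for name, sig in KNOWN_SIGNATURES.items() if sig in data]


def scan(data: bytes) -> dict:
    """Combine both checks into one verdict for a file image."""
    sigs = match_signatures(data)
    marker = has_infection_marker(data)
    return {"signatures": sigs, "marker": marker, "infected": bool(sigs) or marker}


def build_sample(infected: bool, altered: bool = False) -> bytes:
    """Construct a fake host-file image: a 64-byte header plus a code area.
    An 'infected' image carries the marker in its header and the appended
    sample code; an 'altered' copy changes one byte of that code, which is
    enough to break an exact byte-signature match."""
    body = bytearray(b"MZ" + b"\x00" * 62)                 # fake 64-byte header
    body += b"original program code here".ljust(64, b"\x00")
    if infected:
        body[MARKER_OFFSET:MARKER_OFFSET + len(INFECTION_MARKER)] = INFECTION_MARKER
        sig = bytearray(KNOWN_SIGNATURES["Sample.A"])
        if altered:
            sig[4] = 0x91          # one byte differs from the known pattern
        body += bytes(sig)
    return bytes(body)


if __name__ == "__main__":
    for label, sample in [("clean", build_sample(False)),
                          ("infected", build_sample(True)),
                          ("infected, altered copy", build_sample(True, altered=True))]:
        print(f"{label:24s} -> {scan(sample)}")
```

The altered copy is missed by the signature check but still caught by the marker check: the very string a virus writes to recognise its own infections is a stable indicator a scanner can look for, which is why analysts extract such markers when writing detections.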

5.1.2. WORMS

The main difference between a virus and a worm is that a worm does not need a host
document. In other words, a worm does not need to attach itself to another program because it
is self-contained. On its own, a worm can send copies of itself to other machines over a network.
Therefore, whereas a worm can harm a network and consume network bandwidth, the damage
caused by a virus is mostly local to a machine. But note that a lot of people use the terms ‘virus’
and ‘worm’ synonymously. That is particularly the case with the vendors of anti-virus software.
A commercial anti-virus program is supposed to catch both viruses and worms. Since, by
definition, a worm is supposed to hop from machine to machine on its own, it needs to come
equipped with considerable networking support.

A program may hop from one machine to another by a variety of means that include:
o Using the remote shell facilities provided by, say, ssh, rsh, rexec, etc., in Unix to
execute a command on the remote machine. If the target machine can be compromised in
this manner, the intruder could install a small bootstrap program on the target machine
that then brings in the rest of the malicious software.
o Cracking passwords and logging in as a regular user on a remote machine. Password
crackers take advantage of people’s tendency to keep their passwords as simple as the
prevailing policies on password length and complexity allow.
o Exploiting buffer overflow vulnerabilities in networking software. In socket-based
networking, a client socket initiates a communication link with a server by sending a
request to a server socket that is constantly listening for such requests. If the server
socket code is vulnerable to a buffer overflow or other stack corruption, an attacker
could turn that into the execution of system functions on the server machine that cause
the attacker’s code to be downloaded onto the server.
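
The password-cracking vector in the list above leaves a trail that a defender can watch for: a burst of failed logins from one source trying many account names. The following added example (not code from the module) parses sshd-style "Failed password" lines and raises an alert when one source address reaches a threshold of failures inside a time window. The log lines are constructed for the example and use addresses from the 203.0.113.0/24 documentation range.

```python
# Added example, not from the module: detecting the password-guessing
# propagation vector from authentication log lines. The SAMPLE_LOG text is
# constructed for this example in the usual sshd syslog format.
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:02 host1 sshd[4102]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:02 host1 sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:03 host1 sshd[4104]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Mar  3 10:00:04 host1 sshd[4105]: Failed password for invalid user guest from 203.0.113.5 port 51238 ssh2
Mar  3 10:00:09 host1 sshd[4106]: Accepted password for alice from 203.0.113.40 port 50010 ssh2
Mar  3 10:05:30 host1 sshd[4201]: Failed password for bob from 203.0.113.40 port 50011 ssh2
Mar  3 10:06:10 host1 sshd[4202]: Accepted password for bob from 203.0.113.40 port 50012 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, user) for every failed-password line.
    Syslog lines carry no year, so one is supplied (constructed: 2024)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "users": [...]}} for each source whose
    failures reach `threshold` within any span of `window_seconds`."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0                                  # sliding window start
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failures, users tried: {info['users']}")
```

The single failure from 203.0.113.40 followed by a successful login is the ordinary mistyped-password case and is not reported; the list of distinct user names in the alert is what distinguishes account spraying from one user struggling with their own password.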

In all cases, the extent of harm that a worm can do depends on the privileges of the
account under which the worm’s processes are executing. So if a worm manages to guess
someone’s password on a remote machine (and that someone does not have superuser
privileges), the harm done might be minimal.
Nevertheless, even when no local “harm” is done, a propagating worm can bog down a
network and, if the propagation is fast enough, can cause the machines on the network to shut
down. The shutdown happens when the worm is not smart enough to keep a machine from
being re-infected repeatedly and simultaneously: machines can only support a certain
maximum number of processes running at once. Thus, even “harmless” worms can cause a lot
of harm by bringing a network to its knees.
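
The capacity argument above can be made concrete with a counting model. The following added example (not code from the module, and containing no networking at all) tracks how many worm processes end up on each of a handful of hosts when a copy does, or does not, check whether its target is already infected. Host count, the per-host process limit and the random seed are constructed values.

```python
# Added example, not from the module: a toy capacity model of a "harmless"
# worm. Each tick, every running copy picks a random host and starts one more
# copy there. A host whose process count exceeds MAX_PROCS is treated as
# crashed and stops running anything. The naive variant re-infects hosts that
# are already infected; the checking variant refuses to start a second copy
# on a host that already has one (the marker check the text describes).
import random

HOSTS = 10        # constructed: size of the toy network
MAX_PROCS = 64    # constructed: process limit before a host falls over


def simulate(check_before_infect, ticks=40, seed=7):
    """Return (crashed_hosts, infected_hosts, max_processes_on_one_host)."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    procs = [0] * HOSTS
    procs[0] = 1                       # patient zero: one copy on host 0
    crashed = [False] * HOSTS

    for _tick in range(ticks):
        # Every running copy on an up host chooses a target for this tick.
        spawn = []
        for host in range(HOSTS):
            if crashed[host]:
                continue
            for _ in range(procs[host]):
                spawn.append(rng.randrange(HOSTS))

        # Apply the spawns; a crashed host accepts nothing.
        for target in spawn:
            if crashed[target]:
                continue
            if check_before_infect and procs[target] > 0:
                continue               # already infected: leave it alone
            procs[target] += 1
            if procs[target] > MAX_PROCS:
                crashed[target] = True

    infected = sum(1 for p in procs if p > 0)
    return sum(crashed), infected, max(procs)


if __name__ == "__main__":
    for name, check in (("naive re-infecting worm", False),
                        ("worm that checks first", True)):
        crashed, infected, peak = simulate(check)
        print(f"{name:26s}: {infected} infected, {crashed} crashed, "
              f"peak {peak} processes on one host")
```

The checking variant reaches every host with exactly one process each and crashes nothing, which is the "no local harm" case; the naive variant doubles its process count every tick until hosts exceed their limit, which is the outage the text warns about. That is why operations teams treat a fast-spreading worm as an availability incident even before its payload is understood.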

5.1.3. TROJAN
A Trojan horse, or Trojan, is a type of malware that disguises itself as legitimate software.
Trojans are written with the purpose of discovering financial information, taking over your
computer’s system resources, and, in larger systems, mounting a “denial-of-service attack”,
which makes a machine or network resource unavailable to those attempting to reach it.

5.1.4. SPAM
Spamming is the practice of flooding the internet with copies of the same message. Most
spam consists of commercial advertisements sent as unwanted email to users. Spam is also
known as electronic junk email or junk newsgroup postings. Spam emails are very annoying
because they keep coming every day and keep your mailbox full.

5.1.5. BACKDOORS
Backdoors are much the same as Trojans or worms, except that they open a “backdoor” on
a computer, providing a network connection through which hackers or other malware can
enter, or through which viruses or spam can be sent. A front-door, on the other hand, requires
the action of a legitimate user: for example, malware that runs when a legitimate user opens
an infected email attachment or runs a malicious program downloaded from the internet.

5.1.6. ROOTKIT
A rootkit can be compared to a burglar hiding in the attic of a house, waiting to steal from
you while you are not home. It is the hardest of all malware to detect and therefore to remove;
many experts recommend entirely wiping your hard drive and reinstalling everything from
scratch. It is designed to let other information-gathering malware take identity information
from your computer without you realizing anything is going on.

5.1.7. KEYLOGGER
A keylogger records everything you type on your PC to glean your log-in names,
passwords, and other sensitive information, and sends it on to the source of the keylogging
program.

5.1.8. SPYWARE
Spyware is software that spies on you, tracking your internet activities in order to send
advertising (adware) back to your system.

NAME: ________________________________ COURSE/YR: _________________

ASSESSMENT:

1. Explain how front-door and backdoor attacks differ and give one example of each.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
2. Give some examples of what malware tries to accomplish.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
3. Explain the dangers posed by computer malware.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
4. Describe things you can do to secure your computer from attack.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
5. List the top five viruses from http://securityresponse.symantec.com.
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
