Malware Lecture 7

MALWARE

• Malware
• Usage of Malware
• Types of Malware
• How Malware Spreads?
• How Can You Protect Computer?
• Symptoms
• Anti-Malware Program
Malware

• Short for malicious software.
• Malicious software is used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
• It can appear in the form of code, scripts, active content, and other software.
• 'Malware' is a general term used to refer to a variety of forms of hostile, intrusive, or annoying software.
Usage of Malware
• Many early infectious programs, including the first Internet Worm,
were written as experiments or pranks.
• Today, malware is used primarily to steal sensitive, personal, financial,
or business information for the benefit of others.
• Malware is sometimes used broadly against government or corporate
websites to gather guarded information, or to disrupt their operation
in general.
• However, malware is often used against individuals to gain personal
information such as social security numbers, bank or credit card
numbers, and so on.
Types of Malware
• Viruses
• Trojan horses
• Worms
• Spyware
• Zombie
• Phishing
• Spam
• Adware
• Ransomware
• Botnet
Viruses
• A computer virus is a malicious piece of executable code that
propagates typically by attaching itself to a host document that
will generally be an executable file.
• A program or piece of code that is loaded onto your computer
without your knowledge and runs against your wishes.
• Viruses can also replicate themselves.
• All computer viruses are manmade.
• Viruses copy themselves to other disks to spread to other
computers.
• They can be merely annoying or they can be vastly destructive to
your files.
Viruses go through four stages

1. Dormant phase – not all viruses have this stage.
2. Propagation phase – the virus copies itself.
3. Triggering phase – caused by some event, such as:
    • the count of the number of copies made
    • a particular date, etc.
4. Execution phase – do damage!
Examples of famous viruses
• 1981 – first computer virus
    written by a 15-year-old student named Richard Skrenta
    used floppy disks to travel between machines
• 1988 – Jerusalem
    infected both .EXE and .COM files
    on Friday the 13th it deleted all programs on the infected system
    boot sector viruses – Yale from the USA, Stoned from New Zealand, Ping Pong from Italy
    first self-encrypting virus
• 1991 – first polymorphic virus: changes its pattern and encrypts itself.
• Michelangelo (traditional virus)
• 1998 – Chernobyl
    launched in Taiwan – infected .exe files
    remained resident in memory
    overwrote data on the hard drive, making it inoperable
    overwrote the BIOS, preventing boot-up
    estimated damage $20 to $80 million
• 1999 – Melissa – mass mailer
    used Outlook to send email messages of itself to 50 names on the user's contact list
    message read: “Here is that document you asked for. Don’t show anyone else.”
    infected 15 to 20 percent of all business PCs
    estimated damage between $300 and $600 million
• 2000 – I Love You virus – spread via Outlook
    arrived as a file attachment and overwrote files
Types of viruses
• Parasitic – traditional
• Memory-resident – infects every program that runs
• Boot sector – infects the master boot record
• Polymorphic – mutates with each infection
    creates copies that are functionally equivalent but have different bit patterns
    may randomly insert superfluous instructions or interchange their order
    may use encryption – each infection generates a different random key
• Stealth – uses compression – intercepts I/O subroutines
• Macro viruses – two thirds of all computer viruses
    aimed at MS Word docs
Antivirus Protection
• Prevention – IPS such as a firewall
• Detection (locate the virus)
• Identification (identify the specific virus)
• Removal – using antivirus and other tools

Currently four generations of antivirus software:
• Scanners
• Heuristic rules – look for fragments of code
• Memory-resident programs – watch for activity associated with infection attempts
• Fourth gen. uses all of these + access control capability, which limits the ability of viruses to penetrate a system.
Trojan Horses
• A Trojan Horse program has the appearance of having a useful
and desired function.
• A Trojan Horse neither replicates nor copies itself, but causes
damage or compromises the security of the computer.
• A Trojan Horse must be sent by someone or carried by another
program and may arrive in the form of a joke program or software of
some sort.
• These are often used to capture your logins and passwords.
• Uses social engineering
Example of Trojan Horses
• Zeus Trojan (infiltrates through spam emails): developed by hackers to steal banking details from infected devices.
• Remote access Trojans (RATs): sent as an email attachment and create a backdoor for administrative control over the target computer.
• Backdoor Trojans (backdoors)
• IRC Trojans (IRCbots) – Trojans that use Internet Relay Chat (IRC)
• Keylogging Trojans (see below)
• NetBus – Trojan horse malware created in 1998 with the goal of remotely controlling a system running the Windows OS. Like any other Trojan, NetBus has 2 components: the client and the server. The server infects the host computer and the client is used to control it.
Example of Trojan Horses (contd.)
• Keylogging Trojans: keylogging, or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
WORMS
• A computer worm is a self-replicating computer program.
• It uses a network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.
• It does not need to attach itself to an existing program.
• A worm uses one of the following:
    Email facility
    Remote execution capability – executes a copy of itself on another system
    Remote login capability – worm logs in as a user
    File-sharing services
Example of a Typical Worm
1. Scan for hosts running the targeted product
    Check if the port is open
    Check the version, or even try to infect anyway
2. Download/infect the machine with code which will continue the spread of the worm
    Once in, download tools from a third-party host, or even download more copies of itself
3. Deliver a payload
    Deleting, modification, back-dooring, flooding or other related activity
4. Scan more hosts and repeat
    Repeat step 1
Morris worm
• Released by Robert Morris – 1988
    One of the first computer worms distributed via the Internet. It was the first to gain significant mainstream media attention. According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet.
• Quite sophisticated
• Tried a variety of methods for gaining access:
    Attempted to log in to a remote host as a legitimate user
    Exploited a bug in the finger protocol (port 79)
• Morris was sentenced to 400 hours of community service and a $10,000 fine
Code Red – July 2001
• Two variants – attacked MS IIS servers
• Operated in three stages: scanning, flooding and sleeping
• Scanning phase: searched for vulnerable computers (MS IIS servers)
• Flooding phase: DoS attack on the White House website
• Sleep mode could last indefinitely
• Replaced website text with the phrase “Hacked by Chinese.”
• At its peak, it infected 2,000 machines every minute, reaching 250,000 in under 9 hours.
Code Red II
• Variant of Code Red
• Exploited the same vulnerability as Code Red
• Gave the attacker control over the infected system
• Each variant was smarter than the previous one
• Many MS IIS servers had not been patched
• Alarm messages arrived in the first few hours
• No one was monitoring these systems
• Emails bounced
• The worm continued unchecked for days
Sobig Worm – August 2003 – has six variants
• Some features similar to a Trojan because it disguises itself as electronic mail
• Example: Mydoom – January 2004
    Also known as Novarg, Shimgapi (e.g. W32.MyDoom@mm), and Mimail.R
    Record for the fastest-spreading e-mail worm
    100,000 infected emails per hour were blocked
    Gets the computer user to open an infected email attachment – installed a backdoor
    Worst email worm to date
    $250,000 bounty for the creator of these worms
Blaster Worm – August 2003
• Also known as Lovsan or Lovesan
• Focused on the Windows 2000 and Windows XP OS
• Attacked 120,000 unpatched systems during the first 36 hrs
• DoS attack on the MS Windows Update website
• Caused the OS to crash
• Contains two messages
    “I just want to say Love You San” – hence the name
    “Billy Gates why do you make this possible? Stop making money and fix your software”
• Infected over 1 million computers
Conficker Worm
• Modifies the Registry
• Resets PC’s System Restore point
• Downloads files from the hacker’s website
Stuxnet Worm – July 13, 2010
• Targets industrial control systems – known as SCADA systems
• If found, it attempts to steal code and design projects
• Exploits four zero-day vulnerabilities
    Link file vulnerability to spread through USB drives
    Remote code execution vulnerability
    Two local privilege escalation vulnerabilities
• Stuxnet targeted Iran, specifically the industrial controllers that run or slow the cooling fans of a nuclear reactor.
Defences Against Worms
• Modus operandi of true worms is to exploit a known vulnerability
• Key defence – latest patches
• Host-based IDS – detects unauthorized system activity
• Network-based IDS – detects signatures of known worms
• Antivirus software for email worms
• Don’t run executables or open files from unknown sources!
Adware and Spyware
• Annoying and deceptive software
• Information gathering programs
• Designed to monitor user behavior
• Includes – spyware, adware and spam
• Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements.
    Economically motivated, e.g. online advertisements
    Collects info about your surfing habits – with or without your knowledge
    Not illegal and not necessarily malicious
    Common examples of adware include pop-up ads on websites and advertisements that are displayed by software.
    Often software and applications offer “free” versions that come bundled with adware.
Spyware
• Spyware is a type of malware installed on computers that collects information about users without their knowledge.
• The presence of spyware is typically hidden from the user and can be difficult to detect.
• Spyware programs lurk on your computer to steal important information, like your passwords and logins and other personal identification information, and then send it off to someone else.

Spyware does not spread directly like a virus or worm; instead it arrives in one of three ways:
1. Installed without the user’s knowledge
    Usually presented as a useful utility, which users download and install
    Examples:
        Web accelerator
        Bonzi Buddy – targeted at children
2. Bundled with shareware and other free software
    When the user installs it – the spyware is installed too
3. Tricks users by manipulating security features
    The download requires a user action
    No matter which “button” the user presses, a download starts

• Spyware exists as independent executable programs
• Has the capability to:
    Monitor your keystrokes
    Scan files on the hard drive
    Snoop on other applications, such as chat programs or word processors
    Install other spyware programs
    Read cookies
    Change the default home page in the web browser
    Consistently relay information back to the spyware author
• Can slow down your computer
Spam
• Spam is email that you did not request and do not want.
• One person's spam is another's useful newsletter or sale ad.
• Spam is a common way to spread viruses, trojans, and the like.
Zombie
• Zombie programs take control of your computer and use it and its Internet
connection to attack other computers or networks or to perform other
criminal activities.
Phishing
• Phishing (pronounced like the word 'fishing') is a message that tries to
trick you into providing information like your social security number or
bank account information or logon and password for a web site.
• The message may claim that if you do not click on the link in the
message and log onto a financial web site that your account will be
blocked, or some other disaster.
Ransomware
• Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom.
    It restricts user access to the computer either by encrypting files on the hard drive or by locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove the restrictions and regain access to their computer.
    In 2012, a major ransomware known as Reveton began to spread. It displayed a warning purportedly from a law enforcement agency claiming that the computer had been used for illegal activities, such as downloading unlicensed software or child pornography. Due to this behavior, it is commonly referred to as the "Police Trojan".
Buffer Overflow
• Advanced hacking technique
• Requires some skill and programming knowledge
• Aim – exploit a vulnerability/security hole
• Objective – to gain root privileges
• How does it work?: when a program is executed, it is mapped into memory in an organized manner; writing more data into a fixed-size buffer than it can hold overwrites the neighbouring memory.
• The defence: buffer overflow attacks often take advantage of poor application programming.
    Write secure code
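What "write secure code" means for the defect this slide describes, as an added example that is not part of the lecture: a fixed-size name buffer filled by the classic unchecked strcpy, next to a bounds-checked replacement that rejects oversized input before any byte is written. NAME_LEN, struct record and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size destination buffer */

/* Defective pattern (the slide's "poor application programming"): strcpy
 * trusts the caller to supply a short string, so anything longer than
 * NAME_LEN - 1 bytes is written past dst onto whatever sits next to it.
 * Kept only for contrast; it is never called with oversized input here. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);              /* no length check: the bug */
}

/* Hardened version: the destination size travels with the pointer, the
 * source is measured before any byte is written, and oversized input is
 * rejected rather than silently truncated so the caller sees bad data. */
bool copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dst_len)              /* need n + 1 bytes for the NUL */
        return false;
    memcpy(dst, src, n + 1);       /* copies the terminator too */
    return true;
}

/* Constructed record: a field placed right after the buffer, the kind of
 * neighbour an overflow would clobber. */
struct record {
    char name[NAME_LEN];
    unsigned int is_admin;
};

/* Returns true when the hardened copy accepted src into a NAME_LEN buffer. */
bool try_copy(const char *src)
{
    char buf[NAME_LEN];
    return copy_name_safe(buf, sizeof buf, src);
}

/* Returns true when is_admin is still 0 after the hardened copy of src,
 * whatever its length: the length check keeps the neighbour intact. */
bool neighbour_intact(const char *src)
{
    struct record r;
    memset(&r, 0, sizeof r);
    copy_name_safe(r.name, sizeof r.name, src);
    return r.is_admin == 0;
}

int main(void)
{
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes, constructed */
    printf("short accepted=%d long accepted=%d neighbour intact=%d\n",
           try_copy("alice"), try_copy(big), neighbour_intact(big));
    return 0;
}
```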
Bots
• Programs that perform some predefined actions in an automated way.
• A bot is a computer that has been compromised through a malware infection and can be controlled remotely by a cyber criminal.
• Cause: software vulnerabilities, IE misconfiguration, or opening an email attachment.
• Used for DDoS attacks – similar to zombies
• Spam: spammers pay to access bots that run email gateways
    Spam from multiple sources is harder to block
• Harvesting valuable information – includes online banking credentials, software activation license keys, etc.
• Secondary infection – scanning and creating more zombies.
Botnet Example
Zeus
• Began to spread in 2006
• Objective – stealing banking information by keystroke logging (tracking/logging the keys struck on a keyboard) and form grabbing
• Purchased for around $3000–4000

Storm
• Uses email spamming and phishing websites
• Begins gathering infected computers into the Storm botnet
• Infected 1.7 million computers
• Responsible for blasting out 20 percent of spam sent worldwide
• Storm 2.0 strain, 2010
    relays junk e-mail advertising male enhancement pills and adult websites
Action
• Keystroke logging – passwords used to get keys to decrypt the packets
• Sniffing traffic – watching for clear-text passwords
• Installing advertisement add-ons
    Set up a fake website with some advertisements
    Negotiate a deal with hosting companies that pay for clicks on ads
    Bots click on the pop-ups
• Manipulating online polls/games
• Mass identity theft – “phishing mails”
• Spreading new malware
How Malware Spreads?
• Malware is a program that must be triggered or somehow
executed before it can infect your computer system and spread to
others.
• Here are some examples on how malware is distributed:
a) Social network
b) Pirated software
c) Removable media
d) Emails
e) Websites
Damages
1. Data Loss - Many viruses and Trojans will attempt to delete files or wipe hard drives
when activated, but even if you catch the infection early, you may have to delete
infected files.

2. Account Theft
• Many types of malware include keylogger functions, designed to steal accounts and
passwords from their targets.
• This can give the malware author access to any of the user's online accounts, including
email servers from which the hacker can launch new attacks.

3. Botnets
• Many types of malware also subvert control over the user's computer, turning it into a
"bot" or "zombie."
• Hackers build networks of these commandeered computers, using their combined
processing power for tasks like cracking password files or sending out bulk emails.
Damages (contd.)
4. Financial Losses
• If a hacker gains access to a credit card or bank account via a keylogger,
he can then use that information to run up charges or drain the
account.
• Given the popularity of online banking and bill payment services, a
hacker who manages to secrete a keylogger on a user's system for a full
month may gain access to the user's entire financial portfolio, allowing
him to do as much damage as possible in a single attack.
How Can You Protect Your Computer?
• Install protection software.
• Practice caution when working with files from unknown or
questionable sources.
• Do not open e-mail if you do not recognize the sender.
• Download files only from reputable Internet sites.
• Install a firewall.
• Scan your hard drive for viruses monthly.
Symptoms
• Increased CPU usage
• Slow computer or web browser speeds
• Problems connecting to networks
• Freezing or crashing
• Modified or deleted files
• Appearance of strange files, programs, or desktop icons
• Programs running, turning off, or reconfiguring themselves (malware will often
reconfigure or turn off antivirus and firewall programs)
• Strange computer behavior
• Emails/messages being sent automatically and without user’s knowledge (a friend
receives a strange email from you that you did not send)
• There seems to be a lot of network activity when you are not using the network
• The available memory on your computer is lower than it should be
• Programs or files appear or disappear without your knowledge
• File names are changed
Anti-Malware Program
• Anti-Malware program is used to prevent, detect, and remove computer viruses,
worms, trojan horses and any other type of malware.
• Examples of Anti-Malware program:
– Antivirus program
– Anti-spyware program
– Anti-spam program
– Firewall

Antivirus Program
• “Antivirus" is protective software designed to defend your computer against
malicious software.
• In order to be an effective defense, the antivirus software needs to run in the
background at all times, and should be kept updated so it recognizes new versions of
malicious software.
Examples of Antivirus Program
• Norton Antivirus
• AVG
• Kaspersky
• Avast!
• PC-Cilin
• McAfee
• Avira
• Panda
• Etc.
Anti-Spyware Program
• Anti-spyware program is a type of program designed to prevent and detect unwanted spyware program installations and to remove those programs if installed.
• Examples of Anti-spyware program:
    Spyware Doctor
    AVG Anti-spyware
    STOPzilla
    Spysweeper

Anti-Spam Program
• Anti-spam software tries to identify useless or dangerous messages for
you.
Firewall
• A firewall blocks attempts to access your files over a network
or internet connection.
• It blocks incoming attacks.
• Your computer can become infected through shared disks or
even from another computer on the network, so you
need to monitor what your computer is putting out over
the network or internet also.
Summary
• Malicious code attacks work because of:
    Flaws in software design
    Vulnerabilities caused by insecure configurations
    Social engineering
    Human error and/or naïve users
    Persistence on the part of hackers