3. What is Malware?
Program or code
• Made up of two words
“Malicious” + “Software”.
• 'Malware' is an umbrella term
used to refer to a variety of
forms of hostile or intrusive
software, including
• viruses, worms, trojan
horses, spyware, adware
etc.
4. The purpose of Malware
• To subject the user to advertising
5. The purpose of Malware
• To launch DDoS on another service
6. The purpose of Malware
• To spread spam.
• To commit fraud, such as
identity theft
• For kicks (vandalism), and to
spread
FUD (fear, uncertainty, doubt)
• . . . and perhaps other
reasons
9. What exactly is a Virus?
Virus propagates by infecting other
programs
• It attaches itself to other programs or
file.
• But to propagate a human has to run
an infected program.
• A term mistakenly applied to trojans
and worms.
• Self-propagating viruses are often called
worms
10. • Many propagation methods
• Insert a copy into every executable
(.COM, .EXE)
• Insert a copy into boot sectors of
disks
• Infect common OS routines, stay in
memory
11. First Virus: Creeper
Written in 1971
Infected DEC PDP-10
machines running TENEX OS
Jumped from machine to machine over ARPANET
copied its state over, tried to delete old copy
Payload: displayed a message
“I’m the creeper, catch me if you can!”
Later, Reaper was written to hunt down Creeper
12. Types of Viruses
Parasitic Virus - attaches itself to executable files as
part of their code. Runs whenever the host program
runs.
Memory-resident Virus - Lodges in main memory as
part of the residual operating system.
Boot Sector Virus - infects the boot sector of a disk,
and spreads when the operating system boots up
(original DOS viruses).
Stealth Virus - explicitly designed to hide from Virus
Scanning programs.
Polymorphic - Virus - mutates with every new host to
prevent signature detection.
13. Virus Phases
Dormant - waits for a trigger to start replicating
Propagation - copies itself into other programs of the
same type on a computer. Spreads when the user
shares a file with another computer. Usually searches a
file for it’s own signature before infecting.
Triggering - starts delivering payload. Sometimes
triggered on a certain date, or after a certain time after
infection.
Execution - payload function is done. Perhaps it put a
funny message on the screen, or wiped the hard disk
clean. It may become start the first phase over again.
14. Okay, So Then What’s a Worm?
Similar to a virus, but propagates itself without human
interaction.
15. Six Components of Worms
1) Reconnaissance
2) Specific Attacks
3) Command Interface
4) Communication Mechanisms
5) Intelligence Capabilities
6) Unused and Non-attack Capabilities
21. Worm Propagation
Back-Chaining Propagation
The Cheese worm is an example of this type of
propagation where the attacking computer initiates a file
transfer to the victim computer. After initiation, the
attacking computer can then send files and any payload
over to the victim without intervention. Then the victim
becomes the attacking computer in the next cycle with a
new victim. This method of propagation is more reliable
then central source because central source data can be cut
off.
22. Worm Propagation
Central Source Propagation
This type of propagation involves a central location
where after a computer is infected it locates a source
where it can get code to copy into the compromised
computer then after it infects the current computer it
finds the next computer and then everything starts over
again. And example of the this kind of worm is the 1i0n
worm.
23. Worm Propagation
Autonomous Propagation
Autonomous worms attack the victim
computer and insert the attack instructions
directly into the processing space of the victim
computer which results in the next attack
cycle to initiate without any additional file
transfer. Code Red is an example of this type
of worm. The original Morris worm of 1988
was of this nature as well.
24. Yeah, but what’s a Trojan?
A small program that is designed to appear
desirable but is in fact malicious
Must be run by the user
Do not replicate themselves
Used to take over a computer, or steal/delete data
Good Trojans will not:
alert the user
alter the way their computer works
25. TROJANS
Trojan Horses can install backdoors, perform malicious scanning, monitor
system logins and other malicious activities.
Majority of modern trojan horses are backdoor utilities
Sub Seven
Netbus
Back Orifice
Feature set usually includes remote control, desktop viewing, http/ftp server,
file sharing, password collecting, port redirection
Some of these trojan horses can be used as legitimate remote
administration tools
Other trojans are mostly programs that steal/delete data or can drop viruses
26. HOW MALWARE SPREADS…
Just by visiting seemingly harmless website. DRIVE BY
DOWNLOAD.
By mails, attachments, links.
By physical media.
Software vulnerabilities or bugs.
28. ANTI-MALWARE
Softwares developed to combat all types of Malwares.
Are they different from Anti-Viruses?
Viruses were extremely “popular” in the ‘90s, which is when the
term “Antivirus” became common.
but today viruses are the minority when it comes to malware.
So, nearly all anti-virus provides security from most of the
malwares.
29. So the difference…
ANTI-VIRUS
usually deals with the older,
more established threats, such
as Trojans, viruses, and worms
protects users from lingering,
predictable-yet-still-dangerous
malware.
best at crushing malware
you might contract from a
traditional source, like a USB
or an email attachment
ANTI-MALWARE
typically focuses on newer stuff,
such as polymorphic malware and
malware delivered by zero-day
exploits
protects users from the latest,
currently in the wild, and even
more dangerous threats.
updates its rules faster than
antivirus, meaning that it's the
best protection against new
malware you might encounter
while surfing the net
31. Anti-Malware Engine
Scanning
• Monitor and examines various locations on computer like
hard disk, registry.
• If change has been made to a critical component, it could
be sign of infection
Detection
• Matching with the definition list.
• Classifying as appropriate type such as virus, spyware or
Trojans.
Removal
32.
33. Common challenges…
RootKits
• Program that can hide files, registry entries, network traffic, or
other information.
• Kernel mode rootkit could tamper with operating system at
lowest level.
Blended Threats
• Combined characteristics of viruses, worms and spyware.
Performance
• Maintaining high level performance on machine is critical.
Classification
• Understand the nature of threat.
• Wide variety of nature and context make it difficult to manage.
34. Two Approaches of Scanning
1.Specific Scanning
• signature detection
• the application scans files to look for known viruses
matching definitions in a “dictionary”.
• after recognizing the malicious software the antivirus
software can take one of the following actions:
1. attempt to repair the file by removing the virus itself from
the file.
2. quarantine the file.
3. or delete the file completely.
35. Generic Scanning
Generic scanning is also referred to as the suspicious
behavior approach.
Used when new malware appear.
In this method the software does not look for a specific
signature but instead monitors the behavior of all
applications.
if anything questionable is found by the software the
application is quarantined and a warning is broadcasted to
the user about what the program may be trying to do.
36. Generic Scanning
if the software is found to be a virus the user can send it to
a virus vendor
researchers examine it, determine its signature, name and
catalogue it and release antivirus software to stop its
spread.
37. Two Other Approaches
Heuristic analysis
another form of generic scanning
The sandbox method
38. Heuristic Analysis
software tries to emulate the beginning of the code
of each new executable that the system invokes
before transferring control to that executable.
if the program attempts to use self-modifying code
or appears to be a virus, it’s assumed the virus has
infected the executable.
there are many false positives in this approach.
39. Sandboxing
in this approach an antivirus program will take
suspicious code and run it in a “virtual machine” to
see the purpose of the code and exactly how the
code works.
after the program is terminated the software
analyzes the sandbox for any changes, which
might indicate a virus.