Mirza Adnan Baig
Software deliberately designed to harm
Malicious software program causes undesired
actions in information systems.
Spreads from one system to another through:
1. E-mail (through attachments)
2. Infected floppy disks
3. Downloading / Exchanging of corrupted files
4. Embedded into computer games
These are the programs that spread to other
software in the system .i.e., program that
incorporates copies of itself into other programs.
Two major categories of viruses:
1. Boot sector virus : infect boot sector of systems.
activate while booting machine
2. File virus : infects program files.
activates when program is
Dormant phase - the virus is idle
Propagation phase - the virus places an
identical copy of itself into other programs
Triggering phase – the virus is activated to
perform the function for which it was
Execution phase – the function is performed
Henric Johnson 6
modified & fully
& different code
every time when
virus is copied &
transmitted to a
detect & remove.
tricks make the
the code difficult.
methods used to
design code, so
difficult to repair
has made to
files or to the
false values to
they read files
or data from
shell, instead of
Identifying Viruses :
A virus is a unique program.
It as a unique object code.
The pattern of object code and where it is inserted
provides a signature to the virus program.
This virus signature can be used by virus scanners to
identify and detect a particular virus.
Some viruses try to hide or alter their signature:
Random patterns in meaningless places.
Self modifying code – metamorphic, polymorphic
Encrypt the code, change the key frequently.
Effect of Virus attack on computer system
Virus may affect user’s data in memory –
Virus may affect user’s program – overwriting.
Virus may also overwrite system’s data or
programs – corrupting it – disrupts normal
operation of system.
“Smashing the Stack” – Buffer overflow due to
execution of program directed to virus code.
prevention - ideal solution but difficult
if detect but can’t identify or remove, must
discard and replace infected program
virus & antivirus tech have both evolved
early viruses simple code, easily removed
as become more complex, so must the
first - signature scanners
second - heuristics
third - identify actions
fourth - combination packages
runs executable files through GD scanner:
CPU emulator to interpret instructions
virus scanner to check known virus signatures
emulation control module to manage process
lets virus decrypt itself in interpreter
periodically scan for virus signatures
issue is long to interpret and scan
tradeoff chance of detection vs time delay
Rabbit : This malicious software replicates
itself without limits. Depletes some or all the
Re-attacks the infected systems – difficult
Exhausts all the system’s resources such as CPU
time, memory, disk space.
Depletion of resources thus denying user access
to those resources.
Hoaxes : False alerts of spreading viruses.
e.g., sending chain letters.
message seems to be important to recipient,
forwards it to other users – becomes a chain.
Exchanging large number of messages (in chain)
floods the network resources – bandwidth wastage.
Blocks the systems on network – access denied due
to heavy network traffic.
A Trojan horse (or Trojan) is a malware program
that appears to perform some useful task, but
which also does something with negative
consequences (e.g., launches a keylogger).
Trojan horses can be installed as part of the
payload of other malware but are often installed
by a user or administrator, either deliberately or
A "time bomb" is simply a Trojan horse set to
trigger at a particular time/date.
one of oldest types of malicious software
code embedded in legitimate program
activated when specified conditions met
◦ eg presence/absence of some file
◦ particular date/time
◦ particular user
when triggered typically damage system
◦ modify/delete files/disks, halt machine, etc
Trojans currently have largest infection potential
◦ Often exploit browser vulnerabilities
◦ Typically used to download other malware in multi-stage attacks
Report, April 2009
1. Remote access Trojan takes full control of
your system and passes it to the hacker.
2. The data-sending Trojan sends data back to
the hacker by means of e-mail.
e.g., Key-loggers – log and transmit each
3. The destructive Trojan has only one purpose: to
destroy and delete files. Unlikely to be detected
by anti-virus software.
4. The denial-of-service (DOS) attack Trojans
combines computing power of all
computers/systems it infects to launch an attack
on another computer system. Floods the system
with traffic, hence it crashes.
5. The proxy Trojans allows a hacker to turn user’s
computer into HIS (Host Integration Server) server
– to make purchases with stolen credit cards and
run other organized criminal enterprises in
particular user’s name.
6. The FTP Trojan opens port 21 (the port for
FTP transfer) and lets the attacker connect
to your computer using File Transfer
7. The security software disabler Trojan is
designed to stop or kill security programs
such as anti-virus software, firewalls, etc.,
without you knowing it.
Transmitting medium :
1. spam or e-mail
2. a downloaded file
3. a disk from a trusted source
4. a legitimate program with the Trojan inside.
Trojan looks for your personal information and
sends it to the Trojan writer (hacker). It can also
allow the hacker to take full control of your
For example, you download what appears
to be a movie or music file, but when you
click on it, you unleash a dangerous
program that erases your disk, sends your
credit card numbers and passwords to a
stranger, or lets that stranger hack your
computer to commit illegal Denial of service
1. Clean Re-installation:
Back up your entire hard disk, format the
disk, re-install the operating system and all
your applications from original CDs.
2. Anti-Virus Software:
Anti-virus software is always going to be playing
catch up with active virus on the system. Make
sure your computer has an anti virus program on
it and update it regularly. If you have an auto-
update option included in your anti-virus
program you should turn it on; that way if you
forget to update your software you can still be
protected from threats
These programs are the most effective against
Trojan horse attacks, because they specialize in
Trojans instead of general viruses.
NEVER download blindly from people or sites which you
aren't 100% sure about
Even if the file comes from a friend, you still must be
sure what the file is before opening it
NEVER use features in your programs that automatically
get or preview files
Never blindly type commands that others tell you to
type, or go to web addresses mentioned by strangers,
or run pre-fabricated programs or scripts
A simple example of a trojan horse would be a
program named “waterfalls.scr" claiming to be a free
waterfall screensaver which, when run, instead would
allow access to the user's computer remotely.
AIDS, also known as Aids Info Disk or PC Cyborg
Trojan, is a trojan horse that replaces the
AUTOEXEC.BAT file, which would then be used by AIDS
to count the number times the computer has booted.
Once this boot count reaches 90, AIDS hides
directories and encrypts the names of all files on drive
C: (rendering the system unusable).
Spyware programs explore the files in an
Information forwarded to an address specified in
Spyware can also be used for investigation of
software users or preparation of an attack.
Secret undocumented entry point to the program.
An example of such feature is so called back door,
which enables intrusion to the target by passing user
A hole in the security of a system deliberately left in
place by designers or maintainers.
Trapdoor allows unauthorized access to the system.
Only purpose of a trap door is to "bypass" internal
controls. It is up to the attacker to determine how
this circumvention of control can be utilized for his
program that spreads copies of itself through a
Does irrecoverable damage to the computer system.
Stand-alone program, spreads only through
Also performs various malicious activities other than
spreading itself to different systems e.g., deleting
1. Deleting files and other malicious actions
2. Communicate information back to attacker
e.g., passwords, other proprietary
3. Disrupt normal operation of system, thus
denial of service attack (DoS) – due to re-
infecting infected system.
4. Worms may carry viruses with them.
Means of spreading Infection by Worms :
Infects one system, gain access to trusted host lists
on infected system and spread to other hosts.
Another method of infection is penetrating a
system by guessing passwords.
By exploiting widely known security holes, in case,
password guessing and trusted host accessing
e.g., A well-known example of a worm is the
ILOVEYOU worm, which invaded millions of
computers through e-mail in 2000.
◦ July 2001 exploiting MS IIS bug
◦ probes random IP address, does DDoS attack
Code Red II variant includes backdoor
◦ early 2003, attacks MS SQL Server
◦ mass-mailing e-mail worm that appeared in
◦ installed remote access backdoor in infected
Warezov family of worms
◦ scan for e-mail addresses, send in attachment
first appeared on mobile phones in 2004
target smartphone which can install s/w
they communicate via Bluetooth or MMS
to disable phone, delete data on phone, or
send premium-priced messages
CommWarrior, launched in 2005
replicates using Bluetooth to nearby phones
and via MMS using address-book numbers
overlaps with anti-virus techniques
once worm on system A/V can detect
worms also cause significant net activity
worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting
Preventing infection by malicious software :
Use only trusted software, not pirated software.
Test all new software on isolated computer system.
Regularly take backup of the programs.
Use anti-virus software to detect and remove viruses.
Update virus database frequently to get new virus
Install firewall software, which hampers or prevents the
functionality of worms and Trojan horses.
Make sure that the e-mail attachments are secure.
Do not keep a floppy disk in the drive when starting a
program, unless sure that it does not include malicious
software, else virus will be copied in the boot sector.
Webopedia.com. Trojan Horse. Retrieved Nov 8, 2003 from website:
Staffordshire University, Information & Security Team (Jun 8,
2002). Information Systems Security Guidelines. Retrieved
Nov 10, 2003 from website:
M.E.Kabay, Norwich University, VT (2002). Malicious Software.
Retrieved Nov 9, 2003 from website:
Computer Emergency Response Team (CERT), Information Security (Jul
2, 2002). Malicious Software – general. Retrieved Nov 10, 2003 from