This document discusses various types of malware including viruses, spyware, grayware, and phishing. It provides details on the characteristics and behaviors of viruses, how they replicate and spread. It also discusses signs of infection and methods for detecting, preventing, and remediating malware through antivirus software, firewalls, and user education. Common remediation steps mentioned include repairing infected files, quarantining them, or deleting them. The document also covers spyware, grayware, phishing attacks and their risks as well as countermeasures organizations can take to help protect against social engineering and malicious software threats.

1. Security
Frank H. Vianzon
Community College of Aurora

2. • A virus is a program that attempts to damage a computer
system and replicate itself to other computer systems. A virus
has the following characteristics: A virus requires a replication
mechanism which is a file that it uses as a host. When the host
file is distributed, the virus is also distributed. Viruses typically
attach to files with execution capabilities such as .doc, .exe,
and .bat extensions. Many viruses are distributed via e-mail
and are distributed to everyone in your address book.
• The virus only replicates when an activation mechanism is
triggered. For example, each time the infected file or program
is executed, the virus is activated.
• The virus is programmed with an objective, which is usually to
destroy, compromise, or corrupt data.
• Originally some viruses were created for nuisance
Virus

3. • Win32/Conficker
• This virus is a network worm and exploits the RPC sub-system vulnerability present
in the Microsoft Windows operating system, allowing an attacker to remotely attack a
computer without valid user credentials. Win32/Conficker infects the computer using
unsecured folders, removable medium or by making use of Autorun facility enabled
by default in windows. This threat contacts other domain names
to download additional malicious code.
•
•
•
•
•
•
•
•
Win32/PSW.OnlineGames
Win32/Agent
Win32/FlyStudio
INF/Conflicker
INF/Autorun
Win32/Pacex.Gen
WMA/TrojanDownload.GetCodec
Win32/Qhost
http://www.techonzo.com/2010/03/9-computer-viruses-you-should-be-awareabout/
*Windows Virus

4. Virus Scans
•
•
•
Trend Micro
Norton
McAfee
• Keep them updated?
Daily?
Every 4 hours
• Look for processes
•
Task Manager
Look for connections
•
Net Stat
Common symptoms of malware on your system include:
•
•
•
•
•
•
•
•
•
The browser home page or default search page has changed.
Excessive pop-ups or strange messages being displayed.
Firewall alerts about programs trying to access the Internet.
System errors about corrupt or missing files.
File extension associations have changed to open files with a different program.
Files that disappear, are renamed, or are corrupt.
New icons appear on the desktop or taskbar, or new toolbars show in the browser.
The firewall or antivirus software is turned off, or you can't run antivirus scans.
The system won't boot.
*How to detect
•
•

5. Some malicious software can hide itself such that there
might not be any obvious signs of its presence. Other
symptoms of an infection include:
• Slow Internet access.
• Excessive network traffic, or traffic during times when no
activity should be occurring.
• Excessive CPU or disk activity.
• Low system memory.
• An unusually high volume of outgoing e-mail, or e-mail
sent during off hours.

6. Additional Countermeasures
• Install anti-virus scanning software on e-mail servers.
Attachments are scanned before e-mail is delivered. You can
also block all attachments to prevent any unwanted
software, but this can also block needed attachments as
well.
• Implement spam filters and real-time blacklists. When
implementing filters, be sure not to make the filters too
broad, otherwise legitimate e-mails will be rejected.
• Train users to use caution when downloading software or
responding to e-mail.
• Train users to update the virus definition files frequently
and to scan removable storage devices before copying files.
• Disable scripts when previewing or viewing e-mail.
• Implement software policies that prevent downloading
software from the Internet.

7. Additional Countermeasures
• Keep your operating system files up to date; apply securityrelated hotfixes as they are released.
• In highly-secured areas, remove removable drives (such as
recordable optical drives and USB drives) to prevent
unauthorized software from entering a system. Show full
file extensions on all files. Viruses, worms, and Trojans
often make use of double file extensions to change the
qualities of files that are normally deemed harmless. For
example, adding the extension .TXT.EXE to a file will make
the file appear as a text file in an attachment, when in reality
it is an executable.
• Train users about the dangers of downloading software and
the importance of anti-malware protections. Teach users to
scan files before running them, and make sure they keep the
virus protection definition files up to date.

8. • Computers must meet certain health requirements before they
are allowed to connect to the network. These requirements
might include having the latest security patches installed,
having antivirus software, or having completed a recent
antivirus scan.
• Computers that meet the health requirements are given access
to the network; computers that do not pass the health checks are
denied full access.
• Remediation for unhealthy computers provides resources to fix
the problem. For example, the computer might be given limited
network access in order to download and install the required
antivirus software.
• Network Access Protection (NAP) is Microsoft's
implementation of NAC.
Additional Countermeasures
• Network Access Control (NAC) is a network-based solution
that prevents unprotected computers from connecting to the
network. With NAC:

9. Spyware is software that is installed without the user's
consent or knowledge, designed to intercept or take partial
control over the user's interaction with the computer.
• Spyware: Is installed on your machine by visiting a
particular Web page or running a particular application.
• Can interfere with user control of the computer such as
installing additional software, changing computer settings,
and redirecting Web browser activity. – Ever Google
search and cannot go back?
Spyware

10. • Collects various types of
personal information, such as
Internet surfing habits and
passwords, and sends the
information back to its
originating source.
• Cookies are text files that are
stored on a computer to save
information about your
preferences, browser settings,
and Web page preferences.
• Cookies are often used for
legitimate purposes on ecommerce sites, but can be read
or used for malicious purposes
by spyware and other software.
• Uses tracking cookies to collect
and report a user's activities.
Spyware

11. • Grayware is software that might offer a
legitimate service, but which also includes
features that you aren't aware of or features
that could be used for malicious purposes.
Grayware is often installed with the user's
permission, but without the user fully
understanding what they are adding.
• Features included with grayware might be
identified in the end user license agreement
(EULA), or the features could be hidden or
undocumented. The main objection to
grayware is that the end user cannot easily tell
what the application does or what was added
with the application.
Grayware

12. • Repair the infection. Repair is possible for true viruses that have
attached themselves to valid files. During the repair, the virus is
removed and the file is placed back in its original state (if possible).
• Quarantine the file. Quarantine moves the infected file to a secure
folder where it cannot be opened or run normally. You might
quarantine an infected file that cannot be repaired to see if another
tool or utility might be able to recover the file at another time.
• Delete the file. You should delete files that are malicious files such
as worms, Trojan horse programs, or spyware or adware programs.
In addition, you should periodically review the quarantine folder
and delete any files you do not want to recover.
• *System Restore?
• *Format and Recover!
Remediation
• Remediation is the process of correcting any problems that are
found. Most antivirus software remediates problems automatically
or semi-automatically (i.e. you are prompted to identify the action
to take). Possible actions in response to problems are:

13. • Spam is unwanted and
unsolicited e-mail sent to
many recipients. Spam: Can
be benign as e-mails trying to
sell products.
• Can be malicious containing
phishing scams or malware as
attachments.
• Wastes bandwidth and could
fill the inbox, resulting in a
denial of service condition
where users can no longer
receive e-mails.
Spam

14. •
•
•
•
•
Dumpster Diving
Shoulder Surfing
Piggybacking
Eavesdropping
Masquerading
• Phishing – where do you see phishing now?

15. Countermeasures
•
•
•
•
•
•
•
Train employees to demand proof of identity over the phone and in person.
Define values for types of information, such as dial-in numbers, user names, passwords,
network addresses, etc. The greater the value, the higher the security around those items
should be maintained.
If someone requests privileged information, have employees find out why they want it
and whether they are authorized to obtain it.
Verify information contained in e-mails and use bookmarked links instead of links in emails to go to company Web sites.
Dispose of sensitive documents securely, such as shredding or incinerating.
Dispose of disks and devices securely by shredding floppy disks or overwriting disks
with all 1's, all 0's, then all random characters.
Verify information from suspicious e-mails by visiting two or more well-known
malicious code threat management Web sites. These sites can be your antivirus vendor or
a well-known and well-regarded Internet security watch group.

16. • Phishing uses an e-mail
and a spoofed Web site to
gain sensitive information.
In a phishing attack: A
fraudulent message that
appears to be legitimate is
sent to a target.
• The message requests the
target to visit a Web site
which also appears to be
legitimate.
• The fraudulent Web site
requests the victim to
provide sensitive
information such as the
account number and
password.
Phishing

18. • Hoax virus information e-mails is a form of a phishing
attack. This type of attack preys on e-mail recipients who
are fearful and will believe most information if it is
presented in a professional manner. All too often, the
victims of these attacks fail to double check the
information or instructions with a reputable third party
antivirus software vendor before implementing the
recommendations. Usually these hoax messages instruct
the reader to delete key system files or download Trojan
horses.
Phishing with Hoax Virus

19. • New scam involving
text messages
• Call the bank
because your card
has been cancelled
*Phishing with Text

20. • Spear phishing is an e-mail spoofing fraud attempt that
targets a specific organization, seeking unauthorized access
to confidential data. Spear phishing attempts are not
typically initiated by "random hackers" but are more likely
to be conducted by perpetrators out for financial gain, trade
secrets or military information
•
•
•
•
•
Facebook
LinkedIn
eBay/Paypal
Click here to see your grade
Other social media
So why have a facebook at all?
*Spear Phishing

21. Depends on three things
1. The apparent source must appear to be a
known and trusted individual,
2. there is information within the message that
supports its validity
3. the request the individual makes seems to
have a logical basis.
Combine with Social Engineering
*Spear Phishing

22. Countermeasures
The most effective countermeasure for social engineering is
employee awareness training on how to recognize social
engineering schemes and how to respond appropriately.
Specific countermeasures include:
• Train employees to demand proof of identity over the phone
and in person.
• Define values for types of information, such as dial-in
numbers, user names, passwords, network addresses, etc.
The greater the value, the higher the security around those
items should be maintained.
• If someone requests privileged information, have employees
find out why they want it and whether they are authorized to
obtain it.
• Verify information contained in e-mails and use
bookmarked links instead of links in e-mails to go to
company Web sites.

23. Counter Measures
• Dispose of sensitive documents securely, such as
shredding or incinerating.
• Dispose of disks and devices securely by shredding
floppy disks or overwriting disks with all 1's, all 0's,
then all random characters.
• Verify information from suspicious e-mails by visiting
two or more well-known malicious code threat
management Web sites. These sites can be your antivirus
vendor or a well-known and well-regarded Internet
security watch group.

24. BIOS Security
BIOS Passwords
Chassis Intrusion Detection
Hard Disk Password
TPM

25. • You cannot read the passwords from the disk.
• You cannot move the drive to another system to access the
disk without the password (the password moves with the disk).
• You cannot format the disk to remove the passwords.
Hard Disk Password
• Some portable computers allow you to set a password on a
hard disk. When set, the password must be given at system
startup or the disk cannot be used.
• Hard disk passwords are part of the ATA specifications so
they are not dependent upon a specific disk manufacturer.
• There are two different passwords: user and master.
• Set the password(s) by using the CMOS program. Some
programs do not allow you to set a password, only let you
set the user password, or let you set both a user and a
master password.
• Passwords are saved on the hard disk.

26. Hard Disk Password
• If you forget the user password, use the master password
to access the drive. If you do not know either password,
you cannot access any data on the drive.
• Most drives allow a limited number of incorrect
password attempts. After that time, you must restart the
system to try entering additional passwords. You can try
as long as you want, but constantly restarting the system
makes guessing the password a tedious job.
• Drives might ship with a default master password.
However, these passwords (if they exist) are not publicly
available and cannot be obtained from disk
manufacturers.
• Setting a hard disk password is sometimes referred to as
locking the hard disk.

27. Trusted Platform Module
(TPM)
• A TPM is a special chip on the motherboard that
generates and stores cryptographic keys. Use the
CMOS program to initialize the TPM.
• During initialization, you set a TPM owner
password. The TPM password is required to
manage TPM settings.
• The TPM includes a unique key on the chip that
can be used for hardware system identification.
• The TPM can generate a cryptographic key or hash
based on the hardware in the system, and use this
key value to verify that the hardware has not
changed. This value can be used to prevent the
system from booting if the hardware has changed.
• The TPM can be used by applications to generate
and save keys that are used with encryption.

28. Trusted Platform Module
(TPM)
• *Protects encrypted keys
• *Together with the BIOS, the TPM forms a Root of
Trust: The TPM contains several PCRs (Platform
Configuration Registers) that allow a secure storage
and reporting of security relevant metrics. These
metrics can be used to detect changes to previous
configurations and derive decisions how to proceed. A
good example can be found in Microsoft's BitLocker
Drive Encryption (see below).
• *Therefore the BIOS and the Operating System have
the primary responsibility to utilize the TPM to assure
platform integrity. Only then applications and users
running on that platform can rely on its security
characteristics such as secure I/O "what you see is what
you get", uncompromised keyboard entries, memory
and storage operations.