Malware refers to malicious software like viruses, worms, and trojans. Viruses propagate by infecting other programs and spread when an infected program is run. Worms propagate without human interaction by exploiting vulnerabilities. Trojans appear desirable but are malicious, and must be run by the user. Malware spreads through websites, email attachments, links, and removable media. Anti-malware software uses signatures and behavior analysis to detect and remove malware through scanning, detection, and removal capabilities.

1. MALWARE &
ANTI-MALWARE
BY: ARPIT MITTAL

2. CONTENTS
MALWARE
PURPOSE OF MALWARES
TYPES OF MALWARE
VIRUSES, WORMS, TROJANS
HOW MALWARE SPREADS

3. What is Malware?
 Program or code
• Made up of two words
“Malicious” + “Software”.
• 'Malware' is an umbrella term
used to refer to a variety of
forms of hostile or intrusive
software, including
• viruses, worms, trojan
horses, spyware, adware
etc.

4. The purpose of Malware
• To subject the user to advertising

5. The purpose of Malware
• To launch DDoS on another service

6. The purpose of Malware
• To spread spam.
• To commit fraud, such as
identity theft
• For kicks (vandalism), and to
spread
FUD (fear, uncertainty, doubt)
• . . . and perhaps other
reasons

7. Types of Malware

8. But we willbediscussing….
MALWARE
WORMS
VIRUSES TROJAN
HORSES

9. What exactly is a Virus?
Virus propagates by infecting other
programs
• It attaches itself to other programs or
file.
• But to propagate a human has to run
an infected program.
• A term mistakenly applied to trojans
and worms.
• Self-propagating viruses are often called
worms

10. • Many propagation methods
• Insert a copy into every executable
(.COM, .EXE)
• Insert a copy into boot sectors of
disks
• Infect common OS routines, stay in
memory

11. First Virus: Creeper
 Written in 1971
 Infected DEC PDP-10
 machines running TENEX OS
 Jumped from machine to machine over ARPANET
 copied its state over, tried to delete old copy
 Payload: displayed a message
 “I’m the creeper, catch me if you can!”
 Later, Reaper was written to hunt down Creeper

12. Types of Viruses
 Parasitic Virus - attaches itself to executable files as
part of their code. Runs whenever the host program
runs.
 Memory-resident Virus - Lodges in main memory as
part of the residual operating system.
Boot Sector Virus - infects the boot sector of a disk,
and spreads when the operating system boots up
(original DOS viruses).
Stealth Virus - explicitly designed to hide from Virus
Scanning programs.
Polymorphic - Virus - mutates with every new host to
prevent signature detection.

13. Virus Phases
Dormant - waits for a trigger to start replicating
Propagation - copies itself into other programs of the
same type on a computer. Spreads when the user
shares a file with another computer. Usually searches a
file for it’s own signature before infecting.
Triggering - starts delivering payload. Sometimes
triggered on a certain date, or after a certain time after
infection.
Execution - payload function is done. Perhaps it put a
funny message on the screen, or wiped the hard disk
clean. It may become start the first phase over again.

14. Okay, So Then What’s a Worm?
Similar to a virus, but propagates itself without human
interaction.

15. Six Components of Worms
1) Reconnaissance
2) Specific Attacks
3) Command Interface
4) Communication Mechanisms
5) Intelligence Capabilities
6) Unused and Non-attack Capabilities

16. Reconnaissance
• Target identification
• Active methods
• scanning
• Passive methods
• OS fingerprinting
• traffic analysis

17. Specific Attacks
• Exploits
• buffer overflows, cgi-bin, etc.
• Trojan horse injections
• Limited in targets
• Two components
• local, remote

18. Command Interface
• Interface to compromised system
• administrative shell
• network client
• Accepts instructions
• person
• other worm node

19. communications
 Information transfer
 Protocols
 Stealth concerns

20. Intelligence Database
 Knowledge of other
nodes
 Concrete vs. abstract
 Complete vs.
incomplete

21. Worm Propagation
Back-Chaining Propagation
The Cheese worm is an example of this type of
propagation where the attacking computer initiates a file
transfer to the victim computer. After initiation, the
attacking computer can then send files and any payload
over to the victim without intervention. Then the victim
becomes the attacking computer in the next cycle with a
new victim. This method of propagation is more reliable
then central source because central source data can be cut
off.

22. Worm Propagation
Central Source Propagation
This type of propagation involves a central location
where after a computer is infected it locates a source
where it can get code to copy into the compromised
computer then after it infects the current computer it
finds the next computer and then everything starts over
again. And example of the this kind of worm is the 1i0n
worm.

23. Worm Propagation
Autonomous Propagation
Autonomous worms attack the victim
computer and insert the attack instructions
directly into the processing space of the victim
computer which results in the next attack
cycle to initiate without any additional file
transfer. Code Red is an example of this type
of worm. The original Morris worm of 1988
was of this nature as well.

24. Yeah, but what’s a Trojan?
A small program that is designed to appear
desirable but is in fact malicious
Must be run by the user
Do not replicate themselves
Used to take over a computer, or steal/delete data
Good Trojans will not:
alert the user
alter the way their computer works

25. TROJANS
 Trojan Horses can install backdoors, perform malicious scanning, monitor
system logins and other malicious activities.
 Majority of modern trojan horses are backdoor utilities
 Sub Seven
 Netbus
 Back Orifice
 Feature set usually includes remote control, desktop viewing, http/ftp server,
file sharing, password collecting, port redirection
 Some of these trojan horses can be used as legitimate remote
administration tools
 Other trojans are mostly programs that steal/delete data or can drop viruses

26. HOW MALWARE SPREADS…
Just by visiting seemingly harmless website. DRIVE BY
DOWNLOAD.
By mails, attachments, links.
By physical media.
Software vulnerabilities or bugs.

27. Anti-MALWARE

28. ANTI-MALWARE
Softwares developed to combat all types of Malwares.
Are they different from Anti-Viruses?
 Viruses were extremely “popular” in the ‘90s, which is when the
term “Antivirus” became common.
 but today viruses are the minority when it comes to malware.
 So, nearly all anti-virus provides security from most of the
malwares.

29. So the difference…
ANTI-VIRUS
 usually deals with the older,
more established threats, such
as Trojans, viruses, and worms
 protects users from lingering,
predictable-yet-still-dangerous
malware.
 best at crushing malware
you might contract from a
traditional source, like a USB
or an email attachment
ANTI-MALWARE
 typically focuses on newer stuff,
such as polymorphic malware and
malware delivered by zero-day
exploits
 protects users from the latest,
currently in the wild, and even
more dangerous threats.
 updates its rules faster than
antivirus, meaning that it's the
best protection against new
malware you might encounter
while surfing the net

30. Effective Anti-Malware Strategy
Core Product
Research Team
Update infrastructure

31. Anti-Malware Engine
Scanning
• Monitor and examines various locations on computer like
hard disk, registry.
• If change has been made to a critical component, it could
be sign of infection
 Detection
• Matching with the definition list.
• Classifying as appropriate type such as virus, spyware or
Trojans.
 Removal

33. Common challenges…
RootKits
• Program that can hide files, registry entries, network traffic, or
other information.
• Kernel mode rootkit could tamper with operating system at
lowest level.
 Blended Threats
• Combined characteristics of viruses, worms and spyware.
 Performance
• Maintaining high level performance on machine is critical.
 Classification
• Understand the nature of threat.
• Wide variety of nature and context make it difficult to manage.

34. Two Approaches of Scanning
1.Specific Scanning
• signature detection
• the application scans files to look for known viruses
matching definitions in a “dictionary”.
• after recognizing the malicious software the antivirus
software can take one of the following actions:
1. attempt to repair the file by removing the virus itself from
the file.
2. quarantine the file.
3. or delete the file completely.

35. Generic Scanning
 Generic scanning is also referred to as the suspicious
behavior approach.
 Used when new malware appear.
 In this method the software does not look for a specific
signature but instead monitors the behavior of all
applications.
 if anything questionable is found by the software the
application is quarantined and a warning is broadcasted to
the user about what the program may be trying to do.

36. Generic Scanning
 if the software is found to be a virus the user can send it to
a virus vendor
 researchers examine it, determine its signature, name and
catalogue it and release antivirus software to stop its
spread.

37. Two Other Approaches
 Heuristic analysis
 another form of generic scanning
 The sandbox method

38. Heuristic Analysis
 software tries to emulate the beginning of the code
of each new executable that the system invokes
before transferring control to that executable.
 if the program attempts to use self-modifying code
or appears to be a virus, it’s assumed the virus has
infected the executable.
 there are many false positives in this approach.

39. Sandboxing
 in this approach an antivirus program will take
suspicious code and run it in a “virtual machine” to
see the purpose of the code and exactly how the
code works.
 after the program is terminated the software
analyzes the sandbox for any changes, which
might indicate a virus.