
HiLCoE School of Computer Science & Technology
A Summary: An Introduction to Malware
December 2020, Kaleb Berhanu | Amelia Abera


1 Malware

Malware is software used with the aim of breaching a computer system's security policy with respect to confidentiality, integrity or availability.

Malware is a contraction of "malicious software" and is the collective name for a number of malicious software variants, including viruses, worms, Trojans (often loosely called "Trojan viruses"), spyware, adware and ransomware.

AN INTRODUCTION TO MALWARE

Shorthand for malicious software, malware typically consists of code developed by cyberattackers, designed to cause extensive damage to data and systems or to gain unauthorized access to a network.

Malware is commonly delivered as a link or attachment in email and relies on the user clicking the link or opening the file to execute it; worms and drive-by downloads, by contrast, need no such user action.
2 Usage of Malware
Many early infectious programs, including the first Internet Worm, were written as
experiments or pranks.

Today, malware is used primarily to steal sensitive personal, financial, or business information
for the benefit of others.

Malware is sometimes used broadly against government or corporate websites to gather guarded information, or to disrupt their operation in general.

More often, malware is used against individuals to obtain personal information such as social security numbers, bank or credit card numbers, and so on.

Malware is commonly divided into a number of classes, depending on the way in which it is
introduced into the target system and the sort of policy breach which it is intended to cause.
3 Classification of Malware
Virus
Viruses are a subgroup of malware.

A virus is malicious code attached to a host file, typically an executable program or a document that supports macros, that runs when the host is executed or opened and copies itself into further hosts.

The medium that carries the infected file from one machine to another (an email attachment, a removable drive, a download) is often known as the vector of the virus.

Once on a machine, the virus lies dormant until the infected file is opened or run.

Viruses are designed to disrupt a system’s ability to operate. As a result, viruses can cause
significant operational issues and data loss.

Common categories of computer virus are: macro viruses, boot-sector viruses, logic bombs, directory viruses and resident viruses.
4 Classification of Malware
Worms

Worms are malicious software that replicates rapidly and spreads to other devices within the network.

Unlike viruses, worms do not need host programs to disseminate.

A worm infects a device via a downloaded file or a network connection and then multiplies and spreads at an exponential rate.

Like viruses, worms can severely disrupt the operations of a device and cause data loss.

Common categories of computer worm are: email worms, instant-messaging worms, Internet worms, IRC worms and file-sharing worms.
5 Classification of Malware
Trojan Horse (often called a "Trojan Virus")
Trojans are disguised as helpful software programs: the malicious code is embedded in a piece of software which has an apparently useful effect.

The useful effect is often known as the overt effect, as it is made apparent to the receiver, while the effect of the malware, known as the covert effect, is kept hidden from the receiver.

Once the user installs it, the Trojan can gain access to sensitive data and then modify, block or delete that data, and it can be extremely harmful to the performance of the device.

Unlike viruses and worms, Trojans are not designed to self-replicate; they spread because users are persuaded to run them.

Examples of Trojans are: remote access Trojans (RATs), backdoor Trojans (backdoors), IRC Trojans (IRC bots) and keylogging Trojans.
6 Classification of Malware
Spyware
Spyware is malicious software that runs secretly on a computer and reports back to a remote user.

Rather than simply disrupting a device's operations, spyware targets sensitive information and can grant remote access to attackers.

Spyware is often used to steal financial or personal information.

A specific type of spyware is a keylogger, which records your keystrokes to reveal passwords and
personal information.

Examples of spyware are: keyloggers, password stealers, infostealers and banking Trojans.


7 Classification of Malware
Adware
Adware is software that collects data on your computer usage in order to serve advertisements tailored to you.

While adware is not always dangerous, in some cases adware can cause issues for your system.

Adware can redirect your browser to unsafe sites, and it can even contain Trojan horses and spyware.
Additionally, significant levels of adware can slow down your system noticeably.

Because not all adware is malicious, it is important to have protection that constantly and intelligently scans these programs.

Examples of adware are: legitimate (consent-based) adware and potentially unwanted applications (PUAs).


8 Classification of Malware
Ransomware
Ransomware is malicious software that gains access to sensitive information within a system,
encrypts that information so that the user cannot access it, and then demands a financial payout for
the data to be released.

Ransomware is commonly part of a phishing scam.

By clicking a disguised link, the user downloads the ransomware.

The attacker encrypts the chosen data so that it can only be recovered with a decryption key that the attacker alone holds. When the attacker receives payment the key is supposed to be handed over, although payment does not guarantee that it is.

Examples of ransomware are: Bad Rabbit, Cerber, CryptoLocker, CrySiS and GoldenEye.


9 Classification of Malware
Fileless Malware
Fileless malware is a type of memory-resident malware.

As the term suggests, it is malware that operates from a victim’s computer’s memory, not from files on
the hard drive. Because there are no files to scan, it is harder to detect than traditional malware.

It also makes forensics more difficult because the malware disappears when the victim computer is
rebooted.

In 2017, the Cisco Talos threat intelligence team published an analysis of a fileless malware family that they called DNSMessenger, which ran entirely as PowerShell in memory and used DNS queries as its command channel.

Examples of fileless techniques are: a malicious link or document that launches a script straight into memory, malicious code injected into an already running process, and abuse of legitimate system tools that are already present on the host (such as PowerShell or WMI).


10 How Virus Spread

A virus spreads by embedding copies of itself into targeted files. It typically consists of two parts, each responsible for one of the characteristic actions which the virus performs:

Insertion code: Code to insert a copy of the virus into one or more files on the target. We shall call these the victim files.

Payload: Code to perform the malicious activity associated with the virus.

All viruses contain insertion code, but the payload is optional, since the virus may have been constructed just to reproduce itself without doing anything more damaging than that.

The payload may, however, produce serious damage, such as deleting all files on the hard disk or mounting a DoS attack by sending vast numbers of requests to a Web site.
Spreading condition:
The criterion for attempting to propagate the virus.

For example, if the virus is to infect the computer's boot program, this condition could be that the boot sector is uninfected.

Infection strategy:
The criterion for selecting the set of victim files.
If executable files are to be infected, this criterion might be to select files from some standard
library.
If the virus is based on the use of macros, files which support these macros should be looked for,
etc.
Code placement strategy:
The rules for placing code into the victim file.
The simplest strategy is of course to place it at the beginning or the end, but this is such an obvious idea that most antivirus programs would check there first.
Execution strategy:
The technique chosen for forcing the computer to execute the various parts of the virus and
the infected program

The code to achieve this is also something which might easily be recognised by an antivirus
system

Disguise strategy:
Although not seen directly in the schema, the designer may attempt to disguise the presence of the virus by including nonsense code, by encrypting or compressing the viral code, or in other ways.


The detailed action of the virus depends on a number of strategic choices, which in general depend on the effort the virus designer is prepared to put into avoiding detection by antivirus systems.
Example:
First it is necessary to understand the layout of files which contain executable programs or libraries: a header followed by a table of section headers, each giving the size and file position of one section.
Several of these fields are obvious targets for a virus to manipulate. By changing the sizes or positions given in the section headers it is possible to make room for extra, malicious code within an executable.

Since a section's data on disk is always padded to an integral number of alignment units (sectors, or the file alignment recorded in the header, typically 512 bytes), regardless of its real size, this expansion will not necessarily change the size of the file: the extra code can be fitted into the "waste space" (slack) at the end of the section's last sector.

If there is no single section with enough waste space, the malicious code can be divided among several sections.

A common arrangement is for the largest area of waste space to be used to contain a small loader which can load the remaining pieces of the virus code as required.

One of the tests used for selecting the set of victim files would then typically be that they must
contain a contiguous area of waste space which is large enough to hold the virus loader

Dividing the virus code up into small pieces also helps the virus designer to avoid detection, as the antivirus system will find it difficult to recognise a signature which is spread out over several regions of the file.
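An added example (not part of the original slides or the authors' material): the Python below builds a constructed, minimal PE32 image, parses its section table, and measures the zero-filled waste space at the end of each section's raw data, then applies the victim-file test just described (is there a contiguous cave at least as large as the loader?) and a defender-side check for section headers whose claims no longer match the bytes. The 512-byte file alignment, the section contents and the 64-byte stand-in loader are assumptions made for the example; no real executable or virus code is involved.

```python
import struct

FILE_ALIGNMENT = 0x200  # assumed 512-byte on-disk alignment, the usual PE default


def _align(n, a=FILE_ALIGNMENT):
    return -(-n // a) * a


def build_sample_pe(sections):
    """Build a minimal PE32 image (constructed for this example, not a runnable
    program) from (name, content) pairs. Each section's raw data is padded to
    FILE_ALIGNMENT, and that padding is the "waste space" the text describes."""
    num = len(sections)
    opt_size = 96                                        # PE32 optional header, no data directories
    headers_end = _align(64 + 4 + 20 + opt_size + 40 * num)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C: "PE\0\0" sits at 64
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<III", 0x400000, 0x1000, FILE_ALIGNMENT)  # ImageBase, SectionAlignment, FileAlignment
    opt += b"\x00" * (opt_size - len(opt))
    table, body, raw_ptr, va = b"", b"", headers_end, 0x1000
    for name, content in sections:
        raw_size = _align(len(content))
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(content), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content + b"\x00" * (raw_size - len(content))
        raw_ptr += raw_size
        va += 0x1000
    head = dos + b"PE\x00\x00" + coff + opt + table
    return head + b"\x00" * (headers_end - len(head)) + body


def section_caves(pe):
    """Parse the section table and measure, per section, the zero-filled tail of
    its raw data (the cave a virus could use), alongside what the headers claim."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num = struct.unpack_from("<H", pe, pe_off + 6)[0]                # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]          # SizeOfOptionalHeader
    file_align = struct.unpack_from("<I", pe, pe_off + 24 + 36)[0]   # FileAlignment
    table = pe_off + 24 + opt_size
    out = []
    for i in range(num):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if raw_ptr + raw_size > len(pe):
            raise ValueError("section header points past the end of the file")
        data = pe[raw_ptr:raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "raw_ptr": raw_ptr,
            "raw_size": raw_size,
            "cave": len(data) - len(data.rstrip(b"\x00")),  # trailing zero bytes actually present
            "declared_slack": max(0, raw_size - vsize),     # unused bytes according to the headers
            "aligned": raw_size % file_align == 0,
        })
    return out


def select_victims(caves, loader_size):
    """The victim-file test from the text: only sections with a contiguous cave at
    least as large as the virus loader qualify."""
    return [c["name"] for c in caves if c["cave"] >= loader_size]


def suspicious_headers(caves):
    """Defender check: a raw size that is not a multiple of FileAlignment, or slack
    that the headers call unused but which holds non-zero bytes, points at a
    section that was edited after linking."""
    return [c["name"] for c in caves if not c["aligned"] or c["cave"] < c["declared_slack"]]


# Constructed sample: 100 bytes of "code" (412 bytes of slack) and 500 bytes of data (12 bytes).
SAMPLE = build_sample_pe([(b".text", b"\x55\x89\xE5\xC3" * 25), (b".data", b"\x41" * 500)])


def infected_sample(loader=b"\xEB\xFE" * 32):
    """Drop a 64-byte stand-in loader (assumed, not real code) into the largest cave
    without touching the headers: the file keeps its size, as the text says."""
    best = max(section_caves(SAMPLE), key=lambda c: c["cave"])
    pos = best["raw_ptr"] + best["raw_size"] - best["cave"]
    return SAMPLE[:pos] + loader + SAMPLE[pos + len(loader):]


if __name__ == "__main__":
    for c in section_caves(SAMPLE):
        print(c["name"], "cave bytes:", c["cave"])
    print("victims for a 64-byte loader:", select_victims(section_caves(SAMPLE), 64))
    print("tampered sections:", suspicious_headers(section_caves(infected_sample())))
```

The cave is measured from the bytes rather than taken from the headers, because the headers are exactly what the virus is free to edit; a section whose headers promise more unused space than the bytes show has been written into after linking. Counting trailing zeros also over-estimates a cave when a section legitimately ends in zero-initialised data, so a real scanner treats this as a hint, not a verdict.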
Because signature-based antivirus systems attempt to find viral code by looking for characteristic byte sequences in the executable, virus designers have adopted various techniques for disguising such sequences.

Encryption
Encrypting the viral code under a different key in each generation produces different ciphertexts, so a signature scanner cannot recognise the body; only the small decryption routine is left in the clear, so it in turn has to be varied.

Polymorphism
A polymorphic (from the Greek for “many formed”) virus is deliberately designed to have a large
number of variants of its code, all with the same basic functionality.

Code transposition
Swapping round the order of instructions (or whole blocks of instructions) and inserting extra jump instructions so that the original flow of control is preserved.
16 How Worms Spread
Worms are, according to our definition, pieces of software which reproduce themselves on hosts
in a network without explicitly infecting files. A worm typically consists of three parts:

Searcher: Code used to identify potential targets, i.e. other hosts which it can try to infect.
Propagator: Code used to transfer the worm to the targets.
Payload: Code to be executed on the target.

The payload is optional, and it may or may not have a damaging effect on the target. Some worms are just designed to investigate how worms can be spread, or actually have a useful function.

Worms with a malicious payload can have almost any effect on the target hosts. Some well-known examples are:

Exploiting a service on the targets: the Apache/mod_ssl worm (2002)
Website defacement on the targets: Perl.Santy (2004)
Installation of a keylogger to track the user's input: spyware
Installation of a backdoor
Breaches of confidentiality: LoveLetter (2000)
17 Searching for Targets:
The search for new targets can be based on information found locally on the host which the
worm is currently visiting, or it may be based on a more or less systematic search of the
network.
Searching through the network is usually based on port scanning, since propagation of the
worm depends on the presence of a suitable open port which can be contacted.

Propagating the Worm:


Once it has discovered its targets, the worm uses its chosen propagation technique to send itself to these new hosts and get its code executed on them.
The transmission of the worm is typically automatic, whereas its activation on the target host may involve a human user on that host.

Examples:

Email worm, LoveLetter (2000): the worm's executable arrived as a mail attachment, a Visual Basic script given a double extension so that it appeared to be a .txt file. If the user opened the attachment, the worm was activated on his system.

The CodeRed worm (2001) exploited a buffer overflow vulnerability in idq.dll, the Indexing Service ISAPI extension used by Microsoft's IIS server, which enabled the worm to take control of the thread which the server started to handle an incoming HTTP GET request. Essentially, the vulnerability allowed the worm to insert its own code into the thread's memory and redirect execution to it, a technique generally known as code injection.
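An added example (not from the original slides) of the searcher / propagator / payload structure and of target search by port scanning, written as a Python simulation over a constructed toy network rather than anything that touches a real host. The searcher picks random addresses, the propagator probes one assumed port and "infects" a host only if the flag marking it vulnerable is set (the exploit itself is deliberately abstracted away, since the slides describe none), and the same connection records the worm generates are then fed to a defender-side scan detector that flags any source contacting an unusually large number of distinct destinations in one round. Network size, probe counts and the fan-out threshold are all assumptions for the example.

```python
import random
from collections import defaultdict

PORT = 80   # assumption: the worm looks for one service; the port number is arbitrary


def make_network(rng, size=200):
    """Constructed toy network: address -> host state. Roughly half the addresses
    are unused (dark), which is what makes random scanning noisy."""
    net = {}
    for addr in range(size):
        if rng.random() < 0.5:
            net[addr] = {"open": rng.random() < 0.6,        # service listening on PORT
                         "vulnerable": rng.random() < 0.5,  # unpatched
                         "infected": False}
    return net


def searcher(rng, size, probes):
    """Target selection by systematic network search: random addresses, probed on PORT."""
    return rng.sample(range(size), probes)


def propagate(net, src, dst, log, rnd):
    """Probe dst; if a vulnerable service answers, copy the worm there. The exploit
    step is abstracted to a flag check; the page describes no exploit details."""
    host = net.get(dst)
    answered = host is not None and host["open"]
    log.append((rnd, src, dst, PORT, answered))       # one connection-log record
    if answered and host["vulnerable"] and not host["infected"]:
        host["infected"] = True
        return True
    return False


def run_worm(rng, net, size, rounds=6, probes=10):
    """Spread from one seed host for `rounds` generations; return the infected count
    after each round and the connection log the network would have seen."""
    log = []
    seed = next(a for a, h in net.items() if h["open"] and h["vulnerable"])
    net[seed]["infected"] = True
    counts = [1]
    for rnd in range(1, rounds + 1):
        for src in [a for a, h in net.items() if h["infected"]]:
            for dst in searcher(rng, size, probes):
                propagate(net, src, dst, log, rnd)
        counts.append(sum(h["infected"] for h in net.values()))
    return counts, log


def scan_sources(log, fanout=8):
    """Defender side: a source contacting more than `fanout` distinct destinations on
    one port within one round is a scanner. Returns {src: failed-connection ratio};
    worm scans also fail often, because many probed addresses are dark or closed."""
    dsts, total, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for rnd, src, dst, port, ok in log:
        dsts[(rnd, src, port)].add(dst)
        total[src] += 1
        failed[src] += not ok
    flagged = {src for (_, src, _), d in dsts.items() if len(d) > fanout}
    return {src: failed[src] / total[src] for src in sorted(flagged)}


if __name__ == "__main__":
    rng = random.Random(7)
    net = make_network(rng)
    counts, log = run_worm(rng, net, 200)
    print("infected hosts per round:", counts)
    print("scanners flagged (failure ratio):", scan_sources(log))
```

The two halves share the connection log on purpose: what makes the worm fast (many probes per generation, most of them into dark or closed addresses) is exactly what a fan-out or failed-connection detector keys on, so a worm that searches locally instead (address books, known peers) produces far fewer failed probes and slips under this particular check.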
18 How Botnets Spread
Botnets illustrate the specialised use of a worm or Trojan horse to set up a private
communication infrastructure which can be used for malicious purposes

Regardless of how the bot code is spread, the computers which it reaches almost always have to
sign up with a master server, after which they can be given orders. This means that the activities
associated with a botnet typically fall into four phases:

Searching: Search to find target hosts which look suitable for attack, typically because they appear
to have a known vulnerability or easily obtainable e-mail addresses which can be attacked by an e-
mail worm or Trojan horse.

Installation: The backdoor code is propagated to the targets, where an attempt is made to install the
code or persuade the user to do so, so that the targets become bots.
Sign-on: The bots connect to the master server and become ready to receive Command and Control
(C&C) traffic.
C&C: The bots receive commands from the master server and generate traffic directed
towards further targets.
Malware Prevention and Detection
Back up all useful data
The most reliable way to protect your data from being lost for good is to back it up, to a trusted and secure online backup provider or to offline media. Keep the backups versioned and disconnected from the machine they protect, so that ransomware cannot encrypt the backups along with the originals.

Update the operating system and the programs in use

Frequently checking for software updates and patches, and installing them promptly, closes the known vulnerabilities that malware relies on to get in.

Watch what you click

When browsing the Internet, it is easy to get lost in all the links and enticing features. When pop-up windows appear, don't just click the OK button, because that will often just take you to another pop-up. Also, don't install anything without reading its license agreement first.
Avoid using Internet Explorer
IE has inherent problems and vulnerabilities that allow malware to be installed merely by browsing a malicious website. Chrome is one of the more secure web browsers in the marketplace, and using an ad blocker such as Adblock Plus with Chrome is another good way to protect yourself from malware delivered through advertisements and pop-ups.
Install antivirus software
Look at reviews online to do sufficient research on the best antivirus software. It should scan and update regularly. Antivirus software helps to remove and prevent viruses, worms, Trojans and some spyware. It is important to note, however, that antivirus software will not recover your files if they are lost: the only measure that will really do that for you is backing up your data.

Install anti-spyware and anti-adware software

These should also scan and update regularly. They will remove and sometimes prevent future adware and spyware. Remember, each kind of malicious software does something different to your computer, so each often needs its own protection.
Malware Detection
Detection by Emulation
Detecting polymorphic or encrypted malware in general requires a more advanced technique than signature scanning.
A common method is to emulate the execution of the code under strictly controlled conditions. In the case of an encrypted virus this is often known as Generic Decryption (GD), as it uses the virus's own decryption routine to decrypt the body and reveal the true code, which can then be matched against signatures. Emulation has two basic problems: it is very slow, and it is not always 100% accurate (the emulator has to decide how long to run, and malware can stall or detect it).
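An added example (not code from the original slides) covering both the Encryption / Polymorphism / Code transposition techniques listed earlier and the Generic Decryption method just described. It is written against a constructed toy instruction set rather than a real CPU: the "virus body" is a byte string containing a known signature, each generation XOR-encrypts it under a fresh key behind a decryptor whose bytes vary (random key, junk instructions, NOP padding, swapped order of the two independent setup instructions), a plain signature scan fails on the result, and a bounded emulator then runs the sample's own decryptor and scans what it produces. The opcodes, payload and signature are all assumptions for the example.

```python
import random

# Constructed toy instruction set for the decryptor stub (assumption, not a real CPU):
OP_NOP, OP_SETKEY, OP_SETLEN, OP_XORLOOP, OP_JUNK = 0x00, 0x10, 0x11, 0x12, 0x20

PAYLOAD = b"\xCD\x80" + b"wipe-the-disk"   # constructed stand-in for the viral body
SIGNATURE = b"\x80wipe-the"                 # the bytes a signature scanner looks for


def make_variant(rng, key=None):
    """Produce one generation: the body XOR-encrypted under `key` (1..255, random if
    omitted), preceded by a decryptor whose bytes differ each time (polymorphism)
    through junk instructions, NOP padding and transposed setup order."""
    key = key or rng.randrange(1, 256)
    setup = [bytes([OP_SETKEY, key]),
             bytes([OP_SETLEN, len(PAYLOAD) & 0xFF, len(PAYLOAD) >> 8])]
    rng.shuffle(setup)                           # the two setup instructions are independent
    stub = b""
    for ins in setup:
        stub += bytes([OP_JUNK, rng.randrange(256)]) * rng.randrange(3) + ins
    stub += bytes([OP_NOP]) * rng.randrange(4) + bytes([OP_XORLOOP])
    return stub + bytes(b ^ key for b in PAYLOAD)   # decryptor falls through into the body


def scan(sample, signature=SIGNATURE):
    """Plain signature scan of the bytes as they are on disk."""
    return signature in sample


def emulate(sample, max_steps=256):
    """Generic decryption: execute the sample in a sandboxed interpreter of the toy
    ISA. When the decryptor falls through into the now-decrypted body, return that
    body; if the bytes are not a decryptor we understand, return them unchanged."""
    mem, pc, key, length = bytearray(sample), 0, 0, 0
    try:
        for _ in range(max_steps):               # step budget: emulation is slow, so bound it
            op = mem[pc]
            if op == OP_NOP:
                pc += 1
            elif op == OP_SETKEY:
                key, pc = mem[pc + 1], pc + 2
            elif op == OP_SETLEN:
                length, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
            elif op == OP_JUNK:
                pc += 2                          # writes a register nothing ever reads
            elif op == OP_XORLOOP:
                for i in range(pc + 1, min(pc + 1 + length, len(mem))):
                    mem[i] ^= key
                return bytes(mem[pc + 1:pc + 1 + length])
            else:
                break                            # unknown opcode: not our decryptor
    except IndexError:                           # ran off the end of the sample
        pass
    return bytes(sample)


def detect(sample):
    """Scanner with GD: try the raw bytes first, then the emulated image."""
    return scan(sample) or scan(emulate(sample))


if __name__ == "__main__":
    rng = random.Random(2020)
    a, b = make_variant(rng), make_variant(rng)
    print("raw scan:", scan(a), scan(b))
    print("with generic decryption:", detect(a), detect(b))
```

The two weaknesses named in the text are visible in the code: `max_steps` is the price paid for running untrusted code instruction by instruction, and the `else: break` branch is the accuracy gap, since any decryptor built from an operation the emulator does not model is returned unchanged and never gets scanned.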

Detection by Static Program Analysis

One promising technique for dealing with polymorphic viruses is the use of static program analysis to build up a control flow graph (CFG) for the executable being checked.
A CFG is a graph whose nodes correspond to the basic blocks of the program, where a basic block is a sequence of instructions with at most one control flow instruction (a call, a possibly conditional jump, etc.) which, if present, is the last instruction in the block, and whose edges correspond to the possible paths between the basic blocks. Because the graph captures structure rather than bytes, variants that differ only in junk instructions, encryption keys or instruction order tend to produce the same or a closely related graph.
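An added example (not from the original slides) of the CFG construction just defined: the Python below splits a toy assembly listing into basic blocks exactly as the definition says (a block ends at its one control-flow instruction or just before the next jump target), records the edges, and then normalises the graph by threading through blocks that consist only of an unconditional jump and renumbering blocks in depth-first order. Run on a constructed counting loop and on the same loop after code transposition (blocks reordered, extra jumps inserted), the two normalise to the same graph. The assembly syntax, mnemonics and listings are assumptions for the example.

```python
import re

COND_JUMPS = {"je", "jne", "jl", "jg"}   # toy conditional jumps (constructed syntax)


def parse(asm):
    """Parse a toy assembly listing into (label, mnemonic, operand) triples."""
    ins = []
    for line in asm.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        label = None
        m = re.match(r"(\w+):\s*(.*)", line)
        if m:
            label, line = m.group(1), m.group(2)
        op, _, arg = line.partition(" ")
        ins.append((label, op, arg.strip()))
    return ins


def build_cfg(asm):
    """Split the listing into basic blocks, keyed by the index of their first
    instruction. A block ends at the first control-flow instruction (jump, call,
    ret) or just before the next jump target. edges[start] lists successor block
    starts: fall-through first, taken branch second."""
    ins = parse(asm)
    target = {lab: i for i, (lab, _, _) in enumerate(ins) if lab}
    leaders = {0}
    for i, (_, op, arg) in enumerate(ins):
        if op == "jmp" or op in COND_JUMPS:
            leaders.add(target[arg])
        if op in ("jmp", "ret", "call") or op in COND_JUMPS:
            if i + 1 < len(ins):
                leaders.add(i + 1)
    starts = sorted(leaders)
    blocks, edges = {}, {}
    for k, s in enumerate(starts):
        end = starts[k + 1] if k + 1 < len(starts) else len(ins)
        blocks[s] = ins[s:end]
        _, op, arg = ins[end - 1]
        fall = [end] if end < len(ins) else []
        if op == "jmp":
            edges[s] = [target[arg]]
        elif op in COND_JUMPS:
            edges[s] = fall + [target[arg]]
        elif op == "ret":
            edges[s] = []
        else:
            edges[s] = fall
    return blocks, edges


def canonical_form(blocks, edges):
    """Thread through blocks that consist only of an unconditional jmp (the extra
    jumps a transposing virus inserts) and renumber blocks in depth-first order
    from the entry, so the result depends on control structure, not on layout.
    Each node is (id, count of non-jmp instructions, successor ids)."""
    def resolve(s, hops=0):
        body = blocks[s]
        if len(body) == 1 and body[0][1] == "jmp" and hops < len(blocks):
            return resolve(edges[s][0], hops + 1)
        return s

    ids, succs, stack = {}, {}, [resolve(0)]
    while stack:
        s = stack.pop()
        if s in ids:
            continue
        ids[s] = len(ids)
        succs[s] = [resolve(t) for t in edges[s]]
        stack.extend(reversed(succs[s]))           # visit the first successor first
    return tuple((ids[s], sum(op != "jmp" for _, op, _ in blocks[s]), tuple(ids[t] for t in succs[s]))
                 for s in sorted(ids, key=ids.get))


# Constructed listings: a counting loop, and the same loop after code transposition
# (blocks reordered, extra jmps inserted to restore the original flow of control).
ORIGINAL = """
L0: mov i, 0
L1: cmp i, 10
    je L3
    add s, i
    inc i
    jmp L1
L3: ret
"""

TRANSPOSED = """
L0: mov i, 0
    jmp L1
L4: add s, i
    inc i
    jmp L1
L3: ret
L1: cmp i, 10
    je L3
    jmp L4
"""

if __name__ == "__main__":
    a, b = canonical_form(*build_cfg(ORIGINAL)), canonical_form(*build_cfg(TRANSPOSED))
    print(a)
    print("same CFG after normalisation:", a == b)
```

The per-node instruction count still moves when a polymorphic engine pads blocks with nonsense instructions, and a four-node loop is a shape shared by countless benign programs, so a real system compares normalised instruction content inside the blocks as well as the graph; the point here is only that reordering and inserted jumps, which defeat a byte signature, leave this structural signature untouched.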

Thank You!!!
