
Malware

Computer Viruses, Worms, Trojan horses, Spyware
by
Himanshu
Outline

• Malware

– Viruses
– Worms
– Trojan horses
– Malicious mobile code
Malware
What is Malware?

• Malware refers to any software code written with the aim of degrading or
subverting the normal operation of a computer system. It is also referred
to as malicious code.

• Malware is a general term used by computer professionals for a variety of
forms of hostile, intrusive, or annoying software or program code.
Definitions

• A computer virus is a program that, when triggered by an action of the user
(typically running an infected host program), causes copies of itself to be
created.
• A computer worm is a program that causes copies of itself to be created
without any user intervention, usually by spreading over a network.
• A Trojan horse is a program that appears to do something useful but in
reality masks some hidden malicious functionality. It does not make copies
of itself.
• Malicious mobile code is a lightweight malicious program that is downloaded
from a remote system and executed with minimal intervention on the local
system.
• Spyware programs are commercially produced for the purpose of gathering
information about computer users, showing them pop-up ads, or altering
web-browser behaviour for the financial benefit of the spyware creator.
• A key logger intercepts the user's keystrokes while they enter a password,
credit card number, or other information that can be exploited. This lets a
malware creator profit by stealing sensitive information from the victim.
Virus
How does this work?

• A virus infects a host in two ways: by completely replacing a program (one
of the operating system's own programs or an application) or by attaching
itself to an existing program and altering its functionality.
• Once a virus has altered OS functionality, it can control many of the OS
processes that are running.
• There are two main phases in the lifecycle of a virus: Replication and
Activation.
• In the first phase, Replication, viruses typically remain hidden and do not
interfere with normal system functions. During this time, viruses actively
seek out new hosts to infect by attaching themselves to other software
programs or by infiltrating the OS.
• During the second phase, Activation, the gradual or sudden destruction of
the system occurs. Typically, the decision to activate is based on a trigger
condition such as a date, a time, the number of files infected so far, or
some other counter. The possible damage at this stage could include
destroyed data, software or hardware conflicts, space consumption, and
abnormal behaviour.
But, a computer virus is not inherently dangerous.

"Be afraid. Be very afraid." – The Fly, 1986
Virus Classification

Virus
– File virus
  – Executable file virus: the virus attaches itself to executables
    – Overwriting virus
    – Prepending virus
    – Appending virus
  – Document file virus: the virus is coded into macros(1) embedded in
    documents. Very popular since easy to write: no knowledge of the target
    machine is required, unlike in the case of executable file viruses.
– Boot sector virus: the virus affects the OS boot sector

(1) Macros are commands embedded in documents for enhancing the application
or automating some tasks. They are written in Visual Basic.
• Macro Viruses - To infect an application, macro viruses attach themselves
to the application's initialization sequence, for example an auto-executing
macro (such as AutoOpen or Document_Open in Word) or the global template that
every document loads. When the application or document is opened, the
virus's instructions execute before control is given to the application.
The virus then replicates itself, infecting more and more of the system.

• Macro viruses move from system to system through email, file sharing,
demo software, data sharing, and disk sharing.
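A macro virus needs exactly two things: an auto-executing hook into the application's initialization sequence and a way to copy itself or run commands. The following added example (not code from the original slides) is a small triage scanner that looks for both in VBA source text. It is a simplified stand-in for what a tool such as oletools' olevba does; the keyword lists, the two VBA samples and all names are constructed for the example.

```python
"""Triage a VBA macro's source for the two things a macro virus needs: an
auto-executing entry point (the 'initialization sequence' hook) and a way
to copy itself or run commands. Simplified stand-in for what a tool such as
oletools' olevba does; the VBA below is constructed for the example, not
extracted from a real document, and the keyword lists are illustrative."""
import re

# Procedures Word/Excel run automatically when a document or template opens/closes.
AUTOEXEC = ["AutoExec", "AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
            "AutoClose", "Auto_Close", "Document_Close", "AutoNew", "AutoExit"]

# Calls a self-replicating or payload-dropping macro typically needs.
SUSPICIOUS = {
    "NormalTemplate": "touches the global template (classic replication target)",
    "VBProject": "reads/writes the VBA project itself (self-copying code)",
    "OrganizerCopy": "copies macros between documents and templates",
    "Shell": "runs an external command",
    "CreateObject": "instantiates a COM object such as WScript.Shell",
    "Environ": "reads environment variables (e.g. %TEMP% for dropping a file)",
    "Kill": "deletes files",
}


def triage(vba_source):
    """Return a list of (kind, name) findings for the given VBA source text."""
    findings = []
    for name in AUTOEXEC:
        if re.search(r"\bSub\s+" + re.escape(name) + r"\s*\(", vba_source, re.IGNORECASE):
            findings.append(("autoexec", name))
    for kw in SUSPICIOUS:
        if re.search(r"\b" + re.escape(kw) + r"\b", vba_source, re.IGNORECASE):
            findings.append(("suspicious", kw))
    return findings


def verdict(findings):
    """Auto-exec hook AND replication/execution capability is the macro-virus pattern."""
    kinds = {kind for kind, _ in findings}
    if {"autoexec", "suspicious"} <= kinds:
        return "likely-macro-malware"
    return "review" if kinds else "clean"


# Constructed sample: the shape of a Word macro virus (hook Document_Open, copy the
# module into the global template so every later document inherits it, run a payload).
SAMPLE_MALICIOUS = '''
Private Sub Document_Open()
    On Error Resume Next
    Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="ThisDocument", _
        Object:=wdOrganizerObjectProjectItems
    Shell Environ("TEMP") & "\\update.exe", vbHide
End Sub
'''

# Constructed sample: an ordinary formatting macro with no hook and no dangerous calls.
SAMPLE_BENIGN = '''
Sub FormatReportTable()
    Selection.Tables(1).AutoFormat Format:=wdTableFormatGrid1
End Sub
'''


if __name__ == "__main__":
    for label, src in [("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)]:
        found = triage(src)
        print(label, verdict(found), found)
```

The verdict deliberately requires both kinds of finding: a `Shell` call on its own is common in legitimate automation, and an `AutoOpen` that only formats a table is harmless, but the combination is the replication pattern the slide describes. Real triage also has to extract the VBA from the OLE/OOXML container and handle obfuscated strings, which this toy ignores.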
Steps in Normal Program Execution

1. Main memory (volatile) is empty at the beginning; only the BIOS code in
ROM (non-volatile) is present.
2. The BIOS locates the OS on the hard disk (non-volatile) and copies it into
memory, starting at address 0x0.
3. The OS locates the program to be executed (Program A) and copies it into
memory.
4. Program A starts executing. Executing programs use the OS to perform
standard functions such as reading and writing files.

FAT : the File Allocation Table stores the location of all files on the
system. It is maintained by the OS.
Virus Infection Mechanism

1. An infected program (Program A + virus), arriving from an infected floppy
disk or an email attachment, enters memory and is executed, so the virus
code runs.
2. The virus searches for a suitable program to infect (Program B). The virus
makes use of OS constructs to search for target files, copy them, etc.
3. The virus copies the target program B from the hard disk into main memory.
4. The virus copies itself into the target program in memory (B + virus).
5. The virus copies the infected target program back to the disk. When
program B is executed, it in turn infects a new file.
Virus Infecting a File

Program A (clean): 1st instruction, 2nd instruction, ..., End program A

Program A infected with an (appending) virus:
– The 1st instruction of Program A is replaced by a Jump to the virus code.
– The virus code is appended after "End program A", followed by the saved
original 1st instruction and a Jump back to the 2nd instruction of
Program A.

In the execution of the infected program, the virus is executed before
Program A, and the correct sequence of instruction execution in Program A
is maintained.
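The jump-and-return layout above, together with the overwriting and prepending variants from the classification slide, is easiest to see on a toy program. The following is an added example (not code from the original slides): a tiny interpreter whose "executables" are lists of instruction strings, plus one infector per layout and a disinfector for the appending case. The instruction set, the `VIRUS_MARK` payload and the host program are all assumptions made for this example; nothing here touches real binaries.

```python
"""Toy model of the file-infection layouts from the classification slide
(overwriting, prepending, appending). Educational simulation only: the
"executables" are Python lists of instruction strings run by a tiny
interpreter, nothing here touches real binaries.

Instruction set (assumed for this toy):
  "out <text>"   append <text> to the program's output
  "jmp <index>"  continue at instruction <index> (absolute, like a real jump)
  "end"          stop
"""

VIRUS_MARK = "out VIRUS-RAN"   # the virus's only 'payload'; also its signature


def run(program, max_steps=100):
    """Execute a toy program; return (output, list of executed instruction indices)."""
    out, trace, pc = [], [], 0
    for _ in range(max_steps):
        trace.append(pc)
        op, _, arg = program[pc].partition(" ")
        if op == "out":
            out.append(arg)
            pc += 1
        elif op == "jmp":
            pc = int(arg)
        elif op == "end":
            return out, trace
        else:
            raise ValueError(f"bad instruction {program[pc]!r}")
    raise RuntimeError("step limit exceeded (infinite loop?)")


def is_infected(program):
    return VIRUS_MARK in program


def infect_append(program):
    """Appending virus, the layout of the 'Virus Infecting a File' slide:
      [0]      jmp <virus start>   (overwrites the host's first instruction)
      [1..n-1] rest of the host, unchanged and at the same indices
      [n]      virus payload
      [n+1]    saved original first instruction
      [n+2]    jmp 1               (back to the host's second instruction)
    The host keeps working, so the infection is not noticed by the user."""
    if is_infected(program):
        return list(program)   # real viruses also check a marker to avoid re-infecting
    virus_start = len(program)
    return ["jmp %d" % virus_start] + program[1:] + [VIRUS_MARK, program[0], "jmp 1"]


def infect_prepend(program):
    """Prepending virus: the payload goes first and falls through into the host.
    Every absolute jump in the host now points one slot too early and must be
    relocated, which is one reason appending is the more popular layout."""
    if is_infected(program):
        return list(program)
    relocated = []
    for ins in program:
        op, _, arg = ins.partition(" ")
        relocated.append("jmp %d" % (int(arg) + 1) if op == "jmp" else ins)
    return [VIRUS_MARK] + relocated


def infect_overwrite(program):
    """Overwriting virus: the host is simply destroyed; the easiest to write and
    the easiest to notice, because the program stops doing its job."""
    return [VIRUS_MARK, "end"]


def disinfect_append(program):
    """Undo infect_append(): restore the first instruction and drop the tail."""
    if not is_infected(program):
        return list(program)
    v = program.index(VIRUS_MARK)
    return [program[v + 1]] + program[1:v]


if __name__ == "__main__":
    host = ["out hello", "jmp 3", "out never", "out world", "end"]   # constructed host
    for name, fn in [("clean", lambda p: p), ("append", infect_append),
                     ("prepend", infect_prepend), ("overwrite", infect_overwrite)]:
        out, trace = run(fn(host))
        print(f"{name:9s} output={out} trace={trace}")
```

Running it shows the trace the slide describes for the appending case: index 0 jumps to the virus, the virus runs, the saved first instruction runs, and execution resumes at index 1 with the host's output unchanged. The prepending variant only works because the toy relocates the host's jumps; in a real executable that means fixing up relocations and the entry point, which is more work than the appending layout needs.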
• Polymorphic - A polymorphic virus is an encrypted virus whose decryption
routine is itself rewritten on every infection. Because the virus body is
stored encrypted under a different key each time, and the decryptor that
precedes it bears little resemblance to earlier decryptors, the virus's
signature (its binary pattern) changes every time it replicates and infects
a new file, which keeps it from being detected by a simple signature-based
anti-virus program. Encrypting the body alone is not enough: a constant
decryptor would itself become the signature.
• There are three main components of a polymorphic virus: a scrambled
(encrypted) virus body, a decryption routine, and a mutation engine.
The process of a polymorphic infection is:
– The decryption routine first gains control of the computer and then
decrypts both the virus body and the mutation engine.
– The decryption routine transfers control of the computer to the virus,
which locates a new program to infect.
– The virus makes a copy of itself and the mutation engine in RAM.
– The virus invokes the mutation engine, which randomly generates a new
decryption routine capable of decrypting the virus yet bearing little or no
resemblance to any prior decryption routine.
– The virus encrypts the new copy of the virus body and mutation engine.
– The virus appends the new decryption routine, along with the newly
encrypted virus and mutation engine, onto a new program.
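To see why the mutation engine matters, and what a scanner can do about it, here is an added example (not code from the original slides) of a toy polymorphic engine with two scanners. The "virus body" is a constant byte string, the decryptor is a program for a one-register toy machine, and the instruction encoding, `VIRUS_BODY`, `SIGNATURE` and the seed are all assumptions made for this example. A plain byte-signature scan misses every generation; a scanner that emulates the sample's own decryptor and then scans the result catches all of them.

```python
"""Toy polymorphic engine plus two scanners. Educational simulation only:
the 'virus body' is a constant byte string, not code, and the decryptor
is a program for a tiny one-register machine, not machine code.

Infected 'file' layout: [decryptor stub][virus body XOR-encrypted with KEY]
Stub instruction set (assumed for this toy):
  0x01 k   KEY = k                   0x02 k   KEY = (KEY + k) mod 256
  0x03 k   KEY = (KEY - k) mod 256   0x90     nop (junk)
  0xFF     decrypt everything after this byte with KEY and run it
"""
import random

SET, ADD, SUB, NOP, RUN = 0x01, 0x02, 0x03, 0x90, 0xFF

# Constructed stand-in for the virus body; the scanner's signature is a slice of it.
VIRUS_BODY = b"TOY-VIRUS-BODY:find-host;copy-self;mutate;append"
SIGNATURE = VIRUS_BODY[:16]


def xor(data, key):
    return bytes(b ^ key for b in data)


def mutation_engine(rng, key):
    """Emit a random decryptor stub that leaves KEY == key when it reaches RUN.
    Junk ops and a random walk of ADD/SUB make every stub look different."""
    start = rng.randrange(256)
    stub, cur = bytearray([SET, start]), start
    for _ in range(rng.randrange(2, 6)):
        op = rng.choice([ADD, SUB, NOP])
        if op == NOP:
            stub.append(NOP)
            continue
        k = rng.randrange(256)
        stub += bytes([op, k])
        cur = (cur + k) % 256 if op == ADD else (cur - k) % 256
    stub += bytes([ADD, (key - cur) % 256, RUN])   # final correction to the real key
    return bytes(stub)


def make_generation(rng):
    """One infection: new key, new decryptor, body re-encrypted under that key."""
    key = rng.randrange(1, 256)
    return mutation_engine(rng, key) + xor(VIRUS_BODY, key)


def generation(seed):
    """Convenience: a single reproducible generation for a given seed."""
    return make_generation(random.Random(seed))


def emulate_decryptor(sample):
    """Run the stub on the toy machine; return the decrypted body, or None if the
    bytes are not a well-formed stub (i.e. probably not this virus at all)."""
    key, i = 0, 0
    while i < len(sample):
        op = sample[i]
        if op == RUN:
            return xor(sample[i + 1:], key)
        if op == NOP:
            i += 1
            continue
        if op not in (SET, ADD, SUB) or i + 1 >= len(sample):
            return None
        k = sample[i + 1]
        key = k if op == SET else (key + k) % 256 if op == ADD else (key - k) % 256
        i += 2
    return None


def static_scan(sample):
    """Classic byte-signature scan: looks for the plaintext body."""
    return SIGNATURE in sample


def emulating_scan(sample):
    """Let the sample's own decryptor run (in emulation), then scan the result."""
    body = emulate_decryptor(sample)
    return body is not None and SIGNATURE in body


def demo(seed=1, generations=5):
    rng = random.Random(seed)                       # fixed seed: reproducible demo
    samples = [make_generation(rng) for _ in range(generations)]
    return {
        "all_distinct": len(set(samples)) == generations,
        "static_hits": sum(static_scan(s) for s in samples),
        "emulation_hits": sum(emulating_scan(s) for s in samples),
    }


if __name__ == "__main__":
    print(demo())
```

The emulating scanner works here because the toy decryptor is trivially well-formed; real engines fight back with anti-emulation tricks (long junk loops, environment checks), which is why modern products combine emulation with heuristics on the decryptor's structure rather than relying on any one technique.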
Stealth Viruses
• Stealth viruses attempt to hide their presence from both the OS and the
antivirus software by:
– Hiding the change in the file's date and time
– Hiding the increase in the infected file's size
– Intercepting file reads so that the original, uninfected contents are
returned to whatever inspects the file (a memory-resident stealth virus
hooks the OS file-access services to do this)
– Encrypting themselves
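The first two tricks above defeat any integrity check that only compares size and timestamps, which is the practical point of this slide. The following added example (not code from the original slides) baselines a scratch file, then modifies it the way a stealth virus would, restoring size and mtime, and reports which checks still notice. It uses only the Python standard library; the file name and contents are constructed for the example.

```python
"""Integrity check that a stealth virus's size/timestamp tricks do not defeat.
Added example: builds a scratch file, records a baseline, then modifies the
file the way the slide describes (content changed, size and mtime restored)
and shows which checks still notice. Standard library only; the file content
and name are constructed for the example."""
import hashlib
import os
import tempfile


def fingerprint(path):
    """Everything a simple integrity checker might record about a file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def compare(baseline, current):
    """Which checks would flag the file: metadata only, or actual content."""
    return {
        "metadata_changed": (baseline["size"] != current["size"]
                             or baseline["mtime_ns"] != current["mtime_ns"]),
        "content_changed": baseline["sha256"] != current["sha256"],
    }


def stealth_modify(path, new_content):
    """Overwrite the file but keep its original size and timestamps, i.e. the two
    things the 'Stealth viruses' slide says a virus hides. Size is kept by
    truncating or zero-padding the new content; atime/mtime are put back with
    utime(). (ctime cannot be reset this way, so a checker that records it has
    one more chance.)"""
    st = os.stat(path)
    data = new_content[:st.st_size].ljust(st.st_size, b"\0")
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Baseline a clean file, apply the stealth modification, return compare()."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "program.bin")
        with open(target, "wb") as f:
            f.write(b"ORIGINAL PROGRAM CODE ......................")   # constructed content
        baseline = fingerprint(target)
        stealth_modify(target, b"JMP VIRUS;ORIGINAL PROGRAM CODE")
        return compare(baseline, fingerprint(target))


if __name__ == "__main__":
    print(demo())   # metadata_changed False, content_changed True
```

The caveat that goes with the third bullet: if the stealth virus is memory-resident and hooks file reads, the checker itself is handed the clean bytes and the hash matches too. Hash baselines are only trustworthy when both the baseline and the later verification are done from a system the virus is not running on, for instance from clean boot media or a separate host that mounts the disk read-only.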
Worm
• Instead of attaching themselves to a single host program and then
replicating like viruses, worms are malicious self-replicating programs
designed to infect multiple remote computers, often in order to deliver a
destructive payload. Worms attack a network by moving from device to device,
typically by exploiting a vulnerable network service or abusing a trust
relationship, without needing a user to run anything.
• Worms are constructed to infiltrate legitimate data-processing programs and
alter or destroy data. Most worms can infect and corrupt files, degrade
overall system performance and security, steal sensitive user information,
or install other dangerous parasites such as backdoors or Trojans. Because
of their self-replicating nature, unchecked worms can be exceptionally
dangerous to networking infrastructure: the propagation traffic alone can
saturate links before the payload does anything.
Virus and Worm Examples
• Chernobyl
• Explore.Zip
• LoveLetter
• Melissa Virus
• Nimda Virus
• Pretty Park
• BugBear
• Klez
Trojan and Backdoors
How does this work?

• A Trojan is a program that performs functions unwanted by the target. The
three accepted definitions of a Trojan horse are:
– An unauthorized program contained within a legitimate program that
performs functions unknown and unwanted by the user
– A legitimate program that has been altered by the placement of
unauthorized code within it and that performs functions unknown and
unwanted by the user
– Any program that appears to perform a desirable and necessary function
but that, because of hidden and unauthorized code, performs functions
unknown and unwanted by the user.
• A backdoor is the hidden functionality most often delivered this way: it
gives the attacker remote access to the system that bypasses the normal
authentication.
Thanks
