L02 - Malicious Code (Malware) - Print

Malicious code, also known as malware, refers to any code added, changed, or removed from a software system to intentionally cause harm or subvert the intended function of the system. Malware can take many forms such as viruses, worms, Trojan horses, rabbits, and more. While traditionally malware targeted one specific function, modern malware is often "multifunctional" and more complicated, targeting end users through web-based attacks in order to steal financial information or use infected computers for malicious purposes. The rise of malware is influenced by trends like growing computer connectivity, system complexity, and the ability to easily extend systems through mobile code and modules.

Introduction to Malicious Code (Malware)
EDA 263 – Computer Security

Original Slides: Erland Jonsson
Changes by Magnus Almgren
http://www.zdnetasia.com/malware‐link‐to‐air‐crash‐inconclusive‐62202513.htm
Malicious code - some observations
Malicious code is any code added, changed or removed from a software system in order to intentionally cause harm or subvert the intended function of the system.

• "If you let somebody else execute code on your computer, then it is not your own computer"
– User convinced to run a program, maybe done indirectly by just inserting a USB memory (CD/DVD) into the computer,
– User/system running a program (e.g. web browser) with a vulnerability that can be taken advantage of,
– …
• Malicious code can be many things: viruses, worms, Trojan horses, rabbits, etc.
• Note that from a technical/scientific viewpoint: malicious code is "normal" code!!
• Thus: the malware problem is a software problem.
Malicious Code (2)
• Many users say: I would never download unsecure content!
• But what type of content is safe?
Targeted attacks
• 48% of exploits target Adobe Acrobat / Adobe Reader
• Adobe begins a quarterly patch cycle
• Health Check statistics show that Adobe Reader is among the top unsecured applications
Malicious code - some recent trends
• Previously malware was normally of one specific kind. Nowadays, it is "multifunctional" and complicated.
– Malware is targeting end users through Web-based attacks (Symantec Internet Security Report xiv)
• Most viruses today are non-destructive. Rather, they try to take control over your computer to
– collect financial information, or
– use it for malicious purposes, turning it into a zombie, e.g. to distribute spam (the claim is that 70% of all email is spam).
• All kinds of malware tend to be called "virus".
– Bagle, Mydoom, Netsky, Sasser, Kargo and Sober (2004)
– Conficker (2009)
Latest Threats

http://www.pandasecurity.com/homeusers/security‐info/default.aspx?lst=ul (100831)
Most Active Viruses

http://www.pandasecurity.com/homeusers/security‐info/default.aspx?lst=ac (100831)
http://mtc.sri.com/live_data/binaries/
Malicious code - reasons for increase
A few trends that largely influence the wide spread of malicious code:
• Growing number and connectivity of computers
– "everybody" is connected and dependent on computers
– the number of attacks increases
– attacks can be launched easily (automated attacks)
• Growing system complexity
– unsafe programming languages
– heterogeneity
– hiding code is easy
– verification and validation are impossible (let alone proofs)
• Systems are easily extensible
– mobile code, dynamically loadable modules
– incremental evolution of systems
Types of Malicious code (1)
• Traditional virus (1982)
– attaches to existing program code
– intervenes in normal execution
– replicates and propagates
• Document virus (macro virus)
– highly formatted documents include commands (+data)
• Stealth virus (and rootkits)
– hides the modifications it has made in the system, normally by monitoring system calls and forging the results of such calls
• Polymorphic virus
– avoids virus scanners by producing multiple variants of itself or encrypting itself.
[Figure: Virus Surrounding a Program. Physically: Virus Code (a), Original Program, Virus Code (b). Logically: Virus Code, Original Program, Virus Code. Pfleeger: p. 115 (119)]
[Figure: Virus Integrated into a Program. Original Program → Modified Program with Virus Code inserted. Pfleeger: p. 115 (120)]
[Figure: Boot Sector Virus Relocating Code. Before infection: Boot Sector: Bootstrap Loader → chain → Other Sectors: System Initialization. After infection: Boot Sector: Virus Code → chain → Bootstrap Loader (relocated to other sectors) → chain → System Initialization. Pfleeger: p. 119 (123)]
[Figure: Phases of viral action. Entry into System → Dormancy → Triggering Condition → Propagation (New Viruses) and Action (Damage).]
Types of Malicious code (2)
• Hoax virus
– is no virus at all. It is an email with a bogus warning.
• Rabbit (or bacteria, greedy programs)
– is a virus (or worm) that replicates without bounds, thus exhausting some computing resource. Does not spread to other systems (thus attacking availability only).
• Worm (1975, 1982)
– is a stand-alone program that replicates and spreads copies of itself via the network. Non-trivial to make.
• Trojan Horse
– is a "normal" program that contains some hidden functionality that is unwanted by the user.
Hoax virus
----- Original Message -----
From: *** ********* <***@**.*****.***>
To: ***** ********* <**********@*****.***>
Sent: Wednesday, October 25, 2008 5:12 PM
Subject: Virus Warning

IMPORTANT, URGENT - ALL SEEING EYE VIRUS !

PASS THIS ON TO ANYONE YOU HAVE AN E-MAIL ADDRESS FOR.

If you receive an email titled "*********" DO NOT OPEN IT ! It will erase everything on your hard drive. This information was announced yesterday morning from IBM, FBI and Microsoft states that this is a very dangerous and malicious virus, much worse than the "I Love You," virus and that there is NO remedy for at this time. Some very sick individual has succeeded in using the reformat function from Norton Utilities causing it to completely erase all documents on the hard drive. It has been designed to work with Netscape Navigator and Microsoft Internet Explorer. It destroys Macintosh and IBM compatible computers. This is a new, very malicious virus and not many people know about it. Pass this warning along to EVERYONE in your address book and please share it with all your online friends ASAP so that this threat may be stopped. Please practice cautionary measures and tell anyone that may have access to your computer. Forward this warning to everyone that might access the Internet.
Signature (Code Red Worm)
• Uses an unchecked buffer in a section of code that handles the input of the URLs:
• GET/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u909
0%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78
01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8
190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0
000%u00=a HTTP/1.0

Sans: http://www.sans.org/resources/malwarefaq/code‐red.php ; Pfleeger: p. 120 (124)
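A log-side detector for the signature above, added here as an example (it is not code from the slides, SANS or Pfleeger). It scans Common Log Format lines for a /default.ida request whose query is a long run of one repeated letter followed by %uXXXX escapes; the sample log lines, the client addresses and the 100-repeat / 3-escape thresholds are constructed for this example, and the 'X' filler is accepted because the Code Red II variant used it.

```python
import re
from typing import Dict, List, Optional
# Code Red probed /default.ida with a long filler of one repeated letter
# ('N' in the original worm, 'X' in the Code Red II variant) followed by a
# run of %uXXXX escapes. The thresholds below are this example's own choice.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
_FILLER_RE = re.compile(r'^([A-Za-z])\1{99,}')      # >= 100 repeats of one letter
_UESCAPE_RE = re.compile(r'%u[0-9A-Fa-f]{4}')

def classify_request(target: str) -> Optional[Dict[str, object]]:
    """Return a finding if the request-target matches the Code Red pattern,
    otherwise None (ordinary requests to /default.ida are not flagged)."""
    path, _, query = target.partition("?")
    if path.lower() != "/default.ida":
        return None
    filler = _FILLER_RE.match(query)
    escapes = _UESCAPE_RE.findall(query)
    if filler and len(escapes) >= 3:
        return {"filler_char": filler.group(1).upper(),
                "filler_len": len(filler.group(0)),
                "unicode_escapes": len(escapes)}
    return None

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify_request over Common Log Format lines; attach the client IP."""
    findings = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        finding = classify_request(m.group("target")) if m else None
        if finding:
            finding["client"] = line.split()[0]
            findings.append(finding)
    return findings

# Constructed sample log (not real traffic). Line 2 carries the query string
# from the slide; line 3 is a harmless request to the same path.
CODE_RED_QUERY = ("N" * 224
                  + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
                  + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003"
                  + "%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.7 - - [19/Jul/2001:10:01:05 +0000] "GET /default.ida?'
    + CODE_RED_QUERY + ' HTTP/1.0" 400 0',
    '10.0.0.8 - - [19/Jul/2001:10:02:00 +0000] "GET /default.ida?q=test HTTP/1.0" 404 0',
]
if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```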
Trojan Horse Example
http://home.mcafee.com/AdviceCenter/most‐dangerous‐celebrities

Dangerous People (!!!)
"Cameron Diaz" searches yield a ten percent risk of landing on a malicious site
Types of Malicious code (3)
• Logic bomb
– malware that triggers on a condition and "detonates"
• Time bomb
– malware that triggers on a time condition and "detonates"
• Trap door (Back door)
– is an undocumented and unknown (to the user) entry point to a system,
– normally inserted during the system design phase, and
– could be put there for a useful purpose (trouble shooting, testing, maintenance) but left by mistake.
• Salami attack
– achieving some economic benefit by making a large number of insignificant changes, e.g. rounding errors.
Types of Malicious Code
Code type                          Characteristics
Virus                              Attaches itself to a program and propagates copies of itself to other programs (1980s)
Trojan horse                       Contains unexpected, additional functionality
Logic bomb                         Triggers action when condition occurs
Time bomb                          Triggers action when specified time occurs
Trapdoor, backdoor                 Allows unauthorized access to functionality
Worm                               Propagates copies of itself through a network, replicating, stand-alone (1975, 1982)
Rabbit, bacteria, greedy program   Replicates itself without limit to exhaust a resource (compare flooding denial-of-service attack)
Salami attack                      Uses seemingly inconsequential data; example: fractions of cents when calculating interest for bank accounts accumulated into the hacker's account. Each account owner would not notice, but the sum of many small pieces is a significant amount.
Stallings: p. 217; Pfleeger: p. 112 (117)
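The salami row of the table worked through in code, as an added example (not from the slides, Stallings or Pfleeger): interest is credited to a constructed ledger once with honest rounding and once with the truncated fractions of a cent collected into a hypothetical account X99999, and two controls are run over both results. The account names, balances, rate and the one-cent exception threshold are this example's own assumptions.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN
import random

CENT = Decimal("0.01")

def credit_interest(balances, rate, rounding=ROUND_HALF_EVEN, skim_to=None):
    """Return {account: interest credited}. With rounding=ROUND_DOWN and a
    skim_to account, the fraction of a cent dropped from every customer is
    accumulated into skim_to: the pattern the table calls a salami attack."""
    paid, residue = {}, Decimal(0)
    for acct, bal in balances.items():
        exact = bal * rate
        paid[acct] = exact.quantize(CENT, rounding=rounding)
        residue += exact - paid[acct]
    if skim_to is not None:
        paid[skim_to] = residue.quantize(CENT, rounding=ROUND_DOWN)
    return paid

def totals_reconcile(balances, rate, paid):
    """Ledger-level control: total credited must equal total due, within the
    half-cent-per-account slack that honest rounding itself needs."""
    due = sum(b * rate for b in balances.values())
    slack = Decimal("0.005") * len(balances)
    return abs(sum(paid.values()) - due) <= slack

def per_account_exceptions(balances, rate, paid):
    """Recompute every credit from its own balance; anything more than one
    cent away from the expected value (including a credit to an account
    that holds no balance at all) is reported as an exception."""
    bad = {}
    for acct, amt in paid.items():
        expected = (balances.get(acct, Decimal(0)) * rate).quantize(CENT)
        if abs(amt - expected) > CENT:
            bad[acct] = amt - expected
    return bad

# Constructed sample ledger: 5,000 accounts with balances in whole cents.
rng = random.Random(2010)
BALANCES = {f"C{i:05d}": Decimal(rng.randrange(100, 5_000_000)) / 100
            for i in range(5000)}
RATE = Decimal("0.0025")          # one month of interest at 3% per year
HONEST = credit_interest(BALANCES, RATE)
SKIMMED = credit_interest(BALANCES, RATE, rounding=ROUND_DOWN, skim_to="X99999")
if __name__ == "__main__":
    print("honest  reconciles:", totals_reconcile(BALANCES, RATE, HONEST))
    print("skimmed reconciles:", totals_reconcile(BALANCES, RATE, SKIMMED))
    print("skim account got:", SKIMMED["X99999"])
    print("exceptions:", per_account_exceptions(BALANCES, RATE, SKIMMED))
```

Both ledgers pass the totals check, which is exactly why the attack goes unnoticed at the balance-sheet level; only the per-account recomputation singles out X99999, whose credit has no balance behind it.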
Hardware Tampering
• So far, we have only discussed problems in software.
• Tampering can also happen in the hardware, where the vulnerability or the Trojan horse is permanently etched into the component.
• The supply chain is becoming global, and the very complex components are made all over the world, which makes it difficult to control the process.
• Can you really trust your computer?
Mobile code
Examples
• Attack script
– JavaScript, VisualBasic scripts, …
• Java applets
• ActiveX control
– is a Microsoft version of a Java applet, and
– is much more powerful than the Java applet.
– ActiveX controls are extremely dangerous if used for malicious purposes.

Stallings: p. 219
Drive-by Downloads
• Download of malware through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever. (Wikipedia)
• Pwn2Own 2009: hacking contest targeting browsers
– Firefox, Safari, Internet Explorer hacked immediately.
– Google Chrome had a problem but could not be hacked.

http://research.google.com/archive/provos‐2008a.pdf
http://arstechnica.com/security/news/2009/03/chrome‐is‐the‐only‐browser‐left‐standing‐in‐pwn2own‐contest.ars
Drive-by Downloads
An Example (6)
[Figure: Company A → Ad + Malicious Code → Company B]