
Module 5and6

Malicious software, or malware, refers to software that is intended to damage or disable computers. This document defines and describes different types of malware, including viruses, worms, Trojan horses, spyware, adware, and ransomware. Viruses attach themselves to other programs while worms can spread independently across networks. Trojan horses masquerade as useful programs to gain access and steal information. Spyware and adware track users' activities and display advertisements without consent. Ransomware encrypts users' data and demands payment to regain access.

Uploaded by

JAYANTH KORRA

Malicious Software

Dr. Kamalakanta Sethi


Malicious Software
● Malware is a combination of the words “Malicious” and “Software”.
● It’s an umbrella term describing any software that is used to cause harm or to
steal/breach data.
● Different kinds of Malware
○ Virus
○ Worms
○ Adware
○ Spyware
○ Trojan Horses etc
Malware
Abstract
● MALWARE is Malicious Software.
● Examples: adware, spyware, virus, worm, ransomware.
● Malware can:
▪ allow cybercriminals to get into other people’s computers without their
permission
▪ steal personal information
▪ delete files
▪ steal software serial numbers
● According to AV-Test (March 2017), the total number of malware samples has been increasing
exponentially since 2008.
● Because of this increase, it is necessary to detect these files before they cause harm.
Virus
● A virus is a program or code that can replicate itself and pass on malicious code to
other non-malicious programs by modifying them. A virus cannot spread without a
human action such as running the infected program.
● A good program can be modified to include a copy of the virus program, so the
infected good program itself begins to act as a virus.
● There are two broad categories of virus:
○ A transient virus has a life span that depends on the life of its host; the virus runs when
the program to which it is attached executes, and it terminates when the attached
program ends.
○ A resident virus locates itself in memory; it can then remain active or be activated as a
stand-alone program, even after its attached program ends.
○ (A resident virus saves itself in the memory of the computer and then infects other files and
programs even when its originating program is no longer running. It can easily infect
other files because it is hidden in memory, and it is hard to remove from the
system.)
Computer Virus Symptoms
You may have a computer virus if you notice any of the following:
○ Your computer is slow (including slow to start up and to open programmes)
○ Issues shutting down or restarting
○ Missing files
○ Frequent system crashes and/or error messages
○ Malfunctioning antivirus programmes
○ Unexpected pop-ups
○ Emails sent autonomously from your account.
How does a computer get a virus?
● Sharing music, files, or photos with other users
● Visiting an infected website
● Opening spam email or an email attachment
● Downloading free games, toolbars, media players and other system utilities
● Installing mainstream software applications without thoroughly reading license
agreements
Virus Life Cycle Phases
Dormant Phase:
The virus won’t self-replicate, nor will it delete, capture or modify data on the infected computer. The
dormant phase lives up to its name by keeping the virus dormant and inactive.
Propagation Phase:
During the propagation phase, viruses create copies of their malicious code, which they store on other
parts of the infected computer’s disk drive.
Trigger Phase:
The third phase in a virus’s infection cycle is the trigger phase. The trigger phase involves activation.
Viruses aren’t considered active until they enter the trigger phase. Upon entering the trigger phase, viruses are
activated to perform their malicious activities. Once the virus has self-replicated 100 times, it enters the
trigger phase.
Execution Phase:
The fourth and final phase of a virus’s infection is the execution phase. The execution phase involves the
release of a payload. Every virus has a payload: the malicious code that’s designed to harm or
otherwise negatively affect the targeted computer. Some payloads delete data. Others cause unwanted
pop-ups or advertisements.
Virus Life Cycle (figure)
Attached Virus, Virus surrounding a Program, Integrated Virus (figures)
Worm
● A computer worm is a standalone malware computer program that replicates itself in
order to spread to other computers (law of exponential growth).
● The biggest danger with a worm is its capability to replicate itself on your system, so
rather than your computer sending out a single worm, it could send out hundreds or
thousands of copies of itself, creating a hugely devastating effect. One example would be
for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the
worm replicates and sends itself out to everyone listed in each of the receivers’ address
books, and the process continues on down the line.
● Due to the copying nature of a worm and its capability to travel across networks, the end
result in most cases is that the worm consumes too much system memory (or network
bandwidth), causing web servers, network servers, and individual computers to stop
responding.
● Worms spread from computer to computer, but unlike a virus a worm has the capability to travel
without any human action.
Trojan Horse
● A Trojan horse at first glance looks like a useful or genuine piece of software but will actually do
damage once installed or run on your computer.
● One of the critical characteristics of a Trojan is that it cannot replicate itself like a virus (it also
cannot reproduce by infecting other files) or a worm; a user has to install it themselves.
● Once installed, Trojan horse software can steal the user’s important information. For
example, Trojan horse software can observe the e-mail ID and password entered in a web
browser while logging in.
● Trojans are also known to create backdoors on your computer that give malicious users
access to your system, possibly allowing confidential or personal information to be
compromised.
● Some Trojan horses are designed to be merely annoying (changing your desktop, adding
silly active desktop icons, causing pop-up windows), while others can cause serious damage by
deleting files or destroying information on your system.
Virus vs Worm
● Computer viruses generally require a host program. The virus writes its own code into
the host program. When the program runs, the written virus code is executed first,
causing infection and damage (such as deleting files from the computer system).
● A virus has self-replicating power and can’t be controlled remotely.
● A computer worm does not need a host program, as it is an independent program or
code chunk. Therefore, it is not restricted by a host program, but can run
independently and actively carry out attacks. In other words, a worm is also a computer
program like a virus, but it does not modify the program. It replicates itself more and
more to slow down the computer system. Worms can be controlled remotely.
● Worms have self-replicating power and can be controlled remotely.
Virus vs Worm vs Trojan Horse
● Definition: A virus is a software or computer program that attaches itself to another piece of
software. A worm replicates itself to slow down the computer system. A Trojan horse, rather than
replicating, captures important information about a computer system or a computer network.
● Replication: A virus replicates itself. Worms also replicate themselves. A Trojan horse does not
replicate itself.
● Remote control: A virus can’t be controlled remotely. Worms can be controlled remotely. Like
worms, a Trojan horse can also be controlled remotely.
● Spreading rate: The spreading rate of viruses is moderate. The spreading rate of worms is faster
than that of viruses and Trojan horses. The spreading rate of Trojan horses is slow compared with
both viruses and worms.
● Main objective: A virus aims to modify information. A worm aims to eat the system resources. A
Trojan horse aims to steal information.
● Execution: Viruses are executed via executable files. Worms are executed via weaknesses in the
system. A Trojan horse executes through a program and presents itself as utility software.
Spyware
● This type of malicious software spies on you and tracks your internet activities. It
helps the hacker gather information about the victim’s system without
the consent of the victim. The spyware’s presence is typically hidden from the
host, and it is very difficult to detect.
● For example, some spyware such as keyloggers save your keystrokes to a text
file. When you type in the address of something like a banking website and
then type in your username and password, the keylogger captures that
information and sends it back home.
Adware
● Adware is a form of malware that hides on your device and is designed to throw
advertisements up on your screen, most often within a web browser.
● Adware is also known as advertising-supported software.
● It shows advertisements for the purpose of generating revenue for its author.
● Adware is programmed to examine which Internet sites the user visits
frequently and to present and feature related advertisements.
● Not all adware has malicious intent, but it becomes a problem anyway
because it harms computer performance and can be annoying.
Ransomware
● Ransomware is a particularly nasty type of malware that doesn’t destroy your
data but locks it behind strong encryption. Following this, the creators of the
malware demand a ransom from you in order to get your data back.
Wannacry Attack
● The WannaCry ransomware attack was a worldwide cyberattack in May 2017
which targeted computers running the Microsoft Windows operating system
by encrypting data and demanding ransom payments in the Bitcoin
cryptocurrency.
WannaCry
● The WannaCry attack (in 2017) targeted computers running Windows by
encrypting data and demanding ransom
○ “Ransomware” attack
○ NHS and FedEx servers were affected
● WannaCry propagates using a buffer overflow vulnerability in the SMB (Server
Message Block) protocol
● Once the ransomware infects a system, it tries to contact an obscure server
and proceeds to encrypt the system if the server was not reachable
● Once it infects a system, it searches for other systems on the network and
spreads using the SMB protocol
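The lateral spread described above (one infected host reaching many others over SMB) leaves a pattern a defender can look for. As an added example that is not part of the slides, the following Python function flags any source that opens SMB (TCP/445) connections to more than a threshold of distinct hosts within a short time window; the connection records, window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed connection records (not real traffic): (seconds, src, dst, dport).
SAMPLE_CONNS = [
    (0, "10.0.0.5", "10.0.0.1", 445),
    (1, "10.0.0.5", "10.0.0.2", 445),
    (2, "10.0.0.5", "10.0.0.3", 445),
    (3, "10.0.0.5", "10.0.0.4", 445),
    (4, "10.0.0.5", "10.0.0.6", 445),
    (5, "10.0.0.5", "10.0.0.7", 445),
    (6, "10.0.0.9", "10.0.0.1", 445),     # ordinary repeated file-share access
    (7, "10.0.0.9", "10.0.0.1", 445),
    (90, "10.0.0.12", "10.0.0.20", 443),  # not SMB, ignored
]

def smb_fanout(conns, window=60, threshold=5):
    """Return {src: max distinct SMB targets seen in one window} for sources
    that reach more than `threshold` distinct hosts on TCP/445 within
    `window` seconds. Window and threshold are assumed values for the example."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in conns:
        if dport == 445:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # slide the left edge so hits[left:right+1] spans at most `window` s
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = {dst for _, dst in hits[left:right + 1]}
            if len(distinct) > threshold:
                suspects[src] = max(suspects.get(src, 0), len(distinct))
    return suspects
```

A host that legitimately talks to one file server repeatedly (10.0.0.9 above) is not flagged, because the rule counts distinct targets rather than connection volume.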
Incident Response
Event Vs Response
It is important to know the difference between a security event and a security
incident. A security event is an occurrence in the network that might lead to a
security breach. If a security event is confirmed to have resulted in a breach, the
event is termed a security incident. A security incident results in risk or damage
to the resources and assets of an enterprise. Based on the breach detected,
sufficient action has to be taken to limit the damage and prevent the incident from
getting worse.
Event
● Security events are the first step towards identifying a threat or a complete attack.
An enterprise might run into thousands of security events per day. However, not all
security events indicate a cyberattack. Some of the most common sources of
security events that should be analyzed in a network are explained below.
● Security events related to firewalls
○ Spike in incoming or outgoing traffic
○ Configuration changes to firewall policies
○ Modification to firewall settings
● Security events on critical servers (file servers, web servers, and domain
controllers)
○ User logins
○ User permission changes to access the servers
○ Changes to system settings
○ Changes to security configurations
Event vs Incident
A security incident is a security event that damages network resources or data as part
of an attack or security threat. An incident doesn’t always cause direct damage, but it
still puts the enterprise's security at risk. For example, a user clicking on a link in a
spam email is a security incident. This incident doesn't directly cause any damage, but it
could install malware that causes a ransomware attack.
Some of the security incidents that you should be monitoring in your network include:
○ Traffic from known malicious IP addresses
○ Suspicious malware installations on endpoints
○ Unauthorized changes to configurations of critical devices
○ Malware infection through removable media
○ Data manipulation in databases
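The event list (firewall and critical-server sources) and the incident list above describe a triage rule: every logged occurrence is an event, and only those matching an incident criterion need a response. As an added example that is not from the slides, this Python script parses constructed firewall and server log lines and escalates only lines that match two of the listed criteria (traffic from a known malicious IP, unauthorized configuration change on a critical device); the log format, the malicious-IP list and the authorized-admin set are assumptions.

```python
from collections import Counter

# Constructed sample log lines (not real data). Assumed format for this
# example: '<source> [<kind>] key=value ...' where source is fw or srv.
SAMPLE_LOG = """\
fw src=203.0.113.5 dst=10.0.0.7 dport=445 action=allow
fw src=10.0.0.9 dst=198.51.100.2 dport=443 action=allow
fw config_change user=alice rule=allow_any_inbound
srv host=dc01 login user=bob result=success
srv host=fs01 perm_change user=mallory target=/finance
srv host=web01 setting_change user=admin key=tls_min_version
"""
# Assumed threat-intel list and authorised change makers (hypothetical).
KNOWN_MALICIOUS_IPS = {"203.0.113.5"}
AUTHORIZED_ADMINS = {"alice", "admin"}
CHANGE_KINDS = {"config_change", "perm_change", "setting_change"}

def parse_line(line):
    """Parse one line into a dict; a line with no bare kind token is traffic."""
    tokens = line.split()
    rec = {"source": tokens[0], "kind": "traffic"}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["kind"] = tok
    return rec

def classify(rec):
    """Every line is a security event; it becomes an incident only when a rule matches."""
    if rec["kind"] == "traffic" and rec.get("src") in KNOWN_MALICIOUS_IPS:
        return "incident"  # traffic from a known malicious IP address
    if rec["kind"] in CHANGE_KINDS and rec.get("user") not in AUTHORIZED_ADMINS:
        return "incident"  # unauthorized change to a critical device
    return "event"

def triage(log_text):
    """Classify every line; return counts and the records that need a response."""
    counts = Counter()
    incidents = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "incident":
            incidents.append(rec)
    return {"counts": dict(counts), "incidents": incidents}
```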
Incident Response
● Incident response is a term used to describe the process by
which an organization handles a data breach or cyberattack,
including the way the organization attempts to manage the
consequences of the attack or breach (the “incident”).
● Ultimately, the goal is to effectively manage the incident so
that the damage is limited, and both recovery time and costs,
as well as collateral damage such as brand reputation, are
kept at a minimum.
● As cyberattacks increase in scale and frequency,
incident response plans become more vital to a company’s
cyber defenses.
Need for Incident Response
● Supports responding to incidents systematically.
● Minimizes loss or theft of information and disruption of
services.
● Ability to use information gained during incident
handling to better prepare for handling future incidents.
● Helps with dealing properly with legal issues that may
arise during incidents.
