Cyber Security Fundamentals-III

AI & ML for Cyber Security-III

Malware
What is Malware?
• Malware (short for "malicious software") refers to programs designed to harm, exploit,
or gain unauthorised access to computer systems.
• It targets data, privacy, or functionality of devices.
Examples
• Virus-infected USB drives
• Ransomware encrypting user files (WannaCry)
• Spyware that tracks user activity (Keylogger)
Why Should We Study Malware?

• Understanding malware helps in:


◦ Strengthening cybersecurity defenses.
◦ Identifying attack patterns.
◦ Responding effectively to breaches.
Types of Malware
❖ Virus
❖ Definition: A program that attaches itself to a host file and spreads when executed.
Case Study: Melissa Virus (1999)
• How It Worked:
Melissa arrived as an email attachment ("Important Message") and infected Microsoft Word documents. When opened, it sent itself to the
top 50 contacts in the victim's Outlook address book.
• Impact:
◦ Spread rapidly, clogging email systems worldwide.
◦ Companies like Microsoft temporarily shut down email servers.
◦ Estimated damages: $80 million.
• Lessons:
◦ Avoid opening unsolicited email attachments.
◦ Employ email filtering and antivirus tools to detect malicious macros.
Types of Malware

Worm
❖ Definition: Self-replicating malware that spreads across networks without user interaction.
Case Study: WannaCry Ransomware Worm (2017)
• How It Worked:
Exploited the EternalBlue vulnerability in Microsoft’s SMB protocol to spread without user intervention. It encrypted files and demanded
Bitcoin as ransom.
• Impact:
◦ Affected over 200,000 systems in 150 countries, including critical services like the UK NHS.
◦ Caused $4 billion in damages globally.
• Lessons:
◦ Patch vulnerabilities promptly.
◦ Segment networks to prevent worm-like propagation.
◦ Maintain up-to-date backups.
Types of Malware

Trojan Horse
❖ Definition: Malware disguised as legitimate software that performs malicious activities once executed.
Case Study: Zeus Trojan (2007)
• How It Worked:
Zeus targeted banking credentials by embedding itself in websites or phishing emails. Once installed, it monitored user
activity and sent sensitive data to attackers.
• Impact:
◦ Stole over $70 million from businesses and individuals globally.
◦ Evolved into a platform for distributing other malware.
• Lessons:
◦ Deploy multi-factor authentication (MFA) for online accounts.
◦ Educate users about phishing attacks and suspicious downloads.
Types of Malware

Ransomware
❖ Definition: Encrypts user data and demands ransom for decryption.
Case Study: Ryuk Ransomware (2018)
• How It Worked:
Delivered via phishing emails or as a second-stage payload from TrickBot. Targeted high-value organizations like hospitals and
newspapers.
• Impact:
◦ One hospital system in the U.S. paid $1 million to recover patient records.
◦ Downtime led to disruptions in emergency services and critical care.
• Lessons:
◦ Implement offline backups.
◦ Test ransomware recovery processes regularly.
◦ Use endpoint detection and response (EDR) tools to detect threats early.
Types of Malware

Rootkit
❖ Definition: Hides deep within a system, granting attackers administrative access.
Case Study: Stuxnet Rootkit (2010)
• How It Worked:
Stuxnet targeted Iranian nuclear facilities, hiding in programmable logic controllers (PLCs) to sabotage centrifuges.
• Impact:
◦ Delayed Iran's nuclear program significantly.
◦ Marked the first major cyberattack targeting industrial control systems (ICS).
• Lessons:
◦ Secure ICS environments with network isolation.
◦ Conduct regular audits to detect anomalies.
Types of Malware
Botnet
❖ Definition: A network of infected devices controlled by attackers, often used for DDoS attacks.
Case Study: Mirai Botnet (2016)
• How It Worked:
Exploited weak IoT device credentials to form a botnet, launching massive DDoS attacks on websites like Twitter and Netflix.
• Impact:
◦ Disrupted major online services for hours.
◦ Highlighted the vulnerabilities of IoT devices.
• Lessons:
◦ Use strong, unique passwords for IoT devices.
◦ Update IoT firmware regularly.
Types of Malware

Cryptojacking
❖ Definition: Uses a victim’s computer to mine cryptocurrency without consent.
Case Study: Coinhive Cryptojacking (2017)
• How It Worked:
Websites embedded Coinhive scripts to mine cryptocurrency using visitors' CPUs without permission.
• Impact:
◦ Slowed down devices and increased energy costs for users.
◦ Affected thousands of websites, including government domains.
• Lessons Learned:
◦ Use browser extensions to block mining scripts.
◦ Monitor CPU usage for unexplained spikes.
Malware Analysis
❖ Detecting new malware in pre-execution with similarity hashing:
❖ Malware detection on computers was based on heuristic features that identified particular
malware files by:
❖ code fragments
❖ hashes of code fragments or the whole file
❖ file properties
❖ combinations of these features.
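The slide contrasts exact hashes of a whole file with hashes of code fragments. The following Python example, added here and not part of the lecture, shows why the distinction matters: it splits a file into content-defined chunks with a simple rolling hash, hashes each chunk, and scores a new sample against a known family by Jaccard similarity of the chunk-hash sets. The sample bytes, the rolling-hash parameters, the family name "family-A" and the 0.6 threshold are all constructed for illustration; the chunking scheme is a simplified stand-in for production similarity hashes such as ssdeep, not their actual algorithm.

```python
import hashlib
import random

WINDOW = 7       # bytes in the rolling-hash window (constructed parameter)
BLOCK_MOD = 16   # trigger modulus: average chunk length is about 16 bytes


def chunk_hashes(data: bytes) -> set:
    """Split data into content-defined chunks and hash each one.

    A cut is made whenever a cheap hash of the last WINDOW bytes hits a
    trigger value, so cut points follow the content rather than fixed
    offsets. Patching, inserting or appending bytes therefore disturbs
    only the chunks around the edit; all other chunks keep their hashes."""
    hashes = set()
    start = 0
    for i in range(WINDOW - 1, len(data)):
        window = data[i + 1 - WINDOW:i + 1]
        if (sum(window) * 31 + window[-1]) % BLOCK_MOD == BLOCK_MOD - 1:
            hashes.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:16])
            start = i + 1
    if start < len(data):
        hashes.add(hashlib.sha256(data[start:]).hexdigest()[:16])
    return hashes


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-hash sets, in [0, 1]."""
    ha, hb = chunk_hashes(a), chunk_hashes(b)
    if not ha and not hb:
        return 1.0
    return len(ha & hb) / len(ha | hb)


def classify(sample: bytes, exact_hashes: set, family_samples: dict,
             threshold: float = 0.6) -> str:
    """Pre-execution verdict: whole-file hash first, then fragment similarity."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in exact_hashes:
        return "known-bad (exact hash match)"
    best_name, best_score = None, 0.0
    for name, bad in family_samples.items():
        score = similarity(sample, bad)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return f"suspicious (similar to {best_name}, score {best_score:.2f})"
    return "no match"


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Constructed stand-in for an executable's bytes (not real malware)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


KNOWN_BAD = _pseudo_random_bytes(1, 2000)
# A "repacked" variant: the same file with a few bytes patched and a tail appended.
_variant = bytearray(KNOWN_BAD)
for _pos in (500, 1000, 1500):
    _variant[_pos] ^= 0xFF
VARIANT = bytes(_variant) + b"appended-stub"
BENIGN = _pseudo_random_bytes(2, 2000)

EXACT_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}   # whole-file signature database
FAMILIES = {"family-A": KNOWN_BAD}                         # reference sample per family

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:8s} -> {classify(sample, EXACT_HASHES, FAMILIES)}")
```

The exact-hash check catches only the byte-identical sample; the patched variant has a different SHA-256 yet still shares almost all of its chunk hashes with the reference, which is what lets a similarity hash detect a new build of a known family before it runs.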
Botnet Detection with Machine Learning
❖ Overview of Botnet

❖ Botnet is a combination of the two terms bot and net.


❖ The bot part represents the fact that this malware automates things and tasks like a robot.
❖ The second part refers to a network, in other words, a network of compromised devices.
❖ A botnet is a form of malware that attacks computers on the internet and controls them
with command and control servers to perform a wide variety of automated tasks,
including sending spam emails and performing Distributed Denial of Service (DDoS)
attacks.
Botnet Detection with Machine Learning
❖ Some of the tasks performed by botnets are:
❖ Advertising fraud and sending spam emails.
❖ Cryptocurrency mining.
❖ Stealing personal data and sensitive information.
❖ Performing DDoS attacks.
❖ Performing brute force attacks.
Components/Actors in the Botnet
❖ Components of a botnet
❖ Hacker: Controller of bots on the botnet.
❖ C&C server: A computer used to control bots.
❖ A hacker uses the C&C server to deliver control instructions to control a large number of bots on the botnet.
❖ Control protocol: Medium used by a hacker to control the bots on the botnet.
❖ A common communications protocol is IRC (Internet Relay Chat), which allows a hacker to send control commands to all bots through the created IRC channel.
❖ Bots: Hosts that have been controlled by a hacker. They perform malicious tasks under remote control.

Fig.1: Different Actors in the Botnet
Botnet working Phases
❖ Botnets work based on four different phases:
❖ Infection: In this phase, the attackers infect the targeted machines by sending the
malware.
❖ Connection: In this phase, the botnet initiates an internet connection with the control and
command server to receive the commands and automated tasks.
❖ Control: In this phase, the attack occurs, for example, sending spam emails.
❖ Multiplication: In this phase, the botnet will try to compromise more machines to join
them to the network; the compromised machines become what we call zombies.
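The Connection phase above is the point where a defender can see a bot: it has to contact the C&C server repeatedly, and machine-driven check-ins are far more regular than human traffic. The following Python example, added here and not taken from the lecture, runs that idea over constructed flow records in the form "timestamp src dst dport bytes": for every (source, destination, port) pair with enough connections it computes the coefficient of variation of the inter-connection gaps and flags pairs whose gaps are nearly constant. The IP addresses, timestamps, thresholds (MIN_CONNECTIONS, MAX_CV) and the IRC-port annotation are assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 6        # too few samples cannot establish regularity
MAX_CV = 0.15              # stdev/mean of gaps at or below this => periodic
IRC_PORTS = {6667, 6697}   # IRC ports, the control protocol named in the lecture


def _flow_line(ts: int, src: str, dst: str, dport: int, nbytes: int) -> str:
    return f"{ts} {src} {dst} {dport} {nbytes}"


def build_sample_log() -> list:
    """Constructed flow records (not real traffic) for the detector to read."""
    lines = []
    base = 1700000000
    # Bot 10.0.0.5 checks in with its C&C every 60 s with +/-1 s of jitter.
    for i, jitter in enumerate((0, 1, -1, 0, 1, -1, 0, 1, -1, 0)):
        lines.append(_flow_line(base + 60 * i + jitter, "10.0.0.5", "203.0.113.7", 6667, 118 + i))
    # Workstation 10.0.0.8 browses a web server at irregular, human-paced moments.
    for off in (0, 5, 47, 52, 130, 131, 300, 410, 415, 900):
        lines.append(_flow_line(base + off, "10.0.0.8", "198.51.100.20", 443, 4000 + off))
    # Two backup jobs exactly 60 s apart: regular, but too few events to judge.
    for off in (0, 60):
        lines.append(_flow_line(base + off, "10.0.0.9", "10.0.0.200", 22, 50000))
    return lines


def detect_beacons(lines: list) -> list:
    """Return (src, dst, dport, cv, note) for connection pairs that look periodic."""
    timestamps = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _nbytes = line.split()
        timestamps[(src, dst, int(dport))].append(int(ts))

    findings = []
    for (src, dst, dport), times in timestamps.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= MAX_CV:
            note = "IRC port" if dport in IRC_PORTS else "non-IRC port"
            findings.append((src, dst, dport, round(cv, 3), note))
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(build_sample_log()):
        print("possible C&C beacon:", finding)
```

Real bots add deliberate jitter, so the CV threshold is a tuning knob rather than a constant; raising MIN_CONNECTIONS reduces false positives from short, coincidentally regular sequences such as the two backup jobs in the sample.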
Botnet working Phases

Fig.2: Botnet Working Phases

Common Propagation Paths
Botnets spread through the following ways:
❖ Operating system vulnerabilities: A hacker obtains the permission to access the operating system of a host by exploiting the vulnerabilities
in the host operating system.
❖ The hacker infects the attacked computers, which become bots when the shellcode is used to execute bot programs. They also combine bot
programs (such as AgoBot) with worms, so that bot programs can spread automatically.
❖ Emails: Hackers often use emails to spread bot programs in attachments or links.
❖ They send a large number of such emails to users, and exploit social engineering techniques to induce email receivers to execute programs
in the attachments or click links.
❖ Sometimes, they exploit the vulnerabilities on the mail clients to automatically execute bot programs. As a result, the mail receivers' hosts
are infected and become bots.
❖ Instant messaging software: A hacker exploits instant messaging software to send links to users in the friend list, using social engineering
techniques to trick them into clicking the links to execute the bot programs.
❖ As a result, their hosts are infected. An example is Worm.MSNLoveme, which broke out in early 2005.
❖ Malicious website scripts: Hackers bind malicious scripts to HTML pages of websites that provide web services.
❖ When visitors access these websites, malicious scripts are executed to download bot programs to hosts.
❖ The programs run automatically. As a result, the visitors' hosts become bots.
Harms Caused by a Botnet

DDoS attacks
❖ DDoS attacks are one of the major botnet threats. A hacker can instruct all controlled bots to
continuously send access requests to a specific network target at a specific time.
❖ A large number of bots can launch DDoS attacks simultaneously, making DDoS attacks more
harmful and difficult to defend against.

Fig.3: DDoS Attack

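The defining shape of a botnet DDoS, as described above, is many distinct sources converging on one target at the same time. The following Python example, added here and not part of the lecture, counts requests and distinct source addresses per target in fixed 10-second windows over constructed request records ("timestamp src dst dport") and raises an alert when both the request count and the source fan-in exceed thresholds. The addresses, window size and thresholds are assumptions for illustration; a production detector would use sliding windows and per-target baselines instead of fixed constants.

```python
from collections import defaultdict

WINDOW_SECONDS = 10          # fixed bucket width (constructed parameter)
MIN_REQUESTS = 100           # requests per bucket before a target is considered
MIN_DISTINCT_SOURCES = 20    # fan-in that distinguishes a botnet from one noisy client


def build_sample_log() -> list:
    """Constructed request records (not real traffic): 'timestamp src dst dport'."""
    lines = []
    base = 1700000000
    # Normal load: 5 clients each send one request per second to a web server for 30 s.
    for sec in range(30):
        for c in range(5):
            lines.append(f"{base + sec} 192.0.2.{c + 1} 198.51.100.10 443")
    # Flood: 40 bots each send 5 requests per second at a second target for 10 s.
    for sec in range(10, 20):
        for b in range(40):
            for _ in range(5):
                lines.append(f"{base + sec} 203.0.113.{b + 1} 198.51.100.30 80")
    return lines


def detect_floods(lines: list) -> dict:
    """Map each flooded target to its peak (requests, distinct_sources) per bucket."""
    stats = defaultdict(lambda: [0, set()])   # (target, bucket) -> [requests, sources]
    for line in lines:
        ts, src, dst, _dport = line.split()
        entry = stats[(dst, int(ts) // WINDOW_SECONDS)]
        entry[0] += 1
        entry[1].add(src)

    alerts = {}
    for (dst, _bucket), (requests, sources) in stats.items():
        if requests >= MIN_REQUESTS and len(sources) >= MIN_DISTINCT_SOURCES:
            previous = alerts.get(dst, (0, 0))
            alerts[dst] = max(previous, (requests, len(sources)))
    return alerts


if __name__ == "__main__":
    for target, (requests, sources) in detect_floods(build_sample_log()).items():
        print(f"possible DDoS on {target}: {requests} requests from {sources} sources "
              f"in one {WINDOW_SECONDS}s window")
```

Requiring both thresholds matters: a single misbehaving client can exceed MIN_REQUESTS on its own, and a popular service routinely sees many distinct sources at low rates; only the combination matches the bot fan-in the figure illustrates.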
Harms Caused by Botnets
❖ Spam: Hackers use botnets to send a large amount of spam. The spam senders are bots, so hackers
can hide their IP addresses easily.
❖ Personal information leakage: Botnet controllers can steal sensitive user information, such as
personal account passwords and confidential data, from bots.
❖ Abuse of resources: Hackers use botnets to perform various activities that consume network
resources, deteriorating network performance and even resulting in economic loss.
❖ Examples include implanting adware, using bots to store large-scale or illegal data, and using
bots to build fake bank websites for phishing.
❖ Cryptocurrency mining: Hackers control a large number of bots to perform mining activities,
thereby consuming the computing resources of the victim hosts, increasing the host temperature,
and consuming extra power.
How to Prevent Botnet?
❖ Create a secure password: In many cases, creating a secure password can effectively prevent
botnet intrusion.
❖ Creating a secure password makes brute force cracking difficult, and creating a sophisticated
and secure password makes it almost impossible.
❖ Closely monitor the network status: Closely monitor the abnormal activities on your network.
❖ If there are abnormal activities on the network, handle them in time and check whether your
devices are attacked by malicious software.
❖ Check system files regularly. Regularly review files in the system and delete unnecessary junk
files to prevent botnet intrusion through malicious programs.
❖ Execute only authenticated software services.
Thank you

Any Questions??
