Unit-3 1

The document provides an overview of cyber security threats, focusing on malware, its types, and their impacts on computer systems. It details various forms of malware including viruses, worms, trojans, spyware, adware, and botnets, explaining their characteristics and methods of propagation. Additionally, it discusses phishing attacks and spam, highlighting their tactics and potential risks to users and organizations.

Uploaded by Aman

Cyber Security and Forensics - I

05201296
Prof. Reena Panchal, Assistant Professor
Faculty of IT & Computer Science
CHAPTER-3
Introduction to Malware
What are cyber security threats?
• A cyber security threat is a type of threat that targets computer
networks, systems, and user data.
• Cyber threats can originate from a variety of sources, from
hostile nation states and terrorist groups, to individual hackers, to
trusted individuals like employees or contractors, who abuse their
privileges to perform malicious acts.
• These threats can come in the form of malware, phishing, worms,
viruses, Trojan horses and other malicious activity.
What is Malware?

• Malware (short for “malicious software”) is a file or code, typically
delivered over a network, that infects, explores, steals or conducts
virtually any behavior an attacker wants. Because malware comes in so
many variants, there are numerous methods to infect computer systems.
• Types of Malware: adware, botnets, ransomware, spyware, Trojans,
viruses, worms, etc.
Virus

• Computer viruses are unwanted software programs or pieces of code that
interfere with the functioning of the computer.
• Full form of virus is ‘Vital Information Resources under Siege’.
• They spread through contaminated files, data, and insecure networks.
Once a virus enters your system, it can replicate to produce copies of
itself and spread from one program to another and from one infected
computer to another.
• So, we can say that a virus is a self-replicating computer program that
interferes with the functioning of the computer by infecting files, data,
programs, etc.
• There are many antivirus programs that can help you protect your machine
from viruses. An antivirus scans your system and cleans the viruses
detected during the scan.
• Some of the popular antiviruses include Avast, Quick Heal, McAfee,
Kaspersky, etc.
Types of Computer Virus:
1. Resident Virus
A type of virus that hides and stores itself within the
computer's memory. Depending on the virus'
programming, it can then infect any file run by the
computer.
2. Multipartite Virus
A multipartite virus is a type of computer virus that harms the files of
computers, systems or devices by attacking both the boot sector and the
executable files. Multipartite viruses differ from other viruses in that
they infect in more than one way at once.
3. Direct Action
A virus that attaches itself directly to a .exe or .com file and enters the
device when that file is executed is called a Direct Action Virus. If it
gets into memory, it keeps itself hidden. It is also known as a
Non-Resident Virus.
4. Browser Hijacker
Easily detected, this virus type infects your browser and redirects
you to malicious websites.
5. Overwrite Virus
As the name implies, overwrite viruses overwrite file content to infect
entire folders, files, and programs.
6. Web Scripting Virus
The web scripting virus is really dangerous malware that affects not only
your devices but also web browser security. Whether spread through infected
web pages or other means, this computer virus can steal data, damage files,
and interfere with normal device use.
7. File Infector
By targeting executable files (.exe), file infector viruses slow down
programs and damage system files when a user runs them.
8. Network Virus
Network viruses travel through network connections and replicate
themselves through shared resources.
9. Boot Sector Virus
A boot sector is the section of a disk containing the code and data needed
to start the operating system (OS) of a computer. Boot sector viruses are a
type of malware that infects a system’s boot partition or the master boot
record (MBR) of a hard disk. While the computer is starting up, and before
security software is engaged, the virus executes its malicious code.
Worms
• A computer worm is a type of malware that spreads copies of itself from
computer to computer. A worm can replicate itself without any human
intervention, and it does not need to attach itself to a software program
in order to cause damage.
• Full form of worms is ‘write once, read many’.
• Worms can be transmitted via software vulnerabilities, or they could
arrive as attachments in spam emails or instant messages (IMs). Once
opened, these files could provide a link to a malicious website or
automatically download the computer worm. Once it is installed, the worm
silently goes to work and infects the machine without the user’s knowledge.
Types of Worms
• Email Worms: Email worms spread through malicious email, as an attachment
or as a link to a malicious website.
• Instant Messaging Worms: Instant messaging worms spread by sending links
to the contact list of instant messaging applications such as Messenger,
WhatsApp, Skype, etc.
• File Sharing Worms: File sharing worms place a copy of themselves in a
shared folder and distribute it via a peer-to-peer network.
• Internet Worms: An internet worm searches all available network resources
using local operating system services and/or scans compromised computers
over the Internet.
• IRC Worms: IRC worms spread through Internet Relay Chat (IRC). IRC is
mainly used for group discussion in chat rooms called “channels”, although
it also supports private messages between two users, data transfer, and
various server-side and client-side commands. Through these chat channels
the worm sends infected files or links to infected websites.
What is the difference between a virus and a worm?
• Viruses and worms both cause damage and copy themselves
rapidly.
• The main difference is how they self-replicate, with viruses
requiring the help of a host and worms acting independently.
• Unlike viruses, worms can replicate and spread without any
human activation.
Trojan horse

• The name Trojan Horse is taken from the classical story of the Trojan
War.
• It is malicious code that has the capacity to take control of the
computer.
• It is designed to steal, damage, or perform other harmful actions on the
computer.
• It tries to deceive the user into loading and executing the files on the
device. After it executes, it allows cybercriminals to perform many actions
on the user’s computer, like deleting data from files, modifying data in
files, and more.
Types of Trojan Horse

• Backdoor Trojan: A Trojan horse of this kind gives the attacker remote
access to the compromised machine.
• Ransom Trojan: This kind of Trojan horse is intended to encrypt the data
on the compromised system and then demand payment in exchange for its
decryption.
• Trojan Banker: It is designed to steal account data for online banking,
credit and debit cards, etc.
• Trojan Downloader: It is designed to download other malicious files, like
new versions of Trojans and adware, onto the victim’s computer.
• Trojan Dropper: It is designed to prevent the detection of malicious
files in the system. It can be used by hackers for installing Trojans or
viruses on the victim’s computer.
• Trojan GameThief: It is designed to steal data from online gamers.
• Trojan IM: It is designed to steal login names and passwords for instant
messaging programs such as Skype, Yahoo Pager and more.
Difference between Virus, Worm and Trojan Horse
Malicious spyware

• Spyware is malicious software that enters a user’s computer, gathers data
from the device and user, and sends it to third parties without their
consent.
• A commonly accepted spyware definition is a strand of malware designed to
access and damage a device without the user’s consent.
• Spyware collects personal and sensitive information that it sends to
advertisers, data collection firms, or malicious actors for a profit.
• Attackers use it to track, steal, and sell user data, such as internet
usage, credit card and bank account details, or to steal user credentials
to spoof their identities.
• Spyware is one of the most commonly used cyberattack methods; it can be
difficult for users and businesses to identify and can do serious harm to
networks.
• It also leaves businesses vulnerable to data breaches and data misuse,
often affects device and network performance, and slows down user activity.
Types of Spyware
1. Adware: This sits on a device and monitors users’ activity, then sells
their data to advertisers and malicious actors or serves up malicious ads.
2. Infostealer: This is a type of spyware that collects information from
devices. It scans them for specific data and instant messaging
conversations.
3. Keyloggers: Also known as keystroke loggers, keyloggers are a type of
infostealer spyware. They can potentially capture sensitive information,
such as passwords, credit card numbers, and personal messages. If this data
falls into the wrong hands due to a malicious keylogger, it can lead to
identity theft, financial loss, and other serious consequences.
4. Rootkits: These enable attackers to deeply infiltrate devices by
exploiting security vulnerabilities or logging into machines as an
administrator. Rootkits are often difficult and even impossible to detect.
5. Red Shell: This spyware installs itself onto a device while a user is
installing specific PC games, then tracks their online activity. It is
generally used by developers to enhance their games and improve their
marketing campaigns.
6. System monitors: These also track user activity on their computer,
capturing information like emails sent, social media and other sites
visited, and keystrokes.
7. Tracking cookies: Tracking cookies are dropped onto a device by a
website and then used to follow the user’s online activity.
8. Trojan Horse Virus: This brand of spyware enters a device through Trojan
malware, which is responsible for delivering the spyware program.
Adware

• Adware is software that displays unwanted (and sometimes irritating)
pop-up adverts, which can appear on your computer or mobile device.
• Adware typically ends up on a user’s device in one of two ways:
1. You might install a free computer program or app without necessarily
realizing that it is bundled with additional software that contains
adware. This allows the app developer to make money, but means you could
download adware onto your systems without necessarily consenting.
2. Alternatively, there may be a vulnerability in your software or
operating system which hackers exploit to insert malware, including some
types of adware, into your system.
Botnet

• Botnets are networks of hijacked computer devices used to carry out
various scams and cyberattacks.
• The term “botnet” is formed from the words “robot” and “network.”
Assembly of a botnet is usually the infiltration stage of a multi-layer
scheme.
• The bots serve as a tool to automate mass attacks, such as data theft,
server crashing, and malware distribution.
• Botnets use your devices to scam other people or cause disruptions, all
without your consent.
Types of Botnet Attacks

• Distributed Denial-of-Service (DDoS) is an attack based on overloading a
server with web traffic to crash it. Zombie computers are tasked with
swarming websites and other online services, resulting in them being taken
down for some time.
• Phishing schemes imitate trusted people and organizations to trick
victims out of their valuable information. Typically, this involves a
large-scale spam campaign meant to steal user account information like
banking logins or email credentials.
• Brute force attacks run programs designed to breach web accounts by
force. Dictionary attacks and credential stuffing are used to exploit weak
user passwords and access their data.
Phishing

• Phishing is one type of cyber attack. Phishing got its name from
“phish”, meaning fish.
• It is common to put out bait so that fish get trapped, and phishing
works the same way. It is an unethical way to dupe the user or victim into
clicking on harmful sites.
• The attacker crafts the harmful site in such a way that the victim feels
it to be an authentic site, thus falling prey to it.
• The most common mode of phishing is by sending spam emails that appear to
be authentic, thus taking away all credentials from the victim.
• The main motive of the attacker behind phishing is to gain confidential
information like
– Password
– Credit card details
– Social security numbers
– Date of birth
Types of Phishing Attacks

• Email Phishing: The most common type, where users are tricked into
clicking unverified spam emails and leaking secret data. Hackers
impersonate a legitimate identity and send emails to victims en masse.
Generally, the goal of the attacker is to get personal details like bank
details, credit card numbers, user IDs and passwords for online shopping
websites, to install malware, etc. After getting the personal information,
they use it to steal money from the user’s account or harm the target
system.
• Spear Phishing: In a spear phishing attack, a particular user (an
organization or an individual) is targeted. In this method, the attacker
first gathers full information about the target and then sends malicious
emails to his or her inbox to trap the target into typing confidential
data. For example, the attacker targets someone (let’s assume an employee
from the finance department of some organization). The attacker then
pretends to be the manager of that employee and requests personal
information or the transfer of a large sum of money. It is the most
successful attack.
• Whaling: Whaling is just like spear phishing, but the main target is the
head of the company, like the CEO, CFO, etc. A high-pressure email is sent
to such executives so that they don’t have much time to think, therefore
falling prey to phishing.
• Vishing: Vishing is also known as voice phishing. In this method, the
attacker calls the victim using modern caller ID spoofing to convince the
victim that the call is from a trusted source. Attackers also use IVR to
make it difficult for legal authorities to trace the attacker. It is
generally used to steal credit card numbers or confidential data from the
victim.
• Smishing: In this type of phishing attack, the medium is SMS. Smishing
works similarly to email phishing. SMS texts are sent to victims containing
links to phishing websites, or inviting the victims to call a phone number
or to contact the sender using a given email address. The victim is then
invited to enter their personal information, like bank details, credit
card information, user ID/password, etc. The attacker then uses this
information to harm the victim.
• Clone Phishing: In this type of phishing attack, the attacker copies
email messages that were sent from a trusted source and then alters the
information by adding a link that redirects the victim to a malicious or
fake website. The attacker then sends this mail to a larger number of
users and waits to see who clicks on the attachment that was sent in the
email. It spreads through the contacts of the user who has clicked on the
attachment.
Spam

• Spam describes large numbers of undesired messages sent via email,
instant chatting, social media, or text messages.
• Full form of spam is ‘sales promotional advertising mail’.
• It often contains promotional or advertising information and may also
contain phishing, malware-spreading, or fake links or attachments.
• Spam’s main goal is to efficiently reach a large number of recipients to
make money or collect personal data. Spam is typically considered an
irritation and can put people’s and organizations’ security at risk.
Types of Spam

• Email Spam: Email spam remains a widespread and persistent problem. These
messages range from annoying marketing promotions to phishing attempts to
deceive recipients into revealing sensitive information such as passwords
or credit card details. Spam filters and user education play vital roles
in mitigating email spam.
• Social Media Spam: Fake accounts, automated bots, and comment spam flood
timelines and posts with irrelevant or malicious content. Common forms of
social media spam include fake followers, clickbait links, and deceptive
advertising.
• Messaging App Spam: As messaging apps gain popularity, so does spam in
this domain. Users often receive unwanted messages containing scams,
malware, or unsolicited marketing. The challenge lies in striking a
balance between allowing genuine communication and filtering out unwanted
messages.
• Comment and Forum Spam: Online forums, blogs, and comment sections often
fall prey to spam attacks. Automated bots or human spammers leave
irrelevant or promotional comments, disrupting meaningful discussions and
polluting online communities.
Stack and Buffer overflow

• A buffer is a temporary area for data storage. When a program or system
process places more data in a buffer than was originally allocated for it,
the extra data overflows. Some of that data leaks out into adjacent memory,
such as other buffers, and can corrupt or overwrite whatever data they were
holding.
• In a buffer-overflow attack, the extra data sometimes holds specific
instructions for actions intended by a hacker or malicious user; for
example, the data could trigger a response that damages files, changes
data or unveils private information.
• An attacker would use a buffer-overflow exploit to take advantage of a
program that is waiting on a user’s input. There are two types of buffer
overflows: stack-based and heap-based.
• Heap-based overflows, which are difficult to execute and the less common
of the two, attack an application by flooding the memory space reserved
for a program.
• Stack-based buffer overflows, which are more common among attackers,
exploit applications and programs through the stack, the memory region
used to store function-local data such as user input.
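An added example, not from these slides, showing the stack-based case in C: a fixed-size stack buffer filled without a length check, beside the bounded versions a defender would write instead. The function names and the inputs are made up for illustration.

```c
/* Added example, not from the slides: the same copy-into-a-stack-buffer
 * routine written three ways. greet_unsafe is the textbook defect; the
 * other two are what a defender writes. All names are made up. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the terminating NUL */

/* Vulnerable: strcpy copies until it sees a NUL, with no regard for the
 * 16 bytes actually allocated. Input of 16+ characters writes past
 * name[] into adjacent stack data (saved registers, return address),
 * which is the overflow the slides describe. Only called with input
 * that fits below; longer input is undefined behaviour. */
static int greet_unsafe(const char *user_input) {
    char name[NAME_LEN];
    strcpy(name, user_input);
    return (int)strlen(name);
}

/* Hardened (reject policy): measure first, refuse anything that does
 * not fit together with its NUL, copy exactly n+1 bytes otherwise. */
static int greet_safe(const char *user_input, char *out, size_t out_len) {
    size_t n = strlen(user_input);
    if (n >= out_len)
        return -1;                     /* would overflow: refuse, do not copy */
    memcpy(out, user_input, n + 1);
    return (int)n;
}

/* Hardened (truncate policy): keep the first out_len-1 characters.
 * strncpy does not promise a terminator, so write it explicitly. */
static int greet_truncate(const char *user_input, char *out, size_t out_len) {
    if (out_len == 0)
        return -1;
    strncpy(out, user_input, out_len - 1);
    out[out_len - 1] = '\0';
    return (int)strlen(out);
}

/* Small wrappers so a caller can test each policy against a 16-byte buffer. */
int safe_len_of(const char *s)      { char b[NAME_LEN]; return greet_safe(s, b, sizeof b); }
int truncated_len_of(const char *s) { char b[NAME_LEN]; return greet_truncate(s, b, sizeof b); }

int main(void) {
    /* Constructed inputs: a short name and a 40-byte run of 'A' */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("unsafe(ok)      = %d\n", greet_unsafe(ok));          /* 5 */
    printf("safe(too_long)  = %d\n", safe_len_of(too_long));      /* -1 */
    printf("trunc(too_long) = %d\n", truncated_len_of(too_long)); /* 15 */
    return 0;
}
```

Building with a stack protector (for example GCC's -fstack-protector) turns an overrun of greet_unsafe into an abort rather than silent corruption, but it is a safety net, not a substitute for the length check.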
www.paruluniversity.ac.in
