Lecture 11 Malware
Malware
Information Security (CSNC3413)
Course Instructor: Annas W. Malik
Malicious Software – Malware
Malware is “a program that is inserted into a system, usually covertly,
with the intent of compromising the confidentiality, integrity, or
availability of the victim’s data, applications, or operating system or
otherwise annoying or disrupting the victim” – NIST
Classification of Malware
• Propagation: How the malware spreads
Viruses
Worms
Social engineering
• Payload: Actions malware takes when it reaches the victim
System corruption
Zombies and bots
Information theft
Stealthing (Concealment)
Countermeasures: Anti-virus software
Malware By Propagation Techniques:
Computer Viruses
• A virus is a piece of software that “infects” programs by copying itself into
them, so that the host program carries and spreads the virus.
• Self-replication is what distinguishes computer viruses from non-replicating
malware such as logic bombs and Trojan horses (worms also replicate, but
without infecting a host program).
• Another distinguishing property of a virus is that replication requires
some type of user assistance, such as opening an infected email attachment
or sharing a USB drive.
• Biological Analogy:
Computer viruses share some properties with biological viruses: both attach to a
host, use the host to replicate, and pass on to new hosts.
• The phases of a virus are:
Dormant: virus is idle; will be activated by some event (like logic bomb).
Propagation: virus copies itself into other programs or areas of operating
system.
Triggering: virus is activated to perform the function it was written for; the
triggers resemble those of logic bombs (a date, a particular file present), but can
also be a count of how many times the virus has copied itself.
Execution: function is performed, either harmless (display a message) or
malicious (delete or modify files).
• Most viruses are specific to operating systems and/or hardware
platforms.
Types of Computer Viruses
Types of viruses by target:
• Boot Sector Infector:
Infects the master boot record or boot record of a disk.
Spreads when the system is booted from the infected disk.
• File Infector:
Infects files that are considered executable by the operating system or shell.
• Macro Virus:
Infects files containing macro or scripting code that is interpreted by an application.
• Multipartite Virus:
Infects in more than one way, e.g. both boot sectors and executable files, so it
must be removed from every location it has infected.
Types of Viruses by Concealment Strategy:
• Encrypted Virus:
Stores the main body of the virus encrypted under a random key that is generated
afresh for each copy, so the body looks different in every infection.
Only a small decryption routine and the key stay constant, so a signature has to
target that routine rather than the body.
• Stealth Virus:
Specifically designed to hide from anti-virus software, e.g. by intercepting file
reads so the clean original is returned, or by compressing the host so the infected
file keeps its original length.
• Polymorphic Virus:
Mutates with each infection to avoid detection: the decryption routine itself is
rewritten in a functionally equivalent form (reordered instructions, junk
instructions), so no fixed byte sequence is shared between copies.
• Metamorphic Virus:
Rewrites its entire body with each iteration, not just the decryptor, and may alter
its behaviour as well as its appearance; the hardest of the four to catch with
signatures.
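The following added example (not part of the lecture slides) shows why the concealment strategies above defeat a simple signature scanner and why scanning after decryption still works. Everything in it is inert data: the "virus body" is a byte string, the "decryptor stubs" are constructed constants, and nothing is executed. Single-byte XOR stands in for the encryption, and the three stub variants are an assumed stand-in for the rewritten decryptors of a polymorphic virus.

```python
"""Encrypted and polymorphic viruses versus a signature scanner.
Everything here is inert data: the 'virus body' is a text string, the
'decryptor stubs' are fixed byte strings, and nothing is executed."""
import random

# Constructed stand-in for the virus body. A real body would be machine
# code; a byte string is enough to show what a signature scanner sees.
BODY = b"[virus body] display message; copy self into other executables"

# Constructed decryptor stubs (assumed, not from any real sample). An
# encrypted virus keeps one fixed stub (STUBS[0]); a polymorphic virus
# picks a different but equivalent stub per copy, so stub bytes vary too.
STUBS = [
    b"\x90\x90DECRYPT-A\x90",
    b"\x90DECRYPT-B\x90\x90",
    b"DECRYPT-C\x90\x90\x90",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest 'encryption' a virus could use."""
    return bytes(b ^ key for b in data)


def make_infection(key: int, stub_index: int = 0) -> bytes:
    """One infected copy: stub + 1-byte key + XOR-encrypted body.
    key must be 1..255: XOR with 0 would leave the body in clear."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUBS[stub_index] + bytes([key]) + xor_bytes(BODY, key)


def random_infection(rng: random.Random, polymorphic: bool = False) -> bytes:
    """Mimic replication: fresh key per copy, fresh stub too if polymorphic."""
    stub_index = rng.randrange(len(STUBS)) if polymorphic else 0
    return make_infection(rng.randrange(1, 256), stub_index)


def scan(sample: bytes, signatures: dict) -> list:
    """Naive signature scan: byte-substring match against each signature."""
    return sorted(name for name, sig in signatures.items() if sig in sample)


def emulate_and_scan(sample: bytes, signatures: dict) -> list:
    """Generic decryption: recognise a known stub, do the decryption it would
    do at run time, then scan the recovered body."""
    for stub in STUBS:
        if sample.startswith(stub):
            key = sample[len(stub)]
            return scan(xor_bytes(sample[len(stub) + 1:], key), signatures)
    return []


# Two signatures an analyst might extract: one from the body, one from stub A.
SIGS = {"body": b"copy self into other", "stub_a": STUBS[0]}


def demo(seed: int = 1) -> dict:
    rng = random.Random(seed)
    enc1, enc2 = random_infection(rng), random_infection(rng)
    poly = random_infection(rng, polymorphic=True)
    return {
        "encrypted_copies_differ": enc1 != enc2,
        "encrypted_static_scan": scan(enc1, SIGS),           # stub only
        "polymorphic_static_scan": scan(poly, SIGS),         # often nothing
        "encrypted_emulated_scan": emulate_and_scan(enc1, SIGS),
        "polymorphic_emulated_scan": emulate_and_scan(poly, SIGS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a fixed stub the body signature never matches but the stub signature does; once the stub varies as well, the static scan finds nothing, and only recognising the decryptor and scanning the decrypted body recovers the match. This is the reasoning behind the generic decryption (emulation) stage in real scanners, and a metamorphic virus, which rewrites the body too, is why behaviour-based detection is needed on top of it.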
Malware By Propagation Techniques:
Computer Worm
• “A computer worm is a malware program that spreads copies of itself without the
need to inject itself in other programs, and usually without human interaction.”
Differs from a computer virus in that it is a standalone program and does not infect other programs.
Worms are often confused with viruses because both self-replicate.
Often carries a malicious payload (e.g., file deletion or backdoor installation).
• Acts as a launching pad for attacks on other machines.
• Exploits software vulnerabilities in client or server programs.
• Spreads through network connections and shared media (USB drives, CDs, DVDs).
• E-mail worms spread through attachments and instant messenger file transfers.
• Replicates and propagates upon activation.
• Worm Propagation:
• Worm Replication:
• E-mail/IM (Instant Message Service) replication: Worm sends itself as
an attachment via e-mail or instant messaging
• File sharing: Worm creates copies or infects files on removable media
• Remote execution: Worm executes a copy of itself on another system
• Remote file access: Worm uses a remote file access or transfer service
to copy itself to another system
• Remote login: Worm logs onto a remote system as a user and uses
commands to copy itself to another system
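The propagation curve of a scanning worm (slow start, fast spread, slow finish) can be reproduced with a small simulation. The block below is an added example, not part of the slides, and models only the remote-execution style of replication: every infected host probes random addresses and infects any vulnerable host it hits. The address-space size, number of vulnerable hosts and scan rate are assumed parameters; the code touches no network and keeps only counters.

```python
"""Random-scanning worm propagation as a simulation of the S-shaped curve
(slow start, fast spread, slow finish). Abstract counters only: nothing
here touches a network."""
import random


def simulate_worm(address_space=10_000, vulnerable=1_000, scans_per_step=10,
                  seed=42, max_steps=200):
    """Return the number of infected hosts after each time step.

    Assumed model: every infected host probes scans_per_step uniformly
    random addresses per step (remote-execution spread, no user action);
    a probe that hits a vulnerable, not-yet-infected host infects it, and
    the new host starts scanning from the next step.
    """
    rng = random.Random(seed)
    vulnerable_hosts = set(rng.sample(range(address_space), vulnerable))
    infected = {next(iter(vulnerable_hosts))}   # patient zero
    history = [len(infected)]
    for _ in range(max_steps):
        if len(infected) == vulnerable:         # nothing left to infect
            break
        newly_hit = set()
        for _scanner in range(len(infected)):   # each infected host scans
            for _ in range(scans_per_step):
                target = rng.randrange(address_space)
                if target in vulnerable_hosts and target not in infected:
                    newly_hit.add(target)
        infected |= newly_hit
        history.append(len(infected))
    return history


def growth_per_step(history):
    """New infections per step; the peak marks the fast-spread phase."""
    return [later - earlier for earlier, later in zip(history, history[1:])]


def peak_step(history):
    """Index of the step with the most new infections."""
    growth = growth_per_step(history)
    return growth.index(max(growth))


if __name__ == "__main__":
    h = simulate_worm()
    print("infected after each step:", h)
    print("fast-spread peak at step", peak_step(h),
          "with", max(growth_per_step(h)), "new infections")
```

Early on only one host is scanning, so the count barely moves; as soon as a few dozen hosts scan in parallel the remaining vulnerable population is found within a handful of steps; the last few hosts take longest because most probes now land on already-infected or invulnerable addresses. Doubling the scan rate compresses the middle phase, which is why a worm can saturate a network before anyone reacts, and why the time between patch release and exploitation matters.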
Malware By Propagation Techniques:
Trojan Horses
• A Trojan horse is a deceptive malware program that disguises itself as a
useful program or utility.
• It carries out hidden actions with negative consequences, such as
launching a keylogger.
• Trojans can be installed alongside other malware or by
users/administrators, intentionally or unintentionally.
Malware By Payloads: Zombies and Bots
• Zombies and bots refer to compromised computers that are under the
control of an attacker.
• They are used to launch and manage attacks on other systems.
• Multiple bots form a botnet, enabling coordinated actions.
• Common uses of zombies and bots include distributed denial-of-
service (DDoS) attacks, spamming, sniffing traffic, keylogging,
spreading malware, installing browser add-ons, attacking IRC chat
networks, and manipulating online polls/games.
Malware By Payloads: Spyware
• Spyware is a type of malware that covertly monitors and gathers
information from a compromised computer.
• It enables unauthorized access to the system, allowing the monitoring
of various activities.
• Spyware commonly tracks browsing history and content, potentially
compromising privacy.
• It may redirect web page requests to fraudulent sites, tricking users
into providing sensitive information.
• Spyware can also manipulate data exchanged between the web
browser and specific websites of interest.
Malware By Payloads: Ransomware
• Ransomware is a type of malicious software that encrypts files on a victim's computer or
network, rendering them inaccessible.
• It then demands a ransom payment, usually in cryptocurrency, in exchange for decrypting
the files and restoring access.
• Ransomware typically spreads through phishing emails, malicious downloads, or
exploiting vulnerabilities in software.
• Once the ransomware infects a system, it rapidly encrypts files and displays a ransom
message with instructions on how to pay the ransom.
• The ransomware authors hold the encrypted files hostage until the ransom is paid, often
with the threat of permanent data loss if the ransom is not paid within a specified
timeframe.
• Ransomware attacks have targeted individuals, businesses, and even critical
infrastructure, causing significant financial losses and disruptions.
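Because ransomware rewrites many files with encrypted (high-entropy) content in a short time, its behaviour is visible in file-activity telemetry even when the binary itself is unknown. The block below is an added example, not from the slides: a small detector run over a constructed file-event log. The log format, the 7.5 bits/byte threshold, the five-file minimum and the extension list are all assumptions chosen for the illustration.

```python
"""Behavioural detection of ransomware-style encryption from a
file-activity log. Flags a process that both writes high-entropy data to
many distinct files and renames them to a ransom-style extension."""
import math
import random
from collections import defaultdict

HIGH_ENTROPY = 7.5   # bits/byte; encrypted or compressed data approaches 8.0
MIN_FILES = 5        # distinct files a process must hit before we alert
RANSOM_EXTS = (".locked", ".enc", ".crypt")   # assumed list; extend from cases seen


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_ransomware(events):
    """events: time-ordered dicts with keys pid, proc, op ('write'|'rename'),
    path, data. Returns the set of (pid, proc) that meet both criteria."""
    high_entropy_files = defaultdict(set)
    renamed_files = defaultdict(set)
    suspects = set()
    for ev in events:
        key = (ev["pid"], ev["proc"])
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            high_entropy_files[key].add(ev["path"])
        elif ev["op"] == "rename" and ev["path"].lower().endswith(RANSOM_EXTS):
            renamed_files[key].add(ev["path"])
        if (len(high_entropy_files[key]) >= MIN_FILES
                and len(renamed_files[key]) >= MIN_FILES):
            suspects.add(key)
    return suspects


def sample_events():
    """Constructed log: a backup tool, an archiver, and a ransomware-like process."""
    rng = random.Random(7)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    events = []
    for i in range(8):      # compressible text: low entropy, no alert
        events.append(dict(pid=100, proc="backup.exe", op="write",
                           path=f"C:\\data\\log{i}.txt",
                           data=b"2024-01-01 INFO backup ok\n" * 200))
    for i in range(6):      # archiver: high entropy but no ransom renames
        events.append(dict(pid=150, proc="7z.exe", op="write",
                           path=f"C:\\data\\archive{i}.7z", data=noise(4096)))
    for i in range(6):      # ransomware-like: high-entropy rewrite, then rename
        path = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        events.append(dict(pid=200, proc="update.exe", op="write",
                           path=path, data=noise(4096)))
        events.append(dict(pid=200, proc="update.exe", op="rename",
                           path=path + ".locked", data=b""))
    return events


if __name__ == "__main__":
    print("suspects:", flag_ransomware(sample_events()))
```

Entropy alone is a weak signal: archivers, media encoders and legitimate encryption tools all produce bytes near 8 bits/byte, which is why the archiver in the sample log is not flagged. Requiring a volume of distinct files plus a rename pattern cuts the false positives; production detections add write rate, canary files and known ransom-note names, and respond by isolating the host, since the encryption is already under way by the time the alert fires.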
Malware Countermeasure Approaches
• Prevention is the ideal solution, but it is challenging to achieve complete prevention.
• Prevention involves implementing policies, raising awareness, mitigating
vulnerabilities, and addressing threats.
• Keeping systems up-to-date with patches and applying access controls is crucial.
• User awareness and training play a significant role in preventing malware infections.
• Detection, identification, and removal are essential for combating malware.
• Effective countermeasures should be general (handle a broad range of malware),
timely (act before an infection spreads), resilient (hard for malware to evade),
minimize denial-of-service costs (low overhead on the protected system),
transparent (no changes required to existing software or user habits), and
provide both global and local coverage.
• Multiple approaches can be employed, such as host-based scanners, perimeter
scanning, and distributed intelligence gathering, to meet the requirements of
countermeasures.