Literature Survey On Malware Propagation, Detection and Analysis

This document summarizes a literature survey on malware propagation, detection, and analysis conducted by Shodhana Tumma for their master's thesis. The survey explores how malware propagates through different systems and networks, current detection methods like signature-based, anomaly-based, and honeypots. It also examines approaches to analyzing malware behavior and signatures. The survey aims to further understand malware and improve detection capabilities by identifying weaknesses in existing solutions.


LITERATURE SURVEY ON MALWARE PROPAGATION, DETECTION AND ANALYSIS

Submitted by: Shodhana Tumma
Student Id: 19839745
Course: Master's in Information and Communication Technology, La Trobe University
Submitted on: October 2019
Under the supervision of: Dr Prakash Veeraraghavan
La Trobe University, Plenty Rd & Kingsbury Dr, Bundoora, VIC 3085.

Literature survey on Malware Propagation, detection and Analysis
ABSTRACT:
There is an ongoing contest between malicious-software developers and the security community. Security engineers develop and apply every available strategy, method and technique to remove threats; malware developers, in turn, produce new kinds of malware to bypass the security controls that have been deployed. In this literature survey I have looked closely at the basic understanding of malware, the types of malware, how malware propagates, how malware is analysed, and some mechanisms for detecting it. All of this study contributes to protecting and enhancing the security of networks, systems and similar assets.

For malware detection during propagation, I have investigated anomaly-based and signature-based detection methods and combinations of the two.

Malware detection is a very challenging task. The main contributions of this thesis are an understanding of malware propagation and analysis, a review of the detection systems introduced to date, and the weaknesses observed in the existing systems. On that basis, my proposal is a behaviour-based detection system for protecting our computer networks.

ACKNOWLEDGEMENT:

This research work has been supported by La Trobe University, Melbourne campus, Australia. The opinions and views expressed in this document are the author's alone. I would like to express my gratitude to the thesis coordinator, Mr Eric Pardede, and to my thesis supervisor, who gave me the opportunity to do the thesis on my topic, "Malware propagation, detection and analysis". I would especially like to thank Dr Prakash Veeraraghavan, who provided expertise and insight during the research; I am also grateful for his comments and for his support in drawing the conclusions of this paper.

I hereby acknowledge that any results, opinions, observations and discussions presented in this survey are based solely on my own work.

TABLE OF CONTENTS:
Title ................................................................ i
Abstract ............................................................. ii
Acknowledgement ...................................................... iii
Table of contents .................................................... iv
List of figures or illustrations ..................................... v
List of tables ....................................................... v
Chapter 1 Introduction ............................................... 1
  1.1 Architecture ................................................... 2
  1.2 Kinds of malware ............................................... 2
Chapter 2 Related research on malware propagation .................... 4
  2.1 Through operating system ....................................... 4
  2.2 Through social networking ...................................... 4
  2.3 Through virtualized systems .................................... 6
  2.4 Through wireless networks ...................................... 7
  2.5 Through file sharing ........................................... 11
  2.6 Through email communications ................................... 13
Chapter 3 Related research on malware detection techniques ........... 14
  3.1 Anomaly based .................................................. 14
  3.2 Honeypots ...................................................... 14
  3.3 Sandboxing ..................................................... 18
  3.4 Mathematical models ............................................ 20
Chapter 4 Related research on malware analysis ....................... 22
  4.1 Malware behaviour .............................................. 23
  4.2 Malware signature .............................................. 24
Chapter 5 Current situation and summary of constraints of the solutions suggested ... 25
  5.1 Issues with identified methods ................................. 26
Chapter 6 Conclusion and future work ................................. 27
Chapter 7 References ................................................. 29
Chapter 8 Appendixes ................................................. 32

List of Figures or Illustrations:
Figure 1: Bluetooth worm infection cycle
Figure 2: Search sequence example
Figure 3: First investigation on honeypot
Figure 4: Honeynet structure
Figure 5: Flow chart of the TWMAN model

List of Tables:
Table 1: Summary of surveying results (Blue Bag project)
Table 2: Service types and number of devices
Table 3: Honeypot attack information
Table 4: Number of attacks and their unique IP addresses

Appendices:
Appendix 1: Most studied topics related to malware
Appendix 2: Top 10 industries affected by malware in 2019

Chapter 1 Introduction:
With the rapid development of information systems, data frameworks and communications, a new term entered the digital world: malware. It is a general term for malicious software and takes many shapes (executable code, scripts, active content and others). It is designed to achieve goals such as gathering sensitive information, gaining access to private computer systems and, in some cases, damaging those systems.

Why malware? People started creating viruses and malware, but why did they start? The usual answer is money: to steal customers' account information, or simply to cause trouble and problems for others. A lot of malware does not just slow down our computers; it targets us for advertising by gathering the things we search for or are interested in viewing and then displaying related advertisements, whether as e-mails or pop-up ads. Other malware gathers account information, which then leads to the theft of our valuables in the form of currency or goods. More than 317 million new pieces of malware (computer viruses or other malicious software) were reportedly created in 2018.

Malware reaches systems in various ways and through many media; the most common way for malware to enter a system is by downloading software from the web. Once the malware finds its way into the system, what happens next depends on the malware's capabilities. In some cases the malware does not attack the system outright but degrades its performance and overloads processes; in the case of spying, the malware hides itself in the system so that it is not recognised by anti-virus software, and the sensitive data it collects is then sent out to its operators from inside the system.

Considering the challenges mentioned above, it is essential to carry out an in-depth investigation into malware in order to improve the chances of detection and removal. This paper is organised as follows: the second chapter covers related research on malware propagation through operating systems, social networks, virtualised systems, wireless networks, file sharing and e-mail, drawing on results from various journals; the third chapter discusses malware detection techniques; the fourth chapter presents malware analysis (behaviour and signatures); the fifth chapter summarises the current situation and the constraints of the suggested solutions; and the sixth chapter gives the conclusion and future work.

1.1 Architecture:
Malware (malicious software) comprises programs intended to intrude into, disrupt, steal information from or gain access to target computer systems. Common general types of malware include viruses, rootkits, Trojan horses, browser hijackers, spyware, worms and others. The number of new types of malware being released keeps growing quickly, and each of these malicious programs has its own distinctive characteristics. They are designed to interfere with, fabricate, change or intercept components of software, hardware and data. When the payload is dropped by these malicious programs, the authenticity, integrity, availability and confidentiality of PCs, networks, servers, mobile technologies and so on [P1] come under attack. According to recent reports [C1], malware activity increased by 61% from December 2018 to January 2019.

There are also many new types of malware that spread through abuse of legitimate network protocols, for example:

WannaCry: a ransomware cryptoworm that uses the EternalBlue exploit and spreads over the SMB (Server Message Block) protocol. Its first version contained a "kill switch": before encrypting, it queried a hard-coded domain and stopped if that domain responded, which is how the initial outbreak was halted once the domain was registered.

Emotet: originally a banking trojan and now mainly an information stealer and loader that downloads other banking trojans. It is delivered through download links, PDF downloads and similar lures.

Other well-known types of malware are explained in the next section.

1.2 Kinds of Malware

Recently the number of information-security threats caused by malware has risen rapidly, which makes it urgent to study these threats and classify them, so that handling and detecting them becomes easier and suitable countermeasures can be found. Malware has been classified into 17 distinct types [M1]; in this section we list and discuss the main and most common categories, as follows:

Worm: a harmful program that can transfer and replicate itself invisibly across a network. Worms differ from viruses in that they need no host file in order to run; their main impact is on network bandwidth, or in sending junk messages, well known as spam. One example of a worm is Conficker [S1], [M3].

Virus: a computer program that can damage and self-replicate to infect a host; viruses attach themselves to a file or software utility (for example a PDF document). Opening the infected PDF file activates the virus and, depending on the function of the virus [P1], [M3], this can lead to a chain of further infections.

Adware: this type usually arrives while downloading free games, or it is bundled and embedded with advertisements, so the embedded code is installed on our PCs when we view the ads. When used over a network [P1], this type aims to capture the user's activity.

Trojan: this gives remote criminals or hijackers the ability to use your system as they wish. They may damage system files [P1] or monitor the system, and they may obtain your passwords as well.

Spyware: this may arrive when users download trial versions or free software. The users' account numbers, personal details and passwords become exposed [P1] as they are observed by these spies.

Botnet: your system is remotely controlled by this kind of malware and is used to send spam or spyware. The majority of zombies in a botnet wait for orders from the group that runs it. There are two kinds of botnet structure, hierarchical [B1] or simple.

The next chapter follows the propagation of malware as covered in the research of several authors. It includes the different paths chosen by malware to propagate into the respective systems or networks.

Chapter 2 Related Research on Malware Propagation:

Malware propagation in the digital world is the focus of many research studies; in computer networks and communications, several modelling and experimental methodologies have been followed to study how malware propagates in these fields and what its impact is, and the studies also cover some techniques and concepts related to malware detection. The notion of malware propagation refers to the electronic means by which malware is transmitted to the platform, information system or device it tries to infect; for instance, malware can propagate through PDF files and gain access to the host unless the user disables JavaScript in the PDF reader [D2].

2.1 Propagation through Operating System

Malware attacks systems such as Android, macOS, Linux and Windows through the operating system, though not to the same degree or with the same quality, since some operating systems have more defence mechanisms that do not permit the malware to accomplish its design purpose [J4, A1, J5].

Every year brings countless new operating systems and versions, and malware with stronger propagation techniques is created alongside them. In the following lines a few attacks carried out by malware against operating systems are highlighted to show how the operating systems behave.

Malware follows adaptive and dynamic propagation to attack the operating system architecture; for example, to open a security hole it attacks the operating system's security layer. To create virtual tasks and infect executable files, other malware propagates through the operating system, which slows down the operating system's performance [A1]. Malware propagation varies by operating system: for instance, on Macintosh the malware works on (.plist) system files [J5], whereas on Android it typically comes as spyware that targets the Android OS source code [J4].

2.2 Through Social Networking

During the last few years online social networking communities have become prominent and have grown hugely, as they tend to be the foundation of real-world relationships; their popularity comes from the virtual communication techniques they offer [S2].

According to [H1], an OSN gives its users numerous services, for example video clips, records, sharing photographs, files and applications, as well as call and chat services. The last two years have shown that OSNs are not just websites for fun and communication but can contribute to changing lifestyle and culture. On the other hand, from a security point of view, these OSNs can be considered a perfect environment for security threats and malware. Based on the research and studies, the threats and attacks can be arranged into four broad categories:

a) Privacy breach attacks: three essential parties interact with each other in an OSN, so there are breaches by well-known service providers such as Twitter and Facebook, breaches by third-party applications, and breaches by account owners and other general users engaged in the various phases of OSN use.

There are threats related to privacy issues, namely: cyberstalking, tracking of users' browsing activity, cyber-bullying, disclosure of the user's identity, harassment and slander. The best security level is achieved when users share data only with their friends or with a group of users; this approach is, however, vulnerable to cybercriminals who pose as a friend using a picture and a fake name to access all the data shared by the targeted users. Nowadays countless users connect to OSNs from different places and using various media and devices, where control over security and privacy varies. Moreover, most current OSNs do not provide a safe and secure communication layer, and because of these vulnerabilities there is a danger of sniffing devices capturing the information.

b) Malware attacks: the best-known example of this kind of attack is the Koobface worm.

c) Network structural attacks, for example Sybil attacks. Some defence mechanisms exist, for example resource testing, trusted certificates and recurring costs.

d) Viral marketing: this refers to promotion strategies that make use of different technologies and OSNs. It can be considered an undesirable but fertile environment for malware in OSNs; one of the most widely recognised examples is OSN spam, together with the social engineering technique [S6] that underlies phishing attacks.

2.3 Through Virtualized Systems

Virtualisation is rapidly becoming a standard way of doing business. The technology lets one server or PC run several operating systems, or several instances of one OS, simultaneously, which lets users run many applications and functions on a single server or PC rather than on several machines as was done with older technology. The greatest challenge organisations now face is how a virtualised system can be secured, since virtualised systems are vulnerable to the same kinds of threats as real systems. Virtualised systems and real systems cannot always be secured by the same procedure, because every virtualised system on the same machine may face different threats and need a different level of security, and extra security measures are needed to protect the channels between virtualised systems on the same machine.

In [S4] the author examined several virtual system security issues. He followed the history of virtual systems from a security perspective and recognised that virtualisation creates new security challenges for organisations, and that the organisation must ensure that each virtualised system follows its guidelines and policies, for example restricting access to certain data and applications. A significant example of a new issue created by virtualisation is that network-based security systems usually do not see the communication between two virtual machines installed on the same server. The author also showed the importance of security zones for raising the security level of virtual systems: the host server isolates the virtualised systems into zones, where each zone has its own security level according to the requirements of the virtualised systems in it.

In [M4] the authors concentrated on detection and mitigation techniques for the most popular VME (virtual machine environment) product of the day, VMware. They introduced two strategies used by malware to identify VMware. The first relies on the VMware communication channel: communication between the guest and host OS happens through a custom channel hard-coded into all VMware products. Guest and host cooperate over this channel for a range of functions, including improved GUI performance, dragging and dropping files between host and guest, and moving data in and out of the host clipboard. The authors wrote a small sample program that checks for the presence of this communication channel.

The second strategy for identifying VMware is the Red Pill technique. The guest operating system shares the physical system, which is virtualised by software and run under the host operating system. A VME usually introduces differences in where certain global memory objects are mapped, such as the locations of the LDT (Local Descriptor Table) and the IDT (Interrupt Descriptor Table), which must differ between guest and host. By examining the relocated address (for example the IDT base returned by the SIDT instruction), malware can detect VMware. Red Pill was the first released tool that used this technique. Note that on today's multi-core hardware the IDT base differs from CPU to CPU, and hardware-assisted hypervisors no longer relocate it, so this particular check is no longer reliable on its own.

2.4 Through wireless networks:

The authors of [A2], [S4] have presented mobile-phone applications and some security issues of wireless systems.

In those studies, Bluetooth technology was examined in a specific project named Blue Bag, which combined a scanning device and an attack and demonstrated how attackers can infect and reach a wide range of mobile phones and devices running Bluetooth; the authors found several loopholes in Bluetooth technology that may enable attackers to reach the devices. In [L2] the authors explained some attacks that affect Bluetooth and wireless communication, for example:

BlueBug: the attacker is able to use the telephone services of the phone, including outgoing, incoming and active calls, receiving and sending SMS and so on, by gaining access to the mobile phone.

Bluejacking: happens by sending a short, deceptive text message into an authenticated dialogue; the user enters the access codes from the message, which is a trick, and this hands complete control of the device to the attacker.

BlueSnarf: it uses the OBEX (Object Exchange) push service, and the attacker gains access without any authentication; in the more recent, improved form of this attack the attacker can get full access, including read and write.

Blue Dump: after dumping the stored link key, the attacker inserts himself into the Bluetooth pairing procedure.

Blue Smack: this is simply a denial-of-service attack.

Car Whisperer: the default setup of certain devices fixes the PIN code used for pairing and exchange, which makes it easy for attackers to abuse the devices and take control of them once they obtain the PIN, which cannot be changed.

Blue Chop: here the attacker can terminate or disconnect an established connection, particularly when the master of the connection supports multiple connections.

Blue Bump: exploits loopholes in the way Bluetooth handles link keys; it can lead to obtaining data or abusing mobile services such as WAP, web and GPRS.

HeloMoto: a combination of the BlueSnarf and BlueBug effects.

The hardware and software structure of the Blue Bag project were outlined with specifications, and the survey results were summarised in the following table:

Table 1. Summary of surveying results (Blue Bag project).

In the table above, "unique devices" means devices that were in discoverable mode, and "device rate" denotes the rate per minute.

Table 2 shows that the OBEX Push service was active and in range long enough to allow 313 devices to be scanned. This service is generally used for transferring files and information (business cards, for instance) and applications, including worms.

The authors of this study came out with the following points and results:

1) Bluetooth technology is built into numerous devices such as PCs, notebooks, cell phones and smartphones, Palm Pilots, GPS units, printers and others, which means a greater probability of malware spreading.

2) Social engineering factor: 7.5% of the owners were simply careless about the files they received, and tended to accept unknown files from unknown sources.

3) Visibility time is a significant factor in the likelihood of being attacked; the longer the time, the greater the likelihood, and unfortunately few users know about this and consequently leave Bluetooth in discoverable and visible mode without any need.

4) The survey demonstrates that technology is developing fast compared with the methods for dealing with the security issues of the new technology, and there is a genuine gap between the security-upgrade process and the technology, which may affect the strength and reliability of the technology.

5) Apart from Bluetooth connections, MMS messages are another way to spread malware.

6) The survey demonstrates that only a small percentage of people know about the risks they may face when they use new technology devices such as smartphones, and how this can affect their work and organisations. Where the value of the information is critical and high, they carry the risk by saving all such information on their devices, and with it the risk is carried into their organisations or workplaces, which in turn may mean that attackers can easily reach the company network through its CEO, which is the main motive.

In [G1] one model has been specified for this, modelling the data throughput and packet-loss probability. The authors finally modelled the infection curve using the logistic equation with a variable pairwise infection rate. Their final point concerned the Bluetooth worm's propagation curve in a large population, for example the city of Los Angeles, assuming that everyone in the city is carrying a vulnerable Bluetooth-enabled cell phone while walking around the city.
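The logistic model referred to above, written out here as an added illustration (it is not taken from [G1], and the symbols are assumptions): let $N$ be the number of vulnerable Bluetooth devices in the population, $I(t)$ the number infected at time $t$, $I_0 = I(0)$ the initial number of infected devices, and $\beta(t)$ the pairwise infection rate, which in such a model depends on contact rate, data throughput and packet-loss probability. Each infected device infects each of the remaining susceptible devices at rate $\beta(t)$, so

$$\frac{dI}{dt} = \beta(t)\, I\,(N - I).$$

Separating variables and integrating, with $B(t) = \int_0^t \beta(\tau)\,d\tau$,

$$\ln\frac{I}{N - I} = N\,B(t) + \ln\frac{I_0}{N - I_0}, \qquad I(t) = \frac{N}{1 + \left(\dfrac{N}{I_0} - 1\right) e^{-N\,B(t)}}.$$

For constant $\beta$ this is the familiar S-shaped curve with exponential growth rate $\beta N$ in its early phase; lower throughput or higher packet loss reduces $\beta(t)$ and stretches the curve in time without changing the saturation level $N$.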

Figure 1: Bluetooth worm infection cycle

Consequently, and based on the work covered in this section on malware propagation, it is apparent that the surveying and modelling process gives a clear picture of worm propagation and Bluetooth malware. Studying the cycle of worms and malware and their behaviour guides the upgrading of the security level of Bluetooth technology and gives more assurance to devices in environments where wireless technology and Bluetooth are heavily involved.

2.5 Through File Sharing:

File sharing has become a very common application of peer-to-peer networking, which lets users share large amounts of data digitally. One of the best-known file-sharing systems is Kazaa, created in 2001 on the basis of the FastTrack protocol; Kazaa was later licensed as a legal music subscription service, but as of August 2012 the Kazaa site no longer offers a music service [S1].

The reason peer-to-peer file-sharing systems are vulnerable to numerous security attacks is that they have very few defence mechanisms; consequently P2P is used by many viruses as a propagation vector. The authors described how KaZaA works and shares files, explained the indexing process and the super-node concept for hosts, where an encrypted connection is established between hosts with a key exchange at the start of the session, and also discussed Krawler (a KaZaA crawler), which has two main parts: the fetcher, which is in charge of communicating with the dispatcher, sending queries and updating, and the dispatcher, which maintains a list of super nodes.

Figure 2: Search sequence example

After explaining the KaZaA concepts, the authors moved deeper into the investigation, where they considered the propagation of malware in KaZaA and P2P and came out with certain outcomes that support the process of upgrading protection and security mechanisms, as below:

Virus propagation in P2P differs from the operation of worms: a virus does not itself send copies to other hosts; rather the viruses are carried in the file-exchange process, from which the propagation of the virus starts.

To increase the chance of being downloaded and causing infection, an extra step is to create multiple copies of the viral file under different popular names.

In the last phase of this study the Krawler mechanism was explained clearly: the Krawler ran on three machines and was able to explore more than 60,000 files in roughly an hour. The objective was to gather a large number of popular executable files from the KaZaA network and to measure the percentage of malicious programs. The authors then examined the virus signatures and used hashing to confirm whether a downloaded file matched the original file or was malicious software. The results were taken from two different datasets; in both, the same set of query strings was used for crawling, with the Krawler issuing 24 queries (in series) to each super node while simultaneously collecting the responses coming from any peering super nodes.

After explaining the results, the research discusses the distribution of malware and the percentage of infected hosts, and concentrates on the viral naming mechanism that reuses well-known file names. The results demonstrate that 15% of the total number of downloadable executable samples contained viral code, and 71% of the infections on clients and hosts were due to the SdDrop worm and the Tanked virus and their variants.
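The hash-based check and the "many names, one payload" pattern described above, as an added example that is not the Krawler code or data from [S1]. SHA-256 is my choice of hash (the study does not say which function it used); the file names, byte strings and the known-good and known-bad hash lists are all constructed here for illustration.

```python
"""Hash-based classification of executables collected from a file-sharing network.

Added example; the downloads, payloads and hash lists below are constructed,
not measurements from the KaZaA study.
"""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Content hash used as the file's signature (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


# Constructed payloads: one viral executable and one genuine installer.
VIRAL_PAYLOAD = b"MZ\x90\x00constructed-viral-payload"
CLEAN_PAYLOAD = b"MZ\x90\x00constructed-clean-installer"

# Constructed crawl results: (advertised file name, file content). The same viral
# payload is advertised under several popular names, the trick the survey describes.
DOWNLOADS = [
    ("winamp_setup.exe", VIRAL_PAYLOAD),
    ("kazaa_lite.exe", VIRAL_PAYLOAD),
    ("photoshop_keygen.exe", VIRAL_PAYLOAD),
    ("winamp_setup.exe", CLEAN_PAYLOAD),
    ("readme.exe", b"MZ\x90\x00constructed-other-file"),
]

# Constructed signature databases: hashes of known malware, and the hash of the
# genuine original for each popular file name.
KNOWN_BAD = {sha256_hex(VIRAL_PAYLOAD)}
KNOWN_GOOD = {"winamp_setup.exe": sha256_hex(CLEAN_PAYLOAD)}


def classify(name: str, data: bytes) -> str:
    """'malicious' if the content hash is a known signature, 'verified' if it
    matches the original for that name, otherwise 'unknown' (needs analysis)."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD:
        return "malicious"
    if KNOWN_GOOD.get(name) == digest:
        return "verified"
    return "unknown"


def names_per_hash(downloads):
    """Group downloads by content hash; the value is the set of names seen for it."""
    groups = defaultdict(set)
    for name, data in downloads:
        groups[sha256_hex(data)].add(name)
    return groups


def suspicious_multi_named(downloads, min_names: int = 3):
    """Hashes advertised under at least min_names distinct names: the viral naming
    pattern, flagged even when the hash is not yet in any signature database."""
    return {digest: sorted(names)
            for digest, names in names_per_hash(downloads).items()
            if len(names) >= min_names}


def infection_rate(downloads) -> float:
    """Share of collected executables whose hash matches a known-bad signature."""
    bad = sum(1 for _, data in downloads if sha256_hex(data) in KNOWN_BAD)
    return bad / len(downloads)


if __name__ == "__main__":
    for name, data in DOWNLOADS:
        print(f"{name:24s} {classify(name, data)}")
    print("multi-named hashes:", suspicious_multi_named(DOWNLOADS))
    print(f"infection rate: {infection_rate(DOWNLOADS):.0%}")
```

The multi-name check is the interesting part: it catches a payload being seeded under many popular titles before any signature exists for it. Exact-hash matching has the obvious weakness that any change to the file (a repacked or polymorphic variant) produces a new hash, so it confirms known samples and verified originals but cannot by itself catch variants.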

According to newer statistics from 2019, the amount of malware spread through file sharing has increased, with file sharing accounting for 92% of malware.

2.6 Through Email Communications

There are numerous approaches to attacking e-mail that affect message sending (e-mail backscatter), for example spam mail sent using worms or viruses. In such cases the sender must be told the genuine reasons why the other side did not receive the e-mail. Attackers sometimes intercept or block the e-mail and forge or erase the sender's address, so that the e-mail is classified as spam and the receiving process fails. A failure notification is then sent to the apparent sender, who cannot determine the actual reason for the failure of the mail.

E-mail spam propagation can be examined through numerous factors, for example the time between sending the e-mail and the return of the failure report to the sender; another factor is that the mail notifying the failure does not contain the reason for the failure, for example it may only say that the system is down right now, please try again later [C3].
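A way to tell a genuine delivery failure from backscatter caused by a forged sender address, as an added example that is not from the survey or from [C3]. It assumes the receiving mail server keeps a log of the Message-IDs it really sent, and that the bounce quotes the original Message-ID in its returned headers; the bounce texts and the sent-ID log are constructed.

```python
"""Classify bounce messages as genuine delivery failures or backscatter.

Added example. Assumes the MTA logs the Message-IDs it actually sent (a common
practice, hypothetical here) and that the bounce quotes the original Message-ID
in its returned headers. All messages below are constructed.
"""
import re

# Constructed log of Message-IDs our own mail server generated and sent.
SENT_MESSAGE_IDS = {"<a1b2c3@mail.example.org>", "<d4e5f6@mail.example.org>"}

# Constructed bounce for a message we really sent: carries a real reason code.
GENUINE_BOUNCE = """From: MAILER-DAEMON@relay.example.net
To: alice@mail.example.org
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

This is the mail system at host relay.example.net.
<bob@example.net>: host mx.example.net said: 550 5.1.1 User unknown

--- Returned headers of the original message ---
Message-ID: <a1b2c3@mail.example.org>
"""

# Constructed backscatter: a spammer forged alice's address as envelope sender,
# the remote side rejected the spam and bounced it to alice, with no usable reason.
BACKSCATTER = """From: postmaster@victim.example
To: alice@mail.example.org
Subject: Delivery Status Notification (Failure)
Auto-Submitted: auto-replied

Delivery to the following recipient failed: buy-now@victim.example
Technical details: system down right now, please try again later

--- Returned headers of the original message ---
Message-ID: <spam-9f8e7d@forged.invalid>
"""

MESSAGE_ID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)
MTA_SENDER_RE = re.compile(r"^From:\s*(MAILER-DAEMON|postmaster)@", re.IGNORECASE | re.MULTILINE)
ENHANCED_STATUS_RE = re.compile(r"\b(\d\.\d\.\d)\b")


def is_bounce(text: str) -> bool:
    """Crude DSN detection: Auto-Submitted header or a typical MTA sender."""
    return "Auto-Submitted: auto-replied" in text or MTA_SENDER_RE.search(text) is not None


def quoted_message_id(text: str):
    """Message-ID of the original mail as quoted in the bounce, or None."""
    match = MESSAGE_ID_RE.search(text)
    return match.group(1) if match else None


def classify_bounce(text: str, sent_ids) -> str:
    """'genuine' if the quoted original was sent by us, 'backscatter' if the
    bounce refers to mail we never sent (forged sender), 'not-a-bounce' otherwise."""
    if not is_bounce(text):
        return "not-a-bounce"
    message_id = quoted_message_id(text)
    if message_id is not None and message_id in sent_ids:
        return "genuine"
    return "backscatter"


def failure_reason(text: str):
    """Enhanced status code (RFC 3463 style, e.g. 5.1.1) when the bounce gives one;
    None for the uninformative 'try again later' bounces the survey mentions."""
    match = ENHANCED_STATUS_RE.search(text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, text in (("genuine", GENUINE_BOUNCE), ("backscatter", BACKSCATTER)):
        print(label, "->", classify_bounce(text, SENT_MESSAGE_IDS), failure_reason(text))
```

The Message-ID lookup is what separates the two cases: a bounce for mail the server never sent is backscatter from a forged envelope sender, however convincing it looks, and should be discarded rather than shown to the user. Publishing SPF for the domain and applying BATV-style signed envelope senders reduces how much backscatter arrives in the first place.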

The next chapter explains some of the detection techniques and the related research on methods used for detecting malware.

Chapter 3 Related research on malware detection techniques.

Since malware has many types, different levels of risk and different behaviours, the same detection strategies and tools cannot be used in all cases. It is unrealistic to have a single piece of security software that deals efficiently with all malware; hence having different detection strategies for different situations becomes unavoidable. This study concentrated on the most widely recognised and powerful methods: honeynets, honeypots, sandboxing virtualisation (partial and full), and behaviour operation sets. The Taiwan Malware Analysis Net (TWMAN) carried out a massive experiment based on the virtualisation idea and a client-server model; the research added value to the field of malware detection since it was able to detect numerous malware samples that were not noticed by typical detection strategies. Going forward, we can observe that the detection process needs more computing power and advanced techniques to ensure that the behaviour and nature of malware are clearly understood and covered from every angle and perspective.

3.1 Anomaly Based:

Anomaly-based detection searches for surprising or unusual behavioural indications that demonstrate the presence of malware. In more detail, anomaly-based detection first builds a baseline of expected activity; once that baseline exists, any deviation from it is detected as malware. Anomaly-based detection thus uses past knowledge of what is normal to discover what is suspicious. A special kind of anomaly-based detection is specification-based detection, which uses a set of rules to define what is expected and decides that a program is malicious when it breaches that rule set.

Weakness of the anomaly-based detection system: the fundamental limitation of the specification-based method is that it is difficult to specify the behaviour of the system or the program correctly [P1].

3.2 Honeypots

The customary strategies for detecting and avoiding malware, such as anti-virus, can only recognise malware with features similar to those already known. In this strategy, security vendors assemble pattern files containing the features of malware that has already been collected and analysed. With the variety of characteristics and features in malware, and especially with the growing proportion of variants [A3], malware is not easily detected.

To tackle this issue, [U1] proposed honeypot techniques to examine and analyse the distribution of malware to websites. Honeypots can collect malware attacks that specifically target web application vulnerabilities. There are two sorts of web honeypots, high-interaction and low-interaction. The high-interaction type has real vulnerabilities deliberately introduced into the honeypot, while the low-interaction type has no genuine web vulnerabilities and instead simulates the applications and the OS. To examine the detection rate of anti-virus software, the authors used two strategies. They picked six server protection products from different security vendors. Fig. 3 shows the six anti-virus products, updated with the latest pattern files, run against the malware gathered by the web honeypot from September 2009 to January 2010. Table 3 shows the attack data gathered by the web honeypots.

Compared with this, in 2019 RFI attacks account for around 25% of the total attacks, lasting at most about 60 days. One million threats are now being released every day.

Figure 3: First investigation

Table 3: Honeypots attack information

In the first examination, the malware detection ratio of the six anti-virus tools was checked immediately, and the average detection rate was 3.13%. In the second examination, four months later, the detection ratio of the six anti-virus tools was checked again and the average detection rate was 39.8%. From these outcomes it is apparent that we cannot keep malware from infecting our PCs even when we use anti-virus software. A notable observation was the appearance frequency of the IP addresses of the attack sources and the malware download sites, shown in the table below.

                                    Total    Number of unique IP addresses
Number of attacks                   4621     92
Number of malware download sites    2666     45

Table 4: Number of unique IP addresses and number of attacks.

From the table above, the 4621 attacks came from only 92 unique IP addresses, and only 45 unique malware download sites were used for the attacks; this means that 98% of the malware data had appeared before. The traffic patterns, together with other data such as the attacker's source IP address gathered by the honeypots, are extremely valuable for identifying and examining malware.

The authors in [M5] characterise a honeypot as a trap that deflects or identifies unauthorised access to a device. A honeynet is a network system containing more than one honeypot. The honeynet is intended to attract attackers so that their activities and features can be studied and examined in order to build network security. Because a honeynet or honeypot generally runs genuine services and applications, it appears to attackers as a valuable target and as a normal network. The figure below shows an example honeynet structure.

Figure 4: Honeynet structure

The honeynet structure above is a successful multi-agent system using three sorts of agents. The first two agents work in the honeynet, while the production network is examined by the third agent. The first and second agents gather malware data and attempt to identify it using anti-virus software. The collected data is then used by the third agent to remove the malware from the production network, or at least limit its activity.

The authors in [Y1] discuss a client honeypot and the advantage of applying an automated state machine. These honeypots visit and access suspected websites in order to recognise and retrieve the malware data. Malicious sites may cause numerous activities to happen on a victim's system, and each activity takes place in various stages.

The state machine is used to describe the activities performed by the malicious sites as predefined states. Then, using the same state machine structure, these states are used to summarise the interactions with the malicious sites. The states are then fed to a clustering algorithm that groups similar malicious sites, with the aim of seeing how to obtain a better response by developing the software. The outputs of this algorithm are used to build comparable state groups that describe the malicious activities performed on the victim's system. The advantage of using this system is the ability to assemble behaviour families (every family has equivalent qualities), which leads to common approaches for managing such exploits.
In [Y1], an experiment was proposed for using the automated state machine to identify malicious sites. They used Capture-HPC as a client honeypot to scan the provided sites (a scan of URLs) and obtain the log files. These log files are converted to state machine file structures using the client honeypot state machine (CHSM) tool. At the following stage, clustering algorithms are applied to the produced state transitions to find the similarities between various attacks and group the attacks by these similarities. The examination was carried out using 116 Capture-HPC log files, obtained by checking 116 different sites.

By grouping similar files, the authors reduced the time needed to analyse the activities of malicious sites: they obtained 77 main groups instead of 116, which implies a reduction of 0.336 of the required examination time.
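The state-machine grouping described above, as an added example that is not the CHSM tool or Capture-HPC output from [Y1]: it maps constructed client-honeypot log lines onto states, derives each site's transition set and groups sites that share it, so one representative per group needs manual analysis. The log format, the state names and all log lines are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed client-honeypot log, one event per line:
# "<site>|<category>|<action> <target>".  Not real Capture-HPC output.
SAMPLE_LOG = """\
site-a|process|created C:\\Temp\\drop.exe
site-a|file|written C:\\Temp\\drop.exe
site-a|registry|set HKCU\\Software\\Run\\drop
site-b|file|written C:\\Temp\\x.exe
site-b|process|created C:\\Temp\\x.exe
site-b|registry|set HKCU\\Software\\Run\\x
site-c|process|created C:\\Temp\\y.exe
site-c|file|written C:\\Temp\\y.exe
site-c|registry|set HKCU\\Software\\Run\\y
site-d|file|read C:\\Windows\\System32\\kernel32.dll
"""

# Event categories the (assumed) state machine knows about.
CATEGORIES = {"process", "file", "registry"}


def parse_log(text):
    """Return {site: [state, ...]}, keeping the order in which events occurred.
    A state is the category plus the action, e.g. "PROCESS_CREATED"; the concrete
    target (path, key) is dropped so that different sites doing the same things
    end up in the same states."""
    traces = defaultdict(list)
    for line in text.splitlines():
        site, category, detail = line.split("|", 2)
        if category not in CATEGORIES:
            continue
        action = detail.split(" ", 1)[0]
        traces[site].append(f"{category}_{action}".upper())
    return dict(traces)


def transitions(states):
    """State-transition edges of one trace, starting from a fixed START state."""
    seq = ["START"] + list(states)
    return tuple(zip(seq, seq[1:]))


def group_sites(traces, key="transitions"):
    """Group sites whose traces share the same transition set (default), or merely
    the same set of states (key="states").  Returns {group_key: [sites]}."""
    groups = defaultdict(list)
    for site, states in sorted(traces.items()):
        k = frozenset(states) if key == "states" else frozenset(transitions(states))
        groups[k].append(site)
    return dict(groups)


def reduction(n_inputs, n_groups):
    """Fraction of per-site analysis saved by examining one representative per
    group instead of every site ([Y1] reports 116 logs -> 77 groups, i.e. 0.336)."""
    return 1 - n_groups / n_inputs


if __name__ == "__main__":
    traces = parse_log(SAMPLE_LOG)
    groups = group_sites(traces)
    print(f"{len(traces)} sites -> {len(groups)} groups, "
          f"reduction {reduction(len(traces), len(groups)):.3f}")
    for members in groups.values():
        print(" ", members)
```

Grouping by transition set keeps site-b apart from site-a and site-c (same states, different order); grouping by state set alone merges all three.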

In [S3] the authors propose a Bluetooth honeypot system called bluebeat. By using bluebeat they intend to offer a new way to understand both existing and emerging threats that target Bluetooth personal area networks (PANs) and wireless networks.

Weakness observed: honeypots have many advantages, but they also have many disadvantages. Honeypots can only see what is directed against them; if an attacker breaks into and attacks a variety of systems in a network, the honeypot will be unaware of those attacks. It has a limited field of view. Honeypots can also increase risk: once attacked, they can be used to attack or harm other systems in the organisation.

3.3 Sandboxing

Sandboxing is a software management strategy that confines applications from critical system resources and other programs. It gives an additional layer of security that keeps malware or unsafe applications from negatively affecting your system.

[B1] To manage the enormous gap left by anti-virus programs, new classes of PC security products that use virtualisation and sandboxing have been created. Prominent applications that use sandboxing include Adobe Reader X, the Google Chrome browser, and Internet Explorer in Protected Mode. Isolating untested code from the system using a sandbox can substantially mitigate malware by keeping malicious behaviour from influencing the other programs on the PC.

In [H2], the authors designed a test model to examine the behaviour of malware in a real environment, as they had observed numerous differences between virtual and real environments.

There are numerous anti-VM techniques that counteract investigation and the detection of malware in a VM environment. This trial model represents the implementation of the Taiwan Malware Analysis Net (TWMAN), an operational (real) environment for investigating and reporting the behaviour of malware.

Fig. 5 shows the flowchart of the TWMAN model.

It is a client-server model that configures itself automatically to run the analysis. The Linux OS is installed on the server, while Microsoft Windows is installed on the client side. The client downloads malware from the store on the Linux server and gathers data about changes in the registry and files, such as a memory dump image; the client then needs to restart and save the infected Windows image to the Linux server as an image file.

Figure 5: Flowchart of the TWMAN model.

This procedure was repeated many times (4840) and the outcome was reported after analysis. TWMAN can identify a great deal of malware behaviour that cannot be identified in sandbox and VM environments.

Weakness: for every program designed to detect malware, the malware authors are smart enough to find a way around it; even though the authors explained the advantages of their mechanism, sandboxing and related methods have their weaknesses. One weakness observed is that the sandbox cannot process a file of larger size. Also, if the process is circumvented, the software acquires a "blind spot" where malicious code can be deployed.

3.4 Mathematical Models

Various attempts have been made to create numerical models of computer viruses infecting a system under various conditions.

In [D1], variance and differential equations have been used to identify or express the behaviour of a virus in an internetwork.

There are four mathematical models, described below:

1st mathematical model:

This model addresses the circumstance of finding the probability that, at time t, a given number of software components are infected by the virus, assuming that the proportion of the uninfected population, the recovery rate, and the rate of becoming infected per unit time do not change with time.

2nd mathematical model:

This model estimates the proportion of the population of software components infected at any given, uncertain time under various cases.

3rd mathematical model:

The third model finds the rate of change of the proportion of the total population with precisely j viruses (where 1 ⩽ j < ∞) and the proportion of the total population with zero viruses, when the population is divided into groups depending on the number of viruses present in a specific module.

4th mathematical model:

The fourth model finds the probability that at time t, z software components are infected, assuming that initially (at t = 0) various components are infected, and that there are transitions both from uninfected to infected and the other way around.
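A worked numerical version of the kind of model the first and fourth descriptions above refer to, added here as an illustration rather than the models from [D1]: a standard SIS (susceptible-infected-susceptible) differential equation with constant infection and recovery rates, solved in closed form and cross-checked numerically, and a discrete-time chain for the probability that exactly z of n components are infected at step t. The assumption that components change state independently, and all rates used, are constructed.

```python
import math


def sis_closed_form(i0, beta, gamma, t):
    """Proportion i(t) of software components infected at time t when each
    infected component infects susceptible ones at a constant rate beta and
    recovers (back to susceptible) at a constant rate gamma:
        di/dt = beta * i * (1 - i) - gamma * i
    This is a logistic equation with growth rate r = beta - gamma and endemic
    level k = 1 - gamma / beta, so i(t) = k / (1 + ((k - i0) / i0) * exp(-r t))."""
    r = beta - gamma
    if abs(r) < 1e-12:
        # beta == gamma: di/dt = -beta * i^2, whose solution is i0 / (1 + beta i0 t)
        return i0 / (1 + beta * i0 * t)
    k = 1 - gamma / beta
    return k / (1 + ((k - i0) / i0) * math.exp(-r * t))


def sis_euler(i0, beta, gamma, t, steps=20000):
    """The same model integrated with forward Euler, as a cross-check."""
    h = t / steps
    i = i0
    for _ in range(steps):
        i += h * (beta * i * (1 - i) - gamma * i)
    return i


def infected_count_distribution(n, z0, p_infect, p_recover, t):
    """Discrete-time analogue of the fourth model: n components, z0 of them
    infected at t = 0.  Each component is assumed (constructed simplification)
    to change state independently at every step: uninfected -> infected with
    probability p_infect, infected -> uninfected with probability p_recover.
    Returns [P(Z_t = z) for z in 0..n]."""
    # Probability of being infected at step t for a component that started
    # infected (a) and for one that started uninfected (b).
    a, b = 1.0, 0.0
    for _ in range(t):
        a = a * (1 - p_recover) + (1 - a) * p_infect
        b = b * (1 - p_recover) + (1 - b) * p_infect

    def binomial(m, p):
        return [math.comb(m, k) * p ** k * (1 - p) ** (m - k) for k in range(m + 1)]

    # Z_t = Bin(z0, a) + Bin(n - z0, b), the two parts being independent.
    pa, pb = binomial(z0, a), binomial(n - z0, b)
    dist = [0.0] * (n + 1)
    for x, px in enumerate(pa):
        for y, py in enumerate(pb):
            dist[x + y] += px * py
    return dist


def expected_infected(dist):
    """Mean number of infected components for a distribution from above."""
    return sum(z * p for z, p in enumerate(dist))


if __name__ == "__main__":
    for t in (0, 5, 10, 20, 40):
        print(f"t={t:3d}  i(t)={sis_closed_form(0.01, 0.5, 0.1, t):.4f}")
    dist = infected_count_distribution(5, 2, 0.2, 0.3, 10)
    print("P(Z_10 = z):", [round(p, 4) for p in dist])
```

With beta = 0.5 and gamma = 0.1 the infected proportion settles at 1 - 0.1/0.5 = 0.8; in the discrete chain each component converges to p_infect / (p_infect + p_recover) = 0.4 infected, so the mean count tends to 2 of 5.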

Various strategies and mechanisms have been designed to identify worms; some depend on observing the scanning behaviour of the worms [M1], and others depend on the content [L1], [J2].

Weakness of mathematical models: Mathematical models have a very great impact on current technology, but as far as I observed, these models have some limitations. Most of the mathematical models are data dependent, and most of the old models were incomplete.

But in general, the user is not clear about how accurate the results are, and the validity of the results must matter.

The next chapter explains the analysis of malware and the related research done on malware analysis by various authors, with observations.

Chapter 4 Related research on MALWARE ANALYSIS:

Malware analysis is the inspection of malware through its behaviour or signature to find its characteristics and functionality, and to discover its source, the range of its targets, its approach to propagation and its defence mechanisms. The results of these assessments help to expand the security of end users by providing better protection through products such as intrusion detection systems, anti-virus and firewalls. Anti-virus software generally maintains a virus signature database, which contains the characteristic binary patterns of malicious code. Files suspected to be infected are checked by this software for the presence of a virus signature. Until malware authors began writing metamorphic and polymorphic code, this detection method worked successfully. These changes in malware code let it avoid signature-based detection by using encryption strategies. Virus scanners and security products search for the signature sequence (characteristic bytes) to recognise malicious code. The detection techniques are determined by the detector. A good-quality malware technique ought to be able to recognise malicious code that is inserted and hidden in the original base program, and to identify new, unknown malware. The vast majority of commercial anti-virus software lacks the flexibility needed to identify new attacks.

Since the authors of malware consistently create new obfuscation strategies to cheat detection software so that the malware can stay undetected, a malware detector D is defined as follows. The range is the set {malicious, benign}, and the set of programs P is the domain of the detector [J2].

D(p) is "malicious" if p contains malicious code, and "benign" otherwise.

The verification of this program checks whether it is malicious or benign. This test aims to discover the hit ratio, or the false negatives and false positives. The malware detector uses a malware signature to detect the malware; basically, a signature is the binary pattern of the machine code of a virus. Anti-virus software compares the files on the hard drive, in RAM and on removable devices, and the data that reaches the computer or device through the network, against the virus signature database. Security vendors update the signature database constantly and make it accessible to clients through their sites. The result of this detection function falls into one of the three classes below [P1]:
a) Hit ratio:

when the stored signature matches the malware signature, the malware detector decides to flag the malware, which contributes to the hit ratio.

b) False positive:

this results when a virus scanner incorrectly detects the existence of a virus in a non-infected file. False positives happen when the signature used to recognise the virus is not unique to that infection, because the signature also appears in non-infected or legitimate software.

c) False negative:

this results when the virus scanner cannot detect an existing virus. The anti-virus scanner may fail to detect the virus because it is new and its signature is not yet available, or because the detector's ability is less than the virus's robustness, or because the configuration settings are too complex and dynamic for that virus.
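The three outcome classes above, worked through with a minimal byte-pattern scanner; this is an added example, not any product's scanning code, and the signature database, sample files and ground-truth labels are constructed and correspond to no real malware. It shows how a signature shared with legitimate software produces a false positive and how a variant with altered bytes produces a false negative.

```python
# Constructed signature database: family name -> characteristic byte sequence.
DROPPER_SIG = b"\x55\x8b\xec\x83\xec\x40\x68\x41\x42\x43\x44"
SIGNATURES = {
    "Example.Dropper": DROPPER_SIG,
    "Example.Stealer": b"STEAL-CRED-V1",
}

# Constructed samples with the ground truth we know about each one.
HEADER = b"MZ\x90\x00"
SAMPLES = {
    "dropper.exe": (HEADER + DROPPER_SIG + b"\x00" * 8, "malicious"),
    "calc.exe": (HEADER + b"\x00" * 16, "benign"),
    # Legitimate tool that happens to contain the Stealer token in a string.
    "cred-audit.exe": (HEADER + b"STEAL-CRED-V1 audit log", "benign"),
    # Variant of the dropper with changed bytes, so no stored signature matches.
    "dropper-v2.exe": (HEADER + b"\x55\x8b\xec\x83\xec\x48\x68\x44\x43\x42\x41", "malicious"),
}


def scan(content, signatures=SIGNATURES):
    """Return the names of all signatures whose byte pattern occurs in content."""
    return [name for name, pattern in signatures.items() if pattern in content]


def classify(detected, truth):
    """Map one scan result onto the outcome classes described in the text."""
    if detected and truth == "malicious":
        return "hit"
    if detected and truth == "benign":
        return "false positive"
    if not detected and truth == "malicious":
        return "false negative"
    return "true negative"  # benign and not flagged; not one of the three classes


def evaluate(samples=SAMPLES, signatures=SIGNATURES):
    """Scan every sample and tally the outcomes; returns (per-file, counts)."""
    counts = {"hit": 0, "false positive": 0, "false negative": 0, "true negative": 0}
    per_file = {}
    for name, (content, truth) in samples.items():
        outcome = classify(bool(scan(content, signatures)), truth)
        per_file[name] = outcome
        counts[outcome] += 1
    return per_file, counts


def hit_ratio(counts):
    """Fraction of the malicious samples that the scanner actually caught."""
    malicious = counts["hit"] + counts["false negative"]
    return counts["hit"] / malicious if malicious else 0.0


if __name__ == "__main__":
    per_file, counts = evaluate()
    for name, outcome in per_file.items():
        print(f"{name:16s} {outcome}")
    print(counts, "hit ratio", hit_ratio(counts))
```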

4.1 Malware Behaviour:

Behaviour-based detection techniques analyse and study the unknown or suspicious behaviour of malicious code, such as the source and destination locations of the code and how the code was appended.

This technique differs from other scanning systems in that, instead of the binary pattern, it considers the activity performed by the malware; programs with different binary content but similar behaviour are collected together. These detection procedures help in recognising malware that keeps creating new versions of its signature, since such malware will consistently use the resources of the device in a similar way. Data is collected by the behaviour detector and then a matching algorithm [L1], [Q1] is applied.

The authors of [L1] proposed new strategies to extract and detect malware behaviour. The behaviour of 236 mainstream malware samples was analysed: when executed, about 67% of the malware produces sub-processes, and self-deletion and thread-injection types of malicious behaviour appear after the malware executable runs. These suspicious behaviours are called Malicious Behaviour Features (MBF). The authors introduced the term Behaviour Operation Set (BOS), which is characterised by file actions (for example rename, read), registry actions (for example query value and open key), process actions (for example create and terminate) and network actions (for example TCP, UDP). These four sets of operations were used to examine the behaviour. Of the two tests done by the authors, in the first test 328 non-infected files were tried; the outcome showed that only 7 of them were falsely recognised as malware, so the accuracy rate is 97.87% and the error rate is 2.13%. In the second test, the authors tested the suspected files and discovered new malware by observing the common behaviour shared with well-known malware.
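The Behaviour Operation Set idea above, as an added example that is not the system from [L1]: each constructed dynamic-analysis trace is reduced to its set of (category, action) pairs over the four categories named in the text, a suspect's set is compared with known families by Jaccard similarity, and accuracy and error rate are computed the way the text reports them. The trace format, operation names, family profiles and the similarity threshold are all assumptions.

```python
# Constructed traces, one event per line: "<category> <action> <target>".
KNOWN_MALWARE_TRACES = {
    "Sample.Worm": """\
process create C:\\Temp\\w.exe
file write C:\\Temp\\w.exe
registry setvalue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\w
network tcp 203.0.113.5:4444
file delete C:\\Users\\u\\Downloads\\w.exe
""",
    "Sample.Injector": """\
process create C:\\Windows\\System32\\svchost.exe
process createremotethread C:\\Windows\\System32\\svchost.exe
file delete C:\\Temp\\self.exe
""",
}

SUSPECT_TRACES = {
    # Same operations as Sample.Worm, but different file names and addresses.
    "unknown1.exe": """\
process create C:\\Temp\\q.exe
file write C:\\Temp\\q.exe
registry setvalue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\q
network tcp 198.51.100.7:8080
file delete C:\\Users\\u\\Downloads\\q.exe
""",
    "editor.exe": """\
file read C:\\Users\\u\\notes.txt
file write C:\\Users\\u\\notes.txt
registry queryvalue HKCU\\Software\\Editor\\Recent
""",
    # Shares three operations with the worm but not the network and delete ones.
    "installer.exe": """\
file write C:\\Program Files\\App\\app.exe
registry setvalue HKLM\\Software\\App\\Version
process create C:\\Program Files\\App\\app.exe
""",
}

CATEGORIES = {"file", "registry", "process", "network"}


def behaviour_operation_set(trace):
    """Reduce a trace to the set of (category, action) pairs, dropping the
    concrete targets so that renamed files or new addresses do not matter."""
    ops = set()
    for line in trace.splitlines():
        category, action, _target = line.split(" ", 2)
        if category in CATEGORIES:
            ops.add((category, action))
    return frozenset(ops)


def similarity(a, b):
    """Jaccard similarity of two operation sets (0 = disjoint, 1 = identical)."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def match(trace, known=KNOWN_MALWARE_TRACES, threshold=0.75):
    """Return (best matching family, score), or (None, score) below threshold."""
    bos = behaviour_operation_set(trace)
    best_name, best_score = None, 0.0
    for name, known_trace in known.items():
        score = similarity(bos, behaviour_operation_set(known_trace))
        if score > best_score:
            best_name, best_score = name, score
    return (best_name if best_score >= threshold else None), best_score


def accuracy(results, labels):
    """Accuracy and error rate in percent, as the text reports them (97.87 / 2.13).
    results maps name -> family or None; labels maps name -> True if malicious."""
    correct = sum((results[n] is not None) == labels[n] for n in labels)
    acc = 100 * correct / len(labels)
    return round(acc, 2), round(100 - acc, 2)


if __name__ == "__main__":
    for name, trace in SUSPECT_TRACES.items():
        print(f"{name:14s} -> {match(trace)}")
```

The installer scores 0.6 against the worm profile (three shared operations out of five), which is why a threshold, not a single shared operation, separates a legitimate installer from a worm that also drops and persists a file.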

4.2 Malware Signature

Ordinary anti-virus software searches for signatures, which are sequences of bytes in the malware code, to decide whether the scanned program is malicious or not. Basically, there are three sorts of malware: basic, polymorphic, and metamorphic.

In basic malware, the malware designer changes the entry point of the program. Polymorphic viruses modify themselves while leaving the original code unaltered: besides the decryption part, a polymorphic virus contains an encrypted malicious body. A polymorphic engine injected into the body of the virus produces a new version each time it is run, so it is exceptionally hard to recognise this sort of virus by signature-based methods. Metamorphic malware uses advanced obfuscation procedures to reprogram itself, so the parent and child signatures are altogether different. It is practically impossible to recognise this kind of malware without disassembling the virus file [P1], [M7], [U1].

Issues with signature-based detection:

There are numerous issues related to the signature-based detection method. The most concerning is that generating a signature is an extremely hard procedure and requires a solid code analysis algorithm. The second issue is that the signatures must be spread as quickly as possible. The third is that new signatures can easily pass the detectors, and the last issue is that the size of the signature database keeps expanding.

The next chapter explains the current situation of malware and the issues identified in all of the above research solutions suggested and implemented by their respective authors.

Chapter 5 Current situation and summary of constraints of the solutions suggested:

In today's world, technology has become a key element on which research and business rely. However, like the other side of the coin, these advancements have also opened the doors for the attacking and hacking community, and within a few years malware has become a noteworthy security threat affecting networks, PCs and systems generally.

At first, programmers and attackers attacked other people's PCs for no particular reason, without any genuine intention of seeking extraordinary gains, until online commerce gained popularity, particularly in banking and financial transactions, which led hackers to seek monetary profit [R1]. This spurred attackers to work harder to keep machines infected for as long as reasonably possible, in order to obtain more monetary profit and more valuable data and information [R1]. Consequently, a major challenge has arisen in protecting data and business systems, and a kind of arms race has begun between the attacker community and security products [J1].

Since malware was first found and identified in hosts and systems, its timeline shows a great many changes and stages, beginning with self-replicating but not self-transporting malware, the virus [R1], moving to self-replicating and self-transporting malware, the worm [P1], and going on to other malware types and families. With the rapidly expanding complexity and interconnection of emerging information systems, the number of malware attacks is also increasing sharply. While there is recognisable progress in security techniques and defence technologies, there is comparable progress in complex hacking methods, and new security vulnerabilities appear every day [J2]. In this situation, where the majority of the papers are very specific to their corresponding research field and purpose, it is hard to summarise the sample into statistical information with higher precision. I have also realised that most papers are from IEEE publications, and have therefore recognised this as a type of limitation on the accessibility of related research publications in other sources.

We can now clearly feel the effect of malware on different computing infrastructures, technologies and services, for example Bluetooth [L2], [D1], file sharing [S1], wireless networks [S3] and online social networking [H1], [S2]. Numerous strategies have been created and used to detect malware and prevent its propagation, such as virtual environments [S4] and sandboxing [C2], and sometimes, using the FRAM model [J3], the malware environment has been simulated to make malware easier to distinguish. The upgrade and improvement process for security ought to be powerful and at the same time move in two directions: looking for inventive ideas and smart analysis for dealing with malware issues, and shielding systems from the known malware threats.

5.1 Issues with identified methods:

No single mechanism can be effective in eliminating all malware threats.

Many investigations, surveys, tests, brainstorming sessions, statistical analyses and modelling strategies have been carried out to gain further knowledge and profitable data about malware [M1], because attackers are constantly building up their capabilities, attacking abilities and systems. These make detection and tracking difficult and present new challenges to defenders; all of these investigations and works are not adequate to cover the rapid increase in malware development. Virus Bulletin (1988) was, to our understanding, the first journal devoted to studying malware [R1], while at present there are a great many journals committed to security issues, particularly malware issues. This paper has been presented to increase understanding of the different issues identified with malware. I have drawn on many papers and journals; the details of the resources used are shown more clearly in the other information part. However, as mentioned above, alongside the advantages many weaknesses were observed, such as issues with file size, issues with identifying traffic that spreads in all directions, and remaining issues with mathematical models regarding the data input.

The writers were looking at malware from various angles and perspectives, which are valuable yet may confuse users about which weaknesses have been observed. The number of metrics examined is also small, so to obtain satisfactory results, continued research is still needed so that the best solution can be found.
The following chapter concludes the related research and the weaknesses observed. Together with the conclusion, it explains my proposal, which is a distributed architecture to stop malware from entering the system.
Chapter 6 Conclusion and Future Proposal:

Malware engineers attempt to compose new systems and methodologies to conceal malicious code and infect their targets. Detectors, in turn, continually analyse malware practices and attempt to oppose these systems and procedures; thus, we must let detection methods evolve by keeping malware information updated through a thorough investigative process of malware development practices, in order to fix any possible targeted threats.

A new detection technique must be developed so that whenever malware tries to enter the system or any device, the client is prompted that some program is trying to modify files; with this, the client can make sure the files are not infected by real malware.

I would like to propose a malware protection architecture that reveals the behaviour of a program: a distributed architecture that includes a proxy server protection mechanism and a personal firewall.

We understand that threats attack computers in multiple ways, such as through email, installing new applications and downloads, and steal our private information. Without a proxy server, when we visit a web site our browser communicates directly with the server that hosts the web page we want to see. A proxy server acts as a gateway between our browser and that server: it accepts data from the server and forwards it to our browser. Although we use many anti-virus products, we also have the additional security option of a firewall. Firewalls protect our data by monitoring all incoming and outgoing data. Using proxy settings we can filter certain sites; this can be seen in universities and schools, where some sites cannot be reached. These settings are configured by the administrator. With some algorithms and settings, these proxy configurations can be used to prevent malware from spreading and help people stay away from the dangerous sites that deliver malicious software into our systems. We can make the proxy sit between the protected network and the network we want to be protected from, making the proxy a security gateway. Then, every time an application makes a request, instead of the destination server replying directly, the request goes to the proxy, which initiates the request; in this way all communication between the client and the destination server is made indirect. For the proxy, I would like to suggest a configuration in which the whole packet is inspected completely and protected from malicious data.

Also, having a personal firewall can end the confusion we have about the system being attacked. Hijackers mainly take our internet connection, which is on most of the time, as an entry point. Here we can make use of a firewall, which acts as security at the border, stopping malicious things from entering our computer through any network, internet or broadband connection. By using a firewall we basically create a barrier between the trusted network and the untrusted external network.

We can use a firewall to monitor all the traffic that enters our computer network. Generally, information is sent from one network to another in the form of packets. A firewall can inspect these packets and determine whether they are hazardous to our network security. By creating our own personal firewall, we can block trojan horses from the outset, before they enter our computers and infect our systems. By implementing better rules for the firewall, we can also stop attackers entering our systems through our internet connection; such intrusions can be stopped by firewalls. To capture our keystrokes, cyber criminals try to inject spyware called keyloggers. With firewall security, we can reduce the entry of keyloggers.

Using both of the above, the proxy and the personal firewall, I would like to propose a distributed architecture that prevents malicious software or programs from entering our system. This has the advantage of filtering traffic from both the internal network and the internet. This type of architecture is proposed so that it can prevent malicious code originating from either network from entering. Using the firewall, I would like to implement some security policies and create a personal firewall to stop intrusions. There is an increasing need to implement new security access controls. With this distributed architecture, I would like to form a security policy as a second layer of protection beyond the traditional firewalls that exist in our systems.

The proposed architecture states a policy that determines what kind of traffic and which internet protocols are permitted, and what sort of traffic is denied. With this implementation, acceptance of packets can be handled in such a way that there is very little or no scope for malicious intrusions to enter the system.
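One way to express the policy just described in code, as an added example and not the author's implementation: an ordered, first-match, default-deny rule set for the personal firewall that only lets web traffic leave through the proxy (so a client bypassing inspection is blocked), plus the site filter the proxy applies. The rule syntax, addresses, ports and blocked host names are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" (internal -> internet) or "inbound"
    proto: str       # "tcp", "udp" or "icmp"
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination port (0 for icmp)


def _ip_in(cidr, addr):
    """True when addr falls inside cidr, or when the rule says "any"."""
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "outbound", "inbound" or "any"
    proto: str       # protocol name or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    dports: tuple    # destination ports; () matches any port

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and _ip_in(self.src, p.src)
                and _ip_in(self.dst, p.dst)
                and (not self.dports or p.dport in self.dports))


INTERNAL = "192.168.1.0/24"    # constructed protected network
PROXY = "192.168.1.2/32"       # constructed proxy / security gateway
RESOLVER = "192.168.1.1/32"    # constructed internal DNS resolver

# Ordered policy: the first matching rule decides, and a packet that matches
# nothing is denied.  Web ports are only allowed towards the proxy, so a client
# that tries to reach a web server directly, bypassing inspection, is blocked.
POLICY = [
    Rule("allow", "outbound", "tcp", INTERNAL, PROXY, (3128,)),
    Rule("deny", "outbound", "tcp", INTERNAL, "any", (80, 443)),
    Rule("allow", "outbound", "udp", INTERNAL, RESOLVER, (53,)),
    Rule("deny", "inbound", "any", "any", INTERNAL, ()),
]


def evaluate(policy, packet):
    """Return (action, index of the deciding rule); ("deny", None) when nothing matches."""
    for idx, rule in enumerate(policy):
        if rule.matches(packet):
            return rule.action, idx
    return "deny", None


BLOCKED_HOSTS = {"malware-download.example", "phishing.example"}   # constructed list


def proxy_decision(url, blocked=BLOCKED_HOSTS):
    """Site filtering at the proxy: deny a blocked host or any of its subdomains,
    allow everything else."""
    host = (urlsplit(url).hostname or "").lower()
    if host in blocked or any(host.endswith("." + b) for b in blocked):
        return "deny"
    return "allow"


if __name__ == "__main__":
    direct_web = Packet("outbound", "tcp", "192.168.1.10", "203.0.113.10", 443)
    via_proxy = Packet("outbound", "tcp", "192.168.1.10", "192.168.1.2", 3128)
    print("direct web:", evaluate(POLICY, direct_web))
    print("via proxy: ", evaluate(POLICY, via_proxy))
    print("proxy filter:", proxy_decision("http://malware-download.example/x.exe"))
```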

Chapter 7 References
A1: A. J. O’Donnell, “When malware attacks (anything but windows),” Secur. Priv. IEEE,
vol. 6, no. 3, pp. 68–70.

A2: A. Dehghantanha, N. I. Udzir, and R. Mahmod, “Towards data centric mobile security,”
in Information Assurance and Security (IAS), 2011 7th International Conference on, pp. 62–
67.

A3: A. Vasudevan, “MalTRAK: tracking and eliminating unknown malware,” in Computer


Security Applications Conference pp. 311–321.

B1: B. Stone-Gross, M. Cova, B. Gilbert, R. Kemmerer, C. Kruegel, and G. Vigna, “Analysis


of a botnet takeover,” Secur. Priv. IEEE, vol. 9, no. 1, pp. 64–72.

C1: Cisecurity-2019: https://www.cisecurity.org/blog/top-10-malware-january-2019/

C2: C. Greamo and A. Ghosh, “Sandboxing and virtualization: Modern tools for combating
malware,” Secur. Priv. IEEE, vol. 9, no. 2, pp. 79–82.

C3: C. P. Fuhrman, “Forensic value of backscatter from email spam,” in Digital Forensics
and Incident Analysis. WDFIA’08. Third International Annual Workshop on, 2008, pp. 46–
52.

C4: C. A. Martínez, G. I. Echeverri, and A. G. C. Sanz, “Malware detection based on cloud


computing integrating intrusion ontology representation,” in Communications
(LATINCOM), pp. 1–6.

D1: D. M. Nicol, “The impact of stochastic variance on worm propagation and detection,” in
Proceedings of the 4th ACM workshop on Recurring malcode, pp. 57–64.

D2: D. Stevens, “Malicious PDF documents explained,” Secur. Priv. IEEE, vol. 9, no. 1, pp.
80–82.

G1: G. Yan and S. Eidenbenz, “Modeling propagation dynamics of bluetooth worms


(extended version),” Mob. Comput. IEEE Trans. On, vol. 8, no. 3, pp. 353–368.

H1: H. Gao, J. Hu, T. Huang, J. Wang, and Y. Chen, “Security issues in online social
networks,” Internet Comput. IEEE, vol. 15, no. 4, pp. 56–63.

H2: H.-D. Huang, C.-S. Lee, H.-Y. Kao, Y.-L. Tsai, and J.-G. Chang, “Malware behavioral
analysis system: TWMAN,” in Intelligent Agent (IA), pp. 1–8.

J1: J. R. Crandall, R. Ensafi, S. Forrest, J. Ladau, and B. Shebaro, “The ecology of


Malware,” in Proceedings of the 2008 workshop on New security paradigms, pp. 99–106.

29
Literature survey on Malware Propagation, detection and Analysis
J2: J.-H. Park, M. Kim, B.-N. Noh, and J. B. Joshi, “A Similarity based Technique for
Detecting Malicious Executable files for Computer Forensics,” in Information Reuse and
Integration, 2006 IEEE International Conference on, 2006, pp. 188–193.

J3: J. Van Randwyk, K. Chiang, L. Lloyd, and K. Vanderveen, “Farm: An automated


malware analysis environment,” in Security Technology, 2008. ICCST 2008. 42nd Annual
IEEE International Carnahan Conference on, pp. 321–325.

J4: J. Boutet, “Malicious Android Applications: Risks and Exploitation,” Inst. InfoSec Read.
Room, vol. 2.

J5: J. Yonts, “Mac OS X Malware Analysis,” Inst. InfoSec Read. Room, vol. 2.

L1: -L. Wu, R. Ping, L. Ke, and D. Hai-xin, “Behavior-Based Malware Analysis and
Detection,” in Complexity and Data Mining (IWCDM), 2011 First International Workshop
on, 2011, pp. 39–42.

L2: L. Carettoni, C. Merloni, and S. Zanero, “Studying bluetooth malware propagation: The
bluebag project,” IEEE Secur. Priv., vol. 5, no. 2, pp. 17–25.

M1: M. Apel, C. Bockermann, and M. Meier, “Measuring similarity of malware behavior,”


in Local Computer Networks, 2009. LCN 2009. IEEE 34th Conference on, 2009, pp. 891–
898.

M2: M. F. Zolkipli and A. Jantan, “An approach for malware behavior identification and
classification,” in Computer Research and Development (ICCRD), 3rd International
Conference on, vol. 1, pp. 191– 194.

M3: M. R. Rieback, P. N. Simpson, B. Crispo, and A. S. Tanenbaum, “RFID malware:


Design principles and examples,” Pervasive Mob. Comput., vol. 2, no. 4, pp. 405–426, 2006

M4: M. Carpenter, T. Liston, and E. Skoudis, “Hiding virtualization from attackers and
malware,” Secur. Priv. IEEE, vol. 5, no. 3, pp. 62–65.

M5: M. Szczepanik and I. Jóźwiak, “Detecting New and Unknown Malwares Using
Honeynet,” Adv.

Multimed. Netw. Inf. Syst. Technol., pp. 173–180.

M6: M. Ramilli, M. Bishop, and S. Sun, “Multiprocess malware,” in Malicious and


Unwanted Software (MALWARE), 2011 6th International Conference on, pp. 8–13.

M7: M. Ramilli and M. Prandini, “Always the Same, Never the Same,” Secur. Priv. IEEE,
vol. 8, no. 2, pp. 73–75.

P1: Pfleeger, C & Pfleeger, S. (2003), Security in Computing, Third Addition, Pearson
Education inc.

30
Literature survey on Malware Propagation, detection and Analysis
P1: P. Vinod, R. Jaipur, V. Laxmi, and M. Gaur, “Survey on malware detection methods,” in
Proceedings of the 3rd Hackers’ Workshop on Computer and Internet Security
(IITKHACK’09), pp. 74–79.

Q1: Q. Jiang, X. Zhao, and K. Huang, “A feature selection method for malware detection,” in
Information and Automation (ICIA), 2011 IEEE International Conference on, 2011, pp. 890–
895.

R1: R. Ford and W. H. Allen, “Malware Shall Greatly Increase...,” Secur. Priv. IEEE, vol. 7,
no. 6, pp. 69–71.

S1: S. Shin, J. Jung, and H. Balakrishnan, “Malware prevalence in the KaZaA file-sharing
network,” in Proceedings of the 6th ACM SIGCOMM conference on Internet measurement,
pp. 333–338.

S2: S. Mohtasebi and A. Dehghantanha, “A Mitigation Approach to the Privacy and Malware
Threats of Social Network Services,” in Digital Information Processing and Communications,
Springer, pp. 448–459.

S3: S. Zanero, “Wireless malware propagation: A reality check,” Secur. Priv. IEEE, vol. 7,
no. 5, pp. 70–74.

S4: S. J. Vaughan-Nichols, “Virtualization sparks security concerns,” Computer, vol. 41, no.
8, pp. 13–15.

S5: S. H. Mohtasebi, A. Dehghantanha, and H. G. Broujerdi, “Smartphone Forensics: A Case


Study with Nokia E5-00 Mobile Phone,” Int. J. Digit. Inf. Wirel. Commun. IJDIWC, vol. 1,
no. 3, pp. 651–655.

S6: S. Abraham and I. Chengalur-Smith, “An overview of social engineering malware:


Trends, tactics, and implications,” Technol. Soc., vol. 32, no. 3, pp. 183–196.

U1: U. Zurutuza, R. Uribeetxeberria, and D. Zamboni, “A data mining approach for analysis
of worm activity through automatic signature generation,” in Proceedings of the 1st ACM
workshop on Workshop on AISec, pp. 61– 70.

Y1: Y. Alosefer and O. Rana, “Clustering client honeypot data to support malware analysis,”
Knowl.-Based Intell. Inf. Eng. Syst., pp. 556–565.

31
Literature survey on Malware Propagation, detection and Analysis
Chapter 8 Appendixes

Appendix 1: Most studied topics related to malware

Appendix 2: Top 10 industries affected by malware in 2019:
