ch04 Malware

This document discusses different types of malware including viruses, worms, Trojans, rootkits, backdoors, logic bombs, and insider attacks. It provides examples of each type and discusses how they propagate, conceal themselves, and the payloads they carry out. Methods of detection and defense are also covered such as avoiding single points of failure, limiting permissions, and monitoring employee behavior to prevent insider attacks.
Malware: Malicious Software

07/25/2021 Malware 1
Viruses, Worms, Trojans, Rootkits
• Malware can be classified into several categories, depending on propagation and concealment
• Propagation
– Virus: human-assisted propagation (e.g., open email attachment)
– Worm: automatic propagation without human assistance
• Concealment
– Rootkit: modifies operating system to hide its existence
– Trojan: provides desirable functionality but hides malicious operation
• Various types of payloads, ranging from annoyance to crime

Insider Attacks
• An insider attack is a security breach that is caused or facilitated by someone who is a part of the very organization that controls or builds the asset that should be protected.
• In the case of malware, an insider attack refers to a security hole that is created in a software system by one of its programmers.

Backdoors
• A backdoor, which is also sometimes called a trapdoor, is a hidden feature or command in a program that allows a user to perform actions he or she would not normally be allowed to do.
• When used in a normal way, this program performs completely as expected and advertised.
• But if the hidden feature is activated, the program does something unexpected, often in violation of security policies, such as performing a privilege escalation.
• Benign example: Easter Eggs in DVDs and software
Logic Bombs
• A logic bomb is a program that performs a malicious action as a result of a certain logic condition.
• The classic example of a logic bomb is a programmer coding up the software for the payroll system who puts in code that makes the program crash should it ever process two consecutive payrolls without paying him.
• Another classic example combines a logic bomb with a backdoor, where a programmer puts in a logic bomb that will crash the program on a certain date.

The Omega Engineering Logic Bomb
• An example of a logic bomb that was actually triggered and caused damage is one that programmer Tim Lloyd was convicted of using on his former employer, Omega Engineering Corporation. On July 31, 1996, a logic bomb was triggered on the server for Omega Engineering’s manufacturing operations, which ultimately cost the company millions of dollars in damages and led to it laying off many of its employees.
The Omega Bomb Code
• The logic behind the Omega Engineering time bomb included the following strings:
• 7/30/96
– Event that triggered the bomb
• F:
– Focused attention on volume F, which held the critical files
• F:\LOGIN\LOGIN 12345
– Logs in as a fictitious user, 12345 (the backdoor)
• CD \PUBLIC
– Moves to the public folder of programs
• FIX.EXE /Y F:\*.*
– Runs a program, called FIX, which actually deletes everything
• PURGE F:\/ALL
– Prevents recovery of the deleted files
Defenses against Insider Attacks
• Avoid single points of failure.
• Use code walk-throughs.
• Use archiving and reporting tools.
• Limit authority and permissions.
• Physically secure critical systems.
• Monitor employee behavior.
• Control software installations.

Computer Viruses
• A computer virus is computer code that can replicate itself by modifying other files or programs to insert code that is capable of further replication.
• This self-replication property is what distinguishes computer viruses from other kinds of malware, such as logic bombs.
• Another distinguishing property of a virus is that replication requires some type of user assistance, such as clicking on an email attachment or sharing a USB drive.
Biological Analogy
• Computer viruses share some properties with biological viruses
(Figure: stages of a biological virus infection: attack, penetration, replication and assembly, release.)
Early History
 1972 sci-fi novel “When HARLIE Was One” features a
program called VIRUS that reproduces itself
 First academic use of term virus by PhD student Fred
Cohen in 1984, who credits advisor Len Adleman with
coining it
 In 1982, high-school student Rich Skrenta wrote first
virus released in the wild: Elk Cloner, a boot sector
virus
 (c)Brain, by Basit and Amjood Farooq Alvi in 1986,
credited with being the first virus to infect PCs

Virus Phases
• Dormant phase. During this phase, the virus just exists—the virus is lying low and avoiding detection.
• Propagation phase. During this phase, the virus is replicating itself, infecting new files on new systems.
• Triggering phase. In this phase, some logical condition causes the virus to move from a dormant or propagation phase to perform its intended action.
• Action phase. In this phase, the virus performs the malicious action that it was designed to perform, called the payload.
– This action could include something seemingly innocent, like displaying a silly picture on a computer’s screen, or something quite malicious, such as deleting all essential files on the hard drive.

Infection Types
• Overwriting original code
– Destroys original code
• Pre-pending
– Keeps original code, possibly compressed
• Infection of libraries
– Allows virus to be memory resident
– E.g., kernel32.dll
• Macro viruses
– Infects MS Office documents
– Often installs in main document template
(Figure: layout of virus code and original code in the infected file for each infection type.)

Degrees of Complication
• Viruses have various degrees of complication in how they can insert themselves in computer code.

Concealment
• Encrypted virus
– Decryption engine + encrypted body
– Randomly generate encryption key
– Detection looks for decryption engine
• Polymorphic virus
– Encrypted virus with random variations of the decryption engine (e.g., padding code)
– Detection using CPU emulator
• Metamorphic virus
– Different virus bodies
– Approaches include code permutation and instruction replacement
– Challenging to detect

Computer Worms
• A computer worm is a malware program that spreads copies of itself without the need to inject itself in other programs, and usually without human interaction.
• Thus, computer worms are technically not computer viruses (since they don’t infect other programs), but some people nevertheless confuse the terms, since both spread by self-replication.
• In most cases, a computer worm will carry a malicious payload, such as deleting files or installing a backdoor.

Early History
• First worms built in the labs of John Shock and Jon Hepps at Xerox PARC in the early 80s
• CHRISTMA EXEC, written in REXX, released in December 1987, and targeting IBM VM/CMS systems, was the first worm to use e-mail service
• The first internet worm was the Morris Worm, written by Cornell student Robert Tappan Morris and released on November 2, 1988

Worm Development
• Identify vulnerability still unpatched
• Write code for
– Exploit of vulnerability
– Generation of target list
  • Random hosts on the internet
  • Hosts on LAN
  • Divide-and-conquer
– Installation and execution of payload
– Querying/reporting if a host is infected
• Initial deployment on botnet
• Worm template
– Generate target list
– For each host on target list
  • Check if infected
  • Check if vulnerable
  • Infect
  • Recur
• Distributed graph search algorithm
– Forward edges: infection
– Back edges: already infected or not vulnerable
Worm Propagation
• Worms propagate by finding and infecting vulnerable hosts.
– They need a way to tell if a host is vulnerable
– They need a way to tell if a host is already infected.
(Figure: spread of the worm outward from the initial infection.)
Propagation: Theory
• Classic epidemic model
– N: total number of vulnerable hosts
– I(t): number of infected hosts at time t
– S(t): number of susceptible hosts at time t
– I(t) + S(t) = N
– b: infection rate
• Differential equation for I(t): dI/dt = b I(t) S(t)
• More accurate models adjust propagation rate over time
Source: Cliff C. Zou, Weibo Gong, Don Towsley, and Lixin Gao. The Monitoring and Early Detection of Internet Worms, IEEE/ACM Transactions on Networking, 2005.
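The classic model above worked through in code, as an added example that is not part of the slides or the cited paper: it integrates dI/dt = b I(t) S(t) numerically with S(t) = N - I(t), compares the result with the closed-form logistic solution I(t) = N / (1 + (N/I0 - 1) exp(-bNt)), and inverts that solution to ask how long the worm needs to reach a given fraction of N. The values of N, I0 and b are constructed, not taken from any real outbreak.

```python
import math

def simulate_epidemic(N, I0, b, t_end, dt=0.01):
    """Integrate dI/dt = b * I(t) * S(t), with S(t) = N - I(t), by forward Euler.
    Returns a list of (t, I(t)) samples; time is in whatever unit b is expressed in."""
    t, I = 0.0, float(I0)
    samples = [(t, I)]
    for _ in range(int(round(t_end / dt))):
        I += dt * b * I * (N - I)  # S(t) = N - I(t); stays below N while dt*b*N < 1
        t += dt
        samples.append((t, I))
    return samples

def closed_form(N, I0, b, t):
    """Exact (logistic) solution of the same equation:
    I(t) = N / (1 + (N/I0 - 1) * exp(-b*N*t))."""
    return N / (1.0 + (N / I0 - 1.0) * math.exp(-b * N * t))

def time_to_fraction(N, I0, b, fraction):
    """Invert the closed form: the time at which I(t) reaches fraction * N,
    i.e. 'how long until 90% of the vulnerable population is infected?'"""
    target = fraction * N
    return math.log((N / I0 - 1.0) / (N / target - 1.0)) / (b * N)

if __name__ == "__main__":
    # Constructed parameters: 100,000 vulnerable hosts, one initial infection, and
    # b chosen so that b*N = 2 new infections per infected host per hour while
    # almost every host is still susceptible.
    N, I0, b = 100_000, 1, 2.0e-5
    for t, I in simulate_epidemic(N, I0, b, t_end=12.0)[::100]:
        print(f"t={t:5.1f} h  simulated I={I:9.0f}  exact I={closed_form(N, I0, b, t):9.0f}")
    for frac in (0.1, 0.5, 0.9):
        print(f"{frac:.0%} of hosts infected after {time_to_fraction(N, I0, b, frac):.2f} h")
```

The S-shaped curve it prints is the same shape as the Code Red plot on the next slide: slow start, explosive middle, saturation at N.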

Propagation: Practice
• Cumulative total of unique IP addresses infected by the first outbreak of Code-RedI v2 on July 19-20, 2001
(Figure: plot of the cumulative count of infected addresses over time.)
Source: David Moore, Colleen Shannon, and Jeffery Brown. Code-Red: a case study on the spread and victims of an Internet worm, CAIDA, 2002

Trojan Horses
• A Trojan horse (or Trojan) is a malware program that appears to perform some useful task, but which also does something with negative consequences (e.g., launches a keylogger).
• Trojan horses can be installed as part of the payload of other malware but are often installed by a user or administrator, either deliberately or accidentally.

Current Trends
• Trojans currently have largest infection potential
– Often exploit browser vulnerabilities
– Typically used to download other malware in multi-stage attacks
Source: Symantec Internet Security Threat Report, April 2009

Rootkits
• A rootkit modifies the operating system to hide its existence
– E.g., modifies file system exploration utilities
– Hard to detect using software that relies on the OS itself
• RootkitRevealer
– By Bryce Cogswell and Mark Russinovich (Sysinternals)
– Two scans of file system: a high-level scan using the Windows API and a raw scan using disk access methods
– Discrepancy reveals presence of rootkit
– Could be defeated by rootkit that intercepts and modifies results of raw scan operations
Malware Zombies
• Malware can turn a computer into a zombie, which is a machine that is controlled externally to perform malicious attacks, usually as a part of a botnet.
(Figure: the botnet controller (attacker) sends attack commands to the botnet; the botnet carries out attack actions against the victim.)
Financial Impact
• Malware often affects a large user population
• Significant financial impact, though estimates vary widely, up to $100B per year (mi2g)
• Examples
– LoveBug (2000) caused $8.75B in damages and shut down the British parliament
– In 2004, 8% of emails infected by W32/MyDoom.A at its peak
– In February 2006, the Russian Stock Exchange was taken down by a virus.

Economics of Malware
• New malware threats have grown from 20K to 1.7M in the period 2002-2008
• Most of the growth has been from 2006 to 2008
• Number of new threats per year appears to be growing at an exponential rate.
Source: Symantec Internet Security Threat Report, April 2009

Professional Malware
• Growth in professional cybercrime and online fraud has led to demand for professionally developed malware
• New malware is often a custom-designed variation of known exploits, so the malware designer can sell different “products” to his/her customers.
• Like every product, professional malware is subject to the laws of supply and demand.
– Recent studies put the price of a software keystroke logger at $23 and a botnet use at $225.
Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg, used by permission under the Creative Commons Attribution ShareAlike 3.0 License

Adware
Adware software payload (figure, with the computer user, the adware agent and the advertisers as parties):
• Advertisers contract with adware agent for content
• Adware engine infects a user’s computer
• Adware engine requests advertisements from adware agent
• Adware agent delivers ad content to user
Spyware
Spyware software payload (figure, with the computer user and the spyware data collection agent as parties):
1. Spyware engine infects a user’s computer.
2. Spyware process collects keystrokes, passwords, and screen captures.
3. Spyware process periodically sends collected data to spyware data collection agent.
Signatures: A Malware Countermeasure
• Scanning compares the analyzed object with a database of signatures
• A signature is a virus fingerprint
– E.g., a string with a sequence of instructions specific to each virus
– Different from a digital signature
• A file is infected if there is a signature inside its code
– Fast pattern matching techniques are used to search for signatures
• All the signatures together make up the malware database, which is usually proprietary
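The "fast pattern matching" step in code, as an added example that is not from the slides or any vendor: an Aho-Corasick automaton built from every signature in the database scans a file in a single pass and reports every signature found, including overlapping ones. The signatures and the sample files are constructed for the demonstration.

```python
from collections import deque

# Constructed sample signatures standing in for the instruction sequences a real
# database holds (not real malware signatures); Sample.C is the Omega slide's command.
SIGNATURES = {
    "Sample.A": bytes.fromhex("eb105e31c9b120"),
    "Sample.B": bytes.fromhex("5e31c9b1208036"),  # overlaps the tail of Sample.A
    "Sample.C": b"FIX.EXE /Y F:\\*.*",
}

def build_automaton(signatures):
    """Aho-Corasick: a trie over all signatures plus failure links, so a file is
    scanned in a single pass no matter how many signatures the database holds."""
    goto, fail, output = [{}], [0], [[]]
    for name, pattern in signatures.items():
        state = 0
        for byte in pattern:
            if byte not in goto[state]:
                goto.append({}); fail.append(0); output.append([])
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        output[state].append(name)
    queue = deque(goto[0].values())  # depth-1 states fail back to the root
    while queue:
        state = queue.popleft()
        for byte, nxt in goto[state].items():
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            output[nxt] = output[nxt] + output[fail[nxt]]  # inherit shorter matches
            queue.append(nxt)
    return goto, fail, output

def scan(data, automaton):
    """Return (signature name, offset of its last byte) for every occurrence in
    data, overlapping ones included."""
    goto, fail, output = automaton
    state, hits = 0, []
    for offset, byte in enumerate(data):
        while state and byte not in goto[state]:
            state = fail[state]
        state = goto[state].get(byte, 0)
        hits.extend((name, offset) for name in output[state])
    return hits

def is_infected(data, signatures=SIGNATURES):
    """Sorted names of all signatures found in data (empty list means clean)."""
    return sorted({name for name, _ in scan(data, build_automaton(signatures))})

# Constructed inputs: a benign-looking binary, and the same header with Sample.A
# (and therefore the overlapping Sample.B) embedded after a run of NOPs.
CLEAN_SAMPLE = b"MZ" + b"\x90" * 16 + b"hello, world\x00"
INFECTED_SAMPLE = b"MZ" + b"\x90" * 16 + SIGNATURES["Sample.A"] + b"\x80\x36\xaa"
```

Each file byte is examined once, so scan time depends on file size rather than on the number of signatures, which is why this family of algorithms suits databases with millions of entries.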
Signatures Database
• Common Malware Enumeration (CME)
– aims to provide unique, common identifiers to new virus threats
– Hosted by MITRE
– http://cme.mitre.org/data/list.html
• Digital Immune System (DIS)
– Creates new signatures automatically
White/Black Listing
• Maintain database of cryptographic hashes for
– Operating system files
– Popular applications
– Known infected files
• Compute hash of each file
• Look it up in the database
• Needs to protect the integrity of the database
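The white/black-listing procedure above, including the last bullet, as an added example that is not from the slides: files are hashed with SHA-256, looked up in an allow list and a deny list, and the database itself is protected with an HMAC so that an edited allow list is rejected on load. The file names, contents and key are constructed for the demonstration.

```python
import hashlib, hmac, json, os, tempfile

def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()

def build_database(good_paths, bad_paths):
    """Allow list (OS files, popular applications) and deny list (known infected files)."""
    return {"known_good": sorted({file_hash(p) for p in good_paths}),
            "known_bad": sorted({file_hash(p) for p in bad_paths})}

def sign_database(db, key):
    """Canonical JSON plus an HMAC-SHA256 tag: whoever can edit the database file
    still cannot add a hash to the allow list without the key."""
    body = json.dumps(db, sort_keys=True, separators=(",", ":"))
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}

def load_database(signed, key):
    expected = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):  # constant-time compare
        raise ValueError("hash database integrity check failed")
    return json.loads(signed["body"])

def classify(path, db):
    digest = file_hash(path)
    if digest in db["known_bad"]:  # deny list wins, so a known-bad file never passes
        return "blacklisted"
    return "whitelisted" if digest in db["known_good"] else "unknown"

def demo(key=b"constructed-demo-key"):
    """Constructed scenario: build, sign, reload and apply the database, then show
    that an allow list edited behind the tool's back is rejected on load.
    Returns (classification per file, whether the tampering was detected)."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content in [("kernel32.dll", b"os file"), ("editor.exe", b"app"),
                              ("infected.exe", b"app\x90\x90"), ("unknown.bin", b"???")]:
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        db = build_database([paths["kernel32.dll"], paths["editor.exe"]], [paths["infected.exe"]])
        signed = sign_database(db, key)
        results = {n: classify(p, load_database(signed, key)) for n, p in paths.items()}
        db["known_good"].append(file_hash(paths["infected.exe"]))  # attacker edits the file
        tampered = dict(signed, body=json.dumps(db, sort_keys=True, separators=(",", ":")))
        try:
            load_database(tampered, key); detected = False
        except ValueError:
            detected = True
    return results, detected
```

The key must live somewhere the scanned system cannot overwrite (the vendor's signing infrastructure, or a signature check against a key baked into the scanner), otherwise a rootkit that can edit the database can also re-sign it.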

Heuristic Analysis

• Useful to identify new and “zero day” malware
• Code analysis
– Based on the instructions, the antivirus can determine whether or not the program is malicious, e.g., the program contains instructions to delete system files
• Execution emulation
– Run code in isolated emulation environment
– Monitor actions that the target file takes
– If the actions are harmful, mark as virus
• Heuristic methods can trigger false alarms
Shield vs. On-demand
• Shield
– Background process (service/daemon)
– Scans each time a file is touched (open, copy, execute, etc.)
• On-demand
– Scan on explicit user request or according to regular schedule
– On a suspicious file, directory, drive, etc.
Performance test of scan techniques
– Comparative: check the number of already known viruses that are found and the time to perform the scan
– Retrospective: test the proactive detection of the scanner for unknown viruses, to verify which vendor uses better heuristics
Anti-viruses are ranked using both parameters: http://www.av-comparatives.org/
Online vs Offline Anti Virus Software
Online
• Free browser plug-in
• Authentication through third party certificate (i.e. VeriSign)
• No shielding
• Software and signatures update at each scan
• Poorly configurable
• Scan needs internet connection
• Report collected by the company that offers the service
Offline
• Paid annual subscription
• Installed on the OS
• Software distributed securely by the vendor online or a retailer
• System shielding
• Scheduled software and signatures updates
• Easily configurable
• Scan without internet connection
• Report collected locally and may be sent to vendor
Quarantine
• A suspicious file can be isolated in a folder called quarantine:
– E.g., if the result of the heuristic analysis is positive and you are waiting for a signature database update
• The suspicious file is not deleted but made harmless: the user can decide when to remove it or restore it in case of a false positive
– Interacting with a file in quarantine is possible only through the antivirus program
• The file in quarantine is harmless because it is encrypted
• Usually the quarantine technique is proprietary and the details are kept secret

Static vs. Dynamic Analysis
Static Analysis
• Checks the code without trying to execute it
• Quick scan in white list
• Filtering: scan with different antivirus and check if they return same result with different name
• Weeding: remove the correct part of files as junk to better identify the virus
• Code analysis: check binary code to understand if it is an executable, e.g., PE
• Disassembling: check if the byte code shows something unusual
Dynamic Analysis
• Check the execution of code inside a virtual sandbox
• Monitor
– File changes
– Registry changes
– Processes and threads
– Network ports
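The "file changes" part of the dynamic-analysis monitor, as an added example that is not from the slides or any sandbox product: it snapshots a throwaway working directory, runs a specimen in it, and diffs the two snapshots. It assumes the specimen can be run by the local Python interpreter, and it only observes: the directory is disposable, but nothing here confines the process, and a real sandbox also watches registry keys, processes and network ports.

```python
import hashlib, os, subprocess, sys, tempfile

def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                state[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return state

def diff_snapshots(before, after):
    """Files created, deleted or rewritten between two snapshots."""
    return {"created": sorted(set(after) - set(before)),
            "deleted": sorted(set(before) - set(after)),
            "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p])}

def run_and_monitor(cmd, workdir, timeout=30):
    """Run cmd with workdir as its working directory and report the file changes
    it made there plus its exit code. This is the observation step only: workdir
    is disposable, but nothing here confines the process."""
    before = snapshot(workdir)
    proc = subprocess.run(cmd, cwd=workdir, capture_output=True, timeout=timeout)
    report = diff_snapshots(before, snapshot(workdir))
    report["exit_code"] = proc.returncode
    return report

# Constructed specimen: a harmless script whose only behaviour is the three kinds
# of file change the monitor is meant to surface (drop, modify, delete).
SPECIMEN = """\
import os
with open("dropped.txt", "w") as f: f.write("payload")
with open("config.ini", "a") as f: f.write("\\nrun_on_boot=1")
os.remove("victim.txt")
"""

def demo():
    """Seed a throwaway directory, run the specimen in it, return the report."""
    with tempfile.TemporaryDirectory() as d:
        seed = [("specimen.py", SPECIMEN), ("config.ini", "[app]\n"), ("victim.txt", "data")]
        for name, content in seed:
            with open(os.path.join(d, name), "w") as f:
                f.write(content)
        return run_and_monitor([sys.executable, "specimen.py"], d)

if __name__ == "__main__":
    print(demo())
```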
Virus Detection is Undecidable
• Theoretical result by Fred Cohen (1987)
• Virus abstractly modeled as a program that eventually executes infect
• Code for infect may be generated at runtime
• Proof by contradiction similar to that of the halting problem
• Suppose program isVirus(P) determines whether program P is a virus
• Define new program Q as follows:
  if (not isVirus(Q))
    infect
  stop
• Running isVirus on Q achieves a contradiction
Other Undecidable Detection Problems
• Detection of a virus
– by its appearance
– by its behavior
• Detection of an evolution of a known virus
• Detection of a triggering mechanism
– by its appearance
– by its behavior
• Detection of a virus detector
– by its appearance
– by its behavior
• Detection of an evolution of
– a known virus
– a known triggering mechanism
– a virus detector

Resources
• Computer Emergency Response Team
– Research center funded by the US federal government
– Vulnerabilities database
• Symantec
– Reports on malware trends
– Database of malware
• Art of Computer Virus Research and Defense by Peter Szor

