Malicious Software

The document discusses different types of malware and how they are classified. It defines malware and outlines key types including viruses, worms, trojans, ransomware, and more. It also covers how malware is classified based on how it spreads and its actions on infected systems.

Uploaded by

OMAR QARKASH
Copyright: © All Rights Reserved

CHAPTER 6

Malicious Software (Malware)

Types of Software: Useful and Malware

Useful Software could be:

- Operating Systems (OS): Control the computer hardware and act as an interface with application programs.
- Application programs: perform a specific function directly for an end user (MS Office, video player, games, email, etc.).
- Utility programs: help to manage, maintain and control computer resources (drivers, antivirus, backup software, disk tools: disk management, cleanup, defragmentation, compression tools, file management). These are a set of computer programs which are designed to perform certain supporting operations.
Malicious Software (Malware)

“Software that exploits vulnerabilities in a computing system to create an attack.”

“A program that is covertly inserted into a system with the intent to
1. destroy data,
2. run destructive or intrusive programs,
3. compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system,
4. or otherwise annoying or disrupting the victim.”
Malicious Software (Malware)

• Malware can pose a threat to application programs, to utility programs, and to kernel-level programs.
• Malware is perhaps the most significant security threat to organizations.
• As a matter of fact, the European Union Agency for Network and Information Security’s annual threat report lists malware as the top cyber threat for 2016 and 2017.
• Key findings of the report state that ransomware continues to dominate the Windows malware scene, with an evolution from 55% in January 2017 to 75% in July 2017.
Types of Malware

Adware: Advertising that is integrated into software; it can result in pop-up ads or redirection of a browser to a commercial site.

Auto-rooter: A malicious hacker tool used to break in to new machines remotely.

Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.

Downloader: A program that installs other items on a machine that is under attack; usually a downloader is sent in an email message.

Dropper: A malware installer that carries malicious software to be executed on the compromised machine; droppers don’t cause harm directly but deliver a malware payload onto a target machine without detection.

Exploit: Code specific to a single vulnerability or set of vulnerabilities.
Types of Malware

Polymorphic dropper: Also called a polymorphic packer, a software exploit tool that bundles several types of malware into a single package, such as an email attachment, and can force its “signature” to mutate over time, making it difficult to detect and remove.

Flooder: A tool used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.

Keyloggers: A software tool that captures keystrokes on a compromised system.

Kit (virus generator): A set of tools for generating new viruses automatically.

Logic bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met, at which point the program triggers an unauthorized act.

Malware as a Service (MaaS): A web-based provider of malware. MaaS may provide access to botnets, support hotlines, and servers that regularly update and test malware strains for efficacy.
Types of Malware

Mobile code: Software that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.

Potentially Unwanted Program (PUP): A program that may be unwanted, despite the possibility that users consented to download it; PUPs are often downloaded in conjunction with programs that users actually want.

Ransomware: A type of malware in which the data on a victim’s computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access returned to the victim.

Remote access Trojan (RAT): A malware program that includes a back-door for administrative control over the target computer; RATs are usually downloaded invisibly with user-requested programs, such as games, or sent as email attachments.

Rootkit: A set of hacker tools used after an attacker has broken into a computer system and gained root-level access.

Scraper: A simple program that searches a computer’s memory for sequences of data that match particular patterns; point-of-sale terminals and other computers usually encrypt payment card data when storing and transmitting it, and attackers often use scrapers to locate card numbers in memory before they are encrypted or after they are decrypted for processing.
Types of Malware

Spammer programs: Programs used to send large volumes of unwanted email.

Spyware: Software that collects information from a computer and transmits it to another system.

Trojan horse: A computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.

Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds, the code is infected; when the infected code is executed, the virus also executes.

Web drive-by: An attack that infects a user system when the user visits a web page.

Worm: A computer program that runs independently and propagates a complete working version of itself onto other hosts on a network.

Zombie, bot: A program that is activated on an infected machine to launch attacks on other machines.
Classification of Malware

Classified into two broad categories:

- Those that need a host program (parasitic code such as viruses)
- Those that are independent, self-contained programs (worms, trojans, and bots)

Also classified by whether it replicates:

- Malware that does not replicate (trojans and spam e-mail)
- Malware that does replicate (viruses and worms)

Also classified by:

- First, how it spreads or propagates to reach the desired targets: infection, exploiting a vulnerability, or social engineering
- Then, the actions or payloads it performs once a target is reached
Classification of Malware

Propagation mechanisms include:

• Infection of existing content by viruses that is subsequently spread to other systems
• Exploit of software vulnerabilities by worms or drive-by-downloads to allow the malware to replicate
• Social engineering attacks that convince users to bypass security mechanisms to install Trojans or to respond to phishing attacks

Payload actions performed by malware once it reaches a target system can include:

• Corruption of system or data files
• Theft of service/make the system a zombie agent of attack as part of a botnet
• Theft of information from the system/keylogging
• Stealthing/hiding its presence on the system

A stealth virus accomplishes this by temporarily moving itself away from the infected file, copying itself to another drive, and replacing itself with a clean file. The stealth virus can also avoid detection by concealing the size of the file it has infected.
Attack Kits
• Initially the development and deployment of malware required considerable
technical skill by software authors
o The development of virus-creation toolkits in the early 1990s and then more general attack kits in the 2000s greatly
assisted in the development and deployment of malware
• Toolkits are often known as “crimeware”
o Include a variety of propagation mechanisms and payload modules that even novices can deploy
o Variants that can be generated by attackers using these toolkits create a significant problem for those defending
systems against them
• Widely used toolkits include:
o Zeus
o Blackhole
o Sakura
o Phoenix
Attack Sources
• Another significant malware development is the change from attackers being individuals often motivated to demonstrate their technical competence to their peers to more organized and dangerous attack sources such as:
o Politically motivated attackers
o Criminals
o Organized crime
o Organizations that sell their services to companies and nations
o National government agencies

• This has significantly changed the resources available and motivation behind the rise of malware and has led to development of a large underground economy involving the sale of attack kits, access to compromised hosts, and to stolen information
Advanced Persistent Threats (APTs)

• Well-resourced, persistent application of a wide variety of intrusion technologies and malware to selected targets (usually business or political)
• Typically attributed to state-sponsored organizations and criminal enterprises
• Differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods
• High profile attacks include Aurora, RSA, APT1, and Stuxnet

APT Characteristics
Advanced
• Use by the attackers of a wide variety of intrusion technologies and malware, including the development of custom malware if required
• The individual components may not necessarily be technically advanced but are carefully selected to suit the chosen target

Persistent
• Determined application of the attacks over an extended period against the chosen target in order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised

Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded attackers’ intent to compromise the specifically chosen targets
• The active involvement of people in the process greatly raises the threat level from that due to automated attack tools, and also the likelihood of successful attacks
APT Attacks
• Aim:
o Varies from theft of intellectual property or security and infrastructure related data to the
physical disruption of infrastructure
• Techniques used:
o Social engineering
o Spear-phishing email
o Drive-by-downloads from selected compromised websites likely to be visited by
personnel in the target organization
• Intent:
o To infect the target with sophisticated malware with multiple propagation mechanisms
and payloads
o Once they have gained initial access to systems in the target organization a further range
of attack tools are used to maintain and extend their access
Viruses
• Piece of software that infects programs
o Modifies them to include a copy of the virus
o Replicates and goes on to infect other content
o Easily spread through network environments

• When attached to an executable program a virus can do anything that the program is permitted to do
o Executes secretly when the host program is run

• Specific to operating system and hardware
o Takes advantage of their details and weaknesses
Virus Components

Infection mechanism
• Means by which a virus spreads or propagates
• Also referred to as the infection vector

Trigger
• Event or condition that determines when the payload is activated or delivered
• Sometimes known as a logic bomb

Payload
• What the virus does (besides spreading)

Virus Phases

Dormant phase
• Virus is idle
• Will eventually be activated by some event
• Not all viruses have this stage

Triggering phase
• Virus is activated to perform the function for which it was intended
• Can be caused by a variety of system events

Propagation phase
• Virus places a copy of itself into other programs or into certain system areas on the disk
• May not be identical to the propagating version
• Each infected program will now contain a clone of the virus which will itself enter a propagation phase

Execution phase
• Function is performed
• May be harmless or damaging

Virus Structure
Virus Classifications

Classification by target
• Boot sector infector
o Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• File infector
o Infects files that the operating system or shell considers to be executable
• Macro virus
o Infects files with macro or scripting code that is interpreted by an application
• Multipartite virus
o Infects files in multiple ways

Classification by concealment strategy
• Encrypted virus
o A portion of the virus creates a random encryption key and encrypts the remainder of the virus
• Stealth virus
o A form of virus explicitly designed to hide itself from detection by anti-virus software
• Polymorphic virus
o A virus that mutates with every infection (only appearance)
• Metamorphic virus
o A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Worms
• Program that actively seeks out more machines to infect and each infected machine
serves as an automated launching pad for attacks on other machines

• Exploits software vulnerabilities in client or server programs

• Can use network connections to spread from system to system

• Spreads through shared media (USB drives, CD, DVD data disks)

• E-mail worms spread in macro or script code included in attachments and instant
messenger file transfers

• Upon activation the worm may replicate and propagate again

• Usually carries some form of payload

• First known implementation was done in Xerox Palo Alto Labs in the early 1980s
Worm Replication

Electronic mail or instant messenger facility
• Worm e-mails a copy of itself to other systems
• Sends itself as an attachment via an instant message service

File sharing
• Creates a copy of itself or infects a file as a virus on removable media

Remote execution capability
• Worm executes a copy of itself on another system

Remote file access or transfer capability
• Worm uses a remote file access or transfer service to copy itself from one system to the other

Remote login capability
• Worm logs onto a remote system as a user and then uses commands to copy itself from one system to the other
Target Discovery
• Scanning (or fingerprinting)
o First function in the propagation phase for a network worm
o Searches for other systems to infect

Scanning strategies that a worm can use:

Random
o Each compromised host probes random addresses in the IP address space using a different seed
o This produces a high volume of Internet traffic which may cause generalized disruption even before
the actual attack is launched
Hit-list
o The attacker first compiles a long list of potential vulnerable machines
o Once the list is compiled the attacker begins infecting machines on the list
o Each infected machine is provided with a portion of the list to scan
o This results in a very short scanning period which may make it difficult to detect that infection is
taking place
Topological
o This method uses information contained on an infected victim machine to find more hosts to scan
Local subnet
o If a host can be infected behind a firewall that host then looks for targets in its own local network
o The host uses the subnet address structure to find other hosts that would otherwise be protected by
the firewall
Morris Worm
• Earliest significant worm infection
• Released by Robert Morris in 1988
• Designed to spread on UNIX systems
o Attempted to crack local password file to use login/password to logon to
other systems
o Exploited a bug in the finger protocol which reports the whereabouts of a
remote user
o Exploited a trapdoor in the debug option of the remote process that receives
and sends mail
• Successful attacks achieved communication with the operating
system command interpreter
o Sent interpreter a bootstrap program to copy worm over
Worm Technology

• Multiplatform
• Multi-exploit
• Ultrafast spreading
• Polymorphic
• Metamorphic
Mobile Code Malware
• Programs that can be shipped unchanged to a variety of platforms
• Transmitted from a remote system to a local system and then
executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
• Takes advantage of vulnerabilities to perform its own exploits
• Popular vehicles for mobile code include Java applets, ActiveX,
JavaScript and VBScript
Mobile Phone Worms
• First discovery was Cabir worm in 2004
• Then Lasco and CommWarrior in 2005
• Communicate through Bluetooth wireless connections or MMS
• Target is the smartphone
• Can completely disable the phone, delete data on the phone, or force
the device to send costly messages
• CommWarrior replicates by means of Bluetooth to other phones,
sends itself as an MMS file to contacts and as an auto reply to
incoming text messages
WannaCry - Ransomware Cryptoworm

• Ransomware attack in May 2017 that spread extremely fast over a period of hours to days, infecting hundreds of thousands of systems belonging to both public and private organizations in more than 150 countries
• It spread as a worm by aggressively scanning both local and random remote networks, attempting to exploit a vulnerability in the SMB file sharing service on unpatched Windows systems
• Once installed on infected systems, it also encrypted files, demanding a ransom payment to recover them. Recovery of this information was generally only possible if the organization had good backups and an appropriate incident response and disaster recovery plan
• Tactics such as threatening to publish sensitive personal information, or to permanently destroy the encryption key after a short period of time, are sometimes used to increase the pressure on the victim to pay up
Drive-By-Downloads

Another propagation mechanism:

• Exploits browser and plugin vulnerabilities so when the user views a webpage controlled by the attacker, it contains code that exploits the bug to download and install malware on the system without the user’s knowledge or consent
• In most cases the malware does not actively propagate as a worm does
• Spreads when users visit the malicious Web page
Clickjacking
• Also known as a user-interface (UI) redress attack
• Vulnerability used by an attacker to collect an infected user’s clicks
o The attacker is hijacking clicks meant for one page and routing them to another page
• Using a similar technique, keystrokes can also be hijacked
o A user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker
Propagation: Social Engineering

• “Tricking” users to assist in the compromise of their own systems

Spam
• Unsolicited bulk e-mail
• Significant carrier of malware
• Used for phishing attacks

Trojan horse
• Program or utility containing harmful hidden code
• Used to accomplish functions that the attacker could not accomplish directly
Social Engineering
The most common examples of social engineering are:

• Phishing
• Spear Phishing
• Vishing (voice phishing)
• Baiting (the difference between baiting and phishing is that baiting primarily exploits human curiosity, whereas phishing attacks rely largely on trust, fear, and a sense of urgency)
• Pretexting (threat actors typically ask victims for certain information, stating that it is needed to confirm the victim's identity)
• Quid Pro Quo (“something for something”)
• Tailgating (an unauthorized person gains physical access to an off-limits location)


Payload:
1. System Corruption

Chernobyl virus
• First seen in 1998
• Windows 95 and 98 virus
• Infects executable files and corrupts the entire file system when a trigger date is reached

Klez
• Mass mailing worm infecting Windows 95 to XP systems
• On trigger date causes files on the hard drive to become empty

Ransomware
• Encrypts the user’s data and demands payment in order to access the key needed to recover the information
• PC Cyborg Trojan (1989)
• Gpcode Trojan (2006)
Payload :
System Corruption

• Real-world damage
• Causes damage to physical equipment
o Chernobyl virus rewrites BIOS code
• Stuxnet worm
o Targets specific industrial control system software
• There are concerns about using sophisticated targeted malware for
industrial sabotage

• Logic bomb
• Code embedded in the malware that is set to “explode” when certain
conditions are met
Payload:
2. Service Theft
Attack Agents - Bots

• Takes over another Internet-attached computer and uses that computer to launch or manage attacks
• Botnet - collection of bots capable of acting in a coordinated manner.
• Unlike a worm, which propagates itself and activates itself, a bot is initially controlled from some central facility
• Uses:
o Distributed denial-of-service (DDoS) attacks
o Spamming
o Sniffing traffic
o Keylogging: captures keystrokes on the infected machine, from which an attacker can retrieve sensitive information
o Spreading new malware
o Installing advertisement add-ons
o Manipulating online polls/games
Remote Control Facility

- Distinguishes a bot from a worm
- Worm propagates itself and activates itself
- Bot is initially controlled from some central facility
Payload
3. Information Theft
Keyloggers and Spyware

Keylogger
• Captures keystrokes to allow attacker to monitor sensitive information
• Typically uses some form of filtering mechanism that only returns information
close to keywords (“login”, “password”)

Spyware
• Subverts the compromised machine to allow monitoring of a wide range of
activity on the system
• Monitoring history and content of browsing activity
• Redirecting certain Web page requests to fake sites
• Dynamically modifying data exchanged between the browser and certain Web
sites of interest
Payload: Information Theft

Phishing
• Exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source
• Include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site
• Suggests that urgent action is required by the user to authenticate their account
• Attacker exploits the account using the captured credentials

Spear-phishing
• Recipients are carefully researched by the attacker
• E-mail is crafted to specifically suit its recipient, often quoting a range of information to convince them of its authenticity
Payload :
4. Stealthing
Backdoor, Rootkit
Backdoor
• Also known as a trapdoor
• Secret entry point into a program allowing the attacker to gain access and bypass
the security access procedures
• Maintenance hook is a backdoor used by Programmers to debug and test
programs

Rootkit
• Set of hidden programs installed on a system to maintain covert access to that
system
• Gives administrator (or root) privileges to attacker
• Can add or change programs and files, monitor processes, send and
receive network traffic, and get backdoor access on demand
Malware Countermeasure Approaches

• Ideal solution to the threat of malware is prevention

Four main elements of prevention:
• Policy (updates, access controls) >> CH 12
• Awareness >> CH 17
• Vulnerability mitigation
• Threat mitigation

• If prevention fails, technical mechanisms can be used to support the following threat mitigation options:
• Detection == locate the malware
• Identification == what is the malware that has infected the system
• Removal == so malware cannot spread further
Generations of Anti-Virus Software

First generation: simple scanners
• Requires a malware signature to identify the malware
• Limited to the detection of known malware

Second generation: heuristic scanners
• Uses heuristic rules to search for probable malware instances
• Another approach is integrity checking

Third generation: activity traps
• Memory-resident programs that identify malware by its actions rather than its structure in an infected program

Fourth generation: full-featured protection
• Packages consisting of a variety of anti-virus techniques used in conjunction
• Include scanning and activity trap components and access control capability
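To make the gap between the first two generations concrete, here is an added example (not from the slides or any product) of a signature scanner beside an integrity checker, run over constructed in-memory files; the signature patterns, file paths and contents are made up for the demo.

```python
"""Added example (not from the slides): a first-generation signature scanner
beside a second-generation integrity checker, run over constructed in-memory
files. Signatures and file contents are made up for the demo."""
import hashlib

# Constructed "signature database": name -> byte pattern. Real AV signatures
# are far more elaborate; these are placeholders for the demo.
SIGNATURES = {
    "DEMO.Dropper.A": b"DEMO-SIG-DROPPER",
    "DEMO.Bomb.B": b"DEMO-SIG-BOMB",
}

# Constructed host files: path -> content, as they looked when trusted.
CLEAN_FILES = {
    "/usr/bin/ls": b"ELF\x02ls-program-body",
    "/usr/bin/cat": b"ELF\x02cat-program-body",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}


def signature_scan(files, signatures=SIGNATURES):
    """First generation: flag a file only if a known byte pattern is present.
    Returns {path: [matching signature names]} for files with at least one hit."""
    hits = {}
    for path, data in files.items():
        matched = [name for name, pattern in signatures.items() if pattern in data]
        if matched:
            hits[path] = matched
    return hits


def build_baseline(files):
    """Record a SHA-256 digest per file while the system is believed clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(files, baseline):
    """Second generation: compare current digests with the baseline.
    Returns (modified, added, missing) path lists; no signature is needed."""
    modified = sorted(p for p in files if p in baseline
                      and hashlib.sha256(files[p]).hexdigest() != baseline[p])
    added = sorted(p for p in files if p not in baseline)
    missing = sorted(p for p in baseline if p not in files)
    return modified, added, missing


def demo():
    """Infect one file with a known pattern and another with unknown code,
    then compare what each generation of scanner catches."""
    baseline = build_baseline(CLEAN_FILES)
    infected = dict(CLEAN_FILES)
    # Parasitic append of a known pattern: both techniques catch it.
    infected["/usr/bin/ls"] += b"DEMO-SIG-DROPPER"
    # Unknown (constructed) code with no signature: only the integrity check catches it.
    infected["/usr/bin/cat"] += b"NEW-UNKNOWN-CODE"
    # A dropped file: the signature scanner ignores it, the baseline comparison flags it.
    infected["/tmp/.payload"] = b"nothing-the-signature-db-knows"
    sig_hits = signature_scan(infected)
    modified, added, missing = integrity_check(infected, baseline)
    return sig_hits, modified, added, missing


if __name__ == "__main__":
    sig_hits, modified, added, missing = demo()
    print("signature scan hits:", sig_hits)
    print("integrity: modified", modified, "added", added, "missing", missing)
```

The trade-off the slides describe shows up directly: the signature scanner stays silent on the unknown code and the dropped file, while the integrity check reports every change but cannot say what the change is.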
Sandbox Analysis
• Running potentially malicious code in an emulated sandbox or on a virtual machine
• Allows the code to execute in a controlled environment where its behavior can be closely monitored without threatening the security of a real system
• Running potentially malicious software in such environments enables the detection of complex encrypted, polymorphic, or metamorphic malware
• The most difficult design issue with sandbox analysis is to determine how long to run each interpretation
• Called Generic Decryption
Host-Based Behavior-Blocking Software
• Integrates with the operating system of a host computer and
monitors program behavior in real time for malicious action
• Blocks potentially malicious actions before they have a chance to affect the system
• Blocks software in real time so it has an advantage over anti-virus detection techniques
such as fingerprinting or heuristics

Limitations
• Because malicious code must run on the target
machine before all its behaviors can be identified, it
can cause harm before it has been detected and
blocked
Perimeter Scanning Approaches
• Anti-virus software typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
• May also be included in the traffic analysis component of an IDS
• May include intrusion prevention measures, blocking the flow of any suspicious traffic
• Approach is limited to scanning malware

Two types of monitoring software:

Ingress monitors
• Located at the border between the enterprise network and the Internet
• One technique is to look for incoming traffic to unused local IP addresses

Egress monitors
• Located at the egress point of individual LANs as well as at the border between the enterprise network and the Internet
• Monitors outgoing traffic for signs of scanning or other suspicious behavior

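As an added example (not from the slides), the ingress and egress checks above, together with the random scanning described under Target Discovery, can be turned into two simple monitors over flow records; the address block, assigned hosts and flow lines are constructed for the demo.

```python
"""Added example (not from the slides): an ingress monitor that flags sources
probing unused local addresses, and an egress monitor that flags internal
hosts fanning out to many destinations on one port, the footprint a
random-scanning worm leaves. Flow records below are constructed for the demo."""
import ipaddress
from collections import defaultdict

# Constructed enterprise addressing: the monitored block and which addresses
# are actually assigned. Everything else in the block is unused ("dark") space.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
ASSIGNED = {ipaddress.ip_address(f"10.0.0.{h}") for h in (10, 11, 12, 20, 21)}

# Constructed flow records: "<time> <src> <dst> <dport>", one per line.
FLOW_LOG = """\
09:00:01 10.0.0.10 93.184.216.34 443
09:00:02 10.0.0.11 93.184.216.34 443
09:00:03 198.51.100.7 10.0.0.10 445
09:00:03 198.51.100.7 10.0.0.57 445
09:00:03 198.51.100.7 10.0.0.58 445
09:00:04 198.51.100.7 10.0.0.59 445
09:00:04 198.51.100.7 10.0.0.60 445
09:00:05 203.0.113.5 10.0.0.20 22
09:00:06 10.0.0.12 203.0.113.40 445
09:00:06 10.0.0.12 203.0.113.41 445
09:00:06 10.0.0.12 203.0.113.42 445
09:00:07 10.0.0.12 203.0.113.43 445
09:00:07 10.0.0.12 203.0.113.44 445
09:00:07 10.0.0.12 203.0.113.45 445
"""


def parse_flows(text):
    """Turn the log text into (src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, dport = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def ingress_dark_space(flows, threshold=3):
    """Ingress monitor: external sources that touch more than `threshold`
    distinct unused local addresses. Legitimate clients only contact assigned
    hosts, so repeated hits on dark space are a strong scanning signal."""
    dark_hits = defaultdict(set)
    for src, dst, _ in flows:
        if src in LOCAL_NET:
            continue  # only traffic entering from outside
        if dst in LOCAL_NET and dst not in ASSIGNED:
            dark_hits[src].add(dst)
    return {str(src): len(d) for src, d in dark_hits.items() if len(d) > threshold}


def egress_fanout(flows, threshold=5):
    """Egress monitor: internal hosts contacting more than `threshold` distinct
    external destinations on the same port, which is what an infected host
    looks like once it starts probing random addresses."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        if src in LOCAL_NET and dst not in LOCAL_NET:
            fanout[(src, dport)].add(dst)
    return {(str(s), p): len(d) for (s, p), d in fanout.items() if len(d) > threshold}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("ingress dark-space scanners:", ingress_dark_space(flows))
    print("egress fan-out hosts:", egress_fanout(flows))
```

The thresholds are deliberately low for the fourteen constructed records; on a real border link they would be tuned against the baseline rate of stray traffic so that ordinary misconfigurations are not flagged.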
Malware Protection Software
• There are numerous open source and commercial malware
protection software packages available for enterprise use
• SP 800-83 lists the following as desired capabilities in
malware protection software:

o Scanning critical host components such as startup files and boot records
o Watching real-time activities on hosts to check for suspicious activity
o Monitoring the behavior of common applications
o Scanning files for known malware
o Identifying common types of malware as well as attacker tools
o Disinfecting files, (removing malware from within a file), and quarantining files, (files
containing malware are stored in isolation for future disinfection or examination)
Summary
• Types of malicious software (malware)
• Advanced persistent threat
• Propagation
o Infected content: viruses
o Vulnerability exploit: worms
o Social engineering: spam e-mail, Trojans
• Payload
o System corruption
o Attack agent: zombie, bots
o Information theft: keyloggers, phishing, spyware
o Stealthing
• Countermeasures
