IA 124 Lecture 07 2024-2025

The document provides an overview of malware, defining it as malicious software designed to harm or exploit systems. It categorizes malware into various types, including viruses, Trojans, ransomware, and spyware, detailing their characteristics, behaviors, and methods of infection. Additionally, it outlines defense strategies against malware, emphasizing the importance of antivirus tools, system updates, and user awareness to mitigate risks.

Uploaded by

raymondzincoba

IA 124:

INTRODUCTION TO IT SECURITY

LECTURE 07
Malicious Software

1 6/6/2025
What is Malware?
❖Malware (short for malicious software) refers to any
software specifically designed to harm, exploit, or gain
unauthorized access to a computer system, network, or
data.
❖Characteristics of Malware
1. Malicious Intent: Created with the purpose of damaging
systems or stealing data.
2. Disguised Behavior: Often appears harmless to trick users
or avoid detection.
3. Unauthorized Actions: Performs operations without user
permission, such as file deletion or spying.
4. Various Forms: Comes in different types, each with
specific goals and behaviors.
Malware
❖Key Purpose of Malware
1. Disrupt system operations
2. Steal sensitive data (like passwords or bank info)
3. Gain unauthorized access
4. Damage or destroy data and devices
❖How Malware Spreads:
1. Infected email attachments or phishing links
2. Malicious downloads or software bundles
3. Infected USB drives or external devices
4. Exploiting security vulnerabilities in systems or
software
5. Visiting compromised or malicious websites
Malware
❖Defense Against Malware
1. Use reputable antivirus and anti-malware tools
2. Keep operating systems and applications updated
3. Avoid suspicious emails, websites, and downloads
4. Implement firewalls and intrusion detection systems
5. Regularly back up important data

❖Malware covers all kinds of malicious software including
Virus, Worm, Trojan Horse, Spyware, Adware,
Ransomware, Rootkit, Keylogger, Trapdoor/Backdoor,
logic bomb/slag code, computer zombies etc.
Malware Categories
❖Malware can be categorized based on how it operates and
whether it requires another program (a "host") to function.
❖Two Categories of Malware:
1. Malware That Needs a Host Program: This type of
malware cannot function independently and must attach
itself to legitimate executable programs or files in
order to be activated.
❖ E.g. Virus, Logic bomb
2. Independent Malware (Self-contained): This type of
malware is self-sufficient and does not require any host
program to be executed.
❖ E.g. Worm
Malware Categories (diagram)
Types of Malware (Trojan Horse)
❖ A Trojan Horse is a type of malware that disguises itself as a
legitimate or harmless file or program to trick users into
installing it. Once inside, it executes malicious actions without the
user’s knowledge.
❖ Key Features of a Trojan:
1. Disguised: Pretends to be useful (e.g., a game, software, or an email
attachment).
2. Non-replicating: Unlike viruses or worms, Trojans do not self-replicate.
3. Delivers payload: Can download other malware, open backdoors, or steal data.
4. User-activated: Requires the user to install or open it (no auto-spread).
Types of Malware (Trojan Horse)…
❖ Common Trojan Activities:
1. Installing spyware or ransomware, logging keystrokes (keyloggers),
2. Creating backdoors for remote access,
3. Stealing personal or financial information,
4. Disabling antivirus or firewall protections.
❖ E.g. You download what looks like a free antivirus tool from a
shady website. After installing it, the "tool" silently records your
keystrokes, sends your passwords to an attacker, and opens a backdoor
that lets the attacker into your system.
❖ Protect Against Trojans: (1) Only download software from
trusted sources, (2) Keep your antivirus and OS updated, (3) Be
cautious of email attachments and pop-ups, (4) Scan files before
opening or installing.
Malicious Programs (Logic Bombs)
❖ Logic Bombs (also called slag code): A Logic Bomb is a type of
malicious code hidden inside a legitimate program that is triggered
by a specific condition or event.
✓ Once triggered, it executes harmful actions, such as: Deleting
files, Corrupting data, Disabling applications or security tools.
✓ Unlike viruses or worms, logic bombs do not replicate.
✓ E.g. An employee embeds a logic bomb in a payroll system to
delete all data if they are ever removed from the payroll (i.e., fired).
❖ Protection:
1. Monitor code changes and system behavior.
2. Restrict access to sensitive systems and scripts.
3. Conduct regular audits and code reviews.
Malicious Programs (Trapdoors)
❖ Trapdoors: A Trapdoor, or Backdoor, is a hidden method of bypassing
normal authentication or security mechanisms in a computer system,
application, or network.
✓ It allows unauthorized access to the system. Usually inserted by
developers (intentionally or maliciously). Can be exploited by attackers to
gain control without being detected.
✓ Why Are Trapdoors Created? (1) For legitimate debugging or
maintenance (e.g., during software development). (2) For malicious
purposes, to secretly access systems later.
✓ E.g. A programmer adds a hidden account with full system access that
does not appear in the user list. Later, they or an attacker uses this account
to control the system.
❖ Prevention: Conduct security code reviews. Limit developer access in
production systems. Use intrusion detection systems (IDS). Regularly
audit user accounts and network activity.
Malicious Programs (Zombie)
❖Zombie: A program that secretly takes over (hijacks) an
Internet-attached computer and then uses it to launch an
untraceable attack. Very common in Distributed Denial-of-Service
(DDoS) attacks.
❖How Does a Computer Become a Zombie?
1. Infection: A computer is infected by a Trojan, worm, or
backdoor malware.
2. Control: The infected computer connects to a
Command & Control (C&C) server run by the attacker.
3. Obedience: The hacker can now remotely control the
zombie computer to perform various tasks.
Malicious Programs (Zombie)…
Purpose of Zombie:
❖ DDoS Attacks: Overwhelm websites or servers with traffic to shut them down,
❖ Spam Email Distribution: Send large volumes of spam or phishing emails,
❖ Data Theft: Collect personal or financial data,
❖ Spreading Malware: Infect other computers across a network,
❖ Cryptomining: Secretly use a victim’s CPU to mine cryptocurrency.
Protection:
❖ Install and update antivirus and anti-malware software
❖ Avoid clicking on suspicious links or attachments
❖ Keep your operating system and applications up to date
❖ Use a firewall to monitor network activity
❖ Disconnect devices that behave suspiciously or slow down without reason
❖Zombie Networks = Botnets
❖ A botnet is a network of many zombie computers controlled by a hacker.
Botnets can contain thousands or millions of zombie devices.
Malicious Programs (Spyware)
❖ Spyware is malicious software that secretly collects information
from a system, transmitting it to external actors for surveillance,
theft, or manipulation purposes. It poses a serious threat to data
privacy and system integrity.
❖ Characteristics
1. Stealth Operation: Operates in the background without alerting
the user.
2. Information Theft: Collects sensitive data such as login
credentials, browsing habits, or files.
3. Remote Reporting: Transmits collected data to an external
server controlled by an attacker.
4. System Monitoring: Tracks keyboard inputs, screen activity, and
application usage.
Malicious Programs (Spyware)…
Purpose of Spyware:
❖ Logging of keystrokes to capture passwords or messages.
❖ Monitoring of web browsing and search history.
❖ Capturing of screenshots or webcam images.
❖ Redirecting of internet traffic to fraudulent websites.
❖ Installation of additional malware or adware.
Methods of Infection:
❖ Bundled with freeware or pirated software.
❖ Delivered via phishing emails or malicious attachments.
❖ Installed through fake system updates or pop-up ads.
❖ Distributed through compromised websites or drive-by downloads.

❖Prevention and Protection Measures:
1. Install and update reputable antivirus or anti-spyware tools.
2. Avoid downloading files or software from untrusted sources.
3. Keep operating systems and applications updated with security patches.
4. Employ firewall protection and browser security settings.
5. Limit administrative privileges to reduce exposure to unauthorized installations.
Malicious Programs (Ransomware)
❖Ransomware is a type of malicious software
(malware) that encrypts a victim's files or locks their
system, making the data or device inaccessible.
❖The attacker then demands a ransom payment,
typically in cryptocurrency, in exchange for the
decryption key or to restore access.
❖Ransomware attacks can target individuals, businesses,
or government systems and are often delivered through
phishing emails, malicious attachments,
compromised websites, or remote desktop protocol
(RDP) vulnerabilities.
Malicious Programs (Ransomware)…
❖ There are two main types:
1. Crypto-ransomware – encrypts files and demands payment for the
decryption key.
2. Locker ransomware – locks the entire system and prevents access
to the desktop or applications.
❖ Prevention strategies include:
1. Regular data backups (offline and cloud-based)
2. Up-to-date antivirus and antimalware tools
3. Employee awareness training
4. Strong email filtering and endpoint protection
5. Regular software patching
❖ Ransomware is a serious cybersecurity threat that can lead to data
loss, business disruption, financial loss, and reputational damage if
not managed properly.
Malicious Programs (Keylogger)
❖ Keylogger is a type of surveillance or malicious software
(malware) that secretly records every keystroke typed on a
keyboard.
❖ This information can include usernames, passwords, credit
card numbers, messages, or any other typed data, which is
then transmitted to an attacker without the user’s knowledge.
❖ Keyloggers can target individuals, businesses, or institutions
and are often delivered through phishing emails, malicious
downloads, software vulnerabilities, or bundled with other
malware like trojans.
❖ In some cases, physical hardware keyloggers can be plugged
between the keyboard and computer.
Malicious Programs (Keylogger)
❖ Prevention strategies include:
1. Up-to-date antivirus and antimalware software
2. Avoiding suspicious email attachments or links
3. Using on-screen keyboards for sensitive inputs (where
feasible)
4. Multi-factor authentication (MFA) to reduce the risk even if
credentials are stolen
5. System monitoring for unauthorized processes or outbound
data
❖ Keyloggers are dangerous cybersecurity threats that can lead
to identity theft, financial fraud, unauthorized system access,
and significant privacy violations. Detecting and removing
them requires both technical tools and strong user awareness.
Types of Malware (Computer Virus)
❖ A computer virus is a host-dependent, self-replicating type
of malware that spreads by attaching itself to legitimate files
or programs, requiring user interaction to activate, and often
causing harm to data, system performance, or security.
❖ Key Characteristics:
1. Self-replicating: Copies itself by attaching to other files or
programs.
2. Host-dependent: Needs a host file (e.g., .exe, .doc) to spread and
activate.
3. Activation required: Executes only when the infected file or
program is opened or run.
4. Can be harmful or harmless: May corrupt, delete, or modify data;
or simply display messages or slow down systems.
Types of Malware (Computer Virus)
Behaviors of a Virus
❖ Corrupting or deleting files
❖ Slowing down system performance
❖ Displaying unwanted messages or pop-ups
❖ Disabling programs or system functions
❖ Spreading to other systems via USB, email, or network
Spread Mechanisms
❖ Infected email attachments
❖ Downloading files from untrusted sources
❖ Using infected USB drives
❖ File sharing across networks
❖ Opening compromised websites

❖ General Prevention Methods:
Malicious Programs
❖ Four stages of virus lifetime
1. Dormant phase: Here, the virus remains idle and gets activated
based on a certain action or event (date, time, program launch, etc.)
2. Propagation phase: The virus starts to replicate, that is, to multiply
itself (cloning of the virus). It spreads by copying itself into other
files, programs, or systems (e.g., via USB drives, emails, or
networks).
3. Triggering phase: A dormant virus moves into this phase when it
gets activated, that is, when the event it was waiting for occurs.
E.g. When a user opens a certain application or file, the virus
recognizes this as its trigger.
4. Execution phase: The virus performs its intended malicious
action, such as: Deleting files, Corrupting data, Displaying
messages or Slowing down the system.
Others: Stages of virus life (6 Stages)
1. Design stage: developing virus code using programming
languages or construction kits.
2. Replication stage: the virus replicates for a period of time
within the target system and then spreads itself.
3. Launch stage: it gets activated when the user performs
certain actions such as running an affected program.
4. Detection stage: the virus is identified as a threat infecting
target systems.
5. Incorporation stage: anti-virus software developers
assimilate defenses against the virus.
6. Elimination stage: users install anti-virus updates and
eliminate the virus threats.
Computer Virus
❖ Avoiding Detection: An infected version of a program is longer
than the corresponding uninfected one, which a length-based scanner can notice
✓Solution (used by the virus): compress the executable file so infected and
uninfected versions are identical in length
❖ Encryption in the operation of a virus: A portion of the
virus, generally called a mutation engine, creates a random
encryption key to encrypt the remainder of the virus.
✓The key is stored with the virus, and the mutation engine
itself is altered. When an infected program is invoked, the
virus uses the stored random key to decrypt the virus.
✓When the virus replicates, a different random key is
selected.
Indications of virus attack
❖ Abnormal activities: If the system acts in an unprecedented
manner, you can suspect a virus attack.
✓ Processes take more resources and time
✓ Computer beeps with no display
✓ Drive label changes
✓ Unable to load the operating system
✓ Anti-virus alerts
✓ Browser window “freezes”
✓ Hard drive is accessed often
✓ Files and folders are missing
✓ Computer freezes frequently or encounters errors
✓ Computer slows down when programs start.
❖ Note: false positives
✓ However, not all glitches can be attributed to virus attacks
Types of viruses
What do they infect?
 System or boot sector viruses
 File viruses
 Cluster viruses
 Macro virus
 Multipartite virus
How do they infect?
 Stealth virus/tunneling virus
 Encryption virus
 Polymorphic virus
 Overwriting file or cavity virus
 Sparse virus
 Companion virus/camouflage virus
 Shell virus
 File extension virus
 Add-on virus
 Intrusive virus
 Direct action or transient virus
 Terminate and stay resident virus (TSR)
System or boot sector viruses
❖ Boot sector virus moves master boot record (MBR) to another
location on the hard disk and copies itself to the original
location of MBR
❖ When system boots, virus code is executed first and then
control is passed to original MBR

MBR: Master Boot Record (figure caption)
Types of viruses…
❖ Files and multipartite viruses
✓ File virus: File viruses infect files which are executed or
interpreted in the system, such as COM, EXE, SYS, OVL, OBJ,
PRG, MNU and BAT files
✓ Multipartite virus: A multipartite virus attempts to attack
both the boot sector and the executable or program files at the
same time
❖ Macro virus
✓ Macro viruses infect files created by Microsoft Word or Excel
✓ Most macro viruses are written using the macro language Visual
Basic for Applications (VBA)
✓ Macro viruses infect templates or convert infected documents
into template files, while maintaining the appearance of
ordinary document files.
Types of viruses…
❖ Cluster viruses
✓ Cluster viruses modify directory table entries so that directory
entries point to the virus code instead of the actual program.
✓ There is only one copy of the virus on the disk, infecting all the programs
in the computer system
✓ It will launch itself first when any program on the computer system
is started, and then control is passed to the actual program
❖ Stealth/tunneling viruses
✓ These viruses evade the anti-virus software by intercepting its
requests to the operating system
✓ A virus can hide itself by intercepting the anti-virus software’s
request to read the file and passing the request to the virus, instead
of the OS.
✓ The virus can then return an uninfected version of the file to the
anti-virus software, so that it appears as if the file is “clean”
Types of viruses…
❖ Encryption viruses
✓ This type of virus uses simple encryption to
encipher the code
✓ The virus is encrypted with a different key for each
infected file
✓ AntiVirus (AV) scanners cannot directly detect these
types of viruses using the signature detection method.
❖ Polymorphic code
✓ Polymorphic code is code that mutates (constantly changes)
while keeping the original algorithm intact
✓ To enable polymorphic code, the virus has to have a polymorphic
engine (also called a mutation engine)
✓ A well-written polymorphic virus therefore has no parts that stay the
same on each infection, making it difficult to detect with anti-malware
programs.
Types of viruses…
❖ Metamorphic viruses
✓ Metamorphic viruses rewrite themselves completely each time
they infect a new executable.
✓ Metamorphic code can reprogram itself by translating its own
code into a temporary representation and then back to the
normal code again.
✓ For example, W32/Simile consisted of over 1400 lines of
assembly code, 90% of which belonged to the
metamorphic engine.
❖ File overwriting or cavity viruses: A cavity virus overwrites a part
of the host file with a constant (usually nulls), without increasing
the length of the file and while preserving its functionality.
Types of viruses…
❖Sparse Infector viruses
✓A sparse infector virus infects only occasionally
(e.g. every 10th program executed), or only files
whose lengths fall within a narrow range.
✓By infecting less often, such viruses try to
minimize the probability of being discovered.
Types of viruses…
❖Companion/camouflage viruses
✓A companion virus creates a companion file for each
executable file the virus infects.
✓Therefore, a companion virus may save itself as
notepad.com and every time a user executes a
notepad.exe (good program), the computer will load
notepad.com (virus) and infect the system.

Types of viruses…
❖ Shell viruses
✓ The virus code forms a shell around the target host program’s code, making
itself the main program and the host code its subroutine.
✓ Almost all boot program viruses are shell viruses
❖ Add-on and intrusive viruses: Add-on viruses append their code
to the host code without making any changes to the latter, or
relocate the host code to insert their own code at the beginning.
File extension viruses
❖File extension viruses change the extensions of the files
❖.TXT is safe as it indicates a pure text file
❖With extensions turned off (hidden), if someone sends you a file
named BAD.TXT.VBS, you will only see BAD.TXT
❖If you have forgotten that extensions are turned off, you
might think it is a text file and open it.
❖This is an executable Visual Basic Script virus file and
could do serious damage.
❖Countermeasure: turn off “Hide file extensions” in
Windows.
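The two filename tricks on these slides, a companion file such as notepad.com beside notepad.exe, and a double extension such as BAD.TXT.VBS that the "Hide file extensions" setting disguises, can both be checked mechanically before a file is opened or let through a mail gateway. The Python below is an added example written for this lecture, not code from the slides: the directory listing and attachment names are constructed, the executable-extension set is a subset of the default Windows PATHEXT list, and the companion check relies on that list trying .COM before .EXE for a bare program name.

```python
from pathlib import PurePath

# Extensions Windows treats as directly executable (a subset of the default
# PATHEXT list). The LAST extension of a name decides how the file is run.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".scr", ".pif"}

# Extensions a reader tends to take as "just data" when they appear mid-name.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".xls", ".xlsx"}


def check_double_extension(name: str) -> dict:
    """Verdict for one file name.

    BAD.TXT.VBS carries two extensions; with 'Hide file extensions' on,
    Explorer shows only BAD.TXT, but the real (last) extension .VBS is what
    runs. The lecture's countermeasure list says to block files with more
    than one file type extension; this implements that rule and notes when a
    decoy 'safe' extension sits in front of the executable one.
    """
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    # What the user sees when known extensions are hidden: name minus last extension.
    shown_as = name[: len(name) - len(real_ext)] if real_ext else name
    verdict = {"name": name, "shown_as": shown_as, "real_ext": real_ext,
               "block": False, "reason": "clean"}
    if len(suffixes) > 1 and real_ext in EXECUTABLE_EXTS:
        verdict["block"] = True
        if any(s in DECOY_EXTS for s in suffixes[:-1]):
            verdict["reason"] = "executable hidden behind a decoy extension"
        else:
            verdict["reason"] = "more than one file type extension"
    return verdict


def find_companion_candidates(filenames) -> list:
    """Report .COM files that sit beside an .EXE of the same base name.

    The command interpreter resolves a bare program name in PATHEXT order,
    where .COM precedes .EXE, so notepad.com is what loads when a user types
    'notepad'. Such pairs are rare on a clean system and worth inspecting.
    """
    by_base = {}
    for name in filenames:
        p = PurePath(name)
        by_base.setdefault(p.stem.lower(), set()).add(p.suffix.lower())
    return sorted(base + ".com" for base, exts in by_base.items()
                  if {".com", ".exe"} <= exts)


# Constructed directory listing and inbound attachment names (not real data).
SAMPLE_DIR = ["notepad.exe", "notepad.com", "calc.exe", "readme.txt"]
SAMPLE_ATTACHMENTS = ["BAD.TXT.VBS", "report.pdf", "invoice.pdf.exe",
                      "archive.tar.gz", "setup.exe"]


def review_attachments(names=SAMPLE_ATTACHMENTS) -> list:
    """Names the double-extension rule would block, in input order."""
    return [v["name"] for v in map(check_double_extension, names) if v["block"]]


if __name__ == "__main__":
    for v in map(check_double_extension, SAMPLE_ATTACHMENTS):
        print(f"{v['name']:<18} shown as {v['shown_as']:<14} -> "
              f"{'BLOCK' if v['block'] else 'allow'} ({v['reason']})")
    print("companion candidates:", find_companion_candidates(SAMPLE_DIR))
```

archive.tar.gz is deliberately left alone: it has two extensions but the last one is not executable, so a rule that counted dots alone would produce needless false positives.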
Transient and terminate and stay
resident viruses
Basic infection techniques
 Direct action or transient virus
✓Transfers all control of the host code to where it
resides
✓Selects the target program to be modified and corrupts it
 Terminate and stay resident virus (TSR)
✓Remains permanently in memory during the entire
work session, even after the target host’s program is
executed and terminated; can be removed only by
rebooting the system.
Computer worms
❖Computer Worm is a type of self-replicating
malicious software (malware) that spreads across
networks without any human interaction or the
need to attach itself to a host program.
❖Worms exploit vulnerabilities in operating systems,
software, or network protocols to infect systems
and propagate automatically.
❖Computer worms can target personal computers,
enterprise networks, or even industrial systems.

Computer worms
❖They are typically delivered through email attachments,
infected websites, or unsecured network shares. Once
inside a network, they rapidly scan and spread to other
connected devices.
❖There are several types, including:
1. Email worms – spread by sending copies of themselves
to contacts via infected email.
2. Internet worms – scan and exploit vulnerabilities in
devices connected to the internet.
3. File-sharing worms – hide in shared folders or peer-to-
peer networks to infect users.

Computer worms…
❖ Prevention strategies include:
1. Regular software patching and system updates
2. Using firewalls and intrusion detection/prevention systems
(IDS/IPS)
3. Strong network segmentation and traffic monitoring
4. Antivirus/antimalware solutions with real-time scanning
5. Educating users to avoid suspicious links and files
❖ Computer worms are especially dangerous due to their speed
and ability to spread autonomously, potentially leading to
network congestion, system crashes, data loss, and
unauthorized access.
❖ Some infamous worms (e.g., ILOVEYOU, WannaCry) have
caused massive global damage.
How is worm different from a virus?

❖A worm is a special type of malicious software that
can replicate itself and use memory, but cannot
attach itself to other programs.
❖A worm takes advantage of file information
transport features on computer systems and spreads
through the infected network automatically, but a
virus does not.
Virus detection methods
❖Scanning
✓Once a virus has been detected, it is possible to write
scanning programs that look for signature strings
characteristic of the virus.
❖Integrity checking
✓Integrity checking products work by reading the entire
disk and recording integrity data that acts as a
signature for the files and system sectors.
❖Interception
✓The interceptor monitors the operating system
requests that are written to the disk.
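To make the scanning and integrity-checking methods concrete, here is an added Python example (mine, not from the lecture) that runs both over a constructed in-memory "disk". The file contents, the signature string and the two modifications are all made up for the demonstration. The second modification overwrites four bytes in place with nulls, the cavity trick from the earlier slide, so that a length-only record (what the first generation of scanners kept) misses it while the checksum of the second generation does not.

```python
import hashlib

# Constructed "disk": path -> file contents. A real tool walks the file system.
CLEAN_DISK = {
    "C:/apps/hello.exe": b"MZ\x90\x00 hello program body",
    "C:/apps/calc.exe": b"MZ\x90\x00 calculator body",
    "C:/docs/notes.txt": b"just notes",
}

# Constructed signature database: sample name -> byte string characteristic of it.
SIGNATURES = {"DEMO.Marker": b"DEMO-MARKER-STRING"}


def scan_for_signatures(disk, signatures=SIGNATURES):
    """Scanning: look for each known signature string inside every file."""
    return [(path, name) for path, data in disk.items()
            for name, sig in signatures.items() if sig in data]


def build_baseline(disk):
    """Integrity checking, record phase: remember the length (what a
    first-generation scanner kept) and a SHA-256 checksum of every file."""
    return {path: {"len": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for path, data in disk.items()}


def verify_baseline(disk, baseline):
    """Integrity checking, verify phase: report files whose length or checksum
    differs from the baseline, plus files that appeared or disappeared."""
    findings = []
    for path, rec in baseline.items():
        if path not in disk:
            findings.append((path, "missing"))
            continue
        data = disk[path]
        if len(data) != rec["len"]:
            findings.append((path, "length changed"))
        elif hashlib.sha256(data).hexdigest() != rec["sha256"]:
            # Same length, different bytes: a length-only check would miss this.
            findings.append((path, "content changed, length same"))
    findings.extend((path, "new file") for path in disk if path not in baseline)
    return findings


def make_modified_disk(clean=CLEAN_DISK):
    """Constructed 'after' state: one file grows by an appended marker string,
    one file has four bytes overwritten in place with nulls (cavity style)."""
    disk = dict(clean)
    disk["C:/apps/hello.exe"] = clean["C:/apps/hello.exe"] + b" " + SIGNATURES["DEMO.Marker"]
    calc = clean["C:/apps/calc.exe"]
    disk["C:/apps/calc.exe"] = calc[:10] + b"\x00" * 4 + calc[14:]   # length unchanged
    return disk


def run_demo():
    """Baseline the clean disk, then scan and verify the modified one."""
    baseline = build_baseline(CLEAN_DISK)
    modified = make_modified_disk()
    return {
        "signature_hits": scan_for_signatures(modified),
        "integrity_findings": verify_baseline(modified, baseline),
    }


if __name__ == "__main__":
    for heading, items in run_demo().items():
        print(heading)
        for item in items:
            print("  ", item)
```

Note the division of labour: the signature scan only finds the file carrying a string already in the database, whereas the integrity check flags both changed files without knowing anything about the modification, which is exactly why the lecture lists the two as separate methods.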
Viruses Countermeasures
1. Antivirus approaches
2. Advanced antivirus techniques
✓Generic Decryption
✓Digital Immune System
3. Behavior-blocking software

Viruses Countermeasures
1. Antivirus Approaches
 Detection : Determine that it has occurred and locate the virus
 Identification: Identify the specific virus
 Removal : Remove all traces and restore the program to its
original state

❖ Generations of Antivirus Software
✓ First: Simple scanners (record of program lengths)
✓ Second: Heuristic scanners (integrity checking with checksums)
✓ Third: Activity traps (memory resident, detect infected actions)
✓ Fourth: Full-featured protection (suite of antivirus techniques,
access control capability)
WHAT ARE THE CURRENTLY AVAILABLE ANTIVIRUS PROGRAMS?
Viruses Countermeasures

2. Advanced Antivirus Techniques
 Generic Decryption
 Digital Immune System
Generic Decryption
❖ Generic Decryption (GD) is an antivirus technique used to
detect encrypted or complicated malware, especially
polymorphic viruses that change their appearance with each
infection.
❖ GD works by executing the suspicious code in a controlled,
virtual environment (sandbox or emulator) and monitoring
its behavior as it decrypts or unpacks itself in memory.
❖ Purpose: To detect and analyze malware that hides its true
behavior until runtime.
❖ How it works: The antivirus loads the potentially infected
file in a safe virtual machine, waits for it to decrypt or reveal
its real code, and then scans it using standard virus signatures.
❖ Benefit: It enables the detection of malware variants that
would otherwise evade traditional signature-based detection.
Generic Decryption…
❖ Contains following elements:
✓CPU emulator: software based virtual computer.
Instructions in an executable file are interpreted by the
emulator rather than executed on the underlying processor
so that the underlying processor is unaffected by programs
interpreted on the emulator.
✓Virus signature scanner: scans target code looking for
known signatures
✓Emulation control module: control execution of target
code. Thus, if the code includes a decryption routine that
decrypts and hence exposes the malware, that code is
interpreted. In effect, the malware does the work for the
anti-virus program by exposing itself. Periodically, the
control module interrupts interpretation to scan the target
code for malware signatures.
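The three GD elements above (CPU emulator, signature scanner, emulation control module) fit in a few dozen lines once the "CPU" is a toy. The Python below is an added example for this lecture, not code from the slides or from any real antivirus product. It also illustrates the encryption-virus slides: the sample's body is stored XOR'd with a per-copy key, so the stored bytes carry no signature, and only the control module's periodic scan of emulated memory, after the sample's own decryption routine has run, finds it. The instruction set ("XOR addr key", "HALT"), the payload and the signature string are all constructed for the demonstration.

```python
SIGNATURE = b"DEMO-MARKER-STRING"   # constructed signature of a "known sample"


def build_sample(key: int, payload: bytes = b"<<" + SIGNATURE + b">>"):
    """Constructed stand-in for an encrypted sample: the body is stored XOR'd
    with a per-copy key (the lecture's 'different random key each time it
    replicates'), preceded by an unrolled decryption routine. Returns the
    emulated memory and the instruction list the emulator will interpret."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    memory = bytearray(b ^ key for b in payload)
    program = [("XOR", i, key) for i in range(len(payload))]   # decrypt byte i
    program.append(("HALT",))
    return memory, program


def signature_scan(memory, signature=SIGNATURE) -> int:
    """Virus signature scanner: substring search; -1 when absent."""
    return bytes(memory).find(signature)


def run_step(memory, instr) -> bool:
    """CPU emulator: interpret one toy instruction against emulated memory only,
    so nothing touches the real processor or file system. Returns False on HALT."""
    op = instr[0]
    if op == "XOR":
        _, addr, key = instr
        memory[addr] ^= key
        return True
    if op == "HALT":
        return False
    raise ValueError(f"unknown opcode {op}")


def emulate_and_scan(memory, program, scan_every=4, max_steps=10_000) -> int:
    """Emulation control module: drive the emulator, pausing every scan_every
    steps to run the scanner over emulated memory. Returns the step at which
    the signature became visible, or -1 if it never did."""
    steps = 0
    for instr in program:
        if steps >= max_steps:      # budget, so a stalling sample cannot hang the scan
            break
        running = run_step(memory, instr)
        steps += 1
        if steps % scan_every == 0 and signature_scan(memory) >= 0:
            return steps
        if not running:
            break
    return steps if signature_scan(memory) >= 0 else -1


def compare(key: int) -> dict:
    """Static scan of the stored bytes versus scan during emulation."""
    memory, program = build_sample(key)
    static = signature_scan(memory)
    return {"static_hit": static >= 0,
            "detected_at_step": emulate_and_scan(memory, program)}


if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        print(f"key 0x{key:02X}: {compare(key)}")
```

Two copies built with different keys have different stored bytes, which is why a plain scan fails for both, yet the emulated run exposes the same signature at the same step for each: the decryption routine does the scanner's work for it, as the slide says.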
Digital Immune System
❖ Digital Immune System (DIS) is an automated, adaptive
threat detection system inspired by the biological immune
system.
❖ It quickly analyzes, responds to, and neutralizes new, unknown,
or zero-day malware by learning from new threats and sharing
updates across a network.
❖ Purpose: To reduce response time and improve malware
detection across multiple systems.
❖ How it works: When a new file or threat is encountered, it's
automatically sent to a central analysis server where it is
analyzed, and a cure (antivirus signature or update) is generated
and distributed back to all connected systems.
❖ Benefit: It enables scalable, collaborative defense with rapid
response to emerging threats across enterprises or large networks.
Digital Immune System…
❖ DIS (Digital Immune System): A closed-loop, suspect-code
submission system designed to detect unknown but
potentially malicious code, quarantine the code, submit it for
analysis, and finally push out new virus definitions to
affected systems.
❖ Developed by IBM (refined by Symantec) as a general-purpose
emulation and virus detection system
❖ Motivation: rising threat of internet-based virus propagation
✓Integrated mail systems (e.g. MS Outlook)
✓Mobile-program systems (e.g. Java and ActiveX)
❖ Expands the use of program emulation
❖ Depends on central Virus Analysis Machines (VAM)
Digital Immune System

1. Each PC runs a monitoring program to detect unusual behavior
2. Encrypt the sample and forward it to the VAM (Virus Analysis Machine)
3. Analyze the sample in a safe environment via emulation
4. The prescription is sent back to the administrative machine
5-6. Forwarded to the infected client as well as the other PCs on the same network
7. All subscribers receive regular antivirus updates
Viruses Countermeasures
3. Behavior-blocking Software
❖ Behavior-blocking software integrates with the operating system of a
host computer and monitors program behavior in real time for
malicious actions.
❖ The behavior blocking software then blocks potentially malicious
actions before they have a chance to affect the system.
❖ IPS – Intrusion Prevention Systems
❖ Monitored behaviors can include
✓ Attempts to open, view, delete, and/or modify files;
✓ Attempts to format disk drives and other unrecoverable disk operations;
✓ Modifications to the logic of executable files or macros;
✓ Modification of critical system settings, such as start-up settings;
✓ Scripting of e-mail and instant messaging clients to send executable
content;
✓ Initiation of network communications.
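The monitored-behaviour list above is essentially a rule set, and a behavior blocker is the engine that evaluates it against events as they happen. The Python below is an added example for this lecture, not code from the slides or from any real product: the event stream (process names, paths, the 203.0.113.7 address from the documentation range) is constructed, and the split into "hard" rules that block on sight and "soft" rules that only block in combination is my design choice, since opening files or connecting to the network is ordinary behaviour on its own.

```python
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    process: str
    action: str   # file.open | file.modify | disk.format | registry.set | net.connect | mail.send
    target: str


# Constructed event stream as a behavior monitor hooked into the OS would see it.
EVENTS = [
    Event(410, "winword.exe", "file.open", "C:/Users/ann/report.docx"),
    Event(410, "winword.exe", "file.modify", "C:/Users/ann/report.docx"),
    Event(982, "update.exe", "registry.set",
          "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/upd"),
    Event(982, "update.exe", "file.modify", "C:/Windows/System32/drivers/etc/hosts"),
    Event(982, "update.exe", "net.connect", "203.0.113.7:4444"),
    Event(1203, "diskpart.exe", "disk.format", "D:"),
    Event(1311, "outlook.exe", "mail.send", "attachment:party.exe"),
]

STARTUP_KEYS = ("/CurrentVersion/Run", "/CurrentVersion/RunOnce")
EXEC_EXTS = (".exe", ".com", ".bat", ".vbs", ".scr", ".dll")
MACRO_EXTS = (".dotm", ".docm", ".xlsm")

# (rule name, severity, predicate). "hard" rules block on sight; "soft" rules
# are normal program behaviour on their own and only block in combination.
RULES = [
    ("unrecoverable disk operation", "hard", lambda e: e.action == "disk.format"),
    ("mail client sending executable content", "hard",
     lambda e: e.action == "mail.send" and e.target.lower().endswith(EXEC_EXTS)),
    ("start-up setting modified", "soft",
     lambda e: e.action == "registry.set" and any(k in e.target for k in STARTUP_KEYS)),
    ("executable or macro modified", "soft",
     lambda e: e.action == "file.modify" and e.target.lower().endswith(EXEC_EXTS + MACRO_EXTS)),
    ("critical system file modified", "soft",
     lambda e: e.action == "file.modify" and "/system32/" in e.target.lower()),
    ("network communication initiated", "soft", lambda e: e.action == "net.connect"),
]


def evaluate(events=EVENTS, soft_threshold=2):
    """Run every rule over every event. Returns (matches, blocked): matches maps
    a process name to the rules it tripped; blocked is the set of processes the
    blocker would stop (any hard rule, or soft_threshold distinct soft rules)."""
    matches = {}
    for e in events:
        for name, severity, pred in RULES:
            if pred(e):
                matches.setdefault(e.process, []).append((name, severity, e.target))
    blocked = set()
    for proc, hits in matches.items():
        hard = any(sev == "hard" for _, sev, _ in hits)
        soft = {name for name, sev, _ in hits if sev == "soft"}
        if hard or len(soft) >= soft_threshold:
            blocked.add(proc)
    return matches, blocked


if __name__ == "__main__":
    matches, blocked = evaluate()
    for proc, hits in matches.items():
        print(proc, "BLOCK" if proc in blocked else "watch")
        for name, sev, target in hits:
            print(f"   [{sev}] {name}: {target}")
```

In the constructed stream winword.exe trips nothing, update.exe is blocked only because it combines a start-up entry, a system-file write and an outbound connection, and the format and executable-mailing events are blocked on their own.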
Malicious Code Protection
Types of Products
 Scanners - identify known malicious code - search
for signature strings
 Integrity Checkers – determine if code has been
altered or changed – checksum based
 Vulnerability Monitors - prevent modification or
access to particularly sensitive parts of the system –
user defined
 Behavior Blockers - list of rules that a legitimate
program must follow – sandbox concept

Virus and Worms countermeasures (others)
1. Ensure the executable code sent to the organization is approved
2. Do not boot the machine with an infected bootable system disk
3. Know about the latest virus threats
4. Check DVDs and CDs for virus infection
5. Ensure the pop-up blocker is turned on and use an Internet firewall
6. Run disk clean-up, registry scanner and defragmentation once a week
7. Block files with more than one file type extension
8. Be cautious with files being sent through the Internet
9. Install anti-virus software that detects and removes infections as they appear
10. Generate an anti-virus policy for safe computing and distribute it to the staff
11. Pay attention to instructions while downloading files or any programs from the Internet
12. Update the anti-virus software on a monthly basis, so that it can identify and clean out new bugs
13. Avoid opening attachments received from an unknown sender, as viruses spread via e-mail and messenger
14. Virus infection may corrupt data, thus regularly maintain data backups
15. Schedule regular scans for all drives after the installation of anti-virus software
16. Do not accept disks or programs without checking them first using a current version of an anti-virus
program.
PRACTICE:
USE CARE WHEN READING EMAIL WITH ATTACHMENTS

⚫ Executable content
⚫ Interesting to you (social engineering)
⚫ Violates trust
⚫ KRESV tests
✓ Know test: Know the sender?
✓ Received test: Received email before?
✓ Expect test: Did you expect this email?
✓ Sense test: Does this email make sense?
✓ Virus test: Contain a virus?
⚫ Doesn’t pass all tests? Don’t open!
⚫ Level of effort: High

INSTALL AND USE ANTIVIRUS SOFTWARE
⚫ Easy way to gain control of your
computer or account
⚫ Violates “trust”
⚫ DURCH tests
➢ Demand: Check files on demand?
➢ Update: Get new virus signatures
automatically?
➢ Respond: What can be done to
infected files?
➢ Check: Test every file for viruses.
➢ Heuristics: Does it look like a virus?
⚫ Level of effort: low
PRACTICE:
MAKE BACKUPS OF IMPORTANT FILES AND FOLDERS

⚫ Can you recover a file or folder if lost?
⚫ Does your computer have a “spare tire”?
⚫ FOMS tests
➢ Files: What files should be backed up?
➢ Often: How often should a backup be made?
➢ Media: What kind of media should be used?
➢ Store: Where should that media be stored?
⚫ Level of effort:
➢ setup: medium to high
➢ maintaining: medium
INSTALL AND USE A FIREWALL PROGRAM
⚫ Limit connections to computer
⚫ Limit connections from computer based on
application
⚫ Portable – follows the computer (laptop)
⚫ PLAT tests
➢ Program – What program wants to connect?
➢ Location – Where does it want to connect?
➢ Allowed – Yes or no?
➢ Temporary – Permanent or temporary?
⚫ Level of effort:
➢ install: low
➢ maintain: high
USE CARE WHEN DOWNLOADING AND
INSTALLING PROGRAMS
Program may satisfy needs but may harm computer
⚫ What does it really do?
⚫ LUB tests
− Learn – What does the
program do to your computer?
− Understand – Can you return
it and completely remove it?
− Buy – Purchase/download
from reputable source?
⚫ Level of effort: high

END

IA 124 LECTURE 07
