Security Chap 6

Chapter 6

Malicious Software
Malware

“a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” (NIST SP 800-83)

Malware Terminology
Classification of Malware
Different Types Of Malicious Software
1. Computer Virus
A computer virus is a type of malicious software that self-replicates by attaching itself to other files or programs. The viral code runs covertly whenever the infected host program or file is activated. Types of computer virus include memory-resident viruses, program (file) viruses, boot sector viruses, stealth viruses, macro viruses and e-mail viruses.
2. Worms
A worm, like a virus, is a self-replicating program; unlike a virus, however, it needs no host file and executes itself automatically. Worms spread over a network and can mount a large, destructive attack within a short period.
3. Trojan Horses
Unlike a virus or a worm, a Trojan horse is a non-replicating program that appears legitimate. Having gained the user's trust, it secretly performs malicious and illicit actions when executed. Attackers use Trojan horses to steal a user's passwords and to destroy data or programs on the hard disk. Trojans are hard to detect because the user installs and runs them deliberately.
4. Spyware/Adware
Spyware is malicious software that secretly records information about a user and forwards it to third parties. The information gathered may cover files accessed on the computer, the user's online activity, or even the user's keystrokes.
Adware, as the name suggests, displays advertising banners while a program is running. Adware can also behave like spyware: it may be deployed to gather confidential information, that is, to spy on the victim's computer and collect data from it.
5. Rootkit
A rootkit is malicious software that stealthily alters the normal functionality of the operating system. The alteration gives the attacker full control of the system, acting as its administrator. Almost all rootkits are designed to hide their own existence (and often that of other malware).
Types Of Malicious Software
6. Backdoor / remote access Trojan (RAT)
A backdoor virus or remote access Trojan (RAT) secretly creates a backdoor into an infected computer system that lets threat actors access it remotely without alerting the user or the system's security software.
7. Adware
Adware tracks a user's browser and download history in order to display pop-up or banner advertisements that lure the user into making a purchase. For example, an advertiser might use cookies to track the web pages a user visits so as to target advertising better.
8. Keyloggers
Keyloggers, also called system monitors, track nearly everything a user does on the computer: e-mails, opened web pages, programs and keystrokes.
Attack Kits
• Initially the development and deployment of malware required considerable technical skill of the software authors
• The development of virus-creation toolkits in the early 1990s, and then of more general attack kits in the 2000s, greatly eased the development and deployment of malware
• Toolkits are often known as “crimeware”
• They include a variety of propagation mechanisms and payload modules that even novices can deploy
• The large number of variants that attackers can generate with these toolkits creates a significant problem for those defending systems against them
• Examples are:
• Zeus
• Angler
Attack Sources
• Another significant development in malware is the shift from attackers who were individuals, often motivated to demonstrate their technical competence to their peers, to more organized and dangerous attack sources
• This has significantly changed the resources available to attackers and their motivation, and has led to the development of a large underground economy involving the sale of attack kits, of access to compromised hosts, and of stolen information
Advanced Persistent Threats (APTs)
• An advanced persistent threat (APT) is a cyber attack launched by an attacker with substantial means, organization and motivation to carry out a sustained assault against a target.
• The attacker's goal is to remain hidden over an extended period of time and incrementally obtain the permissions required to achieve the attack's objectives.
• APTs differ from zero-day and other types of cyber attack in a number of ways:
• This type of attack is expensive to conduct, so it is usually aimed at highly valuable targets such as government facilities, defense contractors, media outlets and manufacturers of high-tech products.
• Threat actors often use legitimate credentials that they have acquired by exploiting known vulnerabilities, by social engineering, or by brute-force attacks.
• The attacker will often develop and deploy customized malware and seek to compromise trusted third-party software (a software supply-chain attack).
• APT threat actors spend time and money to monitor their target closely and pivot to other attack vectors when necessary.
• High-profile attacks include Aurora, RSA, APT1 and Stuxnet
APT Characteristics
APT Attacks
• Aim:
• Varies from theft of intellectual property or security and infrastructure related data to the physical disruption of infrastructure
• Techniques used:
• Social engineering
• Spear-phishing e-mail
• Drive-by downloads from selected compromised websites likely to be visited by personnel in the target organization
• Intent:
• To infect the target with sophisticated malware with multiple propagation mechanisms and payloads
• Once they have gained initial access to systems in the target organization, a further range of attack tools are used to maintain and extend their access
Viruses
• A computer virus is a program that damages computer systems and/or destroys or erases data files.
• More precisely, it is a malicious program that self-replicates by copying itself into another program: it spreads by itself into other executable code or documents.
• Viruses are typically created to infect vulnerable systems, gain administrative control and steal sensitive user data.
Symptoms:
• Letters appear to fall to the bottom of the screen (the effect of the Cascade virus).
• The computer system becomes slow.
• The amount of available free memory shrinks.
• The hard disk runs out of space.
• The computer does not boot.
Virus Components
Virus Phases
Types of Computer Virus:
• Parasitic –
Infects executables (.COM or .EXE files, whose execution starts at the first instruction). Propagates by attaching itself to a particular file or program. Generally resides at the start (prepending) or at the end (appending) of the file, e.g. Jerusalem.
• Boot Sector –
Spread by infected floppy disks or pen drives used to boot the computer. During system boot the boot sector virus is loaded into main memory before the operating system and can corrupt data stored on the hard disk, e.g. Polyboot, Disk Killer, Stoned, AntiEXE.
• Polymorphic –
Changes itself with each infection and creates multiple different copies, so it is difficult for antivirus software to detect, e.g. Involutionary, Cascade, Evil, Virus 101, Stimulate.
Three major parts: an encrypted virus body, a decryption routine that varies from infection to infection, and a mutation engine.
• Multipartite –
Uses more than one propagation method (e.g. infects both boot sectors and program files).
• Memory Resident –
Installs its code in the computer's memory. It stays active while the OS runs and infects or damages every file opened during that time, e.g. Randex, CMJ, Meve.
Types of Computer Virus:
• Stealth –
Hides its tracks after infection. It modifies itself and masks the size of the infected file, so it is difficult to detect, e.g. Frodo, Joshi, Whale.
• Macro –
Associated with application software such as Word and Excel. When the infected document is opened, the macro virus runs inside the application with the user's privileges and can carry out its payload, including corrupting data stored on the hard disk. Because it is attached to documents, it spreads only with those infected documents, e.g. DMV, Melissa.A, Relax, Nuclear, Word Concept.
• E-Mail Viruses – Melissa, Happy99
– exploits a MS Word macro in the attached document
– if the attachment is opened, the macro activates
– sends e-mail to everyone in the user's address list and does local damage
Macro and Scripting Viruses
• macro virus:
“a virus that attaches itself to documents and uses the macro programming capabilities of the document’s application to execute and propagate”
• Macro viruses infect scripting code used to support active content in a variety of user document types
• They are threatening for a number of reasons:
• They are platform independent
• They infect documents, not executable portions of code
• They are easily spread
• Because they infect user documents rather than system programs, traditional file system access controls are of limited use in preventing their spread, since users are expected to modify those documents
• They are much easier to write or to modify than traditional executable viruses
Virus Classifications

Classification by target
• Boot sector infector
• Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus
• File infector
• Infects files that the operating system or shell considers to be executable
• Macro virus
• Infects files with macro or scripting code that is interpreted by an application
• Multipartite virus
• Infects files in multiple ways

Classification by concealment strategy
• Encrypted virus
• A portion of the virus creates a random encryption key and encrypts the remainder of the virus
• Stealth virus
• A form of virus explicitly designed to hide itself from detection by anti-virus software
• Polymorphic virus
• A virus that mutates with every infection
• Metamorphic virus
• A virus that mutates and rewrites itself completely at each iteration and may change behavior as well as appearance
Virus countermeasures
Antivirus Approaches
• The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place. The four main elements of prevention are:
1. policy 2. awareness 3. vulnerability mitigation 4. threat mitigation
• If prevention fails, technical mechanisms can be used to support the following threat mitigation options:
• detection
• identification
• removal
• If a virus is detected but cannot be identified or removed, the infected program must be discarded and replaced with a clean backup copy
Anti-virus evolution
As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated.

1st Generation, Simple Scanners: search files for any of a library of known virus “signatures” (a signature matches essentially the same bit pattern in every copy of the virus, possibly with wildcards).
Check executable files for length changes.
Limited to the detection of known malware.

2nd Generation, Heuristic Scanners: look for more general signs than specific signatures (e.g. code segments common to many viruses, such as the start of an encryption loop).
Integrity checking: record a checksum or hash of each file and report files whose checksum or hash has changed.

3rd Generation, Activity Traps: identify viruses by the actions they take.
Stay resident in memory and look for certain patterns of software behavior (e.g., scanning files).

4th Generation, Full-Featured: combine the best of the techniques above.
• packages consisting of a variety of anti-virus techniques used in conjunction
• include scanning and activity trap components and access control capability
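The first two generations in working form, as an added example that is not part of the original slides: a signature scanner (1st generation) and a length/hash integrity checker (2nd generation) run over constructed in-memory "files". The signature database, the file contents and the simulated infection are all invented for the demonstration; the bytes are not real programs or real malware.

```python
"""Added example (not from the slides): a first-generation signature
scanner and a second-generation integrity checker run over constructed
in-memory "files".  The signature database, file contents and the
simulated infection are all made up for this demonstration."""
import hashlib

# Constructed signature database: name -> byte pattern found in the virus body.
SIG_DB = {
    "Demo.Appender": b"\xeb\x1e\x5e\x31\xc0\x8a\x06",   # made-up pattern
    "Demo.Prepender": b"\x60\xe8\x00\x00\x00\x00\x5d",  # made-up pattern
}


def scan_signatures(data: bytes, sigs=SIG_DB):
    """1st generation: report every known signature present in the file."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record (length, hash) of each clean file.  This is the 2nd-generation
    integrity database; it must be stored where malware cannot edit it."""
    return {path: (len(data), sha256(data)) for path, data in files.items()}


def integrity_check(files: dict, baseline: dict):
    """2nd generation: list files that are new or whose length/hash changed.
    Catches unknown viruses too, but only if the baseline was taken while
    the files were still clean."""
    findings = []
    for path, data in files.items():
        if path not in baseline:
            findings.append((path, "new"))
        elif (len(data), sha256(data)) != baseline[path]:
            findings.append((path, "modified"))
    return findings


def sample_files() -> dict:
    """Constructed clean 'executables' (arbitrary bytes, not real programs)."""
    return {
        "bin/editor.exe": b"MZ\x90\x00" + bytes(range(64)),
        "bin/viewer.exe": b"MZ\x90\x00" + bytes(range(64, 128)),
        "bin/backup.exe": b"MZ\x90\x00" + bytes(range(128, 192)),
    }


def simulate_infection(files: dict) -> dict:
    """Constructed infection: an appending virus with a known signature is
    glued to the end of editor.exe; an unknown virus (no entry in SIG_DB)
    is prepended to viewer.exe and also dropped as a new file."""
    infected = dict(files)
    infected["bin/editor.exe"] = files["bin/editor.exe"] + SIG_DB["Demo.Appender"] + b"\xc3"
    unknown = b"\x55\x89\xe5\x31\xdb" + b"\x90" * 8          # not in SIG_DB
    infected["bin/viewer.exe"] = unknown + files["bin/viewer.exe"]
    infected["bin/dropper.exe"] = unknown
    return infected


def demo():
    clean = sample_files()
    baseline = build_baseline(clean)            # taken while still clean
    infected = simulate_infection(clean)
    by_signature = {p: scan_signatures(d) for p, d in infected.items() if scan_signatures(d)}
    by_integrity = integrity_check(infected, baseline)
    return by_signature, by_integrity


if __name__ == "__main__":
    sig, integ = demo()
    print("signature hits:", sig)        # only the known appender
    print("integrity findings:", integ)  # both infected files plus the new one
```

The signature pass finds only the virus it already knows; the integrity pass flags the unknown prepender and the dropped file as well, which is exactly the gain of the second generation, at the price of needing a trustworthy baseline and of saying nothing about a file that was already infected when the baseline was taken.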
Advanced Antivirus Techniques
GENERIC DECRYPTION (GD)
• GD technology enables the anti-virus program to detect complex polymorphic viruses and other malware while maintaining fast scanning speeds
• Executable files are run through a GD scanner which contains the following elements:
• CPU emulator: a software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator
• Virus signature scanner: a module that scans the target code looking for known virus signatures
• Emulation control module: controls the execution of the target code
 Lets the virus decrypt itself inside the interpreter
 Periodically scans the emulated memory for virus signatures; once the virus has decrypted its body, the signature appears in plain form
 The most difficult design issue with a GD scanner is to determine how long to run each interpretation: too short and the virus has not yet decrypted itself, too long and scanning becomes slow
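The GD idea end to end, as an added example that is not part of the original slides: a toy CPU emulator, a "polymorphic" sample for it that XOR-decrypts its payload in a loop, and a scanner that lets the sample run in the emulator while checking emulated memory for a signature every few instructions. The instruction set, the sample, its signature and the step budget are all invented for this demonstration; the sample is a 25-byte program for the toy machine, not real malware.

```python
"""Added example (not from the slides): a toy CPU emulator used the way a
generic-decryption (GD) scanner uses one.  The instruction set, the
'virus' sample and its signature are all invented for this demonstration;
the sample is a 25-byte program for the toy machine, not real malware."""

# Toy instruction set (made up): opcode, operands
#   10 r imm   MOV  r, imm          20 a k    XORM [r_a] ^= r_k
#   30 r       INC  r               40 r      DEC  r
#   50 r addr  JNZ  r, addr         60 addr   JMP  addr
#   FF         HLT
BODY_START = 21                               # size of the decryptor stub
PAYLOAD = bytes([0x10, 0x03, 0x42, 0xFF])     # MOV r3, 0x42 ; HLT
SIGNATURE = PAYLOAD                           # what the signature scanner looks for


def build_sample(key: int) -> bytes:
    """Build one polymorphic instance: a decryptor loop followed by the
    payload XOR-encrypted with `key`.  Different keys give different bytes."""
    stub = bytes([
        0x10, 0x00, BODY_START,        # MOV r0, BODY_START   (pointer)
        0x10, 0x01, len(PAYLOAD),      # MOV r1, len          (counter)
        0x10, 0x02, key,               # MOV r2, key
        0x20, 0x00, 0x02,              # loop: XORM [r0] ^= r2
        0x30, 0x00,                    #       INC r0
        0x40, 0x01,                    #       DEC r1
        0x50, 0x01, 0x09,              #       JNZ r1, loop
        0x60, BODY_START,              # JMP BODY_START (run decrypted payload)
    ])
    assert len(stub) == BODY_START
    return stub + bytes(b ^ key for b in PAYLOAD)


def emulate(mem: bytearray, max_steps: int, on_step=None):
    """Interpret the toy program in `mem`.  `on_step(mem, n)` is called after
    every instruction; returning True stops emulation with 'detected'."""
    regs = [0, 0, 0, 0]
    pc = steps = 0
    while steps < max_steps:
        op = mem[pc]
        if op == 0x10:
            regs[mem[pc + 1]] = mem[pc + 2]; pc += 3
        elif op == 0x20:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]; pc += 3
        elif op == 0x30:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF; pc += 2
        elif op == 0x40:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFF; pc += 2
        elif op == 0x50:
            pc = mem[pc + 2] if regs[mem[pc + 1]] else pc + 3
        elif op == 0x60:
            pc = mem[pc + 1]
        elif op == 0xFF:
            return "halt", steps
        else:
            return "illegal", steps       # a real GD scanner also stops here
        steps += 1
        if on_step and on_step(mem, steps):
            return "detected", steps
    return "timeout", steps


def static_scan(program: bytes, sig: bytes = SIGNATURE) -> bool:
    """1st-generation scan of the bytes as they sit on disk."""
    return sig in program


def gd_scan(program: bytes, sig: bytes = SIGNATURE, max_steps: int = 200, scan_every: int = 4):
    """GD scan: let the sample decrypt itself in the emulator and check the
    emulated memory for the signature every `scan_every` instructions.
    `max_steps` is the 'how long to run' budget the slide calls the hardest
    design decision."""
    mem = bytearray(program)
    return emulate(mem, max_steps, lambda m, n: n % scan_every == 0 and sig in m)


if __name__ == "__main__":
    for key in (0x5A, 0xA7):
        sample = build_sample(key)
        print(f"key {key:#04x}: static={static_scan(sample)} gd={gd_scan(sample)}")
    print("budget too small:", gd_scan(build_sample(0x5A), max_steps=10))
```

Two instances built with different keys share no signature on disk, so the static scan misses both, while the GD scan detects both after the same 16 emulated instructions (the fourth pass of the XOR loop). Cutting the budget to 10 steps turns that into a timeout, which is the trade-off the slide describes.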
Advanced Antivirus Techniques
Digital immune system: a comprehensive approach to virus protection developed by IBM (later an IBM/Symantec project)

1. A monitoring program infers the presence of a virus and sends a copy to an administrative machine
2. The administrative machine encrypts the sample and sends it to a central analysis machine
3. Central analysis: the virus is executed safely in a sandbox and analyzed, and a prescription (signature and removal instructions) is produced
4. The prescription is sent back to the administrative machine
5. The administrative machine forwards it to all clients
6. The prescription is forwarded to other organizations
7. Subscribers worldwide receive regular updates
Host-Based Behavior-Blocking Software
• Unlike heuristic or fingerprint-based scanners, behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions
• Blocks potentially malicious actions before they have a chance to affect the system
• Because it blocks software in real time it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics
• Limitation: because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked
Behavior-blocking software
Integrates with the OS; looks for bad behavior

Monitored behaviors:
- Attempts to open, view, delete, modify files
- Attempts to format drives
- Modifications to the logic of executables
- Modifications to critical system settings
- Scripting of e-mail to send executable content
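The monitored-behavior list turned into rules, as an added example that is not part of the original slides: a minimal behavior blocker applied to a constructed stream of process events. The event format, the rule thresholds and the sample events are invented; a real product obtains such events by hooking the OS (file-system filter, registry and network callbacks) rather than from a list.

```python
"""Added example (not from the slides): a minimal behavior blocker that
applies the monitored-behavior list to a constructed stream of process
events.  The event format, the rule thresholds and the sample events are
invented; a real product hooks the OS to obtain such events."""
from collections import defaultdict

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")
CRITICAL_SETTINGS = ("\\currentversion\\run", "\\services\\")   # registry paths
DELETE_THRESHOLD = 3     # made-up: 3 deletes by one process count as "mass deletion"


class BehaviorBlocker:
    def __init__(self, delete_threshold: int = DELETE_THRESHOLD):
        self.delete_threshold = delete_threshold
        self.deletes = defaultdict(int)     # pid -> deletes seen so far

    def decide(self, ev: dict):
        """Return ("allow"|"block", reason) for one event."""
        action = ev["action"]
        target = ev.get("target", "").lower()
        if action == "write" and target.endswith(EXEC_SUFFIXES):
            return "block", "modification of executable code"
        if action == "format":
            return "block", "attempt to format a drive"
        if action == "reg_set" and any(k in target for k in CRITICAL_SETTINGS):
            return "block", "modification of a critical system setting"
        if action == "send_mail" and ev.get("attachment", "").lower().endswith(EXEC_SUFFIXES):
            return "block", "e-mail scripted to send executable content"
        if action == "delete":
            # Stateful rule: the first deletes must be observed before the
            # pattern is recognisable, which is the limitation the slide notes.
            self.deletes[ev["pid"]] += 1
            n = self.deletes[ev["pid"]]
            if n >= self.delete_threshold:
                return "block", f"mass deletion ({n} files)"
        return "allow", action


# Constructed event stream for one suspicious process (pid 1234).
SAMPLE_EVENTS = [
    {"pid": 1234, "action": "open",      "target": r"C:\Users\bob\invoice.docx"},
    {"pid": 1234, "action": "write",     "target": r"C:\Windows\System32\wsock32.dll"},
    {"pid": 1234, "action": "reg_set",   "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"pid": 1234, "action": "delete",    "target": r"C:\Users\bob\Documents\a.docx"},
    {"pid": 1234, "action": "delete",    "target": r"C:\Users\bob\Documents\b.docx"},
    {"pid": 1234, "action": "delete",    "target": r"C:\Users\bob\Documents\c.docx"},
    {"pid": 1234, "action": "send_mail", "target": "alice@example.com", "attachment": "invoice.exe"},
    {"pid": 1234, "action": "format",    "target": "D:"},
]


def run(events=SAMPLE_EVENTS):
    """Replay the events through one blocker; returns the decision per event."""
    blocker = BehaviorBlocker()
    return [blocker.decide(ev) for ev in events]


if __name__ == "__main__":
    for ev, (verdict, reason) in zip(SAMPLE_EVENTS, run()):
        print(f"{verdict:5} {ev['action']:9} {ev.get('target', '')}  [{reason}]")
```

Note that two of the three deletes are allowed before the mass-deletion rule fires: behavior blocking acts on what a program actually does, so some damage can precede the block.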
Features of Antivirus:
• Malware detection and removal
• Firewall
• Automatic sandboxing
• Virus scan
• Identity protection
• Backup
• E-mail protection
• Social media protection
Worm
• A worm is a destructive program that fills a computer system with self-replicating copies of itself, clogging the system so that its operations are slowed down or stopped.
• A program that actively seeks out more machines to infect; each infected machine serves as an automated launching pad for attacks on other machines
• Exploits software vulnerabilities in client or server programs
• Can use network connections to spread from system to system
• Spreads through shared media (USB drives, CD, DVD data disks)
• Upon activation the worm may replicate and propagate again
• Has phases like a virus: dormant, propagation, triggering, execution
• Propagation phase: searches for other systems, connects to each, copies itself to it and runs there
• Usually carries some form of payload
• The first known implementation was done at the Xerox Palo Alto Research Center in the early 1980s
Types of Worm:
• E-mail worm – spreads as an attachment to fake e-mail messages.
• Instant messaging worm – spreads via instant messaging applications, using loopholes in the network.
• Internet worm – scans systems for exploitable OS services.
• Internet Relay Chat (IRC) worm – spreads through IRC channels, e.g. by transferring infected files to other users.
• Payloads – delete or encrypt files, install a backdoor, create a zombie, etc.
• Worms with good intent – e.g. download and apply application patches.
Worm Replication
Morris worm
• One of the best-known worms
• Released by Robert Morris in 1988
– Affected about 6,000 computers; estimated cost $10-$100 M
• Used various attacks on UNIX systems:
– cracking the password file to obtain login/password pairs for logging on to other systems
– exploiting a bug in the finger daemon
– exploiting a bug in sendmail
• If any attack succeeded it had remote shell access
– sent a bootstrap program to copy the worm over
Recent worm attacks
• Code Red
– July 2001, exploited a MS IIS bug
– probes random IP addresses, launches a DDoS attack
– consumes significant network capacity when active
– infected 360,000 servers in 14 hours
• Code Red II variant includes a backdoor: the attacker controls the worm
• SQL Slammer (exploited a buffer-overflow vulnerability)
– early 2003, attacks MS SQL Server
– compact and very rapid spread
• Mydoom (100 M infected messages in 36 hours)
– mass-mailing e-mail worm that appeared in 2004
– installed a remote access backdoor in infected systems
More Recent Worm Attacks
Melissa – 1999 – E-mail worm; first to include virus, worm and Trojan in one package
Code Red – July 2001 – Exploited a Microsoft IIS bug; probes random IP addresses; consumes significant Internet capacity when active
Code Red II – August 2001 – Also targeted Microsoft IIS; installs a backdoor for access
Nimda – September 2001 – Had worm, virus and mobile code characteristics; spread using e-mail, Windows shares, Web servers, Web clients and backdoors
SQL Slammer – Early 2003 – Exploited a buffer overflow vulnerability in SQL Server; compact and spread rapidly
Sobig.F – Late 2003 – Exploited open proxy servers to turn infected machines into spam engines
Mydoom – 2004 – Mass-mailing e-mail worm; installed a backdoor in infected machines
Warezov – 2006 – Creates executables in system directories; sends itself as an e-mail attachment; can disable security-related products
Conficker (Downadup) – November 2008 – Exploits a Windows buffer overflow vulnerability; most widespread infection since SQL Slammer
Stuxnet – 2010 – Restricted its rate of spread to reduce the chance of detection; targeted industrial control systems
State of worm technology
The state of the art in worm technology includes the following:
• Multiplatform: newer worms are not limited to Windows machines but can attack a variety of platforms, especially the popular varieties of UNIX.
• Multi-exploit: new worms penetrate systems in a variety of ways, using exploits against Web servers, browsers, e-mail, file sharing, and other network-based applications.
• Ultrafast spreading: one technique to accelerate the spread of a worm is to conduct a prior Internet scan to accumulate the addresses of vulnerable machines (a "hit list") before launch.
• Polymorphic: each copy has new code
• Metamorphic: changes appearance and behavior
• Transport vehicles: because worms can rapidly compromise a large number of systems, they are ideal for spreading other distributed attack tools, such as distributed denial-of-service bots.
• Zero-day exploit: to achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.
Worm countermeasures
• Overlap with anti-virus techniques
• Once a worm is on a system, A/V software can detect it
• Worms also cause significant network activity, which can be detected on the network
• A signature is a virus fingerprint
– e.g., a string with a sequence of instructions specific to each virus
– different from a digital signature

Six classes of worm defense approaches:
– signature-based worm scan filtering: generate a worm signature and use it to block worm scans entering or leaving a network or host
– filter-based worm containment: similar, but focuses on the worm's content rather than a scan signature
– payload-classification-based worm containment: examine packets for anomalies that indicate a worm
– threshold random walk (TRW) scan detection: exploits the randomness of the destinations a scanner picks (many failed first-contact connections) to detect a scanner in operation
– rate limiting: limit the rate of scan-like traffic from an infected host
– rate halting: immediately block all outgoing traffic when a threshold on the outgoing connection rate or on the diversity of connection attempts is exceeded
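Two of the six classes in running form, as an added example that is not part of the original slides: threshold random walk scan detection and rate halting, replayed over constructed connection-log lines. The log format, hosts, thresholds and the success probabilities assumed for a benign host and for a scanner are invented; the TRW test itself is the sequential hypothesis test of Jung et al., written here in log-likelihood form.

```python
"""Added example (not from the slides): threshold random walk (TRW) scan
detection and rate halting run over constructed connection-log lines.
Log format, hosts, thresholds and the benign/scanner probabilities are
invented for the demonstration."""
import math
from collections import defaultdict

# Constructed log: "<seconds> <src> <dst>:<port> <success|fail>"
SAMPLE_LOG = """\
0.10 10.0.0.5 10.0.0.20:80 success
0.20 10.0.0.5 10.0.0.21:443 success
0.30 10.0.0.5 10.0.0.20:80 success
0.40 10.0.0.5 10.0.0.22:22 success
0.50 10.0.0.5 10.0.0.23:80 success
1.00 10.0.0.9 10.0.1.1:445 fail
1.05 10.0.0.9 10.0.1.2:445 fail
1.10 10.0.0.9 10.0.1.3:445 success
1.15 10.0.0.9 10.0.1.4:445 fail
1.20 10.0.0.9 10.0.1.5:445 fail
1.25 10.0.0.9 10.0.1.6:445 fail
"""


class TRWDetector:
    """Sequential hypothesis test on first-contact connection outcomes.
    theta0/theta1: assumed P(success) for a benign host / a scanner.
    alpha/beta: target false-positive rate / detection probability."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.upper = math.log(beta / alpha)                  # cross: scanner
        self.lower = math.log((1 - beta) / (1 - alpha))      # cross: benign
        self.w_success = math.log(theta1 / theta0)           # negative step
        self.w_fail = math.log((1 - theta1) / (1 - theta0))  # positive step
        self.llr = defaultdict(float)      # src -> log-likelihood ratio so far
        self.seen = defaultdict(set)       # src -> destinations already tried
        self.verdict = {}

    def observe(self, src, dst, ok):
        if src in self.verdict or dst in self.seen[src]:
            return self.verdict.get(src)   # already decided, or a repeat contact
        self.seen[src].add(dst)
        self.llr[src] += self.w_success if ok else self.w_fail
        if self.llr[src] >= self.upper:
            self.verdict[src] = "scanner"
        elif self.llr[src] <= self.lower:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


class RateHalter:
    """Block all outgoing traffic from a host once it contacts more than
    `max_new` distinct new destinations within `window` seconds."""

    def __init__(self, max_new=4, window=1.0):
        self.max_new, self.window = max_new, window
        self.recent = defaultdict(list)    # src -> timestamps of first contacts
        self.seen = defaultdict(set)
        self.halted = set()

    def observe(self, ts, src, dst):
        if src in self.halted:
            return True
        if dst in self.seen[src]:
            return False
        self.seen[src].add(dst)
        self.recent[src] = [t for t in self.recent[src] if t > ts - self.window] + [ts]
        if len(self.recent[src]) > self.max_new:
            self.halted.add(src)
        return src in self.halted


def analyze(log_text=SAMPLE_LOG):
    """Replay the log; return {src: {"trw": verdict, "halted": bool}}."""
    trw, halter = TRWDetector(), RateHalter()
    for line in log_text.splitlines():
        ts, src, dst_port, outcome = line.split()
        dst = dst_port.split(":")[0]
        trw.observe(src, dst, outcome == "success")
        halter.observe(float(ts), src, dst)
    return {src: {"trw": trw.verdict.get(src, "undecided"), "halted": src in halter.halted}
            for src in trw.seen}


if __name__ == "__main__":
    for src, result in analyze().items():
        print(src, result)
```

With the assumed parameters each failed first contact adds ln 4 and each success subtracts ln 4, and the scanner threshold is ln 99, so four net failures are enough: the host probing port 445 is declared a scanner on its sixth new destination (five failures, one success), while the benign host reaches the benign threshold after four successes and its repeat connection to 10.0.0.20 is ignored. Rate halting is cruder but needs no success/failure information and trips one connection earlier here.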
Proactive worm containment
1. A PWC agent on each host monitors outgoing traffic for increased activity
2. When an agent notices high traffic, it informs the PWC manager; the manager propagates the alert to other hosts
3. Hosts receive the alert and decide whether to ignore it (based on the time of the last incoming packet)
4. Relaxation period (based on a threshold): the host keeps monitoring and releases the containment once the rate stays below the threshold
Mobile Code
• Mobile code refers to programs (e.g., scripts, macros, or other portable instructions) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics
• Transmitted from a remote system to a local system and then executed on the local system
• Often acts as a mechanism for a virus, worm, or Trojan horse
• Takes advantage of vulnerabilities to perform its own exploits
• Can act as an agent for viruses, worms, and Trojan horses
• The most common ways of using mobile code for malicious operations on a local system are:
• Cross-site scripting
• Interactive and dynamic Web sites
• E-mail attachments
• Downloads from untrusted sites or of untrusted software
Mobile Phone Worms
• Worms first appeared on mobile phones with the discovery of the Cabir worm in 2004, and then Lasco and CommWarrior in 2005. These worms communicate through Bluetooth wireless connections or via the multimedia messaging service (MMS).
• The target is the smartphone
• Can completely disable the phone, delete data on the phone, or force the device to send costly messages
• Communicate over Bluetooth connections (e.g., CommWarrior on Symbian; there have also been attempts on Android and iPhone)
Client-Side Vulnerabilities and
Drive-by-Downloads
• A common technique exploits browser vulnerabilities
so that when the user views a Web page controlled
by the attacker, it contains code that exploits the
browser bug to download and install malware on the
system without the user’s knowledge or consent.
• This is known as a drive-by download attack and is a
common exploit in recent attack kits. In most cases,
this malware does not actively propagate as a worm
does, but rather waits for unsuspecting users to visit
the malicious Web page in order to spread to their
systems
Clickjacking
• Also known as a user-interface (UI) redress attack
• A vulnerability used by an attacker to collect an infected user's clicks
• The attacker can force the user to do a variety of things, from adjusting the user's computer settings to unwittingly sending the user to Web sites that might have malicious code
• By taking advantage of Adobe Flash or JavaScript an attacker could even place a button under or over a legitimate button, making it difficult for users to detect
• A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page
• The attacker is hijacking clicks meant for one page and routing them to another page
• Using a similar technique, keystrokes can also be hijacked
• A user can be led to believe they are typing the password to their e-mail or bank account, but are instead typing into an invisible frame controlled by the attacker
Types of clickjacking attacks
• Likejacking
Likejacking tricks social media users into liking things they did not intend to.
• Cursorjacking
Cursorjacking shifts the user's cursor position so that it differs from where the user perceives it to be.
• Cookiejacking
Cookiejacking is a UI redress attack that steals the victim's cookies. Once the attacker obtains the cookies, they can read the information they contain and use it to impersonate the victim. This is typically achieved by tricking the victim into dragging and dropping an element on the page. What they are actually doing is selecting the contents of their cookies on the embedded invisible page and handing them over to the attacker, who can then perform actions on the target website on behalf of the user.
• Filejacking
Filejacking lets the attacker access the victim's local file system and take files. For example, when you upload a photo to social media, a file browser window appears and you can navigate your file system.
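All of these variants depend on the target page being loadable inside an attacker-controlled frame, so the server-side defence is to forbid framing. As an added example that is not part of the original slides, the check below classifies a response's headers as framable or protected. The header sets are constructed; the precedence rule that a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options follows the CSP specification.

```python
"""Added example (not from the slides): an audit check for the server-side
clickjacking defence, i.e. whether a response's headers stop the page from
being framed.  The header sets below are constructed."""


def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def _frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict):
    """Classify a response as ("protected"|"framable", reason)."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:            # CSP frame-ancestors wins over XFO
            if ancestors == ["none"]:
                return "protected", "CSP frame-ancestors 'none'"
            if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
                return "framable", f"CSP frame-ancestors allows any origin ({' '.join(ancestors)})"
            return "protected", f"CSP frame-ancestors restricted to {' '.join(ancestors)}"
        # a CSP without frame-ancestors says nothing about framing; fall through
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", f"X-Frame-Options {value}"
        if value.startswith("ALLOW-FROM"):
            return "framable", "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers"
        return "framable", f"X-Frame-Options value {xfo!r} is invalid and ignored by browsers"
    return "framable", "no X-Frame-Options and no CSP frame-ancestors"


# Constructed responses (header dicts only) for an audit run.
SAMPLES = {
    "legacy-app":  {"Server": "nginx"},
    "deny":        {"x-frame-options": "DENY"},
    "sameorigin":  {"X-Frame-Options": "sameorigin"},
    "csp-none":    {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-no-fa":   {"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "ALLOWALL"},
    "csp-wins":    {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}


def audit(samples=SAMPLES):
    """Run the check over every sample; returns {name: (state, reason)}."""
    return {name: framing_protection(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (state, why) in audit().items():
        print(f"{name:12} {state:9} {why}")
```

The last two samples are the ones that catch people out: a CSP that never mentions frame-ancestors gives no framing protection at all, and a permissive frame-ancestors silently overrides a strict X-Frame-Options in browsers that support CSP.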
What is social engineering
• Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to trick
users into making security mistakes or giving away sensitive information.
• The attack cycle gives these criminals a reliable process for deceiving you. Steps for the
social engineering attack cycle are usually as follows:
• Prepare by gathering background information on you or a larger group you are a part of.
• Infiltrate by establishing a relationship or initiating an interaction, started by building
trust.
• Exploit the victim once trust and a weakness are established to advance the attack.
• Disengage once the user has taken the desired action.
Social Engineering
• The final category of malware propagation we consider involves
social engineering, “tricking” users to assist in the compromise of
their own systems or personal information. This can occur when a
user views and responds to some SPAM e-mail, or permits the
installation and execution of some Trojan horse program or
scripting code
Types of Social Engineering Attacks

1. Phishing
2. Pretexting
3. Baiting
4. Quid Pro Quo
5. Tailgating
6. CEO Fraud
Trojan Horse
A destructive program that usually masquerades as a computer game or application software. If executed, it damages the computer system. A Trojan horse usually comes with monitoring tools and keyloggers, which become active only when specific trigger events occur. Trojans are hidden with packers, crypters and wrappers and are therefore difficult to detect with antivirus software. Removal may require manual steps, and a firewall can limit the Trojan's network access.
Example of Trojan Horses
• Remote access Trojans (RATs)
• Backdoor Trojans (backdoors)
• IRC Trojans (IRCbots)
• Keylogging Trojans.
Malware Payload
• A payload is the part of a computer virus, worm or other malware that contains the code carrying out the malware's harmful activity.
• Some payloads search for and steal information, monitor activity, delete files, or encrypt files to hold them hostage. The other parts of a virus are the vector, which is the method the virus uses to infect the computer, and the trigger, which is the condition that activates the payload.
Payload-System Corruption
• Once malware is active on the target system, the next concern is what actions it will take on this system, that is, what payload it carries. Some malware has a nonexistent or nonfunctional payload: its only purpose, either deliberate or due to accidental early release, is to spread. More commonly, it carries one or more payloads that perform covert actions for the attacker.
• Data destruction, theft
• Data encryption (ransomware)
• Real-world damage
• Causes damage to physical equipment
• The Chernobyl (CIH) virus overwrites the flash BIOS code
• The Stuxnet worm
• Targets specific industrial control system software
• There are concerns about the use of sophisticated targeted malware for industrial sabotage
• Logic bomb
• Code embedded in the malware that is set to “explode” when certain conditions are met
Logic Bombs
• A logic bomb is a program that performs a malicious action as a result
of a certain logic condition.
• The classic example of a logic bomb is a programmer coding up the
software for the payroll system who puts in code that makes the
program crash should it ever process two consecutive payrolls without
paying him.
• Another classic example combines a logic bomb with a backdoor,
where a programmer puts in a logic bomb that will crash the program
on a certain date.
The Omega Engineering Logic Bomb
• An example of a logic bomb that was actually
triggered and caused damage is one that
programmer Tim Lloyd was convicted of using
on his former employer, Omega Engineering
Corporation. On July 31, 1996, a logic bomb
was triggered on the server for Omega
Engineering’s manufacturing operations,
which ultimately cost the company millions of
dollars in damages and led to it laying off
many of its employees.
Payload
System Corruption
Payload – Attack Agents
Bots (zombie/drone)
• A program that takes over other computers and uses them to launch attacks
– makes the attacks hard to trace back to the attacker
• If coordinated, the bots form a botnet
• Characteristics:
– remote control facility (the distinguishing factor)
• via IRC (Internet Relay Chat), HTTP, etc.
– spreading mechanism
• attack software, vulnerability, scanning strategy
• Various countermeasures apply (intrusion detection systems (IDS), honeypots, …)
Uses of bots
• DDoS: an attack on a computer system or network that causes a loss of service to users
• Spamming: with the help of a botnet and thousands of bots, an attacker is able to send massive amounts of bulk e-mail (spam)
• Sniffing traffic: bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine; the sniffers are mostly used to retrieve sensitive information like usernames and passwords
• Keylogging: by using a keylogger, which captures keystrokes on the infected machine, an attacker can retrieve sensitive information
• Spreading malware: botnets are used to spread new bots
• Installing advertisements: by setting up a fake Web site with some advertisements
• Manipulating games and polls: online polls and games are getting more and more attention and it is rather easy to manipulate them with botnets
Remote Control Facility
• Distinguishes a bot from a worm
• A worm propagates itself and activates itself
• A bot is initially controlled from some central facility
• A typical means of implementing the remote control facility is an Internet Relay Chat (IRC) server
• Bots join a specific channel on this server and treat incoming messages as commands
• More recent botnets use covert communication channels via protocols such as HTTP
• Distributed control mechanisms use peer-to-peer protocols to avoid a single point of failure
Payload – Information Theft
Keyloggers and Spyware
Payload – Information Theft
Phishing
Payload – Stealthing
Backdoors
• A backdoor, which is also sometimes called a
trapdoor, is a hidden feature or command in a
program that allows a user to perform actions he
or she would not normally be allowed to do.
• When used in a normal way, this program
performs completely as expected and advertised.
• But if the hidden feature is activated, the program
does something unexpected, often in violation of
security policies, such as performing a privilege
escalation.
Non-malicious Backdoors
• Some backdoors are put into a program by its own programmers
– for debugging (bypass some tedious steps to speed up debugging)
– many computer games have backdoors
• a secret key code to change the gaming role (full health, full map, invincibility)
Malicious Backdoors
• Deliberate backdoors inserted by malicious programmers
– for blackmail or secret privilege
• Backdoors created by malware on compromised machines
– open a TCP listening service; anyone can get a shell connection to the machine without an account or password
– Example: Code Red II
Payload - Stealthing
Rootkit
Rootkit Classification Characteristics
Rootkit System Table Mods
A Unix Example
User API calls refer to a number; the system maintains a system call table with one entry per number, and each number is used to index to the corresponding system routine.
The rootkit modifies the table so that the calls go to the attacker's replacement routines, which filter out the rootkit's own files, processes and connections before returning to the caller.
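The table modification and two ways to catch it, as an added example that is not part of the original slides: a simulated system-call table, a "rootkit" that replaces the directory-listing entry to hide its files, an integrity check of the table against a pristine copy, and a cross-view check that compares what the syscall returns with the raw disk contents. The kernel, file system and rootkit are toy models written for this example; the syscall numbers are only borrowed from Linux x86-64 for flavour.

```python
"""Added example (not from the slides): a simulated system-call table, a
'rootkit' that hooks the directory-listing entry, and two defender checks
(table integrity, cross-view diff).  Everything here is a toy model."""

# Toy "disk": directory -> list of entries.  Constructed contents.
DISK = {
    "/etc": ["passwd", "shadow", "hosts"],
    "/tmp": [".rk_backdoor", "session.lock", ".rk_config"],
}


def sys_getdents(path):
    """Genuine handler: list a directory straight from the disk model."""
    return sorted(DISK.get(path, []))


def sys_open(path):
    return f"fd:{path}"


SYSCALL_TABLE = {78: sys_getdents, 2: sys_open}   # nr -> handler
KNOWN_GOOD = dict(SYSCALL_TABLE)                    # pristine copy taken at boot


def syscall(nr, *args):
    """User-space entry point: index the table by number and dispatch."""
    return SYSCALL_TABLE[nr](*args)


HIDE_PREFIX = ".rk_"


def install_rootkit(table=SYSCALL_TABLE):
    """Rootkit behaviour: wrap the original getdents so that entries
    starting with HIDE_PREFIX never reach user space."""
    original = table[78]

    def hooked_getdents(path):
        return [name for name in original(path) if not name.startswith(HIDE_PREFIX)]

    table[78] = hooked_getdents


def table_integrity_check(table=SYSCALL_TABLE, known_good=KNOWN_GOOD):
    """Defender check 1: table slots that no longer point at the pristine handler."""
    return sorted(nr for nr, fn in table.items() if known_good.get(nr) is not fn)


def cross_view_check(path):
    """Defender check 2: names present on the raw disk but missing from the
    listing returned through the (possibly hooked) syscall path."""
    via_syscall = set(syscall(78, path))
    raw = set(DISK.get(path, []))
    return sorted(raw - via_syscall)


def uninstall_rootkit(table=SYSCALL_TABLE, known_good=KNOWN_GOOD):
    """Restore the table from the pristine copy (what a cleaner would do)."""
    table.clear()
    table.update(known_good)


if __name__ == "__main__":
    print("clean listing :", syscall(78, "/tmp"))
    install_rootkit()
    print("hooked listing:", syscall(78, "/tmp"))
    print("modified slots:", table_integrity_check())
    print("hidden entries:", cross_view_check("/tmp"))
    uninstall_rootkit()
```

The integrity check needs a trustworthy copy of the table taken before the compromise; the cross-view check needs none, but it needs a raw view of the disk that does not itself pass through the hooked table, which is why real rootkit detectors read the file system or boot from separate media.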
Malware Countermeasure Approaches
• The ideal solution to the threat of malware is prevention
• If prevention fails, technical mechanisms can be used to support the following threat mitigation options:
» Detection
» Identification
» Removal
Generations of Anti-Virus Software
Sandbox Analysis
• Running potentially malicious code in an emulated sandbox or on a virtual machine
• Allows the code to execute in a controlled environment where its behavior can be closely monitored without threatening the security of a real system
• Running potentially malicious software in such environments enables the detection of complex encrypted, polymorphic, or metamorphic malware
• As with generic decryption, the most difficult design issue with sandbox analysis is to determine how long to run each sample
Host-Based Behavior-Blocking Software
• Integrates with the operating system of a host
computer and monitors program behavior in real
time for malicious action
• Blocks potentially malicious actions before they have a chance
to affect the system
• Blocks software in real time so it has an advantage over anti-
virus detection techniques such as fingerprinting or heuristics
Perimeter Scanning Approaches
• Anti-virus software typically included in e-mail and Web proxy services running on an organization’s firewall and IDS
• May also be included in the traffic analysis component of an IDS
• May include intrusion prevention measures, blocking the flow of any suspicious traffic
• Approach is limited to scanning malware
Two types of monitoring software
Summary
• Types of malicious software (malware)
• Broad classification of malware
• Attack kits
• Attack sources
• Advanced persistent threat
• Propagation – vulnerability exploit – worms
• Target discovery
• Worm propagation model
• The Morris Worm
• Brief history of worm attacks
• State of worm technology
• Mobile code
• Mobile phone worms
• Client-side vulnerabilities
• Drive-by-downloads
• Clickjacking
• Propagation – social engineering – spam e-mail, Trojans
• Spam e-mail
• Trojan horses
• Mobile phone Trojans
• Payload – system corruption
• Data destruction
• Real-world damage
• Logic bomb
• Payload – attack agent – zombie, bots
• Uses of bots
• Remote control facility
• Payload – information theft – keyloggers, phishing, spyware
• Credential theft, keyloggers, and spyware
• Phishing and identity theft
• Reconnaissance, espionage, and data exfiltration
• Payload – stealthing – backdoors, rootkits
• Backdoor
• Rootkit
• Kernel mode rootkits
• Virtual machine and other external rootkits
• Countermeasures
• Malware countermeasure approaches
• Host-based scanners
• Signature-based anti-virus
• Perimeter scanning approaches
• Distributed intelligence gathering approaches
