
Lecture4 Malicious Software

The document outlines a lecture on malicious software (malware), detailing its definitions, types, and methods of propagation, including viruses, worms, and ransomware. It discusses the challenges of detecting and preventing malware, emphasizing the importance of understanding malware characteristics and user education. Various infection strategies and historical examples of notable viruses are also presented to illustrate the impact of malware.

Uploaded by David Banjo

Malicious Software

Computer Security | Lecture Four


Lecture Outline
▪ Introduction
  ▪ What is a Malware?
▪ Viruses and Worms
  ▪ Viruses
  ▪ Program File Virus
  ▪ Infection Strategies
  ▪ Email-based Malware
  ▪ Virus Detection
  ▪ Classification of Viruses
  ▪ Worms
▪ Stealth Mode: Trojan Horse, Backdoor and Rootkits
▪ Drive-by Downloads and Droppers
▪ Ransomware and Botnets
▪ Malware Classification
  ▪ By Objectives
  ▪ By Technical Properties

Lecture Objective
▪ This lecture discusses malicious software (malware) in categories:
  ▪ Computer Viruses and Worms
  ▪ Rootkits
  ▪ Botnets and other families

Introduction
▪ Among the many possible ways to name and classify malware, we use groupings based on characteristics including
  ▪ Propagation Tactics and Malware Motives
▪ It can be hard to stop malware from entering systems, to detect it, and to remove it.

Introduction
▪ Malware often takes advantage of specific software Vulnerabilities to gain a foothold on victim machines.
▪ Even when vulnerabilities are patched, and software updates eliminate entire classes of previous vulnerabilities,
  ▪ it remains worthwhile to understand past failures, for awareness of recurring failure patterns.

What is a Malware?
▪ Malicious Software (Malware) is software intentionally designed or deployed to have effects contrary to the best interests of one or more Users
  ▪ Contrary interest includes Potential Damage related to Resources, Devices, or other Systems.
    ▪ e.g., Data, Software, Hardware, or Compromise of privacy.
▪ Malware runs without the explicit approval of the User
  ▪ If users had full knowledge of the design intent or possible consequences of such malware, they would (if given a choice) not allow it to run.

Some Questions Regarding Malware
How does Malware get into Devices?
▪ Websites
  ▪ By links in Phishing emails, search engine results, and web page ads directing traffic to both compromised legitimate sites and malicious sites.
  ▪ A site visit may result in software installation without user knowledge.
▪ Downloaded executables
  ▪ Either pure malware or with hidden functionality;
  ▪ Users may be tricked to install; Exes may be repackaged to include bundled malware
▪ Vulnerabilities in network communications services
  ▪ Computer worms spread malware by exploiting vulnerabilities

Some Questions Regarding Malware
How does Malware get into Devices?
▪ Computer viruses spread by various means including
  ▪ Malicious email attachments
▪ Source code: Malware may also be embedded in source code in development repositories;
  ▪ Legitimate developers may play the role of insiders, or repositories may be compromised by outsiders.
▪ Computer firmware and Hardware may be malicious
  ▪ Depending on how firmware is provided and updated, and controls within the hardware supply chain

What makes Malware hard to Detect?
▪ Detection is easy in some cases, but hard in general, for multiple reasons.
▪ Malware depends on context, not functionality alone
  ▪ e.g., SSH server software is not viewed as malware, unless installed by an attacker for covert system access
▪ A theoretical result shows that malware identification is an Undecidable Problem.
  ▪ Undecidable problem: a decision problem for which it is impossible to construct an algorithm that always leads to a correct yes-or-no answer
▪ Personal viewpoints may also differ
  ▪ Is a Program that displays ads to generate revenue malware?
  ▪ Some forms of malware are more aggressive than others.
▪ Often, malware is specifically designed to be hard to detect, and hard to reverse-engineer.

How to Prevent Malware Installation?
▪ If we can’t decide what malware is, it seems unreasonable to expect any program to prevent all forms of it.
▪ Restricting what software users are allowed to install on their machines reduces risks
  ▪ But is both inconvenient and unpopular.
▪ Better user education is often suggested
  ▪ Useful to some degree, but also difficult, costly, never-ending,
  ▪ Insufficient against many malware tactics including persuasive social engineering.
▪ Malware risks can be reduced by Code-signing Architectures that test, before installing or running, that executable content is from known sources.

How to Prevent Malware Installation?
▪ Anti-Virus/Malware Tools and Intrusion Detection Systems are industry-driven partial solutions.
  ▪ Some tools remove or filter out specific instances of detected malware
  ▪ In severe cases a host machine’s entire software base may need to be re-installed with a clean base OS and all applications
    ▪ with loss of any data files not recoverable from Backup Storage

Viruses and Worms
▪ Computer Viruses and Worms are the first types of malware to gain notoriety
  ▪ Both differ in some aspects
  ▪ Share a distinguishing propagation feature
    ▪ Employ clever means to cause their number of instances to grow, and spread across machines
▪ There is nothing magical about Viruses, Worms, and other Malware.
  ▪ They are simply software, with power and functionality as available to other software.
  ▪ Like “ordinary” software, malware can thus do extraordinarily complex things, especially if it runs with elevated privileges

Viruses
▪ A Virus is a program that can infect other programs or files by modifying them to include a possibly evolved copy of itself.
  ▪ A typical virus Replicates, spreading to further programs or files on the same machine;
  ▪ Also across machines aided by some form of Human action
    ▪ Inserting into a device a USB flash drive (or floppy disk in the past),
    ▪ Clicking on an email attachment that turns out to be some form of executable file.

Viruses
▪ A virus embeds itself into a host program or file that contains some form of executable content,
  ▪ It is arranged so that its own code runs when the host is processed or executed.
▪ Viruses typically check whether a file is already infected;
  ▪ Since infecting only new files is more Effective.

Generic Structure of Virus
▪ Dormancy
  ▪ A virus is typically dormant until the host program runs.
▪ Propagation
  ▪ Defines when (and how) the malware spreads.
▪ Trigger Condition
  ▪ Controls when the payload is executed.
▪ Payload
  ▪ The functionality delivered by the malware (other than propagating)
  ▪ Payload actions range from
    ▪ Relatively benign (an image walking across a screen)
    ▪ Severe (erasing files or taking software actions that damage hardware).

Program File Viruses
▪ Most viruses infect executable program files.
▪ How and where virus code is inserted (in the host file) varies.
▪ Strategies include:
  ▪ Shift and Prepend
  ▪ Append Virus Code to end of Host File
  ▪ Overwrite the host file, starting from the top
  ▪ Overwrite the host file, starting from some interior point

Infection Strategies
▪ Shift and Prepend
  ▪ The virus code is inserted at the front after shifting the original file, which is arranged to execute after the virus code.
  ▪ This increases the file length.
▪ Append Virus Code to end of Host File
  ▪ Convenient in file formats where the program entry point JUMPs to a start-execution point within the file.
  ▪ The original jump target is changed to be the first line of the appended virus code.
  ▪ The virus code ends by jumping to the originally indicated start-execution point.

Infection Strategies
▪ Overwrite the Host File, Starting from the Top
  ▪ The host program is destroyed (so it should not be critical to the OS’s continuing operation).
  ▪ This increases the chances that the virus is noticed and complicates its removal.
▪ Overwrite the Host File, Starting from some Interior Point
  ▪ With luck, a point that execution is expected to reach.
  ▪ A negative side effect is damaging the original program.
  ▪ However, an advantage is gained against virus detection tools that, as an optimization, take shortcuts such as scanning for viruses only at the start and end of files.
  ▪ This strategy may evade such tools.

Infection Strategies
▪ Other Variations involve
  ▪ Relocating parts of program files
  ▪ Copying into temporary files
  ▪ Arranging control transfers
▪ These have their own complications and advantages in different file formats, systems, and scenarios;
  ▪ However, the general ideas are similar.

Example | Brain Virus (1986)
▪ The Brain virus, commonly cited as the first PC virus, is a boot sector virus.
▪ Networks were less common;
  ▪ Most viruses spread from an infected program on a floppy disk,
  ▪ To one or more programs on the PC in which the floppy was inserted,
  ▪ Then to other PCs the floppy was later inserted into.

Example | Brain Virus (1986)
▪ On startup, an IBM PC would read code for BIOS from the ROM
  ▪ Next, early PCs loaded from a floppy if one was present.
  ▪ After the BIOS, the first code executed was read from a boot sector, which for a floppy was its first sector.
  ▪ Execution of boot sector code would result in further initialization and then loading of the OS into memory.
  ▪ Placing Virus Code in this boot sector resulted in its execution before the OS.
▪ Boot sector viruses overwrite or replace-and-relocate the boot sector code, so that virus code runs first
▪ The Brain Virus occasionally destroyed the File Allocation Table (FAT) of infected floppies, causing loss of user files.
  ▪ It was not particularly malicious, and although stealthy,
  ▪ The virus binary contained the note “Contact Us For Vaccination” and the correct phone number and Pakistani address of the two brothers who wrote it!

Example | Chernobyl Virus (1998-2000)
▪ The CIH or Chernobyl Virus, found first in Taiwan and affecting Windows 95/98/ME machines primarily in Asia
  ▪ Very Destructive (per-device)
  ▪ Very Costly (in numbers of devices damaged)
▪ It demonstrated that malware can cause Hardware and Software damage.
  ▪ CIH overwrites critical sectors of the hard disk including the partition map
  ▪ Crashes the OS
  ▪ The drive must be Reformatted with all data thereon lost
  ▪ Depending on the device’s File Allocation Table (FAT) details

Example | Chernobyl Virus (1998-2000)
▪ Worse yet, CIH attempts to write to the system BIOS firmware
  ▪ Also, on some types of Flash ROM chip,
  ▪ CIH succeeds in performing the write-enable sequence on the Flash
  ▪ Victim machines then will not restart, needing their Flash BIOS chip reprogrammed or replaced.
▪ CIH was also called Spacefiller
  ▪ Unlike viruses that insert themselves at the top or tail of a host file, it inserts into Unused Bytes within Files (in file formats that pad up to block boundaries)
  ▪ Splits itself across such files as necessary
  ▪ Thus also defeating Anti-virus Programs that look for files whose length changes.

📝To Study
▪ Macro Viruses
  ▪ Summarize the technical details of Concept virus (1995),
    ▪ The first “in-the-wild” macro virus infecting Microsoft Word documents
  ▪ Summarize the technical details of another macro virus that infected such documents: Melissa (1999).
    ▪ Aside: neither had a malicious payload, but Melissa gained attention as the first mass-mailing email virus. Spread by Outlook Express, it chose 50 email addresses from the host’s address book as next-victim targets.

Email-Based Malware
▪ Email-based malware that combines Virus + Worm properties is called an Email Virus, Email Worm, or Mass-mailing Worm-virus.
  ▪ It spreads through email-related file infection, attachments, and features of clients and infrastructure (often enabled by default).
▪ It typically Requires a User action
  ▪ e.g., Opening an email client or reading a message
  ▪ May involve social engineering (tricking the user into taking some action).
▪ A common tactic is to extract next-targets from the mail client’s address book.
  ▪ Since email allows long recipient lists, spreading is One-to-Many

Virus Detection: Undecidable Problem
▪ It turns out to be impossible for a single program to correctly detect All viruses.
  ▪ Should we then give up trying to detect viruses in practice? No.
  ▪ Even if no program can detect all viruses, can useful programs detect many, or even some, viruses? Yes
▪ Thus, the security industry’s history of Anti-virus Products.
  ▪ As detection techniques improve, the agents creating viruses continue to develop new techniques,
  ▪ Makes detection more difficult.
  ▪ Results in an Attacker-Defender Move-Countermove game of increasing complexity.

Virus Detection in Practice | Denylist
▪ Denylist-Type mechanism protects against known malware, but not new malware.
▪ A basic method to detect malware is to obtain its Object Code, and then find Malware signatures
  ▪ Signatures are relatively short byte-sequences that uniquely identify it.
  ▪ Candidate signatures are Regression-tested against extensive program databases, to ensure uniqueness
  ▪ Then, signatures for malware active in the field are stored in a dataset,
  ▪ Before any executable is run by a user, an AV (Anti-Virus) program intervenes to test it against the dataset using highly efficient Pattern-matching Algorithms.

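The signature matching on this slide and the head/tail scanning shortcut from the Infection Strategies slides can be shown side by side. The following is an added example written for this lecture, not code from the lecture or from any anti-virus product: the two signatures, the 512-byte benign host and the three layouts (prepended, appended, interior) are all constructed, and `scan_head_tail` models the optimisation the slides say an interior-insertion virus is designed to slip past.

```python
"""Toy denylist (signature) scanner: full scan vs head/tail-only shortcut.

Added example for this lecture, not code from the lecture or from any AV
product. Signatures, host bytes and the three sample layouts are constructed.
"""
import re

# Constructed signatures: short byte sequences standing in for the patterns an
# AV vendor would extract from a sample and regression-test for uniqueness.
SIGNATURES = {
    "TOY.PREPENDER": b"\xde\xad\xbe\xef\x90\x90",
    "TOY.APPENDER": b"\xca\xfe\xba\xbe\xcc\xcc",
}

# One compiled alternation so a file is walked once for all signatures
# (a stand-in for the multi-pattern matchers real scanners use).
_PATTERN = re.compile(b"|".join(re.escape(s) for s in SIGNATURES.values()))
_NAME_OF = {sig: name for name, sig in SIGNATURES.items()}

# Constructed benign host: 512 bytes containing no signature.
HOST = bytes(range(256)) * 2


def scan_full(data: bytes) -> list[str]:
    """Names of every signature found anywhere in `data`, sorted."""
    return sorted({_NAME_OF[m.group(0)] for m in _PATTERN.finditer(data)})


def scan_head_tail(data: bytes, window: int = 64) -> list[str]:
    """The shortcut from the slides: only the first and last `window` bytes
    are examined. Cheap, but blind to code inserted in the interior."""
    if len(data) <= 2 * window:
        return scan_full(data)
    return sorted(set(scan_full(data[:window])) | set(scan_full(data[-window:])))


# Where each infection strategy from the slides leaves the signature bytes.
def layout_prepend(sig: bytes, host: bytes = HOST) -> bytes:
    """Shift-and-prepend: signature at the front, host shifted after it."""
    return sig + host


def layout_append(sig: bytes, host: bytes = HOST) -> bytes:
    """Append to end of host file."""
    return host + sig


def layout_interior(sig: bytes, host: bytes = HOST, offset: int = 200) -> bytes:
    """Overwrite/insert at an interior point, away from both file ends."""
    return host[:offset] + sig + host[offset:]


def compare_scanners() -> dict[str, tuple[list[str], list[str]]]:
    """For each layout: (full-scan verdict, head/tail-scan verdict)."""
    samples = {
        "prepend": layout_prepend(SIGNATURES["TOY.PREPENDER"]),
        "append": layout_append(SIGNATURES["TOY.APPENDER"]),
        "interior": layout_interior(SIGNATURES["TOY.APPENDER"]),
    }
    return {name: (scan_full(d), scan_head_tail(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (full, shortcut) in compare_scanners().items():
        print(f"{name:9s} full={full} head/tail={shortcut}")
```

Running it shows the interior layout found by the full scan but missed by the head/tail scan; the point for a defender is that a scanner's shortcuts define exactly where an infection strategy can hide.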
Virus Detection in Practice | Allowlist
▪ Allowlist-Type Mechanism to detect malware uses Integrity-checker or Change-detection Programs and lists of known-good hashes of valid programs.
  ▪ An AV program may forego byte-matching on a to-be-run executable by use of such allowlists
  ▪ Or if the executable has a valid digital signature of a trusted party.
▪ An extension of byte-match signatures is the use of Behavioral Signatures;
  ▪ These aim to identify malware by detecting sequences of actions (behaviors) pre-identified as suspicious
  ▪ Briefly pre-running target executables in an emulated environment may be done to facilitate behavioral detection, and so that malware self-decrypts, which then allows byte-pattern matching

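An allowlist check of the kind this slide describes, as an added example that is not from the lecture: an in-memory dict stands in for the filesystem, the manifest of known-good SHA-256 hashes is built from a constructed clean snapshot, and the code-signature route the slide also mentions is not modelled. A `length_changed` helper is included only to contrast hashing with the file-length check that the Spacefiller technique on the CIH slide was designed to defeat.

```python
"""Toy allowlist / integrity checker for the Allowlist slide.

Added example, not from the lecture. The 'filesystem' is a dict of
path -> bytes so it runs offline; the manifest is taken from a clean snapshot.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Known-good list from a trusted clean install: path -> hash.
    In practice keep it read-only or signed, out of reach of the host it checks."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as ok, modified, missing (in manifest, not on disk)
    or unknown (on disk, not in manifest)."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unknown": []}
    for path, expected in sorted(manifest.items()):
        if path not in files:
            report["missing"].append(path)
        elif sha256_hex(files[path]) == expected:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
    report["unknown"] = sorted(p for p in files if p not in manifest)
    return report


def length_changed(files: dict[str, bytes], lengths: dict[str, int]) -> list[str]:
    """The weak check some early AV relied on: flag only files whose length grew
    or shrank. An in-place overwrite of padding bytes passes this unnoticed."""
    return sorted(p for p in files if p in lengths and len(files[p]) != lengths[p])


def allow_to_run(path: str, files: dict[str, bytes], manifest: dict[str, str]) -> bool:
    """Allowlist decision: skip further scanning only if the hash is known-good."""
    return path in files and manifest.get(path) == sha256_hex(files[path])


def demo() -> dict:
    clean = {  # constructed contents standing in for real binaries
        "/bin/ls": b"ELF-ls-" + bytes(range(64)),
        "/bin/cp": b"ELF-cp-" + bytes(range(64)),
        "/bin/rm": b"ELF-rm-" + bytes(range(64)),
    }
    manifest = build_manifest(clean)
    lengths = {path: len(content) for path, content in clean.items()}

    later = dict(clean)
    later["/bin/ls"] = clean["/bin/ls"] + b"\xcc" * 8        # appended bytes: length grows
    later["/bin/cp"] = clean["/bin/cp"][:-8] + b"\x00" * 8   # overwritten in place: same length
    del later["/bin/rm"]                                     # removed from disk
    later["/tmp/new.exe"] = b"MZ-unknown"                    # never on the allowlist

    return {
        "report": check_integrity(later, manifest),
        "length_only_flags": length_changed(later, lengths),
        "run_cp_now": allow_to_run("/bin/cp", later, manifest),
        "run_ls_clean": allow_to_run("/bin/ls", clean, manifest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The in-place overwrite of `/bin/cp` is the instructive case: the hash comparison reports it as modified while the length-only check does not, which is exactly the gap the CIH slide describes.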
Classification of Viruses
▪ A virus making no attempt to evade detection consists of Static Cleartext Code as in normal programs.
▪ Advanced viruses may use Encryption or Self-variation to evade being identified and reverse-engineered.
▪ This gives one way to classify viruses, as follows
  ▪ Virus with encrypted body
  ▪ Polymorphic Virus
  ▪ Virus with external decryption key
  ▪ Metamorphic Virus

Classification of Viruses
Virus with Encrypted Body
▪ A simple form of hiding uses
  ▪ Fixed Mappings (e.g., XOR with a fixed string) or
  ▪ Basic symmetric-key encryption using the same key across instances.
▪ Execution requires first Decrypting the virus body, by a small decryptor portion that remains unmodified
  ▪ This can be easily detected by a string-matching virus detector
▪ To complicate detecting the modified body,
  ▪ The key, which is stored in the decryptor to allow decryption, can be changed on each new infection.

Classification of Viruses
Polymorphic Virus
▪ These viruses have fixed bodies encrypted with per-instance keys, but change their decryptor portions across infections by using a Mutation Engine.
  ▪ Weak form: Stores a fixed pool of decryptors in the body; selects one as the actual decryptor in a new infection.
  ▪ Strong form: Mini-compiler creates new decryptor instances by combining functionally equivalent sets of machine instructions (yielding combinatorially large numbers of variations);
  ▪ Techniques are related to those used for non-malicious code obfuscation and by optimizing compilers.
▪ After polymorphic virus decryption reveals its static body, it can be detected by string matching;
  ▪ Virus detection tools thus pre-run executables in emulators to detect in this way

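To see why the slides say detection tools pre-run executables in emulators, the following added example (not from the lecture) applies three detectors to a sample: raw byte matching, matching the decryptor stub, and matching after emulating the decryptor. It serves both this Polymorphic slide and the preceding Virus with Encrypted Body slide. The sample format `[stub][key byte][body XOR key]`, the stub pool and the body marker are all constructed; `make_sample` only builds detector test cases and nothing here infects anything.

```python
"""What a string-matching scanner sees for encrypted-body and polymorphic
samples, and what emulation recovers. Added example, not from the lecture;
the sample layout [stub][1-byte key][body XOR key] is a constructed toy.
"""

BODY_MARKER = b"TOY-BODY-MARKER"      # constructed signature of the static body
BODY = b"...payload-bytes..." + BODY_MARKER + b"...more-bytes..."
STUB_LEN = 5
# Weak-form polymorphism: the AV has learnt the fixed pool of decryptor stubs.
KNOWN_STUBS = {b"\x7fDEC1", b"\x7fDEC2"}
NEW_STUB = b"\x7fDEC9"                 # a strong-form variant the AV has never seen


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_sample(stub: bytes, key: int, body: bytes = BODY) -> bytes:
    """Constructed test case: stub, then the per-instance key, then the body
    hidden under that key (key 0 excluded because it would leave the body in clear)."""
    assert len(stub) == STUB_LEN and 0 < key < 256
    return stub + bytes([key]) + xor_bytes(body, key)


def detect_raw(sample: bytes) -> bool:
    """Plain byte matching on the file as stored: misses any encrypted body."""
    return BODY_MARKER in sample


def detect_stub(sample: bytes) -> bool:
    """Match the decryptor instead: works while the stub is fixed or drawn from
    a small known pool; fails for an unseen (strong-form) variant."""
    return sample[:STUB_LEN] in KNOWN_STUBS


def emulate_decrypt(sample: bytes) -> bytes:
    """Stand-in for running the decryptor in an emulator: reproduce what the
    sample would do to itself, then hand the result back to the scanner."""
    key = sample[STUB_LEN]
    return xor_bytes(sample[STUB_LEN + 1:], key)


def detect_after_emulation(sample: bytes) -> bool:
    return BODY_MARKER in emulate_decrypt(sample)


def verdicts(sample: bytes) -> dict[str, bool]:
    """All three detector outcomes for one sample."""
    return {
        "raw": detect_raw(sample),
        "stub": detect_stub(sample),
        "emulated": detect_after_emulation(sample),
    }


if __name__ == "__main__":
    print("encrypted body, known stub :", verdicts(make_sample(b"\x7fDEC1", 0x5A)))
    print("new key, same stub         :", verdicts(make_sample(b"\x7fDEC1", 0x3C)))
    print("unseen stub (strong form)  :", verdicts(make_sample(NEW_STUB, 0x5A)))
```

Changing the key between instances changes every stored body byte, so raw matching fails for each new infection; the stub match survives until the mutation engine produces a decryptor outside the known pool, and only the emulated view is stable across both changes, which is the design argument the slide makes for emulation.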
Classification of Viruses
Virus with External Decryption Key
▪ To complicate manual analysis of an infected file that is captured, the Decryption Key is stored external to the virus itself.
▪ There are many possibilities: The key could be
  ▪ Inside another file on the same host machine or on an external machine.
  ▪ Generated on the fly from host-specific data.
  ▪ Retrieved from a networked device whose address is obtained through a level of indirection
    ▪ Such as a search engine query, or a domain name lookup with a frequently changed name-address mapping

Classification of Viruses
Metamorphic Virus
▪ These use no encryption and thus have no decryptor portion.
▪ Instead, on a per-infection basis, the virus rewrites its own code,
  ▪ Mutating both its body (infection and payload functionality) and the mutation engine itself.
▪ Sophisticated metamorphic viruses have carried source code and enlisted compiler tools on host machines to aid their task.

Anti-detection Strategies
▪ The above strategies aim to hide the Virus code itself.
▪ Other tactics aim to hide telltale signs of infection, such as
  ▪ Changes to Filesystem Attributes (e.g., file byte length, timestamp)
  ▪ The location or existence of code
  ▪ The existence of running processes and the resources they consume

Worms
▪ Worms differ from viruses in 3 main ways.
  ▪ Worms Propagate Automatically and Continuously without User Interaction.
  ▪ Worms Spread across Machines over Networks
    ▪ Leveraging Network Protocols and Network Daemons
    ▪ Rather than infecting Host Programs as in Viruses
  ▪ Worms Exploit Software Vulnerabilities
    ▪ e.g., Buffer overflows,
    ▪ Meanwhile viruses tend to abuse software features or use social engineering

Worms
▪ As a result of how they spread, worms are also called Network Worms or Network Viruses.
▪ Worms have no Dormant stage
  ▪ Therefore,
    ▪ Tend to spread More quickly
    ▪ More likely to overload network communications channel capacity,
    ▪ Can cause a form of Denial Of Service, even when that is not their end-goal.

Worm Spreading
▪ Worms spread by a different means than Viruses.
▪ A worm’s universe of possible next-targets is the set of Network devices reachable from it
  ▪ Traditionally the full IPv4 address space, perhaps parts of IPv6
▪ The idea is that if topologically nearby machines are similarly vulnerable, targeting local machines spreads malware faster once already inside a corporate network.
  ▪ This method selects next-target addresses by harvesting information related to the current host machine, including:
    ▪ Email address lists
    ▪ Peer-to-peer lists
    ▪ URLs on disk,
    ▪ Addresses in browser bookmark and favorite site lists

Faster Worm Spreading
▪ The following ideas have been brought to the community’s attention as means that improve the speed at which worms may spread
  ▪ Hit-list scanning
  ▪ Permutation scanning
  ▪ Internet-scale hit-lists

Faster Worm Spreading
Hit-list Scanning
▪ The time to infect all members of a vulnerable population is dominated by early stages before a critical mass is built.
▪ Thus to accelerate the initial spreading,
  ▪ Lists are built of perhaps 10,000 hosts believed to be more vulnerable to infection than randomly selected addresses
    ▪ The list is generated by stealthy scans beforehand over a period of weeks or months.
  ▪ The first instance of a worm retains half the list
    ▪ Passes the other half on to the next victim, and each proceeds likewise

Faster Worm Spreading
Permutation Scanning
▪ Random scanning is inefficient
  ▪ To reduce re-contacting machines already infected, next-victim scans are made according to a Fixed Ordering (Permutation) of addresses.
  ▪ Each new worm instance starts at a random place in the ordering;
  ▪ If a given worm instance learns it has contacted a target already infected, the instance resets its own scanning to start at a random place in the original ordering.
  ▪ A machine infected in the hit-list stage is reset to start scanning after its own place in the ordering
▪ Permutation Scanning thus minimises duplication of Effort

Faster Worm Spreading
Internet-Scale Hit-lists
▪ A list of (most) servers on the Internet can be pre-generated by scanning tools.
▪ For a given worm that spreads by exploiting the vulnerabilities of a particular web server platform, the addresses of all such servers can be pre-identified by scanning (vs. a smaller hit-list above).
  ▪ In 2002, when this approach was first proposed, there were 12.6 million servers on the Internet;
  ▪ A full uncompressed list of their IPv4 addresses (32 bits each) requires only 50 megabytes

Faster Worm Spreading
▪ Using Hit-list Scanning to quickly seed a population
  ▪ Fast Start-up
▪ then moving to Permutation Scanning to reduce re-contacting infected machines
  ▪ Extremely Efficient
▪ then Internet-scale hit-lists to reach pre-filtered vulnerable hosts directly
▪ It was estimated that a Flash Worm could spread to all vulnerable Internet hosts in just tens of seconds
  ▪ “So fast that no human-mediated counter-response is possible”

Example | The 1988 Internet Worm
▪ The Morris worm was the first widescale incident demonstrating the power of network worms.
  ▪ It directly infected 10% of Internet devices then in use,
  ▪ Worm-related traffic overloaded networks and caused system crashes through resource consumption
  ▪ It was a widespread Denial Of Service.
▪ This early “wake-up call” foreshadowed a wave of malicious worms in the early 2000s.

Stealth Mode
Trojan Horses, Backdoors, Keyloggers, Rootkits
▪ Malware may use Stealthy tactics to escape or delay detection.
▪ Stealthy malware is named based on goals and methods used; including
  ▪ Trojan Horse
  ▪ Backdoors
  ▪ Rootkits

Trojan Horse
▪ By legend, the Trojan horse was an enormous wooden horse offered as a gift to the city of Troy.
  ▪ Greek soldiers hid inside as it was rolled within the city gates, emerging at nightfall to mount an attack.
  ▪ [Watch Clip]

Trojan Horse
▪ Trojan horse or Trojan software is software delivering malicious functionality instead of, or in addition to, purported functionality, with the malicious part possibly staying Hidden
  ▪ Some Trojans are installed by trickery through Fake updates
    ▪ e.g., Users are led to believe they are installing critical updates for Java, video players such as Adobe Flash, or anti-virus software;
  ▪ Other Trojans accompany miscellaneous Free Applications such as screen savers repackaged with accompanying malware.

Trojan Horse
▪ Trojans may perform benign actions while doing their evil in the background
  ▪ The malicious functionality may become apparent immediately after installation, or might remain undetected for some time.
▪ If malware is silently installed without end-user knowledge or actions, we tend not to call it a Trojan
  ▪ Reserving this term for when the installation of software with extra functionality is “Voluntarily” accepted into a protected zone
    ▪ Without knowledge of its full functionality

Backdoors
▪ A Backdoor is a way to access a device bypassing normal entry points and access control.
  ▪ It allows ongoing stealthy remote access to a machine, often by enabling a network service.
  ▪ A backdoor program contacted via a backdoor may be used for malware installation and updates
▪ Backdoors may be Stand-alone or Embedded into legitimate programs
  ▪ e.g., standard login interface code may be modified to grant login access to a special-cased username without requiring a password.
▪ A Backdoor is often included in (provided by) Trojan Software and Rootkits

Rootkits
▪ A Rootkit on a computing device is a set of software components that:
  ▪ Is surreptitiously installed and takes active measures to conceal its ongoing presence;
  ▪ Seeks to control or manipulate selected applications and/or host OS functions;
  ▪ Facilitates some long-term additional malicious activity or functionality.

Rootkits
▪ The techniques used to remain hidden and control other software functionality distinguish Rootkits from other malware.
▪ The end-goal is facilitating malicious payload functionality
  ▪ e.g., Surveillance, Data theft, Theft of CPU cycles
▪ The main rootkit categories are
  ▪ User Mode: Runs in user space, typically with superuser privileges
  ▪ Kernel Mode: Runs in kernel space; access to kernel resources and memory, and all processor instructions; harder to detect and remove

Rootkit Payloads may be Malware
▪ Backdoor
  ▪ Functionality for ongoing remote access to a compromised machine. This may facilitate the machine being enlisted in a botnet.
▪ Software keylogger Programs
  ▪ Which record and send user keystrokes to an attacker. Information targets include
    ▪ Credit card details, Username-password pairs for online banking, Corporate VPNs or enterprise accounts etc
▪ Surveillance or session-logging software
  ▪ Remote use of device microphones, webcams, and sensors, allowing eavesdropping
  ▪ When a user is active, their local session (including mouse movements and keystrokes) can be reflected to a remote attacker’s desktop, providing a continuous screen capture.
  ▪ Milder variations record subsets of information (e.g., web sites visited, files accessed).

📝To Study
▪ Rootkits Vs. Trojans
  ▪ Explain what distinguishes rootkits from Trojans

Drive-by Downloads
▪ Malware also exploits the rich functional design of browser-server interaction
  ▪ The browser’s job is to (process and) display the web pages it receives
  ▪ The execution of content embedded in the page is “authorized” simply by visiting a web page
    ▪ Even if the page includes malicious content embedded through actions of an attacker.
▪ Simply visiting a web page can result in binary executable malware being silently downloaded and run on the user device
  ▪ This is called a Drive-by Download

Means Of Drive-by Exploitation
▪ Web Page ads
  ▪ often provided through several levels of third parties
▪ Web widgets
  ▪ Small third-party apps executed within a page, e.g., weather updates
▪ User-provided content reflected to others via sites (e.g., web forums) soliciting input;
▪ Malicious parameters as part of links (URLs) received in HTML email.

Drive-by Deployment Means
▪ Drive-by downloads can install various types of malware
  ▪ Including Keyloggers, Backdoors, and Rootkits
▪ Rather than a separate malware category, Drive-by Downloads is a deployment means or spreading method that exploits features of browser-server ecosystems.
▪ As a distinguishing spreading characteristic, the victim device initiates contact by visiting a compromised web site: a Pull Model.
  ▪ Traditional worms spread in a Push Model, with a compromised source initiating contact with next-victims.

Droppers (Downloaders)
▪ A Dropper is malware that installs (on a victim host) other malware that contains a malicious payload
▪ If this involves downloading additional malware pieces, the dropper may be called a Downloader
▪ Droppers may install backdoors to aid installation and update
▪ The payload may initiate network communications to a malware source or control center, or await contact
▪ The initial malware installed, or a software package including both the dropper and its payload, may be called the Egg
▪ The Dropper itself may arrive by any means
▪ Including a virus, worm, drive-by download, or user-installed Trojan Horse software
Ransomware and Botnets
▪ Ransomware is malware with a specific motive: TO EXTORT USERS
▪ This typically involves compromise of a host, and communication between the compromised device and a remote computer controlled by attackers (e.g., to deliver key material and ransom instructions)
▪ Attackers often communicate with and control large numbers of compromised devices, in which case the collection is called a BOTNET
Ransomware That Encrypts Files
▪ A powerful type of malware is that which prevents access to files (file lockers) by encryption
▪ It encrypts user data files
▪ It then asks users to pay a sum of money in return for a decryption key (e.g., delivered from a remote site) that allows file recovery
▪ Payment is demanded in hard-to-trace, non-reversible forms such as pre-paid cash vouchers or digital currencies
▪ The dramatic increase in ransomware in parallel with the rise of Bitcoin is notable
Ransomware That Encrypts Files
▪ Ransomware may involve rootkit functionality to make removal difficult
▪ Removal of the malware itself does not solve the problem: encrypted files remain unavailable, and if the key was generated or held remotely the data cannot be recovered from the infected host alone
▪ Ransomware may be deployed by any means used for other malware, including
▪ Trojan software installed unwittingly by users, e.g., via social engineering
▪ Best practice defenses include regular backup of all data files, kept offline or otherwise unreachable from the compromised host (ransomware also encrypts reachable backups and network shares), and periodically tested by restoring from them
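Backups are the recovery measure; detecting encryption in progress is the check a defender adds alongside them. The Python example below is added here and is not part of the lecture. It scans a directory for two signs of the file locker described above: files whose contents have become high-entropy (as ciphertext is) and files renamed with a ransom-style suffix. The suffix list, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext or compressed data,
    typically 4-6 for text and most office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumption: an illustrative list of suffixes file-encrypting ransomware
# families have appended to victims' files; a real detector keeps a larger,
# maintained list.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt", ".wncry")


def classify_file(path, entropy_threshold=7.5, sample_bytes=65536):
    """Flag a file as suspicious if it was renamed with a ransom-style suffix
    or if its leading bytes look like ciphertext."""
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    entropy = shannon_entropy(head)
    renamed = path.lower().endswith(RANSOM_SUFFIXES)
    return {
        "path": path,
        "entropy": round(entropy, 2),
        "renamed": renamed,
        "suspicious": renamed or entropy >= entropy_threshold,
    }


def scan_directory(root):
    """Classify every regular file under root."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            results.append(classify_file(os.path.join(dirpath, name)))
    return results


def suspicious_fraction(root):
    """Share of files that look encrypted or renamed; a sudden jump in this
    value across a user's documents is the signal worth alerting on."""
    results = scan_directory(root)
    return sum(r["suspicious"] for r in results) / len(results)


def build_sample_dir():
    """Constructed sample data: two ordinary documents plus two files that
    look the way they would after a file locker has run on them."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly plan: hire two engineers; renew the VPN contract.\n" * 50)
    with open(os.path.join(root, "report.csv"), "w") as f:
        f.write("date,amount\n" + "2024-01-01,100\n" * 200)
    with open(os.path.join(root, "notes.txt.locked"), "wb") as f:
        f.write(os.urandom(4096))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "report.csv.wncry"), "wb") as f:
        f.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for r in scan_directory(root):
        print(r)
    print("suspicious fraction:", suspicious_fraction(root))
```

Entropy alone also flags compressed archives, images and legitimately encrypted files, so a production detector combines it with the rename, the rate at which files change, and canary files that nothing legitimate should touch; the point here is that the two indicators together separate the untouched documents from the locked ones.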
Ransomware (Non-Encrypting)
▪ Other variations of file lockers make files unavailable by
▪ standard access control means (e.g., changing file permissions or ownership), or
▪ threatening to erase user files or reformat disks, or
▪ (falsely) claiming to have encrypted files
▪ Other non-encrypting ransomware may
▪ Deny user access to OS functionality until a ransom is paid (again, e.g., in bitcoin)
▪ Disable OS recovery and diagnostic modes (e.g., safe mode or safe boot) so the lock cannot be bypassed
Example | WannaCrypt 2017
▪ WannaCry (WannaCrypt) ransomware reportedly infected over 200,000 victims across 150 countries
▪ Ransomware encrypting files, with a $300–600 demand (via bitcoin)
▪ It spread worm-like between Windows hosts over SMB, so one infected machine could compromise an entire network without any user action
▪ Suspects: Lazarus Group, Pyongyang, North Korea
▪ 4 days duration (the main outbreak, May 2017)
Botnets and Zombies
▪ A common goal of malware is to obtain an OS command shell interface and then arrange for instructions to be sent to/from an external source
▪ A payload delivering this functionality is called Shellcode
▪ A computer that has been compromised by malware and can be remotely controlled (and reports back with collected information) is called a Bot (Robot) or Zombie
▪ A coordinated network of such machines is called a Botnet
▪ The individual controlling it is the Botnet Herder
▪ Owners of machines on which zombie malware runs are often unaware of this state of compromise (perhaps the owners are the Real Zombies)
Botnets
Communication Structures and Tactics
▪ A simple botnet command and control (C&C) architecture involves a Central Administrative Server in a client-server model
▪ Initially, control communications were over IRC (Internet Relay Chat) channels, allowing the herder to send one-to-many commands
▪ Such centralized systems have a single point of failure
▪ i.e., the central node, if found, can be shut down (or its domain seized), cutting the herder off from every bot at once
▪ More advanced botnets use Peer-to-peer Communications
▪ Coordinating over any suitable network protocol (including HTTPS, which blends in with ordinary web traffic); taking down a few peers leaves the rest reachable
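To make the single-point-of-failure argument concrete, the Python example below (added here, not from the lecture) builds a star-shaped centralized botnet and a random peer-to-peer overlay of the same size, then measures what fraction of the botnet the herder can still reach after the server is seized versus after the same number of peers are seized. The node names, peer-list size, random seed and takedown sets are assumptions of the simulation.

```python
import random
from collections import deque


def reachable_from(graph, start, removed):
    """Nodes reachable from start in an undirected adjacency dict, ignoring
    nodes in the removed set (seized servers or cleaned-up bots)."""
    if start in removed:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def star_botnet(n_bots):
    """Centralized C&C: every bot talks only to the server node 'C2'."""
    graph = {"C2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"C2"}
        graph["C2"].add(bot)
    return graph


def p2p_botnet(n_bots, peers_per_bot=4, seed=1):
    """Peer-to-peer C&C: each bot keeps a short peer list. A ring plus random
    extra links keeps the overlay connected; the herder injects commands at
    any bot and they are gossiped onward."""
    rnd = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    graph = {b: set() for b in bots}
    for i, bot in enumerate(bots):
        nxt = bots[(i + 1) % n_bots]
        graph[bot].add(nxt)
        graph[nxt].add(bot)
        for _ in range(peers_per_bot - 1):
            peer = rnd.choice(bots)
            if peer != bot:
                graph[bot].add(peer)
                graph[peer].add(bot)
    return graph


def controllable_fraction(graph, herder_entry, takedown):
    """Fraction of the original botnet the herder can still reach when
    commands enter at herder_entry after the nodes in takedown are removed."""
    bots = [n for n in graph if n.startswith("bot")]
    reach = reachable_from(graph, herder_entry, takedown)
    return sum(1 for b in bots if b in reach) / len(bots)


if __name__ == "__main__":
    star = star_botnet(200)
    p2p = p2p_botnet(200)
    seized_peers = {f"bot{i}" for i in range(1, 11)}
    print("star, C2 seized:      ", controllable_fraction(star, "C2", {"C2"}))
    print("star, herder at a bot:", controllable_fraction(star, "bot0", {"C2"}))
    print("p2p, 10 peers seized: ", controllable_fraction(p2p, "bot0", seized_peers))
```

Seizing the server or its domain works because it is every bot's only contact: even a herder who can still talk to one bot reaches nothing else. Against the peer-to-peer overlay, removing ten peers leaves nearly the whole botnet reachable, which is why defenders instead sinkhole a large share of peers or poison the peer lists.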
Social Engineering
▪ In contrast to silently installed malware, Social Engineering attacks may trick users into one-step download, installation and execution of malware
▪ Some operating systems hide filename extensions by default
▪ This aids such attacks by obscuring extensions such as .exe (executable), so that a file named invoice.pdf.exe is displayed as invoice.pdf
▪ Mostly, double-clicking a file results in program execution
▪ The program then runs with the execution privileges of the user who launched it
▪ This is a form of User-enabled Execution
Malware Classification
▪ Underlying Goals
▪ Damage to host and its data
▪ Data theft
▪ Direct financial gain
▪ Ongoing surveillance
▪ Spread of malware
▪ Control of resources
▪ Technical Properties
▪ Breed Mode (does it self-replicate?)
▪ Hosted (does it need a host program?)
▪ Stealth Mode
▪ Attack Vector
Malware Classification By Objectives
▪ Damage to Host and its Data
▪ Intentional destruction of data or disrupting the host machine
▪ E.g., crash the OS; deletion, corruption, or modification of files or entire disks
▪ Data Theft
▪ Documents stolen: corporate strategy files, intellectual property, credit card details, or personal data
▪ Credentials stolen: account passwords or crypto keys may allow fraudulent account login, including to online banking or enterprise accounts, or be sold en masse to others on underground or non-public networks (e.g., darknets)
▪ Stolen information is sent to attacker-controlled computers
Malware Classification By Objectives
▪ Direct Financial Gain
▪ Direct credit card risks include deceiving users into purchasing unneeded online goods such as fake anti-virus software
▪ Users may also be extorted, as in the case of Ransomware
▪ Malware may generate revenue by being rented out, e.g., on darknets (above)
▪ Ongoing Surveillance
▪ User voice, camera video, and screen actions may be recorded surreptitiously, by
▪ Microphones and web cameras on mobile and desktop devices
▪ Software that records web sites visited, keystrokes and mouse movements
Malware Classification By Objectives
▪ Spread of Malware
▪ Compromised machines may be used to further spread malware
▪ Control of Resources
▪ Once a machine is compromised, code may be installed for later execution or backdoor access
▪ Remote use is made of computing cycles and communication resources for purposes including
▪ Botnet service
▪ Bitcoin mining
▪ Hosting a server for phishing
▪ A steppingstone for further attacks, reducing the risk that an attack is traced back to the originating agent
▪ Zombies enlisted to send spam are called Spambots; those in a DDoS botnet are DDoS Zombies
Malware Classification by Tech Properties
▪ Does it Breed (self-replicate)?
▪ A drive-by download website causes malware to spread; the site itself does not self-replicate
▪ Trojans and rootkits may spread by various means, but such means are typically independent of the core functionality that characterizes them
▪ Does it require a Host Program, as a parasite does?
▪ Is it Stealthy, i.e., does it have measures to evade detection and hide its functionality?
▪ By what Vector does infection occur? Automatically over networks, or with user help (social engineering)?
▪ Does it involve an insider (with privileges beyond those of an external party)?
▪ Is it Transient (e.g., active content in HTML pages) or Persistent (e.g., re-launched on startup)?