Chapter 4: Malware: Malicious Software
Malicious Software
04/12/21 Malware 1
Viruses, Worms, Trojans, Rootkits
• Malware can be classified into several categories, depending
on propagation and concealment
• Propagation
– Virus: human-assisted propagation (e.g., open email attachment)
– Worm: automatic propagation without human assistance
• Concealment
– Rootkit: modifies operating system to hide its existence
– Trojan: provides desirable functionality but hides malicious operation
• Various types of payloads, ranging from annoyance to crime
Insider Attacks
• An insider attack is a security breach that is
caused or facilitated by someone who is a part
of the very organization that controls or builds
the asset that should be protected.
• In the case of malware, an insider attack
refers to a security hole that is created in a
software system by one of its programmers.
Backdoors
• A backdoor, which is also sometimes called a
trapdoor, is a hidden feature or command in a
program that allows a user to perform actions he
or she would not normally be allowed to do.
• When used in a normal way, this program
performs completely as expected and advertised.
• But if the hidden feature is activated, the program
does something unexpected, often in violation of
security policies, such as performing a privilege
escalation.
Non-malicious Backdoors
• Some backdoors are put into a program by its
programmers
– Debugging purpose (bypass some tedious steps to
speed up debugging)
– Many computer games have backdoors
• Secret key code to change gaming role (full health, full
map, invincible)
Malicious Backdoors
• Deliberate backdoors inserted by malicious
programmers
– Blackmail, secret privilege
• Backdoor created by malware on
compromised machines
– Opens a TCP listening service through which anyone can obtain a
shell on the machine without an account or password
– Example: Code Red II
Logic Bombs
• A logic bomb is a program that performs a malicious action as
a result of a certain logic condition.
• The classic example of a logic bomb is a programmer coding
up the software for the payroll system who puts in code that
makes the program crash should it ever process two
consecutive payrolls without paying him.
• Another classic example combines a logic bomb with a
backdoor, where a programmer puts in a logic bomb that will
crash the program on a certain date.
The Omega Engineering Logic Bomb
• An example of a logic bomb that was actually
triggered and caused damage is one that
programmer Tim Lloyd was convicted of using
on his former employer, Omega Engineering
Corporation. On July 31, 1996, a logic bomb
was triggered on the server for Omega
Engineering’s manufacturing operations,
which ultimately cost the company millions of
dollars in damages and led to it laying off
many of its employees.
The Omega Bomb Code
• The Logic Behind the Omega Engineering Time Bomb included the
following strings:
• 7/30/96
– Date condition that triggered the bomb
• F:
– Selects volume F:, which held the critical files
• F:\LOGIN\LOGIN 12345
– Logs in as a fictitious user, 12345 (the backdoor)
• CD \PUBLIC
– Moves to the public folder of programs
• FIX.EXE /Y F:\*.*
– Runs a program called FIX, which actually deletes everything on the volume
• PURGE F:\/ALL
– Prevents recovery of the deleted files
Defenses against Insider Attacks
• Avoid single points of failure.
• Use code walk-throughs.
• Use archiving and reporting tools.
• Limit authority and permissions.
• Physically secure critical systems.
• Monitor employee behavior.
• Control software installations.
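As an added worked example (not from the slides), here is a small code walk-through helper that looks for the two insider patterns discussed above in Python source: a secret compared against a string literal (a hardcoded master credential, i.e., a backdoor) and a date-gated call to a destructive function (a logic bomb in the style of the payroll and Omega examples). The sample module it scans, the credential name pattern and the list of destructive calls are all constructed for the example and are not taken from any real product.

```python
import ast
import re
from dataclasses import dataclass

# Constructed sample module (not real code from any product): a payroll module
# with a hidden master credential (backdoor) and a date-triggered destructive
# branch (logic bomb), modelled on the slides' payroll and Omega examples.
SAMPLE_SOURCE = '''
import datetime, shutil

def authenticate(user, password):
    if user == "admin" and password == "letmein-12345":   # hidden master credential
        return True
    return check_directory(user, password)

def run_payroll(records):
    if datetime.date.today() >= datetime.date(1996, 7, 30):
        shutil.rmtree("/srv/payroll")                     # destructive branch
    for r in records:
        pay(r)
'''

# Variable names that suggest a secret is being compared against a literal (assumed list).
CREDENTIAL_NAMES = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)
# Calls that destroy data; a date-gated call to one of these is a classic bomb (assumed list).
DESTRUCTIVE_CALLS = {"rmtree", "remove", "unlink", "rmdir", "system"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def _name_of(node):
    """Return the bare identifier of a Name/Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _is_date_literal(node):
    """True for date(YYYY, M, D) / datetime(YYYY, M, D, ...) built from int literals."""
    return (isinstance(node, ast.Call)
            and _name_of(node.func) in {"date", "datetime"}
            and len(node.args) >= 3
            and all(isinstance(a, ast.Constant) and isinstance(a.value, int)
                    for a in node.args[:3]))


def _credential_compare(cmp):
    """A secret-looking name compared with a string literal: a hardcoded credential."""
    sides = [cmp.left, *cmp.comparators]
    has_literal = any(isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides)
    names = [n for n in map(_name_of, sides) if n]
    return has_literal and any(CREDENTIAL_NAMES.search(n) for n in names)


def scan_source(src):
    """Walk the AST and return suspicious constructs a code walk-through should review."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Compare) and _credential_compare(node):
            findings.append(Finding(node.lineno, "hardcoded-credential",
                                    "secret compared against a string literal"))
        elif isinstance(node, ast.If):
            date_gated = any(_is_date_literal(n) for n in ast.walk(node.test))
            destructive = [_name_of(c.func) for stmt in node.body
                           for c in ast.walk(stmt)
                           if isinstance(c, ast.Call) and _name_of(c.func) in DESTRUCTIVE_CALLS]
            if date_gated and destructive:
                findings.append(Finding(node.lineno, "logic-bomb",
                                        f"date-gated call to {', '.join(destructive)}"))
    return sorted(findings, key=lambda f: (f.line, f.kind))


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the sample it reports the master-password comparison on line 5 and the date-gated rmtree on line 10. The point is the review process, not the regexes: a tool like this only shortlists lines for the walk-through, and an insider who knows the patterns can obfuscate around them, which is why the slide pairs walk-throughs with limited permissions and monitoring rather than relying on any one control.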
Trojan Horses
• A Trojan horse (or Trojan) is a malware program that
appears to perform some useful task, but which also
does something with negative consequences (e.g.,
launches a keylogger).
• Trojan horses can be installed as part of the payload of
other malware but are often installed by a user or
administrator, either deliberately or accidentally.
Current Trends
• Trojans currently have the largest infection potential
– Often exploit browser vulnerabilities
– Typically used to download other malware in multi-stage attacks
Source: Symantec Internet Security Threat Report, April 2009
Financial Impact
• Malware often affects a large user population
• Significant financial impact, though estimates vary widely, up to $100B per year (mi2g)
• Examples
– LoveBug (2000) caused $8.75B in damages and shut down the British parliament
– In 2004, 8% of emails were infected by W32/MyDoom.A at its peak
– In February 2006, the Russian Stock Exchange was taken down by a virus
Economics of Malware
• New malware threats have grown from 20K to 1.7M in the period 2002-2008
• Most of the growth has been from 2006 to 2008
• The number of new threats per year appears to be growing at an exponential rate
Source: Symantec Internet Security Threat Report, April 2009
Professional Malware
• Growth in professional cybercrime
and online fraud has led to demand
for professionally developed
malware
• New malware is often a custom-designed variation of a known
exploit, so that the malware designer can sell different "products"
to his or her customers.
• Like every product, professional
malware is subject to the laws of
supply and demand.
– Recent studies put the price of a
software keystroke logger at $23 and
a botnet use at $225.
Image by User:SilverStar from http://commons.wikimedia.org/wiki/File:Supply-demand-equilibrium.svg
used by permission under the Creative Commons Attribution ShareAlike 3.0 License
Adware
[Diagram: an adware engine infects the computer user's machine; the adware software payload then displays advertisers' content to the user]
Spyware
[Diagram: a spyware software payload runs on the computer user's machine; step 3: the spyware process periodically sends collected data to the spyware data collection agent]
White/Black Listing
• Maintain a database of cryptographic hashes for
– Operating system files
– Popular applications
– Known infected files
• Compute the hash of each file on the hard drives
• Look each hash up in the database: a match on a known-good hash
whitelists the file, a match on an infected-file hash blacklists it
• The integrity of the database itself must be protected (e.g., signed or
HMAC-protected, ideally kept on read-only media); otherwise an attacker who
modifies a file can simply update its hash in the database as well
• Example: Tripwire
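An added example, not code from the slides or from Tripwire itself, of the whitelist/blacklist check just described: build a SHA-256 baseline of a directory tree, bind the baseline with an HMAC so that an attacker who can edit files cannot silently edit the hash database too, then report added, removed, modified and blacklisted files. The directory tree, the HMAC key and the blacklisted hash are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative POSIX path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(baseline, key):
    """Serialize the baseline and bind it with an HMAC so edits are detectable."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "mac": tag})


def open_sealed(blob, key):
    """Verify the HMAC before trusting the baseline; raise on tampering."""
    obj = json.loads(blob)
    expected = hmac.new(key, obj["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj["mac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(obj["baseline"])


def check_integrity(root, baseline, known_bad=frozenset()):
    """Compare the disk against the whitelist (baseline) and the blacklist (known_bad)."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
        "blacklisted": sorted(p for p, h in current.items() if h in known_bad),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, compromise it, then scan."""
    key = b"example-hmac-key-kept-on-read-only-media"   # assumption: key is not on the scanned host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login program\n")
        (root / "etc.conf").write_bytes(b"setting=1\n")
        sealed = seal(build_baseline(root), key)

        # Simulated compromise: trojaned binary, dropped backdoor, deleted config.
        (root / "bin" / "login").write_bytes(b"trojaned login program\n")
        (root / "bin" / "dropped").write_bytes(b"backdoor listener\n")
        (root / "etc.conf").unlink()
        known_bad = {hashlib.sha256(b"backdoor listener\n").hexdigest()}  # constructed blacklist

        report = check_integrity(root, open_sealed(sealed, key), known_bad)

        # Attacker rewrites the baseline to match the new tree but cannot forge the MAC.
        forged = json.loads(sealed)
        forged["baseline"] = json.dumps(build_baseline(root), sort_keys=True,
                                        separators=(",", ":"))
        try:
            open_sealed(json.dumps(forged), key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is what makes the last bullet of the slide concrete: with the key held off the host (or the database signed and stored read-only), a forged baseline that matches the trojaned tree is rejected, and the modified, added, removed and blacklisted entries are reported from the genuine one.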
Heuristic Analysis
• Useful to identify new and "zero day" malware, for which no signature exists yet
• Code analysis
– Based on the instructions, the antivirus determines whether the program is
likely malicious, e.g., the program contains instructions to delete system files
• Execution emulation
– Run the code in an isolated emulation environment
• Such as in a virtual machine
– Monitor the actions that the target file takes
– If the actions are harmful, mark it as a virus
• Heuristic methods can trigger false alarms (legitimate software can perform
the same actions, e.g., an uninstaller that deletes files)
Shield vs. On-demand
• Shield
– Background process (service/daemon)
– Scans each time a file is touched (open, copy, execute, etc.)
• On-demand
– Scan on explicit user request or according to a regular schedule
– On a suspicious file, directory, drive, etc.
Online vs Offline Anti Virus Software
• Online
– Free browser plug-in
– Authentication through a third-party certificate (e.g., VeriSign)
– No shielding
– Software and signatures updated at each scan
– Poorly configurable
– Scan needs an internet connection
– Report collected by the company that offers the service
• Offline
– Paid annual subscription
– Installed on the OS
– Software distributed securely by the vendor online or by a retailer
– System shielding
– Scheduled software and signature updates
– Easily configurable
– Scan without an internet connection
– Report collected locally and may be sent to the vendor
Quarantine
• A suspicious file can be isolated in a folder called the quarantine:
– E.g., if the result of the heuristic analysis is positive and you are
waiting for a signature database update to confirm it
• The suspicious file is not deleted but made harmless: the user can decide
later whether to remove it, or restore it if it turns out to be a false positive
– Interacting with a file in quarantine is possible only through the
antivirus program
• The file in quarantine is harmless because it is stored encrypted: it is no
longer a runnable executable, so it cannot be launched by accident
• Usually the quarantine technique is proprietary and the details are
kept secret
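An added example (not the slides' code and not any vendor's) of the quarantine mechanism just described: a store that encrypts a flagged file under a key only the scanner holds, records metadata and the original hash, removes the original, and can restore the file after a false-positive review or delete it once the verdict is confirmed. The SHA-256 counter-mode keystream is an illustrative stand-in for whatever a real product uses (the slide notes those schemes are proprietary); the file contents, store location and key are constructed for the demo.

```python
import hashlib
import json
import secrets
import tempfile
import time
from pathlib import Path


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (illustrative only, not a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class QuarantineStore:
    """Holds suspicious files encrypted under a key only the scanner knows."""

    def __init__(self, directory, key):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.key = key

    def put(self, path, reason):
        """Encrypt the file into the store, record metadata, remove the original."""
        path = Path(path)
        data = path.read_bytes()
        nonce = secrets.token_bytes(16)
        entry_id = secrets.token_hex(8)
        # The stored blob has neither the original name, extension nor byte layout.
        (self.dir / f"{entry_id}.qbin").write_bytes(
            _xor(data, _keystream(self.key, nonce, len(data))))
        (self.dir / f"{entry_id}.json").write_text(json.dumps({
            "id": entry_id,
            "original_path": str(path),
            "reason": reason,
            "sha256": hashlib.sha256(data).hexdigest(),
            "nonce": nonce.hex(),
            "quarantined_at": time.time(),
        }))
        path.unlink()
        return entry_id

    def entries(self):
        return [json.loads(p.read_text()) for p in sorted(self.dir.glob("*.json"))]

    def restore(self, entry_id, dest=None):
        """Decrypt back to the original (or given) path after a false-positive review."""
        meta = json.loads((self.dir / f"{entry_id}.json").read_text())
        blob = (self.dir / f"{entry_id}.qbin").read_bytes()
        data = _xor(blob, _keystream(self.key, bytes.fromhex(meta["nonce"]), len(blob)))
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            raise ValueError("quarantine entry corrupted; refusing to restore")
        dest = Path(dest or meta["original_path"])
        dest.write_bytes(data)
        return dest

    def delete(self, entry_id):
        """Final removal once the user or a signature update confirms the verdict."""
        for suffix in (".qbin", ".json"):
            (self.dir / f"{entry_id}{suffix}").unlink()


def demo():
    """Constructed scenario: quarantine a fake dropper, restore it, detect corruption."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "review").mkdir()
        sample = root / "dropper.exe"
        payload = b"MZ" + b"\0" * 62 + b"PE\0\0" + b"fake executable body"   # constructed
        sample.write_bytes(payload)
        store = QuarantineStore(root / "quarantine", key=b"scanner-only-key")  # assumed key
        entry = store.put(sample, reason="heuristic: suspicious API strings")
        blob_path = root / "quarantine" / f"{entry}.qbin"
        result = {
            "original_removed": not sample.exists(),
            "stored_differs": blob_path.read_bytes() != payload,
            "entries": len(store.entries()),
        }
        restored = store.restore(entry, dest=root / "review" / "dropper.bin")
        result["restored_matches"] = restored.read_bytes() == payload
        blob = bytearray(blob_path.read_bytes())
        blob[10] ^= 0xFF                      # simulate on-disk corruption of the store
        blob_path.write_bytes(bytes(blob))
        try:
            store.restore(entry, dest=root / "review" / "again.bin")
            result["corruption_detected"] = False
        except ValueError:
            result["corruption_detected"] = True
        store.delete(entry)
        result["entries_after_delete"] = len(store.entries())
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to real products: the original hash recorded at quarantine time lets restore refuse a blob that was damaged or altered on disk, and because only the scanner holds the key, every interaction with a quarantined file goes through the antivirus program, as the slide says.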
Static vs. Dynamic Analysis
• Static Analysis
– Checks the code without trying to execute it
– Quick scan against the whitelist
– Filtering: scan with different antivirus products and check whether they
return the same result under different names
– Weeding: remove the known-good parts of a file as junk to better identify
the virus
– Code analysis: check the binary code to understand whether it is an
executable, e.g., PE
– Disassembling: check whether the byte code shows something unusual
• Dynamic Analysis
– Checks the execution of the code inside a virtual sandbox
– Monitor
• File changes
• Registry changes
• Processes and threads
• Network ports
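An added example, not from the slides, that combines the heuristic code-analysis step described earlier with the static checks in this table: a scanner that recognizes the PE layout (MZ stub with e_lfanew pointing at the PE signature), measures byte entropy to spot packed or encrypted sections, and scores suspicious strings. The indicator list, the thresholds and the four sample byte strings are constructed for the example; a real engine uses thousands of weighted indicators.

```python
import hashlib
import math
import struct

# Constructed indicator list for the example (a real engine weights many more).
SUSPICIOUS_STRINGS = [b"cmd.exe", b"DeleteFileA", b"URLDownloadToFileA",
                      b"WriteProcessMemory", b"SetWindowsHookEx"]
ENTROPY_THRESHOLD = 7.0   # bits/byte; compressed or encrypted data sits near 8.0
SUSPICIOUS_SCORE = 2      # assumed threshold for the verdict


def is_pe(data):
    """Static code-analysis step: does the byte stream have the PE layout?"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data):
    """Bits of entropy per byte; high values suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_scan(data):
    """Score a file on static indicators and return the evidence with the verdict."""
    hits = [s.decode() for s in SUSPICIOUS_STRINGS if s in data]
    entropy = shannon_entropy(data)
    score = len(hits) + (2 if entropy > ENTROPY_THRESHOLD else 0)
    return {
        "is_pe": is_pe(data),
        "entropy": round(entropy, 2),
        "string_hits": hits,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "clean",
    }


def minimal_pe(body):
    """Constructed PE-shaped header (MZ stub, e_lfanew -> PE signature) followed by body."""
    header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
    return header + body


def pseudo_random(n):
    """Deterministic high-entropy filler standing in for a packed or encrypted section."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed samples: a dropper-like PE, a packed PE, an encrypted archive, a text file.
SAMPLES = {
    "dropper": minimal_pe(b"\0" * 200
                          + b"URLDownloadToFileA\0cmd.exe /c del\0DeleteFileA\0"
                          + b"\0" * 200),
    "packed": minimal_pe(pseudo_random(4096)),
    "archive": b"PK" + pseudo_random(4096),
    "readme": b"This is an ordinary text file with nothing special in it.\n" * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, heuristic_scan(data))
```

The "archive" sample is the false alarm the heuristic slide warns about: it is not an executable at all, but its entropy alone pushes it over the threshold, which is why a static heuristic verdict is normally confirmed by the dynamic sandbox monitoring listed in the table or by a later signature match rather than acted on by itself.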