Malware, Spyware, and Viruses By: Anthony Bosnak

Upload: caitlin-richardson

Post on 22-Dec-2015



Malware, Spyware, and Viruses

By: Anthony Bosnak

Overview

Malware

How Antivirus Programs Work

Future Threats

Malware

General misconception among people

Malware = “malicious software”

Malware is any kind of unwanted software that is installed without your consent on your computer.

Viruses, worms, Trojan horses, bombs, spyware, adware are subgroups of malware.

Viruses

A virus tries to infect a carrier and in turn relies on the carrier to spread the virus around.

A computer virus is a program that can replicate itself and spread from one computer to another.

Viruses cont.

Direct infection: the virus can infect files every time a user opens that specific infected program, document or file.

Fast infection: the virus infects any file that is accessed by the infected program.

Slow infection: the virus infects any new or modified program, file or document.
◦ Great way to trick an antivirus program!

Viruses cont.

Sparse infection: the process of randomly infecting files, etc. on the computer.

RAM-resident infection: the infection buries itself in your computer’s random access memory.

Video: Hippi Virus + Cascade Virus

Bombs

ANSI Bombs: MS-DOS days
◦ More of a joke malware than anything else.
◦ Change code in the ANSI.SYS file, which calls a driver that displays colors and graphics.
◦ One feature is keyboard macros. So the bomb would remap common keys the user would press.
◦ Most of the ANSI bombs would be disguised as a batch file to be run in the MS-DOS menu.

Example Code

ESC[99;"format c:";13p
ESC[67;"format c:";13p

This code remaps the letters C and c. Every time the user presses C or c, it tries to reformat the hard drive. The only problem with this is that the computer asks, “Do you really want to reformat drive C: (Y/N)?” Most users then press N or n for No. So the hacker remaps the Y and N keys.

ESC[110;121;13p
ESC[78;89;13p

When the user now presses the N or n key it will actually make the user press Y or y; and vice versa.
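A defender's view of the key-reassignment sequences above, as an added example that is not part of the original slides: Python code that scans text for ANSI.SYS keyboard reassignments and decodes which key is made to send what. The function names, the watch list of destructive commands and the sample text are assumptions made for this illustration.

```python
import re

# ANSI.SYS key reassignment: ESC [ p1 ; p2 ; ... p, where each parameter is a
# decimal key code or a double-quoted string (at least two parameters).
_PARAM = r'(?:\d+|"[^"\r\n]*")'
REASSIGN = re.compile(r'\x1b\[(' + _PARAM + r'(?:;' + _PARAM + r')+)p')
DESTRUCTIVE = ("format", "deltree", "del ", "erase")  # assumed watch list

def _decode(param):
    """Render one parameter as readable text."""
    if param.startswith('"'):
        return param[1:-1]
    code = int(param)
    if code == 13:
        return "<Enter>"
    return chr(code) if 32 <= code < 127 else f"<{code}>"

def find_reassignments(text):
    """Return one finding per key-reassignment sequence found in text."""
    findings = []
    for match in REASSIGN.finditer(text):
        params = re.findall(_PARAM, match.group(1))
        if params[0] == "0" and len(params) > 2:  # extended key, e.g. 0;59 = F1
            key, rest = f"<ext {params[1]}>", params[2:]
        else:
            key, rest = _decode(params[0]), params[1:]
        sends = "".join(_decode(p) for p in rest)
        reasons = []
        if any(word in sends.lower() for word in DESTRUCTIVE):
            reasons.append("destructive command")
        if key.lower() == "n" and sends.lower().startswith("y"):
            reasons.append("confirmation key swapped")
        findings.append({"offset": match.start(), "key": key,
                         "sends": sends, "reasons": reasons})
    return findings

# Constructed sample: a text file with one harmless colour sequence and three
# reassignments of the kind the slide describes.
SAMPLE = ('\x1b[1;33mREADME\x1b[0m\r\n'
          '\x1b[99;"format c:";13p'
          '\x1b[110;121;13p\x1b[78;89;13p')

if __name__ == "__main__":
    for finding in find_reassignments(SAMPLE):
        print(finding)
```

Colour and cursor sequences end in a letter other than `p`, so they are not reported; only sequences that rebind a key are.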

Bombs cont.

Logic bombs: programming code that is designed to execute or explode when a certain condition is reached.
◦ Most of the time it goes off when a certain time is reached or a program fails to execute. But these bombs wait for a triggering event to happen.
◦ Most common use of this is in the financial/business world.
◦ Most IT employees call this the disgruntled employee syndrome.

Trojans

Trojan horse: a program or software designed to look like a useful or legitimate file.

Once the program is installed and opened it steals information or deletes data.

Unlike other types of malware, a Trojan horse usually runs only once and is then done functioning.

Trojans cont.

Some create back-door effects

Another distribution of Trojans is by infecting a server that hosts websites.

Downfall of Trojans: very reliant on the user.

Video Example: Netural Zlob Trojan

Worms

Worms and viruses get interchanged commonly in the media.

In reality a worm is more dangerous than a virus.

User Propagation vs. Self Propagation

A worm is designed to replicate itself and disperse throughout the user’s network.

Email worms and Internet worms are the two most common worms.

Email Worm

An email worm goes into a user’s contact/address book and chooses every user in that contact list.

It then copies itself and puts itself into an attachment; then the user will open the attachment and the process will start over again!

Video Example: I LOVE YOU WORM

Internet Worms

An internet worm is designed to be conspicuous to the user.

The worm scans the computer for open internet ports through which it can download itself onto the computer.

Once inside the computer the worm scans the internet to infect more computers.

Adware and Spyware

Adware is a type of malware designed to display advertisements in the user’s software.

They can be designed to be harmless or harmful; the adware gathers information on what the user searches the World Wide Web for.

With this gathered information it displays ads corresponding to information collected.

Adware and Spyware cont.

Spyware is like adware: it spies on the user to see what information it can collect off the user’s computer to display pop-up ads on the user’s computer.

Spyware, unlike adware, likes to use memory from programs running in the background of the computer to keep close watch on the user.

This most often clogs up the computer, causing the program or computer to slow down and become non-functional.

Antivirus Programs

Antivirus programs are designed to detect malware trying to enter the user’s system.

There are several ways an antivirus program can track malware entering the computer.

Software can use:
◦ Signature-based detection
◦ Heuristics
◦ Cloud Antivirus
◦ Network Firewall

Signature-Based Detection

Most common way an antivirus finds malware on a computer

Database of virus signatures

Constant Updates

Not 100% foolproof

Heuristics

Detection of malware is done by monitoring files and how certain programs try to modify the files on the system.

When a modification takes place the antivirus alerts the user and tries to alleviate the problem.

Cloud Antivirus

New form of antivirus program

The virus scanning is done from a remote location (not on the computer).

It is so popular because it relieves the physical computer's resources.
◦ Constant functionality (Nonstop scanning)

Security Issues

Network Firewall

The operating system’s way of protecting the user from unknown programs.

Not technically an antivirus program

Monitors the TCP/IP ports that programs try to access.

Future Threats

Almost everything is hooked up to the internet in some form.

Recent events have widened the eyes of many security experts.

The ability to gain access to high security organizations, infrastructures or mainframes has frightened many people.

Could one click of the mouse start World War III?

Cyberspace

Attack on Estonia
◦ Parliament, ministries, banks, newspapers, and other websites were attacked by Denial of Service attacks.

Major infrastructures attacked
◦ Stuxnet Virus
◦ Japan’s Defense Contractors
◦ Zeus Malware

Obama almost started a cyberwar in Libya.

How can we protect ourselves

Use an antivirus program and keep it up to date!
◦ Yes, they only protect from known malicious code out there, but it’s still something!

Operating System’s Security

Keep your Operating System up to date!
◦ Windows is one of the most hacked OSes on the market.
◦ The updates are mostly focused on security patches

Become An Informed User!

Become aware of what you are doing on the internet!
◦ Don’t click on pop up ads!
◦ Keep up to date on current issues happening on the web!
