Malware - WordPress.com
Download
Report
Transcript Malware - WordPress.com
Malware
(malicious software)
Is software that may be used to :
-Disrupt computer operation (cause harm to system/ sabotage)
-Gather sensitive information (steal information or spy)
-Gain access to private computer systems
Used by black hats and governments (white Hats) to stealing personal, financial, business
information.
• It can take the form of executable code, scripts, active content and other software.
• often disguised as/embedded in non-malicious files.
Types of malware
Computer Viruses
Computer Worms
Trojan horse
Ransom ware/ Scare ware
computer virus
Is a program that embeds itself in another executable software/file to target systems (OS) without the user
knowing.
It requires the user to run the infected program/OS/file for the virus to spread
Harmful activities performed on infected host:
Stealing hard disk space or CPU time
Accessing private information
Corrupting data
Displaying political or humorous messages on the user's screen
Spamming contacts
Logging keystrokes
Motives for creating viruses
Seeking profit
Desire to send a political message
Personal amusement
Demonstrate that a vulnerability exists in software/security
Sabotage and denial of service
Persons wish to explore artificial life and evolutionary algorithms
To be noticed
Linux /Unix prevents normal users from making changes to the operating system environment, person
have to be given root user privileges.
Users do not log in as an administrator/ root user except to install or configure software on Linux/Unix; as a
result, even if a virus runs, no harm is done to the operating system.
Windows is not that strict, meaning that viruses can easily gain control of the entire system on Windows
hosts from a user account that is standard.
Virus types
Memory-resident virus
Installs itself as part of the operating system when executed, remains in the RAM from booted up to shut down.
Overwrite interrupt handling code or other functions, and when the operating system attempts to access the target file or disk
sector, the virus code intercepts the request and redirects the control flow to the replication module, spreading the infection.
Non-memory-resident virus
When executed, scans the disk for targets, infects them, and then exits (doesn’t remain in memory after executing).
Macro viruses
Embedded in documents or emails, so that the programs may be run automatically when the document is opened.
Boot sector viruses
Targets the boot sector/Master Boot Record of the host's hard drive or removable storage devices
worm
Is a stand-alone malware program that actively transmits
itself over a network to infect other computers.
A worm spreads itself without the need of the user or
attaching to another programs
worms
• Exploits computers security holes
no antivirus
out of date systems/antivirus
• Cause slowness or block network
• Attack weak points in a network
• Very difficult to quarantine
• Need to clean each computer on the network
• May carry payloads that contain other malware
worms
• Install backdoors on the infected computer to allow the creation of a
"zombie" computer under control of the worm author. Often referred to
as botnets and are commonly used by spam senders for sending junk
email or to cloak their website's address or DOS attacks.
worm writers have been caught selling lists of IP addresses of infected
machines.
Trojan
Trojan conceals harmful or malicious executable code.
Acts as a backdoor, contacting a controller which can then have unauthorized access to the
affected computer.
Not easily detectable
Computers may appear to run slower due to heavy processor or network usage.
They do not attempt to inject themselves into other files (computer virus) or otherwise
propagate themselves (worm).
Trojan
Operations that could be performed by a hacker, or be caused unintentionally by program operation, on a
targeted computer system include:
• Crashing the computer,
• Data corruption
• Remote access
• Use of the machine as part of a botnet (Denial-of-service attacks)
• Infects entire Network and other connected devices
• Data theft, including confidential files, sometimes for industrial espionage, and information with financial
implications such as passwords and payment card information
• Modify / delete /download / upload of files for various purposes
• Keystroke logging
• Monitor user’s through screen/ webcam
Trojan
A site offers a free download to a program or game that normally costs
money. Downloading the pirated version of a program or game allows
you to illegally use or play it, however, during the install it my install a
Trojan onto the computer.
• Are Software packages that conceal malware, by modifying the host's operating system so that
the malware is hidden from the user. Rootkits can prevent a malicious process from being visible
in the system's list of processes, or keep its files from being read.
Root kit
• Rootkit installation can be automated, or an attacker can install it once they've obtained root or
Administrator access.
• Takes Full control over the system means that existing software can be modified/subverted, for
software to be used to detect or circumvent it.
• Removal can be complicated or practically impossible, especially in cases where the rootkit
resides in the kernel; reinstallation of the OS may be the only available solution.
• When dealing with firmware rootkits, removal may require hardware replacement, or specialized
equipment.
Root kit
Rootkits and their payloads have many uses:
• Provide an attacker with full access via a backdoor, permitting unauthorized access.
• Conceal other malware, notably password-stealing key loggers and computer viruses.
• Use system for Dos attack
• In some instances, rootkits provide desired functionality, and may be installed intentionally on behalf of
the computer user:
Conceal cheating in online games from software like Warden.
Enhance emulation software and security software.
Anti-theft protection: Where laptops may have BIOS-based rootkit software that will periodically report to a central
authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.
Bypassing product activation
Example of Root kits
• Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat
copy-protection mechanisms such as SafeDisc and SecuROM.
• Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from
malicious actions. It loads its own drivers to intercept system activity, and then prevents other
processes from doing harm to itself.
Is a type of malware which restricts access to the computer system that it infects, and demands a
ransom paid to the creator(s) of the malware in order for the restriction to be removed.
Some forms of ransomware encrypt files on the system's hard drive (CryptoLocker), while some
may simply lock the system and display messages intended to coax the user into paying.
Initially popular in Russia
There are different types of Ransomware
What Ransom ware can do:
• Prevent users from accessing OS (Windows).
• Encrypt files so user can't use them.
• Stop certain apps/programs from running (web browser).
• They will demand that the user do something to get access to their PC/ files.
Demand you pay money.
Make you complete surveys.
There is no guarantee that paying the fine or doing what the ransomware tells you will give access to your PC
or files again.
Gray ware
Is unwanted applications that can worsen the performance of computers and may cause security risks.
Less serious or troublesome than malware.
Encompasses :
spyware,
adware,
joke programs,
remote access tools,
fraudulent dialers,
etc.
PUP/PUA (Potentially Unwanted Program / Potentially Unwanted Application)
Are applications that would be considered unwanted despite often having been downloaded by the user,
possibly after failing to read a download agreement. Include spyware, adware, fraudulent dialers.
key generators categorized as Grayware, although they deal with malicious content
Spy ware
Gathers information about a person or organization without their knowledge and sends such
information to another entity without the consumer's consent, or that asserts control over a
computer without the consumer's knowledge.
Difficult to detect.
May bundling itself with desirable software using a Trojan horse.
Classified into four types:
system monitors
adware
tracking cookies
In German-speaking countries called Govware (used to intercept communications from the target
computer). In the US its term as Policeware.
Spy ware
Infect a system through security holes in the Web browser or other software. When the user navigates to a
Web page controlled by the spyware author, the page contains code which attacks the browser and forces
the download and installation of spyware.
Targets Internet Explorer due to its history of security issues, which is integrated with the Windows
environment making susceptible attacks on the OS. Attachments may be in the form of Browser Helper
Objects, which modify the browser's behavior to add toolbars or to redirect traffic.
Some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security
settings, which further open the system to further opportunistic infections. Might even disable/remove
competing spyware programs.
Extend beyond simple monitoring. Spyware can collect almost any type of data, including personal
information like Internet surfing habits, user logins, and bank or credit account information.
Spyware has been closely associated with identity theft.
Spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability
issues, such as applications freezing, failure to boot, and system-wide crashes are also common.
Example of spyware
• Cool Web Search,
Took advantage of Internet Explorer vulnerabilities. Directed traffic to advertisements on Web
sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the
infected computer's hosts file to direct DNS lookups to these sites.
• Zlob trojan,
Downloaded to a computer via an ActiveX codec and reports information back to the Control
Server. This was the Brower history and also keystrokes.
• Sony Rootkit
Is a Trojan that was embedded into CDs sold by Sony, which silently installed and concealed
itself on purchasers' computers with the intention of preventing copying; it reported users' listening
habits, and unintentionally created vulnerabilities that were exploited by unrelatedmalware.
Detect /Protect/Recover against malware
• anti-virus
• anti-malware
• firewalls
• network hardware (proxies)
Resources
• Wikipedia
• Google
• Yahoo
• Bing
• Youtube
References
• https://www.youtube.com/watch?v=QIqA66eYpC0
• https://www.youtube.com/watch?v=c34QwtYI40g
• https://www.youtube.com/watch?v=7PVwCHBOqZM
• https://www.youtube.com/watch?v=a8hZQxWC3A8
• http://computer.howstuffworks.com