Protecting Against Malware

This document outlines the dangers of malware to Windows operating systems, detailing types of malware, their effects, and methods of protection. It emphasizes the importance of user education, the use of anti-malware software, and the need for regular scans and updates to maintain system security. Additionally, it discusses various categories of malware and the techniques used by them to evade detection.

Uploaded by

Mark Hyde

Protecting Against Malware

Modes of Learning
For this module, the following modes of learning will be used:

• Interactive Module
• Self-Quizzes

Introduction
Welcome to Operating Systems Security - Windows. In this module we will look at the danger to the
Windows operating system from malicious software, how to protect against it, and how to remove it
from an infected system.

As you begin this module, please refer to the timeline and make note of any assessments or important
dates. If you have any questions, ask your instructor.

Learning Outcomes
Upon completion of this interactive module, you will be able to:

1. Explain healthy habits to avoid malware infection.
2. Categorize malware based on the effects it can have on a computer system.
3. Use anti-malware software to clean a computer system of malware.

Key Terms and Concepts


Listed below are some important key terms and concepts within this module.

• Virus
• Worm
• Rootkit
• Trojan
• Adware
• Spyware
• Ransomware
• Signature database
• Heuristic detection
• Multipartite virus
• Zero day attack
• Polymorphic code

Types and Purposes of Malware


Malware comes in many forms, and whatever form it takes, keeping up with it is a challenge for the
administrator. Keeping systems clean and avoiding infection in the first place is the obvious goal, but
if a system does become infected the administrator must take the appropriate steps to disinfect it.
A technical approach with the right software to guard against infection is needed; however, educating
users against risky behavior is also a must. Downloading files of unknown origin, clicking on links in
email and falling for phishing attacks are major vectors for infecting computers and networks.

Why Write Malware?


The motivation for writers of malware varies. Some reasons include the following:

• The challenge, thrill or sense of satisfaction in writing software that outwits the developers of
operating systems, applications or anti-virus software, and the recognition that earns from peers.
• Profit is a strong motive for many. At the milder end is adware, which pushes you to purchase
products, and spyware, which tracks your browsing. Software that scans your computer for useful
information or logs your keystrokes to capture passwords is far more threatening. The most damaging
may be ransomware, which encrypts your files and demands payment before they can be recovered.
• National security is a motive for those who want to attack rivals or enemies. Corporate espionage to
discover trade secrets is a motive for others. A national security agency may even steal the trade
secrets of companies in other countries and pass them to its own companies for commercial advantage.

What Effect Can Malicious Software Have?


Malicious software has a wide range of effects, some devastating, some merely annoying.

These might include:

• Slowing down your computer.
• Freezing the computer or crashing it.
• Corrupting your system files or deleting files.
• Making some programs faulty or corrupt.
• Damaging your boot sector, creating problems when you boot into Windows.
• Stealing important information from your computer and sending it to some other person.
• Making your computer part of a botnet.
• Intercepting your keystrokes in order to steal passwords.
• Copying your email address list in order to send out spam.
• Using your computer as a jump off point to infect other computers on your network.
• Activating/deactivating computer hardware such as the video camera or DVD drive.
• Modifying itself in order to avoid detection.
• De-activating your anti-virus software.

Categories of Malware
Malicious software can be classified into several categories. Be aware that malware in different
categories may do the same kind of damage; viruses and worms in particular can produce identical
effects and differ mainly in how they spread.
• Viruses: Malicious programs that can do any of the damage already described. The defining feature
of a virus is that it cannot exist by itself. Like a virus in the natural world, it must infect a host,
here a file or boot sector, in order to reproduce.
• Worms: A worm can do the same damage as a virus but, in contrast to a virus, it is a self-contained
executable. It does not need a host file to replicate and typically spreads by itself across the
network.
• Rootkits: A rootkit is malicious software whose purpose is to hide the presence of malware, usually
by replacing or hooking system components so that everything appears normal. For example, it may
intercept the calls that list files and processes so that its own files never appear, or report an
infected file's size as that of the original even when the file is in fact much larger.
• Adware: Adware, unlike the other software discussed here, actually makes itself known by presenting
messages to the user, most likely in a web page. It may also redirect a web page to an unwanted
advertising site. This may take the form of a pop-up or a pop-under; the latter is a window opened
underneath your web browser so that you do not discover it until you close the browser.
• Trojans: A Trojan is a malicious file disguised as something interesting or useful so that the user
wants to download it. Besides its visible, apparently useful function, it installs software that
performs other functions such as examining files, recording keystrokes or installing a bot.
• Spyware: This type of malicious software gathers information about the user and the computer
covertly and sends it back to its operator. One common method is to read the cookies stored by the
browser; recording browsing patterns and keystrokes are others.

Anti-virus Software
In order to avoid being infected, or to detect an infection if it occurs and eradicate it, an anti-virus
program can be used.

It should be noted that a product is usually designed to detect and eradicate a particular class of
software, such as viruses and worms, and will have limited effect on malicious software outside its
expertise. Specialty programs may need to be acquired to deal with other types of malware.

Another key point is that no vendor can do a perfect job against malicious software that is in a
constant state of flux, so it is advisable to keep at least a second program available in case of an
infection.

A partial list of popular anti-virus software is:

• McAfee
• Norton
• BitDefender
• Kaspersky
• Panda
• TrendMicro
• AVG
• Microsoft Security Essentials
• Windows Defender
Anti-Rootkits
Finding rootkits and eradicating them is a specialty job; the following software programs are up to the
task:

• Kaspersky TDSSKiller
• Avast’s aswMBR
• GMER
• Sophos anti rootkit

Anti-Trojans
Although there are some dedicated Trojan scanners this software is usually combined with other
malware detection capabilities into a more general program. Some examples of anti-Trojan software
are:

• Trojan Hunter
• Trojan Remover
• Emsisoft Anti-malware
• Malwarebytes’ Anti-malware
• SuperAntiSpyware
• Comodo Cleaning Essentials

Anti-Adware/ Anti-Spyware
The ability to scan for and eradicate adware and spyware is usually combined in one program. The
following may be useful to scan and eradicate adware and spyware:

• Spy Sweeper
• Spybot-Search & Destroy
• Ad-aware
• Windows Defender

Microsoft’s Anti-malware Products


At this point we need to take a moment to discuss Microsoft's two anti-malware products, Microsoft
Security Essentials and Windows Defender.

Some confusion exists because Microsoft Security Essentials was the free anti-virus product for earlier
versions of Windows, while Windows Defender was only an anti-spyware product in Windows Vista and 7.
Starting with Windows 8, Windows Defender took over the anti-virus role and Microsoft Security
Essentials is not available for Windows 8 or 10. (The component has since been renamed Microsoft
Defender Antivirus.)

Therefore, you should keep in mind that:

• Microsoft Security Essentials (Windows XP/Vista/7) is anti-malware, mostly anti-virus, software.
• Windows Defender (Windows Vista/7) is anti-spyware software.
• Windows Defender (Windows 8/10) is anti-virus and general anti-malware software.
How Do Anti-virus Programs Work?
Anti-virus software has four main components:

• The Scanner: This component scans the computer looking for malware. It scans memory, drives, and
boot files.
• Signature Database: A signature is a set of characteristics that identifies a known piece of malware:
typically a hash of the file or a distinctive byte sequence within it, and sometimes other
characteristics such as the files it writes or the memory locations it uses. The anti-malware program
uses the database of these signatures to recognize malware either residing in memory or in a file.
The appropriate action to take on a match is also found in the database.
• The Vault: When malware is recognized, action needs to be taken. The anti-malware program may want
to eradicate the malware, but there is always the possibility of a false positive; in other words, the
program identified as malware may in fact be legitimate. Instead of taking the drastic action of
deleting the identified files, the program moves them to a separate, safe area (the vault, or
quarantine), usually in an encoded form so that the stored copy is not itself detected again. From
there the files can be restored to their original location if they are deemed safe after all.
• The Shield: This component resides in memory and scans files as they arrive or are opened and
executed. The shield works in real time and if it detects an infected or malicious file it isolates it
and alerts you.
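The following added example (written for this page, not code from the original module or from any product) shows three of those components working together in miniature, in Python: a signature database of constructed file hashes and byte patterns, a scanner that walks a directory and also opens ZIP archives to a bounded depth and member size, and a vault that quarantines hits in masked form so a false positive can be restored byte-for-byte. Every file name, signature and sample below is constructed for the demo. There is no shield, because real-time interception needs a filesystem filter driver rather than a script.

```python
"""Toy signature scanner with a quarantine vault (added example, not from the
original module). A scanner walks a directory and opens ZIP archives to a
bounded depth, a signature database holds file hashes and byte patterns, and
a vault quarantines hits in masked form so a false positive can be restored.
All signatures and sample files below are constructed for the demo."""
from __future__ import annotations

import hashlib
import io
import json
import tempfile
import uuid
import zipfile
from pathlib import Path

MARKER = b"CONSTRUCTED-MARKER-FOR-DEMO"   # stands in for a distinctive byte sequence
SIGNATURES = {                            # constructed signature database
    "hashes": {hashlib.sha256(b"demo dropper v1\n").hexdigest(): "Demo.Dropper.A"},
    "patterns": {MARKER: "Demo.Marker.B"},
}
MAX_ARCHIVE_DEPTH = 3                # zip-in-zip layers to open
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # never inflate a member beyond this (zip bombs)
VAULT_MASK = 0xFF                    # quarantined bytes are XORed so they stop matching


def match_bytes(data: bytes) -> str | None:
    """Signature database lookup: exact hash first, then byte patterns."""
    name = SIGNATURES["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    return next((sig for pat, sig in SIGNATURES["patterns"].items() if pat in data), None)


def scan_blob(data: bytes, label: str, depth: int = 0) -> list[tuple[str, str]]:
    """Scan one blob and, if it is a ZIP, each member (labelled outer!member)."""
    hits = []
    if (sig := match_bytes(data)):
        hits.append((label, sig))
    if depth < MAX_ARCHIVE_DEPTH and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        continue      # refuse to inflate a possible zip bomb
                    hits += scan_blob(zf.read(info), f"{label}!{info.filename}", depth + 1)
        except zipfile.BadZipFile:
            pass                      # PK header but not a valid archive
    return hits


def scan_directory(root: Path) -> list[tuple[str, str]]:
    """The scanner: every regular file under root, reported relative to root."""
    hits: list[tuple[str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits += scan_blob(path.read_bytes(), str(path.relative_to(root)))
    return hits


def quarantine(path: Path, vault: Path, signature: str) -> Path:
    """The vault: store the file masked, with metadata, then remove the original."""
    vault.mkdir(parents=True, exist_ok=True)
    entry = vault / (uuid.uuid4().hex + ".quar")
    entry.write_bytes(bytes(b ^ VAULT_MASK for b in path.read_bytes()))
    entry.with_suffix(".json").write_text(json.dumps({"original": str(path), "signature": signature}))
    path.unlink()
    return entry


def restore(entry: Path) -> Path:
    """Undo a quarantine (false positive): unmask and put the file back."""
    original = Path(json.loads(entry.with_suffix(".json").read_text())["original"])
    original.write_bytes(bytes(b ^ VAULT_MASK for b in entry.read_bytes()))
    entry.unlink()
    entry.with_suffix(".json").unlink()
    return original


def demo(workdir: Path | None = None) -> dict:
    """Build a constructed sample tree, scan it, quarantine hits, restore one."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="avdemo-"))
    sample = workdir / "sample"
    sample.mkdir(parents=True, exist_ok=True)
    (sample / "readme.txt").write_bytes(b"nothing to see here\n")
    (sample / "dropper.exe").write_bytes(b"demo dropper v1\n")        # hash hit
    (sample / "marker.com").write_bytes(b"xx " + MARKER + b" xx")     # pattern hit
    inner, outer = io.BytesIO(), io.BytesIO()                          # marker two zips deep
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", MARKER)
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
    (sample / "bundle.zip").write_bytes(outer.getvalue())

    findings = scan_directory(sample)
    # One quarantine per on-disk file, however many archive members matched inside it.
    flagged = {label.split("!", 1)[0]: sig for label, sig in findings}
    entries = {name: quarantine(sample / name, workdir / "vault", sig)
               for name, sig in sorted(flagged.items())}
    after_quarantine = sorted(p.name for p in sample.iterdir())
    restored = restore(entries["dropper.exe"])   # treat this hit as a false positive
    return {
        "findings": findings,
        "after_quarantine": after_quarantine,
        "after_restore": sorted(p.name for p in sample.iterdir()),
        "restored_intact": restored.read_bytes() == b"demo dropper v1\n",
    }
```

Note what the nested archive demonstrates: the raw bytes of bundle.zip contain no signature because the marker is deflated, so a scanner that does not unpack would report the file clean. The depth and size caps are there because unbounded unpacking is itself an attack surface (nested archives and zip bombs), and the XOR mask on vault entries is the same trick real products use so that a later scan of the quarantine folder does not re-detect what is stored there.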

Heuristic Detection
One problem with fighting a virus is that it may never have been seen before. A brand new virus has
no signature in any database, which makes it difficult to identify, much less eradicate. The heuristic
engine used by many anti-virus programs analyzes a file's characteristics (suspicious structure,
packing, instruction sequences typical of decryptors) and its behavior to decide whether it is likely
to be malicious. The only way to see what a file does is to run it, but running a malicious file on
the real system would be dangerous. Instead the file is run in an emulator or virtual machine, called a
sandbox, so that any effects are confined to that restricted area.

Heuristic detection takes time, so it is slower than signature matching. It is also more prone to
false positives, because judging a file by its characteristics leads to inaccurate results more often
than an exact signature match does. Despite this, it is a valuable technique against files that have
no signature in the database.

How Does Malware Evade Detection or Eradication?


Malware developers have devised many techniques to hide from anti-malware scanners. Here is a short
list:

• Compressed and Packed Files: Malware that would be detected in its normal form can be missed when it
is compressed, packed with a runtime packer, or encrypted with a simple "crypter". A scanner should
unpack archives and common packers to look for the signature inside, and most modern products handle
the well-known formats, but custom packers and encrypted or deeply nested archives still defeat many
of them.
• Multipartite Virus: This type of virus infects in multiple ways in order to survive eradication. For
example, it might infect the boot sector, system files, and other executables. Removal has to cover
all of the infected locations at once if eradication is to succeed, because any surviving part can
reinfect the others.
• Evasion and Hiding: Naming malicious files with odd names, or hiding them, is a common ploy. Rootkits
are notorious for using system file names and concealing their size. It is also common to create
multiple copies of files in multiple unexpected locations, so that finding one does not guarantee
finding them all.
• Zero Day Attack: A zero-day vulnerability is a weakness in the operating system or an application
that the vendor does not yet know about, so no patch exists; a zero-day attack exploits such a
weakness, and the term is also used loosely for brand new malware. Anti-malware software has no
signature for it and does not know how to respond. This type of attack may be caught by heuristic
analysis, but it will always be dangerous.
• Time-Based Evasion: Instead of activating as soon as the computer boots or the malware is
downloaded, the malware stays dormant until 1) a predetermined time arrives or 2) some action or
activity on the computer takes place. This may fool the shield, and a sandbox that only watches for a
short time, if the trigger is not expected.
• Loaded in Memory: Once the malware is loaded in memory it is more difficult to eradicate, and
modifying memory while the computer is running can crash it. Even if the malicious software's files
can be identified and deleted, the running copy can often just recreate them. It is prudent to reboot
Windows in safe mode and then try to eradicate the malicious software. In safe mode only the most
basic system software and drivers are loaded, which usually prevents the malicious software from
starting. Note the word usually: malware that installs itself as a boot-start driver or registers
itself to run in safe mode will still load, which is one reason rootkit-specific tools and offline
scanning exist.
• Disabling Anti-Malware Software: Some malicious software can detect whether anti-malware software
is running and deactivate it.

Polymorphic Code
A polymorphic virus or worm uses a polymorphic engine to change its code from copy to copy while
keeping its function the same. Typically the body is encrypted with a different key each time it
propagates and prefixed with a small decryptor whose own instructions are also varied. This foils
anti-malware software that relies on fixed byte signatures, because no fixed byte sequence is common
to all copies.

Because polymorphic malware changes constantly and produces many variations, it is among the most
difficult types of malware to detect. It can still be detected, but each family needs its own
detection routine: an emulator that runs the decryptor and inspects the decrypted body, or a
cryptanalytic "X-ray" scan that strips a simple encryption layer and looks for the invariant body
underneath. Developing such routines takes time and effort, so older polymorphic malware is well known
and reliably found while newer infections may not be detected quickly.
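An added example (not part of the original module) that ties the heuristic detection section to polymorphism, in Python: a toy engine that re-encodes a constructed payload with a fresh XOR key and random junk for every copy, a fixed byte signature of the cleartext body that consequently misses every copy, and an "X-ray" heuristic that peels the hypothesised XOR layer with each of the 255 keys and finds the invariant body underneath. The payload text, the variant layout and the signature are all constructed for the demo; no real malware or product logic is involved.

```python
"""Polymorphic variants versus signature and heuristic detection (added
example, not code from the original module). A toy engine re-encodes one
constructed payload with a fresh XOR key and random junk for every copy, so
each variant has a different hash and byte layout while decoding to the same
body. A fixed byte signature of that body is then run against the variants
(and misses), followed by an 'X-ray' heuristic that assumes a single-byte XOR
layer and tries all 255 keys (and finds the body every time)."""
from __future__ import annotations

import hashlib
import secrets

PAYLOAD = b"DEMO-BODY: add Run key, then poll controller hourly"   # constructed stand-in
STATIC_SIGNATURE = PAYLOAD[:16]     # what a naive pattern signature would store
MAX_JUNK = 31                       # upper bound on random junk bytes per variant


def mutate(payload: bytes = PAYLOAD) -> bytes:
    """The polymorphic engine. Layout: [junk_len][junk][key][body XOR key]."""
    key = secrets.randbelow(255) + 1                  # 1..255; key 0 would leave cleartext
    junk = secrets.token_bytes(secrets.randbelow(MAX_JUNK) + 1)
    return bytes([len(junk)]) + junk + bytes([key]) + bytes(b ^ key for b in payload)


def decode(variant: bytes) -> bytes:
    """The decoder stub every variant carries; same behaviour whatever the key."""
    n = variant[0]
    key = variant[1 + n]
    return bytes(b ^ key for b in variant[2 + n:])


def static_signature_hit(blob: bytes) -> bool:
    """Signature scanner: the cleartext body's bytes, as stored on disk."""
    return STATIC_SIGNATURE in blob


def xray_hit(blob: bytes, pattern: bytes = STATIC_SIGNATURE) -> int | None:
    """Heuristic scanner: peel a hypothesised single-byte XOR layer with every
    key and look for the invariant body underneath. Returns the key that worked."""
    for key in range(1, 256):
        if pattern in bytes(b ^ key for b in blob):
            return key
    return None


def demo(generations: int = 8) -> dict:
    """Generate variants and count what each detection method catches."""
    variants = [mutate() for _ in range(generations)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "all_decode_to_same_body": all(decode(v) == PAYLOAD for v in variants),
        "static_signature_hits": sum(static_signature_hit(v) for v in variants),
        "xray_hits": sum(xray_hit(v) is not None for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the numbers show. First, single-byte XOR is a bijection on byte values, so it only permutes the byte histogram and leaves its entropy unchanged; an entropy heuristic that flags packed or encrypted files would not notice this layer, which is why the demo brute-forces the key instead. Second, the X-ray works only because the decoder here is fixed; real engines also mutate the decoder stub itself, which is what pushes scanners from X-raying towards running the stub in an emulator and inspecting what it produces.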

Managing Anti-Malware Software


Keeping individual workstations, servers, and the network free of malware requires constant vigilance
and the appropriate use of the tools. Some general considerations will help keep your network
malware free.

Do you use an active shield?

A memory-resident shield continually scans the applications being run and the files being transferred
and attempts to identify malicious software before it can be installed. Since this is obviously a
great benefit, why not always use this feature?

It is a processor-intensive function and can degrade performance, and it occupies memory that
applications could otherwise use. On modern hardware the cost is usually small, and turning the shield
off leaves the machine unprotected between scheduled scans, so the shield should normally stay on. If
it must be disabled on a particular machine, compensate with frequent scheduled scans.

Which drives should be scanned?


Scanning drives can take a long time. Should all of them be scanned or just some? Executable files are
the most common carriers, but data files are not safe either: documents with macros, scripts, and
files that exploit a flaw in the application that opens them can all carry malware. So scanning drive
C:, where Windows and installed programs live, is a must; consider which other drives hold files that
are opened or executed and scan those too.

Will you scan removable media?

It is hard to believe that a commercial DVD could be infected but there have indeed been such cases. A
USB memory stick could definitely harbor an infected file so should be scanned.

Will you do a full or quick scan?

A full scan can take an extremely long time and maybe should be scheduled for overnight. A quick scan
usually scans the most likely files to contain malware particularly executable and boot files.

How will you schedule scans?

A shield checks files as they are written, opened or executed, but a file that arrived before the
signature identifying it was published will sit undetected on disk until something scans it again.
You should run a scan if you suspect that the computer is infected, and after a major change to the
computer such as installing a new program. You should also schedule a regular scan at set intervals.
The anti-malware program may have a scheduling feature, or you can use the Task Scheduler built into
the Windows OS.

Keeping Your Systems Malware Free


The first line of defense in keeping your environment malware free is user education. A user must avoid
risky behavior and although this might seem to be common sense it often is not.

Here is a list of risky behaviors that users must be educated about:

• Do not download utilities or software unless you are absolutely sure of the provenance of the
program and are able and willing to deal with the consequences if you are wrong.
• Do not proceed to a web site if your browser flags it as suspicious.
• Do not click on a link on a web page if you are suspicious of it.
• Do not continue to a secured web site if the browser flags its digital certificate as unverifiable.
• Never send personal or financial information to a web site that is not secured; the URL must start
with HTTPS. Note that HTTPS only protects the data in transit; it does not make the site itself
trustworthy.
• Do not open email that your mail client or mail service has flagged as spam unless you are certain
of the sender.
• Do not click on any links in email unless you are absolutely sure that the email is bona fide.
• Scan a USB memory stick when you plug it into your computer, particularly if you received it from
someone else.

The next most important task in keeping your system clean is keeping the signature database up to
date. This is made easier because anti-malware software is alerted when new signature files become
available and can download them automatically. The same applies to operating system and application
updates, which close the vulnerabilities that malware exploits.

Scan your computer frequently or on a regular schedule.

Keep the firewall on the computer enabled. All modern Windows desktops enable the firewall by default
when the OS is installed. The firewall can prevent malware from replicating across the network and
infecting other machines.

Always work logged in as a standard user and never as administrator. Running with administrator
privileges lets malware that you accidentally execute modify system files, drivers and other
protected components; as a standard user it is limited to what your account can touch.

Cleaning Your Computer of Malware


If you believe that you have been infected, take the following steps:

1. Disable the network interface or pull the network cable so that you do not infect any additional
computers on your network and so that the malware cannot contact its controller. If the firewall was
doing its job it may have prevented spread, but malware has many ways around it.
2. Boot Windows into safe mode. Only basic services and drivers load in safe mode, so in most cases the
malware will not load and cannot interfere with the anti-malware program.
3. Scan the machine thoroughly with the anti-malware program, using a full scan.
4. If this does not work, download the Microsoft Malicious Software Removal Tool (MSRT) from
Microsoft. It removes specific, prevalent malware families that Microsoft knows how to remove. It is
not a general purpose anti-malware program and must be run manually. Microsoft releases an updated
version monthly, so download a fresh copy each time you want to run it.
5. Download another anti-malware program on a different, clean computer, transfer it to a USB memory
stick and run it on the infected computer from the USB key. Because no anti-malware program can
cover every possible type of malicious code, it is useful to have an alternative program and try
again.

If repeated scans keep finding the infection, or a rootkit is suspected, the reliable course is to
back up data, reformat the drive and reinstall the operating system from trusted media, then scan the
backed-up data before restoring it.

Module Summary
In this module we have explored:

1. How malicious software is a great risk to any operating system because of the serious damage it
can do.
2. The many categories of malware including viruses, worms, rootkits, Trojans, adware, and
spyware.
3. The importance of having a user who has been educated against risky behaviors such as
downloading suspicious files and clicking on links in email.
4. Having good anti-malware software, which needs to be kept up to date.
5. How to disinfect a computer.

Knowledge Check
The following questions provide an opportunity for you to see what you remember and understand so
far. Answer the questions to the best of your ability.

1. Which type of malware would you download because it looked like a useful program?
a. Rootkit.
b. Trojan.
c. Spyware.
d. Useful Utility.

2. Which type of malware modifies itself in order to avoid detection?


a. Heuristic software.
b. Rootkit.
c. Shape shifting worm.
d. Polymorphic virus.

3. Which of the following statements is true?


a. Windows Defender is anti-spyware in Windows 7.
b. Microsoft Security Essentials is anti-malware in Windows 10.
c. Windows Defender is anti-malware in Windows Vista.
d. Microsoft Security Essentials is anti-spyware in Windows 8.1.

4. How does a multipartite virus avoid being deleted?


a. It disguises its size.
b. It keeps changing its signature.
c. It infects multiple locations.
d. It uses a system file name.

5. Which component of anti-malware software will protect you in real time?


a. The scanner.
b. The heuristic engine.
c. The signature database.
d. The shield.

6. Why is it important to boot your computer into safe mode before trying to clean an infection?
a. Viruses do not load into memory when you are in safe mode.
b. The virus cannot infect other computers on the network when you are in safe mode.
c. You can scan protected system areas of the hard drive when you are in safe mode.
d. Scanning is quicker when you are in safe mode.

7. What technique might prevent a virus from infecting the rest of your network?
a. Do not log into the network.
b. Keep the firewall enabled.
c. Run anti-malware software on the server.
d. Use encryption on all traffic on the network.

8. What step should you take if your anti-malware software cannot eradicate the infection?
a. Update the signature database.
b. Reformat the hard drive and reinstall the operating system.
c. Download and try a second anti-malware software.
d. Try again by scanning all your data files.
9. When trying to access a secured web site your browser warns you that the digital certificate
can’t be verified, what should you do?
a. Contact the administrator of the web site and ask him to reissue the digital certificate.
b. Do not enter the web site.
c. Enter the web site because it was only a warning.
d. Lookup the Certificate Revocation List and see if the digital certificate is listed.

10. After you install a new anti-malware program your system becomes sluggish and unresponsive.
What could the problem be?
a. You installed a virus along with the program.
b. The signature database needs to be updated.
c. The signature database is too big and is taking up too much memory.
d. The active shield is taking up too much CPU time.

Answers:

1. B) Trojan.
2. D) Polymorphic virus.
3. A) Windows Defender is anti-spyware in Windows 7.
4. C) It infects multiple locations.
5. D) The shield.
6. A) Viruses do not load into memory when you are in safe mode.
7. B) Keep the firewall enabled.
8. C) Download and try a second anti-malware software.
9. B) Do not enter the web site.
10. D) The active shield is taking up too much CPU time.

You have completed Protecting Against Malware

Remember to check the timeline before you proceed to the next module to ensure you have completed
any assignments as required. Check with your instructor if you have any questions.
