UNIT-IV

Malware (short for malicious software) is any software program or code that is intentionally
designed to disrupt, damage, steal, or gain unauthorized access to computer systems,
networks, or data.
In simple terms: malware is harmful software created to exploit or harm computers and their users.
Key Points in the Definition:
• Intentional: created with a malicious purpose.
• Types: includes viruses, worms, trojans, ransomware, spyware, adware, etc.
• Effects: can steal information, damage files, slow down systems, or give attackers control over devices.

Introduction to Malware Analysis History

Malware analysis is the process of dissecting malicious software to understand its behavior, origin, and potential impact. The history of malware analysis mirrors the evolution of malware itself, progressing from basic techniques for examining simple programs to sophisticated, multi-layered approaches for analyzing complex and evasive threats.

Early days (1970s–1990s)

 1971: The first "anti-virus". In response to the experimental, but non-malicious,


Creeper worm on the ARPANET, programmer Ray Tomlinson created Reaper—the
first known program designed to find and delete another program.

 Malware spread via physical media: Before widespread internet access, malware
primarily spread through infected floppy disks. Early malware analysis consisted of
manually investigating the code of these isolated infections.

o 1986: The Brain virus was the first IBM PC virus to spread globally through the
boot sectors of floppy disks.

 Simple static analysis: Analysts studied malware files without executing them. This
involved examining the binary code for unique strings and patterns—the basis for
early signature-based detection.
 Early reverse engineering: As malware became more complex, analysts used basic
debuggers and disassemblers to translate machine code into human-readable
assembly language to understand program logic.
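The static-analysis step described above (pulling printable strings out of a file without running it and matching byte patterns against a signature list) can be shown in a few lines. The following is an added example, not code from the original notes: the "binary" is a constructed byte blob with a few invented strings embedded in it, and the signature set is hypothetical, chosen only to illustrate how early signature-based scanners worked.

```python
import re
from typing import Dict, List

# Constructed sample "binary": filler bytes with a handful of ASCII strings embedded.
# This is NOT a real malware sample; the strings and URL are invented for illustration.
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\x00\x00\x01\x02"
    b"\x7fKERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    b"\x00\x00http://example.invalid/update.bin\x00\x03\x04\x05"
    b"\xde\xad\xbe\xef\x00\x00HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Hypothetical signature set (name -> byte pattern), in the spirit of early
# signature scanners: a hit means the pattern occurs somewhere in the file.
SIGNATURES: Dict[str, bytes] = {
    "pe_header_marker": b"MZ",                          # DOS/PE "MZ" stub at offset 0
    "remote_thread_injection_api": b"CreateRemoteThread",
    "run_key_persistence": b"CurrentVersion\\Run",
    "demo_payload_marker": b"\xde\xad\xbe\xef",         # constructed marker bytes
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII (0x20-0x7e) at least min_len bytes long,
    the same thing the classic `strings` utility reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def scan_signatures(data: bytes, signatures: Dict[str, bytes]) -> Dict[str, List[int]]:
    """Return {signature_name: [byte offsets]} for every pattern found in data.
    Overlapping occurrences are reported individually."""
    hits: Dict[str, List[int]] = {}
    for name, pat in signatures.items():
        offsets: List[int] = []
        start = 0
        while True:
            idx = data.find(pat, start)
            if idx < 0:
                break
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[name] = offsets
    return hits


def is_suspicious(hits: Dict[str, List[int]], min_hits: int = 2) -> bool:
    """Crude verdict: the PE marker alone is normal for any Windows executable,
    so it is ignored; two or more other signature hits flag the file."""
    meaningful = [n for n in hits if n != "pe_header_marker"]
    return len(meaningful) >= min_hits


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print("string:", s)
    found = scan_signatures(SAMPLE_BINARY, SIGNATURES)
    for name, offs in found.items():
        print(f"signature {name!r} at offsets {offs}")
    print("suspicious:", is_suspicious(found))
```

Running the block lists the embedded strings (the imported API names, the URL and the registry path are exactly the kind of indicators an analyst reads off a sample) and reports each signature with its byte offset. The weakness the notes go on to describe is visible here too: a single changed byte in any pattern, or an encrypted string table, defeats this scanner entirely.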

The internet era (1990s–2000s)

• Mass-mailing worms: Malware like the Melissa (1999) and ILOVEYOU (2000) worms, which spread rapidly via email, forced analysts to develop faster, more automated methods for processing large numbers of samples.

• Emergence of dynamic analysis: As malware writers developed obfuscation techniques like polymorphism and encryption to evade signature-based detection, analysts turned to dynamic analysis. This involved running malware in a safe, controlled environment, called a "sandbox," to observe its behavior.

• Sandbox technology: Early sandboxes, such as Cuckoo Sandbox (open-source) and commercial products, automated the monitoring of malware's actions, including file and registry changes and network traffic.

• Behavioral analysis: This technique moved beyond simple file signatures to observe and flag anomalous behavior, such as a process making unusual network connections or attempting to modify system files.
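Behavioral analysis, as described above, works on the event trace a sandbox records rather than on the file itself. The following is an added example, not part of the original notes or of any particular sandbox product: it parses a constructed, hypothetical event log (the `key=value` format, process names, paths and addresses are all invented) and applies three simple rules matching the behaviors the text names: a connection to an unusual port, a write under the Windows system directory, and a write to a Run key for persistence.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sandbox event trace in a hypothetical key=value format.
# The process, paths and IP addresses are invented (RFC 5737 documentation ranges).
SANDBOX_LOG = """\
2024-05-01T10:00:01 pid=4012 proc=invoice_viewer.exe event=proc_start parent=explorer.exe
2024-05-01T10:00:02 pid=4012 proc=invoice_viewer.exe event=file_write path=C:\\Users\\lab\\AppData\\Local\\Temp\\inv.tmp
2024-05-01T10:00:03 pid=4012 proc=invoice_viewer.exe event=net_connect dst=203.0.113.7:443
2024-05-01T10:00:04 pid=4012 proc=invoice_viewer.exe event=net_connect dst=198.51.100.23:4444
2024-05-01T10:00:05 pid=4012 proc=invoice_viewer.exe event=file_write path=C:\\Windows\\System32\\drivers\\svchlp.sys
2024-05-01T10:00:06 pid=4012 proc=invoice_viewer.exe event=reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2024-05-01T10:00:07 pid=2210 proc=notepad.exe event=file_write path=C:\\Users\\lab\\Documents\\notes.txt
"""

# Ports an ordinary desktop application is expected to use; anything else is flagged.
EXPECTED_PORTS = {53, 80, 443}
SYSTEM_DIR_PREFIX = "c:\\windows\\"
RUN_KEY_FRAGMENT = "\\currentversion\\run"


@dataclass
class Alert:
    rule: str
    line_no: int
    pid: int
    proc: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one trace line into a dict; the first token is the timestamp."""
    fields = line.split()
    event = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def analyze(log_text: str) -> List[Alert]:
    """Apply the behavioral rules to every event and return the alerts in order."""
    alerts: List[Alert] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        ev = parse_event(raw)
        pid, proc, kind = int(ev["pid"]), ev["proc"], ev["event"]

        if kind == "net_connect":
            host, _, port = ev["dst"].rpartition(":")
            if int(port) not in EXPECTED_PORTS:
                alerts.append(Alert("unusual_network_port", line_no, pid, proc,
                                    f"connection to {host} on port {port}"))

        elif kind == "file_write":
            if ev["path"].lower().startswith(SYSTEM_DIR_PREFIX):
                alerts.append(Alert("system_file_write", line_no, pid, proc,
                                    f"write under system directory: {ev['path']}"))

        elif kind == "reg_set":
            if RUN_KEY_FRAGMENT in ev["key"].lower():
                alerts.append(Alert("run_key_persistence", line_no, pid, proc,
                                    f"autorun key modified: {ev['key']}"))
    return alerts


def alerts_by_process(alerts: List[Alert]) -> Dict[int, int]:
    """Count alerts per pid so the analyst can see which process drove the verdict."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.pid] = counts.get(a.pid, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyze(SANDBOX_LOG):
        print(f"[line {a.line_no}] {a.rule}: {a.proc} (pid {a.pid}) {a.detail}")
    print(alerts_by_process(analyze(SANDBOX_LOG)))
```

The rules are deliberately behavior-centric: nothing about the file's bytes is examined, so a repacked or polymorphic copy of the same program produces the same three alerts. The benign write to a user's Documents folder and the connection on port 443 produce nothing, which is the kind of baseline judgement (what is normal for this process class) that real behavioral engines spend most of their effort on.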

The modern era (2010s–present)

• Sophisticated and evasive malware: Modern malware often detects if it's running in a virtual or sandboxed environment and alters its behavior to avoid analysis. This cat-and-mouse game requires analysts to use more advanced and stealthy techniques.

• Advanced Persistent Threats (APTs) and nation-state attacks: The discovery of sophisticated malware like Stuxnet (2010), designed for industrial sabotage, and Flame (2012), for cyberespionage, showed a shift toward targeted attacks with specific political or corporate objectives. Analyzing these required advanced reverse engineering and an understanding of geopolitical motivations.

• Cloud-based automation: The sheer volume of new malware has made manual analysis impractical. Cloud-based analysis platforms, such as Hybrid Analysis and VirusTotal, automate the entire analysis process, leveraging artificial intelligence and machine learning to analyze and report on threats at scale.

• Memory forensics: This advanced technique involves examining memory dumps from a compromised system to find artifacts of fileless malware, code injection, and rootkits.

• Integration of AI and machine learning: AI models are now used to rapidly classify and detect new malware variants by recognizing patterns in code and behavior. This has enhanced signature-based techniques and enabled proactive detection of unknown threats.

The future of malware analysis

The history of malware analysis is one of constant adaptation. As malware continues to evolve with the use of AI and emerging technologies, analysis techniques must advance to keep pace. The field will likely continue to emphasize automation, AI-driven analysis, and threat intelligence sharing to stay ahead of increasingly sophisticated and targeted threats.

Types of Malware

1. Virus

• Definition: Malicious code that attaches itself to files or programs and spreads when the infected file is executed.

• Effect: Can corrupt files, slow down systems, or crash programs.

2. Worm

• Definition: Standalone malware that spreads automatically across networks without user action.

• Effect: Can consume bandwidth, slow networks, or delete files.

3. Trojan Horse (Trojan)

• Definition: Malware disguised as legitimate software to trick users into installing it.

• Effect: Provides unauthorized access to attackers; may steal data.

4. Ransomware

• Definition: Malware that encrypts files and demands payment to unlock them.

• Effect: Loss of access to important files or systems.

5. Spyware

• Definition: Software that secretly monitors user activity and collects sensitive information.

• Effect: Passwords, credit card info, and browsing habits can be stolen.

6. Adware

• Definition: Malware that displays unwanted advertisements or pop-ups.

• Effect: Slows system performance; may redirect users to malicious websites.

7. Rootkit

• Definition: Malware designed to gain administrative (root) access and hide its presence.

• Effect: Enables attackers to control systems stealthily.

8. Keylogger

• Definition: Malware that records keystrokes to capture sensitive information.

• Effect: Can steal passwords, banking details, and private messages.

9. Botnet / Bots

• Definition: Malware that turns infected devices into "bots" controlled by an attacker.

• Effect: Can be used for large-scale attacks like DDoS.

Summary table:

| Type of Malware       | Definition                                            | Effect / Damage                                | Example                    |
|-----------------------|-------------------------------------------------------|------------------------------------------------|----------------------------|
| Virus                 | Malicious code attached to files/programs             | Corrupts files, slows system, crashes programs | CIH Virus                  |
| Worm                  | Self-replicating malware that spreads across networks | Consumes bandwidth, deletes files              | WannaCry (also ransomware) |
| Trojan Horse (Trojan) | Malware disguised as legitimate software              | Provides unauthorized access, steals data      | Zeus Trojan                |
| Ransomware            | Encrypts files and demands payment                    | Loss of access to files/systems                | CryptoLocker               |
| Spyware               | Monitors user activity secretly                       | Steals passwords, banking info                 | Pegasus                    |
| Adware                | Displays unwanted ads/pop-ups                         | Slows system, redirects to malicious sites     | Fireball                   |
| Rootkit               | Gains admin access and hides presence                 | Gives stealth control over system              | Sony Rootkit               |
| Keylogger             | Records keystrokes                                    | Steals passwords, credit card info             | Ghost Keylogger            |
| Botnet / Bots         | Turns devices into remote-controlled bots             | Launches DDoS, spam campaigns                  | Mirai Botnet               |
