Malware
Done by: Laith Mkarem, Hassan Obeid
Class: 8C
Lesson Aims
• To know:
  • What malware is
  • How it infects hosts
  • How it hides
  • How it spreads
  • About worms
What is malware?
• Malware is a set of instructions that runs on your computer and makes your system do something that an attacker wants it to do.
What is it good for?
• Steal personal information
• Delete files
• Steal software serial numbers
• Use your computer as a relay
The Malware Zoo
• Virus
• Bomb
• Trojan horse
• Spyware
• Adware
• Worm
What is a virus?
• A program that can infect other programs by modifying them to include a, possibly evolved, version of itself
Some virus types
• Polymorphic: uses a polymorphic engine to mutate while keeping the original algorithm intact (packer)
• Metamorphic: changes after each infection
What is a trojan?
A trojan is the class of malware that appears to perform a desirable function but in fact performs undisclosed malicious functions that allow unauthorized access to the victim's computer.
What is spyware?
• Spyware is a component that uses stealth to maintain a persistent and undetectable presence on the machine.
What is a worm?
A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other devices and does so without any user intervention.
Almost 30 years of malware
• From the book Malware: Fighting Malicious Code
History
• 1981 First reported virus: Elk Cloner (Apple II)
• 1983 Virus gets defined
• 1986 First PC virus (MS-DOS)
• 1988 First worm: Morris worm
• 1990 First polymorphic virus
• 1998 First Java virus
• 1998 Back Orifice
• 1999 Melissa virus
• 1999 Zombie concept
• 1999 Knark spyware
• 2000 Love Bug
• 2001 Code Red worm
• 2001 Kernel Intrusion System
• 2001 Nimda worm
• 2003 SQL Slammer worm
Number of malware / Malware repartition
[Chart: malware counts and breakdown by type, from the Panda Q1 2009 report]
Infection methods
What to Infect
• Executable
• Interpreted file
• Kernel
• Service
• MBR
• Hypervisor
Overwriting malware
[Diagram: the malware overwrites the targeted executable]
Prepending malware
[Diagram: targeted executable → infected host executable, with the malware placed before the original executable]
Appending malware
[Diagram: targeted executable → infected host executable, with the malware placed after the original executable]
Cavity malware
[Diagram: targeted executable → infected host executable, with the malware placed in a cavity (unused space) inside the executable]
Multi-cavity malware
[Diagram: targeted executable → infected host executable, with the malware split across several cavities]
Packers
[Diagram: packer + malware → infected host executable]
Packer functionalities
• Compress
• Steal
• Randomize (polymorphism)
• Add junk
• Virtualization
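Every infection method above (overwriting, prepending, appending, cavity, packing) changes the bytes of the host executable, so a stored hash baseline exposes the change whatever the technique. The following file-integrity check is an added defender-side example, not code from the slides; the directory layout, file names and the simulated changes are constructed for the demo.

```python
"""File-integrity baseline (added example, not from the original slides).

Records a SHA-256 hash and size for every file under a root, then compares a
later snapshot against it. The size hint in the report helps an analyst guess
which infection technique was used: prepending or appending grows the file,
a cavity infection keeps the size, overwriting may change it either way.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify files as modified / added / removed relative to the baseline."""
    current = build_baseline(root)
    report = {"modified": {}, "added": [], "removed": []}
    for rel, info in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif info["sha256"] != baseline[rel]["sha256"]:
            old, new = baseline[rel]["size"], info["size"]
            hint = "grew" if new > old else "shrank" if new < old else "same size"
            report["modified"][rel] = hint
    report["removed"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Constructed scenario: baseline two fake 'executables' (just MZ headers
    and padding, no real code), then simulate an in-place change of the same
    size (cavity style), an appended tail (grows), and a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x11" * 100)
        baseline = build_baseline(root)
        with (root / "bin" / "app.exe").open("r+b") as fh:   # overwrite padding
            fh.seek(50)
            fh.write(b"\xff" * 10)
        with (root / "bin" / "tool.exe").open("ab") as fh:   # append a tail
            fh.write(b"\xee" * 32)
        (root / "bin" / "new.dll").write_bytes(b"MZ")        # unexpected new file
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the malware cannot reach (read-only media or a separate host), otherwise an infection that also rewrites the baseline goes unnoticed.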
Document-based malware
• MS Office
• Open Office
Spyware can
• Perform
  • login
  • password
• Hide activity
• Find
Kernel spyware
[Diagram: processes P1, P2, P3 and PS run above the kernel; the spyware sits inside the kernel, between the processes and the hardware (HD, keyboard, mouse, NIC, GPU)]
Hypervisor spyware
[Diagram, before: App, App on the target OS, on hardware]
[Diagram, after: App, App and a rogue app on the target OS, which now runs as a virtual machine on a virtual machine monitor / host OS, on hardware; the spyware lives in the hypervisor layer]
Spreading
• Shared folder
• Email spreading (image from the PandaLabs blog)
• Fake antivirus (image from the PandaLabs blog)
• Hijack your browser (image from the PandaLabs blog)
• Fake page! (image from the PandaLabs blog)
• P2P files
Spyware communication
[Diagram "Basic": attacker and infected host, direct connection]
[Diagram "Reverse": infected host and attacker, connection in the reverse direction]
[Diagram "Advanced": infected host and attacker both connect to a rendezvous (RDV) point]
Adware
Injects ads and files into your computer
Detection
Anti-virus
• Analyzes system behavior
• Analyzes binaries to decide whether they are a virus
• Types:
  • Scanner
  • Real-time monitor
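The scanner type of anti-virus compares file bytes against known signatures. The block below is an added example, not code from the slides: signatures are written as hex with "??" wildcards and compiled to byte regexes, and the scan is run over a constructed directory. The EICAR string is the public anti-virus test file; "Demo.Wildcard" is a constructed pattern, not a real malware family.

```python
"""Minimal signature scanner (added example, not from the original slides)."""
import re
import tempfile
from pathlib import Path

# EICAR test string: the public, harmless anti-virus test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hex_signature_to_regex(hex_pattern: str) -> re.Pattern:
    """'4D 5A ?? ?? 50 45' -> regex for 4D 5A, any two bytes, 50 45."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")                       # wildcard byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' also matches 0x0A


SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    # Constructed demo signature: 'MZ', any two bytes, then the ASCII tag DEMO.
    "Demo.Wildcard": hex_signature_to_regex("4D 5A ?? ?? 44 45 4D 4F"),
}


def scan_bytes(data: bytes) -> list:
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def scan_tree(root: Path) -> dict:
    """On-demand scan: map each flagged file (relative path) to its hits."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Constructed files: the EICAR test file, a fake 'MZ..DEMO' binary, and
    a clean text file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "eicar.com").write_bytes(EICAR)
        (root / "demo.exe").write_bytes(b"MZ\x90\x00DEMO payload (constructed)")
        (root / "notes.txt").write_bytes(b"nothing suspicious here")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A byte-exact signature misses a copy that differs in a single byte, which is why polymorphic malware defeats plain scanners and why the slides list behavior analysis and real-time monitoring alongside them.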
Worms
Worm
A worm is self-replicating software designed to spread through the network.
Can cause enormous damage:
• Launch DDoS attacks, install bot networks
• Access sensitive information
• Cause confusion by corrupting the sensitive information
Worm vs virus vs Trojan horse
• A virus is embedded in a file or program
• Viruses and Trojan horses rely on human intervention
• Worms are self-contained and may spread autonomously
How do worms spread?
Need for automation
• Current threats can spread faster than defenses can react
• The manual capture/analyze/signature/rollout model is too slow
[Chart: contagion period vs. signature response period, plotted against time (1990 to 2005) on a scale of months, days, hours, minutes and seconds. Macro viruses, e-mail viruses, network worms and "flash" worms appear progressively lower on the time scale; the signature response period is marked as pre-automation and post-automation.]
The basic algorithm
[Diagram: a detector in the network watches traffic between hosts A, B, D and E. For each piece of content it keeps a prevalence table (how many times the content was seen) and an address dispersion table (distinct sources and destinations).]
The tables after each packet carrying the same content:
Step  Prevalence  Sources      Destinations
1     1           1 (A)        1 (B)
2     2           2 (A,B)      2 (B,D)
3     3           3 (A,B,D)    3 (B,D,E)
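The prevalence and address dispersion tables above can be replayed in code. The block below is an added example, not code from the slides: a content sifter fingerprints each payload, counts how often it is seen and how many distinct sources and destinations carry it, and raises an alarm once all three exceed a threshold. The packet trace, the hosts A, B, D, E and S, the payload bytes and the thresholds are constructed for the demo; a second trace (one server sending the same update to many hosts) shows why prevalence alone is not enough.

```python
"""Content sifting worm detector (added example, not from the original slides)."""
import hashlib
from collections import defaultdict


class ContentSifter:
    def __init__(self, prevalence_threshold=3, source_threshold=3, dest_threshold=3):
        self.prevalence = defaultdict(int)     # fingerprint -> times seen
        self.sources = defaultdict(set)        # fingerprint -> distinct sources
        self.destinations = defaultdict(set)   # fingerprint -> distinct destinations
        self.thresholds = (prevalence_threshold, source_threshold, dest_threshold)
        self.alarms = []                       # fingerprints that tripped all thresholds

    @staticmethod
    def fingerprint(payload: bytes) -> str:
        """Content key: a truncated hash stands in for the slides' 'content'."""
        return hashlib.sha256(payload).hexdigest()[:16]

    def observe(self, src: str, dst: str, payload: bytes) -> dict:
        """Update both tables for one packet and return this content's row."""
        key = self.fingerprint(payload)
        self.prevalence[key] += 1
        self.sources[key].add(src)
        self.destinations[key].add(dst)
        row = {
            "content": key,
            "prevalence": self.prevalence[key],
            "sources": sorted(self.sources[key]),
            "destinations": sorted(self.destinations[key]),
        }
        p, s, d = self.thresholds
        # Alarm only when the content is both common AND widely dispersed:
        # many sources and many destinations is the worm-like pattern.
        if (row["prevalence"] >= p and len(row["sources"]) >= s
                and len(row["destinations"]) >= d and key not in self.alarms):
            self.alarms.append(key)
        return row


def demo() -> dict:
    """Constructed trace: the slides' A -> B -> D -> E hops of one payload,
    then a benign 'software update' from a single server S to three hosts."""
    sifter = ContentSifter()
    worm = b"constructed worm payload (same bytes on every hop)"
    update = b"constructed software update (same bytes from one server)"
    trace = [
        ("A", "B", worm), ("B", "D", worm), ("D", "E", worm),
        ("S", "B", update), ("S", "D", update), ("S", "E", update),
    ]
    rows = [sifter.observe(src, dst, payload) for src, dst, payload in trace]
    return {
        "worm_rows": rows[:3],
        "update_row": rows[5],
        "alarms": sifter.alarms,
        "worm_key": ContentSifter.fingerprint(worm),
    }


if __name__ == "__main__":
    for row in demo()["worm_rows"]:
        print(row)
```

The update payload reaches prevalence 3 with three destinations but only one source, so it never alarms; the worm payload trips the alarm exactly at the third row of the slides' table.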