Lecture 10: Malware

21 Terms

1

What is malicious software (malware) and how does it spread?

  • Definition:

    • Software deliberately designed to harm or disrupt computer systems.

    • Causes undesired actions within information systems.

  • Common Spread Methods:

    • Email (especially attachments)

    • Infected USB drives

    • Downloading or exchanging corrupted files

    • Embedded in computer games

    • Included in cracked/pirated software

2

History of Malware

  • The Creeper Program (1971)

    • No malicious intent

  • 🐰 The Rabbit Virus (1974)

    • Had malicious intent

    • Repeatedly replicated until the system crashed

  • 🐴 The First Trojan (1975)

    • Copied itself with the game "ANIMAL"

    • Not malicious, but demonstrated Trojan behavior

  • 💾 The Brain – First Boot Sector Virus (1986)

    • Infected floppy disks

    • Aimed to track software piracy, not harm users

    • First known Stealth Virus

  • 💌 The Love Letter (2000)

    • First virus spread via email

    • Subject: “I love you”

    • Attachment: Love-Letter-for-you.txt.vbs

    • Overwrites/replaces user files

3

Types of Malware

  • Viruses

  • Rabbit

  • Hoaxes

  • Trojan Horse

  • Spyware

  • Trapdoor (Backdoor)

  • Worms

4

Viruses

Programs that spread by copying themselves into other software

Typically require user interaction to activate

Two major categories:

  1. Boot Sector Virus:

    • Infects the boot sector of a system

    • Spreads via physical media (e.g., USBs, floppy disks)

    • Activates during system boot

    • BIOS improvements now reduce risk

    • Examples: Brain, Stoned

  2. File Virus:

    • Infects application/game files

    • Activates when the infected file is run

    • Often memory-resident (stays in memory)

    • Examples: Jerusalem, Cascade, Melissa

5

Polymorphic Virus

  • A complex virus that creates modified copies of itself each time it replicates

  • Encrypts its code and changes encryption keys each time

  • Very difficult to detect and remove due to its constant mutation

6

Stealth Virus

  • Hides in legitimate files and partitions to avoid detection

  • Renames itself and copies into new locations

  • Redirects antivirus scans to uninfected files

  • May cause:

    • System crashes

    • Slow performance

    • Unidentified icons

7

Armored Virus

  • Designed to resist analysis and reverse engineering

  • Returns false data to programs trying to inspect it

  • Adds confusing and complex code to trick analysts

  • Makes malware analysis significantly harder

8

Companion Virus

  • Mimics a legitimate file by using the same name but a different extension

  • Typically requires human interaction to execute

  • Popular in the MS-DOS era

  • Example: creates example.com, which MS-DOS runs in preference to example.exe when the user types "example"

9

Rabbit

  • A type of malware that replicates itself uncontrollably

  • Consumes system resources like:

    • CPU time

    • Memory

    • Disk space

  • Key effects:

    • Repeatedly re-attacks infected systems, making recovery hard

    • Exhausts all system resources, leading to system slowdowns or crashes

    • Causes denial of access by locking out the user from essential resources

10

Hoaxes

  • False virus alerts meant to trick users into spreading fake information

  • Commonly seen as chain letters or alarming messages

  • Tricks recipients into forwarding the message, causing it to spread

  • Leads to:

    • Flooded network traffic (bandwidth wastage)

    • System/network slowdown due to message volume

    • Denial of access from network congestion

  • Examples: Irina and Deeyanda (famous virus-related hoaxes)

11

Trojan Horse

  • A malicious program that pretends to be legitimate but has hidden harmful features

  • Does something different from what it claims (e.g., steals passwords instead of opening a file)

  • Not self-replicating or self-propagating

  • Needs user action to be installed (e.g., downloading and running it)

  • Infections occur when the user installs and executes the infected program

  • Types of Trojan Horses:

    • RAT (Remote Access Trojan) – gives attacker full remote control

    • Keylogger – records keyboard input

    • Password Stealer (PSW) – grabs stored credentials

    • Logic Bomb – executes when certain conditions are met

  • Transmitted via:

    • Spam or malicious emails

    • Downloaded files (even from trusted-looking websites)

    • Infected USB drives (even from trusted sources)

    • Legitimate-looking programs that are Trojan-infected

12

Worms

  • A stand-alone program that spreads copies of itself across a network

  • Does irrecoverable damage to systems

  • Doesn’t need user interaction to spread

  • Unlike viruses, it doesn’t attach to files — it spreads independently

  • Attacks by Worms:

    • Deletes files and performs other malicious tasks

    • Steals data and sends it back to the attacker (e.g., passwords)

    • Disrupts system operations, causing Denial of Service (DoS)

    • Can carry viruses along with them to worsen the infection

13

Virus vs. Worm

  • Virus:

    • Needs a host file or program to infect

    • Requires user action (e.g., running a file) to activate

    • Spreads by attaching itself to other files

    • Spreads more slowly

    • Damages or deletes files

  • Worm:

    • Does not need a host — standalone malware

    • Spreads automatically through networks

    • Replicates by self-copying to other systems

    • Spreads very quickly

    • Can cause system disruption, data theft, and DoS attack

14

Ransomware

  • Malicious software that encrypts files or locks systems and demands a ransom payment to restore access

  • Uses strong encryption algorithms

  • Motives:

    • Primarily financial gain

  • Delivery Methods:

    • Email attachments

    • Vulnerable websites

    • Exploiting software vulnerabilities

  • Mitigation Techniques:

    • User awareness & education

    • Regular system/software updates

    • Antimalware tools

    • Frequent backups of important data

15

Malware Detection

  • Malware is unique and inserts itself in a predictable (deterministic) way

  • Its behavior leaves a signature — a recognizable pattern in the object code

  • Anti-virus scanners use this signature to detect and identify malware

  • Evasion Techniques Used by Malware:

    • Inserting random patterns in meaningless places

    • Using self-modifying code (e.g., polymorphic viruses)

    • Encrypting their code and changing keys frequently

16

Effects of Malware on a Computer System

  • Overwrites user's data in memory

  • Overwrites user programs, leading to software malfunction

  • Corrupts system data or programs, disrupting normal operations

  • Causes “Smashing the Stack”:

    • A buffer overflow attack

    • Redirects execution flow to malicious virus code

17

Bot & Botnets

  • Bot:

    • Malware that runs automatically and autonomously on a compromised computer (a "zombie")

    • Operates without user consent

    • Often profit-driven and professionally written

  • Botnet:

    • A network of bots controlled by a cybercriminal (botmaster)

    • Controlled via Command and Control (C&C) channels

    • Can have:

      • Centralized architecture (e.g., IRC, HTTP)

      • Distributed architecture (e.g., P2P)

18

What Are Botnets Used For

  • DDoS attacks – overwhelming websites or servers

  • Spam campaigns

  • Click fraud – fake ad clicks to generate revenue

  • Information theft – passwords, files, credentials

  • Phishing attacks – tricking users into giving personal data

  • Distributing other malware, like spyware

19

Botnet Structures

  • Centralized Botnet:

    • All bots communicate with a single central server

    • C&C (Command and Control) through:

      • IRC channels

      • HTTP

    • Easier to control but also easier to shut down (single point of failure)

  • Distributed Botnet (P2P):

    • Bots communicate peer-to-peer (P2P)

    • No central server — every bot acts as both client and server

    • Harder to detect or take down due to decentralized control

20

Command and Control (C&C) Channel

  • The C&C channel is used by a botmaster to:

    • 📡 Send commands to bots

    • 🎯 Coordinate fraudulent or malicious activities

  • It acts as the control hub through which:

    • Bots receive instructions

    • Bots form a functional botnet

    • Malicious actions (like DDoS, scanning, data theft) are launched

21

BotMiner

BotMiner is a botnet detection framework that analyzes suspicious behavior across two different "planes" of activity. Its goal is to detect bots in a network by monitoring their communications and actions.

  • C-Plane (Communication Plane):
    ➤ Tracks who is talking to whom, and how
    ➤ Focuses on network flow logs (e.g., IPs, ports, protocols)

  • A-Plane (Activity Plane):
    ➤ Tracks who is doing what
    ➤ Looks at behaviors like scanning, spamming, downloads, and exploitation

  • Key Components:

    1. C-Plane Monitor – captures network flows

    2. A-Plane Monitor – logs system activity

    3. C-Plane Clustering – groups bots with similar communication

    4. A-Plane Clustering – groups bots with similar actions

    5. Cross-Plane Correlator – correlates both planes to find overlapping patterns
      ➤ If a device talks like a bot and acts like a bot, it probably is a bot.