Chapter 4: Malware

Insider Attacks
An insider attack is a security breach caused or facilitated by a trusted
member of an organization, such as a programmer.

Such attacks are particularly dangerous due to the betrayal of trust involved.

Malware in Insider Attacks:

Insider attacks often involve malware, which refers to malicious software with negative and unintended consequences.

Malware embedded by insiders can:

Escalate privileges, gaining unauthorized access to system resources.

Cause damage when triggered by specific events.

Install other malware as part of a larger attack.

Sources of Insider Attack Code:

The malicious code can be embedded in:

Operating system programs, installed as part of the system itself.

User-installed applications, added later by administrators or users.

Insider attacks highlight the critical importance of trust and verification in software development and deployment processes.

Backdoors
A backdoor, also known as a trapdoor, is a hidden feature or command in a
program.

The program functions normally under regular use but performs unexpected
actions if the backdoor is activated.

Chapter 4: Malware 1
Characteristics:

Backdoors are used to perform actions that violate security policies, such
as privilege escalation.

These hidden features are intentionally embedded by developers or administrators, making them a type of insider attack.

Nature of Backdoors:

The hidden functionality ensures that backdoors remain undetected during normal program usage.

Activation of the backdoor leads to unexpected or unauthorized behaviors.

Key Takeaway:

Backdoors are a significant security risk as they exploit insider knowledge and trust in the development process.

Easter Eggs

Easter eggs are hidden and undocumented features in software, accessed using a secret password or an unusual set of inputs.

They are harmless and designed to add an element of fun or surprise.

Characteristics:

Unlike backdoors, Easter eggs are non-malicious and typically intended as lighthearted features.

They might display jokes, images of the programmers, lists of credits, or extra content.

Examples:

Early Unix systems displayed a humorous message in response to the command "make love."

Windows XP's Solitaire game had a cheat allowing a win by pressing Shift
+ Alt + 2.

DVDs often include hidden content, such as deleted scenes or outtakes,
unlocked through specific keystrokes on menu screens.

Key Takeaway:

While Easter eggs are meant to entertain, they share a similarity with
backdoors in their hidden nature but differ significantly as they are non-
malicious and not intended to breach security.

Logic Bombs
A logic bomb is a program that executes a malicious action when a specific
logic condition is met.

Characteristics:

They remain inactive until triggered by a predefined condition, such as a specific date or event.

Logic bombs are often hidden within legitimate software, making them
difficult to detect until triggered.

Examples:

A payroll system programmed to crash if it processes two consecutive payrolls without paying the programmer.

A combination of a logic bomb and a backdoor, where the program crashes on a particular date unless the programmer disables the bomb through the backdoor. This is often used for extortion.

Key Takeaway:

Logic bombs are a serious insider threat, as they are usually embedded
by individuals with trusted access, making them both malicious and
covert.

The Omega Engineering Logic Bomb:

In 1996, a logic bomb was triggered on the server of Omega Engineering Corporation, resulting in millions of dollars in damages and significant layoffs.

Incident Details:

The logic bomb destroyed critical manufacturing operation files on July 31, 1996.

Investigators found that the server administrator, Tim Lloyd, was responsible for the attack.

The company’s backup tapes were discovered at Tim Lloyd’s house, but
they had been erased.

Consequences:

The attack caused severe financial losses and forced the company to lay
off many employees.

Tim Lloyd was convicted for deploying the logic bomb, highlighting the
potential devastation of insider threats.

Key Takeaway:

This case underscores the destructive power of logic bombs and emphasizes the need for robust access control, auditing mechanisms, and secure backup systems to mitigate insider threats.

The Logic Behind the Omega Engineering Time Bomb:

The logic bomb used a sequence of specific commands to trigger the destruction of critical files on the server.

Trigger Mechanism:

7/30/96: The bomb was set to execute only if the date was later than July
30, 1996.

Target Specification:

F:: Focused all commands on volume F, which stored the server’s critical
files.

Malicious Commands:

F:\LOGIN\LOGIN 12345: Logged in with a fictitious user account (12345) that had supervisory and destroy permissions, but no password.

CD \PUBLIC: Changed the current directory to the PUBLIC folder, which
stored common programs and public files.

FIX.EXE /Y F:\.:

FIX.EXE was a renamed version of the DELTREE program.

It deleted all files on volume F while displaying "fixing ..." instead of "deleting ..." to mask its intent.

The /Y option confirmed deletion without user prompts.

PURGE F:/ALL: Ensured deleted files could not be recovered by removing metadata, making recovery extremely difficult.

Nature of the Attack:

This attack was both a time bomb (executing based on a set date) and a
logic bomb (dependent on a series of logical conditions).

It was meticulously designed to erase critical data and complicate recovery efforts.

Outcome:

Based on the evidence, Tim Lloyd was convicted of computer sabotage.

The case highlighted the severe risk of insider threats and the
devastating impact of a well-planned logic bomb.

Defenses Against Insider Attacks

Avoid Single Points of Failure:

Ensure no single individual is solely responsible for backups or managing critical systems.

Use Code Walk-Throughs:

Conduct detailed reviews where programmers present their code line by line to peers, reducing the chance of hidden backdoors or logic bombs.

Prevent the possibility of "sleight of hand" by ensuring the code reviewed matches the code installed.

Use Archiving and Reporting Tools:

Leverage tools like automatic documentation generators and archiving systems to uncover malicious code while improving software quality.

Archived code creates traceability, making it harder to hide malicious source code after an attack.

Limit Authority and Permissions:

Follow the least privilege principle, granting only the minimum access
rights necessary for users or programs to perform their tasks.

Physically Secure Critical Systems:

Protect critical systems by keeping them in locked rooms with redundant HVAC and power systems, and safeguards against floods and fires.

Monitor Employee Behavior:

Pay close attention to disgruntled employees, particularly system administrators and programmers who could misuse their access.

Control Software Installations:

Restrict installations to vetted software from trusted sources to reduce the risk of introducing malware.

Computer Viruses
Definition:

A computer virus is a type of malware capable of self-replication by modifying other files or programs.

It requires user assistance for replication, such as opening an email attachment or sharing a USB drive.

Distinguishing Properties:

Self-replication: A key feature that differentiates viruses from other malware like logic bombs.

Malicious Actions: Often deletes files or steals sensitive information.

Comparison with Biological Viruses:

Computer viruses share similar properties with biological viruses:

Dormancy: Can remain inactive until the right environment or trigger is found.

Attack and Penetration: Targets vulnerabilities (vectors) in files or systems to infiltrate.

Replication: Utilizes the system's processes to create multiple copies.

Release: Distributes replicated copies to infect other parts of the system or network.

The stages mimic biological viruses' attack, penetration, replication, and release processes (illustrated in Figure 3).

The figure depicts the four stages of a biological virus:

1. Attack: The virus targets a cell.

2. Penetration: The virus breaches the cell's defenses.

3. Replication and Assembly: The virus uses the cell's processes to create
more virus copies.

4. Release: Newly formed viruses are released to infect other cells.

Virus Classification
Phases of Virus Execution:

1. Dormant Phase:

The virus remains inactive, avoiding detection.

2. Propagation Phase:

The virus replicates itself, infecting new files and systems.

3. Triggering Phase:

A logical condition activates the virus, transitioning it from dormancy or propagation to perform its designed action.

4. Action Phase:

The virus executes its malicious payload, which can vary from
harmless activities (e.g., displaying images) to destructive ones (e.g.,
deleting essential files).

Classification Criteria:

Viruses can be classified based on:

Method of Spread: How they propagate and infect systems.

File Types Infected: The types of files targeted by the virus.

Types of Viruses

Program Viruses (File Viruses):

Infect program files by modifying their object code.

Activated whenever the infected program is executed.

Targets commonly used programs (e.g., operating system utilities or popular software).

The infection includes both original program code and the virus code, as shown in Figure 4(a) for simple injection and Figure 4(b) for complex injections using jump instructions.

Macro Viruses (Document Viruses):

Exploit macro systems in document preparation tools (e.g., Microsoft Word).

Triggered when the infected document is opened.

Spread by:

Infecting other documents.

Embedding in the standard document template, making all new documents infected.

Propagating through emails containing infected documents.

Boot Sector Viruses:

Infect the boot sector of a drive, executed during computer startup or reboot.

Difficult to remove because the boot sector loads before any antivirus
software.

Ensure their persistence by infecting other operating system files.

Antiviruses often monitor the boot sector integrity to detect infections.

Figure 4 panel labels (figure not reproduced): Overwriting, Pre-pending, Infection of libraries.

Image Description:
Figure 4(a): Demonstrates a virus injected at the beginning of a program.

Figure 4(b): Illustrates a more advanced method where the virus code is
split into parts and spread across the program, with jump instructions
controlling execution flow.

Concealment Viruses

Encrypted Viruses:

Purpose of Encryption:

Virus writers encrypt the main body of their program to hide:

Replication code.

Payload (e.g., deleting files).

Encryption disguises the virus's distinguishing features, making signature-based detection by antivirus software more challenging.

Structure of an Encrypted Virus:

Comprises:

Decryption code: Essential for decrypting the virus code.

Encryption key: Used to encode/decode the virus body.

Encrypted virus code: Hides the main functionality (See Figure 5).

Techniques:

A short encryption key (e.g., 16-bit) may be used with brute-force decryption code.

Decryption code cannot be encrypted and becomes a detectable pattern, acting as a signature.

Antivirus Defense:

While the virus body is hidden, the decryption code structure reveals
potential virus presence.

Antivirus software evolves to identify the decryption routines of encrypted viruses.

Image Description:

Figure 5: Shows the structure of an encrypted virus:

Decryption code and key decrypt the encrypted virus code before it
executes.

This structure aims to evade signature detection but creates a detectable decryption routine.

Polymorphic and Metamorphic Viruses:

Definition:

Polymorphic Virus: Mutates by encryption, with each copy encrypted using a different key.

Metamorphic Virus: Mutates using noncryptographic techniques, such as:

Instruction reordering.

Inclusion of useless instructions.

Both types avoid detection by lacking fixed patterns.

Key Differences:

Polymorphic viruses rely on encryption for mutation.

Metamorphic viruses use code obfuscation and logical reordering.

Detecting Polymorphic Viruses:

Detection focuses on the encryption mechanism:

The virus must include generic encryption code for replication.

This code can act as a signature.

Even if initially encrypted, antivirus software identifies the decryption code.

Detecting Metamorphic Viruses:

More complex signature schemes are required:

Conjunction Signature: Identifies multiple strings present in any order.

Sequence Signature: Identifies strings in a specific sequence.

Probabilistic Signature: Evaluates scores of multiple strings, flagging infections if scores exceed a threshold.

Malware Attacks

Computer Worms
Definition:

A computer worm is self-replicating malware that spreads independently, without injecting itself into other programs.

Unlike viruses, worms do not require human interaction or the infection of other programs to propagate.

Key Characteristics:

Worms are technically distinct from viruses due to their standalone nature.

They spread autonomously, often exploiting network vulnerabilities.

Typically, they carry a malicious payload, which may include:

Deleting files.

Installing a backdoor for further exploitation.

Common Misconception:

Worms are often confused with viruses because both involve self-
replication, but worms operate without infecting other programs.

Designing a Worm

Development Process:

Identifying an unpatched vulnerability in a widely used application or operating system.

Commonly exploited vulnerabilities include buffer overflow vulnerabilities.

Key Components:

Target List Generation:

Code for creating a list of machines to attack, such as:

Machines on the same local area network.

Machines with randomly generated Internet addresses.

Exploitation Code:

Code to exploit the identified vulnerability, such as a stack-smashing attack.

Infection Detection:

Code to query or report if a host is already infected.

Payload Installation and Execution:

Code for installing and executing the malicious payload.

Persistence Mechanism:

Code for embedding the worm into the operating system to survive
reboots, e.g.:

Installing it as a daemon in Linux.

Installing it as a service in Windows.

Launching the Worm:

The worm is installed and launched on an initial set of victims, from which
it propagates.

Worm Propagation

Worms exploit vulnerabilities, such as buffer overflows, in applications on Internet-connected systems.

Propagation Process:

Infected computers try to infect other machines by connecting to them
over the Internet.

Vulnerable target machines are infected and continue spreading the worm.

Even non-vulnerable machines experience repeated attack attempts.

Infected machines may also face reinfection attempts.

Persistence:

Worms persist on infected machines by modifying the Windows Registry.

Common registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Malware detection software monitors such registry entries for suspicious activity.
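Added example, not part of the lecture notes: a Python script that parses two constructed exports of the Run key in the text format written by the Windows "reg export" command (a known-clean baseline and a current snapshot), reports entries that were added, removed or changed, and flags added or changed entries that launch from user-writable locations. The exports, the entry names and the user-writable path heuristic are constructed assumptions for illustration; a real "reg export" file is UTF-16 with a byte-order mark and would be decoded first.

```python
# Added example (not from the lecture notes): diff the Run key against a baseline.
# Both exports below are constructed samples in "reg export" text format.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

BASELINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

CURRENT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"svchost"="C:\\Users\\Public\\svchost.exe"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(export_text, key=RUN_KEY):
    """Return {value_name: data} for the values listed under `key`.

    Only REG_SZ values (the "name"="data" form) are handled, which is what
    Run entries normally are; other value types are ignored.
    """
    values = {}
    in_key = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            # reg export doubles backslashes and escapes quotes inside data
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values

def diff_run_entries(baseline_text, current_text):
    """Classify Run entries as added, removed or changed relative to the baseline."""
    base = parse_run_values(baseline_text)
    cur = parse_run_values(current_text)
    return {
        "added": {n: cur[n] for n in cur.keys() - base.keys()},
        "removed": {n: base[n] for n in base.keys() - cur.keys()},
        "changed": {n: (base[n], cur[n]) for n in base.keys() & cur.keys() if base[n] != cur[n]},
    }

def suspicious_entries(delta):
    """Flag added or changed entries whose command runs from a user-writable
    location (a constructed heuristic for illustration, not a complete rule set)."""
    user_writable = ("c:\\users\\", "\\appdata\\", "\\temp\\", "c:\\programdata\\")
    flagged = []
    for name, data in delta["added"].items():
        if any(p in data.lower() for p in user_writable):
            flagged.append((name, data))
    for name, (_, data) in delta["changed"].items():
        if any(p in data.lower() for p in user_writable):
            flagged.append((name, data))
    return flagged

if __name__ == "__main__":
    delta = diff_run_entries(BASELINE_EXPORT, CURRENT_EXPORT)
    print("added:", delta["added"])
    print("suspicious:", suspicious_entries(delta))
```

The baseline should be captured and stored where the machine's users cannot alter it; a persistence entry that only appears in the current snapshot is the signal a monitoring tool acts on.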

Mathematical Model of Worm Spread:

Parameters:

N: Total number of vulnerable hosts.

I(t): Number of infected hosts at time t.

S(t): Number of susceptible hosts at time t (hosts vulnerable but not infected).

β: Infection rate (constant defining propagation speed).

Initial Conditions:

I(0) = 1: Starts with one infected host.

S(0) = N - 1: All other hosts are initially susceptible.

Equations:

I(t + 1) = I(t) + β · I(t) · S(t)

S(t + 1) = N − I(t + 1)

dI/dt = β · I(t) · S(t)
Phases of Worm Propagation:

Slow Start: Few infected hosts initially.

Fast Spread: Rapid increase in infections.

Slow Finish: Most hosts are already infected or not susceptible.

Image Descriptions:

Figure 8: A graph showing the worm propagation curve, with phases labeled
as slow start, fast spread, and slow finish for a population of 10,000 hosts.
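Added example, not from the notes: a Python simulation of the discrete model above for N = 10,000 hosts (the population of Figure 8), together with the logistic closed-form solution of the continuous equation dI/dt = β · I(t) · S(t) with S = N − I, and a split of the resulting curve into the three phases. The infection rate β = 0.0001 and the 5% / 95% phase thresholds are constructed values chosen so the curve is easy to read.

```python
# Added example (not from the lecture notes): simulate the discrete worm-spread
# model I(t+1) = I(t) + beta*I(t)*S(t), S(t+1) = N - I(t+1), with N = 10,000
# hosts as in Figure 8, and compare it with the closed-form solution of the
# continuous model dI/dt = beta*I*S. beta and the phase thresholds are
# constructed values.
import math

def simulate_worm(n_hosts=10_000, beta=1e-4, steps=30):
    """Return [I(0), I(1), ..., I(steps)] for the discrete model.

    The increment is capped so I(t) never exceeds the vulnerable population.
    """
    infected = [1.0]                    # I(0) = 1
    for _ in range(steps):
        i_t = infected[-1]
        s_t = n_hosts - i_t             # S(t) = N - I(t)
        i_next = min(n_hosts, i_t + beta * i_t * s_t)
        infected.append(i_next)
    return infected

def logistic_solution(t, n_hosts=10_000, beta=1e-4, i0=1.0):
    """Closed-form solution of dI/dt = beta*I*(N - I) with I(0) = i0,
    the logistic curve behind the S-shape of Figure 8."""
    return n_hosts / (1.0 + (n_hosts - i0) / i0 * math.exp(-beta * n_hosts * t))

def classify_phases(curve, n_hosts=10_000, low=0.05, high=0.95):
    """Split time steps into the three phases described in the notes:
    slow start (I below 5% of N), fast spread, slow finish (I above 95% of N).
    The thresholds are an assumption for illustration."""
    phases = {"slow start": [], "fast spread": [], "slow finish": []}
    for t, i_t in enumerate(curve):
        frac = i_t / n_hosts
        if frac < low:
            phases["slow start"].append(t)
        elif frac > high:
            phases["slow finish"].append(t)
        else:
            phases["fast spread"].append(t)
    return phases

def peak_step(curve):
    """Time step at which the number of new infections per step is largest."""
    increments = [b - a for a, b in zip(curve, curve[1:])]
    return increments.index(max(increments)) + 1

if __name__ == "__main__":
    curve = simulate_worm()
    for t, i_t in enumerate(curve):
        print(f"t={t:2d}  I(t)={i_t:9.1f}  logistic={logistic_solution(t):9.1f}")
    spans = {k: (v[0], v[-1]) for k, v in classify_phases(curve).items() if v}
    print("phases:", spans)
    print("fastest spread at step", peak_step(curve))
```

With these parameters the number of infected hosts roughly doubles per step during the slow start, the largest jump happens when about half the population is infected, and the last few percent take as many steps as the first few percent did, which is the "slow finish" of the figure. Increasing β compresses all three phases; it is the product β · N that sets the time scale.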

Trojan Horses
A Trojan horse in computer security refers to malware that appears to
perform useful tasks but secretly carries out malicious actions, such as
launching a keylogger.

Trojans can be:

Delivered as part of the payload of other malware.

Installed by users or administrators, either deliberately or accidentally.

Rootkits
Definition: Rootkits are stealthy malware that alter system utilities or the
operating system to avoid detection. For example:

They can modify Windows Process Monitor to hide their presence in the
process list.

They may also infect utilities like Windows Explorer to hide files on the
disk.

Purpose: Rootkits are often used to conceal actions of other malware, such
as Trojan horses or viruses.

Detecting Rootkits:

User-Mode Rootkits:

Detect modifications to files by comparing cryptographic hashes of system components while the system is offline versus online.

Digital signatures on critical system files can also expose tampering.

Kernel-Mode Rootkits:

These operate on kernel memory rather than modifying files on disk, making them harder to detect.

Antirootkit software inspects kernel memory for alterations in key kernel functions.

Scans comparing high-level system calls and low-level disk reads:

If discrepancies exist, it suggests the presence of a rootkit.

Challenges in Detection:

Advanced rootkits may anticipate these detection techniques and infect both system calls and low-level disk access methods.

Kernel rootkits may detect and disable antirootkit software due to their
high-level privileges.

Best Practices:

If rootkit infection is suspected, users are often advised to reformat their
hard drive to eliminate the malware completely.

Figure 9 Description:

The figure illustrates the use of a cryptographic hash function to detect tampered operating system files. A mismatch between offline and online hash values indicates possible rootkit infection.

Botnets
Definition: Botnets are networks of compromised computers controlled by a
central operator, known as a bot herder.

Purpose:

Used for spam operations and information theft.

Serve as nodes in criminal enterprises for mass-scale illegal activities.

Scale:

Modern botnets can consist of millions of compromised machines.

It is estimated that up to 25% of all Internet-connected computers may be part of a botnet.

Evolution of Malware:

Initially created for research and destructive pranks.

Transitioned into tools for criminal organizations due to the profit potential of:

Information theft.

Spam campaigns.

Impact of Botnets:

Botnets enable large-scale attacks and unauthorized data collection.

How a Botnet Works

Central Command-and-Control Mechanism:

Definition: Botnets rely on a centralized mechanism to control infected machines, referred to as zombies.

Process:

Bot software is installed on a machine using worms, Trojan horses, or other malware.

The infected machine contacts a central control server to receive commands.

Purpose: Allows bot herders to control millions of machines collectively without individual intervention.

Early Botnets:

Hosted command-and-control servers at static IP addresses.

Vulnerability: Authorities could easily track and shut down control servers, dismantling the botnet.

Evolved Botnets:

Dynamic Control:

Botnets now use dynamically generated domain names, often based on the current date, for the command-and-control server.

This approach makes it harder to locate and shut down control servers.

Unconventional Channels:

Zombies receive commands through unexpected platforms such as Internet Relay Chat (IRC), Twitter, and Instant Messaging services to avoid detection.
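Added example, not from the notes: a defender-side check that reads DNS query log lines and flags query names whose second-level label looks machine-generated (long, high character entropy, almost no vowels), which is how dynamically generated command-and-control domains tend to stand out from ordinary names. The log lines, the field format and the thresholds are constructed for illustration and are not taken from any real product or dataset.

```python
# Added example (not from the lecture notes): flag generated-looking query names
# in DNS logs. Log lines, field layout and thresholds are constructed.
import math
import re
from collections import Counter

DNS_LOG = """\
2024-03-01T10:00:01 client=10.0.0.5 query=www.example.com type=A
2024-03-01T10:00:02 client=10.0.0.5 query=mail.example.com type=A
2024-03-01T10:00:03 client=10.0.0.7 query=xk3v9qzt2lmwp8r.com type=A
2024-03-01T10:00:04 client=10.0.0.7 query=b7h2w9qp4zr1tx.net type=A
2024-03-01T10:00:05 client=10.0.0.9 query=updates.vendor.example type=A
2024-03-01T10:00:06 client=10.0.0.7 query=q2c8vzy5wjn4bkl.org type=A
"""

_LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain):
    """'mail.example.com' -> 'example'; the label a generator would randomise."""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain, min_len=12, min_entropy=3.3, max_vowel_ratio=0.25):
    """Heuristic: long second-level label, high character entropy, few vowels.
    Thresholds are assumptions; tune them against your own traffic."""
    label = second_level_label(domain).lower()
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def scan_dns_log(log_text=DNS_LOG):
    """Return {client: [suspicious domains]}; a client that queries several
    such names in a short window is the stronger signal."""
    hits = {}
    for line in log_text.splitlines():
        m = _LINE_RE.search(line)
        if m and looks_generated(m.group("query")):
            hits.setdefault(m.group("client"), []).append(m.group("query"))
    return hits

if __name__ == "__main__":
    for client, domains in scan_dns_log().items():
        print(client, "->", domains)
```

Entropy alone misfires on content-delivery and cloud hostnames, which also look random, so in practice this check is combined with the response (many NXDOMAIN answers from one client are typical of a bot trying the day's candidate names) and with an allowlist of known services.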

Financial Impacts
Malware often affects a large user population.

Significant financial impact, though estimates vary widely, up to $100B per year (mi2g).

Examples:

LoveBug (2000) caused $8.75B in damages and shut down the British
parliament.

In 2004, 8% of emails were infected by W32/MyDoom.A at its peak.

In February 2006, the Russian Stock Exchange was taken down by a virus.

Economics of Malware
New malware threats have grown from 20K to 1.7M in the period 2002–2008.

Most of the growth occurred from 2006 to 2008.

The number of new threats per year appears to be growing at an exponential rate.

Professional Malware
Growth in professional cybercrime and online fraud has led to demand for
professionally developed malware.

New malware is often custom-designed variations of known exploits, so the malware designer can sell different “products” to their customers.

Like every product, professional malware is subject to the laws of supply and
demand.

Recent studies put the price of a software keystroke logger at $23 and
botnet use at $225.

Privacy-Invasive Software

Adware
Adware Definition:

Adware is software that displays advertisements on a user’s screen without consent.

It is distinct from legitimate ads embedded in software, as malicious adware operates against user consent.

Adware Installation:

Installed through methods such as:

Visiting infected web pages.

Opening infected email attachments.

Installing shareware or freeware containing adware (often hidden in Trojan horses).

Being a victim of computer viruses or worms.

How Adware Works:

Once installed, adware operates in the background.

It periodically displays pop-up advertisements on the user’s screen.

Advertisements are requested from an adware agent, which sources content from advertisers. (See Figure 10 for workflow.)

Image Description:

The diagram illustrates the adware process:

The adware engine infects a computer.

It requests advertisements from an adware agent.

The agent, connected to advertisers, delivers ad content to the infected user.

Spyware
Spyware Definition:

Spyware is privacy-invasive software installed without user consent.

It gathers information about the user, their computer, or their usage patterns without permission.

Spyware Infection:

Spyware typically consists of background-running programs that collect information.

Periodically, these programs contact a data collection agent to upload the gathered data. (See Figure 11.)

Spyware often modifies the operating system to run automatically during startup, ensuring persistence after reboots.

Signs of Spyware:

Spyware infections are difficult to detect by users.

Possible signs include slower computer performance, especially with multiple infections.

Spyware employs techniques to hide its presence, such as:

Using rootkit hiding tricks.

Removing competing adware or spyware to avoid detection.

Spyware Actions:

Spyware performs various malicious actions, which can vary depending on its purpose. These actions will be categorized and discussed further.

Countermeasures

Signatures as a Countermeasure:
Malware detection systems use scanning methods to compare objects
against a database of signatures.

What is a Signature?:

A signature serves as a virus fingerprint, helping identify specific malware.

It may include a sequence of instructions unique to each virus.

Signatures differ from digital signatures, which verify authenticity.

Detection Process:

A file is flagged as infected if its code matches a signature in the database.

Detection relies on fast pattern matching to locate these signatures efficiently.
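Added example, not from the notes: a small Python scanner that implements the byte-signature lookup of the detection process above and the three signature schemes described earlier for metamorphic viruses (conjunction, sequence and probabilistic). The signature byte strings, weights, threshold and sample files are all constructed for illustration and are not real malware patterns.

```python
# Added example (not from the lecture notes): signature scanner with the three
# schemes the notes describe for metamorphic code. All patterns and sample
# files are constructed; none is a real malware signature.

SAMPLE_FILES = {
    "clean.bin": b"MZ\x90\x00hello world program\x00done",
    "variant_a.bin": b"MZ\x90\x00" + b"A1" + b"\x90\x90" + b"B2" + b"\x00" + b"C3",
    "variant_b.bin": b"MZ\x90\x00" + b"C3" + b"\x90" + b"A1" + b"\x00\x00" + b"B2",
    "partial.bin": b"MZ\x90\x00" + b"A1" + b"C3",
}

def conjunction_match(data, parts):
    """All byte strings in `parts` occur somewhere in `data`, in any order."""
    return all(p in data for p in parts)

def sequence_match(data, parts):
    """The byte strings occur in the given order, with arbitrary gaps between them."""
    pos = 0
    for p in parts:
        idx = data.find(p, pos)
        if idx < 0:
            return False
        pos = idx + len(p)
    return True

def probabilistic_score(data, weighted_parts):
    """Sum the weights of the byte strings that are present."""
    return sum(w for p, w in weighted_parts if p in data)

# Constructed signature database. Integer weights avoid floating-point
# surprises at the threshold.
SIGNATURES = [
    {"name": "meta.fam/conj", "kind": "conjunction", "parts": [b"A1", b"B2", b"C3"]},
    {"name": "meta.fam/seq", "kind": "sequence", "parts": [b"A1", b"B2", b"C3"]},
    {"name": "meta.fam/prob", "kind": "probabilistic",
     "parts": [(b"A1", 4), (b"B2", 4), (b"C3", 3)], "threshold": 7},
]

def scan(data, signatures=SIGNATURES):
    """Return the names of the signatures that flag `data`."""
    hits = []
    for sig in signatures:
        if sig["kind"] == "conjunction" and conjunction_match(data, sig["parts"]):
            hits.append(sig["name"])
        elif sig["kind"] == "sequence" and sequence_match(data, sig["parts"]):
            hits.append(sig["name"])
        elif (sig["kind"] == "probabilistic"
              and probabilistic_score(data, sig["parts"]) >= sig["threshold"]):
            hits.append(sig["name"])
    return hits

def scan_files(files=SAMPLE_FILES):
    """Scan every sample and return {file name: [signature names]}."""
    return {name: scan(data) for name, data in files.items()}

if __name__ == "__main__":
    for name, hits in scan_files().items():
        print(f"{name:14s} {hits or 'clean'}")
```

The samples show why the schemes differ: the reordered variant defeats the sequence signature but not the conjunction one, and the partial sample with only two of three fragments is caught only by the probabilistic score. Real scanners run these matches with an Aho-Corasick style multi-pattern automaton rather than repeated `find` calls, which is the "fast pattern matching" the notes mention.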

Malware Database:

The malware database contains all the collected signatures.

This database is typically proprietary, maintained by cybersecurity vendors.

Examples:

Common Malware Enumeration (CME)

Digital Immune System (DIS)

White/Black Listing
A countermeasure involving a database of cryptographic hashes to identify
trusted or malicious files.

Database Content:

Contains hashes for:

Operating system files to ensure integrity.

Popular applications for verification.

Known infected files for detection.

Process:

Compute the hash of each file on the system.

Compare the computed hash with entries in the database:

A match with a trusted hash confirms the file’s authenticity (whitelisting).

A match with a known malicious hash identifies the file as infected (blacklisting).

Database Integrity:

Protect the database from tampering to ensure accurate and reliable detection.

Heuristic Analysis
A detection method effective for identifying new and zero-day malware that
lacks known signatures.

Code Analysis:

Inspects instructions within a program to determine malicious intent.

Example: Identifies a program as malicious if it includes instructions to delete system files.

Execution Emulation:

Executes the code in an isolated emulation environment.

Monitors the actions performed by the program during execution.

Flags the program as a virus if it performs harmful actions.

Challenges:

False alarms are possible, as heuristic methods may incorrectly identify benign programs as malware.

Shield vs On-Demand
Shield:

Runs as a background process (e.g., service or daemon).

Scans whenever a file is touched (opened, copied, or executed).

On-demand:

Performs scans based on explicit user requests or a regular schedule.

Focuses on specific suspicious files, directories, or drives.

Performance Test of Scan Techniques:

Comparative:

Measures the number of known viruses detected and the time taken
for the scan.

Retrospective:

Evaluates the scanner’s ability to proactively detect unknown viruses using heuristic methods.

Helps identify which vendor uses better heuristic approaches.

Online vs Offline Antivirus Software

Feature               Online                                     Offline
Cost                  Free                                       Paid annual subscription
Installation          Browser plug-in                            Installed on the operating system
Authentication        Third-party certificate (e.g., VeriSign)   Distributed securely by vendor/retailer
Shielding             No                                         Yes
Updates               Per scan                                   Scheduled
Configurability       Limited                                    Easily configurable
Internet Connection   Required                                   Not required
Scan Reports          Collected by service provider              Stored locally or shared with vendor

Quarantine
Suspicious files can be isolated in a special folder called quarantine.

Example: When the heuristic analysis flags a file as suspicious, and you
are awaiting a database signature update.

Files in quarantine are not deleted but rendered harmless.

Users can choose to delete or restore the file in case of a false positive.

Interaction with quarantined files is only allowed through the antivirus program.

Files in quarantine are encrypted, ensuring they cannot cause harm.

The quarantine technique is typically proprietary, with details kept confidential.

Static vs. Dynamic Analysis

Static Analysis:
Examines code without executing it.

Key processes:

Quick Scan: Compares with a whitelist.

Filtering: Uses multiple antivirus tools to confirm results (even if labeled differently).

Weeding: Identifies and removes junk parts of files to better pinpoint the
virus.

Code Analysis: Analyzes binary code to verify if it is executable (e.g., Portable Executable - PE).

Disassembling: Reviews byte code for unusual patterns.

Dynamic Analysis:
Observes the behavior of code during execution in a virtual sandbox.

Monitors:

File changes.

Registry modifications.

Processes and threads.

Network port activity.

Virus Detection is Undecidable
Theoretical Basis:

Proposed by Fred Cohen in 1987.

Demonstrates that virus detection is theoretically undecidable.

Modeling a Virus:

A virus is abstractly modeled as a program that eventually executes the function infect.

The infect code might be dynamically generated at runtime.

Proof by Contradiction:

The argument follows a method similar to the halting problem proof.

Assume the existence of a program isVirus(P) that determines whether program P is a virus.

Definition of Program Q:

A new program Q is defined as:

if (not isVirus(Q))
    infect
stop

The execution of isVirus on Q leads to a contradiction, as it cannot definitively determine whether Q is a virus.
