Introduction to cyber security – Week 3, Malware


Viruses

Insert copies of themselves onto crucial parts of the hard disk, in applications and data.
They are self-replicating: they either start each time the infected application starts, or, after being started once, copy themselves so that they run each time the computer starts.
Mainly written to harm users by destroying data or creating backdoors which can be exploited.


Worms

Self-replicating standalone applications that seek access via networks to uninfected computers, where they replicate and spread further.

  1. Probe for vulnerabilities to exploit.
  2. Penetrate the vulnerable machine by performing the exploit.
  3. Download and store itself on the machine (the ‘persist’ stage).
  4. Propagation – pick new machines and start the process over.


Trojans

Disguised as useful, legitimate applications and rely on people using them.
They contain other types of malware used to capture keystrokes, destroy information, gain control or copy sensitive information assets.
Mostly rely on networks so that either data can be passed to the owner of the Trojan or that person can remotely control the compromised machine.

What is malware for?

Why is it created?

  • Intellectual curiosity
  • Financial gain
  • Corporate espionage

Conficker worm – infected MS Windows machines in almost every country. Apparently had no malicious payload. Its writers evolved the worm to correct weaknesses in the original and digitally signed it to prevent hijacking of their worm.


Phishing

An attempt to obtain valuable information by pretending to be a trustworthy source.
AOHell, mid 1990s, was an application used to spoof users.
A legitimate-looking email provides either a link or a telephone number for the recipient to use, which then begins the process of obtaining sensitive information.
Social media phishing is a common practice: the same principle as email phishing but using a new medium for delivery.


Email spoofing

Simple Mail Transfer Protocol (SMTP).
Spammers can change information in the email ‘envelope’ itself to make it appear that the email has come from a legitimate source.
SMTP servers do not authenticate emails but simply pass them on.


Email authentication

Technologies allow genuine senders to authenticate their emails, which are then verified on the recipient's email server.
Only about half of mailboxes have protection against spoofing, though.
If a spammer has access to a fast network they can send so many messages that each costs next to nothing. With over seven trillion spam emails (85% of all email) sent in 2011, it only takes a small percentage of recipients to engage to make it worthwhile for the spammer.
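As an added example (not part of the course notes), the check below looks at a received message from the recipient side: it compares the domain in the SMTP envelope sender (the Return-Path header the receiving server adds) with the visible From header, and reads the Authentication-Results header in which the receiving server records the outcome of sender-authentication checks. The sample message, domains and header values are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the envelope sender (Return-Path) and the visible From
# header point at different domains, and the receiving server recorded an
# SPF failure in an Authentication-Results header.
SAMPLE = """\
Return-Path: <bulk@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Example Bank" <alerts@bank.example.com>
To: customer@example.org
Subject: Urgent: verify your account

Dear valued customer, please verify your account.
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

def auth_results(msg):
    """method -> result (e.g. {'spf': 'fail'}) from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in header.split(";")[1:]:  # clause 0 names the verifying host
            token = clause.split()[0] if clause.split() else ""
            if "=" in token:
                method, verdict = token.split("=", 1)
                results[method.lower()] = verdict.lower()
    return results

def spoofing_indicators(raw):
    """Reasons a received message looks spoofed (empty list if none found)."""
    msg = message_from_string(raw)
    reasons = []
    env, hdr = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if env and hdr and env != hdr:
        reasons.append(f"envelope sender domain {env} differs from From domain {hdr}")
    auth = auth_results(msg)
    if not auth:
        reasons.append("no Authentication-Results header: sender was not verified")
    for method, verdict in auth.items():
        if verdict not in ("pass", "none"):  # fail, softfail, temperror, ...
            reasons.append(f"{method} check result is {verdict}")
    return reasons
```

Calling `spoofing_indicators(SAMPLE)` reports both the domain mismatch and the SPF failure; a message whose envelope and From domains agree and whose checks passed returns an empty list.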

Spotting a phishing email

  • Spelling mistakes.
  • Not a personalised address, e.g. ‘Dear valued customer’.
  • Poor quality images.
  • Content of the email. Banks wouldn’t email if there is an issue.
  • Links. The actual URL can be different from the text.
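The last warning sign, a link whose visible text names one site while its href leads to another, can be checked mechanically. The example below is added here and is not from the course notes; the HTML body and the hostnames in it are constructed, and the "owning domain" rule (last two labels of a hostname) is a deliberately crude assumption for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the first link shows the bank's real address as its
# text but points somewhere else; the second link is ordinary descriptive text.
SAMPLE_HTML = """
<p>Dear valued customer,</p>
<p>Please sign in at <a href="http://login.bank-example.invalid/x">
https://www.bank.example.com/login</a> to confirm your details.</p>
<p>Questions? Visit <a href="https://www.bank.example.com/help">our help page</a>.</p>
"""

def owner_domain(host):
    """Crude owning domain: the last two labels of a hostname (constructed heuristic)."""
    return ".".join((host or "").lower().split(".")[-2:])

def host_in_text(text):
    """Hostname the visible link text names, or '' when the text is plain words."""
    host = text.split("://", 1)[-1].split("/", 1)[0].lower()
    return host if "." in host and " " not in host else ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """(href, text) pairs whose text names a host that the href does not lead to."""
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown = host_in_text(text)
        if shown and owner_domain(shown) != owner_domain(urlparse(href).hostname):
            suspicious.append((href, text))
    return suspicious
```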

Spreading malware

Malware does not just spread through email; it can also come via illegal copies of software, games and movies.
Links on websites (or in ads) supplying illegal files or pornography.
Direct messages in social media, which can exploit vulnerabilities in the client software.

Malware and click fraud

$32 billion spent on online advertising in 2011.
Click fraud is when botnets are used either to fake clicks or to hijack clicks; this accounts for about 20% of all clicks.
In 2011, the FBI broke a click fraud ring in Estonia which had stolen in excess of $14 million.


Botnets

A group of computers that coordinate their activity via the internet.
Harmless botnets include Internet Relay Chat (IRC).
They spread through viruses and worms and use the internet to make contact with their controller.
An infected computer is known as a zombie. It periodically checks for instructions from the controller.
A botnet could contain tens of thousands of computers.
The controller then issues commands for the computers to perform some activity. The creator of the botnet may sell it to another party who wants to use it.
Can be used for spamming, DoS attacks and committing fraud (click fraud).

Protect yourself

  • Install antivirus software
  • Keep software up to date
  • Be aware of phishing emails
  • Implement new security developments

Antivirus software

Two most common methods of detection:

  • Signatures
    • Malware has a signature (distinctive pattern of data)
    • AV software has library of signatures to detect viruses
    • Weaknesses
      • ‘zero day’ vulnerability – the period after malware is released but before the AV signature library is updated
      • Malware can be polymorphic or metamorphic – changes its program to disguise itself
  • Heuristics
    • Use of rules to identify viruses based on previous experience
    • May execute suspicious program in virtual machine to evaluate behaviour
    • Flags file as potentially dangerous if it exhibits virus-like behaviour
    • Does not require specific knowledge – evaluates behaviour
    • Weakness
      • Only evaluates on past experience – radical new malware may go undetected
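To make the two detection methods and their weaknesses concrete, here is a toy scanner added as an example (it is not from the course notes and is not how any real AV product is built). The signature library, the two file samples and the sandbox-style behaviour trace are all constructed; the signature scan finds the known sample but misses a variant that differs by a single byte, while the heuristic rules score what the file does rather than what it contains.

```python
import re

# Constructed signature library: name -> distinctive byte pattern, as an AV
# vendor might ship after analysing a sample.
SIGNATURES = {
    "Demo.Dropper": rb"DROP\x00\x01PAYLOAD",
    "Demo.IRCBot": rb"NICK zombie[0-9]+",
}

def signature_scan(data):
    """Names of every signature whose pattern occurs in the file bytes."""
    return [name for name, pattern in SIGNATURES.items() if re.search(pattern, data)]

# Constructed heuristic rules: (description, test over one recorded event, weight).
# An event is (action, target) as an AV sandbox might log while running a file.
RULES = [
    ("writes into a startup folder",
     lambda action, target: action == "write" and "startup" in target.lower(), 3),
    ("connects to an IRC port",
     lambda action, target: action == "connect" and target.endswith(":6667"), 2),
    ("overwrites user documents",
     lambda action, target: action == "write" and target.lower().endswith((".doc", ".xls")), 1),
]

def heuristic_verdict(trace, threshold=4):
    """(flagged, matched rule descriptions) for a behaviour trace."""
    score, matched = 0, []
    for action, target in trace:
        for description, rule, weight in RULES:
            if rule(action, target):
                score += weight
                if description not in matched:
                    matched.append(description)
    return score >= threshold, matched

# Constructed samples: a known file, and a variant that differs by one byte,
# which is enough to slip past the exact pattern above.
KNOWN = b"MZ\x90\x00header DROP\x00\x01PAYLOAD rest-of-file"
VARIANT = b"MZ\x90\x00header DROP\x00\x02PAYLOAD rest-of-file"
# Constructed sandbox trace for the variant: it persists and phones home.
TRACE = [
    ("write", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"),
    ("connect", "203.0.113.7:6667"),
    ("read", r"C:\Users\alice\Documents\notes.doc"),
]
```

The heuristic's own weakness is visible in the rules too: a file whose behaviour matches none of the patterns learned from past malware scores zero and is not flagged.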

Up to date software

Over time software becomes out of date; manufacturers stop supporting it and no further patches are issued.
Malware creators are aware of unpatched bugs and target them.
Windows XP and Vista, the two oldest Windows OSs, have the highest rates of infection, significantly more than Windows 8.
Users should move to supported software, which is sometimes cheap if not free.

Technological innovations

  • Sandboxing
    • Programs can run in an isolated environment.
    • Very limited access to computer resources.
    • IE10, Chrome and Adobe PDF viewer use sandboxing.
  • Signed programs
    • Digital signing to ensure authenticity of software.
    • Three main OSs (Windows, Mac & Linux) digitally sign updates.
    • Apple App Store, from Mac OS X 10.8, only allows certified software to run.
