kiranNS


MALWARE


INTRODUCTION

“Malware” is short for “malicious software” - computer programs designed to
infiltrate and damage computers without the user’s consent. “Malware” is the
general term covering all the different types of threats to your computer safety
such as viruses, spyware, worms, trojans, rootkits and so on.

The story of malware:

Virus creators, or “virus writers”, started off writing viruses in the early 1980’s.
Until the late 1990’s most of the viruses were just pranks made up in order to
annoy users and to see how far a virus could spread. The writers were often
young programmers, some still in their teens, who didn’t always understand the
vast consequences of their actions.
In the late 1990’s and early 2000’s, virus writers and hackers began to put their
talents to more professional and sometimes criminal use. The internet
had become everyone’s tool for information and businesses and banks were
beginning to use it for commerce and transactions. As practical as online
shopping and banking are, they also opened a world of opportunities for
economic exploitation of both corporations and the ordinary computer user.
Today many experts believe the amount of malicious software being released on
the web might actually surpass the release of valid software.

Different types of malware:


The term malware includes viruses, worms, Trojan Horses, Rootkits, spyware,
keyloggers and more. To get an overview of the difference between all these
types of threats and the way they work, it makes sense to divide them into
groups:

Viruses and worms – the contagious threat:

Viruses and worms are defined by their behaviour – malicious software
designed to spread without the user’s knowledge. A virus infects legitimate
software and when this software is used by the computer owner it spreads the
virus – so viruses need you to act before they can spread. Computer worms, on
the other hand, spread without user action. Both viruses and worms can carry a
so-called “payload” – malicious code designed to do damage.


Trojans and Rootkits – the masked threat:

Trojans and Rootkits are grouped together as they both seek to conceal attacks
on computers. Trojan Horses are malignant pieces of software pretending to be
benign applications. Users therefore download them thinking they will get a
useful piece of software and instead end up with a malware infected computer.
Rootkits are different. They are a masking technique for malware, but do not
contain damaging software. Rootkit techniques were invented by virus writers
to conceal malware, so it could go unnoticed by antivirus detection and removal
programs.

Spyware and keyloggers – the financial threat:

Spyware and keyloggers are malware used in malicious attacks like identity
theft, phishing and social engineering - threats designed to steal money from
unknowing computer users, businesses and banks.

The latest security reports for the first quarter of 2011 put Trojan infections at
the top of the malware list, with more than 70% of all malicious files detected
on computer systems, followed by the traditional viruses and worms.

The popularity of rogue antiviruses has been decreasing over the end of 2010
and beginning of 2011, but the number of downloader Trojans significantly
increased. The detection rates of new malware have increased 15% in the first
quarter of 2011 compared to the last quarter of 2010.


USES OF ANTIVIRUS

Antivirus software is a data security utility installed on a computer
system/PC to protect it from viruses, spyware, malware, rootkits, Trojans,
phishing attacks, spam attacks and other online cyber threats.

With the increased use of computer systems across the world, the number of
threats is also increasing, putting the data security of individuals and
organizations at risk.

Data is the most crucial and essential component of every organization, and no
one would want to expose confidential data to the viruses reaching the
computer system.

Antivirus software is recommended for every computer system to keep it secure
from any unknown threats reaching it from the internet, external drives,
CD/DVDs, etc., and to keep your confidential data secure.

Protection from Viruses & Spyware

Antivirus software has the primary job of detecting any sort of virus, spyware,
malware and other unknown threats and removing them before they can do
any harm to the data present in a computer system.

Protection from Phishing Attacks


Phishing is termed as an unauthorized attempt by any third person or hacker to
access the data present in Nowadays with the intention of stealing it or
infecting the data so that it is unusable to the user.

Provides Robust Web Protection

With the increased use of the internet, various online cyber threats are affecting
the data security of the computer. Antivirus software takes control of the web
activities limiting unauthorized access of any online threat.

Provides quick scan of removable device

Antivirus software provides the advantage of quick scanning of any removable
device connected to the computer system and scans it for any unknown threats.
The external drives are opened automatically after the removable devices have
been scanned completely and any unknown threats present on them removed.

Two-Way Firewall

Antivirus software provides two-way firewall protection, which checks all
incoming and outgoing data/mail passing through the internet and blocks it
if it finds something suspicious during transmission.

Block Ads and Spam Website

At present, most viruses and spam attacks are executed from pop-up ads and
other spam websites whose original intention is to steal confidential
information from the user’s computer, which could result in big financial losses.

Provides Password Protection


Some antivirus software provides the feature of password protection, which
protects passwords from being stolen by any third person or hackers.

Parental Control

Antivirus software also works as a monitoring tool for parents to monitor
what their children are doing on their computer. They can get the activity logs
of their children’s activities and talk to them accordingly. This monitoring tool
could be a big advantage for all the employers and allows their employees’
efficiency to be increased by up to 30%.

Speed Up Your PC

Nowadays, antivirus software is developed in such a way that it doesn’t
hamper the system performance. Rather, it comes with built-in modules which
automatically delete unwanted files and folders from the computer system,
thus increasing its performance speed.

Malware analysis is of four types. They are:

• Basic Static Malware Analysis
• Basic Dynamic Malware Analysis
• Advanced Static Malware Analysis
• Advanced Dynamic Malware Analysis

Basic Static Malware Analysis

Basic static analysis consists of examining the executable file without viewing
the actual instructions. Basic static analysis can confirm whether a file is
malicious, provide information about its functionality, and sometimes provide
information that will allow you to produce simple network signatures. Basic
static analysis is straightforward and can be quick, but it’s largely ineffective
against sophisticated malware, and it can miss important behaviours.

Basic Dynamic Analysis

Basic dynamic analysis techniques involve running the malware and observing
its behaviour on the system in order to remove the infection, produce effective
signatures, or both. However, before you can run malware safely, you must set
up an environment that will allow you to study the running malware without
risk of damage to your system or network. Like basic static
analysis techniques, basic dynamic analysis techniques can be used by most
people without deep programming knowledge, but they won’t be effective with
all malware and can miss important functionality.


Advanced Static Analysis

Advanced static analysis consists of reverse-engineering the malware’s internals
by loading the executable into a disassembler and looking at the program
instructions in order to discover what the program does. The instructions are
executed by the CPU, so advanced static analysis tells you exactly what the
program does. However, advanced static analysis has a steeper learning curve
than basic static analysis and requires specialized knowledge of disassembly,
code constructs, and Windows operating system concepts.

Advanced Dynamic Analysis

Advanced dynamic analysis uses a debugger to examine the internal state of a
running malicious executable. Advanced dynamic analysis techniques provide
another way to extract detailed information from an executable. These
techniques are most useful when you’re trying to obtain information that is
difficult to gather with the other techniques.

The basic steps of Malware Analysis are:

• Using antivirus tools to confirm maliciousness.
• Using hashes to identify malware.
• Gleaning information from a file’s strings, functions, and headers.

Each technique can provide different information, and the ones you use depend
on your goals. Typically, you’ll use several techniques to gather as much
information as possible.

Antivirus Scanning: A Useful First Step


When first analyzing prospective malware, a good first step is to run it through
multiple antivirus programs, which may already have identified it. But antivirus
tools are certainly not perfect. They rely mainly on a database of identifiable
pieces of known suspicious code (file signatures), as well as behavioural and
pattern-matching analysis (heuristics) to identify suspect files. One problem is
that malware writers can easily modify their code, thereby changing their
program’s signature and evading virus scanners. Also, rare malware often goes
undetected by antivirus software because it’s simply not in the database.
Finally, heuristics, while often successful in identifying unknown malicious
code, can be bypassed by new and unique malware. Because the various
antivirus programs use different signatures and heuristics, it’s useful to run
several different antivirus programs against the same piece of suspected
malware. Websites such as VirusTotal (http://www.virustotal.com/) allow you
to upload a file for scanning by multiple antivirus engines. VirusTotal generates
a report that provides the total number of engines that marked the file as
malicious, the malware name, and, if available, additional information about the
malware.

Hashing: A Fingerprint for Malware

Hashing is a common method used to uniquely identify malware. The malicious
software is run through a hashing program that produces a unique hash that
identifies that malware (a sort of fingerprint). The Message-Digest Algorithm 5
(MD5) hash function is the one most commonly used for malware analysis,
though the Secure Hash Algorithm 1 (SHA-1) is also popular. Once you have a
unique hash for a piece of malware, you can use it as follows:

• Use the hash as a label.
• Share that hash with other analysts to help them to identify malware.
• Search for that hash online to see if the file has already been identified.

Finding Strings

A string in a program is a sequence of characters such as “the.” A program
contains strings if it prints a message, connects to a URL, or copies a file to a
specific location. Searching through the strings can be a simple way to get hints
about the functionality of a program. For example, if the program accesses a
URL, then you will see the URL accessed stored as a string in the program. You
can use the Strings program to search an executable for strings, which are
typically stored in either ASCII or Unicode format. Both ASCII and Unicode
formats store characters in sequences that end with a NULL terminator to
indicate that the string is complete. ASCII strings use 1 byte per character,
and Unicode uses 2 bytes per character. When Strings searches an executable for
ASCII and Unicode strings, it ignores context and formatting, so that it can
analyze any file type and detect strings across an entire file (though this also
means that it may identify bytes of characters as strings when they are not).
Strings searches for a three-letter or greater sequence of ASCII and Unicode
characters, followed by a string termination character.
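
The two checks described above, hashing and string extraction, as an added example that is not part of the original document. It runs on a constructed byte buffer rather than a real sample; the buffer contents, the URL and the file path are made up, and unlike the Strings behaviour described above it reports a run whether or not a terminator follows.

```python
import hashlib
import re

MIN_LEN = 3  # "three-letter or greater", as described above

# Printable ASCII, 1 byte per character.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same characters as UTF-16LE ("Unicode" in Windows binaries): 2 bytes each.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample buffer (not real malware): header bytes, a few x86
# instruction bytes, one ASCII string and one Unicode string.
SAMPLE = (
    b"MZ\x90\x00"
    + b"\x55\x8b\xec\x51\x52\x53\x68\x00\x10\x40\x00"   # code, not text
    + b"http://example.invalid/update\x00"               # ASCII + NUL
    + b"\x00\x00\x00"                                    # alignment padding
    + "C:\\Temp\\drop.tmp".encode("utf-16-le") + b"\x00\x00"  # Unicode + NUL
)


def fingerprints(data: bytes) -> dict:
    """MD5 and SHA-1 hex digests, used only as labels and lookup keys."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def extract_strings(data: bytes) -> list:
    """Return (offset, encoding, text) for each printable run, ordered by offset.

    Simplification: a run is reported whether or not a NUL terminator follows.
    """
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def triage(data: bytes) -> dict:
    """Bundle both basic static checks into one report."""
    return {"hashes": fingerprints(data), "strings": extract_strings(data)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["hashes"])
    for offset, encoding, text in report["strings"]:
        # "QRSh" at offset 7 is instruction bytes that happen to be printable:
        # the false positive the text warns about.
        print(f"{offset:#06x}  {encoding:8}  {text}")
    # Changing a single byte yields unrelated digests, so a hash only
    # identifies an exact copy of a file.
    print(fingerprints(SAMPLE[:-1] + b"\x01"))
```

The reported offsets let you go back to the surrounding bytes in a hex view and decide whether a run is real text or coincidence.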


2. FEASIBILITY STUDY

A feasibility study assesses the operational, technical and economic merits of
the proposed project. The feasibility study is intended to be a preliminary
review of the facts to see if it is worthy of proceeding to the analysis phase.
From the systems analyst’s perspective, the feasibility analysis is the primary
tool for recommending whether to proceed to the next phase or to discontinue the
project.

Feasibility is analysis of the ability to complete a project successfully, taking
into account legal, economic, technological, scheduling and other factors.
Rather than just diving into a project and hoping for the best, a feasibility
study allows the project managers to investigate the possible negative and
positive outcomes of a project before investing too much time and money.
Feasibility studies are almost always conducted where large sums are at stake.

The feasibility study is a management-oriented activity. The objective of a
feasibility study is to find out if an information system project can be done and
to suggest possible alternative solutions.


A feasibility study should provide management with enough information to
decide:

• Whether the project can be done
• Whether the final product will benefit its intended users and organization
• What are the alternatives among which a solution will be chosen?
• Is there a preferred alternative?

2.1 TECHNICAL FEASIBILITY

A large part of determining resources has to do with assessing technical
feasibility. It considers the technical requirements of the proposed project. The
technical requirements are then compared to the technical capability of the
organization. The systems project is considered technically feasible if the
internal technical capability is sufficient to support the project requirements.
The analyst must find out whether current technical resources can be upgraded
or added to in a manner that fulfills the request under consideration. This is
where the expertise of system analysts is beneficial, since using their own
experience and their contact with vendors they will be able to answer the
question of technical feasibility.

Technical feasibility is attainability of a system using currently existing
technology. Technical feasibility takes into account whether the required
technology is available and whether the required resources are available in
terms of manpower and equipment. The essential questions that help in testing
the technical feasibility of a system include the following:

• Is the project feasible within the limits of current technology?
• Does the technology exist at all?
• Is it available within given resource constraints?
• Is it a practical proposition?
• Manpower: programmers, testers & debuggers
• Software and hardware
• Can they be upgraded to provide the level of technology necessary for the new
system?
• Do we possess the necessary technical expertise, and is the schedule
reasonable?
• Can the technology be easily applied to current problems?
• Does the technology have the capacity to handle the solution?
• Do we currently possess the necessary technology?

2.2 OPERATIONAL FEASIBILITY:


Operational feasibility is dependent on human resources available for the
project and involves projecting whether the system will be used if it is
developed and implemented. Operational feasibility is a measure of how well a
proposed system solves the problems, and takes advantage of the
opportunities identified during scope definition and how it satisfies the
requirements identified in the requirements analysis phase of system
development. Operational feasibility reviews the willingness of the organization
to support the proposed system. This is probably the most difficult of the
feasibilities to gauge. In order to determine this feasibility, it is important to
understand the management commitment to the proposed project. If the request
was initiated by management, it is likely that there is management support and
the system will be accepted and used. However, it is also important that the
employee base will be accepting of the change. The essential questions that help
in testing the operational feasibility of a system include the following:

• Does current mode provide end users and managers with timely, pertinent,
accurate and useful formatted information?
• Does current mode of operation provide adequate throughput and response
time?
• Does current mode of operation offer effective controls to protect against fraud
and to guarantee accuracy and security of data and information?
• Does current mode of operation make maximum use of available resources,
including people, time, flow of forms?
• Does current mode of operation provide reliable services?
• Are the services flexible and expandable?
• Are the current work practices and procedures adequate to support the new ?
• If the system is developed, will it be used?
• Are the users not happy with current business practices?
• Will it reduce the time considerably?
• Will the proposed system really benefit the organization?
• Does the overall response increase?
• How do the end-users feel about their role in the new system?
• What end-users or managers may resist or not use the system?
• How will the working environment of the end-user change?


2.3 ECONOMIC FEASIBILITY

Economic analysis could also be referred to as cost/benefit analysis. It is the
most frequently used method for evaluating the effectiveness of a new system.
In economic analysis the procedure is to determine the benefits and savings that
are expected from a candidate system and compare them with costs. If benefits
outweigh costs, then the decision is made to design and implement the system.
An entrepreneur must accurately weigh the cost versus benefits before taking an
action.

Possible questions raised in economic analysis are:

• Is the system cost effective?
• Estimated cost of software/software development
• Is the project possible, given the resource constraints?
• Cost of packaged software/software development

The economic feasibility will review the expected costs to see if they are in-line
with the projected budget or if the project has an acceptable return on
investment. At this point, the projected costs will only be a rough estimate. The
exact costs are not required to determine economic feasibility. It is only
required to determine if it is feasible that the project costs will fall within the
target budget or return on investment. A rough estimate of the project schedule
is required to determine if it would be feasible to complete the systems project
within a required timeframe.
