
WORLDWIDE

BITDEFENDER
INTRODUCTION
TO MALWARE
Andrei Rublenco
Enterprise Technical Trainer
Introduction to malware
1.1 What is malware
1.2 Malware history
1.3 Malware propagation
1.4 Malware types
1.5 Common malware characteristics
1.6 Prevention
1.7 Removal tools
WHAT IS MALWARE?

The term "malware" stands for malicious software and covers a broad range of intrusive, hostile
software. Common families include: adware, viruses, backdoors, MBR infectors, keyloggers, worms, trojans,
rootkits, spyware, script viruses and ransomware.
MALWARE HISTORY
WHERE DID IT ALL START?

o First worm <Creeper> 1971

 Experimental self-replicating program written by Bob Thomas at BBN
 Moved between PDP-10 machines running the TENEX operating system over the ARPANET, printing
"I'M THE CREEPER : CATCH ME IF YOU CAN"

o First virus <Wabbit> 1974

 Made copies of itself over and over on a single machine (strictly a fork bomb, since it infected no other programs)
 Exhausted system resources until the system crashed

o First trojan <Animal> 1974

 Guessing game that tried to work out which animal the user was thinking of
 Its PERVADE routine silently copied the game into every directory the user could write to

o First macro virus <Concept> 1995

 Infected Microsoft Word documents; displays a dialog box containing the number "1" and an OK button
 Carried no destructive payload; it was a proof of concept that Office macros could spread a virus
MOST KNOWN THREATS

o Brain 1986
 First PC virus; infected the boot sector of 5.25" floppy disks
 Slowed down floppy disk access
 Moved the original boot sector elsewhere on the disk, replaced it with its own code and marked the sectors
it used as bad

o Melissa 1999
 Macro virus carried in Word documents
 Spread as an e-mail attachment; when the document was opened it mailed itself to the first 50 entries of the
victim's Outlook address book
 Did not destroy data; the mail volume it generated overloaded corporate mail servers

o Sasser 2004
 Exploited a buffer overflow in LSASS.EXE (Local Security Authority Subsystem Service) over the network
(MS04-011), so it needed no user action
 The exploit crashed LSASS, and Windows reboots when LSASS dies, which is the shutdown countdown victims saw
MALWARE PROPAGATION

o Web (compromised or malicious websites, drive-by downloads)

o E-mail (attachments, spam and phishing e-mails)

o Removable media (flash drives, memory cards, CD/DVD, external HDD)

o Instant messaging (links and file transfers)

o Bluetooth (worms for mobile devices)

o WLAN (wireless local area network)

o Peer-to-peer (torrents, file sharing)

o Weak configuration and unpatched vulnerabilities (weak or no passwords, updates not installed, exposed services)

MALWARE TYPES

o Viruses
 Self-replicating program
 Spreads by inserting copies of itself into other executables or documents, so it needs a host file and
usually a user action to run

o Boot sector viruses (bootkits)
 Infect the boot sector or MBR, so they run before the operating system does
 A bootkit is a boot virus that hooks the boot process and patches Windows as it loads, so its code ends up
inside the Windows kernel with unrestricted access to the entire computer
 Starts together with the operating system
 Drops one or more malware "buddies" (companion files)
 Dropped files are recreated if deleted, because the bootkit runs again on every boot

o Trojans (general)
 Programs that appear to be legitimate but in fact do something malicious
 Unlike viruses and worms they do not replicate; they rely on the user to install them

o Backdoor Trojans
 Remote access tool (RAT) that allows a remote "operator" to control a system as if they had physical access
to it
 Usually works in a client-server model (server: infected PC; client: remote operator)

o Trojan keylogger
 Program that records a user's activity in real time (keystrokes, mouse movements, screenshots or the entire
session) and sends it to the attacker

o Worms
 Self-replicating program that spreads stealthily across computer networks and portable media on its own,
without needing a host file or a user action

o Spyware
 Software that collects a user's personal information (browsing habits especially) without the user's
knowing consent and sends it to a third party

o Adware
 Primary function is to make revenue through advertising
 Helps recover development costs and hold down the price for the user
 Becomes a nuisance when it shows intrusive pop-ups

o Botnet
 A number of infected computers (bots) under the control of one or more attackers, used for malicious purposes

o Ransomware
 Malware that holds a user's data or entire computer "hostage", typically by encrypting files or locking the
screen, until a "ransom" fee is paid

o Rogue software
 Software (scareware) that warns users of infections or computer problems that do not exist, to trick them
into buying the "full version" of the product
 Sometimes installs other "trial" rogue software without the user's consent

o Rootkits
 A method of hiding files, processes and registry keys (especially the malware's own) from the operating
system's APIs, usually by hooking or patching them, so they can't be detected or seen by the user or by
security tools

o Polymorphic viruses
 Virus capable of mutating itself when replicating, making it harder to identify by signature: the body is
typically encrypted and only the small decryptor changes
 Some mutate with each infection while others change with each generation

o Metamorphic viruses
 Virus capable of rewriting its own code with each infection or generation, while keeping the same
functionality, so there is no constant decryptor to match on
COMMON MALWARE CHARACTERISTICS

These are heuristics, not proof: plenty of legitimate software lacks some of them, and malware sometimes
carries a stolen or bought certificate. Together they raise suspicion enough to warrant a closer look.

o The application usually has no Description, Company Name or Publisher in its version information

o The file usually has no icon

o The file usually has no valid digital signature

o The file is usually packed (encrypted or compressed), so its contents have high entropy
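The high-entropy check above is easy to automate. The following is an added example, not code from the Bitdefender deck: it computes Shannon entropy per byte over a whole file and over fixed windows, and flags a file as packed when most windows exceed an assumed threshold of 7.0 bits. Both input files are constructed in the script (they are not real binaries), and the window size and threshold are assumptions a practitioner would tune.

```python
"""Entropy heuristic for spotting packed or encrypted executables.

Added example with constructed samples: TEXT_SAMPLE and PACKED_SAMPLE are not
real binaries, and PACKED_THRESHOLD is an assumed cut-off.
"""
import math
import random
from collections import Counter

# Bits per byte above which a region is treated as packed/encrypted; plain
# code and text normally sit well below this value (assumed threshold).
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for identical bytes, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 1024) -> list:
    """Entropy of each consecutive window, so high-entropy regions can be located."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = 1024,
                 threshold: float = PACKED_THRESHOLD, min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the windows reach the threshold.

    Windowing matters: a packed file still has a low-entropy stub (headers and
    the unpacking routine), so whole-file entropy alone can under-report it.
    """
    ents = window_entropies(data, window)
    if not ents:
        return False
    hot = sum(1 for e in ents if e >= threshold)
    return hot / len(ents) >= min_fraction


def _pseudo_random_bytes(n: int, seed: int = 7) -> bytes:
    """Deterministic stand-in for a compressed or encrypted section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples (not real files): a repetitive "plain" file and a file
# whose body after a small stub looks like ciphertext.
TEXT_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
PACKED_SAMPLE = b"MZ" + b"\x00" * 510 + _pseudo_random_bytes(8192)


def report(name: str, data: bytes) -> dict:
    """Summary a triage script would log for one file."""
    return {
        "file": name,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "max_window_entropy": round(max(window_entropies(data)), 2),
        "looks_packed": looks_packed(data),
    }


if __name__ == "__main__":
    for name, data in (("text_sample", TEXT_SAMPLE), ("packed_sample", PACKED_SAMPLE)):
        print(report(name, data))
```

On a real file, read it in binary mode and pass the bytes to `report`. Expect installers, archives and media files to score high as well: entropy says "compressed or encrypted", and the other characteristics on this slide decide whether that is suspicious.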
PREVENTION
HOME PREVENTION
o Use anti-virus, anti-spyware, anti-spam and firewall software on your computer and keep them updated with
the latest signatures
o Do not install unknown software on your computer
o Do not download software or programs from unknown websites
o Do not click inside pop-up windows that demand you install software or clean your "infected" computer,
not even to close them (use the window's close button or the task manager instead)
o Do not download or use illegal or pirated software (if you do, double-check the source)
o Scan all removable media before using it on your system
o Do not read e-mails received from unknown persons (OK, everybody will read them, but do not open
attachments such as salary.exe or your-meeting-minutes.exe)
o Set your Internet browser so that you are notified any time a program attempts to download
o Always install operating system patches and critical updates

o Investigate before providing personal information (is the requester really entitled to this type of
information? Why? Where will it be used?)
o Avoid pubs and coffee shops for Internet usage (usually an unsecured Internet connection)
o Use strong passwords for your accounts (letters, numbers, special characters)
o Avoid opening attachments or links from spam messages
o Always use passwords and encryption (WPA2 or better) when configuring wireless networks
o Stay informed about the latest vulnerabilities
o Encrypt important and sensitive data, especially private information!
o Files with more than one extension (ex: .txt.vbs) are potentially harmful: Windows hides known extensions
by default, so "notes.txt.vbs" is displayed as "notes.txt"
o It is recommended to have only one antivirus program running at the same time
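The attachment advice on these two slides (executable attachments such as salary.exe, and double extensions such as .txt.vbs) can be turned into a mechanical check at a mail gateway or on a download folder. The following is an added example, not Bitdefender code: it strips Unicode bidi overrides (the trick that makes "invoice\u202efdp.exe" display as "invoiceexe.pdf"), folds look-alike characters, and reports an executable extension, a disguising double extension, or padding spaces that push the real extension out of view. The extension lists and sample names are assumptions constructed for the example.

```python
"""Attachment-name checks for the tricks this slide warns about.

Added example with a constructed list of names; the extension lists are
assumptions, not a Bitdefender policy.
"""
import os
import unicodedata

# Extensions Windows will execute directly or via a script host (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1", ".lnk", ".jar"}
# Extensions a user expects to be harmless documents, images or archives.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".zip"}
# Unicode bidi controls that reverse the displayed order of part of a name
# (e.g. "invoice" + RLO + "fdp.exe" renders as "invoiceexe.pdf").
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e"}


def assess_attachment(name: str) -> list:
    """Return the reasons an attachment name is suspicious; an empty list means none."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in filename")
    # Work on the name the OS will actually use: drop bidi controls, fold
    # look-alike characters (full-width letters etc.), strip any path part.
    cleaned = unicodedata.normalize("NFKC", "".join(ch for ch in name if ch not in BIDI_CONTROLS))
    base = os.path.basename(cleaned.replace("\\", "/")).lower()
    root, ext = os.path.splitext(base)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        inner = os.path.splitext(root.rstrip())[1]
        if inner in DOCUMENT_EXTS:
            reasons.append(f"double extension {inner}{ext} disguises an executable as {inner}")
        if len(root) - len(root.rstrip()) >= 5:
            reasons.append("padding spaces push the real extension out of view")
    return reasons


# Constructed sample attachment names, as they might arrive in an e-mail.
SAMPLE_NAMES = [
    "salary.exe",
    "your-meeting-minutes.exe",
    "notes.txt.vbs",
    "photo.jpg" + " " * 40 + ".exe",
    "invoice\u202efdp.exe",
    "report.pdf",
    "Minutes.DOCX",
]


def triage(names) -> dict:
    """Map each suspicious name to its findings; clean names are left out."""
    return {n: assess_attachment(n) for n in names if assess_attachment(n)}


if __name__ == "__main__":
    for name, why in triage(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(why))
```

The check deliberately judges the name the operating system will act on, not the name the user sees; that is the whole point of the double-extension and bidi tricks. A real gateway would pair this with content-type sniffing, since a renamed executable still starts with an MZ header.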
CORPORATE PREVENTION

o Organizations should have specific policies for the prevention of malware incidents

o Organizations should use antivirus, anti-spam and anti-spyware together with firewall security software,
always up to date, to prevent malware infections (all systems should be updated with the latest patches)
o Organizations should have security awareness programs for their employees, who should NOT:
 open suspicious e-mails or attachments from unknown senders
 use administrator-level accounts for basic computing tasks
 disable the security software, even where policy technically allows them to
 provide passwords or IDs by answering e-mails or following pop-up instructions
 forward chain letters
 download executables directly from the Internet
SAFE BROWSING TIPS

Internet browsers save pieces of information while you surf (images, words used in searches, even the
websites visited). Cyber criminals can use this to learn your browsing habits.

o Configure your web browser to allow cookies only for the site you are visiting, not for the advertisers'
websites (first-party cookies only)
o Block pop-up windows in the web browser
o Do not install software from within the web browser (e.g. browser plugins and toolbars)
o Always use an up-to-date web browser when surfing the Internet
o When performing online transactions use https:// websites, not http://
o Clean your browser's temporary files and history after each session
o Don't download free software advertised on websites
o Toolbars often record the keywords used in searches; clear that history
o Before you click a link, hover over it to see the real URL and check that it points to the website you
expect (the visible text of a link can say anything)
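The last tip, comparing what a link says with where it really goes, is exactly what a mail filter can do for every link in a message. The following is an added example, not part of the Bitdefender deck: it parses the HTML of a message, keeps only links whose visible text itself looks like a URL (plain "click here" claims nothing), and reports those whose text names a different registered domain than the href. The sample message and domain names are constructed for the example, and the two-label domain rule is a deliberate simplification (it does not know about suffixes like co.uk).

```python
"""Compare the visible text of HTML links with their real destination.

Added example on a constructed phishing-style message; the sample HTML and
domain names are made up for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL; a bare 'www.example.test/path' is accepted as a URL too."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlparse(text).hostname or "").lower()
    except ValueError:  # malformed netloc such as an unbalanced IPv6 bracket
        return ""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; ignores multi-part suffixes like co.uk)."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def looks_like_url(text: str) -> bool:
    """Treat the link text as a URL claim when it parses to a host with at least two labels."""
    if not text or any(ch.isspace() for ch in text):
        return False
    return len([label for label in host_of(text).split(".") if label]) >= 2


def mismatched_links(html: str) -> list:
    """Links whose text claims one registered domain but whose href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # "click here" claims nothing; only URL-looking text can lie
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed phishing-style message: one deceptive link, two honest ones.
SAMPLE_MAIL = """
<p>Dear customer, please confirm your details at
<a href="http://bank.example.evil-host.test/login">https://www.bank.example/login</a></p>
<p>Help: <a href="https://www.bank.example/help">www.bank.example</a>
or <a href="https://support.bank.example/">click here</a>.</p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_MAIL):
        print(f"link text says {text!r} but points to {href!r}")
```

Note that the deceptive href starts with "bank.example": a reader who only glances at the beginning of the hovered URL is fooled, which is why the comparison is done on the registered domain at the end of the hostname rather than on a prefix.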
REMOVAL TOOLS

o If a tool doesn't run, rename it to either a random name or explorer.exe (malware often blocks well-known
tool names, but will not block explorer.exe because Windows needs it)

o Always run the tools as Administrator


PROCESS EXPLORER

Ever wondered which program has a particular file or directory open? Process Explorer shows you which handles
and DLLs each process has opened or loaded.

Features:
 Displays a list of all running processes as a tree (parent and child processes)
 Highlights packed executables
 Can verify the digital signature of running executables / libraries and look up their hashes on VirusTotal
 Shows command line and autostart location (if available)
 Finds the process that owns a given window
AUTORUNS

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor,
shows you what programs are configured to run during system bootup or login, in the order in which Windows
processes them.

Features:
 Shows all auto-start entries and their path (except entries hidden by a rootkit; use GMER for those)
 Verifies the digital signatures of the entries and highlights unsigned files
 Shows application parameters (e.g. malware DLLs loaded through rundll32.exe)
 Displays entries for all users on the computer
 Can analyze an offline system (the registry and file system of another Windows installation)
GMER

GMER is an application that detects and removes rootkits and other malware.

It scans for:
 Hidden processes
 Hidden threads
 Hidden modules
 Hidden services
 Hidden files
 Hidden disk sectors (MBR)
 Hidden alternate data streams
 Hidden registry keys
 Drivers hooking the SSDT (system service descriptor table), the IDT (interrupt descriptor table) and the
IRP dispatch routines of other drivers
 Inline hooks (patched instructions inside kernel or user-mode functions)
BDSYS LOG

BDSYS LOG is an application that generates a system report packed in a password-protected archive on the user's
desktop. The tool does not remove malware; it only collects the information needed to identify threats.
BITDEFENDER RESCUE CD

Bitdefender Rescue CD is a free bootable antivirus scanner based on the Xubuntu Linux distribution.

Features:
 Virus definition updates
 Virus scanner
 Offline system analysis without any restrictions: the infected Windows is not running, so rootkits cannot
hide and locked files can be cleaned
 Integrated TeamViewer (for remote assistance)
