Today I would like to introduce you to malicious software on the computer, also known
as malware.
Slide 2
Targets
Content
1. Definition of malware
2. Classification of malware
3. Anti-malware
4. Method of finding and removal of malware
Concepts
Tr 4
Most of you are probably unfamiliar with the concept of malware; the more familiar
term is computer virus. So what do the two concepts mean?
Computer Virus: ….
Malware: …..
Based on the two definitions above, a virus is a type (subset) of malware: the name given
to a particular malware strain that has the ability to spread. Most users confuse these
concepts and call every program that causes danger or harm to the computer a virus.
Slide 5
Tr 5
Most malware, once installed on a computer, affects that computer's operation, so when
a computer is infected with malware some of the following characteristic signs
appear:
Tr 6
* Unknown files appear (on a USB drive, or an .exe file that looks like a folder)
* The printer cannot be used
* Sounds play automatically
* The computer restarts
* The size of system files increases
* Unknown outbound Internet connections appear
* …
Slide 7
Classification of malware
According to purpose
- Spyware, Adware, Backdoor, Botnet, FakeAV, Ransomware, Rootkit
Tr 7
Here I classify malware according to two criteria: its mode of spread and its
purpose.
According to mode of spread: …
According to purpose of the malware: …
Please note that this classification should not be applied too rigidly; one malware
sample can fall into several groups at once (spyware, backdoor, botnet, …), depending
entirely on which components its distributor built into it.
Slide 8
Virus
Boot virus: a virus that injects itself into the boot sector. The boot sector is
executed when the infected computer starts up, before the operating system is
loaded.
(Figure 1, normal start-up: read boot sector, load operating system, open source.)
(Figure 2, infected start-up: read injected boot sector, load virus, load operating
system, open source.)
Tr 8
We are going to delve into the first type classified by mode of spread: the virus.
Viruses are divided into two main types; the first is the boot virus.
Boot virus: …
The first figure shows the normal start-up process of the computer.
The second figure: after infection by a boot virus, the virus is loaded into memory
first, and only then is the operating system loaded.
Slide 9
Because the boot virus is loaded into RAM early (sooner than the anti-virus, AV), we
see the following cases:
- The AV cannot be loaded.
- After the virus is removed from the computer, it reappears as soon as the computer is
restarted.
- Boot-sector recovery software is used, but after a restart the boot sector is still
infected.
To remove a boot virus, boot the computer from a CD drive or USB stick. Then restore
the boot sector, reboot from the hard drive and use the AV to scan the whole computer
repeatedly.
Slide 10
Virus
Tr 10
(Figure labels: First command, Original program)
Tr 12
(Figure labels: Normal virus, Polymorphic virus)
Tr 13
Normally the code snippet that a virus attaches to other files is not modified from one
infection to the next; however, some types of virus change their code snippet (their
“shape”) after each infection in order to avoid detection and make removal harder.
The first figure depicts the spread of a normal virus: the code snippet attached to
each file is exactly alike.
For a polymorphic virus, as in the figure below, the virus changes its code snippet on
every infection as it attaches to the infected file.
A polymorphic virus normally has only several tens of forms; a metamorphic virus can
produce millions of forms as it infects.
Identifying and thoroughly removing polymorphic and metamorphic viruses is very
difficult and complex: a clear understanding of the virus's code-generation and
code-change algorithm is required, because if even one form is missed the virus will
re-infect the whole computer.
Slide 14
Macro
Tr 14
Macro virus: a virus that uses a macro language to infect document files such as Word,
Excel and PowerPoint documents, AutoCAD files, etc.
A macro virus does not infect files immediately upon arrival; it waits for them to be
opened and then inserts its macro code into them. This causes the files' size to
increase, which is also a sign by which a macro virus infection can be detected.
A macro virus can corrupt all document files, make their sizes grow continually, and
use e-mail to send the files to hackers.
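As an added example (not part of the original lecture), here is a small Python check for the macro-virus carrier described above. An Office Open XML document (.docx, .xlsm, ...) is a zip archive, and VBA macro code is stored in a vbaProject.bin part, so a file can be inspected for macro content without opening it in Office. The sample documents are constructed in memory and are not real Word files; the assessment labels (no-macros, has-macros, suspicious, not-ooxml) are my own naming.

```python
import io
import zipfile
from pathlib import PurePath
from typing import List, Optional

# OOXML parts that carry VBA macro code.
MACRO_PARTS = {"vbaProject.bin", "vbaData.xml"}
# Extensions that legitimately may carry macros versus ones that never should.
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
MACRO_FREE = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}


def office_macro_parts(data: bytes) -> Optional[List[str]]:
    """Names of macro-carrying parts inside an OOXML zip, or None if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if PurePath(n).name in MACRO_PARTS]
    except zipfile.BadZipFile:
        return None


def assess_document(filename: str, data: bytes) -> str:
    """Assessment labels (my own): not-ooxml, no-macros, has-macros, suspicious."""
    parts = office_macro_parts(data)
    if parts is None:
        return "not-ooxml"      # legacy OLE2 .doc/.xls, or not an Office file at all
    if not parts:
        return "no-macros"
    ext = PurePath(filename).suffix.lower()
    if ext in MACRO_FREE:
        # A macro part inside an extension that should never carry one: the
        # extension was chosen to look harmless.
        return "suspicious"
    return "has-macros"         # macro-enabled container; still review before opening


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", build_sample(False)),
        ("report.docx", build_sample(True)),
        ("macro_tool.docm", build_sample(True)),
        ("old.doc", b"\xd0\xcf\x11\xe0 constructed OLE2-style header"),
    ]
    for name, blob in samples:
        print(f"{name}: {assess_document(name, blob)}")
```

Legacy binary formats (.doc, .xls) are OLE2 containers rather than zips, so they come back as not-ooxml here; inspecting those needs an OLE parser, which this example deliberately leaves out.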
Slide 15
Worm
Worm (Internet worm): a worm is a program that infects by replicating itself (unlike a
virus, which attaches itself to another object). A worm combines the destructiveness
of a virus with the stealth of a Trojan and, most importantly, spreads at a terrifying
speed.
Popular ways worms spread
- Worm spreads via e-mail
- Worm spreads via software vulnerabilities (Windows, MS Office)
- Worm spreads via chat and social networks
- Worm spreads via the LAN
- Worm spreads via USB
Tr 15
So far I have introduced two types of malware to you, the virus and the macro virus.
Next I would like to present the malware with the most horrible spread: the worm.
Slide 16
Tr 16
Slide 17
E-mails spreading worms mainly fake the sender address and reply address to look like
a trusted address. This information is easy to fake, so if you want to know exactly
where the message came from you have to look at the mail header.
The header and content of such a fake e-mail are written to stimulate and encourage the
reader to open the attachment. As shown in the figure above, this is a fake e-mail from
the PayPal online payment site that tricks users into opening the attachment and
filling in their personal information.
The attachment is usually an executable file with a Word, PDF or Excel icon, or a file
exploiting a Microsoft Office vulnerability.
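The mail-header check described above, written out as an added Python example (not part of the lecture). It parses a message with the standard library, compares the domains of the From, Reply-To and Return-Path addresses, and flags attachments whose real extension is executable even when the name looks like a document. Both messages are constructed samples using reserved example domains; the finding texts are my own wording.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List

# Attachment extensions that run code when double-clicked (not exhaustive).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Constructed sample modelled on the fake PayPal message from the slide.
SAMPLE_PHISHING = """\
Return-Path: <bounce@mail-relay.example.net>
From: "PayPal Service" <service@paypal.example.com>
Reply-To: support@paypal-verify.example.org
To: user@example.com
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form and confirm your details.
--b1
Content-Type: application/octet-stream; name="PayPal_Form.pdf.exe"
Content-Disposition: attachment; filename="PayPal_Form.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

# Constructed ordinary message: every address agrees, no attachment.
SAMPLE_CLEAN = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: user@example.com
Subject: Minutes

See you Friday.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_findings(msg: Message) -> List[str]:
    """Things a reader should notice in the header block and the attachment list."""
    findings: List[str] = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Reply-To and Return-Path are where replies and bounces really go; a
    # mismatch with the visible From domain is the classic sign of a faked sender.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != from_domain:
            findings.append(
                f"{header} domain {domain_of(addr)} differs from From domain {from_domain}")

    # Walk every MIME part; only attachments carry a filename.
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        lower = filename.lower()
        if lower.endswith(EXECUTABLE_EXTENSIONS):
            note = " (double extension disguised as a document)" if lower.count(".") >= 2 else ""
            findings.append(f"executable attachment {filename}{note}")
    return findings


def analyze(raw: str) -> List[str]:
    return header_findings(message_from_string(raw))


if __name__ == "__main__":
    for label, raw in (("phishing", SAMPLE_PHISHING), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(raw))
```

The Received: chain (which server actually handed the message in) is the other header worth reading by hand; it is omitted here because its format varies by mail server.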
Slide 18
Tr 18
Next, worms spread via chat services such as Yahoo, Skype, MSN, ...
Slide 19
Tr 19
This worm sends us an attractive chat message with a link attached. When we click the
link, the worm is downloaded to our computer automatically and executed.
Once the computer is infected with this worm, it goes on sending the harmful link to
every account in our friend list.
Therefore, when a link to an unknown address appears, you should absolutely not click
it, even if the sender is your friend, because that account may have been stolen and
abused by hackers.
Slide 20
Tr 20
Tr 21
Next, worms spread via USB sticks and portable hard drives. This can be said to be the
most common and fastest-spreading kind of worm.
Worms spread via USB using three key methods:
- Autorun when the USB drive is plugged in (Autorun.inf)
- Fake icons (fake folders, image files and text files)
- Fake shortcut to the USB drive
Slide 22
AutoRun Worm
On Windows Vista and earlier, Windows supports the AutoRun feature:
when a folder is double-clicked, Windows reads the autorun.inf file
in that folder and runs the file specified in it.
This worm creates an autorun.inf file on the USB drive that runs the
virus (both the autorun file and the virus file are hidden). Thus,
as soon as we open the USB drive the virus runs immediately.
This feature is not triggered if we open the folder by selecting it
in the folder tree on the left of Explorer.
On Windows Vista this feature was removed, and on Windows 7 or
later it exists only for CD/DVD drives.
Tr 22
Slide 23
AutoRun Worm
Tr 23
Tr 24
Because Windows Vista and earlier have disabled this feature when a USB drive is
plugged in, as I presented in the slide, the spread of worms through USB has been
forced to switch to other forms of attack: tricking the user into running the worm.
There are two popular tricks:
First, fake icons (folder, document files, ...)
An executable file that carries the icon of a folder or of a Word, Excel or PDF document.
The worm hides the folders and text files on the USB drive, then creates an executable
file with the same name as the hidden item, so the user believes it is the real folder
or document. When you open the fake file, the worm also opens the original file, so the
user does not realise that the computer has been infected with the worm.
Slide 25
When opening a USB drive infected with the virus, the user finds another
drive inside the USB drive and has to open this second drive to see the
data. In essence, the second drive is a shortcut file that launches the
virus.
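An added Python example (not from the lecture) that applies the three USB tricks from slides 22 to 25 as detection rules over a directory listing: an autorun.inf pointing at a hidden executable, an executable named after a hidden folder or carrying a document-style double extension, and a shortcut sitting at the drive root while the real content is hidden. The listing and the autorun.inf text are constructed; a real scan would build the Entry list from os.scandir plus the hidden attribute, which is left out so the example runs anywhere.

```python
import configparser
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List

EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


@dataclass
class Entry:
    """One entry at the root of the removable drive (constructed, not read from disk)."""
    name: str
    is_dir: bool = False
    hidden: bool = False


# Constructed listing of an infected stick: the real 'Photos' folder is hidden and
# an executable with the same name sits beside it.
SAMPLE_ENTRIES = [
    Entry("autorun.inf", hidden=True),
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.exe"),
    Entry("report.pdf.exe"),
    Entry("Removable Disk (8GB).lnk"),
    Entry("svc.exe", hidden=True),
    Entry("notes.txt"),
]
SAMPLE_AUTORUN = "[AutoRun]\nopen=svc.exe\nicon=Photos.exe\naction=Open folder to view files\n"


def autorun_targets(text: str) -> List[str]:
    """Executables an autorun.inf would launch: open=, shellexecute=, shell\\...\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets: List[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):   # keys are lower-cased by configparser
            if (key in ("open", "shellexecute") or key.endswith("\\command")) and value.strip():
                targets.append(value.split()[0])   # drop command-line arguments
    return targets


def usb_findings(entries: List[Entry], autorun_text: str = "") -> List[str]:
    findings: List[str] = []
    by_lower = {e.name.lower(): e for e in entries}
    hidden_stems = {PureWindowsPath(e.name).stem.lower() for e in entries if e.hidden}
    content_hidden = any(e.hidden and e.name.lower() != "autorun.inf" for e in entries)

    # Rule 1: autorun.inf present; report what it launches and whether that file is hidden.
    if "autorun.inf" in by_lower:
        for target in autorun_targets(autorun_text):
            t = by_lower.get(target.lower())
            state = "hidden" if t and t.hidden else "present" if t else "missing"
            findings.append(f"autorun.inf launches {target} ({state})")

    for e in entries:
        if e.is_dir or e.hidden:
            continue
        p = PureWindowsPath(e.name)
        ext = p.suffix.lower()
        if ext in EXECUTABLE:
            # Rule 2: fake icon, either 'report.pdf.exe' or 'Photos.exe' next to hidden 'Photos'.
            inner = PureWindowsPath(p.stem).suffix.lower()
            if inner in DOCUMENT_LIKE:
                findings.append(f"{e.name}: executable with a document-style double extension")
            elif p.stem.lower() in hidden_stems:
                findings.append(f"{e.name}: executable named like the hidden item '{p.stem}'")
        elif ext == ".lnk" and content_hidden:
            # Rule 3: the 'second drive' trick is a shortcut at the root of the stick.
            findings.append(f"{e.name}: shortcut at drive root while real content is hidden")
    return findings


if __name__ == "__main__":
    for line in usb_findings(SAMPLE_ENTRIES, SAMPLE_AUTORUN):
        print(line)
```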
Tr 25
For all the worm spreading methods I have just mentioned, if we are more careful when
using our computer it is difficult for the worm to get in. However, there is one type
of worm that is very difficult to detect, and even if we are very careful our computer
can still be infected by it: the worm that exploits software vulnerabilities.
- Sometimes software on the computer contains serious programming errors that
malicious code can exploit to install malware on the computer.
- The errors exploited are normally in MS Office, Adobe Flash and Java, and even in the
Windows operating system.
- If software patches are not applied, the risk of being infected with malware is
extremely high, even when the computer has an AV installed.
Slide 27
Tr 27
Trojan
Trojan Horse: unlike a virus, a Trojan is a program code snippet
with ABSOLUTELY NO ABILITY TO SPREAD.
Trojans are usually used in targeted attacks.
They are installed on the computer through paths such as:
- Downloading cracks, keygens or software from websites and
unknown forums that are not the address of the producer of the
software.
- Being dropped by a worm when it infects the computer.
Tr 28
We are going to look at the final malware type in the classification by mode of
spread: the Trojan.
With that, we have completed the types of malware classified by mode of spread; it is
a little too much, right? Well, let's review these types.
Slide 29
Backdoor
Opens the door allowing hackers to remotely
access and control the victim
Tr 29
Now we are going to look at the types of malware classified by the purpose of the
attack. The first is the backdoor.
- A backdoor opens a connection so that the hacker's computer can access and control
your computer remotely (browse files, send files, monitor processes, open the camera,
record audio, capture keystrokes, ...). It is worth mentioning that when a hacker
controls your computer you cannot feel it, unless you are running monitoring tools on
the computer.
Slide 30
Botnet
Tr 30
Next, a type of malware used for DDoS attacks: the botnet. A computer network is like
the road system we see every day. Each packet flowing along a network link is like a
person taking part in traffic. And traffic jams are perhaps the most hated thing about
travelling; most jams are caused by an excess of participants on the route, which
makes the junctions of the route congested.
A DDoS works the same way: a large number of requests from many IP addresses hit the
server continuously, which makes this attack difficult to prevent.
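The traffic-jam picture above translates directly into the two counters a defender watches on a web server: requests per source in a sliding window (one loud client) and total requests from distinct sources in the same window (many bots, each quiet). This Python example is added here and is not from the lecture; the log lines are constructed in code, the "timestamp ip request" line format and the thresholds are my assumptions, and the lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Optional, Tuple


def build_sample_log() -> List[str]:
    """Constructed access log: one normal user, one flooding client, fifty quiet bots."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    rows: List[Tuple[datetime, str, str]] = []
    for i in range(5):                      # normal user: one request every 15 s
        rows.append((base + timedelta(seconds=15 * i), "198.51.100.4", "GET /page"))
    for i in range(30):                     # single loud source: 30 requests in 3 s
        rows.append((base + timedelta(seconds=20, milliseconds=100 * i), "203.0.113.7", "GET /"))
    for b in range(50):                     # distributed: 50 bots, 2 requests each within 4 s
        for j in range(2):
            rows.append((base + timedelta(seconds=40 + j, milliseconds=50 * b),
                         f"192.0.2.{b + 1}", "GET /login"))
    rows.sort()
    return [f"{ts.isoformat()} {ip} {req}" for ts, ip, req in rows]


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, client ip) from 'timestamp ip request' lines (assumed format)."""
    for line in lines:
        ts_text, ip, _request = line.split(" ", 2)
        yield datetime.fromisoformat(ts_text), ip


def flag_floods(lines: Iterable[str], window_seconds: int = 10,
                max_requests: int = 20) -> Dict[str, datetime]:
    """Sources that exceed max_requests in any window, with the time they first did so."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, ip in parse(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()                     # drop requests that fell out of the window
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def first_surge(lines: Iterable[str], window_seconds: int = 10,
                max_requests: int = 60) -> Optional[Tuple[datetime, int, int]]:
    """First moment the total request count in the window exceeds max_requests,
    as (timestamp, total requests, distinct sources); None if it never does."""
    window: Deque[Tuple[datetime, str]] = deque()
    per_ip: Dict[str, int] = defaultdict(int)
    for ts, ip in parse(lines):
        window.append((ts, ip))
        per_ip[ip] += 1
        while window and ts - window[0][0] > timedelta(seconds=window_seconds):
            old_ts, old_ip = window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if len(window) > max_requests:
            return ts, len(window), len(per_ip)
    return None


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source floods:", flag_floods(log))
    print("first surge (time, total, distinct sources):", first_surge(log))
```

The per-source counter catches the loud client but stays silent on the fifty bots, which is exactly why the distributed form is harder to block: the second counter sees the surge, but every individual address in it looks like a normal visitor.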
Slide 31
Spyware
Tr 31
Spyware: spyware is a type of software that collects information from servers and
personal computers without the knowledge or permission of the computer's owner. The
information may be accounts and passwords, personal or business information,
confidential government documents or the technology secrets of large manufacturers
(industrial information) ...
Adware
Adware: changes browser settings, continually displays advertising pop-ups, etc.
Tr 32
Most malware operates silently on the computer, but some types, once installed,
operate openly and even try to attract the user's attention. This is adware.
Adware is usually bundled with free software or trial versions. When installing
software, most users pay no attention to the licence agreement or to the installation
options (they usually click Next until Finish), so adware gets installed alongside very
easily.
Slide 33
FakeAV
Tr 33
Next we move on to malware that hits your wallet directly: Fake AV.
Fake AV: fake anti-virus software that tricks users into buying a licence.
When infected with this malware, the user continuously receives warnings that the
system is infected with dangerous viruses and should buy a licence to remove them. In
fact the warnings are fraudulent, and the software showing them is the malware.
Slide 34
FakeAV
Tr 34
If Fake AV only goes as far as tricking gullible users, there is another type of
malware that takes money in a stronger manner: ransomware.
Slide 35
Ransomware
Ransomware
Tr 35
Slide 36
Ransomware
When a computer is infected with ransomware, a notice
occupies its entire lock screen. Users cannot close it or
run other programs.
The notice requires users to send money to a pre-
assigned account to get a key which allows them to use
their own computer again.
Besides, ransomware can encrypt all data on the victim
computer. Then, even when users can bypass the lock
screen, they cannot recover their data unless they pay the
hackers.
Tr 36
- When the computer is infected with ransomware, a notice appears that captures the
entire screen (screen lock); we cannot close it or open other programs.
- The content of the notice forces us to pay to a designated account; the victim then
receives a key so that the computer can be used again.
- In addition, ransomware can encrypt all the data on the computer, so even if we find
a way to unlock the screen we cannot restore the data. We have to pay them in order to
decrypt the data.
Slide 37
Rootkit
Rootkit: software that interferes deeply in the system to hide its existence
Tr 37
The final malware I would like to introduce to you in today's lesson is the rootkit.
A rootkit is a type of software that interferes deeply in the operating system to hide
information. Rootkit malware can be said to be the hardest to detect and remove,
because it sits at a low level of the system (almost at the driver level). When
removing a component at such a deep level, if we are not careful we cause errors in the
entire system, leading to a blue screen. The main effect of a rootkit is to protect the
malware on the computer and prevent it from being detected and removed.
Content
1. Definition of malware
2. Classification of malware
3. Anti-malware
Tr 38
We are going to continue with the third section of today's lesson: how to prevent
malware.
Slide 39
Anti-malware – System
Hardening the system
Firewall
Tr 39
At the system level:
- Install a licensed antivirus product
- Install a firewall
- Make sure the software and the operating system are always updated with the latest
patches
- For enterprises, general measures should be applied (segment the network, assign
access rights to employees, ...)
Slide 40
Anti-malware – Humans
Enhance users’ awareness
Content
1. Definition of malware
2. Classification of malware
3. Anti-malware
Tr 41
Tr 42
Check tools
Available on Windows:
1. File: Explorer
2. Process: TaskManager
3. Startup Folder: Msconfig, Registry Editor
4. Network: netstat
Tr 43
Slide 44
Check Tools
Tr 44
Ways to check
Use the check tools to find strange processes (and the files that spawn them), strange
startup entries and strange files:
- Files with strange icons (folder, Word, Excel, PDF, etc.)
- Files without version information or a description
- Files with names similar to system processes (svhost.exe, explore.exe, etc.), or
identical to a system process but located in a different directory
- Files with strange names (for example txxcxv.exe), meaningless names or names
consisting of numbers only
- Processes whose files are located in the temp folder or Application Data
- And so on
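The "ways to check" list above, turned into code as an added Python example (not part of the lecture): each item becomes a rule applied to a process's image path and version-info flag, so a Task Manager or process listing can be triaged the same way every time. The process records are constructed; the set of core system process names and their expected directories is my own short list, and the has_version_info flag stands in for what Explorer shows on the file's Details tab.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Core Windows process names and the directory each is expected to run from
# (explorer.exe lives in C:\Windows, the others in System32). My own short list.
SYSTEM_PROCESSES = {"explorer.exe": "c:\\windows"}
SYSTEM_PROCESSES.update({n: "c:\\windows\\system32" for n in (
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe",
    "wininit.exe", "dwm.exe", "conhost.exe", "spoolsv.exe", "taskhost.exe")})
# Directory name fragments that any user (and therefore any dropper) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\public\\")


@dataclass
class Process:
    """A running process as seen in a process listing (constructed records below)."""
    path: str
    has_version_info: bool = True


# Constructed listing mixing one legitimate service host with the look-alikes
# named on the slide (svhost.exe, explorer.exe in the wrong place, txxcxv.exe).
SAMPLE_PROCESSES = [
    Process(r"C:\Windows\System32\svchost.exe"),
    Process(r"C:\Users\alice\AppData\Local\Temp\svhost.exe", has_version_info=False),
    Process(r"C:\Users\alice\AppData\Roaming\explorer.exe"),
    Process(r"C:\Users\alice\Downloads\txxcxv.exe", has_version_info=False),
    Process(r"C:\Program Files\Editor\editor.exe"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(proc: Process) -> List[str]:
    reasons: List[str] = []
    p = PureWindowsPath(proc.path)
    name, stem, parent = p.name.lower(), p.stem.lower(), str(p.parent).lower()

    if name in SYSTEM_PROCESSES:
        # Right name, wrong directory: a system name outside its home folder.
        if parent != SYSTEM_PROCESSES[name]:
            reasons.append(f"system process name {name} running from {parent}")
    else:
        # One character away from a system name (svhost.exe, explore.exe).
        for known in SYSTEM_PROCESSES:
            if 0 < edit_distance(name, known) <= 1:
                reasons.append(f"name {name} resembles system process {known}")
                break
        # Digits only, or five or more letters with no vowel at all (txxcxv.exe).
        if re.fullmatch(r"\d+", stem) or (len(stem) >= 5 and not re.search(r"[aeiouy]", stem)):
            reasons.append(f"meaningless name {name}")
    if any(marker in parent + "\\" for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"runs from a user-writable directory: {parent}")
    if not proc.has_version_info:
        reasons.append("no version information or description")
    return reasons


def triage(procs: List[Process]) -> Dict[str, List[str]]:
    """Map each process path to its reasons; processes with no reasons are left out."""
    result: Dict[str, List[str]] = {}
    for proc in procs:
        reasons = suspicious_reasons(proc)
        if reasons:
            result[proc.path] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PROCESSES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

None of these rules is proof on its own (plenty of legitimate updaters run from AppData), which is why the slide lists them together: the more reasons a single process collects, the more it deserves a closer look.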
Tr 45
Ways to check
Tr 46
In many cases the virus has already been executed and has hidden the related details,
so checking does not reveal anything strange. If so, we should restart the computer in
Safe Mode before checking the startup components and the files stored on the
computer.
Slide 47
Tr 47