
Managing Malware In Higher Learning Institutions 2010-11

Chapter-1

Introduction

As the Internet becomes increasingly critical to HLI, students will be accessing
more and more content while exposing the network to new and potentially dangerous
network security threats. Educational institutions face a particular set of challenges in
fighting malware infiltration. HLI IT departments must balance between enabling a
highly collaborative, non-restrictive environment and ensuring the confidentiality,
integrity, and availability of data and computing resources. Additionally, administrators
are challenged to make sense of the explosion of intrusion detection system (IDS) alerts, a
critical yet daunting task given the fact that hackers are infiltrating HLI networks to build
botnet command and control servers and exploiting student Web surfing habits for botnet
propagation.

Preventing malware infiltration in this advanced "open" network environment
needs a multilayered approach. This approach can help HLI to strengthen security across
wireless and wired LAN networks. It can also streamline and automate analysis to
manage the constant barrage of IDS alerts, and collect crucial malware and botnet
intelligence. Honeypots (decoy) can be used to proactively detect and manage infiltration
while enabling network managers and users alike to be more effective. Not only can
decoy systems be useful to study and protect against malware and exploitation, but they
also can be useful in attracting spammers using a variety of techniques. E-mail received
on decoy accounts is likely to be originated from spammers especially if the same (or
similar) e-mail is received on more than one or a very large number of decoy accounts.
The system can collect the data from the decoy accounts and use it directly to generate
spam filter rules, effectively preventing classified spam from being transmitted at major
Internet service providers (ISPs) around the world. As a result, the motives and the tactics
of the attacker can be learned.
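As an added illustration of the decoy-account approach described above (example code written for this page, not part of the original report), the following Python fingerprints mail received on decoy accounts and emits a block rule only when the same or a similar message reaches several decoys; the decoy addresses, sample messages and rule format are constructed.

```python
"""Generate spam-filter rules from mail received on decoy (honeypot) accounts.

Added example, not part of the original report. Decoy addresses, messages and
the rule format are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict

# Constructed decoy mailboxes: no legitimate correspondent should ever write to them.
DECOY_ACCOUNTS = {"decoy1@example.edu", "decoy2@example.edu", "decoy3@example.edu"}

# Constructed sample messages: (recipient decoy, sender, subject, body).
# The first three are one campaign with per-recipient tracking numbers; the last
# is a stray legitimate mail that reached only one decoy.
SAMPLE_MESSAGES = [
    ("decoy1@example.edu", "promo@cheap-meds.example", "Cheap meds!!!",
     "Buy now at http://cheap-meds.example/?ref=1 order #48213"),
    ("decoy2@example.edu", "promo@cheap-meds.example", "Cheap meds!!!",
     "Buy now at http://cheap-meds.example/?ref=2 order #99001"),
    ("decoy3@example.edu", "promo@cheap-meds.example", "Cheap MEDS!!!",
     "Buy now at http://cheap-meds.example/?ref=3 order #17755"),
    ("decoy1@example.edu", "alice@partner.example", "Re: lab schedule",
     "Can we move the lab to Thursday? Thanks, Alice"),
]


def normalize(text: str) -> str:
    """Canonicalize a message so near-duplicates collapse to one fingerprint:
    lower-case, drop digits (tracking ids, order numbers), collapse whitespace."""
    text = text.lower()
    text = re.sub(r"\d+", "", text)
    text = re.sub(r"\s+", " ", text).strip()
    return text


def fingerprint(subject: str, body: str) -> str:
    """Stable short hash of the normalized subject and body."""
    canon = normalize(subject) + "\n" + normalize(body)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def build_rules(messages, min_decoys: int = 2):
    """Return filter rules for campaigns seen on at least `min_decoys` distinct
    decoy accounts. Each rule names the sender and the URL hosts to block."""
    seen = defaultdict(set)   # fingerprint -> decoy accounts that received it
    meta = {}                 # fingerprint -> sender and hosts seen in the body
    for rcpt, sender, subject, body in messages:
        if rcpt not in DECOY_ACCOUNTS:
            continue          # only mail addressed to a decoy is evidence
        fp = fingerprint(subject, body)
        seen[fp].add(rcpt)
        meta.setdefault(fp, {"sender": sender, "urls": set()})
        meta[fp]["urls"].update(re.findall(r"https?://[^\s/]+", body))
    rules = []
    for fp, rcpts in seen.items():
        if len(rcpts) >= min_decoys:
            rules.append({
                "fingerprint": fp,
                "decoy_hits": len(rcpts),
                "block_sender": meta[fp]["sender"],
                "block_hosts": sorted(meta[fp]["urls"]),
            })
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_MESSAGES):
        print(rule)
```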

Department of Information Science and Engineering, AMCEC 1


Malware
Malware, short for malicious software (sometimes referred to as pestware), is
software designed to harm or secretly access a computer system without the owner's
informed consent. The expression is a general term used by computer professionals to
mean a variety of forms of hostile, intrusive, or annoying software or program code.

Software is considered to be malware based on the perceived intent of the creator
rather than any particular features. Malware includes computer viruses, worms, trojan
horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other
malicious and unwanted software or program. In law, malware is sometimes known as a
computer contaminant, for instance in the legal codes of several U.S. states, including
California and West Virginia.

Preliminary results from Symantec published in 2008 suggested that "the release
rate of malicious code and other unwanted programs may be exceeding that of legitimate
software applications."[6] According to F-Secure, "As much malware was produced in
2007 as in the previous 20 years altogether." Malware's most common pathway from
criminals to users is through the Internet: primarily by e-mail and the World Wide Web.

The prevalence of malware as a vehicle for organized Internet crime, along with
the general inability of traditional anti-malware protection platforms (products) to protect
against the continuous stream of unique and newly produced malware, has seen the
adoption of a new mindset for businesses operating on the Internet: the acknowledgment
that some sizable percentage of Internet customers will always be infected for some
reason or another, and that they need to continue doing business with infected customers.
The result is a greater emphasis on back-office systems designed to spot fraudulent
activities associated with advanced malware operating on customers' computers.

On March 29, 2010, Symantec Corporation named Shaoxing, China, as the
world's malware capital.

Malware is not the same as defective software, that is, software that has a
legitimate purpose but contains harmful bugs. Sometimes, malware is disguised as
genuine software, and may come from an official site.

Purposes

Many early infectious programs, including the first Internet Worm and a number of MS-
DOS viruses, were written as experiments or pranks. They were generally intended to be
harmless or merely annoying, rather than to cause serious damage to computer systems.
In some cases, the perpetrator did not realize how much harm his or her creations would
do. Young programmers learning about viruses and their techniques wrote them simply
for practice, or to see how far they could spread. As late as 1999, widespread viruses such
as the Melissa virus and the David virus appear to have been written chiefly as pranks.
The first mobile phone virus, Cabir, appeared in 2004.

Hostile intent related to vandalism can be found in programs designed to cause harm or
data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to
destroy files on a hard disk, or to corrupt the file system by writing invalid data to them.
Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the
same category. Designed to vandalize web pages, worms may seem like the online
equivalent to graffiti tagging, with the author's alias or affinity group appearing
everywhere the worm goes.

Since the rise of widespread broadband Internet access, malicious software has been
designed for profit, for example forced advertising. For instance, since 2003, the
majority of widespread viruses and worms have been designed to take control of users'
computers for black-market exploitation. Infected "zombie computers" are used to send
email spam, to host contraband data such as child pornography, or to engage in
distributed denial-of-service attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware programs
designed to monitor users' web browsing, display unsolicited advertisements, or redirect
affiliate marketing revenues to the spyware creator. Spyware programs do not spread like
viruses; they are, in general, installed by exploiting security holes or are packaged with
user-installed software, such as peer-to-peer applications.

Chapter-2
Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner
in which they spread, rather than any other particular behavior. The term computer virus
is used for a program that has infected some executable software and, when run, causes
the virus to spread to other executables. Viruses may also contain a payload that performs
other actions, often malicious. On the other hand, a worm is a program that actively
transmits itself over a network to infect other computers. It too may carry a payload.

These definitions lead to the observation that a virus requires user intervention to
spread, whereas a worm spreads itself automatically. Using this distinction, infections
transmitted by email or Microsoft Word documents, which rely on the recipient opening a
file or email to infect the system, would be classified as viruses rather than worms.

Some writers in the trade and popular press misunderstand this distinction and use
the terms interchangeably.

Fig.1. Malware by categories on March 16, 2011.

Capsule history of viruses and worms

Before Internet access became widespread, viruses spread on personal computers
by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into
the machine code instructions in this executable, a virus causes itself to be run whenever a
program is run or the disk is booted. Early computer viruses were written for the Apple II
and Macintosh, but they became more widespread with the dominance of the IBM PC and
MS-DOS system. Executable-infecting viruses are dependent on users exchanging
software or bootable floppies, so they spread rapidly in computer hobbyist circles.

The first worms, network-borne infectious programs, originated not on personal
computers, but on multitasking UNIX systems. The first well-known worm was the
Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus,
this worm did not insert itself into other programs. Instead, it exploited security holes
(vulnerabilities) in network server programs and started itself running as a separate
process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windows platform in the 1990s, and the flexible
macros of its applications, it became possible to write infectious code in the macro
language of Microsoft Word and similar programs. These macro viruses infect documents
and templates rather than applications (executable), but rely on the fact that macros in a
Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a few
like Mare-D and the Lion worm are also written for Linux and Unix systems. Worms
today work in the same basic way as 1988's Internet Worm: they scan the network and
leverage vulnerable computers to replicate. Because they need no human intervention,
worms can spread with incredible speed. The SQL Slammer infected thousands of
computers in a few minutes.

Concealment: Trojan horses, rootkits, and backdoors

I. Trojan horses

For a malicious program to accomplish its goals, it must be able to run without
being shut down, or deleted by the user or administrator of the computer system on which
it is running. Concealment can also help get the malware installed in the first place. When
a malicious program is disguised as something innocuous or desirable, users may be
tempted to install it without knowing what it does. This is the technique of the Trojan
horse or Trojan.

In broad terms, a Trojan horse is any program that invites the user to run it,
concealing a harmful or malicious payload. The payload may take effect immediately and
can lead to many undesirable effects, such as deleting the user's files or further installing
malicious or undesirable software. Trojan horses known as droppers are used to start off a
worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse,
bundled with a piece of desirable software that the user downloads from the Internet.
When the user installs the software, the spyware is installed alongside. Spyware authors
who attempt to act in a legal fashion may include an end-user license agreement that
states the behavior of the spyware in loose terms, which the users are unlikely to read or
understand.

II. Rootkits

Once a malicious program is installed on a system, it is essential that it stays
concealed, to avoid detection and disinfection. The same is true when a human attacker
breaks into a computer directly. Techniques known as rootkits allow this concealment, by
modifying the host's operating system so that the malware is hidden from the user.
Rootkits can prevent a malicious process from being visible in the system's list of
processes, or keep its files from being read. Originally, a rootkit was a set of tools
installed by a human attacker on a UNIX system, allowing the attacker to gain
administrator (root) access. Today, the term is used more generally for concealment
routines in a malicious program.

Some malicious programs contain routines to defend against removal, not merely
to hide them, but to repel attempts to remove them. An early example of this behavior is
recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing
system:

Each ghost-job would detect the fact that the other had been killed, and would
start a new copy of the recently slain program within a few milliseconds. The only way to
kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash
the system.

Similar techniques are used by some modern malware, wherein the malware starts
a number of processes that monitor and restore one another as needed. In the event a user
running Microsoft Windows is infected with such malware, if they wish to manually stop
it, they could use Task Manager's 'processes' tab to find the main process (the one that
spawned the "resurrector process(es)"), and use the 'end process tree' function, which
would kill not only the main process, but the "resurrector(s)" as well, since they were
started by the main process. Some malware programs use other techniques, such as
naming the infected file similarly to a legitimate or trustworthy file (expl0rer.exe vs.
explorer.exe).

III. Backdoors

A backdoor is a method of bypassing normal authentication procedures. Once a
system has been compromised (by one of the above methods, or in some other way), one
or more backdoors may be installed in order to allow easier access in the future.
Backdoors may also be installed prior to malicious software, to allow attackers entry.

The idea has often been suggested that computer manufacturers preinstall
backdoors on their systems to provide technical support for customers, but this has never
been reliably verified. Crackers typically use backdoors to secure remote access to a
computer, while attempting to remain hidden from casual inspection. To install backdoors
crackers may use Trojan horses, worms, or other methods.

Malware for profit: spyware, botnets, keystroke loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious
programs were created as a form of vandalism or prank. More recently, the greater share
of malware programs has been written with a profit motive (financial or otherwise) in
mind. This can be taken as the malware authors' choice to monetize their control over
infected systems: to turn that control into a source of revenue.

Spyware programs are commercially produced for the purpose of gathering
information about computer users, showing them pop-up ads, or altering web-browser
behavior for the financial benefit of the spyware creator. For instance, some spyware
programs redirect search engine results to paid advertisements. Others, often called
"stealware" by the media, overwrite affiliate marketing codes so that revenue is redirected
to the spyware creator rather than the intended recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another.
They differ in that their creators present themselves openly as businesses, for instance by
selling advertising space on the pop-ups created by the malware. Most such programs
present the user with an end-user license agreement that purportedly protects the creator
from prosecution under computer contaminant laws. However, spyware EULAs have not
yet been upheld in court.

Another way that financially motivated malware creators can profit from their
infections is to directly use the infected computers to do work for the creator. The
infected computers are used as proxies to send out spam messages. A computer left in this
state is often known as a zombie computer. The advantage to spammers of using infected
computers is they provide anonymity, protecting the spammer from prosecution.
Spammers have also used infected PCs to target anti-spam organizations with distributed
denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have
used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to
an Internet Relay Chat channel or other chat system. The attacker can then give
instructions to all the infected systems simultaneously. Botnets can also be used to push
upgraded malware to the infected systems, keeping them resistant to antivirus software or
other security measures.

It is possible for a malware creator to profit by stealing sensitive information from
a victim. Some malware programs install a key logger, which intercepts the user's
keystrokes when entering a password, credit card number, or other information that may
be exploited. This is then transmitted to the malware creator automatically, enabling
credit card fraud and other theft. Similarly, malware may copy the CD key or password
for online games, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of a
dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a
premium-rate telephone number such as a U.S. "900 number" and leaves the line open,
charging the toll to the infected user.

Chapter-3

Data-stealing malware

Data-stealing malware is a web threat that divests victims of personal and
proprietary information with the intent of monetizing stolen data through direct use or
underground distribution. Content security threats that fall under this umbrella include
keyloggers, screen scrapers, spyware, adware, backdoors, and bots. The term does not
refer to activities such as spam, phishing, DNS poisoning, SEO abuse, etc. However,
when these threats result in file download or direct installation, as most hybrid attacks do,
files that act as agents to proxy information will fall into the data-stealing malware
category.

Characteristics of data-stealing malware

Does not leave traces of the event

 • The malware is typically stored in a cache that is routinely flushed
 • The malware may be installed via a drive-by-download process
 • The website hosting the malware, as well as the malware itself, is generally temporary
   or rogue

Frequently changes and extends its functions

 • It is difficult for antivirus software to detect final payload attributes due to the
   combination(s) of malware components
 • The malware uses multiple file encryption levels

Thwarts Intrusion Detection Systems (IDS) after successful installation

 • There are no perceivable network anomalies
 • The malware hides in web traffic
 • The malware is stealthier in terms of traffic and resource use

Thwarts disk encryption

 • Data is stolen during decryption and display
 • The malware can record keystrokes, passwords, and screenshots

Thwarts Data Loss Prevention (DLP)

 • Leakage protection hinges on metadata tagging; not everything is tagged
 • Miscreants can use encryption to port data

Examples of data-stealing malware

 • Bancos, an info stealer that waits for the user to access banking websites then
   spoofs pages of the bank website to steal sensitive information.
 • Gator, spyware that covertly monitors web-surfing habits, uploads data to a server
   for analysis then serves targeted pop-up ads.
 • LegMir, spyware that steals personal information such as account names and
   passwords related to online games.
 • Qhost, a Trojan that modifies the Hosts file to point to a different DNS server
   when banking sites are accessed then opens a spoofed login page to steal login
   credentials for those financial institutions.
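The Qhost entry above describes tampering with the Hosts file so that banking sites resolve somewhere other than their real servers. As an added example (written for this page, not from the original report), this Python parses a hosts file and reports any watched financial domain that has been pinned to an address locally; the hosts-file content and the watch-list of domains are constructed.

```python
"""Check a hosts file for Qhost-style overrides of financial-site resolution.

Added example, not from the original report. The hosts-file text and the
watch-list of bank domains below are constructed for illustration.
"""
import ipaddress

# Constructed watch-list: domains whose resolution must never be overridden locally.
WATCHED_DOMAINS = {"bank.example", "www.bank.example", "login.creditunion.example"}

# Addresses that merely sinkhole a name rather than redirect it elsewhere.
LOOPBACK = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}

# Constructed hosts file mixing benign entries with a tampered pair.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example   # blocked on purpose by the admin
198.51.100.23   www.bank.example      # not loopback: suspicious
198.51.100.23   bank.example
10.0.0.5        intranet.example.edu
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: skip rather than abort the whole check
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return every entry that pins a watched domain to a local address.
    A non-loopback address means traffic is redirected; a loopback address
    means the site is being blocked. Both are reported, with the reason."""
    findings = []
    for ip, host in parse_hosts(text):
        if host not in watched:
            continue
        reason = ("sinkholed to loopback" if ip in LOOPBACK
                  else "redirected to non-loopback address")
        findings.append({"host": host, "ip": str(ip), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(finding)
```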

Data-stealing malware incidents

 • Albert Gonzalez (not to be confused with the U.S. Attorney General Alberto Gonzales) is
   accused of masterminding a ring to use malware to steal and sell more than 170 million
   credit card numbers in 2006 and 2007—the largest computer fraud in history. Among the
   firms targeted were BJ's Wholesale Club, TJX, DSW Shoe, OfficeMax, Barnes & Noble,
   Boston Market, Sports Authority and Forever 21.
 • A Trojan horse program stole more than 1.6 million records belonging to several hundred
   thousand people from Monster Worldwide Inc.'s job search service. The data was used by
   cybercriminals to craft phishing emails targeted at Monster.com users to plant additional
   malware on users' PCs.
 • Customers of Hannaford Bros. Co., a supermarket chain based in Maine, were victims of a
   data security breach involving the potential compromise of 4.2 million debit and credit
   cards. The company was hit by several class-action lawsuits.

Chapter-4

Controversy about assignment to spyware

There is a group of software (Alexa toolbar, Google toolbar, Eclipse data usage collector,
etc.) that sends data to a central server about which pages have been visited or which features of
the software have been used. However, unlike "classic" malware, these tools document their
activities and only send data with the user's approval. The user may opt in to share the data in
exchange for additional features and services, or (in the case of Eclipse) as a form of voluntary
support for the project. Some security tools report such loggers as malware while others do not.
The status of the group is questionable. Some tools, like PDF Creator, are closer to the boundary
than others because opting out has been made more complex than it could be (during the
installation, the user needs to uncheck two check boxes rather than one). However, even PDF
Creator is only sometimes mentioned as malware and is still the subject of discussion.

Vulnerability to malware

In this context, as throughout, it should be borne in mind that the "system" under
attack may be of various types, e.g. a single computer and operating system, a network or
an application.

Various factors make a system more vulnerable to malware:

 • Homogeneity: e.g. when all computers in a network run the same OS, upon
   exploiting one, one can exploit them all.
 • Weight of numbers: simply because the vast majority of existing malware is
   written to attack Windows systems, then Windows systems, ipso facto, are more
   vulnerable to succumbing to malware (regardless of the security strengths or
   weaknesses of Windows itself).
 • Defects: malware leveraging defects in the OS design.
 • Unconfirmed code: code from a floppy disk, CD-ROM or USB device may be
   executed without the user's agreement.
 • Over-privileged users: some systems allow all users to modify their internal
   structures.
 • Over-privileged code: some systems allow code executed by a user to access all
   rights of that user.

An oft-cited cause of vulnerability of networks is homogeneity or software
monoculture.[22] For example, Microsoft Windows or Apple Mac have such a large share
of the market that concentrating on either could enable a cracker to subvert a large
number of systems, but any total monoculture is a problem. Conversely, introducing
inhomogeneity (diversity), purely for the sake of robustness, could increase short-term
costs for training and maintenance. However, having a few diverse nodes would deter
total shutdown of the network, and allow those nodes to help with recovery of the
infected nodes. Such separate, functional redundancy would avoid the cost of a total
shutdown and would avoid the "all eggs in one basket" problem of homogeneity.

Most systems contain bugs, or loopholes, which may be exploited by malware. A
typical example is the buffer-overrun weakness, in which an interface designed to store
data, in a small area of memory, allows the caller to supply more data than will fit. This
extra data then overwrites the interface's own executable structure (past the end of the
buffer and other data). In this manner, malware can force the system to execute malicious
code, by replacing legitimate code with its own payload of instructions (or data values)
copied into live memory, outside the buffer area.

Originally, PCs had to be booted from floppy disks, and until recently it was
common for this to be the default boot device. This meant that a corrupt floppy disk could
subvert the computer during booting, and the same applies to CDs. Although that is now
less common, it is still possible to forget that one has changed the default, and rare that a
BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the
sense that they are allowed to modify internal structures of the system. In some
environments, users are over-privileged because they have been inappropriately granted
administrator or equivalent status. This is primarily a configuration decision, but on
Microsoft Windows systems the default configuration is to over-privilege the user. This
situation exists due to decisions made by Microsoft to prioritize compatibility with older
systems above security configuration in newer systems and because typical applications
were developed without the under-privileged users in mind. As privilege escalation
exploits have increased this priority is shifting for the release of Microsoft Windows
Vista. As a result, many existing applications that require excess privilege (over-
privileged code) may have compatibility problems with Vista. However, Vista's User
Account Control feature attempts to remedy applications not designed for under-
privileged users, acting as a crutch to resolve the privileged access problem inherent in
legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the
system. Almost all currently popular operating systems and also many scripting
applications allow code too many privileges, usually in the sense that when a user
executes code, the system allows that code all rights of that user. This makes users
vulnerable to malware in the form of e-mail attachments, which may or may not be
disguised.

Given this state of affairs, users are warned only to open attachments they trust,
and to be wary of code received from untrusted sources. It is also common for operating
systems to be designed so that device drivers need escalated privileges, while they are
supplied by more and more hardware manufacturers.

Eliminating over-privileged code

As malware attacks become more frequent, attention has begun to shift from
viruses and spyware protection, to malware protection, and programs have been
developed to specifically combat them.

Anti-malware programs can combat malware in two ways:

1. They can provide real-time protection against the installation of malware on a
   computer. This type of protection works the same way as antivirus protection in
   that the anti-malware software scans all incoming network data for malware and
   blocks any threats it comes across.
2. Anti-malware software can be used solely for detection and removal of malware
   that has already been installed onto a computer. This type of malware protection
   is normally much easier to use and more popular. This type of anti-malware
   software scans the contents of the Windows registry,
operating system files, and installed programs on a computer and will provide a
list of any threats found, allowing the user to choose which files to delete or keep,
or to compare this list to a list of known malware components, removing files that
match.

Real-time protection from malware works identically to real-time antivirus
protection: the software scans disk files at download time, and blocks the activity of
components known to represent malware. In some cases, it may also intercept attempts to
install start-up items or to modify browser settings. Because many malware components
are installed as a result of browser exploits or user error, using security software (some of
which are anti-malware, though many are not) to "sandbox" browsers (essentially babysit
the user and their browser) can also be effective in helping to restrict any damage done.

Academic research on malware: a brief overview

The notion of a self-reproducing computer program can be traced back to when John
von Neumann presented lectures that encompassed the theory and organization of complicated
automata.[23] Neumann showed that in theory a program could reproduce itself. This
constituted a plausibility result in computability theory. Fred Cohen experimented with
computer viruses and confirmed Neumann's postulate. He also investigated other
properties of malware (detectability, self-obfuscating programs that used rudimentary
encryption that he called "evolutionary" and so on). His 1988 doctoral dissertation was on
the subject of computer viruses.[24] Cohen's faculty advisor, Leonard Adleman (the A in
RSA) presented a rigorous proof that, in the general case, algorithmically determining
whether a virus is or is not present is Turing undecidable. This problem must not be
mistaken for that of determining, within a broad class of programs, that a virus is not
present; this problem differs in that it does not require the ability to recognize all viruses.
Adleman's proof is perhaps the deepest result in malware computability theory to date and
it relies on Cantor's diagonal argument as well as the halting problem. Ironically, it was
later shown by Young and Yung that Adleman's work in cryptography is ideal in
constructing a virus that is highly resistant to reverse-engineering by presenting the notion
of a cryptovirus. A cryptovirus is a virus that contains and uses a public key and
randomly generated symmetric cipher initialization vector (IV) and session key (SK). In
the cryptoviral extortion attack, the virus hybrid encrypts plaintext data on the victim's
machine using the randomly generated IV and SK. The IV+SK are then encrypted using
the virus writer's public key. In theory the victim must negotiate with the virus writer to
get the IV+SK back in order to decrypt the cipher text (assuming there are no backups).
Analysis of the virus reveals the public key, not the IV and SK needed for decryption, or
the private key needed to recover the IV and SK. This result was the first to show that
computational complexity theory can be used to devise malware that is robust against
reverse-engineering.

A growing area of computer virus research is to mathematically model the
infection behavior of worms using models such as the Lotka–Volterra equations, which
have been applied in the study of biological viruses. Various virus propagation scenarios
have been studied by researchers, such as propagation of computer viruses, fighting viruses
with virus-like predator codes, effectiveness of patching, etc.

Behavioral malware detection has been a particularly lively research area lately.
Most approaches to behavioral detection are based on analysis of system call
dependencies. The executed binary is traced using strace or, more precisely, taint analysis to
compute data-flow dependencies among system calls. The result is a directed graph G =
(V, E) whose nodes are system calls and whose edges represent dependencies: there is an
edge (s, t) if a result returned by system call s (either directly as its return value or
indirectly through an output parameter) is later used as a parameter of system call t. The
origins of the idea of using system calls to analyze software can be found in the work of
Forrest et al. [29]. Christodorescu et al. point out that malware authors cannot easily reorder
system calls without changing the semantics of the program, which makes system call
dependency graphs suitable for malware detection. They compute the difference between
malware and goodware system call dependency graphs and use the resulting graphs for
detection, achieving high detection rates. Kolbitsch et al. precompute symbolic expressions
and evaluate them on the syscall parameters observed at runtime; they detect dependencies
by checking whether the result of the evaluation matches the parameter values observed at
runtime, and malware is detected by comparing the dependency graphs of the training and
test sets. Fredrikson et al. describe an approach that uncovers distinguishing features in
malware system call dependency graphs; they extract significant behaviors using concept
analysis and leap mining. Babic et al. recently proposed a novel approach to both malware
detection and classification based on grammar inference of tree automata. Their approach
infers an automaton from dependency graphs, and they show how such an automaton can
be used for detection and classification of malware.
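The following Python code, added here as an illustration and not taken from the report or from the papers it cites, builds the dependency graph described above from a system-call trace and applies the simplest form of the goodware/malware difference idea: dependencies that occur in the malware training traces but never in the benign ones become the detection specification, and a new sample is scored by the fraction of those dependencies its own graph contains. All traces are constructed by hand (Win32 API names, synthetic handle names, documentation IP addresses); the 0.6 threshold is an assumed cut-off, and the published algorithms mine the difference far more carefully than a plain set subtraction.

```python
"""Behavioral detection from system-call dependency graphs.

Added example for this report; it is not code from the report or from the
papers it cites. Traces are constructed by hand: each call lists the values
it consumes (inputs) and the values it produces (outputs, i.e. its return
value and output parameters). Win32 API names are used only to match the
report's Win32 assumption; nothing here executes a sample.
"""
from collections import namedtuple

Call = namedtuple("Call", "name inputs outputs")


def dependency_graph(trace):
    """Edge set {(s, t)}: a value produced by call s is later consumed by call t.

    Only the most recent producer of a value is remembered, so a handle name
    that is re-used later in a long trace attaches to the call that last
    produced it.
    """
    producer = {}
    edges = set()
    for call in trace:
        for value in call.inputs:
            if value in producer:
                edges.add((producer[value], call.name))
        for value in call.outputs:
            producer[value] = call.name
    return edges


def malicious_spec(malware_traces, goodware_traces):
    """Dependencies present in the malware set and absent from the goodware set."""
    mal = set().union(*(dependency_graph(t) for t in malware_traces))
    good = set().union(*(dependency_graph(t) for t in goodware_traces))
    return mal - good


def match_score(trace, spec):
    """Fraction of the malicious dependencies that a sample's graph contains."""
    if not spec:
        return 0.0
    return len(dependency_graph(trace) & spec) / len(spec)


def is_malicious(trace, spec, threshold=0.6):
    """Threshold on the match score; 0.6 is an assumed cut-off, not a published value."""
    return match_score(trace, spec) >= threshold


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Training set (constructed): a text editor and a download-and-persist dropper.
GOODWARE_EDITOR = [
    Call("CreateFileW", ["C:\\docs\\notes.txt"], ["h_doc"]),
    Call("ReadFile", ["h_doc"], ["buf_doc"]),
    Call("WriteFile", ["h_doc", "buf_doc"], []),
    Call("CloseHandle", ["h_doc"], []),
]
MALWARE_DROPPER = [
    Call("socket", [], ["sock"]),
    Call("connect", ["sock", "203.0.113.5:8080"], []),
    Call("recv", ["sock"], ["payload"]),
    Call("GetTempPathW", [], ["tmp_dir"]),
    Call("CreateFileW", ["tmp_dir"], ["h_drop"]),
    Call("WriteFile", ["h_drop", "payload"], []),
    Call("CloseHandle", ["h_drop"], []),
    Call("RegOpenKeyExW", [RUN_KEY], ["h_run"]),
    Call("RegSetValueExW", ["h_run", "tmp_dir"], []),
    Call("CreateProcessW", ["tmp_dir"], ["h_proc"]),
]
SPEC = malicious_spec([MALWARE_DROPPER], [GOODWARE_EDITOR])

# Test samples (constructed): a variant that renames its handles and runs the
# independent persistence calls first, and a browser-style document download.
VARIANT = [
    Call("GetTempPathW", [], ["p"]),
    Call("RegOpenKeyExW", [RUN_KEY], ["k"]),
    Call("RegSetValueExW", ["k", "p"], []),
    Call("socket", [], ["s"]),
    Call("connect", ["s", "198.51.100.7:443"], []),
    Call("recv", ["s"], ["data"]),
    Call("CreateFileW", ["p"], ["f"]),
    Call("WriteFile", ["f", "data"], []),
    Call("CloseHandle", ["f"], []),
    Call("CreateProcessW", ["p"], ["proc"]),
]
BENIGN_DOWNLOAD = [
    Call("socket", [], ["s"]),
    Call("connect", ["s", "192.0.2.10:443"], []),
    Call("recv", ["s"], ["body"]),
    Call("CreateFileW", ["C:\\Users\\alice\\Downloads\\paper.pdf"], ["f"]),
    Call("WriteFile", ["f", "body"], []),
    Call("CloseHandle", ["f"], []),
]

if __name__ == "__main__":
    for label, sample in [("variant", VARIANT), ("download", BENIGN_DOWNLOAD)]:
        print(label, round(match_score(sample, SPEC), 2), is_malicious(sample, SPEC))
```

The variant trace renames every handle and runs its persistence calls before the download, yet yields the same edges, which is the reordering argument made by Christodorescu et al. The benign download shares the socket and recv dependencies but not the GetTempPathW and Run-key ones, so it scores 3/7 and stays below the threshold. A single goodware trace is far too small a benign set for real use; the point of training on a large goodware corpus is precisely to remove such common edges from the specification.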

Securing open academic networks

Fast-flowing networks and ready access to high-end computing infrastructure are
critical for students, faculty, and staff if they are to succeed in their pursuits. By their very
nature, HLIs must refrain from imposing too many restrictions, so as to best support
uninhibited academic research and discovery. Another unique characteristic of academic
networks is that while the university owns the network infrastructure, individuals
frequently own the endpoint devices, such as laptops, Personal Digital Assistants (PDAs)
and smartphones. This creates very real challenges in maintaining the desired level of
security within the infrastructure. Given the broad range of platforms and applications in
use among students, faculty, staff, and guests, there are few commonalities that can be
leveraged in implementing new physical and logical security controls. Taking into
account the sheer volume and variety of users and devices accessing university resources,
plus the reality that IT has limited visibility into those endpoints, deploying and
provisioning (let alone enforcing) any new agent-based security controls is difficult at
best. Attackers exploit these very shortcomings to launch botnets and other malware
attacks such as phishing. HLIs need to acknowledge that antivirus, intrusion prevention
systems and other logical and physical measures alone cannot detect the emerging
network security threats that result from increasingly sophisticated methods of attack
and the blending of once-distinct types of attack into more complex, covert and
damaging forms, which occur every day. A multilayered approach is needed to provide
robust protection, with emphasis on non-technical measures against malware, while at
the same time balancing the "open" environment and security goals. A multilayered
approach addresses all three security goals, availability, confidentiality and integrity,
with each layer corresponding to one aspect of security. The layers are sequential and
overlapping, i.e. layer one is followed by layer two, which is followed by layer three,
where each layer has some unique features and inherits some features from the previous
layers. This ensures that each layer stands alone and is able to effectively block the type
of attack it is meant to block.

Malware Analysis for Administrators

Background, goals, assumptions and tools

I. Background

There are basically two broad categories of techniques that are used for analyzing
malware: code analysis and behavior analysis. In most cases, a combination of both
techniques is used. We will consider code analysis first.

Code analysis is one of the primary techniques used for examining malware. The
best way of understanding the way a program works is, of course, to study the source
code of the program. However, the source code for most malware is not available.
Malicious software is more often distributed in the form of binaries, and binary code can
still be examined using debuggers and disassemblers. However, the use of these tools is
often beyond the ability of all but a small minority because of the specialized knowledge
required and the very steep learning curve needed to acquire it. Given sufficient time, any
binary, however large or complicated, can be reversed completely by using code analysis
techniques.

On the other hand, behavior analysis is concerned with the behavioral aspects of
the malicious software. Like a beast kept under observation in a zoo, a binary can be
kept in a tightly controlled lab environment and have its behavior scrutinized. Things like
the changes it makes to the environment (file system, registry, network, etc.), its
communication with the rest of the network, its communication with remote devices, and
so on are closely observed and information is collected. The collected data is analyzed
and the complete picture is reconstructed from these different bits of information.

The best thing about behavior analysis is that it is within the scope of an average
administrator or even a power user. The learning curve is very small and existing
knowledge can be leveraged to make the learning process faster. This makes it ideal for
teaching newcomers the art of malware reverse engineering. These reasons are consistent
with our stated goals, focused on the typical administrator, and therefore this paper is
mostly concerned with behavior analysis.

Though reverse engineering using behavior analysis does not lead to the complete
reversing of a binary, it is sufficient for most users' needs. For instance, it is not sufficient
for an antivirus researcher, but for most other users behavior analysis can fulfill all their
needs. One caveat applies throughout: behavior analysis reveals only the behavior the
sample actually exhibits in the lab, so code paths that depend on a particular date, on a
response from a remote server, or on the absence of analysis tools remain unobserved.

II. Goals in the analysis

As stated before, our goal is to provide a set of behavior analysis techniques for
reverse engineering malware. The learning curve should also be small, so that the
techniques are within the reach of most people.

Using these methods, people should be able to analyze an unknown binary and
determine whether it is malicious or not. Those who require more in-depth knowledge
should be able to reverse engineer the binary and understand and document its workings
completely.

III. Assumptions and definitions

This paper makes a few assumptions for the sake of convenience and clarity.
These are:

1. We assume that the malware under consideration is a Win32 binary on an
Intel x86 machine. This is just for the sake of clarity. The basic principles can be
just as easily applied to any other platform.
2. We sometimes refer to the malware as "the binary". This does not however mean
that the principles are applicable only to a malicious application that is composed
of a single binary.
3. The host machine on which the binary is executed is referred to as the "victim
host" or the "victim machine".
4. The other machine on the test network is referred to as the "sniffer machine".

IV. Tools

Since the goal of this paper is to propose a generic set of techniques, the tools
mentioned in this paper are just "proposed" tools and are available as references at the
end of this document. Any other tool that has the same or similar functionality can be
used in place of the proposed ones.


Methodology

The framework proposed is broadly divided into six stages. They are:

1. Creating a controlled environment
2. Baselining the environment
3. Information collection
4. Information analysis
5. Reconstructing the big picture
6. Documenting the results

I. Creating a controlled environment

Setting up a controlled and sanitized environment is absolutely essential for
analyzing malware. A special "test lab" is created for this purpose. Some essential
features of the test lab are:

 At least two machines should be used. One machine is for hosting the malicious
binary (victim machine) and the other is for baselining and sniffing the network
traffic (sniffer machine). They should be networked in such a way that each of
them is able to sniff the other's network traffic.
 The two networked lab machines should be isolated from the rest of the network.
 Fresh copies of the operating systems should be installed on each of the two
machines. It is preferable to have a WinNT-family OS on one machine and a
*nix-based OS on the other. Since we are assuming a Win32 binary, the WinNT
machine acts as the "victim host" and the *nix machine is used as the "sniffer
machine".
 The tools should be transferred to the relevant machines.
 The binary that is to be examined should be transferred to the relevant machine.
Since we are assuming a Win32 binary, it is transferred to the Win32 machine in
this case.
 It is highly preferable not to install any other application on the "victim host"
apart from the tools required for analysis.

This is the most basic setup for a malware analysis lab. Apart from this, and
depending on the situation, further modifications can be carried out. For instance, if the
malicious binary tries to communicate with a remote server xyz.com, a DNS server has to
be set up on one of the lab machines and a DNS entry for xyz.com has to be created, so
that the binary's traffic is directed to a lab machine instead of leaving the isolated
network. An excellent paper that discusses the creation of a malware analysis lab is "An
Environment for Controlled Worm Replication and Analysis".

We may have to return to this "creating a controlled environment" stage many
times during the analysis process. Sometimes, in the light of new information generated
during the later stages, the lab will have to be tweaked and modified.

II. Baselining the environment

Baselining the environment is the next major step. "Baselining" means taking a
snapshot of the current environment. This is the most vital stage in our analysis. If
baselining is not done properly, it has a serious effect on the information gathering stage,
which in turn seriously affects our understanding of the binary. If baselining is done
efficiently, the information generated during the next stage becomes very accurate and the
rest of the stages become easy to execute.

To accomplish our goals, the binary which is to be analyzed is executed in a
controlled environment and the changes it makes to that environment are captured. Before
executing the binary, a snapshot of the environment is created (the baseline), and after
execution another snapshot is created. In theory, the difference between the baseline and
the final snapshot gives the changes made by the binary.

The elements of the environment that have to be baselined are:

A. Network traffic

Sniffing software installed on our "sniffer machine" is used for this purpose. Any
sniffing software running in verbose mode is sufficient for our purposes. However, to
make our task easier, it is preferable to use a protocol analyzer like Ethereal.

B. Victim machine

Some of the elements that are to be baselined on the victim machine are:

 File system: The file system on the victim host has to be baselined. There
are many programs that can create a snapshot of the file system and, after a
few changes occur, point out the modifications. Some of the programs we
can use are Winalysis and InstallRite.
 Registry: The registry is the next component that is to be baselined. Most
malware relies on registry entries, for instance to survive a reboot. Therefore
it is crucial to capture registry modifications. Winalysis, as mentioned above,
is one of the available programs that can be used for registry baselining.
 Running processes: A snapshot of the running processes can be created
using a number of programs. Some of them are available from Sysinternals.
 Open ports: A snapshot of the open ports can be created using the 'netstat'
utility. However, it does not list the name of the process that is tied to each
port. For this, we can use Fport, available from Foundstone.
 Users, groups, network shares and services are some of the other elements
that should be baselined.

The network traffic itself also has to be baselined. Even when there is no
application running on either of the test machines, there will still be some network
traffic. This traffic has to be recorded and the "normal traffic" on our test network has to
be defined, because when deviations from the "normal traffic" pattern occur, we can
assume they are generated by the binary and investigate them further. Although we
have created a snapshot of the open ports on the victim machine, it is always better to
create one more snapshot from an external machine. A port scanner running on our
"sniffer machine" can achieve this task for us. It goes without saying that will be the port
scanner of choice for most users.
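An added example (not one of the tools named above) of the baseline-then-diff idea, in Python: the file tree of the victim host is snapshotted with sizes and SHA-256 hashes, the listening ports are parsed from `netstat -an` text, and the two snapshots are compared after the binary has run. The directory contents and netstat lines are constructed for the demonstration; the second netstat listing includes an ESTABLISHED connection to show that it must not be counted as a new listener.

```python
"""Baseline-and-diff for a victim host: file tree and listening ports.

Added example for this report, not one of the tools it names. The file-tree
part hashes every file under a root so that modified files are caught even
when their size is unchanged; the port part parses the text of `netstat -an`.
The netstat output below is constructed by hand in the Windows format; the
directory contents in demo() are constructed in a temporary directory.
"""
import hashlib
import os
import re
import tempfile


def snapshot_tree(root):
    """Map each file path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before, after):
    """Paths added, removed or changed between the baseline and a later snapshot."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


# One `netstat -an` line: proto, local addr:port, foreign addr, optional state.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$", re.I)


def listening_ports(netstat_output):
    """Set of (proto, port): TCP sockets in LISTENING state plus every bound UDP socket."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto = m.group(1).upper()
        port = int(m.group(2))
        state = (m.group(3) or "").upper()
        if proto == "UDP" or state == "LISTENING":
            ports.add((proto, port))
    return ports


NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
"""
NETSTAT_AFTER = NETSTAT_BEFORE + """\
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.56.10:1047     192.168.56.1:80        ESTABLISHED
  UDP    0.0.0.0:1034           *:*
"""


def new_listeners():
    """Ports that appeared after the sample ran (the ESTABLISHED line is not a listener)."""
    return sorted(listening_ports(NETSTAT_AFTER) - listening_ports(NETSTAT_BEFORE))


def demo():
    """Baseline a throwaway tree, simulate the sample's changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("clean install\n")
        baseline = snapshot_tree(root)

        # Simulated effect of running the binary: one dropped file, one edited file.
        with open(os.path.join(sys32, "svch0st.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00constructed dropper")
        with open(os.path.join(sys32, "hosts"), "a") as fh:
            fh.write("127.0.0.1 update.example.test\n")
        return diff_snapshots(baseline, snapshot_tree(root))


if __name__ == "__main__":
    print(demo())
    print(new_listeners())
```

Hashing rather than comparing size and timestamp catches an edited file whose length did not change, and it is also what defeats a binary that resets a file's timestamp after modifying it. The same diff is what the dynamic analysis step below computes between its post-execution snapshot and the baseline.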

III. Information collection

Now that the preparations are over, we can go ahead with our task. This is the
only stage where we actually interact with the binary. A lot of raw information about
the binary is collected during this stage, and it is analyzed in the next stage. Therefore,
it is very important to carefully record all the information generated in this stage. The
steps in the information collection stage are:

A. Static analysis

During the static analysis step, we collect as much information about the binary
as possible without executing it. This involves many techniques and tools. Static analysis
can reveal scripts, HTML, GUI elements, passwords, commands, control channels, and so
on. Simple things like the file name, size and version string (right-click > Properties >
Version in Win32) are recorded first.

Human-readable strings are extracted from the binary and recorded. A program
like Binary Text Scan can be used for this purpose. These strings reveal a lot of
information about the function of the binary.

Resources that are embedded in the binary are extracted and recorded. A program
like Resource Hacker can be used for this purpose. The resources that can be discovered
through this process include GUI elements, scripts, HTML, graphics, icons, and more.

B. Dynamic analysis

During this step, we actually execute the binary and observe its interaction with
the environment. All monitoring tools, including the sniffing software, are activated.
Different experiments are done to test the response of the running malware process to
our probes. Attempts to communicate with other machines are recorded. Basically, a new
snapshot of the environment is created, as in the baselining stage.

After taking a snapshot of all the changes the binary has made to the system, the
binary's process is terminated. Now the differences between the new snapshot and the
baseline snapshot are determined. The dynamic analysis step is very similar to the
baselining stage, so the same tools are reused here: Winalysis and InstallRite can be
used for this purpose. Apart from these, Filemon and Regmon from Sysinternals can be
used for monitoring the file system and the registry live while the binary runs, rather
than only comparing before-and-after snapshots.

This information is recorded and forms the input for the next stage of our analysis.
The information generated here can be new files, registry entries, open ports, etc.

Sometimes the static analysis step has to be repeated after the dynamic analysis,
for instance when the binary unpacks or decrypts itself in memory and only then reveals
its strings.


IV. Information analysis

This is the stage where we can finally reverse engineer the binary based on all the
information collected during the previous stages. Each piece of information is analyzed
over and over until the "jigsaw puzzle" is completed. Then the big picture begins to
appear and the reverse engineering process is finished. However, before this is achieved,
we may have to repeat the previous stages (see figure) several times.

The goals of the individual or organization evaluating the binary determine the
type of analysis, and because the goals differ, no standard methodology is provided for
this stage. Looking for deviations from the stated security policy of an organization, based
on the information collected, can be the determining factor in some cases.

V. Documenting the results

Documenting the results of the malware analysis and reverse engineering exercise
is essential. One of the main advantages is that the knowledge incorporated into the
documentation can be leveraged for later analysis exercises. The documentation needs
differ from individual to individual and organization to organization. The method
preferred by the concerned party can be used here.

Literature review

Based on the literature research done, this study has its roots in two previous
studies, Jones et al. (1993) [5] and Schmidt and Arnett (2005) [6]. Both of these had the
goal of examining relatively new malware as it emerged on the computing landscape. In
this study both malware and the current anti-malware measures will be compared and
analyzed. Thereafter, in-depth studies of several security models will be undertaken to
investigate and evaluate organizational network security.

Current network security defenses are mostly reactive and static methods, which
are used to collect, analyze and extract evidence after attacks. This approach includes
virus detection, vulnerability assessment, firewalls and more. They rely upon collecting
and analyzing virus specimens or intrusion signatures with traditional techniques such as
statistical analysis, feature analysis, neural networks, and data mining. However, these
approaches result in a slow reaction time to new threats. This is largely due to the lack of
self-learning and self-adapting abilities: they can only prevent known network intrusions,
and can do very little or nothing against unknown intrusions.

In the real network environment, the intrusion threat has grown, as has the
number of attack classes. As a result, HLIs are constantly investing in new information
technology and in business information systems security in particular. These security
expenditures have constantly increased over the last few years. The expenditure is mostly
on widely used security tools such as firewalls, antivirus, Virtual Private Networks
(VPNs), encrypted channels, and more. Although the tools are effective to a certain
extent, there are objective shortcomings related to all existing security tools and
mechanisms: they solve just the technical side of the security problem and fail to address
most of the non-technical side.

In this study we propose a conceptual framework (Fig. 3) which focuses on the
non-technical measures, basically dealing with the social layer. The problem has been
compounded by the trends toward mobility, increasing Web traffic and the rising popularity
of e-commerce, search and social networking applications (e.g. Facebook, MySpace and
Twitter), which have all significantly impacted HLI security. Security of networked
systems requires both technical and administrative foundations. Technical foundations,
like those based on cryptographic measures and access control models, are well
understood. However, the administrative foundation, which is based on several
non-technical layers added on top of the technical ones, has taken a back seat. Clearly,
for malware to be effectively managed there must be a marriage between the technical
and non-technical layers.

Due to the scarcity of network security models specifically addressing HLIs with
an emphasis on non-technical measures, the study will be based on four security models,
which will help in providing some guidance in the development of the proposed network
security framework (Fig. 3). This framework can be applied not only to HLIs but also to
any other type of organization.

Fig. 2. Network Security Model.

Fig. 3. Proposed Conceptual Framework.

In this research-in-progress study we intend to use both qualitative and
quantitative (mixed) methods in the gathering of information, in order to enhance the
reduction of malware on networks. For the qualitative part, we shall interview key
technical staff from the HLIs' IT departments to establish the control measures in use. We
shall then conduct a survey (quantitative) at three educational institutions to make a
comparative analysis of the malware landscape by analyzing students' perceptions of
combating malware. The three HLIs were selected for the survey because they are
technologically innovative and publicly funded. The unit of analysis will be IT students
from the selected HLIs. In order to refine our survey, a pilot study will be undertaken at
one of the HLIs. Thereafter we shall propose a framework with emphasis on
non-technical measures using a multilayered approach. In order to validate the proposed
framework we shall focus on HLI students' perceptions of malware, network security and
the existing defense measures.


CONCLUSION

Overall, this study examines malware as it affects HLIs and thereafter conducts a
survey and comparative analysis of several security models. From the preliminary study,
we believe that the malware threat poses a significant and increasing problem for HLIs.
Different types of attackers usually attempt different attacks depending on their position,
privileges and knowledge. Although there is a wide range of technological security
measures, there are still very few solutions which focus largely on non-technical
measures.

Therefore a well-structured multilayered Network Security Framework will give
the information security community a way to study, implement, and maintain network
security that can be applied to any HLI.


REFERENCES

[1] MYCERT. Malaysia botnet drones and malware statistics, 2009.
[2] Moses Garuba, Chunmei Liu and Nicki Washington. A comparative analysis of anti-malware software, patch management, and host-based firewalls in preventing malware infections on client computers. IEEE Computer Society, Washington, DC, USA, 2008.
[3] Mikko Siponen. Designing secure information systems and software: Critical evaluation of the existing approaches and a new paradigm. Oulu University Library, 2002.
[4] Kapil Kumar Gupta, Baikunth Nath and Kotagiri Ramamohanarao. Network security framework. IJCSNS International Journal of Computer Science and Network Security, Vol. 6, No. 7B, p. 151, 2006.
[5] Jones, M.C., Arnett, K.P., Tang, J.T.E. and Chen, N.S. Perceptions of computer viruses: a cross-cultural assessment. Computers and Security, 1993.
[6] Schmidt, Mark B. and Kirk P. Arnett. Spyware: A little knowledge is a wonderful thing. Communications of the ACM, 48(8), 67-70, 2005.
[7] KPMG Malaysia Fraud Survey Report. Nature of malware changes in 2001/2002. 2004.
[8] Elmarie Kritzinger and S.H. von Solms. Five non-technical pillars of network information security management. In: Communications and Multimedia Security, IFIP International Federation for Information Processing, Springer, Boston, pp. 277-287, 2005.
[9] Siponen, M.T. and Baskerville, R. A new paradigm for adding security into IS development methods. In: Eloff, Labuschagne, L., von Solms, R. and Dhillon, G. (eds.), Advances in Information Security Management and Small Systems Security, Kluwer Academic Publishers, Norwell, MA, pp. 99-111, 2001.
[10] Joshua Backfield. Network Security Model. SANS Institute InfoSec Reading Room, 2008.
[11] Peter G. Neumann. Practical architectures for survivable systems and networks. Phase two final report, SRI International, 2000.
[12] Clive Blackwell. Multi-layered security architecture for modeling complex systems. Proc. ACM CSIIRW 2008, Vol. 288.
[13] Microsoft. Defense in Depth. Microsoft TechNet Library, 2008.
[14] Julie Bort. Security: Defending the extended enterprise. Network World White Papers, 2002.