ICT ch6.pptx
# Understanding malware
Malware is a pervasive threat to computer systems, designed to cause harm or gain unauthorized access without user consent.
## 1. Understanding malware
Malware is a portmanteau derived from "malicious" and "software." It represents software intentionally designed to cause damage to computer systems, disrupt operations, or gain unauthorized access without the explicit agreement of the system's owner. This category encompasses a wide array of malicious programs, including viruses, worms, Trojan horses, spyware, and adware.
### 1.1 The lifecycle of malware
Malware typically progresses through several phases:
* **Dormancy phase:** In this initial stage, the malware remains inactive, often designed to build a sense of trust or avoid immediate detection.
* **Propagation phase:** The malware replicates itself to spread to other systems or locations within the infected system. During this phase, it usually avoids causing overt damage.
* **Triggering phase:** The malware becomes active upon encountering specific conditions. These triggers can include:
* A predetermined date or time.
* A specific number of replications having occurred.
* A particular sequence of user actions, such as a specific keystroke pattern.
* **Damaging phase:** This is the final and destructive phase where the malware carries out its malicious intent. The actions can range from minor annoyances to catastrophic data loss and system incapacitation.
### 1.2 Common types of malware
There are three primary categories of malware:
#### 1.2.1 Virus
A computer virus is a type of malware that attaches itself to a legitimate program or file. It spreads from one computer to another by infecting other files. A virus typically requires a human action, such as executing or opening the infected program, to activate and spread.
**Categories of viruses:**
* **Macro viruses:** These viruses infect application software that uses macros, such as Microsoft Word and Excel documents.
* **Network viruses:** They multiply by exploiting shared resources on a network.
* **Logic bombs:** These are segments of malicious code designed to activate only when specific predefined conditions are met.
* **Companion viruses:** Instead of modifying the original file, these viruses create a new file with the same name but a different extension. For instance, they might create a `.exe` file that matches a `.com` file.
* **Boot sector viruses:** These viruses target and destroy the boot sector of a hard disk, which is essential for starting the operating system. Historically, they spread through floppy disks, but this method is uncommon today.
* **Multipartite viruses:** These viruses are adept at spreading through infected media and often hide in the system's memory. From memory, they can gradually move to infect the boot sector of the hard drive.
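A defender-side check for the companion-virus pattern described above, added here as an example (not code from the slides): it walks a directory tree and lists every base name that exists under more than one executable extension, so the pair can be inspected. The directory layout it scans is constructed inline.

```python
"""Companion-virus indicator scan (added example; not code from the slides).

A companion virus leaves the original program untouched and drops a second
executable with the same base name under a different extension. This check
walks a directory tree and reports every base name that exists under more
than one executable extension so an analyst can inspect the pair. The sample
directory layout is constructed inline and is not real data.
"""
import os
import tempfile
from collections import defaultdict

# Extensions a DOS/Windows shell runs for a bare command name; only the
# pairing matters for this check, not the lookup order.
EXEC_EXTENSIONS = (".com", ".exe", ".bat")


def find_companion_pairs(root):
    """Return {directory: {basename: [extensions]}} for every base name that
    appears under more than one executable extension in the same directory."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        by_base = defaultdict(list)
        for name in filenames:
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in EXEC_EXTENSIONS:
                by_base[base.lower()].append(ext)
        suspicious = {b: sorted(e) for b, e in by_base.items() if len(e) > 1}
        if suspicious:
            findings[dirpath] = suspicious
    return findings


def build_demo_tree():
    """Constructed sample: one clean program plus one BACKUP.COM/BACKUP.EXE pair."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    for rel in ("TOOLS/BACKUP.EXE", "TOOLS/BACKUP.COM",
                "TOOLS/README.TXT", "BIN/EDIT.EXE"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"demo")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for directory, pairs in find_companion_pairs(demo_root).items():
        for base, exts in pairs.items():
            print(f"{directory}: '{base}' exists as {', '.join(exts)} -- inspect the pair")
```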
#### 1.2.2 Worm
Worms are self-replicating malware programs that can spread autonomously from computer to computer without requiring human intervention to propagate. Unlike viruses, worms do not need to attach themselves to existing programs.
**Impact of worms:**
* **System resource consumption:** Worms can replicate extensively, consuming significant system memory and network bandwidth, which can lead to severe performance degradation. This can cause web servers, network servers, and individual computers to become unresponsive.
* **Remote control:** Some worms are designed to create backdoors, allowing malicious users to gain remote control over the infected computer.
* **System slowdown:** The extensive replication and resource consumption by worms often result in the infected computer running extremely slowly.
#### 1.2.3 Trojan horse
A Trojan horse, often shortened to "Trojan," is a type of malware that disguises itself as legitimate or useful software. Upon installation or execution, it performs malicious actions without the user's knowledge.
**Functions of Trojan horses:**
* **System alteration:** They can change desktop configurations, add unwanted icons, or perform more destructive actions like deleting files and corrupting data.
* **Backdoor creation:** Trojans are notorious for creating backdoors on infected systems. These backdoors grant unauthorized access to malicious users, potentially compromising confidential or personal information.
* **Lack of self-replication:** Unlike viruses and worms, Trojan horses do not typically reproduce by infecting other files or self-replicate. Their spread relies on users being tricked into downloading and running them.
### 1.3 Symptoms of an infected computer
Several indicators can suggest that a computer may be infected with malware:
* The computer consistently runs slower than its normal performance.
* The system frequently stops responding or locks up.
* The computer crashes and restarts unexpectedly every few minutes.
* The computer restarts on its own and then fails to boot or run properly.
* Applications do not function as expected or fail to launch.
* Disks or disk drives become inaccessible.
* Printing operations do not work correctly.
* Unusual error messages appear on the screen.
* Menus and dialog boxes are distorted or appear incorrectly.
### 1.4 Protecting your computer
Implementing robust security measures is crucial for defending against malware:
* **Use antivirus software:** Employ up-to-date antivirus software and ensure it is regularly updated with the latest definitions.
* **Utilize an internet firewall:** A firewall acts as a barrier, preventing unauthorized access to and from your computer. Modern operating systems, such as Windows XP with Service Pack 2, often include a built-in, active firewall. Firewalls can be implemented as either hardware or software solutions.
* **Be cautious with email attachments:** Never open email attachments from unknown senders. Additionally, exercise caution even with attachments from known contacts, as their email accounts might be compromised, and they may be unaware that the attachment contains malware.
* **Keep software updated:** Regularly update all software applications, especially operating systems and productivity suites like Microsoft Office, as updates often include security patches that address vulnerabilities.
---
# Phases of malware operation
Malware progresses through distinct phases from its initial infiltration to its ultimate objective, typically involving disruption or data compromise. Understanding these phases is crucial for recognizing and defending against malicious software.
### 2.1 Dormancy phase
The dormancy phase is a strategic period where the malware remains inactive, designed to evade detection and build user trust. During this stage, the software does not perform any overtly malicious actions, allowing it to coexist on the system without immediate suspicion.
> **Tip:** The primary goal of the dormancy phase is to avoid triggering security measures and to remain undetected until conditions are favorable for activation.
### 2.2 Propagation phase
In the propagation phase, the malware focuses on replicating itself and spreading to other systems or locations. Crucially, during this phase, the malware's duplication occurs without actively causing damage to the infected system. This allows it to increase its reach and potential impact before the destructive phase begins.
### 2.3 Triggering phase
The triggering phase involves the activation of the malware's payload, initiating the malicious actions. This activation is typically contingent upon specific conditions being met. Common triggers include:
* **Date or time:** The malware may be programmed to activate on a particular date or at a specific time.
* **Number of replications:** Activation can occur after the malware has successfully duplicated itself a predetermined number of times.
* **Specific user actions:** Certain sequences of keystrokes or other user interactions can serve as triggers.
* **Environmental conditions:** The presence or absence of specific files, registry keys, or network connections can also initiate the payload.
### 2.4 Damaging phase
The damaging phase, often referred to as the payload execution phase, is where the malware achieves its destructive or disruptive objectives. This is the stage where the user experiences the full impact of the malicious software. Actions taken during this phase can vary widely and include:
* **Data destruction:** Deleting files, corrupting data, or rendering storage devices unusable.
* **System disruption:** Causing the computer to crash, freeze, or become unresponsive.
* **Information manipulation:** Transposing characters in data files, altering configurations, or displaying unwanted messages on the screen.
* **Resource consumption:** Overwhelming system memory, leading to slow performance or service unavailability, particularly for worms.
* **Remote access creation:** Establishing backdoors that allow unauthorized users to gain control of the compromised system and potentially steal sensitive information.
> **Example:** A Trojan horse might appear to be a legitimate software update (dormancy), then replicate itself to other accessible drives (propagation), activate when a specific banking website is visited (triggering), and finally record keystrokes to steal login credentials (damaging).
---
# Types and characteristics of malware
This section explores common forms of malicious software, detailing their distinct methods of propagation, behavior, and potential impact on computer systems.
### 3.1 Overview of malware
Malware, a portmanteau of "malicious" and "software," refers to any software designed to cause harm to a computer system without the owner's explicit consent. This broad category includes viruses, worms, Trojan horses, spyware, adware, and other harmful or unwanted programs.
Malware typically progresses through distinct phases:
* **Dormancy phase:** This phase is designed to build user trust and avoid early detection.
* **Propagation phase:** During this phase, the malware replicates itself without necessarily causing immediate damage.
* **Triggering phase:** The malware activates when specific conditions are met, such as a certain date, a particular number of replications, or a sequence of keystrokes.
* **Damaging phase:** This is the destructive phase where the malware carries out its intended harmful actions, which can include corrupting data, preventing file storage, altering data content, or displaying messages.
### 3.2 Common types of malware
#### 3.2.1 Viruses
A computer virus attaches itself to a program or file and spreads from one computer to another, infecting systems as it travels. A virus typically requires a human action, such as running or opening an infected program, to execute and spread.
**Virus categories include:**
* **Macro Viruses:** These viruses target application software, particularly those using macro languages like Microsoft Word and Excel.
* **Network Viruses:** These viruses multiply through shared resources, leveraging network connections to spread.
* **Logic Bombs:** Malicious code designed to activate only when specific predefined conditions are met.
* **Companion Viruses:** These viruses do not modify the original file but create a new file with the same name but a different extension. For example, creating a `.EXE` file alongside a `.COM` file.
* **Boot Sector Viruses:** These viruses infect the boot sector of a hard disk. Historically, they were widespread through floppy disks but are uncommon today.
* **Multipartite Viruses:** These viruses spread through infected media and often hide in the computer's memory. They can gradually move to infect the boot sector of the hard drive.
#### 3.2.2 Worms
Worms are designed to spread from computer to computer autonomously, without requiring human intervention. They possess the capability to replicate themselves within a system.
* **Behavior and Impact:** Worms consume excessive system memory, which can leave web servers, network servers, and individual computers unresponsive and significantly slows the infected computer. Some worms also allow malicious actors to gain remote control over infected systems.
#### 3.2.3 Trojan horses
A Trojan horse initially appears to be legitimate or useful software. However, once installed or run, it performs malicious actions.
* **Behavior and Impact:** Trojans can alter a user's desktop, add unwanted icons, or cause severe damage by deleting files and destroying system information. A significant characteristic of Trojans is their ability to create a "backdoor" on the infected computer. This backdoor grants unauthorized access to malicious users, potentially leading to the compromise of confidential or personal information.
* **Distinction from Viruses and Worms:** Unlike viruses and worms, Trojan horses do not reproduce by infecting other files or self-replicate.
### 3.3 Symptoms of an infected computer
Several indicators can suggest a computer may be infected with malware:
* Consistent reduction in system performance compared to normal operation.
* Frequent unresponsiveness or system lock-ups.
* Sudden crashes and restarts occurring at short intervals.
* Unplanned restarts followed by a failure to boot or run normally.
* Inability to access applications or data on disks.
* Incorrect printing functionality.
* Appearance of unusual error messages.
* Distorted menus and dialog boxes.
> **Tip:** Recognizing these symptoms is crucial for early detection and mitigation of malware threats.
### 3.4 How to protect your computer
Implementing robust security measures is essential to safeguard computer systems from malware:
* **Use the latest updates:** Ensure all operating systems and software are kept up-to-date with the latest security patches.
* **Utilize an Internet firewall:** Firewalls act as a barrier, preventing unauthorized access to and use of a computer. They can be implemented as hardware or software solutions.
* **Install and maintain antivirus software:** Use a reputable antivirus program and ensure its definitions are regularly updated to detect and remove the latest malware threats.
* **Exercise caution with email attachments:** Never open email attachments from unknown senders. Even if the sender is known, avoid opening attachments unless you are certain of their content, as the sender may be unaware the attachment contains malware.
* **Keep applications updated:** For users of Microsoft Office applications, it is advisable to keep them updated to patch potential vulnerabilities.
---
# Identifying and protecting against malware
This section details the common indicators of a malware infection on a computer and outlines essential protective measures, focusing on software updates and firewalls.
### 4.1 Symptoms of a malware infection
A computer infected with malware may exhibit several observable symptoms, often indicating a compromise in its normal operation. These signs suggest that malicious software is actively running and impacting the system's performance and integrity.
* **Performance degradation:** The computer consistently runs slower than its usual operational speed.
* **System instability:** The computer frequently stops responding (freezes) or unexpectedly restarts. This can occur every few minutes.
* **Application malfunction:** Software applications do not function as expected or may fail to launch altogether.
* **Accessibility issues:** Disks or disk drives become inaccessible, preventing users from accessing stored data.
* **Peripheral failures:** Devices like printers may not work correctly.
* **Unusual system messages:** The computer displays unexpected error messages.
* **Visual anomalies:** Menus and dialog boxes may appear distorted on the screen.
### 4.2 Protecting your computer from malware
Preventing malware infections is crucial for maintaining the security and functionality of computer systems. Implementing a layered approach to security, combining up-to-date software with vigilant user practices, is the most effective strategy.
#### 4.2.1 Software updates and antivirus
Keeping software up-to-date is a primary defense against malware, as updates often patch security vulnerabilities that malware exploits.
* **Antivirus software:** Utilize the latest versions of antivirus software and ensure they are regularly updated. Antivirus programs detect, quarantine, and remove known malware.
* **Application updates:** Keep all applications, especially those from Microsoft Office, updated. These applications can be targets for certain types of malware.
#### 4.2.2 Internet firewall
A firewall acts as a barrier between a computer system and external networks, controlling incoming and outgoing network traffic based on predetermined security rules.
* **Functionality:** Firewalls prevent unauthorized access and usage of your computer.
* **Types:** Firewalls can be implemented as either hardware devices or software applications.
* **Availability:** Note that operating systems like Windows XP with Service Pack 2 (SP2) often include a built-in firewall that is active by default.
> **Tip:** Always ensure your operating system and all installed software are configured to download and install updates automatically. This minimizes the window of vulnerability for known security flaws.
#### 4.2.3 Email security practices
Email remains a common vector for malware distribution, making cautious email handling essential.
* **Attachment caution:** Never open email attachments from unknown senders.
* **Known sender vigilance:** Even if an email is from someone you know, exercise caution with attachments. The sender might be unaware that their email has been compromised and contains a virus.
> **Example:** If you receive an unexpected email from a colleague containing a `.zip` file, it's best to verify the legitimacy of the attachment with them via a separate communication channel before opening it.
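The two attachment rules above (unknown sender: do not open; known sender: verify risky attachments out of band) as a triage script, added here as an example and not code from the slides. The contact list, the risk classes and the verdict strings are assumptions, and the sample message is built inline.

```python
"""Email attachment triage (added example; not code from the slides).

Rules from the page as code: attachments from unknown senders are rejected;
attachments from known senders that are executables, macro-capable Office
files or archives are held until the sender confirms them out of band. The
contact list, risk classes and verdict strings are assumptions for the demo.
"""
import posixpath
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

KNOWN_SENDERS = {"alice@example.com"}  # assumed address book
# Risk classes drawn from the page: programs, macro-hosting Office files, archives
DIRECT_EXECUTABLE = {".exe", ".com", ".bat", ".scr", ".vbs", ".js"}
MACRO_CAPABLE = {".doc", ".xls", ".docm", ".xlsm", ".dotm"}
ARCHIVE = {".zip", ".rar", ".7z"}


def classify_attachment(filename):
    """Label an attachment by every extension in its name, so a disguised
    double extension such as 'report.pdf.exe' is still caught."""
    name = posixpath.basename((filename or "").replace("\\", "/")).lower()
    exts = {"." + part for part in name.split(".")[1:]}
    if exts & DIRECT_EXECUTABLE:
        return "executable"
    if exts & MACRO_CAPABLE:
        return "macro-capable"
    if exts & ARCHIVE:
        return "archive"
    return "document"


def triage(raw_bytes):
    """Return [(filename, risk, verdict)] for each attachment in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        risk = classify_attachment(fname)
        if sender not in KNOWN_SENDERS:
            verdict = "do-not-open: unknown sender"
        elif risk == "document":
            verdict = "ok"
        else:
            verdict = "verify-with-sender-out-of-band"
        results.append((fname, risk, verdict))
    return results


def build_demo_message(sender, attachments):
    """Constructed sample message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Files"
    msg.set_content("See attached.")
    for fname, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Call `triage(build_demo_message("alice@example.com", [("report.pdf.exe", b"MZ")]))` to run it on a constructed sample; a real mailbox message in raw bytes works the same way.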
---
## Glossary
| Term | Definition |
|------|------------|
| Malware | Software designed to harm a computer system without the owner's explicit consent. It is a portmanteau of "malicious" and "software" and encompasses a broad category of harmful programs. |
| Computer Virus | A type of malware that attaches itself to an executable file or program. It spreads by replicating itself when the infected program is run, and can infect other files or computers. |
| Worm | A standalone malware program that replicates itself to spread to other computers, often through networks. Unlike viruses, worms do not require human action to spread and can consume significant system resources. |
| Trojan Horse | Malware that disguises itself as legitimate or useful software. Once installed or executed, it performs malicious actions, such as deleting files, stealing data, or creating backdoors for remote access. |
| Spyware | Software that secretly monitors and collects information about a user's activities on a computer without their knowledge or consent. This information can include browsing habits, keystrokes, and personal data. |
| Adware | Software that displays unwanted advertisements, often in the form of pop-ups or banners. While sometimes bundled with legitimate software, excessive or intrusive adware can be considered malware. |
| Dormancy phase | The initial stage of malware where it remains inactive, often to build trust with the user or to avoid immediate detection. This phase is critical for setting up the subsequent stages of infection. |
| Propagation phase | The stage during which malware duplicates itself and spreads to other systems or files without necessarily causing damage. This is a key mechanism for the malware's expansion. |
| Triggering phase | The point at which malware becomes active and initiates its malicious payload. This can be activated by specific events, such as a predetermined date, a certain number of replications, or a user's action. |
| Damaging phase | The final stage of malware where it performs its intended destructive actions. This can include deleting files, corrupting data, or rendering the computer system unusable. |
| Macro Virus | A type of virus that infects applications that use macros, such as Microsoft Word or Excel. It operates by embedding malicious code within the macro functionality of these applications. |
| Logic Bomb | Malicious code designed to be embedded within software and activated only when specific predefined conditions are met. If these conditions are not satisfied, the code remains dormant. |
| Boot sector Virus | A virus that infects the boot sector of a hard disk or other storage media. It can interfere with the computer's startup process, making the system unbootable. |
| Multipartite Virus | A complex type of virus that can infect both the boot sector and executable files. These viruses often spread through infected media and can reside in both memory and on disk. |
| Internet Firewall | A security system, either hardware or software-based, designed to monitor and control incoming and outgoing network traffic. It acts as a barrier between a trusted internal network and untrusted external networks, preventing unauthorized access. |