Unit 5: Malware
Malware, OS Hardening, Tools,
Firewall, Digital Signature
Explanation of Malware
• Malware = Malicious Software
• Malware (Malicious Software) refers to
any software that is intentionally designed
to cause damage to a computer, server,
client, or network.
Malware can:
• Steal data
• Spy on users
• Encrypt or destroy files
• Take control of a device
• Disable functions or systems
Types of Malware
A. Virus
• Definition: A computer virus is a type of
malicious code or program that attaches itself
to a clean file or program, replicates itself,
and spreads to other programs or systems.
• Characteristics:
• Needs human action (like opening a file or
running a program) to activate.
• Cannot self-replicate independently.
• Often hidden inside executable files (.exe, .bat, .com).
• Common Behaviors:
• Corrupting files or applications.
• Slowing down system performance.
• Crashing or freezing devices.
• Displaying unwanted messages.
• Real Example: Melissa Virus (1999) – Spread through email attachments and slowed down Microsoft Outlook servers.
• Prevention & Removal:
• Use reliable antivirus software.
• Do not open suspicious attachments or links.
• Keep software and OS updated.
• Regular backups.
Worm
• Definition: A worm is a type of malware that is
self-replicating and can spread without any human
intervention or the need for a host file.
• Characteristics:
• Exploits vulnerabilities in software or operating
systems.
• Often spreads through network connections, email, or
messaging platforms.
• Once inside, it copies itself to other systems.
Common Behaviors:
• Consumes network bandwidth.
• Causes systems to slow down or crash.
• Opens backdoors for other malware.
Real Example: WannaCry Ransomware Worm (2017) – Exploited a Windows vulnerability and infected hundreds of thousands of machines globally.
Trojan Horse
• Definition: A Trojan is a type of malware that disguises
itself as legitimate software to trick users into
installing it. Once installed, it can steal data or install
more malware.
• Characteristics:
• Relies heavily on social engineering (tricking the user).
• Does not replicate itself.
• Often used as a “carrier” for more dangerous malware
(like keyloggers, spyware, or ransomware).
• Common Behaviors:
• Steals login credentials or financial data.
• Installs backdoors for remote control.
• Turns a system into part of a botnet.
• Tracks user activity.
Real Example: Zeus Trojan – Used to steal banking
credentials from millions of users.
Prevention & Removal:
• Avoid downloading unknown software or pirated
content.
• Use antivirus with behavior monitoring.
• Be cautious with email attachments and links.
Rootkit
• Definition: A rootkit is a collection of software tools that
enable unauthorized access to a computer, usually at
the root or administrative level, and conceal the
presence of other malware.
• Characteristics:
• Designed to remain hidden from users and antivirus
programs.
• Can operate at kernel level (deep within the operating
system).
• Often paired with other malware to maintain
persistence.
Common Behaviors:
• Hides malicious files, registry entries, or processes.
• Disables security software or system logs.
• Provides long-term remote access to attackers.
Real Example: Sony BMG Rootkit Scandal (2005) – Sony
included a rootkit in music CDs to prevent copying, which
unintentionally created a security vulnerability.
Prevention & Removal:
• Use specialized rootkit detection tools (e.g., GMER,
TDSSKiller).
• Regular system scans and integrity checks.
• Reinstallation of OS in severe cases.
Adware
• Definition: Adware is software that automatically
displays or downloads advertisements, often without
the user's consent.
• Characteristics:
• Usually bundled with free software.
• Displays pop-ups, banners, or redirects web searches.
• Not always harmful but invasive and annoying.
• Common Behaviors:
• Slows down browser performance.
• Tracks user activity for targeted ads.
• May lead to more dangerous malware (malvertising).
Spyware
• Definition: Spyware is a type of malware that secretly
monitors user activity and collects information without
permission.
• Characteristics:
• Often runs silently in the background.
• Captures browsing history, keystrokes, passwords,
etc.
• May be part of a Trojan or fake software.
• Common Behaviors:
• Records sensitive data (keystroke logging).
• Sends data to third parties.
• Slows system performance.
Ransomware
Definition: Ransomware locks or encrypts a user’s data
and demands a ransom payment (usually in
cryptocurrency) to restore access.
Characteristics:
• Often spreads via phishing emails or drive-by
downloads.
• Encrypts files, folders, or entire systems.
• Shows a ransom note demanding payment.
Common Behaviors:
• Locks users out of their data or systems.
• Threatens permanent data loss if ransom isn’t paid.
Zombies / Botnets
Definition:
• A Zombie is a computer infected with malware and
controlled remotely without the user’s knowledge.
• A Botnet (short for Robot Network) is a network of
zombie computers controlled by an attacker
(botmaster).
Characteristics:
• Used in DDoS attacks, spam distribution, and crypto
mining.
• Often infected via Trojans or worms.
• Hard to detect because they operate silently.
Common Behaviors:
• Sends spam or malware to others.
• Participates in large-scale attacks.
• Uses up system and internet resources.
Robots / Bots (Malicious Bots)
• Definition: In this context, bots are automated software
programs that perform repetitive tasks. While some bots
are legitimate (e.g., search engine crawlers), malicious
bots are used for harmful purposes.
• Malicious Bots Can:
• Scrape content from websites illegally.
• Try brute-force attacks to guess passwords.
• Perform click fraud.
• Spread spam or malware.
• Difference from Zombies:
• Bots: Refers more to the software doing the task.
• Zombies: Refers to infected machines controlled by
bots.
OS Hardening
OS Hardening is the process of securing an operating
system by reducing its surface of vulnerability.
This is done by:
• Removing unnecessary software and services,
• Configuring system settings securely,
• Applying updates and patches,
• Enforcing strong user policies and permissions.
The goal is to minimize potential entry points for attackers
and protect the system from malware, exploitation, or
unauthorized access.
Why is OS Hardening Important?
• Prevents unauthorized access to system resources.
• Reduces attack vectors for malware and hackers.
• Ensures compliance with security standards (e.g., ISO,
NIST).
• Protects sensitive data from breaches.
• Increases overall system reliability and performance.
Process management hardening
• Process management hardening is a part of system hardening, which involves securing a computer system by reducing its attack surface.
• Process management hardening means tightening the
control over how processes are created, managed, and
monitored, reducing the risk of unauthorized or malicious
activity.
Key strategies:
• Ensure processes run with the minimum privileges they
need.
• Avoid running services as root/administrator unless
absolutely necessary.
• Reduce the number of running processes to minimize
attack vectors.
• Review what starts on boot.
• Allow only approved processes to run.
• Limit what resources a process can consume.
• Vulnerable processes can be exploited, so keep all
software updated.
Memory management hardening
• Memory management hardening refers to techniques and strategies used to make a system more robust and secure by reducing vulnerabilities related to memory usage.
• This is especially important in systems programming (like
OS or embedded development), application security, and
even high-level language runtimes.
• Memory-safe languages such as Rust, Go, or Swift help eliminate whole classes of memory bugs (e.g., buffer overflows, use-after-free) by design.
Common memory vulnerabilities include:
• Buffer overflows
• Use-after-free
• Memory leaks
Task management hardening
• Task management hardening refers to strengthening or securing task management practices, systems, or tools.
Security Hardening for Task Management Systems:
• Access Control: Implement role-based access, enforce least
privilege.
• MFA (Multi-Factor Authentication): Ensure all users enable
MFA.
• Audit Logging: Track who created, modified, or deleted tasks.
• Data Encryption: Ensure data is encrypted in transit and at
rest.
• Backups & Recovery: Regular backups of task data to
recover from breaches or outages.
• Third-Party Integrations: Review and limit integrations with
other tools or APIs.
Windows Registry / Services and Other Configuration
The Windows Registry is a central database where
Windows stores configuration settings and options for:
• The operating system
• Installed programs
• Hardware devices
• User preferences
It’s organized like a tree structure, with keys and values.
Examples of what the Registry controls:
• Startup programs
• File associations (what opens a .txt file)
• User settings (wallpaper, screensaver)
Windows Services
Windows Services are background programs that
run without user interaction. They often start automatically
with Windows and perform essential tasks.
Examples:
• Windows Update – keeps your system updated
• Print Spooler – manages printing
• Task Scheduler – runs scheduled tasks
Malware Analysis
Malware Analysis is the process of studying malicious
software (malware) to understand:
• What it does
• How it works
• How to detect it
• How to remove or defend against it
This helps cybersecurity professionals respond to threats,
create antivirus signatures, and improve system defenses.
Goals of Malware Analysis
1. Identify the behavior: Does it steal data? Install
backdoors? Spread to other systems?
2. Understand how it runs: What files, registry keys,
services, or scheduled tasks does it create?
3. Detect and classify: Determine if it’s a trojan,
worm, ransomware, etc.
4. Create protection: Make antivirus signatures or
detection rules.
Open Source / Free / Trial Tools
• Antivirus: Avast, AVG, Defender, ClamAV
• Anti-Spywares: Malwarebytes, Spybot
• System Tuning: CCleaner, Glary Utilities
• Anti-Phishing: PhishTank, Netcraft,
browser tools
Firewall
A firewall is a network security device or software that monitors and filters incoming and outgoing network traffic based on predefined security rules. Put another way, a firewall is a security system, either hardware, software, or both, designed to prevent unauthorized access to or from a private network.
It acts as a barrier between trusted internal networks and
untrusted external networks like the internet.
Firewalls use predefined rules to inspect, allow, or block
network traffic.
Objectives of a Firewall
• Block unauthorized access.
• Allow legitimate communication
• Control traffic based on security rules
• Protect against external threats (e.g., hackers, worms,
viruses)
• Enforce access control policies
• Enable network segmentation
• Log traffic for monitoring and auditing
Types of Firewall
Packet Filters
Packet filtering is a technique that controls network access by inspecting each incoming and outgoing packet on its own and allowing or dropping it based on the source and destination Internet Protocol (IP) addresses, protocol, and ports. Because it keeps no memory of earlier packets, this type is also known as a static (stateless) firewall.
Stateful Inspection Firewalls
This is also a form of packet filtering that controls how data packets move through the firewall, and it is also called dynamic packet filtering. A stateful firewall tracks active sessions and checks whether each packet belongs to an established session. It permits the communication only if the session has been properly established between the two endpoints; otherwise it blocks the traffic.
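As an added example (not from the slides), here is a small Python simulation of the two models just described: a static packet filter that judges each packet alone, and a stateful firewall that remembers sessions and so can admit the reply to a connection the LAN opened. The addresses, ports and packets are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the internet, "out" = leaving the LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True only for a TCP connection-opening packet

WEB_SERVER = ("203.0.113.10", 80)   # constructed: the one service exposed inbound

def static_filter(pkt: Packet) -> bool:
    """Static (stateless) filter: judges every packet in isolation by address/port only."""
    if pkt.direction == "out":
        return True
    return (pkt.dst_ip, pkt.dst_port) == WEB_SERVER

class StatefulFirewall:
    """Stateful inspection: admits an inbound packet only if it opens the allowed
    service or belongs to a session that was already established."""
    def __init__(self) -> None:
        self.sessions = set()   # entries: (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn:         # a LAN host opens a new session: remember it
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        if pkt.syn and (pkt.dst_ip, pkt.dst_port) == WEB_SERVER:
            self.sessions.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return True
        # Any other inbound packet must be a reply inside a session we already know.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions

def firewall_demo() -> dict:
    """Constructed traffic: a LAN client connects out, the reply comes back,
    and an unrelated host probes the client's port directly."""
    fw = StatefulFirewall()
    out_syn = Packet("out", "192.0.2.5", 50000, "198.51.100.7", 443, syn=True)
    reply = Packet("in", "198.51.100.7", 443, "192.0.2.5", 50000)
    probe = Packet("in", "198.51.100.99", 443, "192.0.2.5", 50000, syn=True)
    fw.filter(out_syn)
    return {
        "static_reply": static_filter(reply),   # False: static rules know nothing of the session
        "stateful_reply": fw.filter(reply),     # True: matches the session the client opened
        "static_probe": static_filter(probe),   # False
        "stateful_probe": fw.filter(probe),     # False: no such session exists
    }
```

The static filter can only admit the client's reply by opening every high port inbound, which is exactly the gap stateful inspection closes.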
Application Layer Firewalls
These firewalls examine application-layer (OSI layer 7) information such as an HTTP request. If the traffic belongs to a suspicious application, or to one that is not considered safe for the network, it is blocked immediately.
Next-generation Firewalls
These firewalls are often called intelligent firewalls. They can perform all the tasks of the other firewall types and add features such as application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
Digital Signature
A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. Its key components are the following.
1. Key Generation Algorithms: Digital signatures are electronic signatures that assure the message was sent by a particular sender. When performing digital transactions, authenticity and integrity must be assured; otherwise the data can be altered, or someone can act as if they were the sender and expect a reply.
2. Signing Algorithms: To create a digital signature, the signing software (for example, an email program) first computes a one-way hash of the electronic data to be signed.
• The signing algorithm then encrypts the hash value using the private key (signature key).
• This encrypted hash, together with other information such as the name of the hashing algorithm, is the digital signature.
• The digital signature is appended to the data and sent to the verifier. The hash is signed instead of the entire message or document because a hash function converts any arbitrary input into a much shorter fixed-length value. This saves time: instead of signing a long message, only a short hash value has to be signed, and hashing is much faster than signing.
3. Signature Verification Algorithms: The verifier receives the digital signature along with the data.
• It uses a verification algorithm to process the digital signature with the public key (verification key), which yields a value.
• It also applies the same hash function to the received data to produce a hash value.
• If the two values are equal, the digital signature is valid; otherwise it is invalid.
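Added example, not from the slides: the three steps above carried through in Python with a constructed toy RSA key pair (hash with SHA-256, apply the private exponent to the hash, verify with the public exponent). The primes, the message and the reduction of the hash mod N are constructed for illustration; real schemes use much larger keys and pad the digest instead.

```python
import hashlib

# Constructed toy RSA key pair. The primes are tiny so the numbers stay readable;
# real keys use primes of 1024+ bits each. Python 3.8+ is needed for pow(e, -1, m).
P, Q = 1000003, 1000033
N = P * Q                               # public modulus
E = 65537                               # public exponent (verification key)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (signature key)

def hash_to_int(data: bytes) -> int:
    """One-way hash of the data as an integer below the modulus.
    Real schemes pad the digest to the modulus size (PKCS#1 v1.5 or PSS)
    instead of this toy reduction mod N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, private_exp: int = D) -> int:
    """Signing algorithm: hash the data, then apply the private key to the hash.
    Only the short fixed-length hash goes through the slow modular exponentiation."""
    return pow(hash_to_int(data), private_exp, N)

def verify(data: bytes, signature: int, public_exp: int = E) -> bool:
    """Verification algorithm: apply the public key to the signature to recover the
    signed hash, re-hash the received data, and compare the two values."""
    return pow(signature, public_exp, N) == hash_to_int(data)

def signature_demo() -> dict:
    """Constructed message: the signer signs it; the verifier checks the original,
    a tampered copy, and a corrupted signature."""
    message = b"Transfer 100 to Bob"
    signature = sign(message)
    return {
        "original_ok": verify(message, signature),                   # True
        "tampered_ok": verify(b"Transfer 900 to Bob", signature),    # False
        "corrupted_ok": verify(message, signature ^ 1),              # False
    }
```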