
REVIEW OF RELATED LITERATURE

“The Level of Awareness and Prevention on Malware as Viewed by CPG Students in UMAK”
Malware is malicious software built specifically to attack mobile phone or smartphone systems; the term covers botnets, worms, and Trojan horses. Early malware mainly exposed security vulnerabilities in software systems, but the motivations behind it gradually changed, and its authors now use malware for financial gain on a much larger scale. Malware aimed at Android smartphones alone grew 76% over a period of a few months, threatening Android security, and other platforms are also coming under attack. In addition to malware, the other two major categories of threats to mobile devices are personal spyware and grayware. Personal spyware collects information such as the user's location, SMS messages, and call history without the victim's knowledge. It cannot simply be labelled illegal, because it does not send the information to the application's author, but installing personal spyware on a phone without the device owner's consent could be considered unethical.

Malware is a general term covering viruses, Trojans, spyware and other intrusive code, and it is widespread today. Malware analysis is a multi-step process that provides insight into malware structure and functionality and so supports the development of remedies. Christodorescu et al. (2005) described a malware instance as a program whose objective is malevolent. McGraw and Morrisett (2000) defined malicious code as "any code added, changed, or removed from a software system in order to intentionally cause harm or subvert the intended function of the system." Vasudevan and Yerraballi (2006) described malware as "a generic term that encompasses viruses, trojans, spywares and other intrusive code." Aycock (2006) defined malware as "software whose intent is malicious, or whose effect is malicious". The term "malware" is used here as the generic name for the class of malicious code, including viruses, trojans, worms, and spyware. Malware authors use generators, incorporate libraries, and borrow code from others; there exists a robust network for exchange, and some malware authors take time to read and understand prior approaches (Arief and Besnard, 2003). Fred Cohen's original definition of a computer virus, from 1983, was "a program that can 'infect' other programs by modifying them to include a possibly evolved copy of itself." He updated this definition a year later, in 1984, in his paper "Computer Viruses – Theory and Experiments". According to BBC News Online (2004), malware is a general term for a piece of software inserted into an information system to cause harm to that system or to other systems, or to subvert them for use other than that intended by their owners. Skoudis and Zeltser (2003) describe malware as a set of instructions that run on your computer and make your system do something that an attacker wants it to do. (Source: Aparna Verma et al., A Literature Review on Malware and Its Analysis, Int J Cur Res Rev, Aug 2013, Vol 05 (16), p. 72.)

The term "computer virus" was first used in a science fiction novel (Gerrold, 1972), which describes a fictional self-replicating program called VIRUS. The first academic use of the term is credited to Cohen (1983); the first published account followed a year later (Cohen, 1984) in his paper on experiments with computer viruses. Although Cohen coined the term, earlier accounts of viruses exist: according to Ferbrache (1992), the first reported incidents of true viruses were in 1981 and 1982 on the Apple II, and Elk Cloner (1982) is considered the first documented example. The first PC virus was a boot sector virus called Brain, in 1986 (Hoffman, 1990). Worms also owe their existence to science fiction: Brunner's (1975) The Shockwave Rider introduced the worm, a program that propagates itself across a computer network, and Shoch and Hupp (1982) claimed the first academic use of the term. Much has been written about viruses, worms, trojans and other malware since then, but the focus now shifts from fiction to the real world, where both malware and anti-malware are large commercial industries (Gutmann, 2007).

Malware is growing increasingly sophisticated, and its authors seek to make their tools undetectable: virtually every known offensive technique has been incorporated into malware to make it harder to defend against. Authors often deliver several components in a single payload. These can include kernel-level drivers designed to hide the presence of the malware, and client and server components that provide proxy services through an infected computer. One technique for embedding such components within Windows malware is to store them in the resource sections of the Windows binary. Malware may also create its own installation directory deep within the program installation hierarchy in an attempt to hide from curious users.

Various techniques also exist to prevent installed antivirus programs from detecting a newly infected computer. A crude but effective method is to modify the system's hosts file, a simple text file that maps hostnames to IP addresses, and add entries for the hosts used for antivirus updates so that they resolve to a wrong address. The modifications go so far as to insert a large number of carriage returns after the existing entries before appending the malicious ones, in the hope that a casual observer will not scroll down and notice them. By causing antivirus updates to fail, new generations of malware can go undetected for long periods. Malware authors are also increasingly turning to rootkit techniques to hide the presence of their malware.

Most malware takes steps to ensure that it continues to run after a system restart. The most basic form of persistence is adding commands to system start-up scripts that execute the malware. On Windows this evolved into specific registry modifications (for example the Run keys) that achieve the same effect. Other registry manipulations install malware components as extensions of commonly used software such as Windows Explorer or Internet Explorer. More recently, malware has taken to installing itself as an operating system service or device driver so that its components operate at kernel level and are launched at system start-up.
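The hosts-file trick described above is easy to check for mechanically. The following Python script is an added example, not code from the original page or from any cited work; the antivirus update hostnames, the sample file contents and the padding threshold are all constructed for illustration. It parses a hosts file, reports any long run of blank lines, and flags protected hostnames that have been redirected to a sink-hole or a foreign address.

```python
import ipaddress

# Constructed sample: a normal Windows hosts file header and entries, then
# 200 blank lines of padding, then appended entries that sink antivirus
# update hosts. The vendor names are illustrative placeholders.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\r\n" * 200
    + "127.0.0.1  update.example-av.com\n"
    "0.0.0.0    liveupdate.example-av.com\n"
    "10.0.0.5   definitions.example-av.net\n"
)

# Hostname suffixes the organisation treats as security-critical (assumed).
PROTECTED_SUFFIXES = ("example-av.com", "example-av.net")
# Addresses commonly used to black-hole a name.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (entries, longest_blank_run).

    entries is a list of (line_no, ip, [hostnames]); comment lines are
    skipped, malformed lines are ignored, and consecutive blank lines are
    counted so that padding can be reported.
    """
    entries = []
    blank_run = longest_blank_run = 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            blank_run += 1
            longest_blank_run = max(longest_blank_run, blank_run)
            continue
        blank_run = 0
        if stripped.startswith("#"):
            continue
        fields = stripped.split("#", 1)[0].split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not "<ip> <name...>", ignore for this check
        entries.append((line_no, fields[0], fields[1:]))
    return entries, longest_blank_run


def check_hosts(text, protected=PROTECTED_SUFFIXES, blank_threshold=20):
    """Return a list of human-readable findings for a hosts file."""
    entries, longest_blank_run = parse_hosts(text)
    findings = []
    if longest_blank_run >= blank_threshold:
        findings.append(f"padding: {longest_blank_run} consecutive blank lines")
    for line_no, ip, names in entries:
        for name in names:
            if name == "localhost":
                continue
            if name.endswith(protected):
                how = "sinkholed" if ip in SINKHOLE_ADDRS else "redirected"
                findings.append(f"line {line_no}: {name} {how} to {ip}")
    return findings


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real system the text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and the protected suffix list from the vendors actually deployed; the blank-line count is what exposes the padding trick even when the appended entries point at a plausible-looking address.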

This section reviews related work in malware analysis; many new and powerful analysis methods and techniques have been reported in the literature. Distler used static and dynamic analysis together for malware analysis, while Ari analysed malware with reverse engineering techniques using the APT1 "Biscuit" sample, and Flores did the same with Win32.Kryptic. Daoud et al. studied the techniques malware uses to avoid antivirus detection, and Uppal et al. focused on the techniques and tools used in malware analysis. Most of the literature encountered during this research focused either on static analysis or on techniques for analysing malware without running it directly; by contrast, the approach followed here combines the two methods, static and dynamic analysis, to obtain more detailed information about the characteristics of a malware sample (Kruegel et al.; Tang Yanjun et al.).

According to Park, the traditional approach to the detection of malicious code is signature matching of varying complexity. A signature can be a sequence of bytes that identifies pieces of data or code of the malicious program, or even a complex algorithm that tests whether a particular program satisfies certain properties. The advantage of sophisticated detection methods is that signatures become more generic, so a single signature can detect multiple variants of the same family. On the other hand, from the remediation point of view, excessively generic signatures do not distinguish variants; if individual variants cannot be told apart, the remediation procedure cannot take variant-specific behaviour into account and cannot perform a complete cleanup (Nazario and Holz). Purely signature-based approaches showed their weaknesses when packed, polymorphic and metamorphic malware appeared, and the research community moved toward behaviour-based solutions. Behaviour-based detection (Lorenzo et al.) and analysis (Andreas, Christopher et al.) do not focus on the syntactic structure of the analysed program but try to capture its semantics. Because these solutions observe a concrete execution of the malicious sample, they can support much more accurate remediation procedures. Kolbitsch et al. proposed an effective and efficient malware detection method that can be used on the end host, replacing or complementing traditional antivirus software. The method is based on fine-grained models obtained by executing the malware in a controlled environment and monitoring its interactions with operating system resources; detection is done by matching the extracted behaviour models against the runtime behaviour of unknown programs.
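To make the signature discussion concrete, the following Python block is an added example, not the work of Park or any author cited here. It scans constructed byte buffers (three notional variants of one family, the third XOR-"packed" with a one-byte key) with an exact per-variant signature and a generic wildcard signature. It shows the trade-off described above: the generic signature catches both unpacked variants but cannot tell them apart, and neither kind of signature sees the packed variant until it is unpacked (here by reversing the trivial XOR, standing in for the emulation or dynamic analysis a real engine would need).

```python
import re

# Constructed samples: three "variants" of one family. A and B differ only in
# an immediate operand (b8 01.. vs b8 02..); C is A XOR-encoded with a
# one-byte key, the simplest possible packer. None is a real malware sample.
VARIANT_A = bytes.fromhex("4d5a9000 e800000000 b801000000 ffd0 cc")
VARIANT_B = bytes.fromhex("4d5a9000 e800000000 b802000000 ffd0 cc")
XOR_KEY = 0x5A
VARIANT_C = bytes(b ^ XOR_KEY for b in VARIANT_A)

# Signature database: (name, byte regex). Exact signatures are escaped
# literals; the generic one replaces the variable operand byte with ".".
# re.DOTALL makes "." match any byte, including 0x0a.
SIGNATURES = [
    ("Family.A", re.compile(re.escape(b"\xb8\x01\x00\x00\x00\xff\xd0"), re.DOTALL)),
    ("Family.B", re.compile(re.escape(b"\xb8\x02\x00\x00\x00\xff\xd0"), re.DOTALL)),
    ("Family.gen", re.compile(b"\xb8.\x00\x00\x00\xff\xd0", re.DOTALL)),
]


def scan(buf, signatures=SIGNATURES):
    """Return the names of all signatures found in buf, in database order."""
    return [name for name, pattern in signatures if pattern.search(buf)]


def xor_unpack(buf, key):
    """Undo the toy one-byte XOR packer (stand-in for real unpacking)."""
    return bytes(b ^ key for b in buf)


def classify(buf):
    """Static scan first; if nothing matches, scan the unpacked image.

    Returns (matches, unpacked): unpacked tells the caller that the verdict
    came from the unpacked image rather than from the bytes on disk.
    """
    hits = scan(buf)
    if hits:
        return hits, False
    return scan(xor_unpack(buf, XOR_KEY)), True


if __name__ == "__main__":
    for label, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)):
        print(label, classify(sample))
```

With only Family.gen in the database both A and B produce the same verdict, which is exactly the remediation problem the text raises; a real packer would also require the emulation or sandbox execution discussed later rather than a known XOR key.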

TYPES OF THREAT
The mobile threat model used here distinguishes three types of threat: malware, personal spyware, and grayware. They are distinguished by their distribution method, legality, and the notice given to the user. This paper focuses specifically on malware; personal spyware and grayware use different attack vectors, have different motivations, and require different defence mechanisms.
Grayware (greyware) refers to software or code that falls in the "grey area" between ordinary software and a virus. It is an umbrella term for other malicious or annoying software such as adware, spyware, trackware, and other malicious code and shareware.
Spyware is a type of malware installed on a computer without the user's knowledge in order to collect information about them. It can pose a security risk to the user, but more frequently it degrades system performance by consuming processing power, installing additional software, or redirecting the user's browser activity. Anti-spyware is software designed to detect and remove unwanted spyware programs.

Types of Malware
This section gives a brief overview of the different classes of malware programs that have been observed in the wild (source: Literature Analysis on Malware Detection, p. 719).

Viruses:
A computer virus is a small program with harmful intent and the ability to replicate itself by attaching to other files. When an infected file is run, the virus code is executed. A virus may spread from an infected computer to others through the network or through corrupted media such as floppy disks and USB drives.

Worms:
Worms are self-replicating programs that use the network to send copies of themselves to other systems invisibly and without user authorisation. Worms may harm a network by consuming bandwidth. Unlike a virus, a worm does not need a host file. It might delete files, encrypt files in a cryptoviral extortion attack, or send junk e-mail. Examples: Sasser, MyDoom, Blaster, Melissa.

Spyware:
Spyware is a collective term for software that monitors and gathers personal information about the user, such as frequently visited pages, e-mail addresses, credit card numbers, and keys pressed by the user. It generally enters a system when free or trial software is downloaded.

Adware:
Adware, or advertising-supported software, automatically plays, displays, or downloads advertisements to a computer after malicious software is installed or an application is used. This code is generally embedded in free software; the most common carriers are free games and peer-to-peer clients such as KaZaA and BearShare [4].

Trojans:
A Trojan horse imitates the behaviour of a legitimate program, such as a login shell, and hijacks the user's password to gain remote control of the system. Other malicious activities may include monitoring the system, damaging resources such as files or disk data, and denying specific services [4].

Specification-based malware detection

Specification-based detection uses a rule set describing what is considered normal, and judges a program malicious when it violates that predefined rule set. Within this approach a detection algorithm was developed that addresses the deficiencies of pattern matching (Christodorescu et al.): it incorporates instruction semantics to detect malware instances and is more resilient to common obfuscation techniques. It uses a template T to describe the malicious behaviour of a malware family as a sequence of instructions expressed over variables and special symbolic constants. The limitation of this approach is that the behaviour of a program cannot always be specified accurately. Specification-based detection is a derivative of anomaly-based detection: instead of approximating the implementation of a system or application, it approximates the requirements of the application or system. A specification-based system therefore has a training phase that attempts to learn all valid behaviour of the program or system to be inspected, and its main constraint is that it is very hard to specify that behaviour accurately. One such tool is Panorama, which captures the system-wide information flow of the program under inspection and checks the observed behaviour against a set of rules to detect malicious activity.
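As an added example (not Panorama's code or that of any author cited here) of a specification written as a rule set and checked against observed behaviour, the Python block below encodes two rules as a small security automaton over a trace of (operation, argument) events: no network send once a sensitive file has been read, and no write to an autostart location at all. The traces, path patterns and operation names are constructed for the illustration; a real monitor would obtain the events from system-call or API instrumentation.

```python
import re

# Constructed event traces, in the shape a coarse-grained system-call or API
# monitor might emit: (operation, argument). None comes from a real sample.
BENIGN_TRACE = [
    ("open_read", "/home/user/notes.txt"),
    ("connect", "203.0.113.10:443"),
    ("send", "203.0.113.10:443"),
    ("open_write", "/home/user/out.txt"),
]
EXFIL_TRACE = [
    ("open_read", "/home/user/.ssh/id_rsa"),
    ("connect", "198.51.100.7:8080"),
    ("send", "198.51.100.7:8080"),
]
PERSIST_TRACE = [
    ("open_write", r"C:\Users\u\AppData\Roaming\Microsoft\Windows"
                   r"\Start Menu\Programs\Startup\updater.exe"),
    ("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
]

# The specification: what counts as sensitive input, and which locations
# confer persistence. Both patterns are assumptions for the example.
SENSITIVE = re.compile(r"(^/etc/|/\.ssh/|\.(key|pem)$)")
AUTOSTART = re.compile(r"(CurrentVersion\\Run\b|\\Startup\\)", re.IGNORECASE)


class SecurityAutomaton:
    """Finite-state specification of permitted behaviour.

    States: 'clean' until a sensitive file is read, then 'tainted'.
    A 'send' in state 'tainted' violates rule 1; a write to an autostart
    location violates rule 2 in any state. The automaton does not abort
    on the first violation; it records each one so all can be reported.
    """

    def __init__(self):
        self.state = "clean"
        self.violations = []

    def step(self, op, arg):
        if op == "open_read" and SENSITIVE.search(arg):
            self.state = "tainted"
        elif op == "send" and self.state == "tainted":
            self.violations.append(f"rule 1: send after sensitive read -> {arg}")
        if op in ("open_write", "reg_set") and AUTOSTART.search(arg):
            self.violations.append(f"rule 2: autostart persistence -> {arg}")
        return self.state


def check_trace(trace):
    """Run the specification over a trace; an empty list means conformant."""
    automaton = SecurityAutomaton()
    for op, arg in trace:
        automaton.step(op, arg)
    return automaton.violations


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("exfil", EXFIL_TRACE),
                        ("persist", PERSIST_TRACE)):
        print(name, check_trace(trace) or "conformant")
```

The weakness the text names is visible here too: the automaton only knows the paths and operations written into its patterns, so a program that reads the key through a symlink or persists via a scheduled task passes as conformant until the specification is extended.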

Malware analysis is a multi-step process providing insight into malware structure and functionality. Behaviour monitoring, an important step in the analysis process, is used to observe the malware's interaction with the system and is achieved through dynamic coarse-grained binary instrumentation of the target system. The initial examination of collected malware is called profiling (Aquilina et al., 2008). Data-flow analysis examines the way data is moved and changed throughout the execution of a program (Chess et al., 2007). Skoudis (2004) outlined a model in which analysis tools are distributed between a local victim machine and an external machine, to capture the behaviour of the malware on the local machine and its interaction with external services over a network; the external services described by Arnold et al. (2000) can be set up on the external monitoring segment. Rieck et al. experimented with heterogeneous test data collected over several months using honeypots and demonstrated the effectiveness of their method, especially in detecting novel instances of malware families not previously recognised by commercial antivirus software. A number of analysis tools are used by malware forensic analysts, with static and dynamic analysis as the two main methodologies (Aquilina et al., 2008). Disassemblers and debuggers such as IDA Pro (Hex-Rays, 2008) and OllyDbg (Yuschuk, 2008) can be used to perform a detailed analysis of the malware code and provide an internal view of its functionality (Valli and Brand, 2008); this is referred to as static analysis. In contrast, dynamic analysis runs the malware and observes its interaction with the computer from a behavioural point of view. Plug-ins that extend IDA Pro and OllyDbg, such as IDA Stealth (Newger, 2008) and Olly Advanced (MaRKuS, 2006) respectively, help work with malicious code that employs anti-analysis techniques; their purpose is to hide the presence of the associated tool from the code under analysis. Extensive literature exists on static analysis of malicious binaries, e.g. Christodorescu et al. (2005), Kirda et al. (2006), and Kruegel et al. (2004). Moreover, Moser et al. (2007) present obfuscation techniques that make static analysis provably NP-hard. Dynamic malware analysis techniques have previously focused on obtaining reliable and accurate information on the execution of malicious programs (Bayer et al., 2006; Moser et al., 2007; Willems et al., 2007). Two techniques for behaviour-based malware analysis using clustering of behaviour reports have been proposed (Lee et al., 2006; Bailey et al., 2007). Moser et al. (2007) proposed a system that dynamically monitors a suspicious program to identify the execution points where the application makes control-flow decisions based on input-dependent values.
Static Anomaly Detection: Wagner and Dean (2001) proposed a technique that builds a control-flow graph (CFG) of a program representing the system calls it can make. At execution time the observed system-call sequence is compared with this CFG to check for any violation.

Hybrid Anomaly Detection: Rabek et al. (2003) proposed an anomaly-based technique in which static analysis is assisted by dynamic analysis to detect injected, dynamically generated and obfuscated code. Static analysis is used to identify the locations of system calls within the program; the program is then monitored dynamically to verify that each system call is made from a location identified by the static analysis.

Static Misuse Detection: Bergeron et al. (1999) used program slicing to extract program regions that are critical from a security point of view. In related work Bergeron et al. (2001) extracted an API call graph instead of program slices to test against the security policy. Lo et al. (1995) proposed the idea of tell-tale signs, heuristic signatures of malicious programs.

Dynamic Anomaly Detection: Hofmeyr et al. (1998) proposed anomaly detection based on sequences of system calls, with a normal profile composed of short system-call sequences. In a similar approach Sekar et al. (2001) used finite state automata (FSA) to represent system-call sequences, and Ko et al. (1997) proposed trace policies, essentially sequences of system calls ordered in time. Masri et al. (2005) presented a tool called Dynamic Information Flow Analysis (DIFA) to monitor method calls at runtime in Java applications, and Sekar et al. (1999) created a system-call detection engine that compares previously modelled system calls with those made at runtime.

Hybrid Misuse Detection: Mori (2004) presented an approach to detecting encrypted and polymorphic viruses using static analysis and code emulation.

Dynamic Misuse Detection: Debbabi (2001) proposed a dynamic monitoring system that enforces a security policy, implemented in a system called DaMon. Schneider (1998) presented enforceable security policies in the form of finite state automata (security automata).

Vasudevan et al. developed a dynamic coarse-grained binary-instrumentation framework codenamed SPiKE that aids the construction of powerful analysis tools for malware that is becoming increasingly hard to analyse. Its goal is a binary-instrumentation framework that is stealthy, portable, efficient, easy to use and reusable, supporting multithreading and self-modifying/self-checking (SM-SC) code in both user and kernel mode. Valli et al. laid the foundation for a Malware Analysis Body of Knowledge (MABOK), required for analysing malware forensically; this body of knowledge is the outcome of several years of study of malware categorisation. Debuggers such as OllyDbg (Yuschuk, 2008) and IDA Pro (Hex-Rays, 2008) are commonly used for malware analysis, and plug-ins such as Olly Advanced (MaRKuS, 2006) for OllyDbg and IDA Stealth (Newger, 2008) for IDA Pro focus on hiding the presence of the tool from the software under investigation, in an effort to avoid detection. Christodorescu et al. presented a distinctive viewpoint on malicious code detection: the attacker who writes the malicious code tries to obfuscate it in order to defeat malicious-code detectors such as antivirus software.
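The sequence-of-system-calls idea from Hofmeyr et al. above is small enough to show end to end. The Python block is an added example, not the authors' implementation: it builds a normal profile from constructed training traces as the set of all length-k windows, then scores an unseen trace by the fraction of its windows absent from the profile. The traces, window length and threshold are assumptions; the last trace is benign but was never seen in training, which shows the false-positive risk of an incomplete profile.

```python
# Constructed system-call traces for a notional file-serving daemon.
# NORMAL_TRACES are "normal" runs used for training; SUSPECT_TRACE contains
# the shell spawn an injected payload would produce; UNSEEN_BENIGN_TRACE is a
# legitimate run whose exact call pattern never appeared in training.
NORMAL_TRACES = [
    "open read write close open read write close".split(),
    "open read read write close open read write close".split(),
    "open read write write close".split(),
]
SUSPECT_TRACE = "open read write execve fork dup2 execve close".split()
UNSEEN_BENIGN_TRACE = "open read read read write close".split()


def windows(seq, k):
    """All length-k sliding windows of seq, as tuples."""
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def build_profile(traces, k=3):
    """Normal profile: the set of every length-k window seen in training."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def score_trace(trace, profile, k=3):
    """Return (mismatches, total_windows, mismatch_ratio) for one trace."""
    wins = windows(trace, k)
    mismatches = sum(1 for w in wins if w not in profile)
    ratio = mismatches / len(wins) if wins else 0.0
    return mismatches, len(wins), ratio


def is_anomalous(trace, profile, k=3, threshold=0.2):
    """Flag a trace whose mismatch ratio exceeds the tuning threshold."""
    return score_trace(trace, profile, k)[2] > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for label, trace in (("normal", NORMAL_TRACES[0]),
                         ("suspect", SUSPECT_TRACE),
                         ("unseen-benign", UNSEEN_BENIGN_TRACE)):
        print(label, score_trace(trace, profile), is_anomalous(trace, profile))
```

The suspect trace mismatches on five of its six windows, while the unseen benign trace mismatches on one of four (0.25), which already crosses the 0.2 threshold; in practice the threshold and the size of the training set are tuned together, and the fraction of mismatches is a far more useful output than a bare verdict.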

Malware analysis is the process of determining the purpose and characteristics of a given malware sample, such as a virus, worm, or Trojan horse. This process is a necessary step towards developing effective detection techniques for malicious code. The tools used for malware analysis fall into two basic categories: static and dynamic (live). Static analysis tools attempt to analyse a binary without executing it; live analysis tools study the behaviour of a binary once it has been executed. Static and dynamic analysis are described in detail in the following sections. Fully automated malware analysis is, in general, an intractable problem: it is not possible for one program to determine exactly the behaviour of an arbitrary other program, so automated tools produce approximations that an analyst must interpret.

Antivirus software still plays a key role in protecting systems from malicious code; however, it should not be the only instrument used to detect malware attacks, because, as has been seen recently, it can fail. Finally, if a system has been compromised, there must be a commonly known way to handle the situation, to minimise the damage and to remediate it as soon and as well as possible. As computer attacks and malware evolve, new responses and solutions are needed as quickly as possible (Miller et al.; Cai et al.).

1.1 Malware Propagation Techniques according to Bayer et al.

The following are the different ways in which malware is propagated into computer systems (source: Malware Analysis and Mitigation in Information Preservation, DOI: 10.9790/0661-2004015362, www.iosrjournals.org, p. 55):

a. Web browsing - The easiest way of getting infected is through a drive-by download. Malware often spreads through unwanted software downloads, malicious PDF documents, Word documents, or fake software. Using this technique, malware authors have no target other than infecting as many computers as possible. Modern browsers like Chromium (the open source project on which Google developed Chrome) include two mechanisms designed with security in mind: a browser kernel that interacts with the operating system, and a rendering engine that runs inside a sandbox with restricted privileges. This design improves browser security and mitigates attacks from malicious websites (Kruegel et al.).

b. USB thumb drives - Thumb drives are also used to spread malicious software. This method uses the AutoRun feature to launch malware when the storage device is mounted by the operating system. A common attack scenario is to intentionally drop USB drives in front of targeted organisations (Kirda et al.).

c. Email spear phishing - Spear phishing is an e-mail spoofing fraud attempt that targets a specific organisation, seeking unauthorised access to confidential data. Spear phishing attempts are not initiated by random attackers but are more likely conducted by perpetrators out for financial gain, trade secrets or military information. Similar to the e-mail messages used in regular phishing campaigns, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail

Attackers may also observe websites that the targeted group frequently visits and trusts, and afterwards infect these websites with malware in the hope that a person from the targeted group will get infected (Andreas et al.).
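The AutoRun vector in item b depends on an autorun.inf file at the root of the drive, and a scanner can inspect such files before a removable device is trusted. The following Python block is an added example, not code from Kirda et al. or any cited work; both autorun.inf contents are constructed, and the heuristics (launch directives, a borrowed shell32.dll icon, and an "Open folder" action text that mimics the default prompt) are assumptions for the illustration.

```python
import configparser

# Constructed autorun.inf contents. The first carries the launch directives
# malware abuses plus cosmetic tricks; the second is a plain installer disc.
MALICIOUS_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21\\setup.exe
shellexecute=RECYCLER\\S-1-5-21\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=My Drive
"""
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product Installer
"""

# Keys that cause code to run or be offered for running (assumed list).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    interpolation=None keeps %SystemRoot% literal; strict=False tolerates
    duplicate keys, which hand-written .inf files often contain.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def autorun_findings(text):
    """List the indicators that make an autorun.inf worth blocking."""
    section = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in section:
            findings.append(f"launch directive {key}={section[key]}")
    has_launch = any(k in section for k in LAUNCH_KEYS)
    if has_launch and section.get("action", "").lower().startswith("open folder"):
        findings.append("action text mimics the default 'Open folder' prompt")
    if "shell32.dll" in section.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll (folder/drive icon spoof)")
    return findings


if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, autorun_findings(text) or "nothing flagged")
```

Disabling AutoRun for removable media on the endpoint removes the vector entirely; the parser is useful where that control is not yet in place or for triaging drives found in the field.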

PREVENTION
Malicious software has a wide range of analysis-avoidance techniques it can employ to hinder forensic analysis. Although legitimate software can incorporate the same techniques to protect against reverse engineering and to protect intellectual property, malware invariably makes much greater use of them, to make detailed analysis labour-intensive and very time-consuming. Brand et al. suggested that discovering an intent to deceive may be a very good indicator of an underlying malicious objective in the software under investigation. A review of the literature on malware analysis methodologies found that the most effective methodologies take the presence of analysis-avoidance techniques into account (Skoudis et al., 2004; Zeltser, 2007). Zeltser (2007) presented an incremental, spiral methodology combining static and dynamic analysis, in which the analysis environment is also adapted as understanding of the malware grows. Software with malicious intent is far more likely to employ anti-analysis techniques than legitimate software (Vuksan et al., 2009), to the extent that detecting the presence of anti-analysis techniques may itself indicate the presence of malware (Wysopal, 2009). A number of lessons can be learned from the techniques that malicious executables employ to deter digital forensic examination. Researchers recognise that signature-based detection of malware is far from ideal, so a forensic analyst is required to analyse suspicious files manually. To avoid detection and hide its true intent, the attacker makes use of packers, protectors or cryptors to obstruct the analyst; therefore the analyst must understand the limitations of the tools, the anti-analysis techniques, and how to apply a proper analysis methodology to uncover the aim of the malware (Brand et al.). Modern malware incorporates stealth techniques to hide from the analyst, deception techniques to hide its true intent, and active techniques to defeat common analysis tools in their default configurations (Grugq, 2003; Harbour, 2007; Rutkowska, 2006a, 2006b). Such techniques are commonly referred to as anti-forensics and are becoming a very important consideration for the digital forensic analyst, as the majority of modern malware employs them (Falliere, 2007; Ferrie, 2008; Yason, 2007). Honeypots are an emerging forensic tool for the analysis of malicious network activity; research labs and security firms generally use them to capture new malware variants. Kumar et al. used honeypots to generate and propagate direct cures for unknown and new malware in a network, in the form of on-the-fly anti-malware signatures that spread in a way similar to the spread of the malware itself. The notable gain of this technique is that, for new malware not yet discovered by researchers and security firms, the proposed system would be capable of providing an effective cure.
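Packers, protectors and cryptors, mentioned above, leave a measurable trace: compressed or encrypted data has near-maximal byte entropy, whereas ordinary code and strings do not. The Python block below is an added example, not code from Brand et al. or any cited work. It computes Shannon entropy per section of a constructed binary (sections are supplied as name, bytes and executable flag rather than parsed from a real PE) and flags executable sections with high entropy or well-known packer section names. As the text notes, legitimate software packs too, so this is an indicator for triage, not a verdict.

```python
import math
import random
from collections import Counter

# Constructed stand-ins for PE sections: (name, contents, is_executable).
# .text repeats a 16-byte instruction-like pattern of 16 distinct bytes
# (entropy exactly 4.0); .rdata holds ASCII strings; UPX1 holds output of a
# seeded PRNG standing in for a compressed payload. Nothing here is a real file.
_rng = random.Random(2024)  # seeded so the example is reproducible
CODE_PATTERN = b"\x55\x8b\xec\x83\xe4\xf0\x53\x56\x57\x33\xc0\x8d\x45\x08\xc3\xcc"
SAMPLE_SECTIONS = [
    (".text", CODE_PATTERN * 256, True),
    (".rdata", b"Software\\Acme\\Updater\0CreateFileW\0kernel32.dll\0" * 64, False),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), True),
]

# Section names written by common packers (UPX, ASPack). Assumed list.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", ".aspack"}
HIGH_ENTROPY = 7.0  # bits per byte; 8.0 is the maximum for byte data


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections, threshold=HIGH_ENTROPY):
    """Return (section_name, reason) for each section that looks packed.

    A known packer section name is reported on its own; otherwise only an
    executable section with high entropy is flagged, since high entropy in
    a pure data section (icons, certificates) is normal.
    """
    indicators = []
    for name, data, executable in sections:
        entropy = shannon_entropy(data)
        if name in PACKER_SECTION_NAMES:
            indicators.append((name, f"known packer section name, entropy {entropy:.2f}"))
        elif executable and entropy >= threshold:
            indicators.append((name, f"executable section with entropy {entropy:.2f}"))
    return indicators


def likely_packed(sections):
    """Triage verdict: any indicator at all is worth an analyst's attention."""
    return bool(packing_indicators(sections))


if __name__ == "__main__":
    for name, data, _ in SAMPLE_SECTIONS:
        print(f"{name:8s} entropy={shannon_entropy(data):.2f}")
    print(packing_indicators(SAMPLE_SECTIONS))
```

In real use the section table would be read with a PE parser, and the entropy check is best combined with the other signs the text lists (a tiny import table, a writable and executable section, an entry point outside .text), since a packer that pads its output with low-entropy filler defeats the entropy check on its own.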

REFERENCES:

https://pdfs.semanticscholar.org/b57a/0b7c8833fd358ead47e36f73cf54cd1bb3f6.pdf

Aparna Verma et al., A Literature Review on Malware and Its Analysis, Int J Cur Res Rev, Aug 2013, Vol 05 (16). https://www.researchgate.net/publication/269399065_A_LITERATURE_REVIEW_ON_MALWARE_AND_ITS_ANALYSIS

file:///D:/551ca2235d373f7ed5e5cca074ecf738cbeb.pdf

file:///D:/MalwareAnalysis.pdf

Malware Analysis and Mitigation in Information Preservation, IOSR-JCE, Vol 20, Issue 4, Ver. 1, DOI: 10.9790/0661-2004015362. http://www.iosrjournals.org/iosr-jce/papers/Vol20-issue4/Version-1/H2004015362.pdf
