10 April 2016


by mo

Notes from CPNT-250 course at SAIT.

Malware = Malicious Software

It is used to:

  • steal personal information.
  • delete files.
  • commit click fraud.
  • steal software serial numbers.
  • use your computer as a relay for other attacks.

Malware is classified by three characteristics:

  • self-replication
  • population growth
  • parasitic (needs a host program to exist)

Logic Bombs

Special code that releases a payload whenever a trigger condition is fulfilled.

  crash_computer if DateTime.now.friday?

Trojan Horses

Malware that appears to perform a desirable function but performs undisclosed malicious functions that ultimately may allow unauthorized access to the victim computer.


Backdoors

A mechanism to bypass security checks, e.g. a remote administration tool (RAT).

  allow_login if username == "l33t.h4ck0r"


Viruses

A type of malware that tries to replicate itself into other executable programs.


Worms

A self-replicating computer program that uses the network to send copies of itself to other nodes without any user intervention, relying on security failures on the target computer to gain access. It does not need to attach itself to an existing program, and it almost always causes harm to the network.


Rabbits

The name comes from the idea of quick multiplication. The program consumes all of some system resource. There is usually just one rabbit “hopping” around a network.


Spyware

Software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data and/or network traffic, or by scanning files on the system for sensitive information. It gathers information about a person or organization without their knowledge and may send that information to another entity without the consumer’s consent.


Keyloggers

Capture keystrokes on compromised systems.


Rootkits

Malicious code designed to hide the existence of other code. Usually paired with other malware, such as a backdoor, to give the attacker remote access and make the code difficult for the victim to detect.


Adware

Advertising that is integrated into software. It automatically renders advertisements in order to generate revenue for its author.


Zombies and Bots

Zombies or bots are programs that can be activated on an infected machine, allowing the attacker to perform tasks without the user’s knowledge, including attacks on other machines.

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. It could be used to send spam email or participate in distributed denial-of-service attacks.

A downloader is malicious code that exists only to download other malicious code. Downloaders are commonly installed by attackers when they first gain access to a system.

Information-stealing malware collects information from a victim’s computer and usually sends it to the attacker.

Scareware is malware designed to frighten an infected user into buying something. It usually has a user interface that makes it look like an antivirus or other security program.


Malware Analysis

There are two basic approaches to malware analysis, each with an advanced form:

  • Static: involves examining the malware without running it.
  • Dynamic: involves running the malware and observing its behaviour on the system in order to remove the infection, produce effective signatures, or both.
  • Advanced Static Analysis: consists of reverse-engineering the malware internals by loading the executable into a disassembler and looking at the program instructions in order to discover what the program does.
  • Advanced Dynamic Analysis: uses a debugger to examine the internal state of a running malicious executable.


VirusTotal

Allows you to upload a file for scanning by multiple antivirus engines. VirusTotal generates a report that provides the total number of engines that marked the file as malicious, the malware name, and additional information.

Using objdump

answer.c:

  #include <stdio.h>

  /* the function we will look for in the disassembly */
  int ultimate_question() {
    return 0x2a;
  }

  int main() {
    printf("The answer is %d\n", ultimate_question());
    return 0;
  }

Compile it, run it, then dump the disassembly to a file:

  $ gcc answer.c
  $ ./a.out
  The answer is 42
  $ objdump -d a.out > answer.dump
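An added example (not from the course notes) of the first static pass an analyst does before opening a disassembler: hash the file so it can be looked up on VirusTotal without uploading it, read the ELF64 header for the entry point and architecture, and pull out printable strings. The sample bytes are constructed inline and are not a real compiled binary; the function names are this example's own.

```python
"""Basic static triage of an ELF file, in the spirit of the objdump example above."""
import hashlib
import re
import struct

ELF_MAGIC = b"\x7fELF"

def sha256_hex(data: bytes) -> str:
    """Hash of the file; this is what you search for on VirusTotal instead of uploading."""
    return hashlib.sha256(data).hexdigest()

def parse_elf_header(data: bytes) -> dict:
    """Read the ELF64 header fields an analyst checks first (type, machine, entry point)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("this example only handles ELF64 (EI_CLASS == 2)")
    endian = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    e_type, e_machine, _e_version, e_entry = struct.unpack_from(endian + "HHIQ", data, 16)
    return {"type": e_type, "machine": e_machine, "entry": e_entry}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the `strings` tool: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def triage(data: bytes) -> dict:
    """Collect the static indicators into one report."""
    return {
        "sha256": sha256_hex(data),
        "header": parse_elf_header(data),
        "strings": extract_strings(data),
    }

# Constructed sample (not a real binary): a valid ELF64 x86-64 header followed by a few
# strings like those the compiled answer.c would contain.
SAMPLE = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8                     # e_ident
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401040,               # ET_EXEC, x86-64, entry
                  64, 0, 0, 64, 56, 0, 64, 0, 0)                       # offsets/sizes
    + b"The answer is %d\n\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["sha256"])
    print("entry point: 0x%x, machine: 0x%x" % (report["header"]["entry"], report["header"]["machine"]))
    print("strings:", report["strings"])
```

Run it against a real file with `triage(open(path, "rb").read())`; the header parsing stops at the first four header fields on purpose, since that is all a quick triage needs.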