Global Threat Report 2007


we protect your digital worlds
Sales Hotline: (852) 2893 8860 www.eset.com www.eset.hk

ESET Global Threat Report for 2007

As another year draws to a close, few can have failed to notice the plagues of malicious software, floods of fraudulent emails and the generally increased pestilence of our online world, marking out 2007 as one of the most remarkable in the history of malware. Since ESET was founded in 1992, all sorts of threats have appeared, evolved, and in some cases disappeared again. 2007 was no exception, and as a company, we've had to grow and evolve to find innovative ways to meet those threats. To tie up what was an exciting year (perhaps too exciting in some ways) we've taken a look back to consider the trials and triumphs of the past months.

ESET has a unique store of data to mine, gathered through our ThreatSense.Net® technology, which automatically collects data about malware threats, and particularly about newly-discovered, heuristically detected threats. Information is constantly fed back from our customers (with their explicit consent, of course!) to our Threat Laboratory, enabling us to recognize new threats instantly and gather statistics on the effectiveness of our detection, and so to get a 'real-world' view of the evolving threatscape. Not only does ThreatSense.Net allow us to constantly improve our products through analysis of the data, leading to enhanced detection, but it allows us to share our view of the year's trends and developments with the wider world.

There is no prize for guessing that the year ahead of us will be another challenging one. One clear trend is that more and more people are realizing that proactive detection of malware, when dealing with the huge volumes and rapid spread that we see today, is an essential component of a defense strategy.
At ESET we know that simply predicting and following trends is not enough to ensure the protection of our customers, and we will continue to pursue our core values, staying ahead of the curve through the consistency of our technological innovation. As successful pioneers of heuristic techniques, we will be looking to ensure that we can meet the challenge of the unpredictable! As you read this report, bear in mind that the information is not limited to ESET's own unique view, but also reflects what has happened globally over the past twelve months. As with stocks and shares, past threat trends are not a sure predictor of future developments; however, we can be certain of one thing. Although the threats may change and new ones will appear, there will continue to be malicious software threats as long as there are computers to attack and exploit, and computer users to fall victim. Furthermore, as more platforms become mainstream, they will inevitably be used as a medium for exploitation. It is worth remembering that many malware threats exploit the user rather than a particular platform: phishing, for instance, is not unique to a single operating system environment.

We hope that you find this report interesting reading and we would love to hear your feedback on it. Please write to [email protected]

We wish you a safe journey through 2008. Rest assured, we will be doing all we can to protect your digital worlds.
The ESET Research Team

Table of Contents

Introduction and Overview .... 3
Top Ten Email-Borne Threats .... 4
  Figure 1: Relative Proportions of the Top Ten E-mail-Borne Threats .... 4
  Table 1: What the Names Mean .... 5
  Proportion of Infected E-mails to Total Messages Monitored .... 5
Threat Descriptions .... 6
  • Win32/Stration .... 6
  • "Probably unknown NewHeur_PE virus" .... 6
  • Win32/Netsky.Q .... 6
  • Win32/Nuwar.gen .... 6
  • Win32/Fuclip .... 7
  • Win32/Nuwar .... 7
  Figure 2: Top 10 Virus Radar Listings by Detection Type .... 8
2007 Threat Trend Summary .... 9
  • Malware Top 10 for January 2007 .... 10
  • Other Events in January .... 12
  • Malware Top 10 for February 2007 .... 13
  • Other Events in February .... 13
  • Malware Top 10 for March 2007 .... 14
  • Other Events in March .... 14
  • Malware Top 10 for April 2007 .... 15
  • Other Events in April .... 16
  • Malware Top 10 for May 2007 .... 17
  • Other Events in May .... 17
  • Malware Top 10 for June 2007 .... 18
  • Other Events in June .... 18
  • Malware Top 10 for July 2007 .... 20
  • Other Events in July .... 20
  • Malware Top 10 for August 2007 .... 21
  • Other Events in August .... 21
  • Malware Top 10 for September 2007 .... 22
  • Other Events in September .... 23
  • Malware Top 10 for October 2007 .... 24
  • Other Events in October .... 25
  • Malware Top 10 for November 2007 .... 26
  • Other Events in November .... 26
  • Malware Top 10 for December 2007 .... 27
  • Other Events in December .... 27
More Malware of Interest .... 29
Conclusion .... 30
Resources and Further Reading .... 31
Glossary .... 32
About ESET .... 35
About ESET NOD32 Antivirus and ESET Smart Security .... 35
About ThreatSense® .... 35

Introduction & Overview

ESET's product line has, traditionally, been focused on the detection and removal of viruses and other forms of malicious software, though you'll notice as you read through this document that we do rather more than that, and that our product range is increasing in versatility.
Still, the data resources that we've mined so as to bring you this summary are focused on malware, so we won't make more than a fleeting reference to other fascinating security-related phenomena and issues that have dominated this year, such as:

• The use of Acrobat PDF files and other graphics-friendly objects such as Excel spreadsheets in spam and scams, such as pump and dump fraud
• The rise of Microsoft's Vista and some heated discussion about its security enhancements
• The increasing attention paid to Web 2.0 technologies (collaborative technologies and platforms, such as wikis, blogs, Moodle and so on), to virtual worlds like Second Life, and to social networks like Facebook, MySpace, Ning, and LinkedIn by security specialists and blackhats alike
• The ongoing diversification and increasing sophistication of botnet technology and topology
• The continuing shift away from replicative malware (viruses and worms) to other forms of malware (backdoors, keyloggers, banking Trojans), and from hobbyist virus creation to professional crimeware development
• The recognition by anti-malware developers, researchers and testers that comparative testing and certification has to move away from testing with known malware to more demanding methodologies designed to test a product's ability to make use of behavior analysis, heuristics and other forms of proactive and dynamic detection, rather than focusing entirely on malware-specific detection by signature.

To produce this summary, we've drawn on some of the data resources we use continuously to maintain and improve our product range. In particular, Virus Radar collects data on email-borne malware, while our ThreatSense.Net® technology automatically collects data on all sorts of incoming new and old threats trapped by our heuristics, and immediately forwards information to our Threat Laboratory.
These data are primarily intended to give us an edge in the security market by allowing us to improve the detection capabilities of our products, so that we continue to detect not just known malware, but brand new threats, by continuing to improve our sophisticated proactive detection technologies. We hope that you'll find this peek into the innards of our technology and what it has picked up over the past 12 months interesting, informative and useful.

Top Ten Email-Borne Threats

"Virus Radar On-line" is a project initiated by ESET and partners for the monitoring and statistical analysis of malware spread via electronic mail. The top ten email-borne threats of 2007, as reported by Virus Radar, are as follows. The figures represent the number of instances recorded as of 10th December 2007, and an explanation of the names used is given in Table 1 below.

Name by which Malware is Detected by ESET          Number of Detections
"A variant of Win32/Stration.XW"                             11,608,228
"Probably unknown NewHeur_PE virus"                           4,184,672
Win32/Netsky.Q worm                                           3,355,513
Win32/Nuwar.gen worm                                          2,965,119
Win32/Fuclip.B trojan                                         1,740,631
Win32/Stration.XW worm                                        1,300,049
"A variant of Win32/Stration.WL worm"                           760,689
"Probably a variant of Win32/Nuwar worm"                        745,021
Win32/Stration.WC worm                                          668,624
"A variant of Win32/Stration.QQ worm"                           585,736
Other malware instances recorded                              5,895,524

Figure 1: Relative Proportions of the Top Ten Email-Borne Threats (chart not reproduced here)

Note: At the time of data capture, 1,142 individual threats were identified by Virus Radar. More up-to-date and detailed information is available at http://www.virusradar.com/stat_01_current/index_all_c12m_enu.html

Table 1: What the Names Mean

"A variant of Win32/Stration.XW worm" †          Malware closely resembling Win32/Stration.XW has been detected.
"Probably unknown NewHeur_PE virus"              Heuristic (see glossary) detection of unknown malware.
Win32/Netsky.Q worm ††                           Threat-specific detection of a common internet worm.
Win32/Nuwar.gen worm †††                         Generic detection of a Nuwar variant.
Win32/Fuclip.B trojan ††††                       Threat-specific detection of the Fuclip.B Trojan.
Win32/Stration.XW worm †                         Threat-specific detection of a particular Stration variant.
"A variant of Win32/Stration.WL worm" †          Malware has been identified generically as closely resembling a Stration variant.
"Probably a variant of Win32/Nuwar worm" †††     Malware has been identified as
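Table 1 describes the naming convention that distinguishes threat-specific signatures, generic (".gen") signatures, "A variant of ..." matches and pure heuristic hits, and Figure 2 of the report regroups the Virus Radar listing by those detection types. The script below is an added example, not ESET code: it parses the ten detection names printed above according to the rules Table 1 gives, then aggregates the counts by detection type and by malware family. The regular expression and the category labels are this example's own assumptions about the name format; the counts are the ones printed in the table.

```python
"""Parse ESET detection names into detection type and family, then aggregate
the Virus Radar counts by type and by family.

Added example, not ESET's code. The naming rules implemented here are those
described in Table 1; the counts are the top-ten figures printed in the
report (as of 10 December 2007)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

TOP_TEN = [
    ("A variant of Win32/Stration.XW", 11_608_228),
    ("Probably unknown NewHeur_PE virus", 4_184_672),
    ("Win32/Netsky.Q worm", 3_355_513),
    ("Win32/Nuwar.gen worm", 2_965_119),
    ("Win32/Fuclip.B trojan", 1_740_631),
    ("Win32/Stration.XW worm", 1_300_049),
    ("A variant of Win32/Stration.WL worm", 760_689),
    ("Probably a variant of Win32/Nuwar worm", 745_021),
    ("Win32/Stration.WC worm", 668_624),
    ("A variant of Win32/Stration.QQ worm", 585_736),
]
OTHER_INSTANCES = 5_895_524  # "Other malware instances recorded"

# Prefixes that mark a detection as resembling, rather than being, a known threat.
_PREFIXES = (
    ("Probably a variant of ", "probable-variant"),  # heuristic match at family level
    ("A variant of ", "variant"),                    # close resemblance to a known variant
)
# Assumed name format: Platform/Family[.Variant][ type], e.g. "Win32/Stration.XW worm".
_NAME = re.compile(r"(?P<platform>\w+)/(?P<family>\w+)(?:\.(?P<variant>\w+))?(?:\s+(?P<type>\w+))?")


@dataclass(frozen=True)
class Detection:
    kind: str                    # heuristic | generic | variant | probable-variant | specific
    family: Optional[str]        # e.g. "Stration"; None for a pure heuristic hit
    variant: Optional[str]       # e.g. "XW"; "gen" marks a generic signature
    malware_type: Optional[str]  # worm | trojan | virus, when the name carries it


def classify(name: str) -> Detection:
    """Map one detection name to its detection type following Table 1."""
    name = name.strip().strip('"\u201c\u201d').strip()
    if name.startswith("Probably unknown NewHeur"):
        # NewHeur_PE: heuristic detection of previously unknown PE malware.
        return Detection("heuristic", None, None, "virus")
    kind = "specific"
    for prefix, prefix_kind in _PREFIXES:
        if name.startswith(prefix):
            kind = prefix_kind
            name = name[len(prefix):]
            break
    match = _NAME.fullmatch(name)
    if match is None:
        raise ValueError(f"unrecognised detection name: {name!r}")
    variant = match.group("variant")
    if kind == "specific" and variant is not None and variant.lower() == "gen":
        kind = "generic"  # e.g. Win32/Nuwar.gen: one signature covering a family
    return Detection(kind, match.group("family"), variant, match.group("type"))


def counts_by_kind(rows: Iterable[Tuple[str, int]]) -> Counter:
    by_kind: Counter = Counter()
    for name, count in rows:
        by_kind[classify(name).kind] += count
    return by_kind


def counts_by_family(rows: Iterable[Tuple[str, int]]) -> Counter:
    by_family: Counter = Counter()
    for name, count in rows:
        by_family[classify(name).family or "(heuristic, no family)"] += count
    return by_family


def top_ten_total(rows: Iterable[Tuple[str, int]]) -> int:
    return sum(count for _, count in rows)


def top_ten_share(rows, other: int = OTHER_INSTANCES) -> float:
    """Fraction of all recorded instances that fall in the top ten."""
    total = top_ten_total(rows)
    return total / (total + other)


if __name__ == "__main__":
    for kind, count in counts_by_kind(TOP_TEN).most_common():
        print(f"{kind:17s} {count:>12,}")
    for family, count in counts_by_family(TOP_TEN).most_common():
        print(f"{family:24s} {count:>12,}")
    print(f"top ten share of all instances: {top_ten_share(TOP_TEN):.1%}")
```

Run as a script it prints the breakdown; the point worth noticing is that the three "variant of" entries plus the two heuristic entries together outnumber the threat-specific signatures by more than two to one, which is the case the report makes for proactive detection.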
Recommended publications
  • A: The Hacker
    A The Hacker Madame Curie once said "En science, nous devons nous intéresser aux choses, non aux personnes [In science, we should be interested in things, not in people]." Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term "hacker" has referred to various activities. We are familiar with usages such as "a carpenter hacking wood with an ax" and "a butcher hacking meat with a cleaver," but it seems that the modern, computer-related form of this term originated in the many pranks and practical jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn't. A hack is a person lacking talent or ability, as in a "hack writer." Hack as a verb is used in contexts such as "hack the media," "hack your brain," and "hack your reputation." Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • BOTection: Bot Detection by Building Markov Chain Models of Bots' Network Behavior (Bushra A. Alahmadi et al.)
    BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior. Bushra A. Alahmadi (University of Oxford, UK), Enrico Mariconti (University College London, UK), Riccardo Spolaor (University of Oxford, UK), Gianluca Stringhini (Boston University, USA), Ivan Martinovic (University of Oxford, UK).
    ABSTRACT. Botnets continue to be a threat to organizations, thus various machine learning-based botnet detectors have been proposed. However, the capability of such systems in detecting new or unseen botnets is crucial to ensure its robustness against the rapid evolution of botnets. Moreover, it prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. The Markov Chains state transitions capture the bots' network behavior using high-level flow features as states, ...
    [Introduction, continuing mid-sentence:] ... through DDoS (e.g. DDoS on Estonia [22]), email spam (e.g. Geodo), ClickFraud (e.g. ClickBot), and spreading malware (e.g. Zeus). 10,263 malware botnet controllers (C&C) were blocked by Spamhaus Malware Labs in 2018 alone, an 8% increase from the number of botnet C&Cs seen in 2017. Cybercriminals are actively monetizing botnets to launch attacks, which are evolving significantly and require more effective detection mechanisms capable of detecting those which are new or unseen. Botnets rely heavily on network communications to infect new victims (propagation), to communicate with the C&C server, or to perform their operational task (e.g.
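The abstract above describes modelling bot flow behaviour as a Markov chain whose states are high-level flow features. The following is an added example in that spirit, not the BOTection authors' code: it quantises flows into coarse states (protocol plus a byte-count bucket, an assumption of this example rather than the paper's feature set), estimates a smoothed transition matrix per class from constructed training flows, and scores an unseen flow sequence under each model by mean log-likelihood. The flow records are constructed for illustration.

```python
"""First-order Markov chain over coarse network-flow states, used to score
unseen flow sequences against a bot model and a benign model.

Added example, not the BOTection authors' code. The state alphabet
(protocol + byte-count bucket) and all flow records are constructed here."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, int]  # (protocol, bytes transferred)


def flow_state(flow: Flow) -> str:
    """Quantise a flow into a high-level state such as 'tcp:small'."""
    proto, nbytes = flow
    if nbytes < 500:
        size = "small"
    elif nbytes < 5000:
        size = "medium"
    else:
        size = "large"
    return f"{proto}:{size}"


def transition_matrix(states: List[str], alpha: float = 1.0) -> Dict[str, Dict[str, float]]:
    """Estimate P(next | current) with add-alpha smoothing, so a transition the
    training data never showed keeps a small non-zero probability."""
    alphabet = sorted(set(states))
    counts: Dict[str, Counter] = defaultdict(Counter)
    for cur, nxt in zip(states, states[1:]):
        counts[cur][nxt] += 1
    matrix: Dict[str, Dict[str, float]] = {}
    for cur in alphabet:
        total = sum(counts[cur].values()) + alpha * len(alphabet)
        matrix[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in alphabet}
    return matrix


def mean_log_likelihood(matrix: Dict[str, Dict[str, float]], states: List[str],
                        floor: float = 1e-6) -> float:
    """Average log P(transition) of a sequence under the model. Transitions
    touching a state the model never saw fall back to a floor probability."""
    if len(states) < 2:
        raise ValueError("need at least two flows to form a transition")
    total = 0.0
    for cur, nxt in zip(states, states[1:]):
        total += math.log(matrix.get(cur, {}).get(nxt, floor))
    return total / (len(states) - 1)


# Constructed training data: a beaconing bot sends three tiny check-ins, then
# one medium-sized command exchange, repeatedly; a workstation browses.
BOT_TRAIN: List[Flow] = [("tcp", 120), ("tcp", 118), ("tcp", 121), ("tcp", 2300)] * 3
BENIGN_TRAIN: List[Flow] = [("tcp", 12000), ("tcp", 800), ("udp", 120), ("tcp", 45000),
                            ("tcp", 300), ("tcp", 2500), ("udp", 90), ("tcp", 15000), ("tcp", 600)]

BOT_MODEL = transition_matrix([flow_state(f) for f in BOT_TRAIN])
BENIGN_MODEL = transition_matrix([flow_state(f) for f in BENIGN_TRAIN])


def score(flows: Iterable[Flow]) -> Dict[str, float]:
    """Score an unseen flow sequence under both models; higher is more likely."""
    states = [flow_state(f) for f in flows]
    return {"bot": mean_log_likelihood(BOT_MODEL, states),
            "benign": mean_log_likelihood(BENIGN_MODEL, states)}


if __name__ == "__main__":
    held_out = [("tcp", 119), ("tcp", 122), ("tcp", 117), ("tcp", 2100)] * 2  # constructed
    print(score(held_out))
```

Because the states are coarse buckets rather than payload content, the model sees no packet data, which is the privacy-preserving property the abstract claims; the trade-off is that a bot whose beaconing pattern is deliberately randomised will flatten its transition matrix toward the benign one.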
  • Symantec Report on Rogue Security Software July 08 – June 09
    REPORT: SYMANTEC ENTERPRISE SECURITY. Symantec Report on Rogue Security Software, July 08 – June 09. Published October 2009. Confidence in a connected world. White Paper: Symantec Enterprise Security.
    Contents: Introduction (1); Overview of Rogue Security Software (2); Risks (4); Advertising methods (7); Installation techniques (9); Legal actions and noteworthy scam convictions (14); Prevalence of Rogue Security Software (17); Top reported rogue security software (17); Additional noteworthy rogue security software samples (25); Top rogue security software by region (28); Top rogue security software installation methods (29); Top rogue security software advertising methods (30); Analysis of Rogue Security Software Distribution (32); Analysis of Rogue Security Software Servers (36); Appendix A: Protection and Mitigation (45); Appendix B: Methodologies (48); Credits (50).
    Introduction. The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs. This includes an overview of how these programs work and how they affect users, including their risk implications, various distribution methods, and innovative attack vectors. It includes a brief discussion of some of the more noteworthy scams, as well as an analysis of the prevalence of rogue security software globally. It also includes a discussion on a number of servers that Symantec observed hosting these misleading applications. Except where otherwise noted, the period of observation for this report was from July 1, 2008, to June 30, 2009. Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network.
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE
    2015 HIGHLIGHTS. A few of the major events in 2015 concerning security issues (categories: enforcement, attacks, vulnerability, security product):
    02/15: Europol joint op takes down Ramnit botnet. 07/15: Hacking Team breached, data released online. 07/15: Bugs prompt Ford, Range Rover, Prius, Chrysler recalls. 07/15: Android Stagefright flaw reported. 07/15: FBI Darkode bazaar shutdown. 08/15: Google patches Android Stagefright flaw. 08/15: Amazon, Chrome drop Flash ads. 09/15: XcodeGhost tainted apps prompts App Store cleanup.
    TOP MALWARE FAMILIES: Njw0rm, Angler, Gamarue, Dorkbot, Nuclear, Kilim, Ippedo, Dridex, WormLink. Njw0rm was the most prominent new malware family in 2015.
    BREACHING THE WALLED GARDEN. In late 2015, the Apple App Store saw a string of incidents where developers had used compromised tools to unwittingly create apps with malicious behavior. The apps were able to bypass Apple's review procedures to gain entry into the store, and from there into an ordinary user's iOS device.
    MEET THE DUKES. The Dukes are a well-resourced, highly dedicated and organized cyberespionage group believed to be working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.
    THE CHAIN OF COMPROMISE: The Stages. The Chain of Compromise is a user-centric model that illustrates how cyber attacks combine different techniques and resources to compromise devices and networks. It is defined by 4 main phases: Inception, Intrusion, Infection, and Invasion. INCEPTION: Redirectors wreak havoc on US, Europe (p.28). INTRUSION: Angler EK dominates Flash (p.29). INFECTION: The rise of crypto-ransomware (p.31).
    THREATS BY REGION. Europe was particularly affected by the Angler exploit kit.
  • Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It
    by Bisyron Wahyudi and Muhammad Salahuddien
    The amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in host and network technology suggest that there will be new vulnerabilities. Attackers have an interest in identifying networks and hosts to expose vulnerabilities:
    . Network scans
    . Worms
    . Trojans
    . Botnets
    Complicated attack methods make it difficult to identify the real attacks: it is not as simple as filtering out the traffic from some sources. Security is implemented like an "add-on" module for the Internet. Understanding the behavior of malicious sources and targeted ports is important to minimize the damage by building strong, specific security rules and countermeasures, to help the cyber security policy-making process, and to raise public awareness.
    Questions:
    . Do malicious sources generate the attacks uniformly?
    . Is there any specific pattern, i.e. a recurrence event?
    . Is there any correlation between the number of some attacks over a specific time?
    Many systems and phenomena (events) are distributed according to a "power law". When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law. A power law applies to a system when:
    . large is rare, and
    . small is common.
    Data: collection of system logs from a Networked Intrusion Detection System (NIDS). The NIDS contains 11 sensors installed in different core networks in an Indonesian ISP (NAP). Period: January 2012 - September 2012. Available fields: Event Message, Timestamp, Dest. IP, Source IP, Attack Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensor ID.
    Two quantities x and y are related by a power law if y is proportional to x^(-c) for a constant c. If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line: log(y) = -c·log(x) + constant, where the constant is the log of the proportionality constant. The slope of the log-log plot is the power exponent c.
    Destination Port Distribution.
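The slides state the test for a power law: rank the counts, plot log(y) against log(x), and read the exponent c off the slope. The script below is an added example, not the authors' code, that carries that procedure through on a constructed destination-port hit table (the port numbers are arbitrary labels and the counts are generated to follow 50000·rank^(-1.5), as the comments state), fitting the slope by least squares in log-log space and reporting r² so a non-power-law distribution is not mistaken for one.

```python
"""Fit a power-law exponent to an attack-count distribution by linear
regression in log-log space: if y is proportional to x^(-c), then
log(y) = -c*log(x) + constant, so the slope of the log-log plot is -c.

Added example, not from the slides. The per-port hit counts below are
constructed to follow 50000 * rank^(-1.5) (rounded), so a correct fit
recovers an exponent close to 1.5."""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PowerLawFit:
    exponent: float    # c in y ~ x^(-c)
    log_scale: float   # intercept: log of the proportionality constant
    r_squared: float   # how straight the log-log plot actually is


def rank_frequency(counts: Iterable[int]) -> List[int]:
    """Sort counts descending so that x = rank (1 = most-hit) and y = count."""
    return sorted((c for c in counts if c > 0), reverse=True)


def fit_power_law(counts: Iterable[int]) -> PowerLawFit:
    ys = rank_frequency(counts)
    if len(ys) < 2:
        raise ValueError("need at least two non-zero counts")
    lx = [math.log(rank) for rank in range(1, len(ys) + 1)]
    ly = [math.log(y) for y in ys]
    n = len(lx)
    mx, my = sum(lx) / n, sum(ly) / n
    sxx = sum((a - mx) ** 2 for a in lx)
    sxy = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    syy = sum((b - my) ** 2 for b in ly)
    slope = sxy / sxx
    # A flat distribution has no variance in log(y): r^2 is undefined, report 0.
    r2 = 0.0 if syy <= 1e-12 else (sxy * sxy) / (sxx * syy)
    return PowerLawFit(exponent=-slope, log_scale=my - slope * mx, r_squared=r2)


def top_share(counts: Iterable[int], top: int = 3) -> float:
    """Share of all hits taken by the `top` most-hit items: the 'large is
    rare, small is common' signature means a handful of ports dominate."""
    ys = rank_frequency(counts)
    return sum(ys[:top]) / sum(ys)


# Constructed sample: destination port -> hit count over a monitoring period.
# Port numbers are arbitrary labels; counts follow 50000 * rank^-1.5, rounded.
SAMPLE_PORT_HITS: Dict[int, int] = {
    port: round(50000 * rank ** -1.5)
    for rank, port in enumerate([445, 23, 1433, 22, 3389, 80, 135, 139, 25, 8080,
                                 5900, 21, 3306, 1434, 443, 110, 53, 1080, 161, 6667],
                                start=1)
}

if __name__ == "__main__":
    fit = fit_power_law(SAMPLE_PORT_HITS.values())
    print(f"exponent c = {fit.exponent:.3f}, r^2 = {fit.r_squared:.4f}")
    print(f"top-3 ports take {top_share(SAMPLE_PORT_HITS.values()):.1%} of hits")
```

On real IDS logs the fit is usually only approximately straight; a low r² or a visible bend at the high-rank end means the tail is cut off (sensor coverage, sampling) and the exponent should not be reported without that caveat.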
  • 1.Computer Virus Reported (1) Summary for This Quarter
    Attachment 1. 1. Computer Virus Reported. (1) Summary for this Quarter. The number of the cases reported for viruses*1 in the first quarter of 2013 decreased from that of the fourth quarter of 2012 (see Figure 1-1). As for the number of the viruses detected*2 in the first quarter of 2013, W32/Mydoom accounted for three-fourths of the total (see Figure 1-2). Compared to the fourth quarter of 2012, however, both W32/Mydoom and W32/Netsky showed a decreasing trend. When we looked into the cases reported for W32/Netsky, we found that in most of those cases, the virus code had been corrupted, so that the virus was unable to carry out its infection activity. So, it is unlikely that the number of cases involving this virus will increase significantly in the future. As for W32/IRCbot, it has greatly decreased from the level of the fourth quarter of 2012. W32/IRCbot carries out infection activities by exploiting vulnerabilities within Windows or programs, and is often used as a foothold for carrying out a "Targeted Attack". It is likely that there has been a shift to attacks not using this virus. XM/Mailcab is a mass-mailing type virus that exploits the mailer's address book and distributes copies of itself. By carelessly opening this type of email attachment, the user's computer is infected, and if the number of such users increases, so will the number of the cases reported. As for the number of the malicious programs detected in the first quarter of 2013, Bancos, which steals IDs/passwords for Internet banking, Backdoor, which sets up a back door on the target PC, and Webkit, which guides Internet users to a maliciously-crafted website to infect them with another virus, were detected in large numbers.
  • Detecting Botnets Using File System Indicators
    Detecting botnets using file system indicators. Master's thesis, University of Twente. Author: Peter Wagenaar. Committee members: Prof. Dr. Pieter H. Hartel, Dr. Damiano Bolzoni, Frank Bernaards LLM (NHTCU). December 12, 2012.
    Abstract. Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&Cs are present on the file system. We define a set of file system based indicators and use them to search for C&Cs in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratios can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research.
  • Transition Analysis of Cyber Attacks Based on Long-Term Observation—
    2-3 nicter Report: Transition Analysis of Cyber Attacks Based on Long-term Observation. NAKAZATO Junji and OHTAKA Kazuhiro.
    In this report, we provide statistical data concerning cyber attacks and malwares based on long-term network monitoring on the nicter. Especially, we show a continuous observation report of Conficker, which is a pandemic malware since November 2008. In addition, we report a transition analysis of the scale of botnet activities.
    Keywords: Incident analysis, Darknet, Network monitoring, Malware analysis
    1 Introduction. We have been monitoring the IP address space that is reachable and unused on the Internet (i.e. darknets) on a large scale to understand the overall impact inflicted by infectious activities including malware. This report analyzes the darknet traffic that has been monitored and accumulated over six years by an incident analysis center named the nicter[1][2]*1 to provide changing trends of cyber attacks and fluctuation of attacker host activities as obtained by long-term monitoring. In particular, we focus on Conficker, a worm that has triggered large-scale infections since November 2008, and report its impact on the Internet and its current activities.
    [Continuing mid-sentence:] ... leverages the traffic as detected by the four black hole sensors placed on different network environments as shown by Fig. 1.
    ● Sensor I: Structure where live nets and darknets coexist in a class B network
    ● Sensor II: Structure where only darknets exist in a class B network
    ● Sensor III: Structure where a /24 subnet in a class B network is a darknet
    ● Sensor IV: Structure where live nets and darknets coexist in a class B network
    The traffic obtained by these four sensors is analyzed by different analysis engines[3][4]
  • Malware to Crimeware
    DAVID DITTRICH. malware to crimeware: how far have they gone, and how do we catch up?
    Dave Dittrich is an affiliate information security researcher in the University of Washington's Applied Physics Laboratory. He focuses on advanced malware threats and the ethical and legal framework for responding to computer network attacks. [email protected]
    I have surveyed over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on subtle social engineering tactics, advanced cryptographic techniques to defeat takeover and analysis, and highly targeted attacks that are intended to fly below the radar of current technical defenses. I will show how malicious technology combined with social manipulation is used against us and conclude that this understanding might even help us design our own combination of technical and social mechanisms to better protect us.
    And ye shall know the truth, and the truth shall make you free. John 8:32
    The late 1990s saw the advent of distributed and coordinated computer network attack tools, which were primarily used for the electronic equivalent of fist fighting in the streets. It only took a few years for criminal activity—extortion, click fraud, denial of service for competitive advantage—to appear, followed by mass theft of personal and financial data through quieter, yet still widespread and automated, keystroke logging. Despite what law-abiding citizens would desire, crime does pay, and pay well. Today, the financial gain from criminal enterprise allows investment of large sums of money in developing tools and operational capabilities that are increasingly sophisticated and highly targeted.
  • System Center Endpoint Protection for Mac
    System Center Endpoint Protection for Mac: Installation Manual and User Guide.
    Contents: System Center Endpoint Protection (3); System requirements (3); Installation (4); Typical installation (4); Custom installation (4); Uninstallation (5); Beginners guide (6); User interface (6); Checking operation of the system (6); What to do if the program does not work properly (7); Work with System Center Endpoint Protection (8); Antivirus and antispyware protection (8); Real-time file system protection (8); Real-time Protection setup (8); Scan on (Event triggered scanning) (8); Advanced scan options (8); Exclusions from scanning (8); When to modify Real-time protection configuration (9); Checking Real-time protection (9); What to do if Real-time protection does not work (9); On-demand computer scan (10); Type of scan (10); Smart scan (10); Custom scan (11); Scan targets (11); Scan profiles (11); Engine parameters setup (12); Objects (12); Options (12); Cleaning (13); Extensions (13); Limits (13); Others (13); An infiltration is detected (14); Updating the program (14); Update setup (15); How to create update tasks (15); Upgrading to a new build (15); Scheduler (16); Purpose of scheduling tasks (16); Creating new tasks (16); Creating user-defined task (17); Quarantine (17); Quarantining files (17); Restoring from Quarantine (17); Log files (18); Log maintenance (18); Log filtering (18); User interface (18); Alerts and notifications (19); Alerts and notifications advanced setup (19); Privileges (19); Context menu (19); Advanced user (20); Import and export settings (20); Import settings (20); Export settings (20); Proxy server setup (20); Removable media blocking (20); Glossary (21); Types of infiltrations (21); Viruses (21); Worms (21); Trojan horses (21); Adware (22); Spyware (22); Potentially unsafe applications (22); Potentially unwanted applications (22).
    System Center Endpoint Protection. As the popularity of Unix-based operating systems increases, malware authors are developing more threats to target Mac users.
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems
    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS. CHO CHO SAN. UNIVERSITY OF COMPUTER STUDIES, YANGON. OCTOBER, 2019. A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy.
    Statement of Originality. I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. Date. Cho Cho San.
    ACKNOWLEDGEMENTS. First of all, I would like to thank His Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
  • Chapter 3: Viruses, Worms, and Blended Threats
    Chapter 3: Viruses, Worms, and Blended Threats (46). Evolution of Viruses and Countermeasures (46): The Early Days of Viruses (47); Beyond Annoyance: The Proliferation of Destructive Viruses (48); Wiping Out Hard Drives: CIH Virus (48); Virus Programming for the Masses 1: Macro Viruses (48); Virus Programming for the Masses 2: Virus Generators (50); Evolving Threats, Evolving Countermeasures (51); Detecting Viruses (51); Radical Evolution: Polymorphic and Metamorphic Viruses (53); Detecting Complex Viruses (55); State of Virus Detection (55); Trends in Virus Evolution (56). Worms and Vulnerabilities (57).