DOCSLIB.ORG

Computer Virus and Worms

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Scholarly Journal of Mathematics and Computer Science Vol. 7(1), pp. 1-9, December 2018 Available online at http:// www.scholarly-journals.com/SJMCS ISSN 2276-8947 © 2018 Scholarly-Journals Full Length Research Paper A study on malware: Computer virus and worms Rabia Khan MCA, Punjab Technical University, India. Author email :[email protected] Accepted 16 December, 2018 Malware or malicious software is a type of security threat that brings harm to computer system. Most organizations are affecting by malware. Malware steal protected data, by pass access control, delete document or add documents not approved by user. Malware can be in the form of virus, worms Trojan horse, adware, spyware, rootkit, backdoor, and botnet. In this paper, we study the most significant malware: Virus and worms can have a devastating effect on business continuity and profitability. Also this paper describes the timeline of virus, worms and Trojan horse. Key words: Malware, malicious software, data, virus, worms Trojan horse INTRODUCTION Nowadays, a huge variety of cyber-attacks are available of these security threats try to violate confidentially, that can be affect not only big organization but also affect integrity and accessibility. Malicious software (malware in the personal computers such as brute force attack, social short) is software designed to cause harm to computer engineering/cyber fraud attacks, distributed denial of and user (Abhisheck Ranjan (www.geeksforgeeks.org), service attack, phishing attacks and malware attack. All Neil, 2012). Adware biggest threats to security systems. Botnet can be used Adware is one type of malware that automatically delivers for Distributed Denial of Service (DDoS) attacks, as advertisements. This is able to pop-up advertisements on spambots that render advertisements on websites, as websites and advertisements that are displayed by web spiders that scrape server data, and for distributing software. malware disguised as popular search items on download sites. Botnet Rootkit Botnet is another type of malware that is able to perform specific operations automatically. It became one of the A rootkit was designed to remotely access or control a Scholarly J. Math. Comp. Sci. 2 computer without being detected by users or security Philippines (Wajeb, 2011). programs. When a rootkit infected the system then it is possible to the malicious party behind it to remotely execute files, access or steal information, modify system How do Computer Viruses spread in Computer configurations, alter the software, install concealed malware, or take control the computer as part of a botnet. Before intervention of Internet, virus often spread from Rootkit prevention, detection, and removal are difficult. computer to computer via infected removable flash drive. If a flash drive has been infected with a virus from a source computer and when a person boots the Spyware removable flash drive in another computer it will be trigger the spread of the virus from the removable flash Spyware is another type of malware that work as spying drive to the computer. For example, if person purchases on user activity without their knowledge. These spying software that is infected with virus and then install the capabilities can know the activities of user include activity same software in his/her computer the running of the monitoring, collecting keystrokes, account information, software can trigger the virus to spread to his/her logins, financial data and more. computer. The most common way of spreading the virus is through e-mail attachments. Most people send email message with attachments. These attachments often Trojan horse always contain computer virus so that when a computer user downloads the attachment the computer virus is A Trojan horse also known as a “Trojan,” is another type eventually transmitted to the user computer. of malware that disguises itself as a normal file or Now we can say the most common way to spreading program to trick users into downloading and installing the virus is via Internet (Adam, 2010). malware. A Trojan horse can give a malicious party remote access to an infected computer. Once an attacker has access to an infected computer, it is possible for the Harmful Effect of Computer Virus attacker to steal data like as logins, financial data, and even electronic money, install more malware, also modify Virus can create minor damage to major damage. Virus files, monitor user activity like as screen watching, can replicate themselves they can cause damage the keylogging, etc, use the computer in botnets process, computer system by taking up huge memory or disk and anonymize Internet activity by the attacker. space, damaging or corrupting data, changing data, erasing files or locking up the whole computer system (Lynn, 2016). What is Computer Virus The lists of effect of computer viruses are as follows: A computer virus so called a virus because it has similar characteristics with a biological virus. Like biological • Reduce the memory space, damage disks virus, computer virus can also be transformed from one • Increase the startup time and run time computer to another computer. Computer viruses are one • Computer runs slower than usual type of malware, a self-replicating programs designed to • Computer stops responding to the commands spread itself from computer to computer and capable of • Computer hangs frequently reproducing copies of itself and inserting them into other • Computer restarts every few minutes programs of files. We can say computer viruses are • Certain applications are not running frequently computer programs that are designed to spread • Appearance of unusual messages themselves from one file to another on a single file. • Distorting menu and dialog boxes Viruses spread quickly to many files within computer, but • Improper functioning of the anti-virus program it cannot be spread between computers unless people • Appearance of new icon on desktop exchange infected files over a network or share an infected floppy diskette. Viruses can be written in The above points are also indicators that the computer numerous computer programming languages including may have been infected by worms and Trojan horses. assembly language, C, C++, Java, Scripting languages, and macro programming languages. The world was The Characteristics of Computer Virus (Zahri and realized the impact of computer virus in 2000. I LOVE Ahmad, 2003) YOU virus spread throughout the world causing billions of dollars in damages in different countries in 2000. It was The following are some of the characteristics of computer believed that, the source of this virus was traced in viruses: Khan, 3 i. Size: The size of the program code required for from one computer to another computer. Worms are also computer viruses are small. computer programs as computer viruses that are capable ii. Versatility: This is another type of characteristics. This of replicating copies of themselves via network is the ability to generically attack a different variety of connections. The worm can infect as many machines as applications. possible on the network, rather than spreading many iii. Propagation: Once a computer virus has affected a copies of itself on a single computer, as a computer virus program and whenever this affected program is running does. A worm infects a target system only once, after the then the virus is able to spread to other programs and initial infection, the worm attempts to spread to other files accessible to the computer system. machines on the network. Worm can spread much more iv. Effectiveness: Computer viruses have far-reaching rapidly than viruses because computer worms do not and catastrophic effect on their victims, which includes reply on humans to copy them from computer to the total destroy of data, programs and even operating computer. Computer worm can run itself without any systems. human involvement. It is possible that if only one v. Functionality: Computer Viruses have a wide variety computer worm is transferred then there will be of functionality in computer virus program. Some viruses thousands of worms in a computer. Virus need a host are programmed to damage or delete or corrupt files and program to run and the virus runs as port of the host even to destroy operating system and some virus program, a worm can spread even in the absence of a programs are spread themselves to applications without host program. Worms can spread from one computer to attacking data files or operating system activities. another computer without the need of human running a x. Persistence: After detection, the recovery of data and program (Rajesh et al., 2015, Wajeb, 2011). even system operation has been difficult and time consuming. How do Computer Worms Spread in Computer Classification of Computer Viruses (Wajeb, 2011 and There are many ways to spread the computer worms H. Sharvan Kumar) (Available: https://antivirus.comodo.com/blog/comodo- news/computer-worm-virus/). Computer viruses are classified by the type of file or disk that the virus infects: Email: Email is the one of the most common ways for computer worms to spread. Worms can spread through Boot Virus: These viruses attach themselves to floppy email attachment. Once a machine has been infected, diskettes and hard drives. When a user boot from an then worm is able to replicate itself by emailing itself to infected floppy diskette or hard drive, the virus is everyone in your address book or replying to emails in activated and the computers become infected. your inbox automatically. Application virus: These types of viruses spread from Operating System Vulnerabilities: Mostly operating one application to another on the computer system. system has its vulnerabilities and some worms are File Virus: These types of virus infect executable files. specifically coded to take the advantage of these weak These are written in machine code (0 or 1) due to these points. reasons also called binary file virus. They are able to Instant Messaging: Now a day’s Modern chat systems infect over networks.
Recommended publications
  • Statistical Structures: Fingerprinting Malware for Classification and Analysis

    Statistical Structures: Fingerprinting Malware for Classification and Analysis

    Statistical Structures: Fingerprinting Malware for Classification and Analysis Daniel Bilar Wellesley College (Wellesley, MA) Colby College (Waterville, ME) bilar <at> alum dot dartmouth dot org Why Structural Fingerprinting? Goal: Identifying and classifying malware Problem: For any single fingerprint, balance between over-fitting (type II error) and under- fitting (type I error) hard to achieve Approach: View binaries simultaneously from different structural perspectives and perform statistical analysis on these ‘structural fingerprints’ Different Perspectives Idea: Multiple perspectives may increase likelihood of correct identification and classification Structural Description Statistical static / Perspective Fingerprint dynamic? Assembly Count different Opcode Primarily instruction instructions frequency static distribution Win 32 API Observe API calls API call vector Primarily call made dynamic System Explore graph- Graph structural Primarily Dependence modeled control and properties static Graph data dependencies Fingerprint: Opcode frequency distribution Synopsis: Statically disassemble the binary, tabulate the opcode frequencies and construct a statistical fingerprint with a subset of said opcodes. Goal: Compare opcode fingerprint across non- malicious software and malware classes for quick identification and classification purposes. Main result: ‘Rare’ opcodes explain more data variation then common ones Goodware: Opcode Distribution 1, 2 ---------.exe Procedure: -------.exe 1. Inventoried PEs (EXE, DLL, ---------.exe etc) on XP box with Advanced Disk Catalog 2. Chose random EXE samples size: 122880 with MS Excel and Index totalopcodes: 10680 3, 4 your Files compiler: MS Visual C++ 6.0 3. Ran IDA with modified class: utility (process) InstructionCounter plugin on sample PEs 0001. 002145 20.08% mov 4. Augmented IDA output files 0002. 001859 17.41% push with PEID results (compiler) 0003. 000760 7.12% call and general ‘functionality 0004.
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
  • A Taxonomy of Computer Worms ∗

    A Taxonomy of Computer Worms ∗

    A Taxonomy of Computer Worms ∗ † ‡ § ¶ Nicholas Vern Stuart Robert Weaver Paxson Staniford Cunningham UC Berkeley ICSI Silicon Defense MIT Lincoln Laboratory ABSTRACT 1. INTRODUCTION To understand the threat posed by computer worms, it is A computer worm is a program that self-propagates across necessary to understand the classes of worms, the attackers a network exploiting security or policy flaws in widely-used who may employ them, and the potential payloads. This pa- services. They are not a new phenomenon, having first per describes a preliminary taxonomy based on worm target gained widespread notice in 1988 [16]. discovery and selection strategies, worm carrier mechanisms, We distinguish between worms and viruses in that the worm activation, possible payloads, and plausible attackers latter infect otherwise non-mobile files and therefore require who would employ a worm. some sort of user action to abet their propagation. As such, viruses tend to propagate more slowly. They also have more Categories and Subject Descriptors mature defenses due to the presence of a large anti-virus industry that actively seeks to identify and control their D.4.6 [Operating Systems]: Security and Protection—In- spread. vasive Software We note, however, that the line between worms and viruses is not all that sharp. In particular, the contagion worms General Terms discussed in Staniford et al [47] might be considered viruses Security by the definition we use here, though not of the traditional form, in that they do not need the user to activate them, but Keywords instead they hide their spread in otherwise unconnected user activity. Thus, for ease of exposition, and for scoping our computer worms, mobile malicious code, taxonomy, attack- analysis, we will loosen our definition somewhat and term ers, motivation malicious code such as contagion, for which user action is not central to activation, as a type of worm.
  • Automatic Classifying of Mac OS X Samples

    Automatic Classifying of Mac OS X Samples

    Automatic Classifying of Mac OS X Samples Spencer Hsieh, Pin Wu and Haoping Liu Trend Micro Inc., Taiwan TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information Contents and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted 4 upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing Introduction herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy 6 is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to Mac OS X Samples Dataset the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 10 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as Classification of Mach-O Files to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. 11 Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, Malware Families indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content 15 thereof.
  • Analyzing Android Adware

    Analyzing Android Adware

    San Jose State University SJSU ScholarWorks Master's Projects Master's Theses and Graduate Research Spring 2018 Analyzing Android Adware Supraja Suresh San Jose State University Follow this and additional works at: https://scholarworks.sjsu.edu/etd_projects Part of the Computer Sciences Commons Recommended Citation Suresh, Supraja, "Analyzing Android Adware" (2018). Master's Projects. 621. DOI: https://doi.org/10.31979/etd.7xqe-kdft https://scholarworks.sjsu.edu/etd_projects/621 This Master's Project is brought to you for free and open access by the Master's Theses and Graduate Research at SJSU ScholarWorks. It has been accepted for inclusion in Master's Projects by an authorized administrator of SJSU ScholarWorks. For more information, please contact [email protected]. Analyzing Android Adware A Project Presented to The Faculty of the Department of Computer Science San Jose State University In Partial Fulfillment of the Requirements for the Degree Master of Science by Supraja Suresh May 2018 ○c 2018 Supraja Suresh ALL RIGHTS RESERVED The Designated Project Committee Approves the Project Titled Analyzing Android Adware by Supraja Suresh APPROVED FOR THE DEPARTMENTS OF COMPUTER SCIENCE SAN JOSE STATE UNIVERSITY May 2018 Dr. Mark Stamp Department of Computer Science Dr. Katerina Potika Department of Computer Science Fabio Di Troia Department of Mathematics ABSTRACT Analyzing Android Adware by Supraja Suresh Most Android smartphone apps are free; in order to generate revenue, the app developers embed ad libraries so that advertisements are displayed when the app is being used. Billions of dollars are lost annually due to ad fraud. In this research, we propose a machine learning based scheme to detect Android adware based on static and dynamic features.
  • The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
  • Strategies of Computer Worms

    Strategies of Computer Worms

    304543_ch09.qxd 1/7/05 9:05 AM Page 313 CHAPTER 9 Strategies of Computer Worms “Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect.” —Concise Oxford English Dictionary, Revised Tenth Edition 313 304543_ch09.qxd 1/7/05 9:05 AM Page 314 Chapter 9—Strategies of Computer Worms 9.1 Introduction This chapter discusses the generic (or at least “typical”) structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a “worm.” We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses1. Let me explain. The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take con- trol of remote systems without any help from the users, usually exploiting a vul- nerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats. Table
  • Paradise Lost , Book III, Line 18

    Paradise Lost , Book III, Line 18

    _Paradise Lost_, book III, line 18 %%%%%%%%%%%%%%%%%%%%%%%% ++++++++++Hacker's Encyclopedia++++++++ ===========by Logik Bomb (FOA)======== <http://www.xmission.com/~ryder/hack.html> ---------------(1997- Revised Second Edition)-------- ##################V2.5################## %%%%%%%%%%%%%%%%%%%%%%%% "[W]atch where you go once you have entered here, and to whom you turn! Do not be misled by that wide and easy passage!" And my Guide [said] to him: "That is not your concern; it is his fate to enter every door. This has been willed where what is willed must be, and is not yours to question. Say no more." -Dante Alighieri _The Inferno_, 1321 Translated by John Ciardi Acknowledgments ---------------------------- Dedicated to all those who disseminate information, forbidden or otherwise. Also, I should note that a few of these entries are taken from "A Complete List of Hacker Slang and Other Things," Version 1C, by Casual, Bloodwing and Crusader; this doc started out as an unofficial update. However, I've updated, altered, expanded, re-written and otherwise torn apart the original document, so I'd be surprised if you could find any vestiges of the original file left. I think the list is very informative; it came out in 1990, though, which makes it somewhat outdated. I also got a lot of information from the works listed in my bibliography, (it's at the end, after all the quotes) as well as many miscellaneous back issues of such e-zines as _Cheap Truth _, _40Hex_, the _LOD/H Technical Journals_ and _Phrack Magazine_; and print magazines such as _Internet Underground_, _Macworld_, _Mondo 2000_, _Newsweek_, _2600: The Hacker Quarterly_, _U.S. News & World Report_, _Time_, and _Wired_; in addition to various people I've consulted.
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics

    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics PH.D THESIS Platon Pantelis Kotzias Copyright c 2019 by Platon Pantelis Kotzias iv DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing Author: Platon Pantelis Kotzias Advisor: Dr. Juan Caballero April 2019 Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain Abstract of the Dissertation Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and sys- tematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.