
Tom Dickerson

1824 Holly St.


Harrisburg, PA 17104
November 20, 2014

Professor Valarie Gray


Technical Writing Instructor
Harrisburg Area Community College
Harrisburg, PA 17110

Dear Professor Gray,

Here is my report, The Cause of Malware and its Proposed Solutions. While creating this report I have
learned a lot about computer malware. This report provides readers with definitions of the different kinds of
malware.
This document also provides the history of computer viruses and antivirus software.
While reading this document you will gain knowledge of how anti-malware programs operate to detect and
destroy malware. In learning how they work, you will also understand their limitations. There is a
process called whole-system emulation which is being improved to overcome the anti-malware
software that exists today.
I have conducted my own research on my own computer in a controlled environment to see how effective
three of the anti-malware programs in use today are.
I have enjoyed working on this project, and I am available to answer any questions. Please reach me by
phone at (717) 773-1676 or by email at tom.dickerson3@gmail.com at your convenience.

Sincerely,

Tom Dickerson

The Cause of Malware and its Proposed Solutions

for
Professor Valarie Gray
Technical Writing Instructor
Harrisburg Area Community College
Harrisburg, Pennsylvania

by
Tom Dickerson
English 104 Student

November 20, 2014


In this document you will come to understand the different types of malware, the state of the current
solutions to the problem, and the proposed solutions for deterring its spread in the future.

Table of Contents

Introduction
    Familiarization with Malware
    Problems Caused by Anti-Malware Software
    Scope of Report
    Plan of Development
    Historical Background
        First Viruses
        First Anti-malware Program
Secondary Research Section
    Current Limitations of Anti-Malware Programs
    New Approach to Creating Anti-Malware Programs
    Flaws in TEMU
    How Malware can be Beaten
Independent Anti-Malware Study
    Anti-Malware Program Research
    Malwarebytes
    AVG Internet Security 2015
    Kaspersky Pure 3.0
Conclusion
References
Appendix

Figures

Figure 1 Malwarebytes Full System Scan
Figure 2 AVG Full System Scan
Figure 3 AVG Full System Scan 2
Figure 4 Kaspersky Full System Scan

Introduction

Familiarization with Malware

Malicious software, known as malware, can infect any computer operating system, including Windows,
Macintosh, and Linux. Since most people use Windows, most malware is written to infect Windows
computers. Malware slows a computer's performance, and some malware can make a computer completely
unusable. Malware also leads to security problems for internet users: stolen passwords, credit card
information, and computer files. Malware attacks are used by hackers to retrieve information from people,
businesses, and governments.
"Computer virus" is a term that many people misuse to describe all malware. While all computer viruses are
malicious software, not all malware is a virus. Peter Gregory says, "A virus is nothing more than a set of
instructions, written in a high-level programming language, such as Visual Basic, C, C++, or Java,
translated into native instructions (a long list of ones and zeros)" (2004, p. 210).
What separates a virus from other types of malware is that a virus attaches itself to existing files and
spreads to the rest of the computer. This means that if one infected file is deleted, the virus still lives on
in the other files it has infected. A virus spreads from computer to computer whenever a computer comes
in contact with an infected file, and infected files can be passed along by all forms of physical and digital
media. The other types of malware covered in this report are phishing, spyware, trojan horses, and worms.
(Strictly speaking, phishing is a social-engineering attack rather than a piece of software, but it is grouped
here because it pursues the same goal as the others: the user's information.)
Phishing deceives website visitors into thinking they are on a legitimate website so that the attacker can
collect the users' personal information. On a phishing website a computer user enters information, such as
a credit card number, and the creators of the website then use whatever was entered. Phishing can also be
used to get at information held on a trusted website. I was the victim of a phishing attack while visiting the
website PayPal. My credit card information was taken after I transferred money through PayPal to another
user, by a user across the country who made purchases and emptied out my checking account.
Spyware is malicious software that monitors a computer user's activity on websites and in computer
programs. Spyware installs programs onto the user's computer to monitor that activity, and the record of it
is then sent back to the originator of the malware. Spyware can also generate unwanted pop-ups. For
instance, if a user is browsing a website for video game reviews, the user will receive pop-ups offering a
new video game for sale, and a portion of any purchase goes to the creator of the spyware.
A trojan horse is malicious software that deceives users into thinking it is a legitimate computer
program, but is instead used to delete or retrieve data, or to relay information. A trojan horse cannot
replicate like a virus, but it can carry out the same tasks once it is executed. Trojan horses are usually
delivered as executable files (on Windows, files with the .exe extension), so running the "program" runs
the malware. Like the Trojan Horse of ancient Greece, the malicious file is passed onto a computer
disguised as a safe one. Because trojan horses are disguised as safe, it is hard for antivirus programs that
protect computers automatically to identify them before they compromise the computer. Computers that
have trojan horses on them can also be accessed by the person or persons responsible for the trojan horse.
This means all information on the computer can be accessed by the creators of the malware, and they can
install more malware as well. Trojans were the most common form of malware, accounting for 64% of all
malware (Cisco 2014).
A worm is malicious software that replicates itself across a computer network and is often used to deliver
other types of malware to computer users. Once a worm has infected one computer it will try to reach every
other computer on that network and can install more dangerous malware on any of them. A worm also
consumes network bandwidth, slowing users' browsing and their access to files on the network.

Problems Caused by Anti-Malware Software

PandaLabs, an anti-malware company, has reported that 30% of the computers scanned with its products
are infected with malware (PandaLabs 2012, p. 10). AV-Comparatives, an independent not-for-profit
organization, runs international surveys of computer users and tests anti-malware software for individuals,
news organizations, and scientific institutions, and its results are recognized globally. Anti-malware vendors
seek its stamp of approval to verify that their products do what they claim. In the AV-Comparatives annual
survey, 38% of respondents said that their anti-malware program had blocked a malicious attack within the
past week (AV-Comparatives 2014b, p. 14).

The threat of malware is not limited to computers. Cell phones are also vulnerable to malicious attacks,
and 25.8% of smartphone users do not use anti-malware protection on their devices. The most popular
operating system for cyber criminals to attack is Android: 99% of all mobile malware in 2013 targeted
Android devices (Cisco 2014, p. 3).

Anti-malware programs are subject to scrutiny as well. Anti-malware programs have let key loggers and
other malware onto consumer computers when the malware was created by a government, most notably the
NSA (AV-Comparatives 2014a, p. 6). There is precedent for this: in the past, anti-malware vendors did not
add detection for spyware and key loggers produced by commercial businesses, so that those businesses
could keep making money (AV-Comparatives 2014a, p. 6). Fifteen of the twenty-one top anti-malware
programs collect data on every website their users visit (AV-Comparatives 2014a, p. 3); the programs that
do not collect visited-website data are Vipre, AhnLab, and Emsisoft. Some anti-malware programs even
transmit the user's IP address to the vendor's headquarters; the most popular programs that transmit such
data are Windows, Avast, McAfee, and Bitdefender. When choosing an anti-malware program,
AV-Comparatives advises consumers to "install only products from reputable manufacturers, and check
that the license agreement does not permit any questionable practices such as allowing any and all user
data to be collected. Users should also avoid being lured into using free products that require submitting
personal data (data mining is a business model too, as well as the inclusion of third-party toolbars which
collect information on their own)" (AV-Comparatives 2014a).

Scope of Report

This analytical report is intended to inform a computer user, one who can fix problems through research
when needed, that malware is a serious threat. Through both primary and secondary research I will
investigate how anti-malware programs work, what their flaws are, and how they can be improved.

Plan of Development

In this report I first explain the dangers of malicious software. I then show why computers need a stronger
defense against it. Next I explain proposed solutions for improving the current state of anti-malware
software. Finally I present my own research on how well three anti-malware programs worked on my
personal computer. The appendix at the end of this report contains all anti-malware logs, articles, and
charts from that research.

Historical Background

First Viruses

The term "computer virus" was formally defined by Fred Cohen in 1983, while he performed academic
experiments on a Digital Equipment Corporation VAX system (Computer Security Resource Center).

Earlier computer viruses were created solely for research. The first computer virus to spread among the
public's computers was Elk Cloner, written by a 15-year-old high school student, Rich Skrenta, in 1981.
Skrenta placed the virus on a floppy disk holding a game; the virus altered the boot code of the Apple II
that loaded it, so that the machine itself carried the virus. On every fiftieth boot from an infected disk the
screen went blank and a poem was displayed. Any floppy disk inserted into an infected computer would
in turn carry the virus (Computer Security Resource Center).

The first computer virus to attack IBM PCs was the Brain virus, created in 1986 by Basit Farooq Alvi and
Amjad Farooq Alvi, who ran a computer store named Brain Computer Services. Brain was programmed to
change the volume label of every floppy disk it infected to "(C) Brain". In 1986 the only practical way to
share computer files was by floppy disk, so many computers were infected, and Brain made its way from
South Asia (the Alvis' store was in Lahore, Pakistan) to North America (Gregory 2004, p. 211).

First Anti-malware Program

The first antivirus program released was G Data's, written by Andreas Lüning and Kai Figge in 1987
(G Data Software). It was created for the Atari ST. The program carried code fragments copied from
previously seen viruses and was programmed to delete that code from the computer if it found it; this
signature-matching approach is still the core of antivirus engines today. G Data Software is still in business
and appears in the AV-Comparatives reports.

Secondary Research Section

Current Limitations of Anti-Malware Programs

Currently there are two forms of malware analysis: static analysis and dynamic analysis. The more common
form, static analysis, ordinarily uses disassembler tools. A disassembler is a program that converts a file's
machine code back into readable instructions so that an analyst can work out what the file is programmed
to do without running it. Static analysis is bypassed by malware that uses code packing, anti-debugging,
control-flow obfuscation, and other analysis-evasion tricks (Yin & Song 2013, p. 2).

Dynamic analysis can overcome these shortcomings by running the malicious program in an emulator,
which lets the malware execute and be observed without harming the computer. Dynamic analysis has
limitations of its own. Conventional (in-the-box) dynamic analysis cannot handle dynamically generated
code, cannot see what the malware does to the operating system's registry or memory, cannot observe
behavior that only occurs after a specific trigger, and cannot explain what the malware program as a whole
is doing (Yin & Song 2013, p. 2).
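The two ideas above, the signature matching of the earliest antivirus products and the static-versus-dynamic comparison, can be seen in miniature in the following added example. It is not code from this report, from G Data, or from Yin and Song's book: the signature strings, the toy packer format (a "PKXR" header, one XOR key byte, then the encoded body), and the sample "file" are all constructed for illustration. A static scan finds the signature in the plain file and misses it in the packed one; a scan that first performs the unpacking step, which is what emulation-based dynamic analysis does for real packers, sees it again.

```c
/* Signature scanning versus packing. Added illustration only; not code from
 * the report or from any product it names. Signatures and sample are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed signature database: a name and the byte sequence an engine
 * looks for. These strings are invented and match no real malware. */
struct signature { const char *name; const char *bytes; size_t len; };
#define SIG(n, s) { n, s, sizeof(s) - 1 }
static const struct signature SIGNATURES[] = {
    SIG("Demo.Dropper", "cmd.exe /c del /q C:\\Users\\*\\Documents"),
    SIG("Demo.Keylog",  "GetAsyncKeyState"),
};
#define NSIGS (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Byte-exact substring search; strstr() would stop at the NULs that
 * executables are full of. */
static int contains(const uint8_t *hay, size_t hlen, const char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Static scan of the bytes as stored on disk. Returns a bitmask: bit i set
 * means SIGNATURES[i] was found. */
unsigned scan_static(const uint8_t *data, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(data, len, SIGNATURES[i].bytes, SIGNATURES[i].len))
            hits |= 1u << i;
    return hits;
}

/* Toy packer: 8-byte header ("PKXR", key byte, 3 reserved) then the payload
 * XOR-ed with the key. A real packer prepends a native decoding stub instead
 * of a header, but the effect is the same: nothing on disk matches. */
#define HDR_LEN 8
size_t pack(const uint8_t *in, size_t len, uint8_t key, uint8_t *out, size_t cap)
{
    if (cap < HDR_LEN + len) return 0;
    memcpy(out, "PKXR", 4);
    out[4] = key; out[5] = out[6] = out[7] = 0;
    for (size_t i = 0; i < len; i++) out[HDR_LEN + i] = in[i] ^ key;
    return HDR_LEN + len;
}

/* "Run the stub": produce the bytes the unpacking routine leaves in memory. */
size_t unpack(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    if (len < HDR_LEN || memcmp(in, "PKXR", 4) != 0) return 0;
    size_t body = len - HDR_LEN;
    if (cap < body) return 0;
    for (size_t i = 0; i < body; i++) out[i] = in[HDR_LEN + i] ^ in[4];
    return body;
}

/* Dynamic-style scan: scan the file as stored, then scan the image the stub
 * produces. The second pass is what running the sample under emulation buys. */
unsigned scan_dynamic(const uint8_t *data, size_t len)
{
    uint8_t mem[4096];
    unsigned hits = scan_static(data, len);
    size_t n = unpack(data, len, mem, sizeof mem);
    if (n) hits |= scan_static(mem, n);
    return hits;
}

/* Constructed sample "file" carrying the Demo.Dropper string. */
static const uint8_t SAMPLE[] =
    "MZ\x90\0\x03 ... cmd.exe /c del /q C:\\Users\\*\\Documents \0 end";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Pack the sample with key 0x5A and report what each kind of scan sees. */
unsigned packed_hits(int dynamic)
{
    uint8_t packed[4096];
    size_t plen = pack(SAMPLE, SAMPLE_LEN, 0x5A, packed, sizeof packed);
    return dynamic ? scan_dynamic(packed, plen) : scan_static(packed, plen);
}

/* Sanity check: pack then unpack must reproduce the sample byte for byte. */
int roundtrip_ok(void)
{
    uint8_t packed[4096], mem[4096];
    size_t plen = pack(SAMPLE, SAMPLE_LEN, 0x5A, packed, sizeof packed);
    size_t n = unpack(packed, plen, mem, sizeof mem);
    return n == SAMPLE_LEN && memcmp(mem, SAMPLE, n) == 0;
}

int main(void)
{
    printf("plain file,  static scan : %u\n", scan_static(SAMPLE, SAMPLE_LEN));
    printf("packed file, static scan : %u\n", packed_hits(0));
    printf("packed file, dynamic scan: %u\n", packed_hits(1));
    return 0;
}
```

The toy packer is trivially reversible because its "stub" is a fixed header; a real packer's stub is native code that may be polymorphic, compressed, and wrapped in the anti-debugging tricks listed above, which is exactly why tools such as Renovo execute it under emulation rather than trying to reverse it statically. Changing the single key byte is enough to defeat the static scan every time, so a signature database alone can never keep up with re-packed variants of one sample.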

New Approach to Creating Anti-Malware Programs

Yin and Song offer a new approach to malware analysis called whole-system out-of-the-box fine-grained
dynamic binary analysis. Their approach will "run an entire operating system (e.g., Windows) inside a
whole-system emulator, and then run the binary code in this emulated environment. During execution of
the binary code, we monitor and analyze its behaviors in a fine-grained manner (i.e., at instruction level),
completely from outside (within the emulator)" (2013, p. 2). In other words, this analysis uses an emulator
like ordinary dynamic analysis, but it emulates the entire operating system rather than just the program
under test. That lets the analysis observe and reconstruct what the malware does in the operating system's
registry and memory, and observe every trigger that activates the malware, while leaving nothing inside
the guest system for the malware to detect or tamper with. This technique overcomes the limitations of
ordinary dynamic analysis (2013, p. 2).

To build this new method, Yin and Song created a platform named TEMU on top of the existing
open-source whole-system emulator QEMU. With TEMU they then wrote plugins, additional software
modules that each perform a separate analysis task, to turn the emulator into an anti-malware analysis
platform. These plugins are Renovo, Panorama, HookFinder, and MineSweeper. Renovo analyzes the
unpacking behavior of packed code and data. Panorama monitors abnormal information access by
privacy-breaching malware such as spyware and key loggers. HookFinder identifies and explains the hooks
that malware plants in the system to intercept existing code paths. MineSweeper uncovers behavior that
malware reveals only under specific triggers (Yin & Song 2013, p. 30).

Flaws in TEMU

Advanced malware can detect that it is running in an emulated environment, and when it does it will stop,
behave harmlessly, or try to subvert the analysis. Malware detects whole-system emulators by checking the
characteristics of the hardware it is running on: in whole-system emulation the hardware is emulated as
well as the software, and the emulated hardware is never a perfect copy of the real thing. As virtualized
hardware becomes more common and more faithful, telling it apart from physical hardware gets harder, and
refusing to run on it costs the malware more and more potential victims. One way malware can tell that
hardware is being emulated is by timing how long an operation takes, since under emulation every
instruction, including the malware's own, takes longer to execute. A final way is to probe the central
processing unit itself: an emulated processor does not reproduce every instruction and side effect exactly
as a physical processor does (Yin & Song 2013, p. 5).
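A concrete form of the timing check described above, added here as an illustration (it is not code from TEMU, from Yin and Song, or from any malware): on x86 the CPUID instruction must be intercepted by every emulator and by every hypervisor, so timing it with the processor's timestamp counter exposes the slowdown. The trial count, the 1000-tick threshold, and the two sample arrays are assumptions chosen for the example; a real check is calibrated on the hardware the attacker expects to land on. On a non-x86 build the code falls back to timing a plain store with clock_gettime, which compiles but shows nothing about emulation.

```c
/* Timing-based emulation check. Added illustration of the technique the
 * report describes; not code from TEMU, from Yin and Song, or from malware.
 * Trial count, threshold and the constructed sample arrays are assumptions. */
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

#define TRIALS 64
#define THRESHOLD_TICKS 1000ull   /* assumed: above this, CPUID "looks emulated" */

/* Timestamp counter on x86; a monotonic nanosecond clock elsewhere. */
static uint64_t now_ticks(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Cost of one probe. CPUID must be intercepted by every emulator and
 * hypervisor, so it is slow there and only tens of cycles on bare metal.
 * The non-x86 fallback times a plain store and proves nothing about emulation. */
uint64_t probe_once(void)
{
    uint64_t t0 = now_ticks();
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)(a + b + c + d);
#else
    volatile unsigned sink = 0;
    sink++;
#endif
    return now_ticks() - t0;
}

/* Median of n samples (insertion sort; n is small). The median is used rather
 * than one run or the mean because a single interrupt or context switch can
 * inflate one measurement a thousandfold on real hardware, which would make a
 * single-shot check fire on a physical machine. Sorts v in place. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        uint64_t x = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1] > x) { v[j] = v[j - 1]; j--; }
        v[j] = x;
    }
    return n ? v[n / 2] : 0;
}

/* Decision, kept pure so it can be exercised with constructed samples. */
int looks_emulated(uint64_t *samples, size_t n, uint64_t threshold)
{
    return median_u64(samples, n) > threshold;
}

/* Constructed sample sets: bare-metal-like timings with one interrupt-inflated
 * outlier, and uniformly slow timings as an intercepting emulator would show. */
uint64_t SAMPLE_FAST[5] = { 40, 38, 900000, 41, 39 };
uint64_t SAMPLE_SLOW[5] = { 2500, 2400, 2600, 2450, 2550 };

int main(void)
{
    uint64_t s[TRIALS];
    for (int i = 0; i < TRIALS; i++) s[i] = probe_once();
    uint64_t m = median_u64(s, TRIALS);
    printf("median probe cost: %llu ticks -> %s\n", (unsigned long long)m,
           looks_emulated(s, TRIALS, THRESHOLD_TICKS) ? "emulator or hypervisor suspected"
                                                       : "looks like bare metal");
    return 0;
}
```

Because hypervisors trap CPUID as well, this probe flags any virtual machine, not only a whole-system emulator like TEMU; run it inside a cloud instance and it will usually report a slowdown. That cuts both ways for the defender: the more ordinary virtualization becomes, the more victims a piece of malware forfeits by refusing to run whenever the check fires.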

How Malware can be Beaten


John Aycock says, "In reality, there is no magic single solution to malware" (2006, p. 201). Aycock
observes that proposed paths to beating malware rest on assumptions about "typical" malware behavior
and on assumptions about malware writers that dramatically underestimate them. He further explains that
malware and anti-malware form "a technical arms race" that "rages on between attackers and defenders."
In other words, for any anti-malware software that is developed, new malware will be developed to bypass
it. Aycock argues that automatic anti-malware counters are still needed, even if they cannot stop malware
outright, because they slow attacks down (2006, p. 201).
Aycock proposes that solutions which do not depend on anti-malware software can be a computer user's
best defense. He lists them as plan B, education, vendor pressure, minimalism, and avoiding monocultures
(2006, p. 202).

Plan B is data recovery or system restoration after a computer has been infected with malware. A system
recovery returns the computer to the last point at which it ran without malware. This loses any data
changed since that point, but it also removes the malware (2006, p. 202). One practice that limits the data
loss is to install the operating system on a hard drive partition dedicated to it; if the operating system ever
needs to be restored or reinstalled, the user's files are not lost, because they sit on another partition. (A
restore of the system partition does not clean a malware file that lives on the data partition, so the data
partition still needs to be scanned afterwards.)

Education means teaching users how to resist social engineering attacks (2006, p. 202). Information is
not stolen only by malicious software; it is also stolen by hackers who obtain a user's personal details in
order to get into password-protected accounts. For example, a hacker can reset an email account's
password if they know the answers to the user's security questions. One way for users to protect themselves
is to not give truthful security answers, which can often be looked up, and instead use something
unguessable such as song lyrics.

Vendor pressure is another way consumers can protect themselves from malicious attacks. Customers
should demand that software companies tighten their products so that hackers cannot exploit the products'
flaws to attack customers. Pressuring vendors for stronger security will push them to reach out to educators
and software researchers to create better software (2006, p. 202).

Minimalism means using only the software and computer features that are actually needed. Aycock gives
the example of running network servers when they are not needed. Letting a program access the internet
without permission, or staying online when there is no need to, exposes the user to malicious attacks
(2006, p. 202).

Avoiding monocultures means making it harder for malware to attack all computers by not having them
all be the same. Aycock does not mean that everyone needs a different operating system, although that
would help. He states that "Monocultures can be avoided in part just by automatically injecting
randomness into the data locations and code of programs" (2006, pp. 202-203); the address space layout
randomization built into modern operating systems is an example of exactly this.

Independent Anti-Malware Study

Anti-Malware Program Research

Malwarebytes, the only anti-malware program I had at the start of my report, said it had been 247 days
since my last virus scan. In order to research three different antivirus programs I installed them on my
computer, ran a full system scan with each, and browsed the internet to test their internet security. A full
system scan is a process that searches throughout my computer for malicious threats. Full system scans
should be completed once a week if a person uses the computer regularly. The inclusion of real-time
protection in anti-malware software allows websites and files to be scanned when they are accessed.
Anti-malware programs should be updated every few days if they do not have auto-updating capabilities.

I chose three anti-malware programs to test: Malwarebytes, which I currently have on my computer; AVG
Antivirus 2015, a program that was recommended to me; and Kaspersky, which has been reviewed as the
industry standard by Rubenking (2014) and AV-Comparatives (2014a & 2014b).

I used the same conditions for all the anti-malware software. I ran the software on my home computer
running Windows Vista without any programs running in the background. I wanted to test each piece of
software's ability to identify and remove any malicious threats. I did not delete or quarantine any files after
the software ran, so each program had the same opportunity to identify and remove any malware. All
anti-malware programs were updated before they were executed to ensure that the latest malware
detection was available.

Malwarebytes

[Figure 1: Malwarebytes Full System Scan. Dickerson, Thomas, 2014, JPEG file]

Above is a picture of my full system scan using Malwarebytes. When the scan completed, no malware was
found on my computer. There were 268 instances of potentially dangerous files on my computer, 9 of
which were in the Windows registry. The majority of the files found to be potentially harmful were
associated with the web browser Firefox. I had stopped using Firefox, since I switched to Google Chrome
because of a problem with Firefox running slowly on my computer, and no files associated with Chrome
were found. Once I switched to Chrome I never used Firefox again. In order to secure my computer I
should delete these potentially dangerous files through Malwarebytes and uninstall Firefox, since it is a
potential threat and I do not use it. I have included the logs of the Malwarebytes scan in my appendix.

It took Malwarebytes 51 minutes to run a full system scan of my computer.


AVG Internet Security 2015

Below are the pictures of the results of my full system scan using AVG Internet Security 2015.

[Figures 2 and 3: AVG Full System Scan 1 & 2. Dickerson, Thomas, 2014, JPEG file]

AVG Internet Security 2015 found 2 malicious threats on my computer: a virus that had attached itself to a
file in my Windows system32 directory, winksys, and a Luhe LockScreen virus. The winksys virus currently
cannot be removed from my system32 directory. The Luhe LockScreen virus is one that AVG can remove.
I have added the detail screens of the separate viruses to my appendix, where you will also find the full
system scan log for AVG.

After installing and running AVG Internet Security I had problems reloading Windows. My computer took
15 minutes to load the desktop when it normally takes only 2 minutes. I had to manually close AVG
Internet Security through Task Manager for my computer to become responsive. I experienced slowdown
whenever I opened AVG. This could be the result of the malware that was found.

It took AVG 2 hours 57 minutes 57 seconds to run a full system scan on my computer.

Kaspersky Pure 3.0


Below is a picture of the report Kaspersky created for my computer.

[Figure 4: Kaspersky Full System Scan. Dickerson, Thomas, 2014, JPEG file]

Above is my computer's full system scan by Kaspersky. Kaspersky found 1196 instances of potentially
unsafe data. Kaspersky Pure 3.0 located the same malware that AVG had found. Kaspersky even identified
files associated with AVG as a potential threat to my computer.

The Kaspersky full system scan took 5 hours, 5 minutes, and 26 seconds.

Conclusion

In this report I have covered the different types of malware and how they are dangerous. I have given
statistics that show how malware infects computers, and statistics that show the problems associated with
current anti-malware programs.

Through the secondary research presented in this paper I explained how current anti-malware works and
how it can be improved, and I described ways to protect a computer in addition to anti-malware programs.

For my primary research I conducted a study on my computer using three anti-malware programs:
Malwarebytes, AVG Internet Security 2015, and Kaspersky Pure 3.0.


References

AV-Comparatives. (2014a). Data transmission in Internet security products. Retrieved from
av-comparatives.org

AV-Comparatives. (2014b). IT Security Survey 2014. Retrieved from av-comparatives.org

AVG Technologies. Virus and Malware Information. Retrieved from
http://www.avgthreatlabs.com/virus-and-malware-information/

Aycock, J. (2006). Computer Viruses and Malware. New York, NY: Springer Science+Business Media,
LLC.

Cisco Security. (2014). Annual Security Report. Retrieved from http://www.cisco.com/

Computer Security Resource Center. History of Viruses. Retrieved from
http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_1.html

G DATA Software, Inc. About G Data. Retrieved from https://www.gdata-software.com/about-gdata.html

Gregory, P. (2004). Computer Viruses For Dummies. Indianapolis, IN: Wiley Publishing, Inc.

PandaLabs. (2012). Quarterly Report. Retrieved from pandasecurity.com

Rubenking, N. (2014, October 15). The Best Antivirus for 2014. PC Magazine. Retrieved from
http://www.pcmag.com/article2/0,2817,2372364,00.asp

Yin, H., & Song, D. (2013). Automatic Malware Analysis: An Emulator Based Approach. New York, NY:
Springer Science+Business Media, LLC.
