MALWARE


ABSTRACT

Malware is malicious code: a program or piece of software introduced into a system, often in a hidden (covert) manner, with the aim of compromising the confidentiality, integrity or availability of the victim's information, data, applications, software or operating system (OS), or of hindering the proper functioning of the victim's system and the user's experience. It is usually written to carry out unlawful and criminal functions in such a way that its presence goes entirely unnoticed, at least initially when it is introduced into the victim's system. Before the year 2000, malware infestations and their inhibition centered on system attacks, denial of service and so on. Since 2000, however, individuals, corporate bodies and national governments have been involved in designing and propagating malicious code for distributed network breakdown and cyberwar. Shared ignorance about how malware develops and propagates has resulted in colossal losses for both individuals and corporate organizations. With new malware emerging daily to join the thousands already in existence, it is evident that the virus issue will not go away any time soon. This paper details the history of malware and its categories, obfuscation techniques, identification, and recommendations for preventing malware incidents for all computer users.
INTRODUCTION
During the 1980s, malware was only an occasional annoyance to people and organizations; today, malware is the main external threat to most systems, causing widespread damage and disruption and requiring extensive recovery efforts inside most organizations. Malware intended to violate a user's privacy has also become a significant concern to organizations. Although privacy-violating malware has been in use for a long time, its use became substantially more widespread in 2003 and 2004, with spyware attacking numerous systems to monitor personal activities and conduct financial fraud.
Shared ignorance about how malware develops and propagates has resulted in colossal losses for both individuals and corporate organizations. With new malware emerging daily to join the thousands already in existence, it is evident that the virus issue will not go away any time soon. In fact, the Institute of Chartered Secretaries and Administrators (ICSA) annual surveys since 1995 suggest that the problem has actually been getting worse. Over 99% of responding companies reported a virus incident in 2000, while nearly 67% experienced file problems and 40% suffered data losses from virus attacks. Most companies estimated annual losses from virus attacks at between US$100,000 and US$1,000,000 [1].

OVERVIEW OF MALWARES
Malware is a generic term for all hostile and intrusive program code, including viruses, spyware, Trojan horses, worms, or anything else designed to perform malicious operations on a computer [5]. The meaning of each of these words has changed over time. Some refer to how the malware infects a system, while others describe what the malware does once it is active on a machine.
A. History of Malwares
The idea of the computer virus was conceived at the very beginning of computing. The earliest viruses appeared as benign pranks; they were written in the late 1970s with the aim of assisting in system maintenance. Malicious malware did not surface and become widely known until the early 1980s, when the most common form was the compiled virus, boot sector viruses being commonplace among these. At that time, virus writers also devised a number of obfuscation strategies so that their viruses could avoid detection. In 1988, the infamous Morris worm was launched, disrupting countless computer networks. Trojan horses likewise surfaced in the mid-1980s. In the early 1990s the malware landscape remained largely unchanged, with compiled viruses continuing to be the endemic form of malicious code. In the latter half of the 1990s, however, several changes in computing produced new opportunities for malware. Virus writers began producing interpreted viruses and circulating them through e-mail, and developed independent worms with similar potential.
Worms have been the most common form of malware since 2000. Virus writers prefer worms to viruses since worms multiply more rapidly. In 2001, Nimda was released and became the first blended attack to cause major disruption. Nimda combined the attributes of viruses, worms and malicious mobile code. Malicious mobile code attacks have recently become ever more common, chiefly because of the dominance of Web browsers and HTML-based e-mail, but malicious mobile code is still not as familiar as worms. Much malware, such as worms, Trojan horses and malicious mobile code, now also delivers attacker tools such as rootkits, keystroke loggers and backdoors to infected computer systems, which marks a critical shift [5]. As faster methods of file sharing and communication, such as e-mail and file-sharing programs, became more widespread, attackers created different kinds of malware that exploited these faster methods to spread substantially more quickly.
Before the year 2000, malware infestations and their inhibition centered on system attacks, denial of service and so on. Since 2000, however, individuals, corporate bodies and national governments have been involved in designing and propagating malicious code for distributed network breakdown and cyberwar. Anonymous sources within the U.S. government recently revealed that the United States and Israel were indeed the authors of the Stuxnet worm and related malware, whose primary aim was to sabotage Iran's attempts to make weapons-grade nuclear material [7].
B. Obfuscation Techniques of Malware
If a virus is hard to detect, it is likely to spread more widely and rapidly [6]. To obfuscate is to deliberately make something more confusing in order to conceal the truth. Most malware is created using one or more of the obfuscation techniques outlined below.

 Self-Encryption and Self-Decryption: Some viruses can encrypt and decrypt their own virus code bodies, hiding them from direct examination or inspection. Viruses that use encryption may employ multiple layers of encryption or random cryptographic keys, which make each instance of the virus appear unique even though the underlying code is the same.

 Polymorphism: Polymorphism is an especially strong form of self-encryption. A polymorphic virus generally alters the encryption settings as well as the decryption code itself. In a polymorphic virus, the underlying virus code body does not change; encryption only modifies its appearance.

 Metamorphism: Rather than concealing the virus's content using encryption, metamorphism aims to change the virus's content. The virus can be changed in a variety of ways, such as by adding unnecessary code sequences to the source code or by changing the order in which sections of the source code are executed. The modified code is then recompiled to produce a virus executable that appears essentially different from the original.

 Stealth: A stealth virus uses various methods to avoid detection and to hide the signs of infection from antivirus or antimalware software. It can conceal itself in legitimate files, boot sectors and disk partitions without alerting the system or the user to its presence. For instance, many stealth viruses interfere with OS file listings so that the reported file sizes reflect the original values and exclude the size of the virus added to each infected file.

 Armoring: The purpose of armoring is to write a virus so that it attempts to prevent antivirus software or human specialists from analyzing the virus's functions through disassembly, tracing and other means.

 Tunneling: A virus that uses tunneling inserts itself into a low level of the operating system so that it can intercept low-level OS calls. By placing itself beneath the antivirus software, the virus attempts to alter the OS in order to avoid detection. Antivirus vendors design their products to try to compensate for the use of any combination of these obfuscation techniques.
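The difference between self-encryption and polymorphism, and what a scanner has to do about each, can be shown with a small model. This is an added example, not code from the paper: the "virus body" is a harmless byte string, the decryptor is a one-byte XOR loop, and the sample layout ([stub] 0x00 [key] [2-byte length] [body XOR key]) is invented for the demonstration. It shows that a signature on the body misses every encrypted copy, that a signature on the constant decryptor stub recovers plain self-encryption but not polymorphism, and that running the decryptor before matching (as emulation-based scanners do) recovers both.

```python
# Constructed stand-in for the constant code a virus carries in every copy.
BODY = b"CONSTRUCTED-VIRUS-BODY: infect(); replicate(); payload();"
# What a signature-based scanner would look for in the clear body.
SIGNATURE = b"infect(); replicate()"
# Constructed stand-in for the decryptor stub every self-encrypting copy needs.
STUB = b"XOR-DECRYPT-LOOP"


def _encode(stub: bytes, body: bytes, key: int) -> bytes:
    """Lay out one copy: [stub] 0x00 [key] [2-byte big-endian length] [body XOR key]."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255; 0 would leave the body in the clear")
    encrypted = bytes(b ^ key for b in body)
    return stub + b"\x00" + bytes([key]) + len(body).to_bytes(2, "big") + encrypted


def self_encrypt(body: bytes, key: int) -> bytes:
    """Self-encrypting virus: a new key per copy, but the decryptor stub is constant."""
    return _encode(STUB, body, key)


def polymorphic_encrypt(body: bytes, key: int, junk_at: int, junk: int) -> bytes:
    """Polymorphic virus: additionally mutates the decryptor by inserting do-nothing
    ';' bytes inside the stub, so neither body nor stub is byte-for-byte constant."""
    if not 1 <= junk_at < len(STUB):
        raise ValueError("junk must land strictly inside the stub to change it")
    mutated = STUB[:junk_at] + b";" * junk + STUB[junk_at:]
    return _encode(mutated, body, key)


def run_decryptor(sample: bytes) -> bytes:
    """Reproduce what the stub does when executed: ';' is a no-op, then XOR the body.
    This is the step an emulating scanner performs before signature matching."""
    header, _, rest = sample.partition(b"\x00")
    if header.replace(b";", b"") != STUB:
        raise ValueError("unrecognised decryptor stub")
    key = rest[0]
    length = int.from_bytes(rest[1:3], "big")
    return bytes(b ^ key for b in rest[3:3 + length])


def naive_scan(sample: bytes) -> bool:
    """Match the body signature against the bytes as stored on disk."""
    return SIGNATURE in sample


def stub_scan(sample: bytes) -> bool:
    """Match the constant decryptor instead: catches self-encryption, not polymorphism."""
    return STUB in sample


def emulating_scan(sample: bytes) -> bool:
    """Run the decryptor first, then match the body: catches both variants."""
    try:
        return SIGNATURE in run_decryptor(sample)
    except ValueError:
        return False


if __name__ == "__main__":
    a, b = self_encrypt(BODY, 0x5A), self_encrypt(BODY, 0xC3)
    p = polymorphic_encrypt(BODY, 0x5A, junk_at=4, junk=3)
    for name, s in (("self-encrypting A", a), ("self-encrypting B", b), ("polymorphic", p)):
        print(f"{name:18} naive={naive_scan(s)} stub={stub_scan(s)} emulating={emulating_scan(s)}")
```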
C. Malware Identification
A virus is a computer program that acts when an infected program is executed. As a result, only executable files are susceptible to infection. On MS-DOS platforms these files commonly have the extensions .EXE, .COM, .BAT or .SYS. Overlay files are another class of files that can likewise be infected. These files frequently have the extension .OVL, although other extensions, for example .OV1, are sometimes used.
In the majority of cases, viruses and worms change their file extensions from ".exe" to some other extension such as ".pif", ".scr" or ".jpeg" to deceive the victim into downloading and running such files from the Internet or over e-mail. Since these files are, as a rule, executables, when users click on them they are executed and infect the user's system.
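The extension trick described above can be caught by comparing a file's name with its content. This is an added example, not code from the paper: the file names and leading bytes are constructed in memory, the list of data-like extensions is an assumption, and the content check relies on the "MZ" magic bytes that DOS/Windows .exe images start with, which the paper itself does not mention.

```python
from __future__ import annotations

# Extensions the paper lists as executable on MS-DOS, plus .pif and .scr, which the
# paper names as disguises and which Windows also runs as programs.
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".sys", ".pif", ".scr"}
# Extensions a user would reasonably take for data rather than code (assumption).
DATA_EXT = {".jpeg", ".jpg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}
# DOS/Windows .exe images (and PE files) begin with these two bytes; .com files do not.
MZ_MAGIC = b"MZ"


def extensions(name: str) -> list[str]:
    """All dotted suffixes of a file name, lower-cased: 'a.JPG.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def suspicious_reasons(name: str, head: bytes) -> list[str]:
    """Explain why (name, first bytes) looks like a disguised executable.
    An empty list means none of these checks fired."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    # 1. Content says "executable", name says something else (renamed .exe).
    if head.startswith(MZ_MAGIC) and last not in EXECUTABLE_EXT:
        reasons.append(f"content is an MZ executable but the extension is {last or 'missing'}")
    # 2. Extensions that look harmless to users but are executed by Windows.
    if last in {".pif", ".scr"}:
        reasons.append(f"{last} looks harmless to users but is executed by Windows")
    # 3. Double extension: the visible part suggests data, the real one runs.
    if len(exts) >= 2 and last in EXECUTABLE_EXT and exts[-2] in DATA_EXT:
        reasons.append(f"double extension: {exts[-2]} is shown, {last} is what runs")
    return reasons


# Constructed samples: (file name, first bytes). The MZ ones are not real programs.
SAMPLES = {
    "holiday.jpeg": b"MZ\x90\x00\x03\x00",          # renamed .exe, as the paper describes
    "holiday2.jpeg": b"\xff\xd8\xff\xe0\x00\x10",   # genuine JPEG magic
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00",
    "setup.exe": b"MZ\x90\x00\x03\x00",
    "cute.scr": b"MZ\x90\x00\x03\x00",
    "notes.txt": b"meeting at 10",
}


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run the checks over every sample; only flagged names are returned."""
    flagged = {}
    for name, head in samples.items():
        reasons = suspicious_reasons(name, head)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

In practice the "first bytes" would come from reading the attachment or download, and the same content-versus-name comparison applies to other formats with fixed magic bytes.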

CATEGORIES OF MALWARES
Viruses, malicious mobile code, worms and Trojan horses are some of the categories of malware, as are hybrid or blended attacks that combine several types of malware. Backdoors, tracking cookies, rootkits and keystroke loggers, used as spyware, are all examples of malware. The discussion of each category explains how it affects the system.
A. Viruses
By definition, a computer virus is a self-replicating computer program that spreads from computer to computer, interfering with data and software. It can clone itself so that it keeps replicating, continually looking for new host environments. Just as biological viruses infect people, spreading from person to person, computer viruses infect personal computers (PCs) and servers [2], [3].
Some viruses are mere annoyances, but others can do serious damage. The content of the virus payload is the code for the virus's goal, which might be anything from harmless to destructive. Viruses can delete or change files, steal important information, load and run unwanted applications, send documents via electronic mail (e-mail), or even cripple a machine's operating system (OS). Many viruses feature a trigger, a condition that causes the payload to be executed, which usually involves user interaction (for example, opening a document, running a program, or clicking on an e-mail attachment).
Virus programs, like infectious microorganisms, are quite small. A basic virus can be written using only a few lines of program code. Once written, a virus can be transmitted to other computers across telephone lines or distributed systems, or via infected disks, where it can replicate in microseconds and damage the largest systems millions of kilometers away. Owing to these two realities, tracing a virus back to its source has become nearly impossible. There are two major types of viruses, compiled viruses and interpreted viruses. The two are described briefly below.

1. Compiled Viruses
A compiled virus is one whose source code has been converted by a compiler into a format that can be executed directly by an OS. Compiled viruses normally fall into three classes:

 File Infector: A file infector virus attaches itself to executable programs, for example word processors, spreadsheet applications and PC games. Once the virus has infected a program, it spreads to infect other programs on the system, as well as other systems that use a shared infected program. Two of the most well-known file infector viruses are Jerusalem and Cascade.

 Boot Sector: A boot sector virus infects the master boot record (MBR) or boot sector, as well as portable media such as floppy diskettes. The boot sector is a region at the start of a drive or disk where information about the drive or disk structure is stored. Boot sectors contain boot programs that are run at host startup to boot the OS. Removable media such as floppy disks do not need to be bootable in order to infect the system: if an infected disk is in the drive when the PC boots, the virus can be executed. Boot sector viruses are easily concealed, have a high rate of success, and can render a machine utterly unusable. An error message during booting, or the inability to boot, is a sign of a boot sector virus infection on a computer. Examples of boot sector viruses are Form, Michelangelo and Stoned.

 Multipartite: A multipartite virus uses multiple infection methods, typically infecting both files and boot sectors. Accordingly, multipartite viruses combine the attributes of file infectors and boot sector viruses. Examples of multipartite viruses include Flip and Invader. Compiled viruses, in addition to infecting files, can also reside in the memory of infected systems, infecting new programs each time they are run.

2. Interpreted Viruses
In contrast to compiled viruses, interpreted viruses consist of source code that can be executed only by a specific program or service. Because they are significantly easier to develop and modify than other forms of viruses, interpreted viruses have become increasingly popular. A relatively unskilled attacker can obtain an interpreted virus, review and alter its source code, and distribute it to others. Macro viruses and scripting viruses are the two most common types of interpreted viruses.

 Macro viruses: These are the most pervasive and effective kinds of viruses. They infect application documents such as word processing documents and spreadsheets and make use of the application's macro scripting language to run and propagate. Many popular software suites, such as Microsoft Office, have macro programming capabilities, intended to automate complex or repetitive tasks, that macro viruses can use. Because users routinely share documents from applications with macro capabilities, these viruses spread swiftly. Likewise, when a macro virus infection happens, the virus contaminates the templates that the program uses to create and open files and documents. Well-known examples of macro viruses include the Concept, Marker and Melissa viruses.

 Scripting viruses: Scripting viruses are similar to macro viruses in that they employ scripting to carry out their actions. A macro virus is written in a language understood by a specific program, such as a word processor, whereas a scripting virus is written in a language understood by an OS service. First Stages and Love Stages are two well-known scripting viruses.
B. Worms
Worms are self-replicating programs that are totally independent, meaning that they can infect a victim without the help of host software. Worms are also self-propagating; unlike viruses, they can make fully functional copies of themselves and execute them without user intervention. As a result, attackers are increasingly turning to worms, on the grounds that a worm can infect many more computers in a short time than a virus can.
Although some worms are designed merely to consume system and network resources, many worms cause damage by installing backdoors that allow them to launch distributed denial of service (DDoS) attacks on other hosts or to carry out other malicious behavior. Worms are divided into two types: network service worms and mass mailing worms.

1. Network Service Worms
Network service worms propagate by exploiting a flaw in a network service that is part of an operating system or an application. Once a worm has infected a system, it uses that system to scan for additional systems that are running the targeted service and then attempts to infect them as well. Network service worms spread more swiftly than other types of malware because they operate entirely without human interaction. Sasser and Witty are two examples of network service worms.

2. Mass Mailing Worms
The main distinction between mass-mailing worms and e-mail borne viruses is that mass-mailing worms are independent rather than infecting an existing file, as e-mail borne viruses do. When a mass-mailing worm has infected a system, it typically looks for e-mail addresses and then sends copies of itself to those addresses, using either the system's e-mail client or an independent mailer built into the worm. A mass-mailing worm normally sends a single copy of itself to numerous recipients at once. Mass-mailing worms frequently create serious performance difficulties for infected computers, in addition to overloading e-mail servers and networks with enormous numbers of e-mails. Beagle, Mydoom and Netsky are examples of mass-mailing worms.
C. Trojan Horses
Trojan horses are non-replicating programs that appear to be harmless but actually have a hidden malicious function. They are named after the wooden horse from Greek mythology. Some Trojan horses are designed to replace existing files, such as system and application executables, with malicious ones; others, instead of overwriting existing files, add another program to the computer. Trojan horses usually follow one of the three patterns below:

1. Continuing to perform the original program's function while also engaging in a different, unrelated harmful activity (for example, a game that gathers application passwords).

2. Continuing to perform the original program's function but altering it to perform a malicious activity (for example, a Trojan horse version of a login program that gathers passwords) or to hide other malicious activity (for example, a Trojan horse version of a process-listing program that hides other malicious processes).

3. Performing a malicious function that entirely replaces the original program's functionality (for example, a file that purports to be a game but in reality deletes all system files when played).

Trojan horses can be hard to identify because they are explicitly designed to hide their presence on computers while still performing the original program's function. The use of Trojan horses to distribute spyware applications has become increasingly common. Spyware is frequently bundled with software such as peer-to-peer file sharing clients; when the user runs the ostensibly innocent software, the spyware programs are installed clandestinely. Other forms of attacker tools are also frequently delivered onto computers by Trojan horses, allowing unauthorized access to, or use of, the infected computers and systems. These tools might be included with the Trojan horse, or they could be downloaded by the Trojan horse after it has been installed and run. SubSeven, Back Orifice and Optix Pro are among the well-known Trojan horses.
D. Malicious Mobile Code
Mobile code is software that is transmitted from a remote computer or system to be executed on a local system, typically without the user's explicit permission. It has become a popular way of building programs that may run on a variety of operating systems and applications, for example Web browsers and e-mail clients. Although mobile code is ordinarily harmless, attackers have learned that malicious mobile code can be a powerful tool for attacking computers, as well as a good mechanism for delivering viruses, worms and Trojan horses to users. Malicious mobile code differs fundamentally from viruses and worms in that it does not infect files or attempt to spread itself. It frequently affects systems by taking advantage of the default privileges granted to mobile code, rather than by exploiting specific vulnerabilities. Java, ActiveX, JavaScript and VBScript are all popular languages for malicious mobile code. Nimda, which employed JavaScript, is one of the most well-known instances of malicious mobile code.
E. Blended Attack
A blended attack is a type of malware that employs several means of infection or propagation. Nimda, the well-known blended attack, is an example. It employs four techniques of distribution:
 E-mail: Nimda exploited a weakness in the Web browser used to display HTML-based e-mail when a user on a susceptible computer opened an infected e-mail attachment. After infecting the host, Nimda searched it for e-mail addresses and then sent copies of itself to those addresses.

 Windows Shares: Nimda scanned hosts for insecure Windows file sharing and then infected files on those hosts, using NetBIOS as a delivery method. Nimda would be activated on a host if a user launched an infected file.

 Web Servers: Nimda scanned Web servers for known Microsoft Internet Information Services (IIS) vulnerabilities. If it found a susceptible server, it tried to infect the server and its data by transferring a copy of itself to the server.

 Web Clients: If a susceptible Web client visited a Nimda-infected Web server, the client's workstation would be infected as well.
Blended attacks can also propagate through services such as instant messaging and peer-to-peer file sharing, in addition to the techniques listed above. Nimda is a virus that combines the traits of worms, viruses and malicious mobile code. Bugbear, which worked as both a mass-mailing worm and a network service worm, is another example of a blended attack. Blended attacks are considerably harder to produce than single-method malware since they are more complicated.
F. RootKits
A rootkit is a set of files installed on a computer in order to change the system's basic operation in a harmful and covert manner. To disguise its presence, a rootkit often makes several modifications to a system, making it extremely difficult to verify whether the rootkit is there and what the malware has altered.
G. Backdoors
A backdoor is a malicious application that listens on a specific TCP or UDP port for commands. The majority of backdoors enable an attacker to carry out a certain set of operations on a system; obtaining passwords or running arbitrary commands are only a few examples. Zombies (sometimes known as bots) are a type of backdoor placed on a computer so that it can be made to attack other computers. Remote administration tools are another type; they are installed on a system to enable a remote attacker to gain access to the system's functions and data.

PREVENTION AND OTHER INHIBITING OPERATION OF MALWARES
Policies addressing malware prevention must provide a basis for implementing preventive controls. Broad malware awareness programs for all computer users should be put in place, as well as specific awareness training for IT employees directly involved in malware protection. Some probable attack routes can be eliminated by putting effort into vulnerability mitigation. Using a mix of threat-mitigation strategies and tools, such as antivirus software and firewalls, can help prevent threats from successfully attacking systems and networks.
When devising a malware protection strategy, users ought to be aware of the attack vectors that are likely to be used now and in the near future. They ought also to consider how well controlled their computers are (e.g., managed environment versus non-managed environment). Computer users ought to know that no matter how hard they try to prevent malware incidents, some will still happen (for example, because of previously unknown sorts of threats or human mistakes). As a result, computer users and, in particular, companies ought to have effective malware incident handling capabilities in order to limit the harm malware might wreak and to quickly recover data and services.
A. Policy
To enable flexibility in policy execution and avoid the need for frequent policy modifications, malware protection policies should be as broad as possible. The following are some common malware protection policy considerations:
 Scanning media from outside the organization for viruses before it may be used;
 Saving e-mail file attachments, especially compressed files (.zip files), to local disks or media and inspecting them before they are accessed;
 In response to an impending malware threat, prohibiting the transmission or receipt of certain sorts of files (e.g., .exe files) through e-mail, and permitting specific other file types to be restricted for a period of time;
 Limiting users' access to administrator-level rights, and keeping systems up to date with OS and application upgrades, fixes and patches;
 Restricting the use of removable media (e.g., floppy disks, compact discs (CD) and Universal Serial Bus (USB) flash drives), especially on systems that are at high risk of infection;
 Indicating, for each type of system (e.g., file server, e-mail server and proxy server), which sorts of preventive software (e.g., antivirus software, spyware detection and removal programs) are necessary;
 Allowing access to external networks (including the Internet) only through secure procedures permitted by the organization;
 Requiring changes to firewall configuration to go through a formal approval process;
 Clarifying which types of mobile code from a variety of sources (e.g., internal Web servers, Web servers from external businesses) may be used;
 Allowing mobile devices only on trustworthy networks.
Although these considerations are intended to help organizations prevent malware attacks, many of them could also be useful in detecting or containing incidents.
B. Vulnerability Mitigation
Malware frequently attacks computers by taking advantage of flaws in operating systems, applications and services. Mitigating vulnerabilities is therefore critical to preventing malware outbreaks, especially when malware is distributed soon after a new vulnerability is announced, or before the vulnerability is publicly known. One or more measures, such as applying patches to update the software or reconfiguring the software (e.g., disabling a vulnerable service), can frequently mitigate a vulnerability.
The strategies outlined here can be used to secure practically any system, although they are especially useful for protecting against malware.

Patch Management: Assessing the criticality of patches and the effect of applying or not applying them, extensively testing the patches, deploying the patches in a controlled way, and documenting the patch evaluation and decision process are all elements of the patch management process. It is becoming more difficult to deploy patches rapidly enough to avoid incidents. Patching is one of the most effective strategies for reducing the risk of malware attacks, and many malware attacks have succeeded because systems were not patched in a timely manner. Patch management is also essential for incident response.

Least Privilege: The notion of least privilege refers to configuring hosts to give users, processes and hosts only the minimum rights they need. Because malware frequently requires administrator-level access to successfully exploit weaknesses, least privilege can be useful in preventing malware problems. In the event that an incident does occur, having applied least privilege ahead of time may help to limit the amount of harm the malware can cause. Least privilege is typically applied on an organization's servers and network devices, although it is also applied to end users. Least privilege can be resource-intensive to establish and maintain; for example, users without administrative rights may not be able to install OS or application upgrades.

Other Host Hardening Measures: In addition to keeping hosts patched and following the principle of least privilege where appropriate, companies ought also to consider carrying out other host hardening measures that can help minimize the risk of malware attacks. The following are some examples of such measures:
 Disabling or removing unneeded services (especially network services) that may contain vulnerabilities;
 Eliminating unsecured file shares, which are a common infection vector for worms;
 Removing or changing default usernames and passwords for operating systems and applications, since malware can use them to gain unauthorized access to systems;
 Requiring authentication before a network service may be accessed;
 Disabling the automatic execution of binaries and scripts.
Organizations ought also to conduct frequent vulnerability assessments to uncover unaddressed system vulnerabilities and establish plans to resolve them. Periodic vulnerability assessments are still important even if all known vulnerabilities on a system have been addressed.
Threat Mitigation: Organizations should implement threat mitigation in addition to vulnerability mitigation in order to detect and stop malware before it reaches its targets. Antivirus software, spyware detection and removal programs, intrusion prevention systems (IPS), firewalls and routers are all examples of security products that can help reduce malware threats. The discussion that follows explains, for each of these categories, typical characteristics, the types of malware and attack vectors that the tools handle, and the methods they employ to recognize and stop malware.
C. Eradication of Malware
Albeit the fundamental objective of eradication is to eliminate malware from affected
systems, it is usually a much more involved process. If an infection was successful due to a
system vulnerability or other security weakness, such as unsecured file sharing, eradication
comprises the removal or mitigation of that vulnerability, which should keep the system
from becoming re-infected or infected by a variant of the initial malware. Containment
operations are frequently combined with eradication efforts. Computer users may, for
example, run a tool that detects affected hosts, installs patches to fix vulnerabilities, and
runs antivirus software to clean up infestations.
Containment actions often limit eradication choices; when an issue is controlled by
separating infected computers from the main network, the computers should either be linked
to a different VLAN so that they may be updated remotely, or fixed and rebuilt
physically. Because the hosts are no longer connected to and disengaged from the main
network, the incident reaction team will be feeling the squeeze to complete eradication
activities on the hosts as soon as possible so that the users may restore full access to their
systems. Various scenarios need the use of a variety of eradication tactics. Antivirus
software, spyware detection, and removal programs are the most typical instruments for
eradication. Manual eradication procedures are significantly less effective than automated
eradication techniques, such as remotely activating antivirus scans. Automated approaches,
on the other hand, are not appropriate in all instances.
For instance, an infected host that is attempting to do significant harm to other systems or
consume enormous amounts of bandwidth should most likely be disconnected from networks
and dealt with manually. As part of eradication operations, it may be necessary to rebuild
infected hosts in some malware incidents. Rebuilding encompasses reinstalling and securing
the operating system and applications, as well as restoring data from known good backups.
Because rebuilding a host consumes more resources than other eradication procedures, it
should only be used when no other eradication technique or combination of techniques is
effective.
Because of the large number of systems to clean up and the likelihood of further infections
and re-infections occurring for days, weeks, or months after big outbreaks, eradication can
be frustrating. Incident handlers ought to perform identification actions on a regular basis
to find remaining infected hosts and measure eradication success. A decrease in the number
of infected hosts shows that the incident response team is making progress, and it helps the
team determine the best approach for dealing with the remaining hosts and allocate adequate
time and resources.
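As an added example (not part of the paper), the following Python script tracks the metric described above, the number of infected hosts per scan round, over a constructed scan log, and also flags newly infected and re-infected hosts so the team can see where re-infection is undoing its work; the log format and host names are assumptions.

```python
"""Measure eradication progress from repeated host scans.
Added example, not from the paper. SCAN_LOG is a constructed log with one
'round,host,status' line per host per scan round; status is 'infected' or
'clean'. Rounds are numbered in time order.
"""
from collections import defaultdict

SCAN_LOG = """\
1,ws-a,infected
1,ws-b,infected
1,ws-c,infected
1,ws-d,clean
2,ws-a,clean
2,ws-b,infected
2,ws-c,clean
2,ws-d,infected
3,ws-a,infected
3,ws-b,clean
3,ws-c,clean
3,ws-d,clean
"""

def parse_log(text):
    """Return {round: {host: status}}; malformed lines are skipped."""
    rounds = defaultdict(dict)
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        rounds[int(parts[0])][parts[1]] = parts[2]
    return dict(rounds)

def eradication_report(rounds):
    """Per round: infected count, hosts infected for the first time, and
    hosts that were cleaned in an earlier round but are infected again."""
    report, seen, cleaned = [], set(), set()
    for rnd in sorted(rounds):
        infected = {h for h, s in rounds[rnd].items() if s == "infected"}
        report.append({"round": rnd, "infected": len(infected),
                       "new": sorted(infected - seen),
                       "reinfected": sorted(infected & cleaned)})
        seen |= infected                 # every host ever seen infected
        cleaned = seen - infected        # infected before, clean right now
    return report

def remaining_hosts(rounds):
    """Hosts still infected in the latest round: where to focus effort."""
    latest = rounds[max(rounds)]
    return sorted(h for h, s in latest.items() if s == "infected")
```

A rising "reinfected" list while the infected count falls is the signal that the underlying weakness was not removed before hosts were reconnected.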
D. Antivirus Software
The most widely used technological measure for reducing malware threats is antivirus
software. Antivirus software has become a necessity for preventing malware attacks on
operating systems and applications that are regularly targeted by malware. Antivirus software
comes in a variety of flavors, but most offer similar protection through the following
recommended features:
• Examining important system components, including startup files and boot records;
• Monitoring real-time system activity for suspicious behavior; screening all e-mail
attachments for known viruses as they are sent and received is a common example.
Antivirus software ought to be configured to scan each file in real time as it is
downloaded, opened, or run; this is called on-access scanning.
• Keeping an eye on the programs most likely to be used to infect computers or distribute
malware to other computers (e.g., e-mail clients, Web browsers).
• Scanning files for known viruses. Antivirus software on computers should be set to scan
all hard drives and, potentially, other storage devices on a regular basis to detect any
file system infections. Users should also be able to start a scan manually whenever they
need it; this is called on-demand scanning.
• Identifying popular forms of malware, including viruses, worms, Trojan horses, malicious
mobile code, and hybrid threats, as well as attacker tools such as keystroke loggers and
backdoors.
• Disinfecting files, which means eradicating malware from within a file, or quarantining
them, which means storing malware-infected files in isolation for later disinfection or
analysis. Because the malware is eradicated and the original file is restored, disinfecting
a file is generally preferable to quarantining it. However, many infected files cannot be
cleaned. As a result, antivirus software ought to be configured to try to disinfect infected
files while quarantining or deleting files that cannot be disinfected.
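As an added example that is not from the paper or any real antivirus product, the following Python on-demand scanner illustrates the disinfect-versus-quarantine decision above: it uses two constructed signatures (a known-bad SHA-256 and an appended marker payload that can be stripped to restore the original file) and moves whatever it cannot clean into an isolated quarantine directory, which is assumed to lie outside the scanned tree.

```python
"""On-demand signature scan with disinfect-or-quarantine handling.
Added example, not from the paper. Signatures are constructed: a file is
infected if its SHA-256 is in KNOWN_BAD (not cleanable, so quarantine it) or
if it ends with MARKER, an appended payload the scanner can strip (disinfect).
"""
import hashlib
import json
import shutil
from pathlib import Path

MARKER = b"[[CONSTRUCTED-APPENDED-PAYLOAD]]"          # disinfectable signature
KNOWN_BAD = {hashlib.sha256(b"constructed dropper body").hexdigest()}  # hashes

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def disinfect(path):
    """Strip the appended marker payload; True if the original was restored."""
    data = path.read_bytes()
    if not data.endswith(MARKER):
        return False
    path.write_bytes(data[:-len(MARKER)])
    return True

def quarantine(path, qdir):
    """Move the file into the isolated qdir and record where it came from."""
    qdir.mkdir(parents=True, exist_ok=True)
    meta = {"original": str(path), "sha256": sha256_of(path)}
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    (qdir / (path.name + ".json")).write_text(json.dumps(meta))
    return dest

def scan_directory(root, qdir):
    """Scan every regular file under root (qdir must lie outside root)."""
    results = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if disinfect(path):
            results[str(path)] = "disinfected"
        elif sha256_of(path) in KNOWN_BAD:
            quarantine(path, Path(qdir))
            results[str(path)] = "quarantined"
        else:
            results[str(path)] = "clean"
    return results
```

The ".json" record beside each quarantined file keeps the original path and hash so an analyst can later decide between disinfection, deletion, or deeper analysis.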
E. Recovery from Malware Incidents
Restoring infected systems' functionality and data, and removing temporary containment
measures, are the two most important parts of malware recovery. Most malware incidents that
involve minor system harm (for example, an infection that changed only a few data files and
was completely removable with antivirus software) do not require additional procedures to
repair computers. Systems hit by undeniably more harmful malware, such as Trojan horses,
rootkits, or backdoors that corrupt thousands of system and data files or wipe hard drives,
are often best rebuilt or restored from a known good backup and then secured so that they
are no longer vulnerable to the malware threat.
Computer users ought to carefully analyze worst-case scenarios, such as a new malware
attack that wipes the hard disks of a large percentage of the organization's desktops, and
work out how the systems would be restored in these situations. This should involve
establishing who will carry out the recovery duties, estimating how many hours of labor
will be required, and prioritizing the recovery efforts. During severe malware incidents,
deciding whether to remove interim containment measures such as halted services (e.g.,
e-mail) or connectivity (e.g., Internet access, VPN for telecommuters) can be challenging.
The impact of a fresh malware outbreak, on the other hand, should be limited if almost all
computers have been patched and cleaned.
CONCLUSION
“Prevention is better than cure” is the old adage. Malware infestations can regularly be
inhibited or totally prevented through conscious ameliorative measures. Caution should be
exercised about accepting external drives, granting access to unauthorized users, and
opening mail from unknown sources. Routine checks for any invasion via antivirus (AV)
scanning are imperative, especially after intensive internet searching or when a trace of
malfunction is observed. For network security, the use of licensed software is highly
recommended. Besides, regular updates (the auto-update box should be checked) are
indispensable. With all these in place, the malware crisis could be alleviated, and losses
in terms of capital could equally be curtailed.