Ryan is enjoying his holiday at home. It’s a perfect Sunday evening. He decides to turn on his computer.

He inserts his flash drive in his machine to copy some movies his friend had given to him. Only some of the many viruses the flash drive contained get detected and cleaned by his AV software. The rest carry out their sinister job of destroying some of his very critical documents. He is unaware!

Next, he opens his Firefox browser considered to be more secure than IE. An add-on update dialogbox shows up before opening the browser. Ryan allows for the updation. A previously installed add-on which was legitimate till now turns malicious after this updation. This was a dormant malware waiting for this update to arrive! It is now ready to do the evil!

He then opens a legitimate website that he frequently visits, to catch up with the latest news. But this website had gotten compromised only a couple of hours ago and it now has some malicious scripts running in the background. Ryan simply reads the news. Not a single time does he click on any of the links present there. Yet he falls prey to the drive by download attack.

The drive by download attack infects his machine with a portentous trojan.

The AV on Ryan’s machine does not detect it. The trojan launches a keylogger and uses the latest rootkit technology to hide itself. There is no way he can detect it!

Ryan decides to check his mails and opens his gmail account. The trojan had launched a keylogger just minutes before. It now has Ryan’s password, which it sends to a remote attacker. Ryan has no idea!
Ryan finds a mail from his bank. He is aware of the phishing attack and decides not to click on the link provided in the mail for providing his credit card details even though the mail claimed that it was for the client’s security purpose. He feels happy as well as proud of his safe computing habits.

He now decides to log on to his bank website to carry out some online transactions. So he types the bank website url himself. A good practice indeed! The evil add-on is still active, however! It’s adept in the art of carrying out man-in-the- browser phishing attack! So when Ryan types the bank’s url, the malicious add-on instead directs him to a fake webpage. The phished webpage is an exact replica of the original one with proper url, ssl padlock in place, and seemingly nothing amiss.

Ryan with full confidence types his username and password. He is then directed to the original webpage, courtesy his browser add-on, giving him no chance to suspect. Meanwhile, his credentials have been grabbed. He has no clue of what he just did!

The keylogger in the background too is doing its job!

He now decides to play some online games. The online gaming website is malicious. It makes Ryan’s computer a part of the botnet family. But Ryan is happy basking in the pleasure of gaming!

He gets a call from his office reminding him of his work to be accomplished. He looks for his important documents. But wait a minute.. Where are they?

He panics a little before he remembers that he had mailed them to his colleague, so could recover them from his mails and attempts to open his mail account. In vain.. It’s hacked! Thanks to the trojan and the keylogger!

On getting a tinge of suspicion now he decides to check if his bank account is safe. With his eyes wide open, skin flushed and wrinkles on his forehead, he now attempts to log-on to his bank account. The rest you can guess!

This is not fiction anymore. It could just happen to you anytime!

Some Terminology


First ever form of malware, a computer virus is a piece of code that is designed to replicate by attaching itself to a host program. The behaviour of attaching itself to another file is key to the distinction of a virus from other malware. A virus also requires some type of user interaction such as running an infected program or opening an infected file. Once a virus is executed it will attempt to spread to other files.

Dormant Malware

This class of malware plunges into action only when a specific environmental or temporal condition is met. Until then, the malware behaves as any other legitimate program.

In this article we gave the example of an add-on/firefox extension as a dormant malware. This add-on might have been downloaded by Ryan earlier sometime, when he might have just stumbled upon some site showcasing this add-on along with many others. He obviously must have been convinced that it would be of some good to him, say would serve as an online dictionary. So he naively downloads it. But later when an update arrives for the add-on, it actually turns malicious.


A drive-by-download attack is one in which malware is downloaded and possibly installed onto the victim’s machine without his knowledge. In most cases it only requires the user to visit a malicious website or a good website at the wrong time when it got attacked by some hackers.


A Trojan is a malware type that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user’s computer system.


A program that records the keystrokes of the user. It could be a hardware or software program. In this article we have spoken about the software one which can be remotely installed on the user’s machine unlike the hardware counterpart which requires physical presence.


Rootkits are among the biggest challenges faced by the security researchers and providers today. The shortest definition of a rootkit is software that allows an attacker to mask his presence on a system while allowing the attacker access to the system at a later time.

Man-in-the- browser phishing attack

Man in the browser is also called a proxy Trojan or a password pinching Trojan. It combines the use of phishing approaches with a Trojan horse technology, inserted into a customer’s browser, to modify, capture, and/or insert an additional information on web pages without the customer’s and the host’s knowledge.


The term bot is short for robot. Criminals distribute malware that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it. Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam e-mail messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes a part of a botnet, your computer might slow down and you might be inadvertently helping criminals.


One Response to See What Malware Did to Ryan

  1. anonymous says:

    nice article and waiting for the detailed description of working of each of these topics

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <p>

This site is protected with Urban Giraffe's plugin 'HTML Purified' and Edward Z. Yang's Powered by HTML Purifier. 52425 items have been purified.