CS UNIT -4

This document discusses various types of malicious code, including self-replicating malware, worms, viruses, and spyware, detailing their mechanisms, propagation methods, and evasion techniques. It also covers advanced topics such as privilege escalation, obfuscation, and specific attack methods like token kidnapping and form grabbing. Additionally, it highlights the dangers of rootkits, DLL injection, and browser helper objects, emphasizing the importance of detection and prevention strategies against these threats.

UNIT - 4 MALICIOUS CODE

SELF REPLICATING MALICIOUS CODE


Self-replicating malicious code refers to a type of malware (malicious software) that can copy
itself and spread to other systems without human intervention. The main goal of this type of
code is to propagate itself, infecting as many systems as possible, often causing damage or
exploiting resources.

Working
Replication Cycle
1. Infection – Malware enters through infected files, emails, USBs, or vulnerabilities.
2. Replication – It makes copies of itself on the system.
3. Payload Execution – It performs harmful actions like stealing or deleting data.
4. Propagation – It spreads to other systems automatically.
5. Persistence – It installs an autostart mechanism so that it survives reboots, and hides itself to avoid detection.

WORMS
A worm is a type of malicious software (malware) that can replicate itself and spread
automatically across systems, usually through networks, emails, or shared drives.
1. Worms are standalone malware that don’t need to attach to files or programs.
2. They spread on their own through emails, networks, USBs, or system weaknesses.
3. Once inside a computer, they copy themselves and infect other connected systems.
4. Worms can steal data, delete files, slow down systems, or install more malware.
5. They spread quickly and often stay hidden, making them hard to detect and very dangerous.

Working
A worm follows the same replication cycle as self-replicating malicious code above. The distinguishing point is that no host file and no user action is needed: the worm reaches the next machine on its own, typically by exploiting a vulnerable network service or by copying itself onto a shared or removable drive, and starts the cycle again there.

VIRUS
A virus is a type of malicious software (malware) that attaches itself to files or programs and
spreads when the infected file or program is run.
1. A virus needs a host file or program to spread.
2. It activates only when the infected file is opened or executed.
3. It can delete files, corrupt data, slow down systems, or even crash them.
4. Viruses often spread through email attachments, USBs, downloads, or pirated software.
5. They can remain hidden, making detection difficult without antivirus tools.

Working
Replication Cycle of a Virus
1. Infection – Virus enters through infected files, email attachments, USBs, or downloads.
2. Activation – It becomes active only when the host file is opened or run.
3. Replication – Makes copies of itself and attaches to other files.
4. Payload Execution – Performs harmful actions like deleting files or slowing down the system.
5. Propagation – Spreads to other systems via shared files or networks.
6. Persistence – Installs an autostart mechanism to survive reboots and hides in the system to avoid detection.

EVADING DETECTION
Evading detection means using techniques to hide malicious activity from security tools like
antivirus software, firewalls, or intrusion detection systems (IDS).
Techniques
1. Obfuscation – Hiding the real code behind encoding or encryption, meaningless names, and junk instructions, so that neither a signature nor a human reader recognises it.
2. Polymorphic Malware – Re-encrypts its body with a fresh key and mutates the small decryptor each time it replicates, so every copy has a different byte pattern while behaving identically; a signature taken from the stored file misses the next copy. Scanners answer this by emulating or unpacking the sample before matching.
3. Steganography – Hiding a malicious payload inside images, videos, or other files so that it passes content filters; a separate loader extracts and runs it.

ELEVATING PRIVILEGES
Privilege escalation is when an attacker gains higher access rights (like admin or root) than they
are supposed to have.
Types
1. Vertical Privilege Escalation – Gaining access to higher-level permissions (e.g., from user to
admin).
2. Horizontal Privilege Escalation – Accessing data or functions of another user with the same
level of privilege.
Techniques
1. Exploiting software vulnerabilities
2. Misconfigured permissions
3. Using stolen credentials
4. Exploiting weak access controls
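The horizontal case above is usually a missing authorization check rather than an exploit. The following added example (not from the original notes) shows the same record lookup with and without an ownership check; the users, roles and document store are constructed for illustration:

```python
"""Horizontal vs. vertical privilege: an object-level authorization check.
Added illustration; User, DOCUMENTS and the role names are constructed
for the example and do not model any particular application."""

from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: doc_id -> (owner, contents)
DOCUMENTS = {
    101: ("alice", "alice's tax return"),
    102: ("bob", "bob's medical record"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested document."""


def get_document_vulnerable(user: User, doc_id: int) -> str:
    """Authenticates (some user is logged in) but never authorizes:
    any logged-in user can read any doc_id they can guess.
    This is the horizontal privilege escalation described above."""
    owner, contents = DOCUMENTS[doc_id]
    return contents


def get_document_hardened(user: User, doc_id: int) -> str:
    """Look the record up, then compare its owner with the caller.
    Admins (vertical privilege) are let through by an explicit rule,
    not because a check was forgotten."""
    record = DOCUMENTS.get(doc_id)
    if record is None:
        # Same exception type as a denial, so the caller cannot use the
        # error to probe which ids exist.
        raise Forbidden()
    owner, contents = record
    if user.role != "admin" and owner != user.name:
        raise Forbidden()
    return contents


def can_read(user: User, doc_id: int, lookup) -> bool:
    """True if `lookup` lets `user` read `doc_id`; used to compare the two versions."""
    try:
        lookup(user, doc_id)
        return True
    except (Forbidden, KeyError):
        return False
```

In a web application the same check belongs in every handler that takes an object id; a framework-level "is logged in" check is authentication and does nothing against this class of escalation.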
OBFUSCATION
Obfuscation is the technique of making code, data, or communication difficult to understand or
analyze, mainly to hide its true purpose. It is used to avoid detection by security tools and to
protect information from attackers.
Purpose
1. Used by Attackers:
• To hide malicious code in malware.
• To evade antivirus and security tools.
• To prevent reverse engineering of malware.
2. Used by Defenders (Legitimate Use):
• To protect source code and sensitive logic.
• To secure applications from tampering or theft.
• To make reverse engineering harder.
Common Techniques
1. Code Obfuscation – Making source code complex and unreadable.
2. Data Obfuscation – Hiding or replacing sensitive data with fake values.
3. Control Flow Obfuscation – Altering code logic to confuse analyzers.
4. Encoding/Encryption – Converting readable data into unreadable formats.
5. Packing – Compressing or encrypting the executable and prepending a small unpacker stub that restores it in memory at run time, so the file on disk shows only the stub and an opaque blob.
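The polymorphic and encoding techniques listed here, and the reason signature scanners emulate before matching, as an added example that is not part of the original notes. The "payload" is a harmless marker string and the signature list is constructed; a real engine matches far richer patterns, but the mechanism is the same:

```python
"""Why a byte signature on the payload misses polymorphic copies, and why
scanners decode (emulate) first. Added illustration: PAYLOAD is a harmless
string standing in for code, and SIGNATURES is a constructed one-entry
database."""

import os

# Constructed "malicious" body: a harmless marker standing in for real code.
PAYLOAD = b"EVIL-PAYLOAD: delete files"
# What a naive scanner stores: a distinctive substring of the body.
SIGNATURES = [b"EVIL-PAYLOAD"]

# Constructed two-byte marker that our toy "decryptor stub" starts with.
STUB_MAGIC = b"\xDE\xC0"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the toy cipher used by the generator."""
    return bytes(b ^ key for b in data)


def make_variant(key=None) -> bytes:
    """Polymorphic generation: encrypt the body with a fresh key and prepend a
    tiny 'decryptor' (here just a marker plus the key). Each variant has a
    different byte pattern; behaviour after decryption is identical."""
    if key is None:
        key = os.urandom(1)[0] or 0x5A  # key 0 would leave the body in clear
    return STUB_MAGIC + bytes([key]) + xor(PAYLOAD, key)


def naive_scan(sample: bytes) -> bool:
    """Static signature match on the bytes exactly as stored on disk."""
    return any(sig in sample for sig in SIGNATURES)


def emulating_scan(sample: bytes) -> bool:
    """Recognise the decryptor stub, execute its effect (apply the XOR), then
    match signatures against the decoded body, as an AV emulator/unpacker does.
    The stub itself is also a signature candidate: polymorphic engines mutate
    it too, which is what this toy does not model."""
    if sample.startswith(STUB_MAGIC) and len(sample) > len(STUB_MAGIC) + 1:
        key = sample[len(STUB_MAGIC)]
        sample = xor(sample[len(STUB_MAGIC) + 1:], key)
    return naive_scan(sample)
```

Run `naive_scan(make_variant())` a few times: it never matches, while `emulating_scan` always does. The same logic explains packing: the on-disk file is the stub plus an opaque blob, and only the unpacked image can be matched.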

VIRTUAL OBFUSCATION
Virtualization-based obfuscation (VM obfuscation) is an advanced hiding technique used by malware authors, and by commercial software protectors, to make a program's logic extremely hard to understand, analyze, or detect, even for antivirus engines.
1. The malware is originally written in an ordinary language (such as C) and compiled to native code, which a reverse engineer can disassemble and read.
2. Instead of shipping that native code, the protected functions are translated into custom bytecode for a virtual machine (VM) designed by the attacker, and an interpreter for that VM is embedded in the binary.
3. A disassembler then shows only the interpreter's dispatch loop and handlers; the program's real logic lives in bytecode that means nothing until the instruction set has been recovered, which makes analysis slow and expensive.
Working
1. Malware is written in a normal language (like C or Python).
2. Instead of compiling to regular machine code, it is converted into custom bytecode
(special instructions).
3. A custom virtual machine (VM) is built into the malware that can understand and
execute this bytecode.
4. When the malware runs, the VM interprets the bytecode instead of executing native
instructions.
5. To antivirus tools and reverse engineers, the code looks like random or unreadable
instructions.
6. This makes it very hard to analyze or detect what the malware is really doing.
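A minimal stack VM of this kind, as an added example that is not from the original notes or any real protector. The instruction set, the per-build opcode shuffle and the protected function are all constructed here; a real protector also generates different handler code per build, which this toy does not do:

```python
"""A toy virtualization-based obfuscator: a stack VM whose opcode numbering
is re-shuffled for every 'build'. Added illustration; OPS, PROGRAM and the
seeded shuffle are constructed for the example."""

import random

# Semantic operations of the constructed instruction set.
OPS = ["PUSH", "ADD", "MUL", "XOR", "DUP", "RET"]


def build_opcode_table(seed: int) -> dict:
    """Each build shuffles which byte means which operation, so two builds of
    the same program share no opcode bytes and a signature on one build's
    bytecode does not match the next."""
    table = OPS[:]
    random.Random(seed).shuffle(table)
    return {name: code for code, name in enumerate(table)}


def assemble(program, table: dict) -> bytes:
    """program: list of (mnemonic, optional operand). Returns bytecode."""
    out = bytearray()
    for instr in program:
        name, *arg = instr
        out.append(table[name])
        if name == "PUSH":
            out.append(arg[0] & 0xFF)
    return bytes(out)


def run(bytecode: bytes, table: dict, inputs) -> int:
    """The interpreter shipped inside the binary. Static analysis of the
    native code sees only this dispatch loop, never the program's logic."""
    rev = {code: name for name, code in table.items()}
    stack = list(inputs)
    pc = 0
    while pc < len(bytecode):
        op = rev[bytecode[pc]]
        pc += 1
        if op == "PUSH":
            stack.append(bytecode[pc])
            pc += 1
        elif op == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFF)
        elif op == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append((a * b) & 0xFF)
        elif op == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == "DUP":
            stack.append(stack[-1])
        elif op == "RET":
            return stack.pop()
    raise RuntimeError("fell off the end of the bytecode")


# The protected logic, f(x) = ((x * 3) + 7) ^ 0x5A on bytes, as bytecode.
PROGRAM = [("PUSH", 3), ("MUL",), ("PUSH", 7), ("ADD",),
           ("PUSH", 0x5A), ("XOR",), ("RET",)]


def native_f(x: int) -> int:
    """The same function in plain code, for comparison with the VM result."""
    return ((((x * 3) & 0xFF) + 7) & 0xFF) ^ 0x5A


def protected_f(x: int, seed: int = 1) -> int:
    """Build the program for `seed` and evaluate it on x through the VM."""
    table = build_opcode_table(seed)
    return run(assemble(PROGRAM, table), table, [x])
```

Disassembling `native_f` would show a multiply, an add and an xor; disassembling `run` shows a generic loop. Recovering `PROGRAM` means first working out what each handler does and then lifting the bytecode, which is the devirtualization effort that makes this technique costly to analyze.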

PERSISTENT SOFTWARE TECHNIQUES


Persistent software techniques are methods used by attackers to ensure that malicious software
remains on a system and runs continuously, even after system restarts or user logouts.
1. Startup Persistence –
Malware adds itself to startup folders, services, or registry to run automatically when the system
starts.
2. Scheduled Tasks / Cron Jobs –
Attacker creates tasks that execute malicious code at regular intervals.
3. Registry Modifications (Windows) –
Malware changes Windows Registry keys to relaunch itself after reboot.
4. Service Installation –
Malware installs itself as a background service that auto-runs and blends in with system
processes.
5. DLL Hijacking / AppInit-style Loading –
Places a malicious DLL where a trusted program loads it on every start (search-order hijacking, or registry-driven loading into many processes), so the code runs whenever that program runs and is harder to spot than a separate process.
6. Fileless Malware –
Resides in memory instead of on disk, often using tools like PowerShell; to survive a reboot it still needs a launcher stored somewhere, typically a registry value or a WMI event subscription, which is where defenders look for it.
7. Bootkits –
Malware that infects the boot process, executing before the OS loads.
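Most of these mechanisms leave an entry in an autostart location that a defender can enumerate. The following added example (not from the original notes) triages Run-key values from the output of `reg query ... /s`; the sample output is constructed to resemble that layout, the registry paths are the real Windows Run keys, and the scoring rules and the value names are assumptions made for the example:

```python
"""Triage of autostart entries: flag Run-key values that masquerade as system
binaries, launch hidden or encoded interpreters, or run scripts from
user-writable paths. Added illustration; SAMPLE_REG_OUTPUT is constructed in
the layout 'reg query <key> /s' prints, and the rules are heuristics, not a
replacement for a full autoruns inventory."""

import re

# Constructed sample. The '-enc' value is base64 of the UTF-16LE string "ABC".
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\dev\AppData\Roaming\svchost.exe
    Helper      REG_SZ    powershell.exe -nop -w hidden -enc QQBCAEMA
    Sound       REG_SZ    C:\Windows\System32\wscript.exe //B C:\Users\Public\init.vbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Names that only belong in System32/SysWOW64; elsewhere they are masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Temp|ProgramData)\\", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)


def parse_reg_query(text):
    """Yield (key, value_name, data) from 'reg query /s' style output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()


def exe_name(cmd: str) -> str:
    """Basename of the launched program, handling a quoted path."""
    if not cmd:
        return ""
    first = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return a list of findings, each with the reasons and their severity."""
    findings = []
    for key, name, cmd in parse_reg_query(text):
        reasons = []
        low = cmd.lower()
        if exe_name(cmd) in SYSTEM_BINARIES and "\\system32\\" not in low and "\\syswow64\\" not in low:
            reasons.append(("high", "system binary name outside System32"))
        if ENCODED_PS.search(cmd) or HIDDEN.search(cmd):
            reasons.append(("high", "encoded or hidden interpreter launch"))
        if SCRIPT_HOST.search(cmd) and USER_WRITABLE.search(cmd):
            reasons.append(("medium", "script host running a script from a user-writable path"))
        elif USER_WRITABLE.search(cmd):
            reasons.append(("low", "binary in user-writable path (common for legitimate per-user apps)"))
        if reasons:
            findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


def max_severity(findings, name):
    """Highest severity recorded for a value name, or None if it was not flagged."""
    order = {"low": 1, "medium": 2, "high": 3}
    best = 0
    for f in findings:
        if f["name"] == name:
            best = max([best] + [order[s] for s, _ in f["reasons"]])
    return {0: None, 1: "low", 2: "medium", 3: "high"}[best]
```

The low-severity rule fires on legitimate per-user installers too, which is why it is scored rather than treated as a verdict; the same rules apply unchanged to RunOnce keys, scheduled-task actions and service image paths once those are exported in the same name/type/data form.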
ROOTKIT
A rootkit is a type of malware designed to hide its presence on a system and give an attacker
unauthorized, hidden control over a computer — especially with root (admin-level) access.
1. They hide themselves and other malware (like keyloggers or trojans).
2. They give attackers full control of the infected system.
3. They can stay undetected for a long time, even by antivirus software.

Types of Rootkits
1. User-mode Rootkit:
This type hides inside normal applications or programs. It works at the user level and is
easier to detect and remove compared to deeper rootkits.
2. Kernel-mode Rootkit:
It hides inside the core part of the operating system (called the kernel). This makes it
very powerful and hard to detect, as it can control how the system works.
3. Bootkit:
A bootkit infects the bootloader, which runs before the operating system starts. This
allows the rootkit to take control early, before security software is active.
4. Firmware Rootkit:
This rootkit hides inside hardware firmware, like the BIOS or hard drive firmware. It can
survive even if you reinstall the operating system, making it very dangerous.
5. Virtualized (hypervisor) Rootkit:
It installs itself as a thin hypervisor beneath the running operating system and boots the original OS as a guest on top of it. Everything the OS sees is mediated by that layer, so the rootkit can intercept hardware access and hide its activity from tools running inside the guest.
Why Rootkits Are Dangerous:
• Very hard to detect and remove.
• Attackers can spy, steal data, or take full control.
• Can disable antivirus or system tools.
Detection and Prevention:
• Use specialized rootkit scanners, which compare what the running OS reports (files, processes, registry) with what is read directly from disk or memory; a hidden item shows up as a difference between the two views.
• Keep the OS and antivirus updated.
• Use behavior-based detection tools.
• Enable UEFI Secure Boot (and measured boot where available) so that unsigned bootloaders and bootkits do not load.
• Scan from trusted boot media, since a running rootkit controls what the live OS reports.
• In severe cases, reinstall the OS or reflash the firmware.
SPYWARE
Spyware is a type of malicious software (malware) that secretly monitors user activities and
sends the collected information to attackers without the user’s knowledge.
1. Spyware gets secretly installed through fake apps, pop-ups, or bundled with other software.
2. It runs in the background without the user knowing.
3. It monitors user activity like typing, browsing, or app usage.
4. It collects sensitive information such as passwords or card numbers.
5. The stolen data is sent to the attacker over the internet.
6. Spyware often stays on the system even after a restart.
Types of Spyware
1. Keylogger – Records everything typed on the keyboard.
2. Infostealer – Collects files, credentials, and system data.
3. Screen Capturer – Takes screenshots secretly.
4. Tracking Cookies – Tracks user’s online behavior.

ATTACKS AGAINST PRIVILEGED USER ACCOUNTS AND ESCALATION OF PRIVILEGES
Privileged User Accounts
These are special accounts like Admin or Root that have full control over a system.
Attackers try to gain access to these accounts to steal data or take control of systems.
Why Attackers Target Them
• Access to all files and settings
• Can install or delete programs
• Can disable security tools
• Can hide their activities
How Attackers Get In
1. Phishing – Fake emails to steal passwords
2. Weak Passwords – Easily guessable passwords
3. Unpatched Software – Bugs that allow entry
4. Malware Tools – Like keyloggers or password stealers
Common Attack Techniques
1. Phishing Attacks:
Fake emails or websites that trick users into giving away login credentials.
2. Brute Force Attacks:
Guessing passwords with automated tools; account lockout and rate limiting blunt this, and multi-factor authentication stops a guessed password from being enough on its own.
3. Credential Dumping:
Extracting passwords or password hashes from process memory (for example the LSASS process on Windows), from the local account database, or from cached credential files, then reusing or cracking them.

TOKEN KIDNAPPING
Token Kidnapping is a Windows privilege escalation technique in which code running in a lower-privileged context obtains (duplicates or impersonates) the access token of a higher-privileged process, such as one running as SYSTEM, and then acts with that process's rights. The name comes from research on abusing the impersonation rights of Windows service accounts to reach SYSTEM.
In Windows, an access token is like an identity badge attached to every process and thread: it records the user, group memberships and privileges, and the kernel checks it on every access decision.
When you log in, Windows builds a token for your session. An administrator's token carries administrative group membership and privileges; a standard user's token has limited rights.

Working
1. The attacker already runs code on the machine, typically in a service account or another context that holds an impersonation-related privilege (SeImpersonatePrivilege or SeDebugPrivilege). A plain unprivileged user cannot open SYSTEM processes or their tokens, so this is an escalation step, not an initial foothold.
2. They locate a process or thread running with higher privileges (SYSTEM or Administrator) whose token they can reach.
3. They open that process, duplicate its token, and either impersonate it on one of their threads or start a new process with it.
4. The attacker's code now carries the higher-privileged token.
5. They can perform SYSTEM-level actions without being an administrator. Defences: keep Windows patched, do not grant services impersonation privileges they do not need, and alert on token duplication and new process creation from service accounts.

VIRTUAL MACHINE DETECTION


Virtual Machine Detection is a technique used by malware (or sometimes software) to check if it
is running inside a virtual machine (VM) instead of a real physical computer.
1. Security analysts often run malware in VMs to analyze it safely.
2. Malware detects the virtual environment and then:
• Stops running to avoid detection.
• Changes its behavior to hide its real purpose.
• Delays execution to avoid sandbox detection.
Virtual Machine Detection Methods
1. Checking system hardware – Virtual devices, the SMBIOS manufacturer string (“VMware, Inc.”, or “innotek GmbH” for VirtualBox), disk model names, and network card MAC prefixes assigned to VMware, VirtualBox or QEMU give the hypervisor away.
2. Looking at running processes, drivers or files – Guest-tools processes such as VBoxService.exe and vmtoolsd.exe, or drivers such as vboxguest.sys and vmhgfs.sys.
3. Timing tests – Instructions that cause a VM exit (CPUID, for example) take far longer under a hypervisor; malware times them with RDTSC and compares with a baseline.
4. BIOS or registry checks – Hypervisor names appear in SMBIOS tables and in registry keys that describe the hardware and installed guest services.
5. CPUID instruction – On a virtual CPU, CPUID leaf 1 sets the hypervisor-present bit (ECX bit 31), and leaf 0x40000000 returns a vendor string such as “VMwareVMware” or “KVMKVMKVM”.
Working
• Malware runs on a system.
• It checks for VM clues like virtual drivers, processes (VBoxService, vmtoolsd), or hardware
names.
• It may use CPU instructions or timing tests to detect a virtual environment.
• If a VM is detected, the malware hides, exits, or delays its real behavior to avoid being
caught.
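The checks above, expressed as a scorer over a snapshot of host facts, as an added example that is not part of the original notes. The snapshot dictionaries are constructed; a real sample would gather them from SMBIOS/WMI, the process list, the network adapters and CPUID. The vendor strings and MAC prefixes are the publicly documented ones for VMware, VirtualBox, QEMU/KVM, Hyper-V and Parallels; the timing threshold and the two-indicator rule are assumptions:

```python
"""VM-detection heuristics of the kind malware uses, run over constructed
host snapshots. Added illustration; the snapshots, the cycle threshold and
the indicator threshold are assumptions for the example."""

VM_MANUFACTURERS = ("vmware", "innotek", "virtualbox", "qemu", "xen", "parallels")
VM_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe", "qemu-ga.exe"}
# Documented OUI prefixes: VMware (3), VirtualBox, QEMU/KVM, Hyper-V, Parallels.
VM_MAC_PREFIXES = {"00:0c:29", "00:50:56", "00:05:69", "08:00:27", "52:54:00", "00:15:5d", "00:1c:42"}
# CPUID leaf 0x40000000 vendor strings.
VM_HYPERVISOR_IDS = ("vmwarevmware", "vboxvboxvbox", "kvmkvmkvm", "microsoft hv", "xenvmmxenvmm")
CPUID_CYCLES_SUSPECT = 1000  # assumption: bare metal is typically a few hundred cycles


def vm_indicators(snapshot: dict) -> list:
    """Return (category, detail) pairs for every check that fires."""
    hits = []
    manuf = snapshot.get("manufacturer", "")
    if any(v in manuf.lower() for v in VM_MANUFACTURERS):
        hits.append(("hardware", "manufacturer string " + repr(manuf)))
    procs = {p.lower() for p in snapshot.get("processes", [])}
    for p in sorted(procs & VM_PROCESSES):
        hits.append(("process", p))
    for mac in snapshot.get("macs", []):
        if mac.lower()[:8] in VM_MAC_PREFIXES:
            hits.append(("mac", mac))
    if snapshot.get("cpuid_hypervisor_bit"):
        hits.append(("cpuid", "hypervisor-present bit set (leaf 1, ECX bit 31)"))
    vendor = snapshot.get("cpuid_vendor", "")
    if any(v in vendor.lower() for v in VM_HYPERVISOR_IDS):
        hits.append(("cpuid", "hypervisor vendor " + repr(vendor)))
    # Timing: RDTSC around CPUID; a VM exit makes it much slower than bare metal.
    if snapshot.get("cpuid_cycles", 0) > CPUID_CYCLES_SUSPECT:
        hits.append(("timing", "CPUID took %d cycles" % snapshot["cpuid_cycles"]))
    return hits


def looks_virtual(snapshot: dict, threshold: int = 2) -> bool:
    """Malware usually requires more than one indicator: the hypervisor bit
    alone is set on every cloud server, and aborting there would cost the
    attacker real targets."""
    return len(vm_indicators(snapshot)) >= threshold


# Constructed snapshots: an analyst sandbox, a physical laptop, and a sandbox
# that masks vendor strings and guest tools but cannot hide the CPUID bit.
SANDBOX = {"manufacturer": "VMware, Inc.", "processes": ["explorer.exe", "vmtoolsd.exe"],
           "macs": ["00:0C:29:12:34:56"], "cpuid_hypervisor_bit": True,
           "cpuid_vendor": "VMwareVMware", "cpuid_cycles": 2400}
LAPTOP = {"manufacturer": "Dell Inc.", "processes": ["explorer.exe", "outlook.exe"],
          "macs": ["3C:2E:FF:01:02:03"], "cpuid_hypervisor_bit": False,
          "cpuid_vendor": "", "cpuid_cycles": 180}
HARDENED_SANDBOX = {"manufacturer": "Dell Inc.", "processes": ["explorer.exe"],
                    "macs": ["3C:2E:FF:01:02:03"], "cpuid_hypervisor_bit": True,
                    "cpuid_vendor": "", "cpuid_cycles": 900}
```

Read from the defender's side, the list is the set of artifacts a sandbox should mask (vendor strings, guest-tool process names, MAC prefixes) and the ones it cannot easily mask (the CPUID bit, VM-exit latency), which is why single-indicator logic is rare in real samples and why analysts also run suspicious files on bare metal.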

STEALING INFORMATION AND EXPLOITATION


Stealing Information
This refers to when attackers gain unauthorized access to sensitive or confidential data from a
user, system, or network.
Examples of stolen data:
• Personal details (name, address, passwords)
• Financial data (credit card, bank info)
• Business secrets (trade secrets, documents)
Exploitation
Once the attacker gains access, they take advantage of vulnerabilities to control systems or
perform harmful activities.

FORMGRABBING
Formgrabbing is a type of cyberattack where malware captures data typed into online forms
(like login pages or payment forms) before it gets encrypted and sent over the internet.
Unlike keyloggers that record everything you type, formgrabbers only target data typed into web
forms, so they are more focused and harder to notice.
This method is often used by banking malware or spyware to steal data before it gets encrypted
(even on secure websites using HTTPS).
It’s very dangerous because:
• It runs silently in the background.
• The website looks and works normally.
• People don’t realize their data was stolen.
Hackers use this method to collect large amounts of personal or financial data and either sell it
or use it for fraud or identity theft.

Working
1. Malware enters the user’s computer, usually through fake emails, bad websites, or unsafe
downloads.
2. After installing, the malware injects itself into the browser process (such as Chrome or Firefox) and hooks the networking functions the browser calls to send a request (API hooking), a layer above the one where TLS encryption is applied.
3. When the user opens a website and types something into a form (like a username,
password, or card number), the malware catches that information before it's sent or
protected.
4. The stolen data is secretly saved in the background without the user knowing.
5. Finally, the malware sends this data to the attacker, who may use it or sell it online.
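Where the hook sits, and why HTTPS does not help, as an added example that is not from the original notes. Python's http.client stands in for the browser's networking library, the socket is a constructed sink so nothing leaves the machine, and the host name and form values are constructed; a real grabber patches native code in the browser process rather than a Python attribute, but the interception point is the same:

```python
"""A toy form grabber: hook the request function above the TLS layer, copy
form fields, and pass the call through so the page keeps working. Added
illustration; _SinkSocket, bank.example and the form values are constructed."""

import http.client
import urllib.parse

CAPTURED = []  # the grabber's log; a real one writes to disk or exfiltrates
_original_request = http.client.HTTPConnection.request


def _grabbing_request(self, method, url, body=None, headers=None, **kw):
    """Replacement for HTTPConnection.request (inherited by HTTPSConnection):
    record POST bodies that look like form submissions, then call the real
    function. The body is still plaintext here; TLS is applied further down."""
    headers = headers or {}
    if method.upper() == "POST" and body:
        raw = body if isinstance(body, bytes) else str(body).encode()
        ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
        if "application/x-www-form-urlencoded" in ctype:
            fields = dict(urllib.parse.parse_qsl(raw.decode(errors="replace")))
            CAPTURED.append({"url": url, "fields": fields})
    return _original_request(self, method, url, body=body, headers=headers, **kw)


def install_hook():
    http.client.HTTPConnection.request = _grabbing_request


def remove_hook():
    http.client.HTTPConnection.request = _original_request


def hook_present() -> bool:
    """Integrity check of the kind an anti-tamper module performs: is the
    function still the one the library defined? This catches the toy hook;
    a native inline hook needs a byte-level comparison of the function prologue."""
    return http.client.HTTPConnection.request is not _original_request


class _SinkSocket:
    """Constructed stand-in for the TLS socket: records what would be encrypted and sent."""
    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def close(self):
        pass


def submit_login(username: str, password: str) -> bytes:
    """The 'browser' submitting a login form to an HTTPS site (no network: the socket is fake).
    Returns the plaintext request that the TLS socket would have encrypted."""
    conn = http.client.HTTPSConnection("bank.example")
    conn.sock = _SinkSocket()
    body = urllib.parse.urlencode({"user": username, "pass": password})
    conn.request("POST", "/login", body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    return conn.sock.sent
```

The page "looks and works normally" because the hook forwards every call unchanged; the only observable difference is inside the process, which is why browser integrity checks, in-process memory scanning and endpoint detection, not stronger TLS, are the relevant defences.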

MAN-IN-THE-MIDDLE (MITM) ATTACK
A Man-in-the-Middle (MITM) attack is when a hacker secretly gets in between two people or
systems talking to each other, and reads, steals, or changes the information they send, without
them knowing.

Working
1. Attacker sets up a fake Wi-Fi or intercepts the network connection.
2. User connects to it unknowingly and starts sending data.
3. Attacker captures the data sent between user and server.
4. The data may be read or modified by the attacker.
5. Communication continues normally, but the attacker stays hidden in between.

Techniques
1. Wi-Fi Eavesdropping:
The attacker uses a fake or open Wi-Fi to capture users’ data.
2. DNS Spoofing:
The attacker redirects users to fake websites by altering DNS responses.
3. HTTPS Stripping:
The attacker rewrites links and redirects so that the victim's connection to the attacker stays plain HTTP while the attacker talks HTTPS to the real site; HSTS (with preloading) prevents this for sites that use it, because the browser refuses to load them over HTTP.
4. Session Hijacking:
The attacker steals session tokens to take over a logged-in session.
DLL INJECTION
DLL Injection is a technique mainly used by attackers to insert malicious code into a running
process by loading a fake or harmful DLL (Dynamic Link Library) file. This lets the attacker run
their code inside another program, usually without being noticed.
In Windows, most programs use DLLs to perform common tasks — like saving files, printing, or
using the internet. These DLLs are loaded into memory when the program runs.
Hackers take advantage of this by injecting their own DLL, which contains dangerous code. This
makes the target program unknowingly run the attacker’s code.
This method is often used by:
• Hackers – to spy on users or steal data
• Game cheaters – to hack or modify games
• Malware – to hide inside trusted programs
Since the harmful code runs inside a trusted program, it's very hard to detect. It looks like the
real program is doing everything — but secretly, the hacker's code is running in the background.

Working
1. The attacker finds a target process (like a browser or game).
2. They obtain a handle to the process (OpenProcess), write the DLL's path into its memory (VirtualAllocEx and WriteProcessMemory), and start a remote thread that calls LoadLibrary on that path (CreateRemoteThread); other variants hijack an existing thread or use SetWindowsHookEx to have the system load the DLL.
3. The target process loads the malicious DLL thinking it’s normal.
4. The malicious code runs inside the trusted program, often with its permissions.
5. The attacker now controls or manipulates the process, steals data, or performs spying
actions — without alerting the user.

BROWSER HELPER OBJECTS


Browser Helper Objects (BHOs) are add-on components made to extend Internet Explorer on Windows. They are loaded automatically when the browser starts and can interact with web pages, toolbars, and the browser's own functions.
1. BHOs are COM objects packaged as DLL files; Internet Explorer finds them by CLSID under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and loads each one into its process.
2. They can help with things like managing toolbars, downloading files, or improving search options.
3. But some BHOs are harmful, created by spyware or adware to track users, show ads, or steal information; because a BHO runs with the browser's full access, it sees page content and form input before encryption, just as a form grabber does. Internet Explorer is retired, and current browsers run extensions in a restricted, permission-based model instead.
Working
1. A BHO gets installed on the system (either by the user or silently by some
software/malware).
2. When Internet Explorer is opened, it automatically loads all installed BHOs.
3. The BHO runs inside the browser, sharing its memory and access.
4. This means a malicious BHO can see everything — what you type, what you browse, and
even redirect or track your activity.
