Reading Assignment (Ch 6)
Phases of operation of virus:
1. Dormant Phase: This is the idle phase of the virus. The virus will be activated later by events such as a disk size limit, a time and date, or the presence of another file.
2. Propagation Phase: In this phase the virus replicates itself and places a copy of itself in another program or another place. The virus might morph to avoid detection, i.e. the virus changes itself so that each copy has different content.
3. Triggering Phase: The virus is activated in this phase by one of the means stated above, to perform the functions for which it was built.
4. Execution Phase: The malicious function is performed in this phase; it can be harmless, like displaying messages, or it can be destructive to other programs and data.
2. Below is the classification of viruses based on their concealment mechanism:
1. Encrypted virus: In this type the virus encrypts its content to hide or obscure itself.
Some part of the virus is used to generate a random key, which is used to encrypt the remaining part of the virus. Whenever the infected program runs, the virus decrypts itself to perform the malicious activity. When the encrypted virus propagates it uses a different random key for encryption, so that copies do not share the same bit pattern.
2. Stealth Virus: A virus designed to hide itself entirely from anti-virus software. It uses mutation, compression and rootkit techniques to attain stealth.
3. Polymorphic virus: In this type the virus, when copying itself, makes changes to its own code so that the functionality remains the same but the signature is different for each copy. The best way to achieve this is encryption with a different key for each copy. The part which performs this is called the mutation engine; the mutation code itself is also changed after every use.
4. Metamorphic virus: This type rewrites itself completely at each iteration, so metamorphic viruses may change both their behavior and their signature.
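As an added illustration (not part of the assignment answers), the Python below models the encrypted/polymorphic layout described above: an unchanged decryptor stub, followed by a per-copy random key and the body XORed with that key. The stub and body bytes are constructed placeholder strings, not real code, and all function names are my own. It shows why a fixed byte signature taken from the body never matches across copies, why the invariant stub still does, and how a scanner that emulates the decryptor recovers the identical body from every copy.

```python
import hashlib
import os
from typing import Dict, List, Set

# Constructed stand-in for the virus body (plain text, not code).
BODY = b"CONSTRUCTED_BODY: replicate; trigger; payload"
# Constructed stand-in for the decryptor stub that every copy must carry unchanged.
STUB = b"CONSTRUCTED_DECRYPT_STUB:xor-loop"
KEY_LEN = 8


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_encrypted_copy(body: bytes, key: bytes) -> bytes:
    """Layout of one propagated copy: stub + key + encrypted body."""
    return STUB + key + xor_bytes(body, key)


def make_copies(n: int) -> List[bytes]:
    """Each copy gets a fresh random key, so the encrypted bytes differ per copy."""
    return [make_encrypted_copy(BODY, os.urandom(KEY_LEN)) for _ in range(n)]


def file_hashes(copies: List[bytes]) -> Set[str]:
    return {hashlib.sha256(c).hexdigest() for c in copies}


def signature_hits(copies: List[bytes], signature: bytes) -> int:
    """What a naive byte-signature scanner does: count copies containing the pattern."""
    return sum(1 for c in copies if signature in c)


def emulate_decrypt(copy: bytes) -> bytes:
    """What an emulating scanner does: apply the stub's logic, then inspect the plaintext body."""
    key = copy[len(STUB):len(STUB) + KEY_LEN]
    return xor_bytes(copy[len(STUB) + KEY_LEN:], key)


def run_demo(n: int = 5) -> Dict[str, object]:
    copies = make_copies(n)
    return {
        "distinct_hashes": len(file_hashes(copies)),              # every copy hashes differently
        "body_sig_hits": signature_hits(copies, b"replicate; trigger"),  # body signature: no hits
        "stub_sig_hits": signature_hits(copies, STUB),            # stub signature: all hits
        "all_recovered": all(emulate_decrypt(c) == BODY for c in copies),
    }
```

The body-signature count is zero only with overwhelming probability (a random key would have to contain a run of zero bytes), which is exactly why scanners key on the stub or on emulated plaintext rather than on the encrypted body.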
3. Backdoors are viruses that somehow bypass the normal security checks on the system, gaining unauthorized access. Bots are programs that spread by using the infected machine itself, acting as a clone; in this way the creator of the bot stays hidden. Spyware is code used to spy on information (keystrokes, network traffic, sensitive system information) and send it to another system. Keyloggers are a type of spyware that captures the keystrokes from the infected system. A rootkit is a program installed on a system in a highly stealthy mode that has root privilege on the system.
A single malware can have all of the above types in it. Assume a malicious code entered the system using a vulnerability which gives unauthorized access. This unauthorized access is root access to the system, so it is acting as a rootkit now. This rootkit can observe the keystrokes on the system and send them to another machine while hiding the transfer. This rootkit can propagate itself to other machines in the network by using their vulnerabilities and act as a bot.
4. As mentioned, even when the programs that could be consuming the internet traffic are closed, there is still high-level network activity. This shows there is a malware program on the system using the system resources. This kind of malware can be called a bot, worm, flooder or spammer. The system might be infected with flooders and spammers and be acting as a machine generating spam traffic. This can be categorized as a denial of service attack.
Another possibility might be that the system contains bot malware which performs some malicious activity on our system and propagates itself over the internet to other systems.
These types would get into your system if you visit a malicious website and download malware directly, or the website injects it proactively, or if you receive an email with a corrupt attachment.
Also, if you connect an external device to your system which already has malware on it.
This can be cleaned by installing antivirus software on the system and scanning it for viruses.
This can be reverted by observing the processes running on the system, looking for the process generating the large traffic, locating it and deleting it.
If the damage is large, then the system can be restored to the recent state by using the backups.
5. The game asking for the SMS and address book access permission is suspicious.
Also, the fact that it is available on a free market place means it is not verified by the authorized market place of your phone. By providing access to SMS and the address book, you can end up installing a spammer or flooder on your phone, so it can spam the contacts in your phone by flooding them with advertisements and install links. This can be categorized as adware as well.
So we shouldn't install it, as it is asking for irrelevant permissions and is not provided by authorized app markets.