Encrypted viruses. Encrypted viruses encipher their code with a variable key and carry a small decrypting module. Because the key varies from one copy to the next, the enciphered body gives antivirus software no stable pattern to match; the only part that may look suspicious is the decrypting module itself.
Polymorphic viruses. Like encrypted viruses, polymorphic viruses carry an encrypted copy of themselves, but they also modify the decryption module on each infection. Such viruses pose a serious problem for antivirus software because their signature changes every time they infect a new host, so detecting them by signature alone becomes very difficult. They can, however, be detected using statistical pattern analysis.
Metamorphic viruses. A metamorphic virus attempts to defeat antivirus software by rewriting itself completely each time it infects a new executable file. It does this with a metamorphic engine, which itself makes up a large amount of the virus's code.
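To make the detection argument concrete, here is an added example (not code from the article) that contrasts signature matching with the statistical check mentioned above. It assumes a simplified layout of a fixed decryptor stub followed by the enciphered body; the stub bytes, body bytes and SHA-256 keystream are all constructed stand-ins, not real malware.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a virus body: 32 distinct byte values repeated,
# so its entropy is exactly 5 bits per byte (nothing here is real malware).
PLAIN_BODY = bytes(range(0x40, 0x60)) * 32

# Constructed stand-in for the decryptor stub, which an encrypted (but not
# polymorphic) virus leaves unchanged from one infection to the next.
DECRYPTOR_STUB = bytes.fromhex("6089e1b9000400008a0731d8aa")

# Two signatures a scanner might hold: one cut from the plaintext body,
# one cut from the fixed decryptor stub.
BODY_SIGNATURE = PLAIN_BODY[8:24]
STUB_SIGNATURE = DECRYPTOR_STUB[:8]

def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_body(body: bytes, key: bytes) -> bytes:
    """XOR the body with a key-derived stream: the 'variable key' of the text."""
    return bytes(b ^ k for b, k in zip(body, keystream(key, len(body))))

def make_infection(key: bytes) -> bytes:
    """Assumed layout: fixed stub, then the body enciphered under this key."""
    return DECRYPTOR_STUB + encrypt_body(PLAIN_BODY, key)

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyse(sample: bytes) -> dict:
    """Signature matching plus the statistical check the text mentions."""
    body = sample[len(DECRYPTOR_STUB):]   # assumes the layout of make_infection
    return {
        "body_signature_hit": BODY_SIGNATURE in sample,
        "stub_signature_hit": STUB_SIGNATURE in sample,
        "body_entropy": round(shannon_entropy(body), 2),
        "looks_encrypted": shannon_entropy(body) > 7.0,
    }
```

Calling `analyse(make_infection(b"key-one"))` shows the body signature missing but the stub signature present and the body entropy near 8 bits per byte, while `analyse(DECRYPTOR_STUB + PLAIN_BODY)` reports a body signature hit and an entropy of exactly 5.0.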
A computer worm is a self-replicating standalone program that spreads on its own without attaching itself to an existing program. Worms often use a computer network to spread very rapidly and can cause a lot of damage (Fig. 2). Some worms only propagate, doing no direct harm to the systems they pass through, but even these consume a large amount of bandwidth.
Depending on the payload they carry, some worms can encrypt files or send sensitive information via e-mail. Such a worm scans the infected computer for files that contain e-mail addresses, such as address books and cached webpages, and then uses those addresses to send infected e-mail, often spoofing the sender address so that the infected messages appear to come from someone the recipient knows.
Many worms are used to install backdoor programs on the targeted machines so that an attacker can control them and use them to send malicious mail or spam. Attackers hide behind such groups of compromised, networked machines, called 'botnets'.
Computer worms can also be used for good purposes, such as fixing a vulnerability in the host system by exploiting that same vulnerability to download and install patches from the legitimate software vendor. Many worms take advantage of a vulnerability in the operating system to spread. If the vulnerability is disclosed and patched by the vendor before an attack, a zero-day cyber attack is possible.
A Trojan horse, or Trojan, is a malicious program that does not replicate itself and is technically not a virus. It is spread by viruses, worms or downloaded software. It enters a computer by hiding inside a legitimate program, often a game, a screen saver or a utility, and then plants malicious code in the operating system that lets the attacker gain access to, or control of, the compromised computer.
Some Trojan horses are used by the attacker to spy on the user's activities. The attacker can also use the machine as part of a botnet to send spam e-mail, distribute pornography or launch distributed denial-of-service attacks, and can install third-party malware, download or upload files, log keystrokes, modify or delete files, steal important data, crash the machine, and so on.
Hackers use port scanners to find compromised machines on the network and, once found, install malicious programs on them so that these networked machines can serve as a botnet. Because botnets are so popular among hackers, Trojan horse malware is on the rise and accounts for the largest share of the malware detected worldwide.
Backdoors are remote administration programs that allow hackers to access and control a user's computer while trying to remain undetected. Common examples are BackOrifice, Netbus and SubSeven. Some backdoors rewrite the compiler and piggy-back on the compilation process: the compromised compiler inserts the backdoor into the compiled output while the program's source code remains intact.
A phishing attack tricks computer users into divulging personal authentication data, such as usernames, passwords and credit card numbers, through a fraudulent e-mail message or website. These attacks involve the mass distribution of spoofed e-mail messages that link to fraudulent websites and appear to come from a trusted source, such as a bank, a large reputable merchant or a trusted service provider. When the recipient visits them, these fraudulent websites ask for personal information, which is later used for identity theft.
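One defensive check that follows directly from the description above, as an added example rather than code from the article: parse the links in an HTML mail body and flag any whose visible text names the trusted site while the href points at a different host. The sample message and all hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()

def suspicious_links(html: str, trusted_domain: str) -> list:
    """Links whose text names the trusted site but whose href leads elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        href_host = host_of(href)
        trusted = href_host == trusted_domain or href_host.endswith("." + trusted_domain)
        if trusted_domain in text.lower() and not trusted:
            flagged.append((text, href_host))
    return flagged

# Constructed sample message; the hostnames are placeholders, not real sites.
SAMPLE_MAIL = (
    '<p>Dear customer, confirm your details at '
    '<a href="http://bank-example.verify-login.test/">https://www.bank.example/login</a>'
    ' or read our <a href="https://www.bank.example/help">help page</a>.</p>'
)
```

`suspicious_links(SAMPLE_MAIL, "bank.example")` flags only the first link, whose displayed URL names the bank but whose href goes to the look-alike host.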
Cross-site scripting attacks
Web security rests partly on the same-origin policy, which states that "if it is learnt that content from a trusted website is granted permission to access resources on a user's system, then any content from that website will share the same resources, while content from some other website will have to get permission separately to access the resources."
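The policy quoted above compares origins, not whole URLs. The added example below (not code from the article) implements that comparison as browsers do it, on the scheme, host and port triple, with a `granted` set standing in for permission obtained separately; the default-port table and all URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Ports a browser treats as implicit when the URL gives none (assumed table).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def origin(url: str) -> tuple:
    """The (scheme, host, port) triple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def access_allowed(document_url: str, resource_url: str, granted=frozenset()) -> bool:
    """True when script in document_url gets the document's permissions on
    resource_url: same origin, or an origin that was separately granted."""
    return origin(resource_url) == origin(document_url) or origin(resource_url) in granted

# Constructed cases: (document, resource, expected). Path, query and an
# explicit default port do not matter; scheme, host (including subdomain)
# and a non-default port do.
CASES = [
    ("https://bank.example/account", "https://bank.example:443/api/balance", True),
    ("https://bank.example/account", "https://bank.example/logout?x=1", True),
    ("https://bank.example/account", "http://bank.example/api/balance", False),
    ("https://bank.example/account", "https://api.bank.example/data", False),
    ("https://bank.example/account", "https://bank.example:8443/admin", False),
    ("https://bank.example/account", "https://evil.example/steal", False),
]

def run_cases() -> bool:
    """Check every constructed case; returns True when all match."""
    return all(access_allowed(d, r) == expected for d, r, expected in CASES)
```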