Viruses, Trojans, Backdoors, Steganography & DoS/DDoS
This lesson covers the full malware taxonomy and denial-of-service attacks — the core offensive tools detailed in Unit II. Each attack type has distinct mechanisms, propagation methods, and defense strategies that appear frequently in BCA examinations.
---
Computer Viruses — Structure and Lifecycle
A computer virus is malicious code that attaches itself to legitimate files or programs and replicates when those files are executed. Like biological viruses, computer viruses require a host program to survive and spread.
Virus Lifecycle:
- Infection: Virus code attaches to an executable file or boot sector
- Dormancy: Virus may wait for a trigger condition (date, user action, file count)
- Triggering: Condition met; virus activates its payload
- Execution: Virus payload executes (deletes files, corrupts data, displays message, downloads more malware)
- Propagation: Infected files copied to other systems, new systems infected
Types of Viruses:
| Virus Type | Target | Infection Method | Example | Payload |
|---|---|---|---|---|
| File Infector | Executable files (.exe, .com) | Appends to or overwrites files | Jerusalem virus | Deletes files every Friday 13th |
| Boot Sector Virus | MBR/boot sector | Replaces boot code before OS loads | Stoned, Brain | Corrupts boot, disables OS startup |
| Macro Virus | Office documents (.doc, .xls) | VBA macros in documents | Melissa, Concept | Sends itself to Outlook contacts |
| Polymorphic Virus | Various | Changes its code signature each replication | Marburg virus | Evades signature-based AV |
| Metamorphic Virus | Various | Completely rewrites its own code | Simile virus | Very hard to detect |
| Multipartite Virus | Files + boot sector | Infects both files and boot sectors | Invader, Ghostball | Combined damage |
| Resident Virus | OS memory | Loads itself into RAM | CMC, Randex | Persists in memory even after the infected file is closed |
| Stealth Virus | OS hooks | Intercepts OS calls to hide itself | Brain virus | Hides infection from AV scans |
---
Trojan Horse — Deception as a Weapon
A Trojan horse (Trojan) is malware disguised as legitimate, useful software. Unlike viruses, Trojans do NOT self-replicate — they rely entirely on the user to install them voluntarily, deceived by their appearance.
How Trojans Work:
- Attacker packages malware inside apparently useful software (game, utility, codec, crack)
- User downloads and executes the software
- The visible functionality works as advertised (to avoid suspicion)
- Hidden malware component executes simultaneously: opens backdoor, installs keylogger, joins botnet
Trojan Categories:
| Trojan Type | Primary Function | Example | Target | Mechanism |
|---|---|---|---|---|
| Remote Access Trojan (RAT) | Full remote control of victim machine | DarkComet, njRAT, BlackShades | Desktop systems | Opens reverse shell to attacker |
| Banking Trojan | Steal online banking credentials | Zeus, TrickBot, Emotet | Windows users | Form grabber + Man-in-Browser |
| Downloader Trojan | Download additional malware | TrickBot, Emotet (dropper function) | Initial access | Downloads ransomware after infection |
| Rootkit Trojan | Hide malware and attacker presence | NTRootkit, Azazel | System level | Hooks OS kernel to hide processes |
| DDoS Trojan | Enlist device into DDoS botnet | Various | IoT, Windows | Connects to C2, awaits flood command |
| Ransomware Trojan | Encrypt files for ransom | WannaCry delivery chain | All platforms | Encrypts files, demands Bitcoin |
Exam Tip: Key difference: Virus = self-replicating, attaches to files. Trojan = disguised as legitimate software, does NOT self-replicate. Worm = self-replicating but does NOT need a host file; spreads autonomously across networks.
---
Backdoors and Remote Access
A backdoor is a hidden method for bypassing normal authentication to gain access to a system. Backdoors can be:
- Intentional (developer backdoor): Programmer-inserted "maintenance" access (controversial)
- Malicious: Installed by attacker after initial compromise (RAT payload, web shell)
Types of Backdoors:
| Type | Access Method | Installed By | Detection Difficulty | Example |
|---|---|---|---|---|
| RAT (Remote Access Trojan) | Reverse TCP/HTTPS shell | Trojan malware | High | DarkComet, Cobalt Strike beacon |
| Web Shell | HTTP requests to hidden PHP/ASPX file | Exploiting web vulnerability | Medium | China Chopper, WSO |
| Rootkit | Kernel-level hidden process/port | Advanced malware | Very High | Azazel, Necurs |
| SSH Backdoor | Unauthorized SSH key added | Post-exploitation | Medium | Adding to ~/.ssh/authorized_keys |
| Scheduled Task/Cron | Periodic re-infection | Post-exploitation | Medium | Windows Task Scheduler persistence |
---
Steganography — Hiding Data in Plain Sight
Steganography is the practice of concealing secret information within ordinary, non-secret data (images, audio, video, text) in a way that the presence of the hidden message is not apparent. Unlike encryption (which hides the meaning), steganography hides the very existence of the message.
Steganography Techniques:
| Technique | Carrier Medium | Method | Capacity | Detectability |
|---|---|---|---|---|
| LSB (Least Significant Bit) | Images (BMP, PNG) | Replaces least significant bits of pixel values | ~12.5% of image size | Low (imperceptible to human eye) |
| DCT Domain | JPEG images | Modifies DCT coefficients during JPEG compression | Low | Very Low (survives compression) |
| Audio Steganography | WAV, MP3 files | Encodes data in inaudible frequency ranges | Low–Medium | Very Low |
| Video Steganography | MP4, AVI | Hides data in individual video frames | High | Low |
| Text Steganography | Text documents | Modifies whitespace, uses invisible characters | Very Low | Very Low |
| Network Steganography | Network packets | Uses reserved header fields or timing | Varies | Low (requires deep packet inspection) |
Steganography in Cybercrime:
- Malware uses LSB steganography to hide C2 server addresses inside image files (bypasses DLP and firewall rules)
- Criminals use steganographic channels on social media (posting images with hidden instructions)
- In cyber forensics, investigators use steganalysis tools (StegDetect, SteghideDetect) to find hidden data
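The LSB technique from the table and the statistical steganalysis that finds it, as an added example that is not part of the lesson: it embeds a payload into a constructed 8-bit grayscale "image" (a flat list of pixel bytes), reads it back, and scores the image with the pairs-of-values chi-square check that steganalysis tools use.

```python
# Added example, not from the lesson: LSB embedding into a constructed
# grayscale pixel list plus the pairs-of-values chi-square steganalysis check.
import random
from collections import Counter

def lsb_embed(pixels, payload):
    """Copy of pixels with payload bits written into each byte's LSB.
    Capacity is 1 bit per 8-bit pixel, i.e. the ~12.5% figure above."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds LSB capacity")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def lsb_extract(pixels, nbytes):
    """Read nbytes back out of the LSB plane (MSB-first within each byte)."""
    data = bytearray()
    for i in range(nbytes):
        byte = 0
        for p in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (p & 1)
        data.append(byte)
    return bytes(data)

def pov_chi_square(pixels):
    """Pairs-of-values statistic: LSB embedding only moves pixels between the
    two values of a pair (2k, 2k+1), so it evens out their counts. Natural
    images score high; a fully embedded LSB plane scores near the pair count."""
    freq = Counter(pixels)
    chi = 0.0
    for k in range(128):
        a, b = freq.get(2 * k, 0), freq.get(2 * k + 1, 0)
        if a + b:
            expected = (a + b) / 2
            chi += (a - expected) ** 2 / expected
    return chi

def demo(seed=1, cover_len=4096):
    """Constructed cover: even values only, so its pair histogram is very
    lopsided and the flattening caused by embedding is easy to see.
    Returns (chi of cover, chi of stego, round-trip succeeded)."""
    rng = random.Random(seed)
    cover = [2 * rng.randrange(128) for _ in range(cover_len)]
    payload = bytes(rng.randrange(256) for _ in range(cover_len // 8))
    stego = lsb_embed(cover, payload)
    recovered = lsb_extract(stego, len(payload))
    return pov_chi_square(cover), pov_chi_square(stego), recovered == payload
```

On a real photo the cover score is lower than in this constructed case, so a scanner compares the statistic against a threshold tuned on clean images rather than against zero.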
---
DoS vs DDoS — Comparison and Mechanics
| Feature | DoS (Denial of Service) | DDoS (Distributed DoS) |
|---|---|---|
| Source | Single machine | Hundreds to millions of machines (botnet) |
| Traffic Volume | Limited (single source) | Massive (100s of Gbps possible) |
| Mitigation | Blocking one IP address | Requires CDN, anycast, scrubbing center |
| Attribution | Easier (one source IP) | Very difficult (traffic from worldwide IPs) |
| Cost for Attacker | Low (one system) | Higher (needs botnet or amplification) |
| Real Example | Ping of death | Mirai botnet (620 Gbps) |
DDoS Attack Categories:
| Category | Mechanism | Example Attack | Amplification Factor | Target Layer |
|---|---|---|---|---|
| Volumetric | Consumes bandwidth with traffic flood | UDP flood, ICMP flood | 1x–50x | Layer 3/4 (Network) |
| Amplification | Uses open servers to amplify traffic | DNS amplification; NTP amplification (556x) | Up to 556x | Layer 3/4 |
| Protocol | Exploits network protocol weaknesses | SYN flood, Ping of Death | N/A | Layer 3/4 |
| Application Layer | Targets specific application endpoints | HTTP GET/POST flood, Slowloris | N/A | Layer 7 (Application) |
---
Study Deep: Malware and DoS Analysis
- Emotet was the world's most dangerous malware: Emotet began as a banking Trojan in 2014 but evolved into a sophisticated malware delivery platform (malware-as-a-service). It infected millions of systems via malicious Word documents, then delivered TrickBot, QakBot, and ultimately Ryuk ransomware. Europol dismantled Emotet in January 2021 in a landmark multinational operation, but variants re-emerged by late 2021.
- Steganography bypasses DLP tools: Traditional Data Loss Prevention (DLP) tools scan for obvious patterns (credit card numbers, SSNs in documents). They cannot detect data hidden using LSB steganography in an image. A malicious insider could exfiltrate gigabytes of data through seemingly innocent image uploads. Next-gen DLP tools use statistical analysis to detect abnormal image entropy indicating steganographic content.
- Application-layer DDoS is hardest to stop: Volumetric DDoS can be scrubbed by upstream providers. But an application-layer attack sends legitimate-looking HTTP requests that consume server CPU (complex database queries, file operations). Rate limiting, CAPTCHA challenges, and web application firewalls with behavioral analysis are required. Cloudflare, Akamai, and AWS Shield Advanced provide application-layer DDoS protection.
- Polymorphic malware defeats signature-based AV: Traditional antivirus compares files against a database of known malware signatures (MD5/SHA-1 hashes). Polymorphic malware changes its signature with every infection. Modern EDR (Endpoint Detection and Response) solutions use behavioral detection — detecting what the malware DOES, not what it IS. This catches polymorphic and metamorphic malware.
- DNS amplification is the most powerful DDoS: An attacker sends small DNS queries (60 bytes) with spoofed source IP (victim's IP) to open DNS resolvers. The resolver sends large DNS responses (3000+ bytes) to the victim. This creates a 50x+ amplification factor. The 2018 GitHub DDoS attack (1.35 Tbps) used memcached amplification (51,000x factor). Mitigation: BCP38 anti-spoofing, disabling open DNS resolvers.
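The two mitigations named in the last point, as an added example that is not part of the lesson: a BCP38 egress check that drops outbound packets with a source address outside our own prefix, and a check for inbound DNS replies that no host of ours asked for. The prefix 203.0.113.0/24 and the flow records are constructed for the example.

```python
# Added example, not from the lesson: defender-side checks for the DNS
# amplification scenario above, run over constructed flow records.
import ipaddress

# Assumed: our network is the documentation prefix 203.0.113.0/24.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes, direction);
# direction "out" = leaving our edge router, "in" = arriving at it.
FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.53", 53, 60, "out"),   # our own query
    ("198.51.100.53", 53, "203.0.113.10", 40001, 180, "in"),   # its normal reply
    ("192.0.2.7", 40002, "198.51.100.53", 53, 60, "out"),      # spoofed source
    ("198.51.100.54", 53, "203.0.113.20", 40003, 3100, "in"),  # unsolicited, large
    ("198.51.100.55", 53, "203.0.113.20", 40003, 3100, "in"),  # unsolicited, large
]

def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes

def bcp38_violations(flows, prefixes=OUR_PREFIXES):
    """BCP38 egress filtering: an outbound packet whose source address is
    not one of ours is spoofed and should be dropped at the edge."""
    bad = []
    for src, _sp, _dst, _dp, _n, direction in flows:
        if direction == "out" and not any(ipaddress.ip_address(src) in p for p in prefixes):
            bad.append(src)
    return bad

def unsolicited_dns_responses(flows, min_bytes=1000):
    """Inbound DNS replies with no matching outbound query from the addressed
    host: the traffic pattern a reflected flood produces at the victim."""
    queries = {(src, sp, dst) for src, sp, dst, dp, _n, d in flows
               if d == "out" and dp == 53}
    hits = []
    for src, sp, dst, dp, n, d in flows:
        if d == "in" and sp == 53 and n >= min_bytes and (dst, dp, src) not in queries:
            hits.append((src, dst, n))
    return hits
```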