Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

Viruses, Trojans, Backdoors, Steganography & DoS/DDoS

Lesson 8 of 15 in the free Cyber Security notes on Siksha Sarovar, written by Rohit Jangra.

This lesson covers the full malware taxonomy and denial-of-service attacks — the core offensive tools detailed in Unit II. Each attack type has distinct mechanisms, propagation methods, and defense strategies that appear frequently in BCA examinations.

---

Computer Viruses — Structure and Lifecycle

A computer virus is malicious code that attaches itself to legitimate files or programs and replicates when those files are executed. Like biological viruses, computer viruses require a host program to survive and spread.

Virus Lifecycle:

  1. Infection: Virus code attaches to an executable file or boot sector
  2. Dormancy: Virus may wait for a trigger condition (date, user action, file count)
  3. Triggering: Condition met; virus activates its payload
  4. Execution: Virus payload executes (deletes files, corrupts data, displays message, downloads more malware)
  5. Propagation: Infected files copied to other systems, new systems infected

Types of Viruses:

| Virus Type | Target | Infection Method | Example | Payload |
|---|---|---|---|---|
| File Infector | Executable files (.exe, .com) | Appends to or overwrites files | Jerusalem virus | Deletes files every Friday 13th |
| Boot Sector Virus | MBR/boot sector | Replaces boot code before OS loads | Stone, Brain | Corrupts boot, disables OS startup |
| Macro Virus | Office documents (.doc, .xls) | VBA macros in documents | Melissa, Concept | Sends itself to Outlook contacts |
| Polymorphic Virus | Various | Changes its code signature each replication | Marburg virus | Evades signature-based AV |
| Metamorphic Virus | Various | Completely rewrites its own code | Simile virus | Very hard to detect |
| Multipartite Virus | Files + boot sector | Infects both files and boot sectors | Invader, Ghostball | Combined damage |
| Resident Virus | OS memory | Loads itself into RAM | CMC, Randex | Persists even after infected file closed |
| Stealth Virus | OS hooks | Intercepts OS calls to hide itself | Brain virus | Hides infection from AV scans |

---

Trojan Horse — Deception as a Weapon

A Trojan horse (Trojan) is malware disguised as legitimate, useful software. Unlike viruses, Trojans do NOT self-replicate — they rely entirely on the user to install them voluntarily, deceived by their appearance.

How Trojans Work:

  1. Attacker packages malware inside apparently useful software (game, utility, codec, crack)
  2. User downloads and executes the software
  3. The visible functionality works as advertised (to avoid suspicion)
  4. Hidden malware component executes simultaneously: opens backdoor, installs keylogger, joins botnet

Trojan Categories:

| Trojan Type | Primary Function | Example | Target | Mechanism |
|---|---|---|---|---|
| Remote Access Trojan (RAT) | Full remote control of victim machine | DarkComet, njRAT, BlackShades | Desktop systems | Opens reverse shell to attacker |
| Banking Trojan | Steal online banking credentials | Zeus, TrickBot, Emotet | Windows users | Form grabber + Man-in-Browser |
| Downloader Trojan | Download additional malware | TrickBot, Emotet (dropper function) | Initial access | Downloads ransomware after infection |
| Rootkit Trojan | Hide malware and attacker presence | NTRootkit, Azazel | System level | Hooks OS kernel to hide processes |
| DDoS Trojan | Enlist device into DDoS botnet | Various | IoT, Windows | Connects to C2, awaits flood command |
| Ransomware Trojan | Encrypt files for ransom | WannaCry delivery chain | All platforms | Encrypts files, demands Bitcoin |

Exam Tip: Key difference: Virus = self-replicating, attaches to files. Trojan = disguised as legitimate software, does NOT self-replicate. Worm = self-replicating but does NOT need a host file; spreads autonomously across networks.

---

Backdoors and Remote Access

A backdoor is a hidden method for bypassing normal authentication to gain access to a system. Backdoors can be:

  • Intentional (developer backdoor): Programmer-inserted "maintenance" access (controversial)
  • Malicious: Installed by attacker after initial compromise (RAT payload, web shell)

Types of Backdoors:

| Type | Access Method | Installed By | Detection Difficulty | Example |
|---|---|---|---|---|
| RAT (Remote Access Trojan) | Reverse TCP/HTTPS shell | Trojan malware | High | DarkComet, Cobalt Strike beacon |
| Web Shell | HTTP requests to hidden PHP/ASPX file | Exploiting web vulnerability | Medium | China Chopper, WSO |
| Rootkit | Kernel-level hidden process/port | Advanced malware | Very High | Azazel, Necurs |
| SSH Backdoor | Unauthorized SSH key added | Post-exploitation | Medium | Adding to ~/.ssh/authorized_keys |
| Scheduled Task/Cron | Periodic re-infection | Post-exploitation | Medium | Windows Task Scheduler persistence |
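The SSH backdoor row above is the easiest of these to audit from the defender's side: every key in `authorized_keys` has a fingerprint, and any fingerprint not in an approved baseline is a finding. The script below is an added example (not code from the lesson or from Siksha Sarovar); the key blobs in it are constructed so it runs offline, and the function and variable names are this example's own.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def constructed_ed25519_key(seed: int) -> str:
    """Constructed sample key (not a real identity) in OpenSSH public-key blob format."""
    key_bytes = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # any 32 bytes
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)).decode()

def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, keytype, b64, comment) per key line; skip blanks and comments."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Leading options (command=, from=, ...) end where the key-type field begins.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line; a stricter audit would report it
        yield " ".join(fields[:idx]), fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])

def audit_authorized_keys(text: str, approved_fingerprints):
    """Return one finding per key whose fingerprint is not in the approved baseline."""
    findings = []
    for options, keytype, b64, comment in parse_authorized_keys(text):
        fp = fingerprint(b64)
        if fp not in approved_fingerprints:
            findings.append({"fingerprint": fp, "type": keytype,
                             "comment": comment or "<none>", "options": options})
    return findings

# Constructed sample file: key 1 is the approved admin key; key 2 appeared after a compromise.
APPROVED = {fingerprint(constructed_ed25519_key(1))}
SAMPLE_FILE = "\n".join([
    "# admin workstation",
    "ssh-ed25519 " + constructed_ed25519_key(1) + " admin@laptop",
    'from="*" ssh-ed25519 ' + constructed_ed25519_key(2) + " backup",
])
```

On a real host the same audit reads each user's `~/.ssh/authorized_keys` and `/root/.ssh/authorized_keys`, with the baseline built from `ssh-keygen -lf` output of the keys the team actually issued.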

---

Steganography — Hiding Data in Plain Sight

Steganography is the practice of concealing secret information within ordinary, non-secret data (images, audio, video, text) in a way that the presence of the hidden message is not apparent. Unlike encryption (which hides the meaning), steganography hides the very existence of the message.

Steganography Techniques:

| Technique | Carrier Medium | Method | Capacity | Detectability |
|---|---|---|---|---|
| LSB (Least Significant Bit) | Images (BMP, PNG) | Replaces least significant bits of pixel values | ~12.5% of image size | Low (imperceptible to human eye) |
| DCT Domain | JPEG images | Modifies DCT coefficients during JPEG compression | Low | Very Low (survives compression) |
| Audio Steganography | WAV, MP3 files | Encodes data in inaudible frequency ranges | Low–Medium | Very Low |
| Video Steganography | MP4, AVI | Hides data in individual video frames | High | Low |
| Text Steganography | Text documents | Modifies whitespace, uses invisible characters | Very Low | Very Low |
| Network Steganography | Network packets | Uses reserved header fields or timing | Varies | Low (requires deep packet inspection) |

Steganography in Cybercrime:

  • Malware uses LSB steganography to hide C2 server addresses inside image files (bypasses DLP and firewall rules)
  • Criminals use steganographic channels on social media (posting images with hidden instructions)
  • In cyber forensics, investigators use steganalysis tools (StegDetect, SteghideDetect) to find hidden data
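The LSB row of the table and the steganalysis point above can be worked through on a few hundred pixels: embedding changes each pixel by at most 1 (hence "imperceptible"), one bit per 8-bit pixel gives the ~12.5% capacity figure, and the statistic that "next-gen DLP" style detection relies on (Study Deep item 2) is visible as the LSB plane turning from flat to near-random. This is an added example, not code from the lesson; the grayscale cover image is constructed inline and the function names are this example's own.

```python
import math

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Store a 16-bit length prefix plus the message, one bit per pixel LSB (8-bit grayscale)."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message exceeds capacity of %d bytes" % (len(cover) // 8 - 2))
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # pixel value changes by at most 1
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the length prefix, then that many bytes from the LSB plane."""
    bits = [p & 1 for p in stego]

    def byte_at(n: int) -> int:
        return int("".join(str(b) for b in bits[n * 8:(n + 1) * 8]), 2)

    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + n) for n in range(length))

def lsb_plane_entropy(pixels: bytes, window: int) -> float:
    """Shannon entropy (bits) of the LSB plane over the first `window` pixels.
    A smooth cover region gives ~0; embedded data pushes it towards 1."""
    p1 = sum(p & 1 for p in pixels[:window]) / window
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))

def capacity_fraction(cover: bytes) -> float:
    """One hidden bit per 8-bit pixel: the ~12.5% figure in the technique table."""
    return (len(cover) // 8) / len(cover)

# Constructed 32x32 grayscale cover: a smooth gradient whose values are all multiples of 4,
# so its LSB plane is entirely zero (a stand-in for a flat, low-noise region of a photo).
COVER = bytes((((i % 32) + (i // 32)) * 4) & 0xFF for i in range(1024))
MESSAGE = b"meet at dawn"
STEGO = embed_lsb(COVER, MESSAGE)
WINDOW = (len(MESSAGE) + 2) * 8  # the pixels that actually carry payload bits
```

Real photographs already carry sensor noise in the LSB plane, so production steganalysis tools use pair-of-values statistics (the chi-square attack) rather than raw LSB entropy; the simpler entropy statistic is kept here because it is the one the lesson names.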

---

DoS vs DDoS — Comparison and Mechanics

| Feature | DoS (Denial of Service) | DDoS (Distributed DoS) |
|---|---|---|
| Source | Single machine | Hundreds to millions of machines (botnet) |
| Traffic Volume | Limited (single source) | Massive (100s of Gbps possible) |
| Mitigation | Blocking one IP address | Requires CDN, anycast, scrubbing center |
| Attribution | Easier (one source IP) | Very difficult (traffic from worldwide IPs) |
| Cost for Attacker | Low (one system) | Higher (needs botnet or amplification) |
| Real Example | Ping of death | Mirai botnet (620 Gbps) |

DDoS Attack Categories:

| Category | Mechanism | Example Attack | Amplification Factor | Target Layer |
|---|---|---|---|---|
| Volumetric | Consumes bandwidth with traffic flood | UDP flood, ICMP flood | 1x–50x | Layer 3/4 (Network) |
| Amplification | Uses open servers to amplify traffic | DNS amplification (NTP 556x) | Up to 556x | Layer 3/4 |
| Protocol | Exploits network protocol weaknesses | SYN flood, Ping of Death | N/A | Layer 3/4 |
| Application Layer | Targets specific application endpoints | HTTP GET/POST flood, Slowloris | N/A | Layer 7 (Application) |

---

Study Deep: Malware and DoS Analysis

  1. Emotet was the world's most dangerous malware: Emotet began as a banking Trojan in 2014 but evolved into a sophisticated malware delivery platform (malware-as-a-service). It infected millions of systems via malicious Word documents, then delivered TrickBot, QakBot, and ultimately Ryuk ransomware. Europol dismantled Emotet in January 2021 in a landmark multinational operation, but variants re-emerged by late 2021.
  2. Steganography bypasses DLP tools: Traditional Data Loss Prevention (DLP) tools scan for obvious patterns (credit card numbers, SSNs in documents). They cannot detect data hidden using LSB steganography in an image. A malicious insider could exfiltrate gigabytes of data through seemingly innocent image uploads. Next-gen DLP tools use statistical analysis to detect abnormal image entropy indicating steganographic content.
  3. Application-layer DDoS is hardest to stop: Volumetric DDoS can be scrubbed by upstream providers. But an application-layer attack sends legitimate-looking HTTP requests that consume server CPU (complex database queries, file operations). Rate limiting, CAPTCHA challenges, and web application firewalls with behavioral analysis are required. Cloudflare, Akamai, and AWS Shield Advanced provide application-layer DDoS protection.
  4. Polymorphic malware defeats signature-based AV: Traditional antivirus compares files against a database of known malware signatures (MD5/SHA-1 hashes). Polymorphic malware changes its signature with every infection. Modern EDR (Endpoint Detection and Response) solutions use behavioral detection — detecting what the malware DOES, not what it IS. This catches polymorphic and metamorphic malware.
  5. DNS amplification is the most powerful DDoS: An attacker sends small DNS queries (60 bytes) with spoofed source IP (victim's IP) to open DNS resolvers. The resolver sends large DNS responses (3000+ bytes) to the victim. This creates a 50x+ amplification factor. The 2018 GitHub DDoS attack (1.35 Tbps) used memcached amplification (51,000x factor). Mitigation: BCP38 anti-spoofing, disabling open DNS resolvers.
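Seen from the victim's network, the DNS amplification pattern in item 5 and the DoS/DDoS "Source" row of the comparison table both reduce to questions a flow collector can answer: are UDP/53 answers arriving from servers this host never queried, how many bytes arrive per byte the attacker spent, and how many distinct sources are involved? The block below is an added example (not code from the lesson or from Siksha Sarovar); the flow records are constructed with documentation-range addresses, and the 60-byte and 3000-byte sizes are the ones the lesson quotes.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.10 is the monitored host; 198.51.100.53 is its legitimate resolver.
VICTIM = "203.0.113.10"
QUERY_BYTES = 60  # size of the small spoofed query quoted in the lesson
FLOWS = [
    (VICTIM, 51000, "198.51.100.53", 53, "udp", QUERY_BYTES),  # outbound lookup
    ("198.51.100.53", 53, VICTIM, 51000, "udp", 200),          # its normal-sized answer
]
# Forty open resolvers each sending a 3000-byte answer the victim never asked for.
FLOWS += [("192.0.2.%d" % i, 53, VICTIM, 443, "udp", 3000) for i in range(1, 41)]

def reflected_dns_responses(flows, victim):
    """Bytes per source for UDP/53 responses to the victim from servers it never queried.
    Unsolicited answers like these are the footprint of a spoofed-source amplification attack."""
    queried = {dst for src, _, dst, dport, proto, _ in flows
               if src == victim and dport == 53 and proto == "udp"}
    suspects = defaultdict(int)
    for src, sport, dst, _, proto, size in flows:
        if dst == victim and sport == 53 and proto == "udp" and src not in queried:
            suspects[src] += size
    return dict(suspects)

def amplification_factor(response_bytes, query_bytes=QUERY_BYTES):
    """Bytes delivered to the victim per byte the attacker sent (3000 / 60 = 50x)."""
    return response_bytes / query_bytes

def classify_flood(flows, victim, distributed_threshold=10):
    """DoS vs DDoS by the 'Source' row of the comparison table: one source versus many."""
    inbound = [f for f in flows if f[2] == victim]
    sources = {f[0] for f in inbound}
    return {"sources": len(sources), "bytes": sum(f[5] for f in inbound),
            "kind": "DDoS" if len(sources) >= distributed_threshold else "DoS"}
```

The same query-versus-answer matching is what a stateful firewall does implicitly, which is why the lesson's mitigations (BCP38 at the sending networks, closing open resolvers) aim at the reflection step rather than at the victim.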