InfoSec
Virus Hoax
A virus hoax is a false virus warning, usually in the form of an email message. It urges the reader to forward the message to others, resulting in a rapidly growing proliferation of emails that may overload systems.
Mobile Device Virus / Worms
Like any computing platform, mobile devices are susceptible to malicious code attacks. Although malicious code for handheld devices and smart phones is not that common at present, there is likely to be an increase as the functionality of mobile applications increases and as these devices are more widely deployed.
The open architecture of mobile application development environments, often with extensive software development documentation and tools, also allows attackers to create malicious code for these platforms quite easily.
Malicious code can infect mobile devices in several ways. These include:
Via email, SMS or MMS: a message containing a hyperlink to malicious code is sent to entice a user to select the link and download the code. Alternatively, the code can be sent in an email as an attached file and infect the device when executed. Similarly, malicious code can also be propagated via MMS messages. SymbOS / Commwarrior.M is a worm that is capable of spreading via MMS messages on Symbian Series 60 devices.
Via desktop synchronisation: the worm Cxover is one such example. Cxover is a proof-of-concept worm that can affect both Windows PC and Windows Mobile devices. If it is executed on a Windows Mobile device, it will copy itself to the computer over an ActiveSync connection. If it is executed on a Windows PC, it will search for any handheld devices connected over ActiveSync and copy itself to the device.
Via Bluetooth, Infra-red or Wi-Fi: the first worm capable of spreading via Bluetooth was discovered in June 2004 and was named Cabir. It was a proof-of-concept worm for Symbian OS Series 60 smart phones but it has not been found in the wild since then. The worm required several interactive steps on the part of the recipient in order to execute. An attacker can also exploit this potential weakness of Bluetooth by intentionally sending a malicious program and tricking the recipient into accepting it.
Logic Bombs
A logic bomb is program code that is embedded in another program and can be activated when certain predefined criteria are met.
For instance, a time bomb will attack a system and erase all data if a licence key or another program code is not found in the system. In some cases, a logic bomb will inform the attacker via the Internet that the bomb is ready to attack the victim.
Trap Door
A trap door is a secret entry point into a program that is intentionally included in the program code. While it can facilitate debugging during program development, it may be used for malicious purposes as well.
The following are common obfuscation techniques used by malicious code developers and writers to evade detection and destruction:
Binders and Packers
Most virus signature files are based on a checksum value computed from
the file properties and the first few bytes of the malicious code
binary. The binder technique binds the virus or malicious code file
onto another file, which changes its form. The packer technique
compresses the virus code before it is embedded.
Self-Encryption and Self-Decryption
Malicious code may encrypt and decrypt itself, even using several layers
of encryption and decryption and/or using random keys in encryption and
decryption. This makes them harder to examine directly.
Polymorphism
Malicious code can change its default encryption settings as well as the
decryption code during self-encryption. This makes it much more difficult
to detect.
Metamorphism
Malicious code changes its form by, for instance, rearranging its code fragments
and/or adding useless lines of code to its source, and recompiling
itself into a new form.
Code conversion to a VB (Visual Basic) script
This method converts an executable program (.exe) into a Visual Basic script
(.vbs) file that can be attached to a document, data files or email messages.
Stealth
The technique is designed to evade anti-virus software detection by hiding
the code itself. One example is to monitor system calls to files; the malicious
code then modifies the information returned to the calling process so that
only the original information is returned.
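The Binders and Packers entry above says signatures are checksums over file properties and the first few bytes. The following added example (not part of the original page) shows from the scanner's side why such a signature misses a packed or bound copy, and how unpack-and-rescan and an entropy check recover some of that coverage. The 64-byte prefix, the 7.0 threshold, the function names and all sample data are assumptions constructed for illustration.

```python
import hashlib
import lzma
import math
import random
import zlib
from collections import Counter

PREFIX_LEN = 64  # assumption: "first few bytes" modelled as the first 64

def checksum_signature(data: bytes) -> str:
    """Checksum over one file property (size) and the leading bytes."""
    header = len(data).to_bytes(8, "big") + data[:PREFIX_LEN]
    return hashlib.sha256(header).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0); compressed data scores high."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def scan(data: bytes, known: set, threshold: float = 7.0) -> str:
    """Match known signatures, retry after unpacking, then fall back to entropy."""
    if checksum_signature(data) in known:
        return "known"
    try:
        inner = zlib.decompress(data)  # the only unpacker this sketch knows
    except zlib.error:
        inner = None
    if inner is not None and checksum_signature(inner) in known:
        return "known-after-unpack"
    if shannon_entropy(data) >= threshold:
        return "suspicious-high-entropy"  # likely packed or encrypted; triage it
    return "no-match"

# Constructed, harmless stand-in for a catalogued file: 20,000 low-entropy bytes.
SAMPLE = bytes(random.Random(2002).choices(b"ABCDEFGHIJKLMNOP", k=20000))
KNOWN = {checksum_signature(SAMPLE)}
PACKED = zlib.compress(SAMPLE)        # packer the scanner can undo
OTHER_PACKED = lzma.compress(SAMPLE)  # packer the scanner cannot undo
BOUND = b"constructed carrier\n" * 50 + SAMPLE  # binder: body moved off the prefix

if __name__ == "__main__":
    for name, blob in [("original", SAMPLE), ("zlib-packed", PACKED),
                       ("lzma-packed", OTHER_PACKED), ("bound", BOUND)]:
        print(f"{name:12} entropy={shannon_entropy(blob):.2f} -> {scan(blob, KNOWN)}")
```

The bound copy comes back as "no-match": neither the prefix checksum nor the entropy check sees content that sits deeper in an otherwise ordinary file, which is why scanners also need to examine content beyond the file header.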
Copyright 2002. The Government of the Hong Kong Special Administrative Region.