Malware Analysis Assignment

Uploaded by Abhinav Garg

A1) Explain the working of the types of malware in computer machines.

Malware is any software intentionally designed to cause damage to a computer, server, client, or
computer network. It can take many forms, each with a different mechanism for causing harm.

1. Virus:

● Definition: A computer virus is a type of malware that attaches itself to legitimate
programs and spreads when the infected program is executed.
● Working: Viruses spread by attaching themselves to files (such as executable
programs), and once a file is opened or executed, the virus is activated. It can replicate,
modify system files, or corrupt data. Viruses rely on user action to propagate, such as
sharing infected files via email or external storage devices.

2. Worm:

● Definition: A worm is a standalone malware that replicates itself to spread to other
computers, usually without needing to attach to a host program.
● Working: Worms spread through networks by exploiting vulnerabilities in software or
operating systems. Unlike viruses, worms do not require user interaction and can
propagate across networks, consuming bandwidth and slowing down systems. They can
also deliver payloads, such as installing backdoors or deleting files.

3. Trojan Horse:

● Definition: A Trojan horse disguises itself as legitimate software but contains malicious
instructions that can compromise security.
● Working: Trojans are often spread through phishing emails or downloaded from infected
websites. Once installed, they can execute a range of malicious activities, including
stealing information, creating backdoors, or monitoring user activity. Trojans do not
replicate themselves like viruses or worms but can cause severe harm by opening the
system to further attacks.

4. Spyware:

● Definition: Spyware is a type of malware that secretly gathers information about a
user's activity without their knowledge.
● Working: Spyware typically runs in the background and collects data such as browsing
habits, keystrokes (keyloggers), and login credentials. This information is then sent back
to the attacker. Spyware often comes bundled with free software or is installed through
malicious websites. It can lead to identity theft or the compromise of sensitive data.

5. Ransomware:
● Definition: Ransomware encrypts the user's data or locks them out of their system,
demanding a ransom to restore access.
● Working: Ransomware typically spreads through phishing emails, drive-by downloads,
or network vulnerabilities. Once inside a system, it encrypts files or locks the user out. A
ransom message is displayed, demanding payment (usually in cryptocurrency) in
exchange for the decryption key. Even after paying, there is no guarantee that the
attackers will restore access to the data.

6. Adware:

● Definition: Adware is software that automatically delivers advertisements, often in the
form of pop-ups or browser redirections.
● Working: Adware is often bundled with legitimate software, and users may unknowingly
install it. Once installed, it displays unwanted advertisements on the system. It can slow
down the machine and lead to malicious websites if the user clicks on the ads. Some
adware also collects user data to display targeted ads.

7. Rootkit:

● Definition: A rootkit is a set of software components that hides an attacker's presence
and activity on a system, typically by subverting the operating system itself.
● Working: Rootkits hook or patch system calls, kernel data structures, or system binaries
so that the processes, files, registry keys, and network connections belonging to the
attacker are omitted from what the user and security software can see. They require
administrator or kernel-level privileges to install and are used to keep long-term,
undetected control over the system. They are usually installed through social
engineering or by exploiting a vulnerability, often as the final stage after another piece
of malware has already gained privileges.

A2) What are hash code generation algorithms? Describe their operations/algorithms in
detail (any 5).

Hashing algorithms take an input (or "message") of arbitrary length and return a
fixed-size "digest". The digest is deterministic: the same input always produces the
same value, and even a one-bit change produces a completely different one. A
cryptographic hash additionally makes it infeasible to find two inputs with the same
digest (collision resistance) or to recover an input from its digest (preimage resistance).
In malware analysis, digests are used to identify samples and to verify that a file has not
been modified.

1. MD5 (Message Digest Algorithm 5):

● Operation: MD5 takes a message of any length and produces a 128-bit hash value. The
message is padded so that its length is 64 bits short of a multiple of 512, the original
length is appended as a 64-bit value, and the result is processed in 512-bit blocks of
sixteen 32-bit words. Each block goes through four rounds of 16 steps that mix the block
into a 128-bit state using additions, rotations, and bitwise functions. The final state is
the digest, usually written as 32 hexadecimal characters.
● Application: MD5 is still used as a quick checksum and as a sample identifier in
malware databases, but it is broken as a cryptographic hash: collisions (two different
inputs that produce the same digest) have been practical since 2004 and can now be
generated in seconds on commodity hardware. An MD5 match is fine for looking up a
known sample, but not as proof that an attacker-supplied file is unmodified.

2. SHA-256 (Secure Hash Algorithm 256-bit):

● Operation: SHA-256 is part of the SHA-2 family. Like MD5 it pads the input and appends
its length so that the total is a multiple of 512 bits, then processes the data in 512-bit
blocks. Each block is expanded into a 64-word message schedule and run through 64
rounds that update eight 32-bit working variables using fixed logical functions and round
constants. The output is a 256-bit (64 hexadecimal character) digest.
● Application: SHA-256 is widely used in blockchains, digital signatures, code signing,
and TLS (for certificate signatures and HMAC, not for the encryption itself). No practical
collision or preimage attack is known, so it is the digest to record and share for a
malware sample when a single value is wanted.

3. SHA-1 (Secure Hash Algorithm 1):

● Operation: SHA-1 processes data in 512-bit blocks and produces a 160-bit hash value.
Its design is similar to MD5, with a larger 160-bit state and 80 steps per block instead of
MD5's 64. It was designed to provide a secure checksum for verifying the integrity of files
or messages.
● Application: SHA-1 was widely used in digital certificates, code signing, and Git, but it
is deprecated: collisions have been known to be feasible in theory since 2005, and a
practical collision was publicly demonstrated in 2017 (the SHAttered attack). Browsers
and certificate authorities no longer accept SHA-1 certificates.

4. CRC32 (Cyclic Redundancy Check):

● Operation: CRC32 is a non-cryptographic check value, not a secure hash. It is designed
to detect accidental changes such as transmission errors. It treats the data as a large
polynomial over GF(2), divides it by a fixed 33-bit generator polynomial (0x04C11DB7 for
the common CRC-32/IEEE variant), and the 32-bit remainder is the CRC. Because the
computation is linear, an attacker who changes the data can always append or adjust a
few bytes so that the CRC matches any chosen value. CRC32 is much faster than
cryptographic hashes but gives no protection against deliberate modification, so it must
never be used for authentication.
● Application: CRC32 is used for error-checking in file transfers, ZIP and PNG integrity
fields, and network protocols such as the Ethernet frame check sequence.

5. Blake2:

● Operation: BLAKE2 is a cryptographic hash function whose designers claim it is faster
than MD5, SHA-1, SHA-2, and SHA-3 on modern CPUs while being at least as secure as
SHA-3. It comes in two variants: BLAKE2b, optimised for 64-bit platforms, accepts inputs
of up to 2^128 bytes and produces digests of any length from 1 to 64 bytes (512 bits);
BLAKE2s, for 8- to 32-bit platforms, produces digests of 1 to 32 bytes. It is built on the
ChaCha stream cipher's permutation in a HAIFA-style construction (not plain
Merkle-Damgård), so the compression function also takes a block counter and a
finalisation flag, and it uses 12 rounds for BLAKE2b and 10 rounds for BLAKE2s. Keyed
hashing, salting, and personalisation are built in, so BLAKE2 can be used directly as a
MAC without an HMAC wrapper.
● Application: BLAKE2 is used in password hashing (it is the core of Argon2), file
integrity verification, and digital signatures, and it is available in most standard
libraries.
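The following is an added example, not part of the original assignment, that computes the five digests above with Python's standard library and then shows concretely why the CRC32 section says it is unusable for authentication: the CRC-32 register is reversible, so four bytes can always be appended to a tampered file to restore the original CRC, while the SHA-256 digest and a keyed BLAKE2 tag of the same file do not survive the change. The sample bytes, the key, and the "TAMPERED" edit are constructed for the demo.

```python
import hashlib
import zlib

# Constructed sample bytes standing in for a dropped file (not from the page).
SAMPLE = b"MZ\x90\x00 constructed sample payload for the hashing demo\r\n" * 4


def file_digests(data: bytes) -> dict:
    """Digests an analyst records for a sample, as hex strings.
    BLAKE2 lets the caller pick the digest length; 32 bytes is used here."""
    return {
        "crc32": f"{zlib.crc32(data):08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def digest_bits(data: bytes) -> dict:
    """Output length of each digest in bits (one hex character = 4 bits)."""
    return {name: len(hx) * 4 for name, hx in file_digests(data).items()}


# --- CRC-32 internals, to show why it is a checksum and not a MAC ---
POLY = 0xEDB88320  # reflected form of the CRC-32/IEEE polynomial 0x04C11DB7


def _make_table():
    table = []
    for i in range(256):
        r = i
        for _ in range(8):
            r = (r >> 1) ^ POLY if r & 1 else r >> 1
        table.append(r)
    return table


TABLE = _make_table()
# The top byte of each table entry is distinct, so a wanted top byte selects
# exactly one table index. That property is what makes the CRC reversible.
TOP_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}


def crc32_state(data: bytes, state: int = 0xFFFFFFFF) -> int:
    """Run the CRC register over data. The published CRC is state ^ 0xFFFFFFFF."""
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes such that crc32(data + result) == target.
    Work backwards from the wanted register value to find which table index
    each of the last four steps must use, then walk forward from the real
    register state choosing the byte that produces that index."""
    want = target ^ 0xFFFFFFFF
    indices = []
    rev = want
    for _ in range(4):
        i = TOP_INDEX[rev >> 24]
        indices.append(i)
        rev = ((rev ^ TABLE[i]) << 8) & 0xFFFFFFFF
    state = crc32_state(data)
    fix = bytearray()
    for i in reversed(indices):
        fix.append((state ^ i) & 0xFF)
        state = TABLE[i] ^ (state >> 8)
    return bytes(fix)


def keyed_tag(data: bytes, key: bytes) -> str:
    """BLAKE2b in keyed mode is a MAC: without the key the tag cannot be fixed up."""
    return hashlib.blake2b(data, key=key, digest_size=16).hexdigest()


def check_forgery(data: bytes, target: int) -> bool:
    """True if the forged suffix really makes zlib report the chosen CRC."""
    return zlib.crc32(data + forge_crc32(data, target)) == target


def self_check() -> dict:
    """Tamper with the sample, restore its CRC, and compare every digest."""
    tampered = SAMPLE.replace(b"constructed", b"TAMPERED!!!", 1)
    forged = tampered + forge_crc32(tampered, zlib.crc32(SAMPLE))
    key = b"constructed-demo-key"  # constructed for the demo
    return {
        "table_crc_matches_zlib": crc32_state(SAMPLE) ^ 0xFFFFFFFF == zlib.crc32(SAMPLE),
        "crc32_survives_forgery": zlib.crc32(forged) == zlib.crc32(SAMPLE),
        "sha256_survives_forgery": file_digests(forged)["sha256"] == file_digests(SAMPLE)["sha256"],
        "blake2_mac_survives_forgery": keyed_tag(forged, key) == keyed_tag(SAMPLE, key),
    }


if __name__ == "__main__":
    print(file_digests(SAMPLE))
    print(self_check())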

A3) What do you mean by static, dynamic, and run-time linking? Elaborate
examples of each.

Linking refers to the process of combining various modules of a program (object files or
libraries) into a single executable or resolving external references. There are three types of
linking: static linking, dynamic linking, and run-time linking.

1. Static Linking:
● Definition: In static linking, all the code from the required libraries is combined into the
final executable at compile time. Once the executable is generated, it contains all the
necessary dependencies within itself.
● How it works: When the program is compiled, the linker takes the object files and
libraries, merges them into one large binary (executable), and resolves all the function
calls.
● Advantages:
○ The executable does not require external libraries to be present on the system at
runtime, so it behaves the same on any machine it is copied to.
○ Slightly faster startup and calls, since no loader work is needed and library calls
do not go through an indirection table.
● Disadvantages:
○ Larger file size because all library code is included in the executable.
○ Updates to libraries require relinking the program. A security fix to the system
copy of a library never reaches a statically linked program, so such binaries are
often the ones still carrying a vulnerable library after the system has been patched.
● Example:
○ Suppose a C program uses the math library. With static linking, the functions it
needs from libm.a are copied directly into the executable.
○ Command: gcc -static program.c -o program -lm
○ Check: file program reports "statically linked", and ldd program reports "not a
dynamic executable".

2. Dynamic Linking:

● Definition: In dynamic linking, the library code is not included in the executable. Instead,
references to the libraries are included, and the actual library is loaded at runtime when
the program is executed. The libraries are typically shared among multiple programs.
● How it works: The executable contains only references to the library functions (on
Linux/ELF, undefined symbols resolved through the PLT/GOT; on Windows, entries in the
import address table) and a list of the libraries it needs. When the program starts, the
dynamic loader (ld.so on Linux, the Windows loader for DLLs) finds the required shared
libraries (.so or .dll files), maps them into memory, and binds the references to the
library functions.
● Advantages:
○ Reduced file size because the libraries are not included in the executable, and one
copy of a library in memory can be shared by many processes.
○ Easier library updates, as updating a shared library doesn't require recompiling
the program.
● Disadvantages:
○ The program requires a compatible version of the shared library to be present on
the system at runtime.
○ Slightly slower startup due to dynamic loading and symbol resolution.
○ The library lookup is an attack surface: whoever controls the loader's search path
(LD_PRELOAD or LD_LIBRARY_PATH on Linux, or a writable directory that Windows
searches before the system directory) can substitute a library of their own. This is
the basis of DLL search-order hijacking and of LD_PRELOAD-based rootkits.
● Example:
○ On a Linux system, dynamic linking is the default: a program using libm.so (the
math library) records a dependency on it instead of copying its code.
○ Command: gcc program.c -o program -lm
○ Check: readelf -d program lists the NEEDED libraries, and ldd program shows which
file on the system each one currently resolves to.

3. Run-time Linking:
● Definition: Run-time linking is a form of dynamic linking where the program itself
loads a library explicitly while it is running, rather than having the loader do it at
startup. The linking happens after the program has started running.
● How it works: The program calls dlopen (Linux/POSIX) or LoadLibrary (Windows) to
map a library by name or path, then dlsym or GetProcAddress to look up the address of
a named function, and calls through the returned pointer. These are ordinary library
calls, not system calls. This is useful when a program may need to load different
libraries based on user input or configuration, such as plugins.
● Advantages:
○ Flexibility to load libraries conditionally based on runtime decisions.
○ The program can choose which version of a library to load or delay loading until
necessary.
● Disadvantages:
○ More complex to implement, as the programmer must handle loading,
error-checking, and unloading the library.
○ The overhead of loading the library during execution.
○ The library name and the symbol name are data, so if either comes from an
untrusted source the program can be made to load attacker-chosen code.
● Example:
○ A plugin host calls dlopen on the path of each plugin it finds, then dlsym to look
up the plugin's entry-point function, and calls it. Malware uses the same pair of
calls (LoadLibrary and GetProcAddress on Windows) to resolve the APIs it needs by
name at run time, so that its import table shows little of what it does; an almost
empty import table is itself a signal during static analysis.
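The following is an added example, not part of the original assignment, showing the two run-time linking steps from the text (load a library by name, then look up a symbol by name) using Python's ctypes, which calls dlopen and dlsym underneath. It assumes a Linux or macOS host; the candidate library names and the probed symbols are assumptions for the demo, and every error a plugin host must handle (library not found, symbol not exported) is reported instead of crashing.

```python
import ctypes
import ctypes.util

# Assumption (not from the page): this runs on Linux or macOS. Candidates are
# tried in order; None means dlopen(NULL), i.e. the running process itself,
# whose global symbol table includes libc on POSIX systems.
LIBC_CANDIDATES = ("libc.so.6", ctypes.util.find_library("c"), None)


def load_library(candidates):
    """dlopen step: return (handle, name) for the first candidate that loads.
    Raises OSError listing every failure if none of them does."""
    failures = []
    for name in candidates:
        try:
            return ctypes.CDLL(name), name
        except OSError as exc:
            failures.append(f"{name}: {exc}")
    raise OSError("no usable library; tried " + "; ".join(failures))


def bind(lib, libname, symbol, restype, argtypes):
    """dlsym step plus a declared prototype. ctypes will call a symbol with
    whatever arguments it is given, so the C signature must be stated here."""
    try:
        fn = getattr(lib, symbol)
    except AttributeError:
        raise OSError(f"symbol {symbol!r} not exported by {libname}") from None
    fn.restype = restype
    fn.argtypes = argtypes
    return fn


def c_strlen(data: bytes) -> int:
    """Call libc's strlen through a function pointer resolved at run time."""
    lib, name = load_library(LIBC_CANDIDATES)
    strlen = bind(lib, name, "strlen", ctypes.c_size_t, [ctypes.c_char_p])
    return strlen(data)


def symbol_exists(symbol: str) -> bool:
    """Probe whether a named function is exported, the way a plugin host
    should check an entry point before trusting it."""
    lib, name = load_library(LIBC_CANDIDATES)
    try:
        bind(lib, name, symbol, None, [])
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print(c_strlen(b"hello"))  # 5
    print(symbol_exists("strlen"), symbol_exists("no_such_symbol_xyz"))
```

Two design points carry over to C and to Windows. First, a bare name such as "libc.so.6" is resolved through the loader's search order, so a program that must not be hijacked should pass an absolute path to dlopen or LoadLibrary. Second, declaring restype and argtypes is the Python equivalent of casting the dlsym result to the right function pointer type; skipping it does not fail at load time, it corrupts memory at call time.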

A4) Describe and enlist any 5 DLLs.

Dynamic Link Libraries (DLLs) are files that contain code and data that can be used by multiple
programs at the same time. A single DLL can be shared across various applications, allowing
code reuse and memory efficiency. DLLs in Windows have the extension .dll.

Here are five commonly used DLLs in Windows systems:

1. kernel32.dll

● Description: This DLL provides core functions to manage system resources, such as
memory management, file handling, process and thread creation, and input/output
operations.
● Functions:
○ CreateFile(): Opens a file or I/O device.
○ CreateProcess(): Creates a new process and its primary thread.
○ VirtualAlloc(): Reserves or commits memory.
● Used by: Most Windows applications, as it provides fundamental system-level
functionality; many of its functions are thin wrappers that forward to the native API in
ntdll.dll. For an analyst, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread
imported together from this DLL are a classic sign of process injection.

2. user32.dll

● Description: Contains functions for handling the user interface, including window
management, input from the keyboard and mouse, and message handling.
● Functions:
○ MessageBox(): Displays a modal dialog box.
○ CreateWindowEx(): Creates an overlapped, pop-up, or child window.
○ DispatchMessage(): Dispatches a message to a window procedure.
● Used by: GUI-based Windows applications to create and manage user interface
elements. Keyloggers also import from it: SetWindowsHookEx (keyboard hooks) and
GetAsyncKeyState (polling key state) are the usual functions to look for.

3. gdi32.dll

● Description: The Graphics Device Interface (GDI) library provides functions for
representing graphical objects and transmitting them to output devices like printers and
monitors.
● Functions:
○ BitBlt(): Performs a bit-block transfer of the color data from one device
context to another.
○ CreateFont(): Creates a logical font with the specified characteristics.
○ Ellipse(): Draws an ellipse.
● Used by: Applications that perform 2D graphics rendering, such as drawing shapes and
fonts.

4. advapi32.dll

● Description: This DLL provides advanced Windows API services related to security and
access control, the registry, the Service Control Manager, the CryptoAPI, and system
shutdown.
● Functions:
○ RegOpenKeyEx(): Opens the specified registry key.
○ RegQueryValueEx(): Retrieves the type and data for a specified value name
associated with an open registry key.
○ InitiateSystemShutdown(): Shuts down the system.
● Used by: Applications that need access to the Windows registry or require security
features such as token and permission handling. Malware imports it for persistence
(RegSetValueEx on a Run key, CreateService to install itself as a service) and for
CryptoAPI calls used to encrypt payloads or, in ransomware, the victim's files.

5. shell32.dll

● Description: Provides functions to access and manage the Windows shell (the desktop
and Explorer environment), including launching programs, handling file associations,
and locating the shell's special folders.
● Functions:
○ ShellExecute(): Executes a specified file, typically used to launch
applications or open files with their associated programs.
○ SHGetFolderPath(): Retrieves the path of a special folder (e.g., Desktop,
Documents, or the user's Startup folder).
○ SHFileOperation(): Performs file operations such as copy, move, delete, or
rename.
● Used by: Applications that interact with the file system, launch external programs, or
need shell folder locations. (The standard open/save file dialogs live in comdlg32.dll,
not shell32.dll.) Droppers commonly use ShellExecute to run the payload they have just
written and SHGetFolderPath to find the Startup folder for persistence.
