A malicious program is designed to replicate itself across a system while…

2026

A malicious program is designed to replicate itself across a system while evading detection by rewriting its own code on every copy, such that each copy produces a different sequence of machine instructions but computes the exact same result.

(i) A malicious program hides by injecting its code into the memory space of a legitimate process already running in the operating system. Explain precisely how a process’s virtual memory is structured, and at what point during execution this injection becomes possible without the operating system raising an alert.

(ii) The malicious program rewrites its own instruction sequence on every copy while preserving identical behaviour. Using the concept of semantic equivalence in computation, explain how two syntactically different instruction sequences can produce the same output, and why comparing files by their binary content alone is not fundamentally sufficient as a detection strategy.

(iii) The program ensures it runs automatically every time the machine restarts, without the user’s knowledge. Describe the general mechanism by which an operating system determines which programs to launch at startup, and how a program with sufficient privileges can silently insert itself into this mechanism.

(iv) A fraudulent email is constructed so that the receiving mail server believes it was sent from a legitimate, trusted address. Explain the three-layer technical verification system used by modern mail servers to authenticate a sender’s identity, and identify precisely where a well-crafted fraudulent email can exploit a gap in this verification chain.

Show answer & explanation

(i) A process uses virtual memory divided into code, stack, heap, and data sections. Code injection becomes possible when a malicious program gains access to another process’s writable memory and executes code inside it without triggering protection mechanisms.

(ii) Two programs can look different internally but still produce the same output. This is called semantic equivalence. Malware changes instruction patterns while keeping behaviour identical, so comparing only binary contents is not enough for detection because each copy may look different.

(iii) Operating systems automatically start programs using startup folders, registry entries, boot services, or scheduled tasks. Malware with administrator privileges can secretly add itself to these startup mechanisms and run automatically after every reboot.

(iv) Modern email servers verify senders using three techniques:

  • SPF checks sender IP address

  • DKIM verifies message signature

  • DMARC combines SPF and DKIM policies

Fraudulent emails exploit weak or incorrectly configured SPF, DKIM, or DMARC settings to appear legitimate.

A video solution is available for this question — log in and enroll to watch it.

Explore the full course: Up Lt Grade Assistant Teacher 2025