1 - 1: Malware Flashcards
The two components of malware
Propagation method and payload
What defines a virus?
Spreads based on human action
What defines a worm?
Spreads by finding vulnerabilities without human interaction
The RTM worm
Written by Robert Tappan Morris, a Cornell grad student; it infected 10% of the Internet in 1988
Stuxnet
Infected Iranian nuclear enrichment centrifuges in 2010, crossing the virtual/physical barrier
What defines a Trojan horse?
Disguised as helpful programs that spread a payload while also working as intended
How do you protect from Trojan horses?
Application control limiting apps to only approved ones
Remote Access Trojans
Provide hackers remote access to and control of compromised systems
Adware
Malware designed to display ads that generate revenue for the malware author
Adware mechanisms
Changing default search engine, displaying pop-ups, replacing legitimate ads with malicious ads
Spyware
Malware that gathers information without user consent
Spyware mechanisms
Keylogging, monitoring web browsing, searching hard drives and cloud storage
Potentially unwanted programs (PUPs)
Apps that are slipped in or bundled with other software installers
Ransomware
Encrypts files with a secret key, preventing access
WannaCry
A ransomware variant that spreads with EternalBlue in 2017 demanding Bitcoin
Cryptomalware
Malware that takes over victim computing power to mine for cryptocurrency
Top 3 ways to prevent malware
Anti-malware software, applying patches, educating users
Backdoor
A workaround for accessing a system
Backdoor Mechanisms
Hardcoded accounts, default passwords, unknown access channels
Logic bombs
Malware designed to execute a payload once certain conditions are met
Logic bomb conditions
Date and time, file contents, API call results
Root account
A special superuser account that provides unrestricted access to system resources
Rootkits
Originally designed for privilege escalation: providing root privileges to a regular account or escalating to the root account
Rootkit payloads
Backdoors, botnet agents, adware/spyware, or anti-theft mechanisms for copyrighted content
Ring protection model
Levels of user privileges, including user and kernel mode
User mode rootkits
Run with normal user privileges, are easy to write and difficult to detect
Kernel mode rootkits
Run with system privileges, are difficult to write and easy to protect
Fileless Viruses
Malware that remains completely within memory and is not written to disk
Fileless techniques
Microsoft Office macros, JavaScript code, Windows Registry persistence by copying itself
Botnets
A network of computers infected through malware that then await commands
Botnet uses
Renting out computing power, delivering spam, engaging in DDoS, mining cryptocurrency, waging brute force attacks
Botnet command and control
Indirect and redundant communication from a hacker to the botnet's infected computers, over channels including IRC, Twitter, and P2P within the botnet
Script
Sequence of instructions written in a programming language to automate work
Shell Scripts
Scripts that run at the command line and integrate with the operating system
Application scripts
Run within a software application and integrate with that application
Programming languages
Allow for the creation of general purpose code
Bash
A scripting language commonly used on Linux and Mac systems
PowerShell
A scripting language allowing for automation on Windows systems
Macros
Scripts that run within an application environment
Visual Basic for Applications
A macro scripting language for Microsoft Office
Python
A general purpose scripting language