1 - IOC | Malware Types Flashcards

1
Q

Where to look to determine if system is infected?

A

Memory, Registries, and Macros

2
Q

Characteristics of a Virus?

A
  • Attaches itself to other code and replicates
  • Replicates when an infected file executes and launches. Then it attaches to other files, adds its code to the application’s code, and spreads.
  • Infects other machines only if a user on another machine accesses an infected object and launches the code.
3
Q

Resident Virus?

A
  • Resides in memory
  • Loaded each time the system starts
  • Can remain active even after any host program terminates
4
Q

Non-Resident Virus

A
  • Once executed, this virus looks for targets locally and across the network
  • Infects and exits
5
Q

Boot sector virus

A
  • Placed into the first sector of the hard drive
  • Loads into memory when the computer boots
6
Q

Macro virus

A
  • Inserted into a Microsoft Office document
  • Uses the macro language and executes when the document opens
7
Q

Program and File Infecting Virus

A
  • Many common viruses are this
  • Infects executable program files and becomes active in memory
  • Seeks other files to infect
  • Easily identified by its binary pattern, or signature, which works like a fingerprint.
8
Q

Polymorphic Virus

A
  • Can change its form or signature each time it is executed to avoid detection.
  • Can be hard to detect without an identifiable pattern or signature to match it.
  • Usually identified by heuristics
9
Q

Heuristic Scanning

A

Examines the instructions running within a program.

10
Q

Armored Virus

A
  • Has a layer of protection that it can use against the person who tries to analyze it; it will thwart attempts by analysts to examine its code.
  • Tricks the program into thinking that it is located in a different place from where it actually resides.
11
Q

Stealth Virus

A
  • Resides in memory
  • Uses various techniques to go unnoticed by antivirus programs.
  • Avoids detection by temporarily removing itself from an infected file or masking a file’s size.
12
Q

Multipartite Virus

A
  • Infects executable files and also attacks the MBR (Master Boot Record) of the system.
  • If the boot sector is not cleaned along with the infected files, the files can easily be infected again.
13
Q

Characteristics of Worms

A
  • Self-replicating
  • Doesn’t need a host file or user intervention
  • Commonly spreads through email, networks, and the Internet
14
Q

Characteristics of Ransomware

A
  • Attempts to hold a user’s information for monetary gain.
  • An evolved and more demanding form of “scareware”
15
Q

Characteristics of Trojan Horses

A
  • Programs disguised as useful applications
  • Its capability to spread depends on the popularity of the software and a user’s willingness to download and install the software.
  • Can perform actions without the user’s knowledge or consent
  • Often classified by their payload or function.
  • Trojans can download other Trojans
  • Associated with backdoors
16
Q

RAT

A
  • Remote Access Trojan
  • Allows a remote attacker to take control of the targeted system.
  • When executed, a remote access Trojan provides a remotely accessible backdoor for an attacker to covertly monitor the system or easily gain entry
17
Q

RootKits

A
  • Piece of software that can be installed and hidden on a computer, mainly to compromise the system and gain escalated privileges
  • Hard to detect since it runs in the background
  • Can be spotted by looking at memory processes, monitoring outbound communications, and checking for installed programs
18
Q

Kernel Rootkits

A
  • Modify the kernel component of an OS
  • Can intercept system calls passed to the kernel and filter out queries that the rootkit software generates
  • Can use encryption to protect outbound communications
  • Often piggyback on commonly used ports to communicate without interrupting other applications.
  • You can avoid rootkits by running Windows from an account with lesser privileges
19
Q

Logic Bombs

A
  • Virus or Trojan horse designed to execute malicious actions when a certain event occurs or after a certain period of time.
20
Q

Bot

A
  • An automated computer program that needs no user interaction.
  • Systems that outside sources can control.
  • Botnet masters can perform tasks, gather information, and commit crimes while remaining undetected.
21
Q

Spyware

A
  • Software that communicates information from a user’s system to another party without notifying the user.
  • Spyware monitors user activity on the system, potentially including keystrokes typed, and sends this logged information to the originator.
22
Q

Adware

A
  • Type of spyware that pops up advertisements based on what it has learned about the user
23
Q

Social Engineering

A
  • The process by which an attacker seeks to extract useful information from users, often by just tricking them into helping the attacker.
24
Q

Reverse Social Engineering

A

An attacker provides information to the legitimate user that causes the user to believe the attacker is an authorized technical assistant.

25
Q

Phishing

A
  • An attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication, usually email.
  • In most cases, the phisher must persuade the victim to intentionally perform a series of actions that provide access to confidential information.
26
Q

Spear Phishing

A
  • Targeted version of phishing.
  • Whereas phishing often involves mass emailing, spear phishing might go after a specific individual.
27
Q

Whaling

A
  • Whaling employs spear phishing tactics but goes after high-profile targets such as an executive within a company.
28
Q

Vishing

A
  • Also known as voice phishing.
  • The attacker uses fake caller ID to appear as a trusted organization and attempts to get the individual to enter account details via the phone.
29
Q

Smishing

A

Also known as SMS phishing, this attack uses phishing methods through text messaging.

30
Q

Pharming

A
  • This term is a combination of farming and phishing.
  • Pharming does not require the user to be tricked into clicking a link. Instead, pharming redirects victims to a bogus website, even if the user correctly entered the intended site.
  • To accomplish this, the attacker employs another attack, such as DNS cache poisoning.
31
Q

Tailgating

A
  • Involves piggybacking or following closely behind someone who has authorized physical access within an environment.
    • Tailgating involves appearing to be part of an authorized group or capitalizing on people’s desire to be polite.
32
Q

Impersonation

A
  • Impersonation is simply a method in which someone assumes the character or appearance of someone else.
  • The attacker pretends to be something he or she is not.
  • Impersonation is often used in conjunction with a pretext or invented scenario.
33
Q

Shoulder Surfing

A
  • Means looking over someone’s shoulder to obtain information.
  • Shoulder surfing includes any method of direct observation.
    • This could include, for example, locating a camera nearby or even using binoculars from a distance.
34
Q

Hoaxes

A
  • The attempt at deceiving people into believing something that is false.
  • Although they appear to present a threat, the threat doesn’t actually exist
35
Q

Watering Hole

A
  • Where an attacker attacks a site that the target frequently visits.
    • The goal is often to compromise the larger environment—for example, the company the target works for.
36
Q

Principles of Influence (Reasons for Effectiveness)

A
  • Authority
    • Job titles, uniforms, symbols, badges, and even specific expertise
  • Intimidation
    • Not complying might have a negative impact
  • Consensus/Social Proof
    • Doing or believing what others around us believe
  • Scarcity | Urgency
    • Attempt to spur someone to act quickly on a request before giving the request more thought.
  • Familiarity | Liking
    • People tend to comply with requests from those whom they like or have common ground with.
  • Trust
    • Exploiting trust
37
Q

IP Spoofing

A
  • Accomplished by modifying the source address of traffic or the source of information
38
Q

Spoofing

A

Method of providing false identity information to gain unauthorized access.

39
Q

MAC Spoofing

A

Spoofing the MAC address in order to gain access to a network.

40
Q

Blind Spoofing

A

The attacker sends data and only makes assumptions of responses.

41
Q

Informed Spoofing

A

The attacker can participate in a session and can monitor the bidirectional communications.

42
Q

Buffer Overflow

A
  • Causes disruption of service and data loss.
  • This condition occurs when the data presented to an application or service exceeds the storage space allocation that has been reserved in memory for that application or service.
43
Q

Integer Overflow

A
  • Integer overflow is another type of overflow
  • Programs that do not carefully account for integer overflows can result in undesirable behaviors and consequences.
  • Overflows present an opportunity for compromise using privilege escalation.
44
Q

Zero-Day Attack

A

A computer threat that tries to exploit application vulnerabilities that are unknown to others or even to the software developer

45
Q

Cross-Site Scripting (XSS)

A
  • Places a malicious client-side script on a website
  • Causes an unknowing browser user to conduct unauthorized access activities, expose confidential data, and log successful attacks back to the attacker without users being aware of their participation
  • XSS vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.
46
Q

Cross-Site Request Forgery (CSRF)

A
  • This attack causes end users to execute an unwanted action on a site they are already logged into.
47
Q

SQL Injection

A
  • Malicious code is inserted into strings that are later passed to a database server.
  • The SQL server then parses and executes this code.