1) Threat Landscape, Malware Types, Lab Setup & Static Analysis

Question 1

What are the three core categories of hackers? State the difference in motivation, and also state the target group most likely to be affected by their actions.

Answer 1

• *Hacktivist**: Politicaly / Idealogy motivated; Big companies / Government / Big media coverage; Examples=Anonymous/LulzSec/Sony hack.
• *Cybercriminals**: Hacks for money; Companies / Home Users; Examples=Ransomware/FakeAV/BankTrojans.
• *Nation State**: Espionage/Sabotage/Political; Gov/Big Companies/Core Infrastructure; Examples=Stuxnet/APT attacks/Regin.

Question 2

What is CyberWar and what is CyberEspionage?

Answer 2

CyberWar: Attacks against core infrastructure, very short attack duration.
CyberEspionage: Uses hacking attacks to gain knowledge. Attack can take several months.

Question 3

How does the Future Cybercrime Landscape looks like?

Answer 3

IoT malware, Crypto malware, Mininig malware, CyberWarfare, APT attacks, Public Opinion Manipulation, DDOS

Question 4

What are DDOS attacks?

Answer 4

Distributed Denial of Service attacks. A lot of infected hosts (botnet) send request at the same time to the same target. The goal is to massivly flood the target in a way, that it can not response anymore. Service of target will be unavailable.

Question 5

Explain Trojans

Answer 5

Malware that allows an attacker to remotely access the infected systems and/or send tasks. Trojans are normally disguised itself as a regular user program.

Question 6

Explain Backdoors

Answer 6

Is a type of malware that opens a gate for attackers to access the infected system.

Question 7

Explain RAT

Answer 7

Malware that allows an attacker to remotely access the infected systems and/or send tasks. Trojans are normally disguised itself as a regular user program.

Question 8

Explain Computer Worms

Answer 8

Self-contained programs that are able to spread functional copies of itself to other computer systems across a network, normally via Email or other methods.

Question 9

Explain Downloaders

Answer 9

Malware that downloads the actually payload after it gets executed.

Question 10

Explain Droppers

Answer 10

Extract malware from own code.

Question 11

Explain Botnets

Answer 11

Multiple infected systems that can be controlled by the bot owner.

Question 12

Explain Spyware

Answer 12

Malware that collects sensitive data.

Question 13

Explain Adware

Answer 13

Makes money from serving ads. Often tracks user behaviour.

Question 14

Explain FakeAV

Answer 14

Fake anti-virus that cleans systems for money.

Question 15

Explain Rootkits/Bootkits

Answer 15

Two types (user mode/kernel mode). Malware that hides itself from the OS. Compromisation is not clearly visible.

Question 16

Explain File Infector Virus

Answer 16

Copies malicious code into excecutable files like COM, BAT, CMD

Question 17

Explain Ransomware

Answer 17

Trojan malware that encrypts documents on the victims machine, or otherwise threatens the user in an attempt to extort money via blackmail.

Question 18

Explain Cryptojacking malware

Answer 18

Steals crypto wallets

Question 19

Explain Cryptomining malware

Answer 19

Steals CPU power to mine crypto currencies

Question 20

Explain Modular / Blended Threat

Answer 20

A mixture whereby different components of the malware fall into different categories, all working together

Question 21

What does a malware lab needs to be?

Answer 21

Easy to setup, easy to maintain, easy to restore, isolated, easy to monitor, equipped with correct analysis tools

Question 22

What are the five W’s of malware analysis?

Answer 22

WHY, WHEN, WHAT, WHO, WHERE

Question 23

Describe the main steps, in order, for extracting malware from an infected machine. For each stage simply give a 1-2 line description of what is carried out.

Answer 23

• Run AV, Search for rootkits => GMER or Rootkit Buster
• Run Loki for IOC
• Run YARA
• Look for suspicious processes
• Look for suspicious network connections
• Look for system startup procedures
• Run ATTK tool

Question 24

What is Blackboxing? What W’s are covered?

Answer 24

Find as much out as possible about malware by executing the malware and run monitoring tools. WHAT, WHERE, WHEN

Question 25

What is Whiteboxing? What W’s are covered?

Answer 25

Reverse engineer code of malware. WHO, WHY

Question 26

What are the main stages of malware analysis?

Answer 26

• 0 - Extracing malware
• 1 - Static Analysis
• 2 - Blackboxing
• 3 - Internet Search
• 4 - Whiteboxing
• 5 - Result Presentation

Question 27

What are the five main ways to get infected?

Answer 27

• Network,
• email
• IM
• data transfer via USB
• Internet surfing

Question 28

What are symptoms of infection?

Answer 28

Slow system, disk usage, CPU power, network activity

Question 29

What is the payload?

Answer 29

Payload is the name of the code that contains the malware.

Question 30

What is the first step before extracting malware?

Answer 30

Create an image of HDD

Question 31

What are the two key behaviours of modern malware

Answer 31

Networking, Survival of reboot