1) Threat Landscape, Malware Types, Lab Setup & Static Analysis Flashcards
What are the three core categories of hackers? State the difference in motivation, and also state the target group most likely to be affected by their actions.
- **Hacktivist**: Politically / ideologically motivated; targets big companies, governments and anything with big media coverage; examples: Anonymous, LulzSec, the Sony hack.
- **Cybercriminals**: Hack for money; targets companies and home users; examples: ransomware, FakeAV, banking trojans.
- **Nation state**: Espionage / sabotage / political goals; targets governments, big companies and core infrastructure; examples: Stuxnet, APT attacks, Regin.
What is CyberWar and what is CyberEspionage?
CyberWar: Attacks against core infrastructure, typically with a very short attack duration.
CyberEspionage: Uses hacking attacks to gain knowledge (information). An operation can run for several months.
What does the future cybercrime landscape look like?
IoT malware, crypto malware, mining malware, cyberwarfare, APT attacks, public opinion manipulation, DDoS
What are DDOS attacks?
Distributed Denial of Service attacks. A large number of infected hosts (a botnet) send requests at the same time to the same target. The goal is to flood the target so massively that it can no longer respond, making the target's service unavailable.
Explain Trojans
Malware that disguises itself as a regular, useful user program so that the victim runs it; the malicious functionality (for example remote access or data theft) is hidden behind that decoy. Unlike worms, trojans do not spread on their own.
Explain Backdoors
A type of malware (or a hidden feature in otherwise legitimate code) that opens a covert entry point so attackers can access the infected system while bypassing normal authentication.
Explain RAT
Remote Access Trojan (or Remote Access Tool): malware that allows an attacker to remotely access the infected system and/or send it tasks. RATs are normally disguised as a regular user program.
Explain Computer Worms
Self-contained programs that are able to spread functional copies of themselves to other computer systems across a network, typically via e-mail or by exploiting network services, without needing a host program or user action.
Explain Downloaders
Malware that, once executed, downloads the actual payload from a remote server.
Explain Droppers
Malware that carries the payload embedded in its own code and extracts (writes) it to the system, so no network download is needed.
Explain Botnets
Multiple infected systems (bots) that can be controlled remotely by the bot owner, e.g. for DDoS or spam.
Explain Spyware
Malware that collects sensitive data.
Explain Adware
Makes money from serving ads. Often tracks user behaviour.
Explain FakeAV
Fake anti-virus software that reports non-existent infections and demands payment to "clean" the system.
Explain Rootkits/Bootkits
Two types: user mode and kernel mode (a bootkit additionally infects the boot process so it loads before the OS). Malware that hides itself and its artifacts from the OS and security tools, so the compromise is not clearly visible.
Explain File Infector Virus
Copies malicious code into executable files such as COM and EXE, or into scripts such as BAT and CMD, so the code runs whenever the host file is executed.
Explain Ransomware
Trojan malware that encrypts documents on the victim's machine, or otherwise threatens the user, in an attempt to extort money via blackmail.
Explain Cryptojacking malware
Hijacks the victim's computing resources to mine cryptocurrency for the attacker; the term is commonly used interchangeably with cryptomining malware. Malware that steals wallet files or keys is better described as a wallet stealer.
Explain Cryptomining malware
Uses the victim's CPU/GPU without consent to mine cryptocurrency for the attacker.
Explain Modular / Blended Threat
A mixture whereby different components of the malware fall into different categories, all working together
What does a malware lab need to be?
Easy to setup, easy to maintain, easy to restore, isolated, easy to monitor, equipped with correct analysis tools
What are the five W’s of malware analysis?
WHY, WHEN, WHAT, WHO, WHERE
Describe the main steps, in order, for extracting malware from an infected machine. For each stage simply give a 1-2 line description of what is carried out.
- Run AV and search for rootkits => GMER or Rootkit Buster
- Run Loki to scan for IOCs
- Run YARA rules
- Look for suspicious processes
- Look for suspicious network connections
- Look at system startup procedures (autostart locations)
- Run the ATTK tool
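The IOC and YARA steps above, reduced to a minimal offline static-triage script: hash the file for IOC lookup, extract printable strings, match them against string IOCs and a few simplified YARA-style rules (download URL, autostart registry key, process-injection APIs), and produce a verdict. This is an added example, not part of the original flashcards and not the code of Loki, YARA or ATTK; the sample bytes, the "known bad" hash, the IOC strings and the rules are all constructed for the demo.

```python
import hashlib
import re

# Constructed sample file: a fake "MZ" header followed by binary junk with a few
# telling strings embedded. It is NOT real malware, just bytes built for this demo.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://203.0.113.7/stage2.bin\x00"                     # downloader-style URL (RFC 5737 test IP)
    + b"\x12\x34" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # autostart key: survives reboot
    + b"\xff" * 5
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"           # process-injection APIs
)

# Constructed IOC set. A real one would come from a threat-intel feed or Loki's
# signature base; here the "known bad" hash is derived from a stand-in blob so
# the example runs offline.
KNOWN_BAD_BLOB = b"stand-in for a file already known to be malicious"
IOC_HASHES = {hashlib.sha256(KNOWN_BAD_BLOB).hexdigest()}
IOC_STRINGS = {"203.0.113.7", "stage2.bin"}

# Simplified YARA-style rules: each category is a regex over the extracted strings.
RULES = {
    "url": re.compile(r"https?://[\w.\-/]+"),
    "persistence_run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "process_injection_api": re.compile(r"CreateRemoteThread|WriteProcessMemory|VirtualAllocEx"),
}


def sha256_hex(data: bytes) -> str:
    """Hash the file for IOC lookup and for the analysis report."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Pull printable-ASCII runs out of the blob, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Static triage: hash lookup, IOC string match, then rule-based indicators."""
    digest = sha256_hex(data)
    joined = "\n".join(extract_strings(data))
    indicators = {
        name: sorted({m.group() for m in rule.finditer(joined)})
        for name, rule in RULES.items()
    }
    indicators = {name: hits for name, hits in indicators.items() if hits}
    ioc_hits = sorted(s for s in IOC_STRINGS if s in joined)
    hash_match = digest in IOC_HASHES
    if hash_match:
        verdict = "known_bad"          # exact hash hit: no further analysis needed
    elif ioc_hits or len(indicators) >= 2:
        verdict = "suspicious"         # worth blackboxing / whiteboxing next
    else:
        verdict = "clean"              # nothing found statically; not proof of safety
    return {
        "sha256": digest,
        "hash_match": hash_match,
        "ioc_string_hits": ioc_hits,
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, blob in [("sample", SAMPLE), ("known_bad", KNOWN_BAD_BLOB),
                        ("benign", b"just a harmless text file")]:
        r = triage(blob)
        print(f"{label:10} {r['verdict']:10} sha256={r['sha256'][:16]}... "
              f"indicators={sorted(r['indicators'])} ioc={r['ioc_string_hits']}")
```

A "clean" verdict here only means that nothing was found statically; packed or encrypted samples hide their strings, which is exactly why the static step is followed by blackboxing in the stages below.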
What is Blackboxing? What W’s are covered?
Dynamic analysis: find out as much as possible about the malware by executing it in the isolated lab and running monitoring tools (process, file system, registry, network). Covers WHAT, WHERE, WHEN.
What is Whiteboxing? What W’s are covered?
Reverse-engineering the malware's code to understand its logic and origin. Covers WHO, WHY.
What are the main stages of malware analysis?
- 0 - Extracting malware
- 1 - Static Analysis
- 2 - Blackboxing
- 3 - Internet Search
- 4 - Whiteboxing
- 5 - Result Presentation
What are the five main ways to get infected?
- Network
- IM
- Data transfer via USB
- Internet surfing
What are symptoms of infection?
Slow system, unusually high disk usage, high CPU usage, unexpected network activity
What is the payload?
The payload is the part of the malware that performs the actual malicious action (e.g. encrypting files, stealing data), as opposed to the delivery mechanism (dropper, downloader, exploit) that gets it onto the system.
What is the first step before extracting malware?
Create a forensic image of the HDD, so that the analysis works on a copy and the original evidence is not modified.
What are the two key behaviours of modern malware
Networking (command-and-control communication, data exfiltration) and survival of reboot (persistence via autostart locations)