1.1 Given a scenario, analyze indicators of compromise and determine the type of malware. Flashcards
Malware
Malicious software
Gather information - Keystrokes
Virus
Malware that can reproduce itself through file systems or the network
Program viruses
It’s part of the application
• Boot sector viruses - Who needs an OS?
• Script viruses - Operating system and browser-based
• Macro viruses - Common in Microsoft Office
Boot sector viruses
Virus type that undermines OS
Script viruses
Operating system and browser-based
Macro viruses
Common in Microsoft Office
Worms
• Malware that self-replicates
• Doesn’t need you to do anything
• Uses the network as a transmission medium
• Self-propagates and spreads quickly
• Firewalls and IDS/IPS can mitigate many worm infestations
BAD when they get inside
Worms Process
1. Infected computer searches for a vulnerable system
2. Vulnerable computer is exploited
3. Backdoor is installed and downloads the worm
• Personal data
- Important documents
- Family pictures and videos
• Organization data
- Planning documents
- Employee personally identifiable information (PII)
- Financial information
- Company private data
Ransomware
Hold your computer, data hostage
Could be fake
A security professional can help get rid of this type of malware
• Crypto-malware
New generation of ransomware
• Your data is unavailable until you provide cash
• Malware encrypts your data files
• Pictures, documents, music, movies, etc.
• Your OS remains available
• They want you running, but not working
• You must pay the bad guys to obtain the decryption key
• Untraceable payment system
• An unfortunate use of public-key cryptography
Ransomware Protection
An offline backup, ideally
• Patch those vulnerabilities - operating system and application security patches
Keep antivirus/anti-malware signatures up to date
Trojan horse
- Software that pretends to be something else
- Circumvents your existing security
- The better Trojans are built to avoid and disable AV
Backdoors
- Often placed on your computer through malware
- Some malware software can take advantage of backdoors created by other malware
- Some software includes a backdoor
Remote Access Trojans (RATs)
- Remote Administration Tool
- Malware installs the server/service/host
- Bad guys connect with the client software
- Control a device
- Key logging, screen recording/screenshots, copy files
- Embed more malware
Rootkits
- Modifies core system - kernel
- Can be invisible to the operating system
- Won’t see it in Task Manager or anti-virus utilities
- If you can’t see it, you can’t stop it
Kernel drivers
- Zeus/Zbot malware
- Famous for cleaning out bank accounts
- Now combined with Necurs rootkit
- Necurs is a kernel-level driver
- Necurs makes sure you can’t delete Zbot
- Access denied
- Trying to stop the Windows process?
- Error terminating process: Access denied
Keyloggers
• Your keystrokes contain web site login URLs, passwords, email messages
• Save all of your input
• Send it to the bad guys
• Circumvents encryption protections
• Your keystrokes are in the clear
• Other data logging
• Clipboard logging, screen logging, instant messaging, search engine queries
Preventing Keyloggers
- Use anti-virus/anti-malware
- Keep your signatures updated
- Block unauthorized communication
- Run a keylogging scanner
Adware
- Pop-ups with pop-ups
- May cause performance issues
- May be included with other software installations
Spyware
- Malware that spies on you
- Advertising, identity theft, affiliate fraud
- Can trick you into installing
- Peer to peer, fake security software
- Browser monitoring - Capture surfing habits
- Keyloggers
- Capture every keystroke, send it back to the mother ship
Protecting against adware/spyware
- Maintain your anti-virus / anti-malware
- Always have the latest signatures
- Always know what you’re installing
- And watch your options during the installation
- Do you have a backup?
- Cleaning adware: run some scans
- Malwarebytes for example
Botnets
• Robot networks
• Once your machine is infected, it becomes a bot
• Infected via an OS or application vulnerability
• Or a Trojan horse - You run a program or click an ad you THOUGHT was legit, but…
• Distributed Denial of service (DDoS)
• Botnets are for sale
Prevent Bots
• OS and application patches
• Anti-virus/anti-malware and updated signatures
• Prevent command and control (C&C)
• Block at the firewall
• Identify at the workstation with a host-based firewall or host-based IPS
Logic bomb
• Waits for a predefined event
• Often left by someone with a grudge
• Time bomb - Time or date
• User event - Logic bomb
• Difficult to identify
• Difficult to recover if it goes off
Preventing a logic bomb
- Process and procedures
- Formal change control
- Electronic monitoring
- Alert on changes
- Host-based intrusion detection, Tripwire, etc.
- Constant auditing
- An administrator can circumvent existing systems
Phishing
• Social engineering with a touch of spoofing
• Vishing - done over the phone
• Fake security checks or bank updates
Spear phishing
Whaling
• Spear phishing the CEO is whaling