1.1 Given a scenario, analyze indicators of compromise and determine the type of malware. Flashcards
Virus
A virus is a piece of software designed to infect a computer system. Under the best of circumstances, a virus may do nothing more than reside on the computer, but it may also damage the data on your storage devices, destroy your operating system, and possibly spread to other systems. Viruses get into your computer in one of three ways:
+ On contaminated media (DVD, USB drive, or other)
+ Through email and social networking sites
+ As part of another program
Crypto-malware
The term malware is used to refer to software that does harm—intentionally (such as a virus) or unintentionally (such as poorly written code). If the malware incorporates cryptography, then it can be referred to as crypto-malware, which is simply a subset of malware.
Ransomware
With ransomware, software—often delivered through a Trojan (discussed in a moment)—takes control of a system and demands that a third party be paid. The “control” can be accomplished by encrypting the hard drive, by changing user password information, or via any of a number of other creative ways. Users are usually assured that by paying the extortion amount (the ransom), they will be given the code needed to revert their systems to normal operations.
Worm
A worm can do various roguish things once it is on a system, but its primary purpose is to replicate. It functions as a stand-alone piece of software in that it can spread without intervention by another program (or human), and it focuses on spreading from an infected system to as many unaffected systems as possible, placing that objective above all others. A piece of malware can act as a Trojan, as spyware, as a worm, and so forth. As long as it has a primary focus on spreading and can function as a stand-alone entity, it is classified as a worm.
Trojan
A Trojan, or Trojan horse, is a program that enters a system or network under the guise of another program. A Trojan horse may be included as an attachment or as part of an installation program. The Trojan horse could create a backdoor or replace a valid program during installation. It would then accomplish its mission under the guise of another program. Trojan horses can be used to compromise the security of your system, and they can exist on a system for years before they’re detected.
Rootkits
A rootkit is software installed on the system by the hacker that is typically hidden from the administrator and that gives the hacker privileged access to the system. The five major types of rootkits are the following:
Application-level
An application-level rootkit is a user mode executable file that gives the hacker access to the system. Examples of application-level rootkits are Trojan viruses.
Library-level
A library-level rootkit is not an executable file, but rather is a library of code that can be called by an application. Library-level rootkits are DLL files that run in user mode and typically will replace a DLL on the system in order to hide.
Kernel-level
A kernel-level rootkit is a rootkit loaded by the operating system kernel and is typically planted on a system by replacing a device driver file on the system. A kernel-level rootkit runs in kernel mode as opposed to user mode, which means it runs with more privileges than a user mode rootkit and, as a result, has greater access to the system and could cause more damage.
Virtualized
A virtualized rootkit is a rootkit that loads instead of the operating system when a system starts. This rootkit then loads the real operating system in a virtualized environment. These rootkits are hard to detect because the operating system has no idea it is being hosted in the virtualized environment, and because no application code or DLLs have been replaced in the operating system.
Firmware
A firmware rootkit is stored in firmware code on a system or device and is hard to detect because it is not present in the operating system.
Keylogger
A keylogger is a piece of software that records keystrokes pressed into a log file and then allows that log file to be viewed so that passwords and other sensitive data can be seen. The log file is often encrypted so that it isn’t easily seen or accessed by anyone other than the troublemaker who placed the keylogger on the machine.
Although some keyloggers exist as software only, many are installed on devices such as keyboard adapters that can be placed on a system and retrieved at a later date. These hardware devices store the log file and operate as hidden drives until unlocked using their unlock code.
Adware
If the primary purpose of the malware application is to deliver ads, then it is classified as adware. Adware can have the same qualities as spyware, but the primary purpose of adware is to display ads and generate revenue for the creator.
In other words, adware is software that automatically loads advertisements on the screen, typically in the form of a pop-up window. The advertisement is designed to entice you into purchasing a product or subscribing to a site.
Spyware
Spyware is hidden software that monitors and collects information about you and your activities and then sends that information to a remote system for the hacker to review.
Spyware differs from other malware in that it works—often actively—on behalf of a third party. Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it. The users often do not know that they have asked for it, but they have acquired it by downloading other programs, visiting infected sites, and so on. The spyware program monitors the user’s activity and reports it to another party without informing the user that it is doing so. Often, it is gathering information about the user to pass on to marketers, or intercepting personal data such as credit card numbers. One thing separating spyware from most other malware is that it almost always exists to provide commercial gain.
One of the reasons why spyware is so prevalent is that there are many legal uses for it, such as monitoring children’s or employees’ online habits. It is the implementation of spyware in an illegal manner that makes it a problem.
Bots
Software running on infected computers, called zombies, is often known as a bot or botnet. Bots, by themselves, are simply a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder.
RAT
A remote administration tool (RAT) is one that, as the name implies, allows a remote user to access the system for the purpose of administering it. Although this can be extremely valuable for legitimate administration, when improperly accessed it offers the opportunity to exploit powerful features of the operating system. One of the most dangerous exploits was Ghost Rat (or GhostRat), which took advantage of the complex features built into Adobe Acrobat PDF files to allow attackers to record audio and video remotely in Windows-based operating systems.
Logic Bomb
Logic bombs are programs or code snippets that execute when a certain predefined event occurs. A bomb may send a note to an attacker when a user is logged on to the Internet and is using a word processor. This message informs the attacker that the user is ready for an attack.
Backdoor
The term backdoor attack (known also as backdoor) can have two different meanings. The original term backdoor referred to troubleshooting and developer hooks into systems that often circumvented normal authentication. During the development of a complicated operating system or application, programmers add backdoors or maintenance hooks. Backdoors allow them to examine operations inside the code while the code is running. The backdoors are stripped out of the code when it’s moved into production. When a software manufacturer discovers a hook that hasn’t been removed, it releases a maintenance upgrade or patch to close the backdoor. These patches are common when a new product is initially released.
The second type of backdoor refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. The program may allow a certain user ID to log on without a password or to gain administrative privileges.