2. Malware Flashcards
What is malware?
Program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victims data, applications or operating system or otherwise annoying or disrupting the victim
Motivation to write Malware
Fame, Fighting authority, Pen-testing, Financial gain (Sell data, sell attack kits), Cyber-war, Corporate espionage
What is a Trojan horse?
Program with overt purpose (known to user) and a covert purpose (unknown to user).
What are covert purposes of trojan?
Keylogger, System backdoor, DDOS engine, Web clicker
What is the Thompson compiler hack?
Using a modified compiler to compile a trojan and publishing the original source code with the modified executable. Proves that open source code does not solve the trust issue
What is a virus?
A software fragment that attaches itself to some existing executable. The virus can replicate itself and pass on malicious code to other non-malicious executable by modifying them
How do trojans spread?
Usually the user installs them e.g.: Hacker tools, Website widgets that make your website prettier, Thumbnails of adult videos
How do viruses propagate?
By users exchanging infected executables or files e.g. by E-Mail, file-sharing or USB Sticks
What are the parts of a virus?
- Infection mechanism/ vector: The means by which a virus spreads or propagates, enabling it to replicate
- Trigger: The event or condition that determines when the payload is activated or delivered
- Payload: What the virus does, besides spreading. The payload may involve damage or may involve benign but noticeable activity.
Whats the typical lifetime phases of a virus?
- Dormant phase: Sleep
- Propagation phase: Place a copy of itself (or mutation) into other programs
- Triggering phase: Virus is activated (e.g. by Timer)
- Execution phase: Malicious payload is executed
Virus classification by source
- Boot sector infector: Infects a boot record and spreads when a system is booted from the disk containing the virus
- File infector / Executable infector: Infects files that the operating system or shell consider as executable
- Macro virus: Infects files with macro or scripting code that is interpreted by an application
-
Multipartite virus: Infects files in multiples ways. Typically, the multipartite virus is capable of infecting multiple types of files, so that virus eradication must deal with all the
possible sites of infection
Virus classification by concealment
- Polymorphic virus: Encrypts its own code
- Metamorphic virus: Able to edit, rewrite and translate its own code
How are viruses detected?
- Signature detection: Scan for known virus signatures
- Emulation: Emulate CPU execution for a couple hundred instructions and check for known signatures after decryption
What are obfuscation and anti-debugging techniques?
-Obfuscation: Insert garbage opcodes and change control structure. Different signature on each instance makes it difficult to detect
-Anti-Debugging: Detect virtual machines and debuggers. Terminate process
What is a worm?
A program which actively seeks to infect other machines by exploiting software vulnerabilities
