2.3 Malware Detection, Removal and Prevention Flashcards
Define social engineering
Any attempt to manipulate users to reveal confidential information or perform actions detrimental to a system’s security
Phishing
A social engineering attack where the malicious actor communicates with the victim from a supposedly reputable source to lure the victim into divulging sensitive information
What can the response rate be up to for generic phishing campaigns?
60-70% (with good grammar)
30-40% (with bad grammar)
Spearphishing
A more targeted version of phishing using mainly the same techniques
Whaling
Phishing focused on key executives within an organisation, or on other key leaders, executives and managers in the company
What is the most effective form of phishing in a pentest?
Whaling
Smishing
Phishing over SMS
Vishing
A phishing message communicated to the target using the voice functions of a telephone
BEC
An attacker takes over or impersonates a high-level executive’s email account
Pharming
Tricking users into divulging private information by redirecting a victim to a website controlled by the attacker or pentester
How can attackers execute pharming?
Redirects, popups, URL masking, background processes
Malware
Software that is designed to infiltrate and damage a system
Boot sector virus
Viruses stored in the first sector of a hard drive and loaded into memory upon boot
Macro (virus)
Virus embedded into a document and executed when the document is opened
Why is it called a macro?
Because it is written in the same macro language used to create software programs (e.g. Excel, Word)
Program virus
Viruses that seek out executables or applications to infect
When are program viruses launched?
When the program is installed or executed.
Name three ways program viruses can infect a computer.
CD, removable media, email
Multipartite
A virus that combines boot and program viruses to attach to boot sector and system files before attacking other files on the computer
How do multipartite viruses propagate?
Through compromised files, downloads, or bootable media
Self-encryption
When a virus uses a cipher to encrypt its contents and avoid detection by AV software
Polymorphic
Advanced encrypted virus that changes the code after every infection, varying encryption keys to avoid detection
Metamorphic
Viruses able to rewrite their own code entirely without an encryption key
Stealth
A broad category to describe any virus that attacks while trying to avoid detection by AV software
How do stealth viruses avoid detection?
They copy themselves between files and replace themselves with a “clean” file
Armored
A virus designed to conceal the code by encrypting the payload, making it difficult to detect and analyse
Hoax
A warning about a nonexistent computer virus designed to trick a user into infecting their own machine
Worm
A standalone malware program that replicates itself on a network in order to spread to other users
Trojan
A type of malware disguised as a legitimate program
How does ransomware gain access to a computer to encrypt files?
By using vulnerabilities in the software
Spyware
Malware that secretly gathers information about the user without their consent
Adware
Malicious software that secretly installs itself onto a device and displays unwanted advertisements and popups.
Grayware
Applications or files that are not classified as malware but can worsen the performance of computers and/or cause security risks
Rootkit
Software designed to gain admin-level control over a system without detection, often made up of a collection of tools
Name three ways rootkits can be downloaded onto a computer
- DLL Injection
- Driver Manipulation
- Shim
Shim
A piece of software code that is placed between two components to intercept API calls and redirect them
Driver manipulation
Compromising the kernel-mode device drivers that operate at a privileged or system level
DLL Injection
Malicious code is inserted into a running process on a Windows machine by taking advantage of DLL libraries that are loaded at runtime
DLL
Dynamic Link Library
Zombie
A computer connected to the internet that has been compromised by a hacker
Botnet
A collection of compromised computers under the control of a master node
DDoS
Many machines targeting a single victim at the same time
If you are looking at files and folders, what are some symptoms that a PC might be infected?
- Hard drives/files/applications no longer accessible
- Double file extensions being displayed
- New files/folders created
- Files/folders missing or corrupted
Give five symptoms (not related to files) that may indicate an infected computer
- Strange noises
- Unusual error messages
- Display looks strange
- Jumbled printouts
- System Restore won’t function
List the seven steps of removing malware
- Identify the symptoms of a malware infection
- Quarantine the infected systems
- Disable System Restore
- Remediate the infected system
- Schedule automatic updates and scans
- Enable System Restore and create a new restore point
- Provide end user security awareness training
How do you scan a computer for a boot sector virus?
Reboot the computer from an external device and scan it; then remove the hard drive and connect as a secondary drive to a clean workstation and scan it also
What three types of malware are best detected with anti-malware solutions?
Worms, trojans and ransomware
Give two simple protections against malware
Updating the OS regularly and having a good host-based firewall.
Give three steps for protecting against malware sent over email
- Remove email addresses from the website
- Use allowlists and blocklists
- Train and educate end users
Give three steps for protecting against downloadable malware
- Update your anti-malware software automatically and scan your computer
- Update and patch the operating system and applications regularly
- Educate and train end users on safe internet surfing practices
What are two ways email servers should not be configured?
Open mail relays/SMTP open relays
What is the best firewall setup?
Personal software-based and a network-based (preferably hardware) to provide two layers of protection
What is iptables?
A firewall utility for Linux operating systems
Briefly overview how iptables works.
It compares network traffic against a set of rules and rejects packets that don’t match the rules