3 Malicious Code Flashcards
Analyze indicators of malicious activity.
9 things: B, K, L, R, R, S, T, V, W
What are types of Malware attack?
- Bloatware
- Keylogger
- Logic bomb
- Ransomware
- Rootkit
- Spyware
- Trojan
- Virus
- Worm
Ransomware - what, how to identify, how to combat
What - encrypts key files and holds for ransom
Identify -
* Command and control (C&C) traffic and/or contact to known malicious IP addresses
* Use of legitimate tools in abnormal ways to retain control of the compromised system
* Lateral movement processes that seek to attack or gain information about other systems or devices inside the same trust boundaries
* Encryption of files
* Notices to end users of the encryption process with demands for ransom
* Data exfiltration behaviors, including large file transfers
Combat -
1) Effective backup system that holds files in a separate location
2) Org decides response - pay or not
3) Use a pre-existing encryption tool
Trojan horses - what, how to identify, how to combat
What - disguised as legitimate software. Relies on unsuspecting individuals running them. Examples:
* Triada Trojan, disguised as WhatsApp.
* Remote access Trojans (RATs) provide attackers with remote access to systems
Identify -
* Signatures for the specific malware applications or downloadable files
* Command and control system hostnames and IP addresses
* Folders or files created on target devices
Combat -
* combination of security awareness training to encourage users not to download untrusted software and
* antimalware or endpoint detection and response (EDR) tools that detect Trojan and RAT-like behavior and known malicious files.
Worms - what, how to identify, how to combat
What
Unlike Trojans that require user interaction, worms spread themselves
Identify -
Common IoCs for worms like Raspberry Robin include:
* Known malicious files
* Downloads of additional components from remote systems
* Command and control contact to remote systems
* Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others
* Hands-on-keyboard attacker activity
Combat -
* firewalls and
* network-level controls remain one of the best ways to mitigate worm attacks.
* **Patching** and configuring services to limit attack surfaces
* After an infection - use of antimalware, EDR, and similar tools, or resetting
If compromised devices cannot communicate with other vulnerable devices, the infection can’t spread!
Spyware - what, how to identify, how to combat
What - malware designed to obtain information about an individual, organization, or system. It tracks users’ browsing habits, installed software, or similar information and reports it back to central servers.
Spyware is associated with identity theft and fraud, advertising and redirection of traffic, digital rights management (DRM) monitoring, and with stalkerware, a type of spyware used to illicitly monitor partners in relationships.
Because spyware uses techniques from other types of malware, defining software as spyware typically requires understanding its use and motivations rather than just its behavior. Thus, spyware may use Trojan, worm, or virus-style propagation methods in some cases, but the intent is to gather information about a user or system, with the methods used being less important than the goal.
Identify -
* Remote-access and remote-control-related indicators
* Known software file fingerprints
* Malicious processes, often disguised as system processes
* Injection attacks against browsers
Combat -
* using antimalware tools, although user awareness can help prevent the installation of spyware
* Mitigation practices for spyware focus on awareness, control of the software that is allowed on devices and systems, and antispyware capabilities built into antimalware tools. Since spyware is generally perceived as less of a threat than many types of malware, it is commonly categorized separately and may require specific configuration to identify and remove it.
Bloatware - what, how to identify, how to combat
What - unwanted applications installed on systems by manufacturers.
Identify -
Unlike the other malicious software categories listed in this chapter, bloatware isn’t usually intentionally malicious. It may, however, be poorly written, may call home with information about your system or usage, or may prove to be vulnerable to exploitation, adding another attack surface to otherwise secure devices. Uninstalling bloatware or using a clean operating system image are common practices for organizations as well as individuals.
Combat - it should simply be removed to prevent issues.
Viruses - what, how to identify, how to combat
What - malicious programs that self-copy and self-replicate once they are activated. Unlike worms, they don’t spread themselves via vulnerable services and networks.
Identify - Viruses require one or more infection mechanisms that they use to spread themselves, like copying to a thumb drive or network share, and that mechanism is typically paired with some form of search capability to find new places to spread to once they are run.
Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs.
Types of viruses:
* Memory-resident viruses, which remain in memory while the system of the device is running
* Non-memory-resident viruses, which execute, spread, and then shut down
* **Boot sector viruses**, which reside inside the boot sector of a drive or storage media
* Macro viruses, which use macros or code inside word processing software or other tools to spread
* Email viruses that spread via email either as email attachments or as part of the email itself using flaws inside email clients
Fileless virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system via the same process at reboot through a Registry entry or other technique. At no point do they require local file storage, as they remain memory resident throughout their entire active life. In fact, the only stored artifact of many fileless attacks would be the artifacts of their persistence techniques like Registry entry
Combat - fileless attacks require a vulnerability to succeed, so ensuring that browsers, plug-ins, and other software that might be exploited by attackers are up to date and protected can prevent most attacks.
* awareness that helps to prevent users from clicking on and activating viruses as well as
* antimalware tools that can detect them and prevent them both on-disk and in-memory or as they are being executed.
- **Removal varies**, with some viruses easy to remove using antimalware tools or dedicated, virus-specific utilities, while some may require more significant action.
- many organizations have a standard practice of wiping the drive of an infected machine and restoring it from a known good backup or reinstalling/reimaging it. While there are some scenarios where even that won’t be enough, such as with BIOS/UEFI resident malware, in most common scenarios a complete wipe and reinstallation or reimaging will ensure the malware is gone.
Keylogger - what, how to identify, how to combat
What - programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen inputs, or credit card swipes from attached devices. Keyloggers work in a multitude of ways, ranging from tools that capture data from the kernel, via APIs or scripts, or even directly from memory. Regardless of how they capture data, the **goal of a keylogger is to capture user input to be analyzed and used by an attacker.**
Identify -
* File hashes and signatures
* Exfiltration activity to command and control systems (removal of data)
* Process names
* Known reference URLs
Combat -
* patching
* systems management,
* antimalware tools.
* multifactor authentication can help limit the impact of a keylogger, even if it cannot defeat the keylogger itself.
* bootable USB drives can prevent use of a potentially compromised underlying operating system.
Logic bombs - what, how to identify, how to combat
What
* **Functions or code placed inside other programs** that will activate when set conditions are met.
* Some other types of malware may use this type of code as part of their function as well.
Identify
* Code review
* Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see what it is identified as by multiple AV tools.
* Sandbox tools can be used to analyze malware behavior in a protected environment.
* Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.
* Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for the analysis
Combat
* While relatively rare compared to other types of malware, logic bombs are a consideration in software development and systems management, and can have a significant impact if they successfully activate
Rootkits - what, identify, combat
What - allow attackers to access a system through a backdoor. Techniques range from **hooking filesystem drivers** to ensure that users cannot see the rootkit files to infecting startup code in the Master Boot Record (MBR) of a disk, allowing attacks against full-disk encryption systems.
Identify - test the suspected system from a trusted system or device.
Combat - rebuild the system or restore it from a known good backup.
What are common indicators of malicious activity associated with malware types?
IoCs associated with malware include:
* command and control (C&C) traffic patterns,
* IP addresses,
* hostnames, and domains.
* Use of system utilities in unexpected ways,
* lateral movement between systems,
* creation of files and directories,
* **encryption of files**,
* data exfiltration are also commonly seen, particularly with Trojans and rootkits.
* Signatures for malware are commonly used to identify specific files associated with given malware packages although malware writers use defensive techniques intended to make this harder.
What are methods to mitigate malware?
Methods to mitigate malware range from:
* manual removal to the
* **use of tools** to identify and remove malicious files, and often rely on
* reinstallation of a system or
* restoration from a known good backup to ensure all malware is removed.
What are Bots and Botnets, how to identify?
Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do.
* Botnets = groups of systems that are under central command
* Bots = individual systems
How to identify
* know how to search for **C&C communications** and to identify why a system reaching out to unknown hosts may be a sign of a system you’re responsible for being part of a botnet.
What does IoC stand for
Indicators of compromise
What does cmd.exe do?
Cmd.exe allows access to the Microsoft Windows Command Prompt. It offers disk and file maintenance functions to your computer as well as network functions