3 Malicious Code Flashcards
analyze indicators of malicious activity.
9 things: B, K, L, R, R, S, T, V, W
What are types of Malware attack?
- Bloatware
- Keylogger
- Logic bomb
- Ransomware
- Rootkit
- Spyware
- Trojan
- Virus
- Worm
Ransomware - what, how to identify, how to combat
What - encrypts key files and holds for ransom
Identify -
Command and control (C&C) traffic and/or contact to known malicious IP addresses
Use of legitimate tools in abnormal ways to retain control of the compromised system
Lateral movement processes that seek to attack or gain information about other systems or devices inside the same trust boundaries
Encryption of files
Notices to end users of the encryption process with demands for ransom
Data exfiltration behaviors, including large file transfers
Combat -
1) Effective backup system that holds files in a separate location
2) Org decides response - pay or not
3) Use a pre-existing encryption tool
Trojan horses - what, how to identify, how to combat
What - disguised as legitimate software. Relies on unsuspecting individuals running them. Examples:
* Triada Trojan, disguised as WhatsApp.
* Trojans (RATs) provide attackers with remote access to systems
Identify -
* Signatures for the specific malware applications or downloadable files
* Command and control system hostnames and **IP addresses**
* Folders or files created on target devices
Combat -
* combination of security awareness training to encourage users not to download untrusted software and
* antimalware or endpoint detection and response (EDR) tools that detect Trojan and RAT-like behavior and known malicious files.
Worms - what, how to identify, how to combat
What
Unlike Trojans that require user interaction, worms spread themselves
Identify -
Common IoCs for worms like Raspberry Robin include:
* Known malicious files
* Downloads of additional components from remote systems
* Command and control contact to remote systems
* Malicious behaviors using system commands for injection and other activities, including use of cmd.exe, msiexec.exe, and others
* Hands-on-keyboard attacker activity
Combat -
* firewalls and
* network-level controls remain one of the best ways to mitigate worm attacks.
* **Patching** and configuring services to limit attack surfaces
* After an infection - use of antimalware, EDR, and similar tools, or resetting
If compromised devices cannot communicate with other vulnerable devices, the infection can’t spread!
Spyware - what, how to identify, how to combat
What - malware that is designed to obtain information about an individual, organization, or system. It tracks users’ browsing habits, installed software, or similar information and reports it back to central servers.
Spyware is associated with identity theft and fraud, advertising and redirection of traffic, digital rights management (DRM) monitoring, and with stalkerware, a type of spyware used to illicitly monitor partners in relationships.
Because spyware uses techniques from other types of malware, defining software as spyware typically requires understanding its use and motivations rather than just its behavior. Thus, spyware may use Trojan, worm, or virus-style propagation methods in some cases, but the intent is to gather information about a user or system, with the methods used being less important than the goal.
Identify -
* Remote-access and remote-control-related indicators
* Known software file fingerprints
* Malicious processes, often disguised as system processes
* Injection attacks against browsers
Combat -
* using antimalware tools, although user awareness can help prevent the installation of spyware
* Mitigation practices for spyware focus on awareness, control of the software that is allowed on devices and systems, and antispyware capabilities built into antimalware tools. Since spyware is generally perceived as less of a threat than many types of malware, it is commonly categorized separately and may require specific configuration to identify and remove it.
Bloatware - what, how to identify, how to combat
What - unwanted applications installed on systems by manufacturers.
Identify -
Unlike the other malicious software categories listed in this chapter, bloatware isn’t usually intentionally malicious. It may, however, be poorly written, may call home with information about your system or usage, or may prove to be vulnerable to exploitation, adding another attack surface to otherwise secure devices. Uninstalling bloatware or using a clean operating system image are common practices for organizations as well as individuals.
Combat - it should simply be removed to prevent issues.
Viruses - what, how to identify, how to combat
What - malicious programs that self-copy and self-replicate once they are activated. Unlike worms, they don’t spread themselves via vulnerable services and networks. Viruses require one or more infection mechanisms that they use to spread themselves
Identify - Viruses require one or more infection mechanisms that they use to spread themselves, like copying to a thumb drive or network share, and that mechanism is typically paired with some form of search capability to find new places to spread to once they are run.
Viruses also typically have both a trigger, which sets the conditions for when the virus will execute, and a payload, which is what the virus does, delivers, or the actions it performs.
* Memory-resident viruses, which remain in memory while the system or device is running
* Non-memory-resident viruses, which execute, spread, and then shut down
* **Boot sector viruses,** which reside inside the boot sector of a drive or storage media
* Macro viruses, which use macros or code inside word processing software or other tools to spread
* Email viruses that spread via email either as email attachments or as part of the email itself using flaws inside email clients
Fileless virus attacks are similar to traditional viruses in a number of critical ways. They spread via methods like spam email and malicious websites and exploit flaws in browser plug-ins and web browsers themselves. Once they successfully find a way into a system, they inject themselves into memory and conduct further malicious activity, including adding the ability to reinfect the system via the same process at reboot through a Registry entry or other technique. At no point do they require local file storage, as they remain memory resident throughout their entire active life. In fact, the only stored artifact of many fileless attacks would be the artifacts of their persistence techniques, like Registry entries.
Combat - fileless attacks require a vulnerability to succeed, so ensuring that browsers, plug-ins, and other software that might be exploited by attackers are up to date and protected can prevent most attacks.
* awareness that helps to prevent users from clicking on and activating viruses, as well as
* antimalware tools that can detect them and prevent them both on-disk and in-memory or as they are being executed.
* **Removal varies, with some viruses easy to remove using antimalware tools or dedicated, virus-specific utilities** while some may require more significant action.
* many organizations have a standard practice of wiping the drive of an infected machine and restoring it from a known good backup or reinstalling/reimaging it. While there are some scenarios where even that won’t be enough, such as with BIOS/UEFI resident malware, in most common scenarios a complete wipe and reinstallation or reimaging will ensure the malware is gone.
Keylogger - what, how to identify, how to combat
What - programs that capture keystrokes from a keyboard, although keylogger applications may also capture other input such as mouse movement, touchscreen inputs, or credit card swipes from attached devices. Keyloggers work in a multitude of ways, ranging from tools that capture data from the kernel, via APIs or scripts, or even directly from memory. Regardless of how they capture data, the **goal of a keylogger is to capture user input to be analyzed and used by an attacker.**
Identify -
* File hashes and signatures
* Exfiltration activity to command and control systems (removal of data)
* Process names
* Known reference URLs
Combat -
* patching
* systems management,
* antimalware tools.
* multifactor authentication can help limit the impact of a keylogger, even if it cannot defeat the keylogger itself.
* bootable USB drives can prevent use of a potentially compromised underlying operating system.
Logic bombs - what, how to identify, how to combat
What
* **Functions or code placed inside other programs** that will activate when set conditions are met.
* Some other types of malware may use this type of code as part of their function as well.
Identify
* Code review
* Online analysis tools like VirusTotal can be used to check whether the malware is a known tool and to see what it is identified as by multiple AV tools.
* Sandbox tools can be used to analyze malware behavior in a protected environment.
* Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.
* Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for the analysis.
Combat
* While relatively rare compared to other types of malware, logic bombs are a consideration in software development and systems management, and can have a significant impact if they successfully activate
Rootkits - what, identify, combat
What - allow attackers to access a system through a backdoor.
Techniques range from **hooking filesystem drivers** to ensure that users cannot see the rootkit files to infecting startup code in the Master Boot Record (MBR) of a disk, allowing attacks against full-disk encryption systems.
Identify - test the suspected system from a trusted system or device.
Combat - rebuild the system or restore it from a known good backup.
What are common indicators of malicious activity associated with malware types?
IoCs associated with malware include:
* command and control (C&C) traffic patterns,
* IP addresses,
* **hostnames, and domains.**
* Use of system utilities in unexpected ways,
* lateral movement between systems,
* creation of files and directories,
* **encryption of files,**
* data exfiltration are also commonly seen, particularly with Trojans and rootkits.
* Signatures for malware are commonly used to identify specific files associated with given malware packages although malware writers use defensive techniques intended to make this harder.
What are methods to mitigate malware?
Mitigation practices for malware range from:
* manual removal to the
* **use of tools** to identify and remove malicious files, and often rely on
* reinstallation of a system or
* restoration from a known good backup to ensure all malware is removed.
What are Bots and Botnets, how to identify?
Many types of malware use command and control (C&C) techniques and systems to allow attackers to tell them what to do.
* Botnets = groups of systems that are under central command
* Bots = individual systems
How to identify
* know how to search for **C&C communications** and to identify why a system reaching out to unknown hosts may be a sign of a system you’re responsible for being part of a botnet.
What does IoC stand for
Indicators of compromise
What does CMD.exe do
Cmd.exe allows access to the Microsoft Windows Command Prompt. It offers disk and file maintenance functions to your computer as well as network functions
What is MsiExec.exe
MsiExec.exe is the **executable program of the Windows Installer** used to interpret installation packages and install products on target systems. After you build your release, you can install your Windows Installer package (.msi) from the command line.
Difference between spyware and bloatware
Spyware and bloatware can be difficult to tell apart, since manufacturers who install bloatware often have call-home functionality built into the bloatware.
The key differentiator is that spyware’s primary intention is to gather information about the user, their use of the system and Internet, and the configuration of the system, whereas bloatware is simply unwanted programs.
What is the difference between YARA and VirusTotal?
YARA was originally intended to support file-based rules.
VirusTotal’s “vt” module extended YARA’s capabilities with file’s metadata and behavior.
This allows our users to create advanced Livehunt and Retrohunt rules and get notified via IoC Stream every time new or re-scanned files match our rules
What is the BIOS
BIOS **(basic input/output system)** is the program a computer’s microprocessor uses to **start the computer system** after it is powered on. It also manages data flow between the computer’s operating system (OS) and attached devices, such as the hard disk, video adapter, keyboard, mouse and printer.
What is the UEFI
Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS).
Tools for analysing Malware in code
* **Online analysis tools like VirusTotal** can be used to check whether the malware is a known tool and to see what it is identified as by multiple AV tools.
* **Sandbox tools** can be used to analyze malware behavior in a protected environment.
* Manual code analysis is common, particularly with scripts and interpreted code like Python and Perl.
* Malware can be analyzed using tools like strings to look for recoverable artifacts that may be useful for the analysis.
Many other tools and techniques are used to analyze malicious code and software, but these are a good starting point for security analysts who need to determine whether a given executable or block of code might be malicious.
DRM system
Digital rights management (DRM) is the use of technology to control and manage access to copyrighted material. Another DRM meaning is taking control of digital content away from the person who possesses it and handing it to a computer program.
Port 6667
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port.
What is the key difference between worms and viruses?
How they spread. Worms spread themselves, whereas viruses rely on human interaction.
What are the types of malware covered in this chapter?
- Ransomware
- Trojan
- Worm
- Spyware
- Bloatware
- Virus
- Keylogger
- Logic bomb
- Rootkit
These categories represent different forms of malicious software that can affect systems in various ways.
What is the primary focus of this chapter?
Exploring various types of malware and their distinguishing elements, behaviors, and traits.
Understanding these aspects is crucial for identifying and responding to malware attacks.
What should you analyze to identify malicious activity?
Indicators of malicious activity.
This involves looking for signs that may suggest the presence of malware on a system.
Fill in the blank: ______________ helps ensure that attackers can retain access to systems once they’ve gained a foothold.
Rootkit
Rootkits are designed to conceal the existence of certain processes or programs from normal methods of detection.
True or False: The chapter covers response methods organizations use to deal with malware.
True
Organizations need to have effective response methods to mitigate the impact of malware attacks.
What is one of the objectives covered in this chapter related to the CompTIA Security+ exam?
Analyze indicators of malicious activity.
This objective is part of Domain 2.0: Threats, Vulnerabilities, and Mitigations.
What types of behaviors might indicate the presence of malware?
- Unexpected system crashes
- Slow performance
- Unusual network activity
- Unauthorized access attempts
These behaviors can serve as indicators for the detection of malware.
Fill in the blank: Malware includes various forms such as ransomware, ____________, and viruses.
Worms
Worms are a type of malware that replicate themselves to spread to other systems.
What is the purpose of controls mentioned in this chapter?
Help protect against malware.
Implementing controls is essential for preventing malware infections and minimizing risks.
What type of malware is known for encrypting files and demanding ransom?
Ransomware
Ransomware attacks can lead to significant data loss and financial impact if the ransom is paid.
True or False: Spyware is designed to monitor user activity without their consent.
True
Spyware can collect sensitive information, such as login credentials and personal data.
Which malware type is characterized by its ability to self-replicate and spread without user intervention?
Worm
Worms exploit vulnerabilities in networks to propagate themselves.
What is malware?
A wide range of software intentionally designed to cause harm to systems, networks, or users
Malware can gather information, provide illicit access, and perform unwanted actions.
What is ransomware?
Malware that takes over a computer and demands a ransom
Types of ransomware include crypto malware, which encrypts files.
What are common delivery methods for ransomware?
- Phishing campaigns
- Direct attacks (e.g., Remote Desktop Protocol)
- Exploiting vulnerable services or applications
What are indicators of compromise (IoCs) for ransomware?
- Command and control (C&C) traffic
- Use of legitimate tools in abnormal ways
- Encryption of files
- Notices to users demanding ransom
- Data exfiltration behaviors
True or False: Paying a ransom guarantees that files will be returned.
False
In some cases, attackers demand more money even after payment.
What are Trojans?
A type of malware disguised as legitimate software
They rely on users running them to gain access.
What is an example of a Trojan?
Triada Trojan, which is distributed as a modified WhatsApp version
It gathers device information and allows further malicious actions.
What are indicators of compromise for Trojans?
- Signatures for malware applications
- Command and control hostnames
- Folders or files created on devices
What is a botnet?
A group of systems under central command used by attackers
Individual systems are referred to as bots.
How do worms differ from Trojans?
Worms self-replicate and spread without user interaction
Trojans require user action to be executed.
What is the significance of the Stuxnet worm?
Recognized as the first implementation of a worm as a cyber weapon
Aimed at the Iranian nuclear program.
What are some common IoCs for worms?
- Known malicious files
- Command and control contact
- Malicious behaviors using system commands
What is spyware?
Malware designed to obtain information about an individual or organization
It can track browsing habits and sensitive data.
What are common forms of spyware?
- Stalkerware
- Keyloggers
- Adware
What is bloatware?
Unwanted applications preinstalled on systems by manufacturers
Not usually malicious but can add vulnerabilities.
What are computer viruses?
Malicious programs that self-copy and self-replicate upon activation
They require an infection mechanism to spread.
What are the types of computer viruses?
- Memory-resident viruses
- Non-memory-resident viruses
- Boot sector viruses
- Macro viruses
- Email viruses
What is a fileless virus?
A virus that spreads and operates without needing to store files on disk
It remains memory resident and exploits system vulnerabilities.
Fill in the blank: Ransomware often demands a _______.
[ransom]
True or False: All forms of spyware are considered malicious.
False
Some spyware is relatively innocuous.
What is the main defense against ransomware?
An effective backup system that stores files separately
This ensures that files are recoverable if encrypted.
What is the primary intention of spyware?
To gather information about the user or system
Its methods may vary, but the goal is information collection.
What is the primary characteristic of fileless malware?
Remains memory resident throughout its active life, requiring no local file storage
Fileless malware injects itself into memory and can reinfect systems via techniques like Registry entries.
What are the steps in a typical fileless virus attack chain?
- Email link to a malicious website
- Website exploits browser plugin vulnerability
- Shell code runs command line script to download and execute the payload
- Payload runs in memory and executes further attacks
- Registry entry created to repeat shell code download and execution at boot
This flow illustrates how fileless malware operates without leaving traditional file artifacts.
True or False: Fileless attacks can occur without the presence of software vulnerabilities.
False
Fileless attacks require a vulnerability to succeed.
What types of defenses can help prevent fileless virus attacks?
- Keeping browsers and plugins updated
- Using antimalware tools to detect unexpected behaviors
- Employing network-level defenses like intrusion prevention systems (IPSs)
- Utilizing reputation-based protection systems
These measures can mitigate the risk of exploitation.
What are IoCs related to viruses?
- File hashes and signatures
- Exfiltration activity
- Process names
- Known reference URLs
IoCs help in identifying malicious activities and are often found in threat feeds.
What is a common practice for removing malware from an infected machine?
Wiping the drive and restoring it from a known good backup or reinstalling/reimaging it
This method ensures that the malware is completely removed, although some cases may require additional steps.
Define keyloggers.
Programs that capture keystrokes and other input from devices
Keyloggers can capture mouse movements, touchscreen inputs, and credit card swipes.
What are common methods to prevent software keylogging?
- Implementing normal security best practices
- Patching and systems management
- Using antimalware tools
- Employing multifactor authentication
Multifactor authentication helps mitigate the impact of keyloggers even if they are present.
What is a logic bomb?
Code placed inside other programs that activates under specific conditions
Logic bombs are rare and can significantly impact systems if activated.
How can malware be analyzed?
- Online analysis tools like VirusTotal
- Sandbox tools for behavior analysis
- Manual code analysis of scripts
- Tools like strings for artifact recovery
These techniques help security analysts evaluate potential malware.
What are rootkits designed to do?
Allow attackers to access a system through a backdoor while concealing their presence
Rootkits use various techniques to avoid detection, complicating their removal.
How can rootkits be detected?
- Testing from a trusted system
- Looking for typical behaviors and signatures
- Integrity checking and data validation
Detection can be challenging due to the nature of rootkits.
What are common IoCs for rootkits?
- File hashes and signatures
- Command and control domains, IP addresses
- Behavior-based identification
- Opening ports or creating reverse proxy tunnels
These indicators help in identifying rootkit activity.
Fill in the blank: The best way to prevent rootkits is to use _______.
[normal security practices]
This includes patching and ensuring secure configurations.
What is ransomware?
Malware that encrypts files and holds them for ransom paid via cryptocurrency
Ransomware is one of the most common forms of malware targeting victims.
What are Trojans?
Malware disguised as legitimate software that takes malicious action once downloaded and run
Trojans can trick users into installing them by appearing harmless.
How do worms spread?
They spread themselves on networks via vulnerable services, email, or file shares
Worms can replicate and spread without user intervention.
What distinguishes a virus from other malware?
Viruses infect local systems and often require user action to spread
Unlike worms, viruses do not self-replicate over networks.
What is spyware?
Malicious software intended to gather information about users, systems, and networks
Spyware sends collected information back to remote systems or command and control servers.
What is a keylogger?
A specialized type of spyware that captures keystrokes
Keyloggers can exist in both software and hardware forms.
What are rootkits used for?
To retain access to a system and conceal malicious actions
Rootkits often help attackers maintain a foothold on compromised systems.
What is a logic bomb?
Code that executes unwanted actions under specific conditions
Logic bombs typically need to be identified by reviewing source code or scripts.
Define bloatware.
Unwanted software installed on systems by vendors or as part of software packages
Bloatware takes up resources and can be vulnerable to attacks.
What are some methods to fight malware?
Antivirus tools, endpoint detection and response tools, configuration, and patching
Awareness is often the most effective tool in preventing and responding to malware attacks.
Fill in the blank: Keyloggers are a specialized type of _______.
spyware
Keyloggers track user keystrokes, which can lead to sensitive information being compromised.
True or False: Bloatware is considered malicious software.
False
Bloatware is not truly malicious but can be vulnerable to attacks.
What is the primary purpose of rootkits?
To conceal malicious action and maintain access to a compromised system
Rootkits work in conjunction with other malware to protect the attacker’s presence.