7. Malware, Botnets, and Spam Flashcards
Name 3 network security problems
- Host compromise (attacker gains control of host)
- Denial-of-service (attacker prevents legitimate users from gaining service)
- Both (host compromise that provides resources for DDoS)
Name the 5 malware types
- Virus (program that attaches itself to another program and runs whenever that program runs)
- Worm (self-replicating program that spreads over the network on its own, usually by remotely exploiting a vulnerability)
- Rootkit (program that modifies the operating system to hide the attacker's presence and keep privileged access once it has been gained)
- Trojan horse (program that looks legitimate but opens a backdoor on the infected host, giving the attacker remote access to the machine)
- Botnet (group of trojaned machines under one attacker's control, used for spam, DDoS, click fraud, etc.)
What are 4 things an attacker can accomplish upon Host Compromise?
- Read data
- Erase data
- Compromise other host
- Launch DDoS attack on another host
Why is network code vulnerable?
Because it accepts input from the network, and that input is fully controlled by whoever sends it, including an attacker
Worm spreading slows down towards the end. Why?
Because late in the outbreak most scans hit machines that are already infected (or not vulnerable at all); few uninfected vulnerable hosts remain, so each scan yields fewer new infections (the tail of the logistic curve)
Explain 2 ways to speed up worm spread
- Reduce redundant scanning (permutation scanning: every instance scans the same pseudo-random permutation of the address space, each from its own random starting point; an instance that hits an already infected host knows that stretch has been covered and re-randomizes its position)
- Reduce the slow start-up phase (build a 'hit-list' of known-vulnerable hosts before release, so the worm starts from many infected hosts instead of one)
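The three cards above, as an added toy simulation that is not part of the original flashcards: it shows the slowdown in the tail of a random-scanning outbreak, the speed-up from a hit-list, and a simple permutation-scanning instance that re-randomizes when it lands on an infected host. The address-space size, the number of vulnerable hosts and the one-scan-per-tick rate are assumptions chosen so a run finishes in about a second.

```python
"""Toy simulation of worm spread. This is an added example, not part of the
original flashcards. The address-space size, number of vulnerable hosts and
one-scan-per-tick rate are assumptions chosen so a run finishes quickly."""
import random

SPACE = 1 << 14   # assumed scannable address space (16 384 addresses)
VULN = 500        # assumed number of vulnerable hosts in that space


def simulate(strategy="random", hitlist=0, seed=1, max_ticks=10000):
    """Spread until every vulnerable host is infected.

    strategy  "random": each scan picks a uniformly random address.
              "permutation": all instances walk one shared random permutation
              of the space from their own random start; hitting an already
              infected host means that stretch is covered, so the instance
              re-randomizes its position.
    hitlist   number of pre-scanned vulnerable hosts the worm starts on
              (0 = a single patient zero).
    Returns (infected_per_tick, rescans): infected count after each tick and
    the total number of scans that hit an address some instance had already
    scanned (the wasted work that slows the tail of the outbreak).
    """
    rng = random.Random(seed)
    addresses = list(range(SPACE))
    vulnerable = set(rng.sample(addresses, VULN))
    perm = addresses[:]
    rng.shuffle(perm)
    infected, cursor, scanned = set(), {}, set()
    rescans = 0

    def infect(host):
        infected.add(host)
        cursor[host] = rng.randrange(SPACE)   # own random start in perm

    start = rng.sample(sorted(vulnerable), hitlist) if hitlist else [min(vulnerable)]
    for host in start:
        infect(host)

    history = [len(infected)]
    for _ in range(max_ticks):
        if len(infected) == VULN:
            break
        for host in list(infected):          # one scan per infected host per tick
            if strategy == "random":
                target = rng.randrange(SPACE)
            else:
                target = perm[cursor[host]]
                cursor[host] = (cursor[host] + 1) % SPACE
            if target in scanned:
                rescans += 1
            scanned.add(target)
            if target in infected:
                if strategy == "permutation":
                    cursor[host] = rng.randrange(SPACE)   # region done: jump
            elif target in vulnerable:
                infect(target)
        history.append(len(infected))
    return history, rescans


def ticks_to_reach(history, fraction):
    """First tick at which at least `fraction` of vulnerable hosts are infected."""
    return next(t for t, n in enumerate(history) if n >= fraction * VULN)


def new_infections_per_tick(history, lo, hi):
    """Average new infections per tick while the infected fraction rises lo -> hi."""
    a, b = ticks_to_reach(history, lo), ticks_to_reach(history, hi)
    return (history[b] - history[a]) / max(b - a, 1)


if __name__ == "__main__":
    hist, wasted = simulate("random")
    print("random scan, patient zero: 50%% at tick %d, 100%% at tick %d, %d rescans"
          % (ticks_to_reach(hist, 0.5), len(hist) - 1, wasted))
    print("new infections/tick around 50%%: %.2f, during the last 10%%: %.2f"
          % (new_infections_per_tick(hist, 0.45, 0.55),
             new_infections_per_tick(hist, 0.9, 1.0)))
    hl, _ = simulate("random", hitlist=50)
    print("random scan, 50-host hit-list: 50%% at tick %d" % ticks_to_reach(hl, 0.5))
    ph, pw = simulate("permutation")
    print("permutation scan: 100%% at tick %d, %d rescans" % (len(ph) - 1, pw))
```

The infection rate around the halfway point is an order of magnitude higher than during the last 10%, which is the slowdown the card describes; starting from a 50-host hit-list reaches 50% infection in a fraction of the ticks that a single patient zero needs.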
2 classes of monitors in threat detection
- Network based
- Host/endpoint-based
Static vs Dynamic analysis
Static (inspect the code without running it):
- Pro: complete, covers every path, including branches that never execute during a run
- Con: difficult to extract semantics (what the code actually does) from the code alone
- Con: defeated by obfuscation/packing, since the real code only appears after it unpacks itself at run time
Dynamic (run the sample and observe it):
- Pro: easy to see 'behaviours' (file, process, network activity)
- Pro: malware unpacks itself, so packed code becomes visible
- Con: dormant code is missed, only the paths actually taken during the run are observed (e.g. a branch that waits for a trigger date)
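The trade-off on this card, as an added example that is not part of the original flashcards: a constructed sample whose malicious branch is dormant until a trigger date, hidden behind a toy keystream-XOR "packer" that stands in for a real one. A static string scan of the packed bytes finds nothing, while a byte-entropy check still hints that the file is packed; letting the sample unpack and run itself reveals its behaviour, but only for the branch the environment triggers. The C2 host name is hypothetical (reserved .invalid TLD).

```python
"""Static vs dynamic analysis on a packed sample. This is an added example,
not part of the original flashcards. The "packer" is a toy keystream XOR
standing in for a real packer, the sample is a constructed Python function,
and the C2 host name is hypothetical (reserved .invalid TLD)."""
import math
import random
import re
from collections import Counter

SEED = 1234   # assumed key the toy packer derives its keystream from

# Constructed sample: its nasty branch is dormant unless a trigger date is set.
PAYLOAD_SRC = b'''
def run(env):
    # Dormant branch: only fires on the trigger date, otherwise the sample idles.
    if env.get("DATE") == "2029-01-01":
        return ["connect c2.example.invalid:443", "read /etc/shadow"]
    return ["sleep 3600"]
'''

IOC = re.compile(rb"c2\.example\.invalid|/etc/shadow")


def keystream(n):
    """Deterministic pseudo-random bytes; the same SEED is used on both sides."""
    rng = random.Random(SEED)
    return bytes(rng.randrange(256) for _ in range(n))


def pack(payload):
    """Toy packer: XOR with a keystream, so plaintext strings disappear from disk."""
    return bytes(a ^ b for a, b in zip(payload, keystream(len(payload))))


unpack = pack   # XOR with the same keystream is its own inverse


def entropy(data):
    """Shannon entropy in bits per byte; packed/encrypted data scores far higher
    than source text, which is a cheap static hint that a sample is packed."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_scan(blob):
    """Static view: indicators visible in the bytes exactly as they sit on disk.
    Complete (every branch is present), but blind to packed content."""
    return sorted({m.decode() for m in IOC.findall(blob)})


def dynamic_run(blob, env):
    """Dynamic view: let the sample unpack and run itself, record what it does.
    A real sandbox isolates this step; here exec() stands in for it.
    Only the branch the environment selects is ever observed."""
    namespace = {}
    exec(unpack(blob).decode(), namespace)   # the sample's own unpacking stub
    return namespace["run"](env)


if __name__ == "__main__":
    packed = pack(PAYLOAD_SRC)
    print("entropy plain %.2f, packed %.2f" % (entropy(PAYLOAD_SRC), entropy(packed)))
    print("static scan of packed sample:", static_scan(packed))
    print("static scan after unpacking: ", static_scan(unpack(packed)))
    print("dynamic run, normal day:     ", dynamic_run(packed, {"DATE": "2024-06-01"}))
    print("dynamic run, trigger day:    ", dynamic_run(packed, {"DATE": "2029-01-01"}))
```

Static analysis of the unpacked bytes lists both indicators, including the dormant branch, which a sandbox run on an ordinary day never shows; the packed bytes show neither, only an entropy well above that of the source text.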
What is the ultimate goal of most Internet worms?
Compromise the machine, install a rootkit (to hide and keep access), then a trojan so the host can be controlled remotely, typically as a member of a botnet
What's a vulnerability of old-school C&C IRC channels?
The IRC server/channel is a central rendezvous point that every bot connects to: a single point of failure that is easy to locate and take down
Explain fast-flux
The generic concept that one domain name resolves to many IP addresses, with the set of addresses changing rapidly (short DNS TTLs), so taking down any single IP does not take down the service
Explain a way a botmaster can protect himself
Use fast-flux: control the authoritative DNS for the rendezvous domain and keep changing the IP addresses it resolves to (usually bots acting as proxies), with TTLs short enough that the answers rotate every few minutes
Solution to counter traditional fast-flux
Blacklist the rendezvous point (the domain name) instead of chasing the IP addresses
What counters blacklisting a rendezvous point used by a botmaster?
Random domain generation (a domain generation algorithm, DGA) combined with fast-flux: bots and botmaster compute a fresh set of candidate domain names each day from a shared seed, and the botmaster registers only one of them. Because the name changes daily, it is hard to get any single name flagged in time
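The four cards above, as an added example that is not part of the original flashcards: a date-seeded domain generation algorithm that bots and botmaster both compute, a bot-side rendezvous that skips blocked names, and a fast-flux heuristic run over a constructed DNS log (short TTL plus many distinct A records spread across several /24s). The seed, dates, names, IP addresses (RFC 5737 documentation ranges) and detection thresholds are all assumptions; nothing here touches the network.

```python
"""DGA rendezvous names plus a fast-flux heuristic over DNS answers. This is an
added example, not part of the original flashcards. The seed, dates, names,
IP addresses (RFC 5737 documentation ranges) and DNS log are all constructed;
nothing here touches the network."""
import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"   # assumed secret compiled into every bot
TODAY = date(2024, 6, 1)        # assumed "current" date for the walkthrough


def next_day(day, n=1):
    """Shift a date by n days (negative n goes backwards)."""
    return day + timedelta(days=n)


def dga(day, count=5, tld="invalid"):
    """Candidate rendezvous names for one day, derived from the shared seed.
    Bots and botmaster compute the same list; the botmaster registers just one
    (or a few) of them, so a defender cannot know in advance which to block."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append("%s.%s" % (digest[:12], tld))
    return names


def rendezvous(day, registered, blocklist):
    """Bot side: walk today's candidates and return the first that resolves.
    A name on the blocklist is treated as not resolving."""
    for name in dga(day):
        if name in registered and name not in blocklist:
            return name
    return None


# Constructed DNS log: (seconds, qname, ttl, A records). The first name rotates
# through many addresses in several /24s with a short TTL; the second is a
# plain static host.
DNS_LOG = [
    (0,     "rendezvous.invalid", 300,   ["198.51.100.10", "203.0.113.7", "192.0.2.44"]),
    (300,   "rendezvous.invalid", 300,   ["198.51.100.23", "203.0.113.90", "192.0.2.5"]),
    (600,   "rendezvous.invalid", 300,   ["198.51.100.77", "203.0.113.7", "192.0.2.61"]),
    (0,     "www.example.com",    86400, ["192.0.2.1"]),
    (86400, "www.example.com",    86400, ["192.0.2.1"]),
]


def flux_features(log, qname):
    """Summarise how a name resolved over time."""
    rows = [r for r in log if r[1] == qname]
    ips = {ip for r in rows for ip in r[3]}
    nets = {ip.rsplit(".", 1)[0] for ip in ips}      # crude /24 grouping
    return {"distinct_ips": len(ips), "distinct_nets": len(nets),
            "min_ttl": min(r[2] for r in rows)}


def looks_fast_flux(log, qname, max_ttl=600, min_ips=5, min_nets=3):
    """Heuristic in the spirit of fast-flux detection work: short TTL plus many
    distinct addresses spread across networks. Thresholds are assumptions."""
    f = flux_features(log, qname)
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets)


if __name__ == "__main__":
    registered = {dga(TODAY)[2]}                   # botmaster registered one name
    blocklist = {dga(next_day(TODAY, -1))[0]}      # defender blocked yesterday's name
    print("today's candidates:", dga(TODAY))
    print("bot reaches:", rendezvous(TODAY, registered, blocklist))
    for name in ("rendezvous.invalid", "www.example.com"):
        print(name, flux_features(DNS_LOG, name), "flux?", looks_fast_flux(DNS_LOG, name))
```

Blocking yesterday's name does nothing against today's rendezvous; blocking today's name works only until the next day's list, which is why defenders reverse the DGA itself to pre-register or sinkhole the upcoming names.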
How can you make money off stolen financial credentials?
Through money mules: deposit the stolen funds into the mule's account; the mule buys expensive goods and resells them online, or withdraws cash from an ATM using the victim's credentials, and then wires the proceeds to the criminal behind the scheme