BOOK: Ch 6, 7, 10 Flashcards
Malware propagation mechanisms include those used by…(3)
viruses, worms and Trojans
______ include system corruption, bots, phishing, spyware, and rootkits.
Payloads
Virus Dormant Phase
The Virus is Idle.
Virus Propagation Phase
The virus places a copy of itself into other programs or into certain system areas on the disk.
Virus Triggering Phase
The virus is activated to perform the function for which it was intended.
Virus Execution Phase
The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Infects files with macro or scripting code that is interpreted by an application.
Macro Virus
Infects files that the operating system or shell consider to be executable.
File Infector Virus
An attack that exploits social engineering to leverage a user's trust by masquerading as communications from a trusted source
Phishing Attack
The recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity.
Spear-Phishing Attack
Is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible.
Rootkit
An attempt to compromise availability by hindering or blocking completely the provision of some service.
Denial-of-service (DoS) attack
DDoS Flooding attack targets…(3)
Network BW, System resources, Application resources
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are a good example.
Backscatter Traffic
This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
DoS attack, SYN Spoofing Attack
The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target.
Reflection attack
Involve sending a packet with a spoofed source address for the target system to intermediaries. They differ in generating multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network.
Amplification Attacks
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Buffer Overflow
Instead of the sequence of letters used as padding in the example above, binary values corresponding to the desired machine instructions were used.
Shellcode
Aim to prevent or detect buffer overflows by instrumenting programs when they are compiled.
Compile-Time Defenses
Can be deployed as operating system updates to provide some protection for existing vulnerable programs. These defenses involve changes to the memory management of the virtual address space of processes.
Run-Time Defenses
Most commonly the address of a standard library function is chosen, such as the system() function. The attacker specifies an overflow that fills the buffer, replaces the saved frame pointer with a suitable address, replaces the return address with the address of the desired library function, writes a placeholder value that the library function will believe is a return address, and then writes the values of one (or more) parameters to this library function.
Return-to-system-call Attack
If the allocated space includes a pointer to a function, which the code then subsequently calls, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer.
Heap Buffer Overflow