CH-5 Malware Flashcards

1
Q

How a Virus Spreads

A

Finds a network connection, then copies itself to other hosts on the network.

Mails itself to everyone in the host’s address book.

Downloaded from a website link

2
Q

What is a virus?

A

By definition, a computer virus is a program that self-replicates. Self-replication and rapid spread are the hallmarks of a virus.

3
Q

A computer virus does what?

A
  • Self-replicates
    – Spreads rapidly
    – May or may not have a malicious payload
4
Q

Can a Trojan horse be crafted especially for an individual?

A

Yes.

5
Q

Can a trojan horse spread like a virus?

A

Yes.

6
Q

Does Microsoft send “security alerts”?

A

NO!

7
Q

Examples of web pages that consistently give the latest, most reliable, most detailed information on virus outbreaks.

A

https://www.technewsworld.com/perl/section/viruses-malware/
https://us.norton.com/internetsecurity-malware-virus-faq.html?
https://www.us-cert.gov/publications/virus-basics
http://www.techrepublic.com/pictures/the-18-scariest-computer-viruses-of-all-time/

8
Q

How does a Logic Bomb work?

A

Scheduled to run when a specific condition is met
– The condition is often a date
– Could also be volume of traffic, etc.

9
Q

How does a virus spread?

A

Method 1: Emails itself out to everyone in your email address book; the most common method, especially via MS Outlook.

Method 2: Scans your computer for network connections and then copies itself to other machines on the network to which your computer has access.

Method 3: USB drives, CDs, DVDs, masking itself as a legitimate file. In such a case it’s called a Trojan horse.

Method 4: A website infected with a virus, and when someone visits the website, that person’s computer becomes infected.

10
Q

How does antivirus software operate?

A

– Scans for virus signatures
■ Keeps the signature file updated

– Watches the behavior of executables
■ Attempts to access e-mail address book
■ Attempts to change Registry settings

11
Q

How do you remove spyware?

A

■ Anti-virus software blocks some spyware
■ Ad-blockers can block additional spyware
■ Many specialized Spyware removal tools exist as well:
– Spybot Search & Destroy
– Malwarebytes Adwcleaner
– Adaware Antivirus
– Norton Power Eraser

12
Q

What can a Trojan Horse do?

A

Download harmful software from a website.
Install a key logger or other spyware on your machine.
Delete files.
Open a backdoor for a hacker to use.

13
Q

Tips for Avoiding Viruses

A
  1. Install anti-virus software and keep it up to date
  2. Do not open questionable email attachments
  3. Patch your operating system and applications
  4. Avoid questionable websites
  5. Avoid pirated software
  6. Backup your computer regularly
14
Q

Trojan Variation: Man-in-the-Browser, how does it work?

A

Perpetrator installs a Trojan on a victim’s computer
■ Trojan monitors user’s web transactions as they occur in real time
■ Trojan can detect a page-load for a specific pattern in its targeted list
■ Captures and/or modifies data being entered into the browser
■ Does not need to simulate encrypted sessions

– Browser establishes a secure connection with a website as usual
– Trojan operates between your browser’s interface and you

15
Q

What are Advanced Persistent Threats (APTs)?

A

■ Highly organized and well-financed
■ Advanced techniques, not “script kiddies”
■ Ongoing over a significant period of time
■ Often carried out by nation states

16
Q

What are Rootkits?

A

■ A collection of hacking tools that can:
– Monitor traffic and keystrokes
– Create a backdoor
– Alter log files and existing tools to avoid detection
– Attack other machines on the network

17
Q

What are the most widely accepted and used virus scanners?

A

McAfee and Norton - best

Kaspersky and AVG - also good

18
Q

What do Trojan horses do?

A
  • Download harmful software
    – Install a key logger
    – Open a back door for hackers
19
Q

What does a virus do to a network?

A

Reduces the functionality and responsiveness of a network by exceeding the traffic load that a network was designed to carry.

20
Q

What is a Boot Sector Virus? How does it work?

A

Boot sector: As the name suggests, this type of virus infects the boot sector of the drive. Such viruses can be difficult for antivirus software to find because most antivirus software runs within the operating system, not in the boot sector.

21
Q

What is a Boot Sector Virus?

A

Malicious programs that reside on your hard drive.
They infect your machine by replacing your Master Boot Record (MBR) or DOS Boot Sector with their code.

In some cases, boot sector viruses will encrypt the MBR.

The Master Boot Record is on the first sector of your hard drive and executes whenever you power on your PC. This means that even if you try to remove boot sector viruses using an antivirus, they get loaded back into your computer’s memory on your next boot.

The most common way that these malicious programs spread is through shared removable media.

22
Q

What is a Botnet?

A

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to access the device and its connection.

23
Q

What is a Macro Virus?

A

Macro viruses infect the macros in office documents. Many office products, including Microsoft Office, allow users to write mini-programs called macros. These macros can also be written as a virus. A macro virus is written into a macro in some business application. For example, Microsoft Office allows users to write macros to automate some tasks.

24
Q

What is a Memory Resident virus? How does it work?

A

A memory-resident virus installs itself and then remains in RAM from the time the computer is booted up to when it is shut down.

25
Q

What is a Memory-Resident Virus?

A

A Memory-Resident Virus is a virus that is located in the memory of a computer, even after the ‘host’ application or program has stopped running (been terminated).

  • Loads its replication module into memory so it does not need to be executed for it to infect other files.
  • Activates whenever the operating system loads or performs specific functions.
  • May be one of the worst kinds.
  • It can even attach itself to anti-virus applications, which allows it to infect any file scanned by the program.
26
Q

What is a Metamorphic Virus? How does it work?

A

Metamorphic: A metamorphic virus is a special case of the polymorphic virus that completely rewrites itself periodically. Such viruses are very rare.

27
Q

What is a Multi-Partite virus? How does it work?

A

Multi-partite viruses attack the computer in multiple ways, for example, infecting the boot sector of the hard disk and one or more files.

28
Q

What is a multipartite virus?

A

It uses file infectors or boot infectors to attack the boot sector and executable files simultaneously.
The multipartite virus can affect both the boot sector and the program files at the same time, thus causing more damage than any other kind of virus.

When the boot sector is infected, simply turning on the computer will trigger a boot sector virus because it latches on to the hard drive that contains the data that is needed to start the computer. Once the virus has been triggered, destructive payloads are launched throughout the program files.

29
Q

What is a Polymorphic Virus? How does it work?

A

Polymorphic: A polymorphic virus literally changes its form from time to time to avoid detection by antivirus software.

30
Q

What is scareware?

A

The MacDefender virus was first seen in the early months of 2011, and variations are still seen today.

It is embedded in some web pages, and when a user visits those web pages, she is given a fake virus scan that tells her she has a virus, and it needs to be fixed.

The “fix” is actually downloading a virus. The point of the virus is to get end users to purchase the MacDefender “antivirus” product. This is the second reason this case is noteworthy. Fake antivirus attacks, also known as scareware, have been becoming increasingly common.

31
Q

What is a software patch?

A

A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually being called bugfixes or bug fixes.

32
Q

What is a Sparse infector virus? How does it work?

A

Eludes detection by performing its malicious activities only sporadically.

The user will see symptoms for a short period, then no symptoms for a time. In some cases the sparse infector targets a specific program but the virus executes only every 10th time or 20th time that target program executes. Or a sparse infector may have a burst of activity and then lie dormant for a period of time. There are a number of variations on the theme, but the basic principle is the same: to reduce the frequency of attack and thus reduce the chances for detection.

33
Q

What is a sparse infector?

A

A virus that infects only occasionally (e.g. every tenth program executed), or only files whose lengths fall within a narrow range, etc.
By infecting less often, such viruses try to minimize the probability of being discovered.

34
Q

What is a Virulent Virus?

A

The term virulent means essentially the same thing in reference to a computer virus as it does in relationship to a biological virus: It is a measure of how rapidly the infection spreads and how easily it infects new targets.

35
Q

What is an Armored Virus? How does it work?

A

A computer virus that contains a variety of mechanisms specifically coded to make its detection and decryption very difficult.

  • Fools anti-virus software into believing that the virus resides somewhere other than its real location; implemented by adding complicated and confusing code to mask the virus and prevent virus researchers from creating an effective countermeasure.
36
Q

What is Buffer Overflow?

A

Attackers exploit buffer overflow issues by overwriting the memory of an application.

This changes the execution path of the program, triggering a response that damages files or exposes private information. For example, an attacker may introduce extra code, sending new instructions to the application to gain access to IT systems.

37
Q

What is CERT?

A

Computer Emergency Response Team (CERT).

CERT (www.cert.org) is an organization hosted at Carnegie Mellon University that is a repository for security bulletins, information, and guidelines. CERT is a source that any security professional should be familiar with.

38
Q

What is Ransomware?

A

A form of malware (viruses and Trojans).

Entire operating system or individual files are encrypted.

39
Q

What is Spyware used for?

A

■ Legal Uses:
– Monitoring employees
– Monitoring children’s computer use
– Monitoring customers via cookies (in some countries)

■ Illegal Uses:
– Deployed covertly for malicious purposes
– Violation of the Children’s Online Privacy Protection Act

40
Q

What is the common theme with all virus attacks?

A

They want you to open some type of attachment.

41
Q

What is the Polymorphic Virus?

A

A “shape-shifting” virus that produces malicious code which replicates itself endlessly and repeatedly changes its characteristics.

42
Q

What Spyware do you know?

A

– Web cookies
– Key loggers
– Screen capture