Chapter 11 Flashcards

1
Q

Malicious software (malware)

A

Any program that carries out actions that you do not intend

2
Q

types of viruses (3)

A

System infectors
File infectors
Data infectors

3
Q

System infectors

A

Target computer hardware and software startup functions

4
Q

File infectors

A

Attack and modify executable programs (COM, EXE, SYS, and DLL files in Microsoft Windows)

5
Q

Data infectors

A

(Also called macro infectors) Attack document files containing embedded macro programming capabilities

6
Q

Other virus classifications (6)

A

Polymorphic viruses
Stealth viruses
Slow viruses
Retro viruses
Cross-platform viruses
Multipartite viruses

7
Q

Polymorphic viruses:

A

These include a separate encryption engine that stores the virus body in encrypted format while duplicating the main body of the virus. The virus exposes only the decryption routine for possible detection. It embeds the control portion of the virus in the decryption routine, which seizes control of the target system and decrypts the main body of the virus so that it can execute. True polymorphic viruses use an additional mutation engine to vary the decryption process for each iteration. This makes even this portion of the code more difficult to identify.

8
Q

Stealth viruses:

A

Also called armored viruses, these use a number of techniques to conceal themselves from users and from detection software. By installing a low-level system service function, they can intercept any system request and alter the service output to conceal their presence. Stealth viruses can have size stealth, read stealth, or both.

9
Q

Slow viruses:

A

These counter the ability of antivirus programs to detect changes in infected files. This class of virus resides in the computer’s memory, where antivirus software cannot detect it. It waits for certain tasks, like copying or moving files, to execute. As the operating system reads the file into memory, the virus alters it before writing to the output file, making it much harder to detect.

10
Q

Retro viruses:

A

These attack countermeasures such as antivirus signature files or integrity databases. A retro virus searches for these data files and deletes or alters them, thereby crippling the antivirus software’s ability to function. Other viruses, especially boot viruses (which gain control of the target system at startup), modify Windows Registry keys and other operating system startup files to disable AV, firewall, and intrusion detection system (IDS) software if found.

11
Q

Cross-platform viruses:

A

These are less prevalent but can still be potent threats. There have been a number of documented viruses that target multiple operating systems (Apple Macintosh HyperCard viruses, for instance). If those platforms also run Windows emulation software, they become as susceptible to Windows viruses as a native Windows computer.

12
Q

Multipartite viruses:

A

These are hybrid viruses that exhibit multiple behaviors. There are two main types of multipartite virus: Master Boot Record/boot sector viruses and file infecting viruses. Such viruses may exist as file infectors within an application. Upon execution of the infected application, the virus might spawn a Master Boot Record infection, which then infects other files when you restart the system.

13
Q

Rootkits

A
  • Type of malware that modifies or replaces one or more existing programs to hide the fact that a computer has been compromised
  • Modify parts of the operating system to conceal traces of their presence
  • Provide attackers with access to compromised computers and easy access to launching additional attacks
  • Difficult to detect and remove
14
Q

Ransomware

A
  • Attempts to generate funds directly from a computer user
  • Attacks a computer and limits the user’s ability to access the computer’s data
  • Encrypts important files or even the entire disk and makes them inaccessible
  • One of the first ransomware programs was Crypt0L0cker
15
Q

Spam

A

Consumes computing resources (bandwidth and CPU time)

Diverts IT personnel from activities more critical to network security

Is a potential carrier of malicious code

Compromises intermediate systems to facilitate remailing services

Opt-out (unsubscribe) features in spam messages can represent a new form of reconnaissance attack to acquire legitimate target addresses

16
Q

Worms

A

Designed to propagate from one host machine to another using the host’s own network communications protocols

Unlike viruses, do not require a host program to survive and replicate

The term “worm” stems from the fact that worms are programs with segments, working on different computers, all communicating over a network

17
Q

Trojan Horses

A

Largest class of malware

Any program that masquerades as a useful program while hiding its malicious intent

Relies on social engineering to spread and operate

Spreads through email messages, website downloads, social networking sites, and automated distribution agents (bots)

18
Q

Logic bombs

A

Programs that execute a malicious function of some kind when they detect certain conditions

Typically originate with organization insiders because people inside an organization generally have more detailed knowledge of the IT infrastructure than outsiders

19
Q

Malicious Add-Ons

A

Add-ons are companion programs that extend the web browser; can decrease security

Malicious add-ons are browser add-ons that contain some type of malware that, once installed, perform malicious actions

Only install browser add-ons from sources you trust

20
Q

Injection types (5)

A
Cross-site scripting (XSS)
SQL injection
LDAP injection 
XML injection
Command injection
21
Q

Injection definition

A

When malicious software provides deliberately invalid input to some other software

22
Q

Cross-site scripting (XSS):

A

This technique allows attackers to embed client-side scripts into webpages that users view. When a user views a webpage with a script, the web browser runs the attacking script. These scripts can be used to bypass access controls. XSS effects can pose substantial security risks, depending on how sensitive the data are on the vulnerable site.

23
Q

SQL injection

A

A code injection technique used to attack applications that depend on data stored in databases. SQL statements are inserted into an input field and are executed by the application. SQL injection attacks allow attackers to disclose and modify data, violate data integrity, or even destroy data and manipulate the database server.

24
Q

LDAP injection

A

LDAP injection exploits websites that construct LDAP statements based on user input. Web applications that don’t sanitize input enable attackers to alter the way that LDAP statements are constructed. LDAP statements that are modified by an attacker run with the same permissions as the component that executed the command.

25
Q

XML injection

A

XML injection is a technique to manipulate the logic of an XML application or service. Injecting XML content into an XML message can alter the logic of an application or even insert malicious content into an XML document.

26
Q

Command injection

A

The goal of this type of attack is to execute commands on a host operating system. A vulnerable application provides the ability for this attack to succeed. These attacks are possible only when an application accepts unvalidated user input and passes the input to a system shell.

27
Q

Botnets

A

Robotically controlled networks

Attackers infect vulnerable machines with agents that perform various functions at the command of the bot-herder or controller

Controllers communicate with other members of the botnet using Internet Relay Chat (IRC) channels

Attackers can use botnets to distribute malware and spam and to launch DoS attacks against organizations or even countries

28
Q

SYN Flood

A

Attacker uses IP spoofing to send a large number of packets requesting connections to the victim computer

29
Q

Smurf Attack

A

Attackers direct forged Internet Control Message Protocol (ICMP) echo request packets to IP broadcast addresses from remote locations to generate DoS attacks

30
Q

Spyware

A

Any unsolicited background process that installs itself on a user’s computer and collects information about the user’s browsing habits and website activities

31
Q

Adware

A

Triggers nuisances such as popup ads and banners when user visits certain websites

32
Q

Phishing

A

Tricks users into providing logon information on what appears to be a legitimate website but is actually a website set up by an attacker to obtain this information

33
Q

Spear-phishing

A

Attacker supplies information about victim that appears to come from a legitimate company

34
Q

Pharming

A

The use of social engineering to obtain access credentials such as usernames and passwords

35
Q

Keystroke Loggers

A

Capture keystrokes or user entries and forward the information to the attacker

Enable the attacker to capture logon information, banking information, and other sensitive data

36
Q

Guidelines for Recognizing Hoaxes

A

Did a legitimate entity (computer security expert, vendor, etc.) send the alert?

Is there a request to forward the alert to others?

Are there detailed explanations or technical terminology in the alert?

Does the alert follow the generic format of a chain letter?

37
Q

Homepage Hijacking

A

Exploiting a browser vulnerability to reset the homepage

Covertly installing a browser helper object (BHO) Trojan program

38
Q

Webpage Defacements

A

Someone gaining unauthorized access to a web server and altering the index page of a site on the server

The attacker replaces the original pages on the site with altered versions

39
Q

The purpose of an attack (4 reasons)

A

Denial of availability
Data modification
Data export
Launch point

40
Q

Types of attacks (4)

A

Unstructured attacks
Structured attacks
Direct attacks
Indirect attacks

41
Q

Structured attacks

A

Sophisticated hacking techniques to identify, penetrate, probe, and carry out malicious activities.

42
Q

Unstructured attacks

A

Moderately skilled attackers initially attack simply for personal gratification. Can lead to more malicious attacks.

43
Q

Direct attacks

A

Attacks against a specific target, such as a specific organization, through remote logon exploits.

44
Q

Indirect attacks

A

Result of preprogrammed hostile code exploits, such as Internet worms or viruses. The attacks are unleashed indiscriminately.