Chapter 21 Flashcards
Virus
2 main functions:
- Propagation
- Payload execution
Virus propagation techniques
- MBR virus - infects the master boot record; can compromise it so it points to an infected boot sector
- File infector - infects executable files
- Companion virus - has the same name as a real OS executable but a different file extension
- Macro viruses - such as Visual Basic for Applications (VBA) macros
- Service injection virus - injects into trusted OS processes, e.g. svchost.exe
Virus technologies
- Multipartite virus - uses several propagation methods, e.g. file infector + MBR
- Stealth virus - hides by tampering with the OS
- Polymorphic virus - modifies itself as it propagates so that copies have different signatures
- Encrypted virus - similar to polymorphic; the key changes as it propagates so the signature is different
Logic Bomb
Dormant until triggered by event
Trojan horse
- Fake antivirus sw
- Remote access Trojans (RATs); opens backdoor such as SSH
- Cryptomalware - steals computing power for cryptocurrency mining
Worms
Self-propagate without human intervention
Well known examples:
1. Code Red
- Probed hosts with IIS vulnerability
- Defaced local webpage
- Installed logic bomb that initiated DoS on White House website
2. RTM Internet Worm - exploited vulnerabilities in UNIX
- Sendmail debug mode
- Password attack
- Finger buffer-overflow vulnerability
- Trust relationships used to infect other systems
Stuxnet - created by Israel/US to target Iran nuclear facilities and destroy centrifuges attached to Siemens controllers
Spyware and Adware
Potentially Unwanted Programs (PUP)
Ransomware
Malware that weaponizes cryptography; encrypts the victim’s data and demands a ransom for the decryption key
Window of vulnerability
Time between discovery of a vulnerability and availability of a patch
Antimalware software
- Signature based
- Heuristic mechanisms to detect abnormal behavior
Action options:
1. Disinfect
2. Quarantine
3. Delete to preserve system integrity
Integrity monitoring of important OS files
Such as changes to command.com
Compare current files with stored file hashes
User and Entity Behavior Analytics (UEBA) systems
Analyze user activity/behavior
As opposed to EDR, which is focused on endpoints
EDR (endpoint detect and response) systems
- Analyze endpoint memory, file, and network activity
- Automatically isolate endpoints showing malicious activity
- Integrate with threat intelligence sources
- Integrate with other incident response systems
Application Attacks
- Buffer overflow
- Time of Check to Time of Use (TOC/TOU) - also known as state attacks; a form of race condition
- Backdoors - left behind by developers
- Privilege escalation and rootkits - escalate from standard to root level after initial access
Injection Vulnerabilities
- SQL injection - content-based blind SQL injection; timing-based blind SQL injection
- LDAP injection
- XML injection
- Command injection
- HTML injection
- Code injection
- File injection
Authorization Vulnerabilities
Exploit access beyond what is authorized
- Insecure direct object reference - e.g. changing the ID number in the URL to access other files/pages
- Directory traversal
- File inclusion - takes advantage of an “include” parameter in the URL; the included file can be local or remote
Cross-site Scripting (XSS)
- a form of HTML (code) injection
Reflected XSS - input reflected back by the server; typically embedded in a phishing link
Stored/Persistent XSS - stored on the server side, such as an XSS payload in a forum post
DOM XSS - client side, using the browser’s DOM (document object model)
Mitigation:
- input validation
- output encoding; transforms special characters into their encoded representation
Request Forgery
- executes commands against a remote server/site
Cross-site Request Forgery (XSRF or CSRF) - exploits the remote site’s trust in the user to execute commands
Server-side Request Forgery (SSRF) - tricks the server into requesting a URL
Application security controls
- Input validation - input whitelisting/blacklisting
- Web application firewall (WAF) - works at layer 7
DB security
- Stored procedures, parameterized queries
- Data obfuscation and camouflage:
  - Data minimization
  - Tokenization
  - Hashing (encryption)
Secure coding practices
- Avoid comments in publicly viewable code
- Error handling
- Avoid hardcoded credentials
- Do not create backdoors