Chapter 21: Malicious Code and Application Attacks Flashcards
Main difference between virus and worm?
Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible. However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate. Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.
Stuxnet
Stuxnet uses the following techniques:
- Searching for unprotected administrative shares of systems on the local network.
- Exploiting zero-day vulnerabilities in the Windows server system and Windows print spooler services.
- Connecting to a system using a default database password.
- Spreading via shared infected USB drives.
Stuxnet marks two major evolutions in the world of malicious code: the use of a worm to cause major physical damage to a facility, and the use of malicious code in warfare between nations.
Polymorphic Virus
Polymorphic viruses actually modify their own code as they travel from system to system. The virus’s propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system. It is the hope of polymorphic virus creators that this constantly changing signature will render signature-based antivirus packages useless. However, antivirus vendors have “cracked the code” of many polymorphism techniques, so current versions of antivirus software are able to detect known polymorphic viruses. Still, it tends to take vendors longer to generate the necessary signature files to stop a polymorphic virus in its tracks, which means the virus can run free on the Internet for a longer time.
What is a malware threat associated with virtualization?
The correct answer is: VM Escape
When you host multiple logical servers on a physical host, you run the risk of some disadvantages, one of which is malware escaping one virtual machine to infect another VM on the same host.
VM Escape is when malware leaps from VM to VM, which can be a nightmare for a busy server with multiple VMs on it.
Securing virtual servers requires the same defense-in-depth strategy common to non-virtualized systems. Be sure to treat threats to servers the same whether they are virtual or physical.
Rootkits
Rootkits are kernel-level malicious programs that can hide themselves and cover up their own activities from antivirus software or investigators, and that allow attackers to maintain access to the systems.
Rootkits can replace operating system components, act as services, cover event logs and otherwise provide an entry point for the attacker at a later date, basically anything a user or administrator can do to the system with root/admin privileges.
What is the difference between Metamorphic and Polymorphic malware?
Metamorphic malware is rewritten with each iteration so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus software programs to recognize that different iterations are the same malicious program.
In spite of the permanent changes to code, each iteration of metamorphic malware functions the same way. The longer the malware stays in a computer, the more iterations it produces and the more sophisticated the iterations are, making it increasingly hard for antivirus applications to detect, quarantine and disinfect.
Polymorphic malware also makes changes to code to avoid detection. It has two parts, but one part remains the same with each iteration, which makes the malware a little easier to identify.
Core cause of XSS
XSS (also called CSS) attacks occur because the web server is compromised or deliberately malicious and is hosting malicious scripts. When the user’s browser executes the scripts, the malicious script can use existing cookies, session tokens, or other sensitive information stored by the browser.
XSS attacks occur because of unchecked or unvalidated user input into web forms in the form of malicious JavaScript, VBScript, ActiveX, Flash or HTML that is executed on the user’s computer.
Packers
Packers provide runtime compression of executables. The original exe is compressed, and a small executable decompressor is prepended to the exe. Upon execution, the decompressor unpacks the compressed executable machine code and runs it.
Packers are a neutral technology used to shrink the size of executables. Many types of malware use packers, which can be used to evade signature-based malware detection. A common packer is UPX (Ultimate Packer for eXecutables), available at http://upx.sourceforge.net/.
Covert Timing Attack
Covert timing attacks manipulate system resources to access information obtained by another process.
Key: modify system resources