Chapter 3 Malicious Code Flashcards
What is the difference between a worm and a Virus?
Viruses require help from the host, worms act independently.
Worms do not rely on the user to trigger them whereas viruses lie dormant until you execute them. Because of this, worms are more dangerous.
What are ransomware IoCs?
Indicators of Compromise include ransom notes, ransomware file extensions, changes to file names or locations, unauthorized or undetected extraction of data.
What is Ransomware?
Malware that takes over your computer then demands a ransom.
Best defense against ransomware?
An effective backup system.
What is Crypto Ransomware?
Malware that encrypts files and then holds them hostage until the ransom is paid.
Defense: a remote backup system.
What is a Trojan?
Type of malware disguised as a legitimate program.
A classic use of a trojan is with rootkits, which are then used to create a backdoor. Trojans are non-replicating, but can self-repair.
Spam emails are the most common cause of infection.
RAT (Remote Access Trojan)
A trojan that provides attackers with remote access to systems.
Remote access typically refers to a backdoor. RAT is usually a trojan with a backdoor as its payload.
Remote… Access… Trojan… because how the fuck else are you supposed to access a trojan?
*Beware of spam emails, trojans REQUIRE user interaction to launch!
Worm
Malware that spreads itself; worms self-install and spread through any means possible.
Update regularly, stick to approved apps, and use an ad-blocker.
Rootkit
Malware specifically designed to allow attackers system access through a backdoor.
The best way to detect a rootkit is to test the suspected system from a trusted system. Rootkits have typical behaviors and signatures.
See chkrootkit and rkhunter.
Backdoor
Methods or tools that bypass authentication and system security to allow attackers in through a concealed access method.
Check for unexpected open ports.
Bots
Bots are remotely controlled systems or devices that have a malware infection.
Botnet
A group of bots that have a command and control center using client-server mode. Modern bots use HTTPS to hide traffic/activity.
Fast Flux DNS Botnet
Botnet that uses many IP addresses to answer queries for one or more DNS names. The "fast flux" component refers to the systems in the control network (bots) registering and de-registering addresses every so often.
Can be defeated by forcing DNS requests to organizationally controlled DNS servers rather than allowing outbound DNS requests.
Taking down the domain name is the best way to defeat fast flux DNS based botnet.
Keylogger
Programs that capture keyboard input, as well as mouse movement, touch screens, or peripherals.
Use security best practices and MFA.
Logic Bombs
Function or code inside a program that activates when set conditions are met. NOT independent malicious programs.
Virus
Malicious programs that self-copy and self-replicate; viruses typically have a trigger and a payload.
Fileless viruses reside in memory; traditional viruses reside on disk.
Spyware
Malware that spies on users, providing information to advertisers.
Defended against by using antimalware tools.
PUP
Potentially Unwanted Programs are unwanted programs or software that are not necessarily malicious; they might just be a nuisance.
Use security best practices.
Malicious Code
Malicious scripts and custom-built code leverage built-in tools like Windows PowerShell and VBA, or Bash and Python on Linux, or macros like those built into MS Office.
What is the built-in Windows Scripting Language?
PowerShell
What is Visual Basic (VBA)?
Visual Basic programming language for Windows
Malicious code might use PowerShell or VBA on Windows; what might malicious code run in on a Linux-based machine?
Bash, Perl, Python, etc.
What are Macros?
MS Office specific command automation, can be used for running malicious scripts. Macros are disabled by default.
Macros can be run in VBA.
How can you defend against malicious code written in PowerShell?
Use Constrained Language Mode and turn on logging.
Are Python, Perl, and Bash interpreted or compiled?
Interpreted scripting languages.
How can one defend against malicious code written in Bash on a Linux machine?
Use a Restricted Shell.