Chapter 3 Malicious Code Flashcards
What is the difference between a worm and a Virus?
Viruses require help from the host, worms act independently.
Worms do not rely on the user to trigger them whereas viruses lie dormant until you execute them. Because of this, worms are more dangerous.
What are ransomware IoCs?
Indicators of Compromise include ransom notes, ransomware file extensions, changes to file names or locations, unauthorized or undetected extraction of data.
What is Ransomware?
Malware that takes over your computer then demands a ransom.
Best defense against ransomware?
effective backup system
What is Crypto Ransomware?
malware that encrypts files and then holds them hostage until ransom is paid.
Defense - remote backup system
What is a Trojan?
Type of malware disguised as a legitimate program.
Classic use of a trojan is with rootkits, which are then used to create a backdoor. Trojans are non-replicating, but can self repair.
Spam emails are the most common cause
RAT (Remote Access Trojan)
A trojan that provides attackers with remote access to systems.
Remote access typically refers to a backdoor. RAT is usually a trojan with a backdoor as its payload.
Remote… Access… Trojan… because how the fuck else are you supposed to access a trojan?
*Beware of spam emails, trojans REQUIRE user interaction to launch!
Worm
malware that spread themselves, they self-install and spread through any means possible.
update regularly, stick to approved apps, use ad-blocker
Rootkit
Malware specifically designed to allow attackers system access through a backdoor.
The best way to detect a rootkit is to test the suspected system from a trusted system. Rootkits have typical behaviors and signatures.
Search chkrootkit and rkhunter.
Backdoor
methods or tools that bypass authentication and system security to allow attackers in through a concealed access method.
Backdoor
methods or tools that bypass authentication and system security to allow attackers in through a concealed access method.
Check for unexpected open ports.
Bots
Bots are remotely controlled systems or devices that have a malware infection.
Botnet
A group of bots that have a command and control center using client-server mode. Modern bots use HTTPS to hide traffic/activity.
Fast Flux DNS Botnet
Botnet that uses many IP addresses to answer queries for one or more DNS names. The “fast flux” component refers to the systems in the network of the control (bots) registering and de-registering of addresses every so often.
Can be defeated by forcing DNS requests to organizationally controlled DNS servers rather than allowing outbound DNS requests.
Taking down the domain name is the best way to defeat fast flux DNS based botnet.
Keylogger
Programs that capture keyboard input, as well as mouse movement touch screens or peripherals.
Use best security practices and MFA
