Chapter 3 - Malicious Code Flashcards
Malware
Malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.
Ransomware
Ransomware is malware that takes over a computer and then demands a ransom. Some Indicators of Compromise for Ransomware include:
- Encryption of files
- Data exfiltration behaviors (large file transfers)
- Notices to end users of the encryption with demands for ransom
- Command and control traffic and/or contact to known malicious IP addresses
Trojans
Trojan Horses are a type of malware that is typically disguised as legitimate software. They rely on unsuspecting individuals running them, thus providing attackers with a path into a system. Some Indicators of Compromise for Trojans include:
- Signatures for the specific malware applications or downloadable files
- Command and control system hostnames and IP addresses
- Folders or files created on target devices
Worms
Worms are malware that spread themselves. Worms can spread via email attachments, network file shares, vulnerable IoT devices, and more. Worms self-install, rather than requiring users to click on them. Some Indicators of Compromise for Worms include:
- Known malicious files.
- Downloads of additional components from remote systems.
- Command and control contact to remote systems.
- Malicious behaviors using system commands (cmd.exe, msiexec.exe) for injection and other activities.
Spyware
Spyware is malware that is designed to obtain information about an individual, organization, or system. Spyware is associated with identity theft and fraud, advertising and redirection of traffic, digital rights management (DRM) monitoring, and stalkerware (spyware specifically used to monitor partners in relationships). Some Indicators of Compromise for Spyware include:
- Remote-access and remote-control-related indicators.
- Known software file fingerprints.
- Malicious processes, often disguised as system processes.
- Injection attacks against browsers
To properly classify malware as Spyware, an understanding of the attacker's motivations is often necessary.
Bloatware
Bloatware describes unwanted preinstalled applications on a device. Bloatware can be programs the manufacturer provides or can be due to commercial relationships the manufacturer has with other vendors.
Viruses
Viruses are malicious programs that self-copy and self-replicate once they are activated. Viruses come in many varieties, including:
- Memory-resident viruses, which remain in memory while the device is running.
- Non-memory-resident viruses, which execute, spread, and then shut down.
- Boot sector viruses, which reside inside the boot sector of a drive or storage media.
- Macro viruses, which use macros or code inside word processing software or other tools to spread.
- Email viruses that spread via email either as email attachments or as part of the email itself using flaws inside email clients.
Keyloggers
Keyloggers are programs that capture keystrokes from a keyboard (although keylogger applications may also capture other input such as mouse movement, touchscreen input, or credit card swipes from attached devices). Some common IoCs for keyloggers include:
- File hashes and signatures
- Exfiltration activity to command and control systems
- Process names
- Known reference URLs
Logic Bombs
Logic Bombs are not independent malicious programs. Instead, they are functions or code placed inside other programs that will activate when set conditions are met. Discovering a Logic Bomb and mitigating the attacker's desired outcome often requires code analysis of the relevant application.
Rootkits
Rootkits are malware specifically designed to allow attackers to access a system through a backdoor. Some common IoCs for Rootkits include:
- Opening ports or creation of reverse proxy tunnels.
- Behavior-based identification like the creation of services, executables, configuration changes, file access, and command invocation.
- Command and control domains, IP addresses, and systems.