Chapter 4 - Malware Infection Flashcards

1
Q

What are the two vector methods by which malware can get onto your machine?

A

1- Threat Vector = A threat vector is the method used by an attacker to access a victim's machine (the path someone uses to gain access to a device).

Some examples of threat vectors are unpatched software, installation from a USB thumb drive, a phishing campaign where one of your users clicks on a link to install a program, and many other methods that are out there.

After we figure out what the threat vector is, the next piece is what we call the attack vector.

2- Attack Vector = The method used by an attacker to gain access to a victim's machine in order to infect it with malware (intentional threats that require planning and analysis).

An attack vector is the means by which the attacker is going to gain access to that computer in order to infect you with malware. Now I know these two terms sound very similar, but there is a key difference. A threat vector is how we get to the machine itself, but the attack vector includes both the way we got to the machine and how we're going to infect it. Let me provide an example to hopefully simplify this a little. Let's pretend that your house is a computer and I have a cupcake that represents malware. My job as the attacker is to get the cupcake from my house to your house and put it on your kitchen table. That's my goal as the attacker, and you are going to try to defend against it. The threat vector I use might be that I can drive right up to your house, because your house isn't inside a gated community and there are no security guards looking for me. This would be a threat vector: your unguarded neighborhood. Now, if I walk up to your door, start picking your lock, enter your house, and place the cupcake on your kitchen table, this represents the attack vector. It's all the things I did, from driving to your house, to picking your lock, to delivering that poisoned cupcake onto your kitchen table. That's the difference between the threat vector and the attack vector.

2
Q

What are the common delivery methods by which your computer can get infected with malware?

A

**The most common ones come from software, messaging, and media.**

Software and messaging are things like email programs, peer-to-peer networks like BitTorrent, FTP servers, and pretty much any other way that we communicate from one computer to another.

3
Q

What are watering holes?

A

A watering hole is a place on a website that you know your potential victims will access.

EX= An attacker can figure out which website you go to every day. If they can attack that company and embed viruses or malware into its website, then when you go to the website to do regular work, like pulling your invoices, you can also be pulling down that virus.

4
Q

There are lots of things that can create watering holes for us. There's an automated toolkit called an ______ that makes this really easy to do as an attacker.

A

exploit kit

5
Q

Say an attacker tries to spoof you. The real website is DionTraining.com. Now, if you look at the one on the bottom, it says DionTrainings.com. What is that called?

A

Typosquatting

They might clone it to look like my site, place malware there, and then use that as a watering hole to try to go after all of my students.

6
Q

What is a botnet?

A

A collection of compromised computers under the control of a master node.

If your computer becomes part of this network and becomes a zombie, it doesn't even know it's doing a lot of these things, and you might not know it's doing them either. Instead, you just see your machine slowing down.

7
Q

What kind of things can a zombie do?

A

(1) They might be used as a pivot point, so that when the attackers get a new victim, or are attacking a server, they can access it through your computer and it looks like you're doing the attack instead of the master node.
(2) They'll jump from their command and control node into one of the zombies, and from the zombie over to the victim. They might also use those zombies to host files that are illegal, like child –, so they don't get caught with them, and all sorts of things like that.
(3) They may use them to spam other people and send out phishing campaigns and other malware, or, most commonly, they can use the botnet to conduct a DDoS, a distributed denial-of-service attack.

8
Q

What is a DDoS?

A

A distributed denial-of-service attack occurs when many machines target a single victim and attack it at the exact same time.

9
Q

What is the most common use of botnets?

A

DDoS and money (cryptomining or bitcoin mining)

10
Q

What is active interception?

A

Occurs when a computer is placed between your sending computer and your receiving computer. Because of that position, it's able to capture or modify the traffic going between the two computers.

Ex= We think we're connected to Pete's Coffee or Starbucks, or whatever your favorite coffee shop is. But in actuality we're not connected to the coffee shop's Wi-Fi. Instead, we're connecting to an attacker who's sitting in the back of the room with their laptop. This attacker has set up their laptop to put out a signal stronger than the coffee shop's signal, so our machines connect to them. Now, whenever we try to go to the internet, we're actually going from our laptops to the hacker's laptop, and from the hacker's laptop out to the internet. To us it still looks like we're connected; we can go online and everything seems fine. But because of the placement of the attacker's laptop between us and our final destination, they can capture anything we're doing. They can see the emails we're sending. They may be able to capture usernames and passwords. They may also be able to modify what's coming back to us and embed malware into the files we requested. That's what active interception is.

11
Q

What is privilege escalation?

A

Occurs when you're able to exploit a design flaw or a bug in a system to gain access to resources that a normal user isn't able to access.

Ex= Using IP to get administrative access.

12
Q

How do you prevent privilege escalation?

A

To prevent this, we want to make sure that we patch and update our machines.

13
Q

What acts just like a backdoor to maintain persistent access?

A

A RAT (remote access Trojan), used to maintain persistent access.

14
Q

Backdoors are used to ________.

A

bypass normal security and authentication functions.

15
Q

What is an Easter egg?

A

An Easter egg was an insecure coding practice.

It is non-malicious code that, when invoked, displays an insider joke, hidden message, or secret feature.

EX= Googling "barrel roll" would make the Google page spin. (This leads into the next topic, logic bombs.)

16
Q

What are logic bombs?

A

Logic bombs are malicious code inserted into a program that executes only when certain conditions have been met (set up so that at a certain time, or on a certain action, the payload will run).

For EX= A disgruntled employee may insert a logic bomb into the server's code so that if that employee is no longer on the payroll, a bad action, like deleting all the files, occurs.

17
Q

Logic bombs, Easter eggs, and backdoors are all things that should not be found inside our code. Why?

A

They all go against our secure coding standards.

18
Q

What are the symptoms that your computer has been infected?

A

The most common thing is to notice that it starts acting strangely:

(1) Slows down
(2) Unusual error messages
(3) Restarts or crashes a lot
(4) Hard drives, files, or applications are no longer accessible
(5) Strange noises
(6) Display looks strange
(7) Double file extensions, ex= textfile.txt.exe
(8) Not able to run antivirus
(9) Corrupted files/folders
(10) System Restore will not function

19
Q

If your computer is acting funny or strange, what do you do?

A

You may be infected with malware, so it's best to boot into safe mode or boot from an external drive and then scan your computer with good antivirus software.

20
Q

Removing Malware

A

o Identify symptoms of a malware infection

o Quarantine the infected systems

o Disable System Restore (if using a Windows machine)

o Remediate the infected system

o Schedule automatic updates and scans

o Enable System Restore and create a new restore point

o Provide end user security awareness training

o If a boot sector virus is suspected, reboot the computer from an external device and scan it

21
Q

Preventing Malware

A

o Worms, Trojans, and ransomware are best detected with anti-malware solutions

o Scanners can detect a file containing a rootkit before it is installed…

o …removal of a rootkit is difficult and the best plan is to reimage the machine

o Verify your email servers aren't configured as open mail relays or SMTP open relays

o Remove email addresses from your website

o Use whitelists and blacklists

o Train and educate end users
▪ Update your anti-malware software automatically and scan your computer
▪ Update and patch the operating system and applications regularly
▪ Educate and train end users on safe Internet surfing practices

22
Q

How to prevent viruses?

A

Viruses are most commonly detected using good antivirus software. This can be either a third-party solution like Norton or McAfee, or the Windows Defender included with your operating system. In addition to antivirus software, you'll also want to make sure that you're continually applying the service packs and updates for your operating system. Most viruses are going to infect you by taking advantage of some known exploit.

23
Q

How to prevent worms, Trojans, and ransomware?

A

Much like viruses, these are best detected using anti-malware solutions. Now, ransomware is usually detected not in its full ransomware form, but instead through its delivery mechanism, which is most commonly a Trojan horse. Remember, it's always important to ensure that your anti-malware solution is current and up to date, both for its definitions and for its scanning engine.

24
Q

How to prevent spyware?

A

You need a good anti-spyware product. There are third-party ones available, but again, Windows Defender has this capability built in. Just like anti-malware solutions, you need to ensure that your definitions are up to date so it can scan for and detect most types of spyware out there.

25
Q

How do you know if you have been infected by spyware?

A

(1) If you're getting a lot of advertisements based on browsing you've done in the past, someone is looking at your information somehow. That could be through spyware, it could be through cookies, or it could be through database retention settings.
(2) When you go to your browser's home page and it's no longer your home page.

26
Q

How to prevent spam?

A

You can use all sorts of things like spam filters and Outlook security settings to minimize spam. You also need to verify that your email servers aren't configured as an open mail relay or as an SMTP open relay.

27
Q

How to prevent spam from getting into your organization?

A

(1) You need to remove email addresses from your website, because there are bots out there crawling the Internet, gathering up email addresses just to send spam to them.
(2) You want to make sure that you're using whitelists and blacklists. These say who can send you information (if they're on the whitelist) and who cannot send you information (if they're on the blacklist).
(3) You want to train and educate your users, because, as we talked about before, our users are one of our biggest vulnerabilities. So always training and educating them on where to submit their email addresses, which types of websites they should be visiting, and other things can help prevent spam from overtaking your organization.