Chapter 6 Flashcards
malicious software
Advanced persistent threat
cybercrime directed at business + political targets using a wide variety of intrusion technologies + malware, applied persistently + effectively to a specific target over an extended period, often state-sponsored
Malware
program inserted into a system covertly with intent to compromise the confidentiality, integrity or availability of the victim’s data, applications or OS, or otherwise annoy/disrupt the victim
Adware
advertising integrated into software - results in pop-up ads/redirection of browser to a commercial site
attack kit
set of tools for generating new malware automatically using variety of supplied propagation + payload mechanisms
- Zeus
auto-rooter
malicious hacker tool used to break into new machines remotely
backdoor/trapdoor
mechanism bypassing normal security checks - allows unauthorized access to functionality in a program / compromised system
downloaders
code that installs other items on the machine under attack - normally included in the malware code first inserted on a compromised system, to then import a larger malware package
drive-by-download
attack using code in a compromised web site - exploits a browser vulnerability to attack the client system when the site is viewed
exploits
code specific to a single vulnerability / set of vulnerabilities
flooders
used to generate a large volume of data to attack networked computer systems by carrying out some form of DoS attack
keylogger
logs keystrokes on a compromised system - typically includes a filter that only returns info close to keywords
logic bomb
code inserted that lies dormant until a predefined condition is met - then triggers an unauthorized act
macro virus
type of virus that uses macro/scripting code embedded in a document + triggered when the document is viewed/edited, to run + replicate itself into other documents
mobile code
software that can be shipped unchanged to a heterogeneous collection of platforms + execute with identical semantics
rootkit
set of hacker tools used after an attacker has broken into a computer system + gained root-level access
spammer program
used to send large volumes of unwanted emails
spyware
software that collects info from a computer + transmits it to another system by monitoring keystrokes, screen data + network traffic, or scanning files on the system for sensitive data
trojan horse
computer program that appears to have a useful function but also has a hidden + potentially malicious function that evades security measures - exploits the legitimate authorization of the system entity that invokes the trojan horse program
virus
malware that, when executed, tries to replicate itself into other executable machine/script code; when it succeeds, that code is infected. When the infected code is executed, the virus is also executed
worm
computer program that can run independently + can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system
zombie/bot
program on an infected machine that is activated to launch attacks on other machines
classification of malware
- how it spreads to reach target
- actions/payloads
- parasitic code
- independent
- does not replicate
- does replicate
propagation mechanisms
- infection of existing content by viruses that spread to other systems
- exploit of software vulnerabilities to allow malware to replicate
- social engineering attacks
payload actions
- corrupt system files
- theft of service
- theft of info
- hiding presence on system
Attack sources
- politically motivated attackers
- criminals
- organized crime
- organizations that sell services to companies + nations
- national government agencies
virus components
- infection mechanism
- trigger
- payload
virus phases
- dormant - idle
- triggering - virus activated to perform the function for which it was intended
- propagation - places a copy of itself in other programs - polymorphism
- execution - function performed
threats of macro virus
- platform independent
- infect documents rather than executable code
- easily spread
- infect user documents - traditional file system controls are of limited use in preventing spread
- easier to write/modify
virus classification
- target - boot sector (spreads when booting), file infector (files considered executable), macro virus, multipartite virus (infects in multiple ways)
- concealment strategy - encrypted virus, stealth virus (hides from anti-virus), polymorphic virus (mutates with each infection), metamorphic virus (mutates + rewrites itself at each iteration - changes behaviour + appearance)
worm replication
- email/instant messenger - copy of worm sent
- file sharing - creates a copy of itself on removable media
- remote execution capability - worm executes itself on another system
- remote file access - worm uses remote file access to copy itself from one system to another
- remote login - worm logs onto a remote system + uses commands to copy itself
target discovery
- scanning - 1st function in propagation for a worm - search for other systems
- random - compromised host probes random addresses in the IP address space using a seed - produces a high volume of internet traffic
- hit list - attacker has a long list of potentially vulnerable machines - each infected machine is provided with a portion of the list to scan - very short scanning period
- topological - uses info on the infected machine to find more hosts to scan
- local subnet - if a host behind a firewall can be infected - it looks for targets in its own local network
Morris worm
- Unix systems
- attempted to crack the password file to use logins to log onto other systems
- exploited a bug in the program that reports the location of a remote user
- exploited a trapdoor in the debug option of the remote process that receives + sends mail
- if successful - communicates with the OS command interpreter - sends a bootstrap program to copy the worm over
watering-hole attack
attacker researches intended victims - identifies websites they are likely to visit, scans those websites to identify ones with vulnerabilities + waits for the intended victim
malvertising
places malware on a website without actually compromising the website itself
clickjacking
UI redress attack
uses transparent layers to trick the user into clicking on a button/link on another page when they intended to click on the top-level page
social engineering
- spam - used for phishing
- trojan horse - program containing hidden harmful code
- mobile phone trojans
payload: system corruption
damage to physical equipment
remote control facility
bot controlled from a central facility (differs from a worm)
IRC server (internet relay chat)
- bots join a specific channel + treat incoming messages as commands
- use peer-to-peer protocols - avoid single point of failure
phishing
- social engineering to leverage the user’s trust by masquerading as a communication from a trusted source - URL to website, urgent action
spear phishing
recipients carefully researched - email crafted to suit the recipient
rootkit
hidden programs installed on a system to maintain covert access to the system - subverts the mechanisms that monitor + report on processes, files + registries on the computer
- gives administrator privileges to the attacker - can change programs
rootkit characteristics
- persistent
- memory based
- user mode
- kernel mode
- virtual machine based
- external mode (BIOS)
malware countermeasure
- prevention - policy, awareness, vulnerability mitigation, threat mitigation
- detection
- identification
- removal
generations of anti-virus
- simple scanner - requires a malware signature to identify malware
- heuristic scanner - uses heuristic rules to identify probable malware - integrity checking
- activity traps - identify malware by its actions
- full-featured - variety of techniques used in conjunction