Chapter 6 Flashcards

malicious software

1
Q

Advanced persistent threat

A

cybercrime directed at business and political targets, using a wide variety of intrusion technologies and malware, applied persistently and effectively to a specific target over an extended period - often state-sponsored

2
Q

Malware

A

program inserted into a system covertly, with the intent to compromise the confidentiality, integrity or availability of the victim's data, applications or OS, or otherwise to annoy or disrupt the victim

3
Q

Adware

A

advertising integrated into software - results in pop-up ads or redirection of the browser to a commercial site

4
Q

attack kit

A

set of tools (crimeware kit) for generating new malware automatically, using a variety of supplied propagation and payload mechanisms - lets attackers with little skill produce many variants
- e.g. Zeus

5
Q

auto-rooter

A

malicious hacker tool used to break into new machines remotely

6
Q

backdoor/trapdoor

A

mechanism that bypasses a normal security check - allows unauthorized access to functionality in a program, or to a compromised system

7
Q

downloaders

A

code that installs other items on the machine under attack - normally included in the small piece of malware first inserted on a compromised system, which then downloads and installs the larger malware package

8
Q

drive-by-download

A

attack using code on a compromised web site - exploits a browser vulnerability to attack the client system when the site is viewed, with no action by the user beyond visiting the page

9
Q

exploits

A

code specific to a single vulnerability or a set of vulnerabilities

10
Q

flooders

A

used to generate a large volume of data to attack networked computer systems by carrying out some form of DoS (denial of service) attack

11
Q

keylogger

A

logs keystrokes on a compromised system - typically includes a filter so that only information near keywords of interest (e.g. login, password) is returned to the attacker

12
Q

logic bomb

A

code inserted into a program that lies dormant until a predefined condition is met (e.g. a date, the presence or absence of a file, a particular user logging in) - the code then triggers an unauthorized act

13
Q

macro virus

A

type of virus that uses macro or scripting code, typically embedded in a document and triggered when the document is viewed or edited, to run and replicate itself into other documents

14
Q

mobile code

A

software that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics (e.g. Java applets, JavaScript, ActiveX) - often used as a mechanism to transmit malware to a client

15
Q

rootkit

A

set of hacker tools used after an attacker has broken into a computer system and gained root-level access - used to hide the intrusion and keep access

16
Q

spammer program

A

used to send large volumes of unwanted e-mail

17
Q

spyware

A

software that collects information from a computer and transmits it to another system - by monitoring keystrokes, screen data and network traffic, or by scanning files on the system for sensitive data

18
Q

trojan horse

A

computer program that appears to have a useful function but also has a hidden and potentially malicious function that evades security mechanisms - exploits the legitimate authorization of the system entity that invokes the trojan horse program

19
Q

virus

A

malware that, when executed, tries to replicate itself into other executable machine or script code - when it succeeds, that code is said to be infected; when the infected code is executed, the virus is also executed

20
Q

worm

A

computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system

21
Q

zombie/bot

A

program installed on an infected machine that is activated to launch attacks on other machines - many such bots under central control form a botnet

22
Q

classification of malware

A
  1. by how it spreads or propagates to reach its desired target
  2. by the actions or payloads it performs once the target is reached
  3. parasitic code (needs a host program, e.g. virus) vs. independent, self-contained program (e.g. worm, trojan, bot)
  4. does not replicate (e.g. trojan, spam e-mail) vs. does replicate (e.g. virus, worm)
23
Q

propagation mechanisms

A
  1. infection of existing executable or interpreted content by a virus, which then spreads to other systems
  2. exploit of software vulnerabilities (locally or over the network) by a worm or drive-by-download to allow the malware to replicate
  3. social engineering attacks that convince users to bypass security mechanisms to install trojans or respond to phishing attacks
24
Q

payload actions

A
  1. corruption of system or data files
  2. theft of service - make the system a zombie/bot agent in a botnet
  3. theft of information (keylogger, spyware, phishing)
  4. stealthing - hiding its presence on the system (rootkit)
25
Q

Attack sources

A
  1. politically motivated attackers
  2. criminals
  3. organized crime
  4. organizations that sell services to companies + nations
  5. national government agencies
26
Q

virus components

A
  1. infection mechanism (infection vector) - the means by which the virus spreads or propagates
  2. trigger - the event or condition that determines when the payload is activated (a logic bomb)
  3. payload - what the virus does besides spreading - may involve damage, or benign but noticeable activity
27
Q

virus phases

A
  1. dormant phase - virus is idle, waiting to be activated by some event (date, presence of another program or file) - not all viruses have this stage
  2. propagation phase - virus places a copy of itself into other programs or system areas on the disk - the copy may not be identical to the original (polymorphism)
  3. triggering phase - virus is activated to perform the function for which it was intended - caused by a variety of events, e.g. a count of copies made
  4. execution phase - the function (payload) is performed
28
Q

threats of macro virus

A
  1. platform independent - infects documents, not a particular OS or hardware
  2. infects documents, not the executable portion of code - most of the information on a system is in documents, not programs
  3. easily spread - documents are exchanged routinely (e.g. by e-mail)
  4. infects user documents - traditional file system access controls are of limited use in preventing spread
  5. easier to write or modify than traditional executable viruses
29
Q

virus classification

A
  1. by target - boot sector infector (spreads when the system boots from an infected disk), file infector (infects files the OS or shell considers executable), macro virus (infects files with macro or scripting code interpreted by an application), multipartite virus (infects files in multiple ways)
  2. by concealment strategy - encrypted virus (body encrypted with a random key on each copy, so only the small decryptor is constant), stealth virus (designed to hide from anti-virus detection, e.g. by intercepting I/O), polymorphic virus (mutates with every infection so signature detection fails), metamorphic virus (mutates and completely rewrites itself at each iteration - changes behaviour as well as appearance)
30
Q

worm replication

A
  1. electronic mail or instant messenger - worm e-mails a copy of itself to other systems, or sends itself as an attachment via an IM service
  2. file sharing - worm creates a copy of itself, or infects a file as a virus, on removable media (e.g. a USB drive) or on a file share
  3. remote execution capability - worm executes a copy of itself on another system, using an explicit remote execution facility or by exploiting a vulnerability in a network service
  4. remote file access or transfer capability - worm uses a remote file access service to copy itself from one system to the other
  5. remote login capability - worm logs in to a remote system as a user and then uses commands to copy itself from one system to the other
31
Q

target discovery

A
  1. scanning (fingerprinting) - 1st function in the propagation phase of a worm - search for other systems to infect
  2. random - each compromised host probes random addresses in the IP address space, using a different seed - produces a high volume of Internet traffic, which may disrupt the network before the attack is noticed
  3. hit list - attacker first compiles a long list of potentially vulnerable machines - each infected machine is given a portion of the list to scan - very short scanning period
  4. topological - uses information found on the infected victim machine (e.g. address book, known hosts) to find more hosts to scan
  5. local subnet - if a host can be infected behind a firewall, that host then looks for targets in its own local network, which the firewall does not protect
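The four target-discovery strategies above, as an added simulation that is not part of the original flashcards: a toy /16 address space with a handful of (made-up) vulnerable hosts, and one function per strategy that returns which vulnerable hosts it found and how many probes that cost. The addresses, the hit list, the contact graph and the function names are all constructed for this example; the point is to see why random scanning is noisy, why a hit list finishes in a very short scanning period, and why local-subnet scanning matters once a host behind a firewall is infected.

```python
import random
from ipaddress import IPv4Address, IPv4Network

# Constructed toy address space: one /16 in which four hosts run the vulnerable
# service the worm targets (made-up addresses, not a real network).
SPACE = IPv4Network("10.0.0.0/16")
VULNERABLE = {IPv4Address(a) for a in ("10.0.1.7", "10.0.1.200", "10.0.42.9", "10.0.200.3")}


def random_scan(vulnerable, space, seed, max_probes):
    """Random scanning: the infected host probes addresses drawn at random from the
    whole address space (each host uses its own seed). Most probes miss, so every
    infection generates a lot of traffic for each new victim it finds."""
    rng = random.Random(seed)
    found, probes = set(), 0
    while probes < max_probes and found != vulnerable:
        addr = space.network_address + rng.randrange(space.num_addresses)
        probes += 1
        if addr in vulnerable:
            found.add(addr)
    return found, probes


def hit_list_scan(vulnerable, hit_list, shard, n_shards):
    """Hit-list scanning: the attacker pre-compiles a list of probably-vulnerable
    machines; each newly infected machine receives one portion of the list, so
    the whole list is covered after a very short scanning period."""
    portion = hit_list[shard::n_shards]
    found = {addr for addr in portion if addr in vulnerable}
    return found, len(portion)


def topological_scan(vulnerable, contacts, start):
    """Topological scanning: the worm uses information found on the victim (here a
    constructed per-host 'known hosts' list) to choose its next targets, so the
    spread follows the contact graph rather than the address space."""
    infected, queue, probes = {start}, [start], 0
    while queue:
        host = queue.pop(0)
        for peer in contacts.get(host, []):
            probes += 1
            if peer in vulnerable and peer not in infected:
                infected.add(peer)
                queue.append(peer)
    return infected - {start}, probes


def local_subnet_scan(vulnerable, infected_host, prefixlen=24):
    """Local-subnet scanning: once a host behind a firewall is infected, the worm
    enumerates that host's own subnet, which the firewall does not protect."""
    net = IPv4Network((infected_host, prefixlen), strict=False)
    found, probes = set(), 0
    for addr in net.hosts():
        probes += 1
        if addr in vulnerable:
            found.add(addr)
    return found, probes


def as_strs(addresses):
    """Helper for readable output and checks: a set of dotted-quad strings."""
    return {str(a) for a in addresses}


# Constructed hit list (the four vulnerable hosts plus two decoys the attacker
# guessed wrong) and a constructed contact graph for the topological strategy.
HIT_LIST = [IPv4Address(a) for a in
            ("10.0.1.7", "10.0.3.3", "10.0.1.200", "10.0.42.9", "10.0.77.7", "10.0.200.3")]
CONTACTS = {
    IPv4Address("10.0.1.7"): [IPv4Address("10.0.42.9"), IPv4Address("10.0.5.5")],
    IPv4Address("10.0.42.9"): [IPv4Address("10.0.200.3"), IPv4Address("10.0.1.7")],
    IPv4Address("10.0.200.3"): [IPv4Address("10.0.9.9")],
}

if __name__ == "__main__":
    runs = {
        "random (one host, 5000 probes)": random_scan(VULNERABLE, SPACE, seed=1, max_probes=5000),
        "hit list (shard 0 of 2)": hit_list_scan(VULNERABLE, HIT_LIST, 0, 2),
        "topological (from 10.0.1.7)": topological_scan(VULNERABLE, CONTACTS, IPv4Address("10.0.1.7")),
        "local subnet (from 10.0.1.1)": local_subnet_scan(VULNERABLE, IPv4Address("10.0.1.1")),
    }
    for name, (found, probes) in runs.items():
        print(f"{name}: found {sorted(as_strs(found))} in {probes} probes")
```

Running it shows the contrast the card describes: the two hit-list shards together cover all four vulnerable hosts in six probes, the local-subnet scan finds both hosts on 10.0.1.0/24 in 254 probes, and random scanning of the /16 typically burns its whole probe budget for a handful of hits, which is the traffic volume that gets a random-scanning worm noticed.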
32
Q

Morris worm

A
  1. ran on Unix systems (1988)
  2. attempted to crack the local password file and used the recovered logins/passwords to log on to other systems as a legitimate user
  3. exploited a bug in the finger protocol (reports the location of a remote user)
  4. exploited a trapdoor in the debug option of the remote process that receives and sends mail (sendmail)
  5. on success - communicated with the OS command interpreter, sent it a short bootstrap program and executed it; the bootstrap then copied the rest of the worm over
33
Q

watering-hole attack

A

attacker researches the intended victims to identify websites they are likely to visit, scans those websites for vulnerabilities, plants malware on one of them and waits for the intended victims to visit it

34
Q

malvertising

A

places malware on a website without actually compromising the website itself - the malicious code is delivered through advertisements served by a third-party ad network

35
Q

clickjacking

A

UI redress attack
attacker uses multiple transparent or opaque layers to trick the user into clicking on a button or link on another (hidden) page when they intended to click on the top-level page

36
Q

social engineering

A
  1. spam (unsolicited bulk e-mail) - carries malware attachments and is used for phishing
  2. trojan horse - apparently useful program containing hidden harmful code - the user installs it voluntarily
  3. mobile phone trojans - malicious apps the user is persuaded to install, often from unofficial app stores
37
Q

payload : system corruption

A

payload that damages or destroys the system's programs and data - e.g. overwriting or corrupting system files, or encrypting the user's data and demanding a ransom (ransomware) - in some cases (attacks on industrial control systems) real-world damage to physical equipment

38
Q

remote control facility

A

bot is controlled from a central facility (differs from a worm, which propagates and activates itself)
IRC server (Internet Relay Chat)
- bots join a specific channel on the server and treat incoming messages as commands
- newer bots use peer-to-peer protocols instead - avoids a single point of failure (the command server)

39
Q

phishing

A
  • social engineering that leverages the user's trust by masquerading as a communication from a trusted source (bank, employer) - contains a URL to a fake website and demands urgent action, so the user enters credentials or installs malware
40
Q

spear phishing

A

recipients are carefully researched and the e-mail is crafted to suit each recipient (name, role, colleagues) - much higher success rate than generic phishing

41
Q

rootkit

A

set of hidden programs installed on a system to maintain covert access to that system - subverts the mechanisms that monitor and report on processes, files and registry entries on the computer
- gives the attacker administrator (root) privileges - can add or change programs and files, monitor processes, send and receive network traffic and get backdoor access on demand

42
Q

rootkit characteristics

A
  1. persistent - activates each time the system boots - must store code in the file system or registry
  2. memory based - no persistent code - does not survive a reboot
  3. user mode - intercepts calls to APIs and modifies the returned results (e.g. removes itself from a directory listing)
  4. kernel mode - intercepts native API calls in kernel mode - can hide its processes by removing them from the kernel's list of active processes
  5. virtual machine based - installs a lightweight virtual machine monitor and runs the original OS as a guest - intercepts hardware calls
  6. external mode - locates itself outside the normal operation mode of the OS (BIOS or system management mode) - direct hardware access
43
Q

malware countermeasure

A
  1. prevention - policy, awareness, vulnerability mitigation (patching, hardening), threat mitigation (anti-virus, access controls)
  if prevention fails:
  2. detection - determine that an infection has occurred and locate the malware
  3. identification - identify the specific malware that infected the system
  4. removal - remove all traces of the malware from every infected system so it cannot spread further
44
Q

generation of anti-virus

A
  1. 1st generation: simple scanners - require a malware signature (byte pattern) to identify the malware - limited to known malware
  2. 2nd generation: heuristic scanners - use heuristic rules to search for probable malware (e.g. look for the decryption loop of an encrypted virus) - also integrity checking via stored checksums or hashes of programs
  3. 3rd generation: activity traps - memory-resident programs that identify malware by its actions rather than its structure
  4. 4th generation: full-featured protection - packages that use a variety of techniques in conjunction (scanning, activity traps, access control)
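The concealment strategies on the virus classification card (encrypted and polymorphic viruses) and the 1st/2nd generation anti-virus techniques on this card, as an added example that is not part of the original flashcards: a signature scanner and an integrity checker run over constructed sample "programs". The byte strings, the toy XOR "encryption", the decryptor stub variants and the function names are all made up for this example and do not model any real virus; the point is which scanner catches which variant and why.

```python
import hashlib
from typing import Dict, List

# Constructed sample "programs": short byte strings standing in for executables.
HOST_PROGRAM = b"\x55\x48\x89\xe5 LEGITIMATE PROGRAM BODY"
VIRUS_BODY = b"V1RUS: copy me into every program I touch"
DECRYPT_STUB = b"\xeb\x10DEC"          # constant decryptor the encrypted variant carries
STUB_VARIANTS = [b"\xeb\x10DEC", b"\xe9\x0bDEC", b"\xebDEC\x10"]  # 'equivalent' stubs a polymorphic variant picks from


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def infect_plain(host: bytes) -> bytes:
    """Simple (unconcealed) virus: the body is appended unchanged, so every
    infected file contains the same byte pattern."""
    return host + VIRUS_BODY


def infect_encrypted(host: bytes, key: int) -> bytes:
    """Encrypted virus: the body is XORed with a per-infection key and stored
    behind a decryptor stub; only the stub and the key byte stay constant."""
    return host + DECRYPT_STUB + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def infect_polymorphic(host: bytes, key: int, variant: int) -> bytes:
    """Polymorphic virus: like the encrypted variant, but the decryptor itself is
    mutated on each infection, so there is no constant byte pattern to sign."""
    return host + STUB_VARIANTS[variant] + bytes([key]) + xor_bytes(VIRUS_BODY, key)


# 1st generation: a signature scanner needs one known byte pattern per virus.
SIGNATURES = {"toy-virus-body": VIRUS_BODY, "toy-virus-decryptor": DECRYPT_STUB}


def signature_scan(files: Dict[str, bytes], signatures: Dict[str, bytes]) -> Dict[str, List[str]]:
    hits = {}
    for name, data in files.items():
        matched = [sig for sig, pattern in signatures.items() if pattern in data]
        if matched:
            hits[name] = matched
    return hits


# 2nd generation integrity checking: hash every program while the system is
# known-clean, then report any program whose hash no longer matches.
def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: Dict[str, bytes], known_good: Dict[str, str]) -> List[str]:
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != known_good.get(name))


def run_demo():
    clean = {name: HOST_PROGRAM for name in ("a.bin", "b.bin", "c.bin", "d.bin")}
    known_good = baseline(clean)                           # taken before infection
    after = {
        "a.bin": HOST_PROGRAM,                             # untouched
        "b.bin": infect_plain(HOST_PROGRAM),               # simple virus
        "c.bin": infect_encrypted(HOST_PROGRAM, 0x5A),     # encrypted: body hidden, stub constant
        "d.bin": infect_polymorphic(HOST_PROGRAM, 0x33, 1),  # polymorphic: stub mutated too
    }
    return signature_scan(after, SIGNATURES), integrity_check(after, known_good)


if __name__ == "__main__":
    sig_hits, changed = run_demo()
    print("signature scanner flags:", sig_hits)   # b.bin (body) and c.bin (decryptor stub) only
    print("integrity checker flags:", changed)    # b.bin, c.bin and d.bin
```

The body signature catches only the plain copy; the encrypted copy is caught only because its decryptor stub is constant, which is exactly the weakness the polymorphic variant removes, so the signature scanner misses d.bin entirely. The integrity checker flags all three infected files regardless of concealment, but only because its baseline was recorded while the files were clean; a baseline taken after infection would silently bless the infected copies.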