Chapter 6 - Malicious Code Activity Flashcards

1
Q

Does a virus have to be executed to infect a system?

A

Yes. Simply downloading malware does not execute or deliver the payload.

2
Q

What are Stealth Viruses?

A

Stealth viruses hide themselves from AV by feeding it misleading information, such as misreporting the file size when the file executes.

3
Q

What are Armoured Viruses?

A

Armoured viruses make it difficult for researchers to reverse-engineer the virus code.

This is done by using compilers in conjunction with encryption to make the code difficult to decrypt.

4
Q

What are Polymorphic Viruses?

A

Polymorphic viruses mutate each time they replicate, using a different encryption scheme each time the virus executes.

This makes IOC-based detection difficult for AV, as the IOCs for each copy of the virus differ from one another even though the purpose remains the same.

5
Q

What are Metamorphic Viruses?

A

Metamorphic viruses actually alter their code slightly each time they replicate or execute.

This changes a number of the virus's characteristics and makes detection more difficult.

6
Q

What are Boot-Sector viruses?

A

Boot-sector viruses reside in the device's boot sector and execute when the system is booted or rebooted.

7
Q

What are Multipartite Viruses?

A

Multipartite viruses are multi-dimensional viruses, such as a boot-sector virus that also infects different files and has metamorphic capabilities.

8
Q

What are Macro Viruses?

A

Macro viruses reside in MS Office documents as a macro function.

9
Q

What are Worms?

A

Worms travel across a network looking for hosts to infect, and they typically do not need user interaction to execute.

10
Q

What are Trojan Horses?

A

Trojan Horses are malicious applications masquerading as something benign and safe.

Many trojans install a RAT once a system is infected.

11
Q

What are Remote Access Tools (RATs)?

A

Remote Access Tools grant attackers remote access to a system via the internet.

12
Q

What is Scareware?

A

Scareware is malware that disguises itself as AV software, instructing the user to install software or pay for services they do not need.

Scareware can be a RAT, a trojan or a worm; the scareware part is simply a delivery method.

13
Q

What are Logic Bombs?

A

Logic Bombs are malware that execute when certain defined criteria are met, such as a time, a date, or the malware reaching a particular system.

Keyloggers can have a logic-bomb capability, where they send data once they detect that the user is on a banking website.

14
Q

What is Ransomware?

A

Ransomware is malware that blackmails the user into handing over sums of money in exchange for decrypting their systems, promising not to expose sensitive information, etc.

This type of attack will typically have a time component to instil panic in the user.

15
Q

What are keyloggers?

A

Keyloggers are software- or hardware-based tools that capture a system's keystrokes.

The data is then exfiltrated to the attacker.

16
Q

What are Rootkits?

A

Rootkits are programs that run on a system and remain largely undetected because they have root-level access to the system.

Rootkits can detect system scans and hide themselves from the scan, or prevent the scan from returning any results.

Rootkits are typically installed via trojans.

17
Q

Name some examples of malicious mobile code.

A

Scripts

Java Applets

VBA macros/scripts

18
Q

What are application backdoors/trapdoors?

A

Application backdoors provide a user with access to the application and its code through covert means.

They are usually installed by developers for debugging purposes.

19
Q

What is Spyware?

A

Software that aims to spy on the machine it is installed on, for example by accessing email, photos, location, etc.

20
Q

Name some malware delivery methods.

A

Drive-by downloads
- web servers host malicious code and the user is infected when they interact with the webpage

Malvertising
- ads hosted on websites can be malicious and intended to infect a user's machine

Email delivery
- the most common delivery method, through phishing campaigns

Hardware delivery
- the user plugs a hardware device such as a USB drive or CD into their machine

21
Q

What are some of the common countermeasures against malicious code?

A

AV on all systems
AV signature DB kept updated
Anti-spam filtering
Content-filtering FWs
Patched systems

22
Q

What is Fuzzy Hashing in relation to AV signature matching?

A

Fuzzy hashing is degree-based matching of file hashes.

Instead of requiring a 100% file hash match, AV signatures may accept a degree of similarity with previously identified viruses.

23
Q

What is behaviour-based detection based on?

A

Heuristic signals

24
Q

How does Sender Policy Framework (SPF) function?

A

SPF provides a method to identify spoofed email addresses.

SPF records identify the email servers that are authorized to send email for a specific domain.

If an email originated from an unauthorized email server, it fails SPF.

For example, Gmail publishes the servers that are authorized to send gmail email; any gmail email not originating from this list of servers does not pass SPF.

25
Q

How does Domain Keys Identified Mail (DKIM) work?

A

DKIM works by sending a certificate / digital signature along with the email for authentication and verification of the email.

26
Q

What is DMARC?

A

DMARC is an extension of SPF and DKIM that allows domain owners to publish a policy stating whether they are using SPF or DKIM for verification.

27
Q

What are content filtering appliances?

A

Content filtering appliances are hardware devices that filter traffic into and out of a network, actively monitoring data streams and inspecting them for malicious code activity or behaviour.