Chapter 6 - Malware Flashcards
Threat Vector
Vulnerabilities that COULD be exploited
Attack Vector
The way vulnerabilities WILL BE/WERE exploited (it’s a sequence of events)
Boot Sector Virus
Virus that boots up with the system
Macro (Virus)
Performs a set of actions; it’s embedded in the document
Program Virus
Looks for app files to attach to the app code, so that it opens up each time with the app
Multipartite Virus
With each system boot it looks for a program to attach itself to its code; can re-install itself with every boot
(BOOT+PROGRAM VIRUS)
Encrypted Virus
Virus whose malicious code is deciphered, making it harder to find
Polymorphic Virus
Its code changes with each execution (instead of encrypting itself, its code changes)
Metamorphic Virus
More advanced polymorphic virus; rewrites the entire code
Stealth Virus
It’s a technique a virus uses to avoid detection (e.g. encrypted virus, poly/metamorphic virus)
Armored Virus
Focuses on making analysis difficult for researchers and security programs (obfuscation techniques like encryption, compression, and code packing)
Hoax
It’s a social engineering technique meant to scare people
Worm
Unlike a virus, it can replicate itself without human intervention (application) and spreads far and wide
Trojan
Disguised software that carries malicious code alongside the regular app code (it’s a virus APART from performing the expected tasks)
R.A.T
Remote Access Trojan - provides the attacker with remote access to the victim’s machine
What are the methods to protect from ransomware?
1) Backups
2) Regular Updates
3) Staff training
4) MFA
How to act in the event of a ransomware attack?
1) NEVER PAY
2) Disconnect from network
3) Notify authorities (unless the policy states otherwise)
4) Restore the backup
Zombie
A part of the BOTNET; it’s a compromised device
Botnet
A network of compromised devices (Zombies); controlled remotely
Command and Control Node (C-2 Node)
A device controlling the Botnet
What are Botnets used for?
1) Storing illegal content on victim’s machines (zombie devices)
2) Pivot points (enables lateral movement; acts as a middleman; data exfiltrated through a zombie) e.g. spreading through IoT devices across the network
3) Disguise in the event of attacks
4) Coin mining
5) Using the computing power to break encryption
6) DDoS (Mirai Botnet)
*often only 20-25% of computing power is used so as not to alarm the users
Rootkit
Software designed to gain admin-level permissions (going from Ring 3 to Ring 0)
Kernel Mode
Operating in “Ring 0” - the highest permission level, allowing access to drivers, sound cards, video displays, etc.
Shim
Piece of software placed in between network components; a shim can intercept and alter system behaviors, like hiding files or bypassing security controls
Backdoor
Way to directly access the “inside” of the code/system; a RAT works this way. If done on purpose, it’s dumb
Logic Bomb
A piece of malicious code activated only under a certain condition (e.g. a worker placing data-extraction code in case he gets fired)
Keylogger
Software recording the keystrokes
Spyware
Software gathering and sending the data to the attacker // to prevent - antivirus+anti-spyware
Bloatware
A piece of software you didn’t ask for (marketing purposes); pre-installed or added in other downloads // malicious due to its memory usage or the possibility of having vulnerabilities
Dropper
Acts as a normal program but in fact initiates other malware
Downloader
Retrieves tools after the DROPPER infection
Shellcode
A lightweight piece of code meant to execute an exploit
Concealment
Hiding evidence of an attack/exploit to prolong it
9 Indicators of Malware Attacks:
1) Account Lockouts (after several brute force attempts)
2) Concurrent Session Utilization (simultaneous sessions on one account)
3) Blocked Content
4) Impossible Travel (account logged in from the US and an hour later from Poland)
5) Resource Consumption (spikes in CPU, memory or network usage)
6) Resource Inaccessibility
7) Out-of-Cycle Logging
8) Missing Logs (attackers trying to hide their tracks)
9) Published or Documented Attacks (you find out about a leak from a website)