Chapter 8: Malicious Code and Application Attacks Flashcards
What is a “script kiddie”?
A malicious individual who doesn’t understand the technology behind security vulnerabilities but downloads ready-to-use software from the Internet and uses it to launch attacks against remote systems.
Describe the Zeus trojan horse.
Zeus is widely believed to be the product of an Eastern European organized crime ring seeking to infect as many systems as possible to log keystrokes and harvest online banking passwords. The Zeus outbreak started in 2007 and continues today.
What is a computer virus?
A virus is malicious code that spreads from system to system aided by unsuspecting computer users seeking to share data.
What is the MBR?
MBR is the Master Boot Record, which is the bootable portion of a hard disk that contains information used to load the operating system during the boot process.
What is a MBR virus?
A virus which attacks the master boot record. Since the MBR is very small, these viruses generally store most of their code elsewhere.
What is a file infector virus?
A virus which infects executable files, such as .exe and .com files. They typically slightly alter the targeted file, but may entirely replace it.
What is a companion virus?
A virus that doesn’t change the original binary, but uses a similar but different filename. For example, game.com instead of game.exe.
What is a macro virus?
A virus executed in an application’s scripting language. Examples: Melissa (Word, 1999) and I Love You (2000).
What is a service injection virus?
A virus which injects itself into trusted runtime processes like svchost.exe, winlogon.exe, or explorer.exe. This helps these viruses escape detection by antivirus software.
What is the best technique to defend against service injection?
Keeping all software that can view web content up to date (browsers, media players, helper applications).
What is the zero day problem?
Antivirus is an arms race, with AV always trying to keep up with evolving threats. Zero-day exploits don’t have patches or detection mechanisms simply because they’re new.
How do most antivirus packages work?
Most use signature detection. This is essentially a large database that contains the telltale characteristics of all known viruses.
What is a multipartite virus?
A virus that uses more than one propagation technique to attempt to penetrate systems that only defend against one or a few techniques.
What is a stealth virus?
A virus that hides by tampering with the OS to fool antivirus packages.
What is a polymorphic virus?
A virus that actually modifies its own code as it travels from system to system. The propagation and destruction techniques remain unchanged, but its signature changes to make detection more difficult.
What is an encrypted virus?
A virus that uses cryptographic techniques to avoid detection.
What is a logic bomb?
A malicious code object that infects a system and lies dormant until it is triggered by the occurrence of one or more events.
What is a trojan horse?
A program that appears benevolent but carries a malicious, hidden payload.
What is a worm?
A malicious code object that can propagate without human interaction.
What did the Code Red worm do?
Randomly selected hundreds of IPs to attack, probed them for vulnerable versions of IIS, defaced the web server with “Welcome to http://www.worm.com! Hacked by Chinese!”, and planted a logic bomb that would DoS an IP that belonged to whitehouse.gov.
What was Robert Morris’s punishment for the famous Morris worm?
3 years’ probation, 400 hours of community service, and a $10,000 fine under the CFAA of 1986.
What was Robert Morris’s dad’s job?
He was director of the National Security Agency’s Computer Security Center.
What is Stuxnet?
A highly sophisticated worm that was discovered in 2010. It searched for unprotected administrative shares on the local network, exploited zero day vulnerabilities in Windows Server and Print Spooler services, connected to systems using a default database password, or spread by infected USB drive.
Stuxnet spread widely, but was looking for systems using a controller manufactured by Siemens and allegedly used in the production of material for nuclear weapons. When it found such a system, it deployed a payload intended to destroy centrifuges attached to the controller.
What is spyware?
Malicious code that monitors your actions and transmits important details to a remote system that spies on your activity.
What is adware?
Malicious code that uses a variety of techniques to display ads on infected computers.
What’s the best malicious code countermeasure for client systems?
Updated antivirus software that searches local storage for viruses.
What are the solutions to signature-based antivirus problems?
Integrity-checking software like Tripwire and access controls that limit the ability of malicious code to damage data.
What other techniques can prevent systems from being infected by malicious code?
Sandboxing, like Java.
ActiveX control signing to ensure code comes from a trusted source.
Whitelisting applications at the operating system level, which requires administrators specifically approving applications.
List password attacks
Password guessing
Dictionary attacks
Social engineering
What is the cornerstone of any security program?
Education
List the application attacks
Buffer overflow
Time-of-check to time-of-use
Back doors
Escalation of privileges and rootkits
What is a buffer overflow?
It’s an input validation error where an external input is allowed to be longer than the internal space allocated for it.
Describe the time-of-check to time-of-use attack
It’s a timing vulnerability where access permissions are checked too far in advance of a resource request.
What is a back door?
An undocumented command sequence that allows an individual with knowledge of it to bypass normal security restrictions.
What is escalation of privilege?
.
What is a rootkit?
.
How does cross-site-scripting (XSS) work?
.
How does SQL injection work?
.
How do you defend against SQL injection?
Input validation, limiting account privileges, and using stored procedures.
List the reconnaissance attacks
IP probes
port scans
vulnerability scans
dumpster diving
List the masquerading attacks
IP spoofing
Session hijacking
What is a masquerading attack?
.