Chapter 8: Malicious Code and Application Attacks

Question 1

What is a “script kiddie”?

Answer 1

A malicious individual who doesn’t understand the technology behind security vulnerabilities but downlaods ready-to-use software from the Internet and uses them to launch attacks against remote systems.

Question 2

Describe the Zeus trojan horse.

Answer 2

Zeus is widely believed to be the product of an Eastern European organized crime ring seeking to infect as many systems as possible to log keystrokes and harvest online banking passwords. The Zeus outbreak started in 2007 and continues today.

Question 3

What is a computer virus?

Answer 3

A virus is malicious code that spreads from system to system aided by unsuspecting computer users seeking to share data.

Question 4

What is the MBR?

Answer 4

MBR is the Master Boot Record, which is the bootable portion of a hard disk that contains information used to load the operating system during the boot process.

Question 5

What is a MBR virus?

Answer 5

A virus which attacks the master boot record. Since the MBR is very small, these viruses generally store most of their code elsewhere.

Question 6

What is a file infector virus?

Answer 6

A virus which infects executable files, such as .exe and .com files. They typically slightly alter the targeted file, but may entirely replace it.

Question 7

What is a companion virus?

Answer 7

A virus that doesn’t change the original binary, but uses a similar but different filename. For example, game.com instead of game.exe.

Question 8

What is a macro virus?

Answer 8

A virus executed in an application’s scripting language. Melissa in Word, 1999. I Love You, 2000.

Question 9

What is a service injection virus?

Answer 9

A virus which injects itself into trusted runtime processes like svchost.exe, winlogin.exe, or explorer.exe. This helps these viruses escape detection by antivirus software.

Question 10

What is the best technique to defend against service injection?

Answer 10

Keeping all software that can view web content up to date. (browsers, media players, helper applications)

Question 11

What is the zero day problem?

Answer 11

Antivirus is an arms race, with AV always trying to keep up with evolving threats. Day 0 exploits don’t have patches or detection mechanisms simply because they’re new.

Question 12

How do most antivirus packages work?

Answer 12

Most use signature detection. This is essentially a large database that contains the telltale characteristics of all known viruses.

Question 13

What is a multipartite virus?

Answer 13

A virus that uses more than one propagation technique to attempt to penetrate systems that only defend against one or a few techniques.

Question 14

What is a stealth virus?

Answer 14

A virus that hide by tampering with the OS to fool antivirus packages.

Question 15

What is a polymorphic virus?

Answer 15

A virus that actually modifies it’s own code as it travels from system to system. The propagation and destruction techniques remain unchanged, but this signature changes to make detection more difficult.

Question 16

What is an encrypted virus?

Answer 16

A virus that uses cryptographic techniques to avoid detection.

Question 17

What is a logic bomb?

Answer 17

A malicious code object that infects a system and lies dormant until it is triggered by the occurrence of one or more events.

Question 18

What is a trojan horse?

Answer 18

A program that appears benefolent but carries a malicious, hidden payload.

Question 19

What is a worm?

Answer 19

A malicious code object that can propagate without human interaction.

Question 20

What did the Code Red worm do?

Answer 20

Randomly selected hundreds of IPs to attack, probed them for vulnerable versions of IIS, defaced the web serer with “Welcome to http:///www.worm.com! Hacked by Chinese!”, and planted a logic bomb that would DoS an IP that belonged to whitehouse.gov.

Question 21

What was Robert Morris’s punishment for the famous Morris worm?

Answer 21

3 years probation, 400 hours community service, $10,000 fine under the DFAA of 1986.

Question 22

What was Robert Morris’s dad’s job?

Answer 22

He was director of the National Security Agency’s Computer SEcurity Center.

Question 23

What is Stuxnet?

Answer 23

A highly sophisticated worm that was discovered in 2010. It searched for unprotected administrative shares on the local network, exploited zero day vulnerabilities in Windows Server and Print Spooler services, connected to systems using a default database password, or spread by infected USB drive.

Stuxnet spread widely, but was looking for systems using a controller manufactured by Siemens and allegedly used in the production of material for nuclear weapons. When it found such a system, it deployed a payload intended to destroy centrifuges attached to the controller.

Question 24

What is spyware?

Answer 24

Malicious code that monitors your actions and transmits important details to a remote system that spies on your activity.

Question 25

What is adware?

Answer 25

Malicous code that uses a variety of techniques to display ads on infected computers.

Question 26

What’s the best malicious code countermeasure for client systems?

Answer 26

Updated antivirus software that searches local storage for viruses.

Question 27

What are the solutions to signature-based antivirus problems?

Answer 27

Integrity checking software like tripwrie and access controls that limit the ability of malicious code to damage data.

Question 28

What other techniques can prevent systems from being infected by malicous code?

Answer 28

Sandboxing, like Java.
ActiveX control signing to insure code comes from a trusted source
Whitelisting applications at the operating system level, which requires administrators specifically approving applications.

Question 29

List password attacks

Answer 29

Password guessing
Dictionary attacks
Social engineering

Question 30

What is the cornerstone of any security program?

Answer 30

Education

Question 31

List the application attacks

Answer 31

Buffer overflow
time-of-check to time-of-use
back doors
escalation of privileges and rootkits

Question 32

What is a buffer overflow

Answer 32

It’s an input validation error where an external input is allowed to be longer than the internal space allocated for it

Question 33

Describe the time-of-check to time-of-use attack

Answer 33

It’s a timing vulnerability where access permissions are checked too far in advance of a resource request.

Question 34

What is a back door?

Answer 34

An undocumented command sequence that allows an individual with knowledge of it to bypass normal security restrictions

Question 35

What is escalation of privilege?

Answer 35

.

Question 36

What is a rootkit?

Answer 36

.

Question 37

How does cross-site-scripting (XSS) work?

Answer 37

.

Question 38

How does SQL injection work?

Answer 38

.

Question 39

How do you defend against SQL injection?

Answer 39

input validation, limit account privs, use stored procedures

Question 40

List the reconnaissance attacks

Answer 40

IP probes
port scans
vulnerability scans
dumpster diving

Question 41

List the masquerading attacks

Answer 41

IP spoofing

Session hijacking

Question 42

What is a masquerading attack?

Answer 42

.