Chapter 8: Trojans, Viruses, Worms, & Covert Channels Flashcards
Covert channels
path used to transmit info in a way that is supposed to be impossible, or that uses a process in a way it was not intended to be used
Malware & the Law (3)
THE COMPUTER FRAUD & ABUSE ACT - addresses federal computer-related offenses
THE PATRIOT ACT - penalties up to 10 years for a 1st offense, 20 years for a 2nd offense; assesses damages to multiple systems over the course of a year to determine whether the total exceeds $5000
CAN-SPAM ACT - designed to stop spam
VIRUSES
- self-replicating application that attaches itself to executables; typically requires user action to initiate infectious activity
Sheep dip system
used to investigate, analyze & defend against malware; it is a computer specifically configured to analyze files; the computer is stripped down & includes only those services & apps needed to test the SW
OVERT CHANNELS
communication path or channel used to send info or perform other actions; HTTP and TCP/IP are examples of channels used to send info
Using BO2K
used to build a server & install that server on the victim's computer to gain access
BO2K executable needs to be run on the target system; the application runs an executable called Umgr32.exe, which may be masked as a different process in Task Manager; if stealth was not configured, the app appears as Remote Administration Service
WRAPPER
- takes payload & merges it with a harmless executable
Polymorphic Virus
rewrites its own code as it spreads, hiding its payload
Sparse infector virus
infects files selectively
WORMS
- successor to viruses; entirely self-replicating & spreads quickly, does not need any action performed by the user, can spread across NWs crashing routers, consuming bandwidth & resources
TROJAN HORSES
- provides covert access to a system; looks harmless; goals are similar to a worm & virus, but it transmits info & is more stealthy
ROOTKITS
- hide within the core components of a system, very difficult to detect
SPYWARE
- collects & forwards info about a system or a user's activities in a stealthy manner; most common are keyloggers
ADWARE
- replaces homepages in browsers, places pop-up ads, or installs items on a system to advertise a product or service
SYSTEM/BOOT SECTOR VIRUS
- code placed in the MBR (master boot record); boot seq. is altered, can make the HD go undetected, etc.
MACRO VIRUSES
- takes adv. of embedded languages (Word, Excel, etc.); designed to hide in those files & change configurations
CLUSTER VIRUSES
alters the file-allocation tables on a storage device, causing file entries to point to the virus instead of the real file; in practice, this means that when a user runs a given application, the virus runs before the system executes the actual file
STEALTH/TUNNELING VIRUS
designed to employ various mechanisms to evade detection systems; stealth viruses employ unique techniques, including intercepting calls from the OS and returning bogus or invalid responses designed to fool or mislead
ENCRYPTION VIRUSES
uses an encryption algorithm to encrypt and decrypt the virus multiple times as it replicates and infects; each time the infection process occurs, a new encryption sequence takes place with different settings, making it difficult for antivirus software to detect the problem
CAVITY/FILE-OVERWRITING VIRUSES
- hides in the host file without changing the file's appearance
SPARSE-INFECTOR VIRUSES
- avoids detection by carrying out infectious actions sporadically, or only on files of a certain length or type, etc.
COMPANION/CAMOUFLAGE VIRUS
- creates SW w/ the same name but a different extension (e.g. if you execute program.exe, the virus may create program.com & execute that instead)
LOGIC BOMB
designed to lie in wait until a predetermined event or action occurs; when this event occurs, the bomb or payload detonates and carries out its intended or designed action. Logic bombs have been notoriously difficult to detect because they do not look harmful until they are activated, and by then it may be too late. In many cases, the bomb is separated into two parts: the payload and the trigger; neither looks all that dangerous until the predetermined event occurs
FILE/MULTIPARTITE VIRUS
infects systems in multiple ways using multiple attack vectors, hence the term multipartite; attack targets include the boot sector and executable files on the hard drive. What makes such viruses dangerous and powerful weapons is that to stop them, you must remove all of their parts; if any part of the virus is not eradicated from the infected system, it can reinfect the system
SHELL VIRUSES
another type of virus where the software infects the target application and alters it; the virus makes the infected program into a subroutine that runs after the virus itself runs
CRYPTOVIRUSES
hunt for files or certain types of data on a system and then encrypt them; the victim is then instructed to contact the virus creator via a special email address or other means and pay a specified amount (ransom) for the key to unlock the files