Chapters 6, 7, 10 Flashcards
Malware propagation mechanisms include those used by…(3)
viruses, worms and Trojans
______ include system corruption, bots, phishing, spyware, and rootkits.
Payloads
Virus Dormant Phase
The virus is idle.
Virus Propagation Phase
The virus places a copy of itself into other programs or into certain system areas on the disk.
Virus Triggering Phase
The virus is activated to perform the function for which it was intended.
Virus Execution Phase
The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Infects files with macro or scripting code that is interpreted by an application.
Macro Virus
Infects files that the operating system or shell consider to be executable.
File Infector Virus
An attack that exploits social engineering to leverage a user's trust by masquerading as communications from a trusted source.
Phishing Attack
The recipients are carefully researched by the attacker, and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity.
Spear-Phishing Attack
Is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible.
Rootkit
An attempt to compromise availability by hindering or blocking completely the provision of some service.
Denial-of-service (DoS) attack
DDoS Flooding attack targets…(3)
Network BW, System resources, Application resources
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are a good example.
Backscatter Traffic
This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
DoS attack, SYN Spoofing Attack
The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target.
Reflection attack
Involve sending a packet with a spoofed source address for the target system to intermediaries. They differ in generating multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network.
Amplification Attacks
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Buffer Overflow
Instead of the sequence of letters used as padding in the example above, binary values corresponding to the desired machine instructions were used.
Shellcode
Aim to prevent or detect buffer overflows by instrumenting programs when they are compiled.
Compile-Time Defenses
Can be deployed as operating system updates to provide some protection for existing vulnerable programs. These defenses involve changes to the memory management of the virtual address space of processes.
Run-Time Defenses
Most commonly the address of a standard library function is chosen, such as the system() function. The attacker specifies an overflow that fills the buffer, replaces the saved frame pointer with a suitable address, replaces the return address with the address of the desired library function, writes a placeholder value that the library function will believe is a return address, and then writes the values of one (or more) parameters to this library function.
Return-to-system-call Attack
If the allocated space includes a pointer to a function, which the code then subsequently calls, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer.
Heap Buffer Overflow