J.Dion Sec. 6 Malware Flashcards
Any software that is designed to infiltrate a computer system without the user’s knowledge.
Malware
What two things does malware need in order to infect a system?
Threat vector
Attack vector
Specific method used by an attacker to infiltrate a victim’s machine.
Threat Vector
What are some examples of threat vectors?
Unpatched software
Installing code
User clicks on a link
Phishing campaign
Other vulnerabilities or exploits that can be taken advantage of.
A means by which an attacker gains access to a computer to infect the system with malware.
Attack vector
When we say threat vector think
ways the attacker breaks into the system.
When we say attack vector think
ways the attacker breaks into and infects the system.
What vulnerability was the MS17-010 security patch made to fix?
The EternalBlue vulnerability
What is the vulnerability on computers missing the MS17-010 patch?
File and printer services that operate over the SMB protocol are vulnerable on the system until it has been updated with the patch.
Which known attack ran scans all day and all night to find as many unpatched Windows 7 through 10 machines missing the MS17-010 patch as possible?
WannaCry ransomware
How did WannaCry Ransomware do it?
It ran the exploit against machines that had not been updated, gained administrative rights over the system, and then encrypted the user’s files, displaying a message on the screen saying “Computers locked and if you want to access it you owe x-amount of bitcoin for decryption key.”
Malicious code that is run on a machine without the user’s knowledge, which allows the code to infect the computer whenever it is run.
Computer virus
What are the 10 different types of viruses?
Boot sector
Macro
Program
Multipartite
Encrypted
Polymorphic
Metamorphic
Stealth
Armor
Hoax
Virus type that is stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up.
Boot sector virus
Why are boot sector viruses difficult to detect?
Boot sector viruses are installed before the operating system boots up and are able to hide from antivirus scans.
How to detect boot sector viruses?
Use a specialized antivirus that looks for boot sector viruses; such scanners are usually run from a network anti-virus scanning engine or from an anti-virus that can be loaded from a Linux live boot disc.
Virus type that is a form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus is executed.
Macro virus
Where are the most common examples of macros found?
In Microsoft Word documents or Excel spreadsheets
What makes macros malicious?
Macros by default are used to add specific functionality to different documents without needing to create an entire program to do it.
Macros become malicious when someone purposely adds malicious code to a document.
Virus type that tries to find executable or application files to infect with its malicious code.
Program virus
Virus type that is a combination of a boot sector type virus and a program virus.
Multipartite virus
How does a multipartite virus work?
The virus places itself in the boot sector so that it is loaded every time the computer boots, and then installs itself within a program.
This lets the virus maintain persistence on the infected machine.
Standalone malware programs that replicate and spread to other systems by exploiting software vulnerabilities.
Worms
Malicious software that attaches to clean files and spreads into a computer system.
Virus
Malicious programs which appear to be legitimate software that allow unauthorized access to a victim’s system when executed.
Trojans
Encrypts a user’s data and holds it hostage until a ransom is paid to the attacker for decryption.
Ransomware
Compromised computers that are remotely controlled by attackers and used in coordination to form a botnet.
Zombies
Network of zombies, often used for DDoS attacks, spam distribution, or cryptocurrency mining.
Botnet
Malicious tools that hide their activities and operate at the OS level to allow for ongoing privileged access.
Rootkits
Malicious means of bypassing the normal authentication process to gain unauthorized access to a system.
Backdoors
Embedded code placed in legitimate programs that executes a malicious action when a specific condition or trigger occurs.
Logic Bombs
Record a user’s keystrokes and are used to capture passwords or other sensitive information.
Keyloggers
Software that secretly monitors and gathers users’ information or activities and sends the data to third parties.
Spyware
Unnecessary or pre-installed software that consumes system resources and space without offering any value to the user.
Bloatware
What is an example of a program virus?
Browsing the internet and accidentally opening a program virus that will try to install itself into one of your programs like Microsoft Word.
How do program viruses infect?
Once a program virus has installed itself into an application like Microsoft Word, the virus infects the computer every time the infected application is opened, so it can keep re-infecting the system.
Type of virus that hides from detection by encrypting its malicious code or payload so that antivirus software cannot recognize it.
Encrypted Virus
Why are encrypted viruses difficult for anti-virus software to detect?
The malicious code is scrambled into cipher text which makes it unreadable to both the user and anti-virus software.
Type of virus that is an advanced version of an encrypted virus: instead of just encrypting its contents, it changes the virus’s code each time it is executed by altering the decryption module in order to evade detection.
Polymorphic virus
Type of virus that is able to rewrite itself entirely before it attempts to infect a given file.
Metamorphic Virus
This type of virus is not necessarily a specific type of virus as much as it is a technique used to prevent the virus from being detected by the anti-virus software.
Stealth Virus
What techniques do stealth viruses use to avoid being detected by anti-virus software?
Encrypting its contents
Modifying its payload
Type of virus that has a layer of protection to confuse a program or a person who is trying to analyze it.
Armored Virus
Type of virus that isn’t an actual virus but a form of technical social engineering that attempts to scare end users into taking undesirable actions on their systems.
Hoax
Piece of malicious software, much like a virus, but it can replicate itself without any user interaction.
Worm
How do worms infect?
Worms take advantage of vulnerabilities in operating systems and applications when appropriate security controls or security patching are not in place.
A worm could scan the network, find a workstation that is missing a security patch, and then take advantage of that workstation.
What is the key difference between a virus and worm?
A virus requires a user to take some action such as opening a file, clicking on a malicious web link, or connecting a mass storage device to the system.
Whereas a worm can replicate itself and spread throughout the network without the user’s consent or action.
Why are worms very dangerous?
They can affect the workstation and other computing assets.
They can cause disruptions to normal network traffic since they are constantly trying to replicate and spread across the network.
They consume not only network resources but also compute power, processing power, memory, and network capacity.
What happens when a worm replicates itself too rapidly?
Denial-of-service attack against network and associated servers.
How fast was the worm Nimda able to propagate across the entire internet in 2021?
22 minutes
This worm is one of the largest seen to date and was able to infect between 9 and 15 million machines.
Conficker in 2009
What vulnerability was the worm Conficker seeking?
The vulnerability addressed by the Windows operating system critical security patch known as 08-067.
What was the security patch 08-067 designed to solve?
A software vulnerability in the way Windows handled file and printer sharing.
Piece of malicious software that is disguised as a piece of harmless or desirable software.
Trojan
Type of Trojan that is widely used by modern attackers because it provides the attacker with remote control of a victim machine.
Remote Access Trojan (RAT)
How are Trojans commonly used by attackers?
Attackers exploit a vulnerability in a workstation, conduct data exfiltration to steal sensitive documents, and then create backdoors to maintain persistence on the system.
Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker.
Ransomware
The Colonial Pipeline attack in 2021 was what type of attack?
Ransomware
What group led the Colonial Pipeline attack in 2021?
Darkside
What happened in the Colonial Pipeline attack?
Colonial Pipeline was attacked with ransomware.
The pipeline was shut down for 5 days, causing massive disruptions to fuel supply on the US East Coast.
The attackers, Darkside, demanded and received a ransom of $4.4 million in bitcoin in exchange for a decryption key.
What ransomware attack occurred in 2020?
Universitatsklinikum Dusseldorf in September 2020 was disrupted by a ransomware attack.
Hospital computers were disrupted and patients had to be diverted to other hospitals for emergency treatments.
A woman with a life-threatening condition died due to this delay in care and being diverted.
This was the first death directly related to a ransomware attack on a hospital.
Network of compromised computers or devices controlled remotely by malicious actors.
Botnet
What can an attacker use through a botnet attack?
If successful, attackers gain the use of a computer’s processing, memory, storage, and networking resources.
Name of a compromised computer or device that is part of a botnet and used to perform tasks using remote commands.
Zombie
Responsible for managing and coordinating the activities of other nodes or devices within a network.
Command and Control Node
Also known as C2 node
These are used to spam others by sending out phishing campaigns and other malware.
Botnets
What is the most common type of botnet attack?
DDoS
Distributed Denial of Service Attack
Used for cyberattacks or other malicious activity.
a. Botnet
b. Zombie
Used to perform the task using remote commands from the attacker without the user’s knowledge.
a. Botnet
b. Zombie
Performs tasks using remote commands from the attacker, without the user’s knowledge, such as crypto mining or breaking encryption.
Zombie
Type of software that is designed to gain administrative-level control over a given computer system without being detected.
Rootkit