Lecture 10: Malware Flashcards

1
Q

List some techniques used for propagation of malware

A
  • Virus
  • Trojan horse
  • Worm
  • Backdoor
  • Attack kit
  • Auto-rooter
  • Downloader
2
Q

List some techniques used as payloads in malware

A
  • Adware
  • Flooders
  • Keyloggers, Spyware
  • Zombie, bomb
  • Logic bomb
  • Ransomware
  • Rootkit
  • Spammers
3
Q

Explain what a “Worm” is, and how it works

A
  • Self-replicating program that propagates over a network
    o Using e-mail, remote execution, software flaws, or removable media (USB sticks)
    o Zero-day exploits
    o Old, unpatched bugs (e.g. the leaked NSA exploits against Server Message Block (SMB))
  • Has phases:
    o Dormant phase: does not damage the system immediately
    o Propagation phase: searches for other systems, connects to each one, copies itself over and runs there
4
Q

Explain what a “Virus” is, and how it works

A
  • Piece of software that infects programs
    o Modifying them to include a copy of the virus
    o So that the virus executes secretly whenever the host program is run
5
Q

List the four phases of a typical “Virus”

A
  • A typical virus goes through the phases:
    o Dormant – idle, waiting for some event (date, presence of a file, ...)
    o Propagation – copies itself into other programs or disk areas
    o Triggering – activated by the event that starts the payload
    o Execution – the payload runs
6
Q

List the four components of a typical “virus”

A

  • Infection mechanism – how the virus replicates (its infection vector)
  • Modification engine – disguises each copy (compression, encryption, polymorphism)
  • Trigger – the event or condition that activates the payload
  • Payload – what the virus does besides spreading, malicious or benign

7
Q

List some techniques a virus can use in order to hide itself

A
  • Naïve (simply self-replicating, the body is copied unchanged)
  • Compress parts of itself or the host program to hide the growth in size
  • Encryption of the virus body with a per-copy key
  • Polymorphism: the whole virus is rebuilt at every infection
8
Q

Explain how a “Naïve (simply self replicating) virus” can easily be found by virus protection software

A

A naïve (simply self-replicating) virus adds its own code to every program it infects, so each infected program changes in size and in content. Virus protection software that has recorded the original size (or a checksum) of each program detects the change, and because the virus body is copied unchanged it can also be matched directly as a signature.

9
Q

Explain how a (partially) compressed “virus” can be found by virus protection software

A
  • Because the file size no longer changes, detection has to inspect the contents of potentially infected programs:
  • Compare a checksum (integrity signature) of each program with a known-good value, or
  • Search the program for the fixed code V of the virus (the virus code itself and its decompression stub are not compressed, so V is a usable signature)
10
Q

Explain how “Encrypted viruses” work

A
  • Generate a (new) key
  • Encrypt the virus body with it
  • Copy into the host program:
    o The bootstrap (decryption routine plus the key), and
    o The encrypted virus body
  • When the host is started:
    o The bootstrap decrypts the virus body
    o Then executes it
11
Q

Explain how an “Encrypted Virus” can be found by virus protection software

A

The encrypted body differs in every copy, but the bootstrap (decryption routine) is the same constant code in all of them, so it can be found with a signature; in addition, an integrity check shows that the program's contents have changed.

12
Q

Briefly explain how “Polymorphic viruses” work

A

  • Rebuild the whole virus at every infection into something functionally identical but byte-wise different
    o Either insert non-functional (junk) code, or
    o Re-order instructions
  • Usually combined with encryption, so that the decryption routine itself is mutated in every copy

13
Q

Briefly explain how a “Polymorphic Virus” can be found by virus protection software

A

  • Focus on the decryption engine: the body is encrypted and the engine is mutated, but it must still decrypt the body correctly, so scanners look for its invariant instructions (wildcard signatures that tolerate inserted junk) or let it run in an emulator and scan the decrypted result
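An added example for cards 10 to 13 (not code from the lecture): it builds byte strings for an encrypted virus and a polymorphic variant and runs three scanners over them. The virus body is plain text, the decryptor is a few real x86 opcode bytes (lodsb / xor al,imm8 / stosb / loop) used only as a pattern and never executed, and the junk sequences, keys and the `scan_report` function are made up for the illustration.

```python
import random
import re

# Constructed example. Nothing here runs as machine code: we only produce
# byte strings the way a virus would write them into a host, then scan them.
VIRUS_BODY = b"constructed virus body: open(); write(); close()"
JUNK = [b"\x90", b"\x50\x58", b"\x40\x48"]   # nop, push/pop eax, inc/dec eax


def decryptor(key):
    """Bootstrap as separate instructions so junk can be slipped between them.
    Operands are schematic (the loop displacement is not recomputed)."""
    return [b"\xac", b"\x34" + bytes([key]), b"\xaa", b"\xe2\xfa"]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def encrypted_virus(key):
    """Encrypted virus: constant decryptor (key embedded) + body XOR key."""
    return b"".join(decryptor(key)) + xor_bytes(VIRUS_BODY, key)


def polymorphic_virus(key, rng):
    """Polymorphic virus: same decryptor, but one or two junk sequences are
    inserted after every instruction, so its bytes differ in every copy."""
    out = []
    for ins in decryptor(key):
        out.append(ins)
        out.extend(rng.choice(JUNK) for _ in range(rng.randint(1, 2)))
    return b"".join(out) + xor_bytes(VIRUS_BODY, key)


# Scanner 1: signature on the virus body (works only while the body is in clear).
def matches_body_signature(sample):
    return VIRUS_BODY in sample


# Scanner 2: signature on the constant decryptor; the key byte is a wildcard.
FIXED_STUB = re.compile(rb"\xac\x34.\xaa\xe2", re.DOTALL)


def matches_fixed_stub(sample):
    return FIXED_STUB.search(sample) is not None


# Scanner 3: "focus on the decryption engine": the same instructions, but the
# pattern tolerates any number of known junk sequences between them.
_JUNK = b"(?:" + b"|".join(re.escape(j) for j in JUNK) + b")*"
FLEX_STUB = re.compile(rb"\xac" + _JUNK + rb"\x34." + _JUNK + rb"\xaa" + _JUNK + rb"\xe2",
                       re.DOTALL)


def matches_flexible_stub(sample):
    return FLEX_STUB.search(sample) is not None


CLEAN_PROGRAM = b"\x7fELF ordinary program text with no decryptor in it"


def scan_report(seed=7):
    rng = random.Random(seed)
    keys = (0x11, 0x5a, 0xc3)
    enc = [encrypted_virus(k) for k in keys]
    poly = [polymorphic_virus(k, rng) for k in keys]
    return {
        "body_sig/plain": matches_body_signature(VIRUS_BODY),              # True
        "body_sig/encrypted": [matches_body_signature(s) for s in enc],    # all False
        "fixed_stub/encrypted": [matches_fixed_stub(s) for s in enc],      # all True
        "fixed_stub/polymorphic": [matches_fixed_stub(s) for s in poly],   # all False
        "flex_stub/polymorphic": [matches_flexible_stub(s) for s in poly], # all True
        "flex_stub/clean": matches_flexible_stub(CLEAN_PROGRAM),           # False
    }


if __name__ == "__main__":
    for name, result in scan_report().items():
        print(f"{name:24s} {result}")
```

The body signature stops working as soon as the body is encrypted; the fixed decryptor signature recovers detection for the encrypted virus but is defeated once the decryptor is mutated; only a scanner that models the engine's invariant instructions (or, as card 29 describes, emulates it) still catches the polymorphic copies. Instruction re-ordering, the other mutation on card 12, is not shown.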

14
Q

Explain what a “Macro Virus” is, how it works, and some of its strengths

A
  • Exploits the macro/scripting capability of applications
    o Basic, Elisp, JavaScript, …
  • Why this is attractive to attackers:
    o Platform independent (runs wherever the application runs)
    o Infects documents rather than executables, and documents are exchanged far more often
    o Is easily spread (e.g. as e-mail attachments)
15
Q

Give an example of an “E-mail Virus”, and how it works

A
  • E.g. Melissa (1999)
    o Exploits a Microsoft Word macro in an attached document
    o If the attachment is opened, the macro activates
    o Mails the document to addresses from the victim's address book (Melissa took the first 50 Outlook entries), and
    o Does local damage
16
Q

Explain what a “Trojan Horse” is, and how it works

A
  • Based on social engineering: the victim installs it voluntarily
  • It is a program with two purposes, one obvious and one hidden from the user
  • Today it is often used as a dropper, to install other malware or backdoors
  • Trojan horses can be built
    o From existing programs, using a special wrapper around the original
    o Or designed from the start to be one
17
Q

Give some examples of “Integrity-loss”, and some causes for it

A
  • Deletion or corruption of files, contacts, etc.
  • Used in ransomware, which
    o Encrypts files
    o Or deletes files
    o And then demands ransom money (e.g. in bitcoin) to restore them
18
Q

Give some examples of “Availability-loss”

A
  • Deletion of files, change of firewall rules (locking users or services out)
  • Flooding (e.g. DDoS) that makes a service unreachable
  • Physical damage to the hardware or to the equipment it controls

19
Q

Explain what a “Logic-Bomb” is, and how it works

A
  • A small piece of code that triggers on a specific condition (a date, the absence of a file, a user account being removed, ...)
  • Typically with malicious results
  • No vector for spreading: it is installed directly by someone who already has access
  • Example: a disgruntled (ex-)employee plants a piece of code that, on a given date, attempts to wipe all company servers
20
Q

Explain what a “Bot” is, and how it works

A
  • A program that secretly takes over a computer so that an attacker can use it
  • To launch attacks that are hard to trace back to the attacker
  • When many bots are coordinated from one place they form a botnet, characterised by:
    o A remote control facility (command-and-control channel)
    o A multi-layered network of bots (hides the operator and resists takedown)
21
Q

Give some examples of possible uses for “Bots”

A
  • DDoS
  • Spamming
  • Manipulating on-line surveys
  • Using the victims' computational resources
    o E.g. bitcoin mining, password brute forcing
  • Cheating ad-providers (click fraud)
  • Spreading new malware
22
Q

Give some examples of “Confidentiality-loss”

A
  • Key loggers / PIN loggers
    o Password theft
  • Spyware
    o Camera
    o Documents
  • Phishing
  • Espionage
  • Identity theft
23
Q

Explain what “Backdoors” are, and how they work

A
  • Software that gives access to a system
  • Bypassing the normal OS login and authorisation checks
  • Often installed for legitimate reasons (e.g. a maintenance hook left in by developers)
  • Only to be discovered and abused later
24
Q

Explain what “Rootkits” are, and how they work

A
  • A set of programs installed to keep administrator (root) access
  • Makes malicious and stealthy changes to the OS
  • Hides its own existence
    o By subverting the reporting mechanisms for processes, files, registry entries, etc.
  • Runs in user mode or kernel mode (kernel-mode rootkits are harder to detect)
  • Typically installed by a Trojan horse or a worm
25
Q

List some examples of countermeasures against malware

A
  • Code signing
  • Prevention/detection systems
  • Generic Decryption
26
Q

Explain how “Code Signing” works

A
  • Used in digital software distribution
  • Used by hardware vendors to prevent execution of arbitrary software (secure boot)
  • Used by OSes before installing binary drivers
  • Software is shipped with a digital signature and the signer's certificate
  • Root of trust: each layer verifies the next one before running it
    o Hardware checks the signature of the OS
    o OS checks the signature of applications
    o Application checks the signature of plug-ins
    o …
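The chain on this card, as an added example (not from the lecture and not any vendor's implementation): hardware holds a root public key, the OS image it verifies carries the key used for applications, the application carries the key used for plug-ins, and each stage's signature covers the key it ships so that the key cannot be swapped. Signing uses a toy textbook RSA (256-bit, no padding) written only so the example runs offline; `pack`, `try_boot`, the stage names and the three tampering scenarios are made up for the illustration.

```python
import hashlib
import random

# Toy textbook RSA (no padding, 256-bit modulus) so the example runs offline.
# It is here only to give the chain something to verify; never use it for real.
_MR_RNG = random.Random(0)


def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(rng, bits=256):
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e prime, so this means gcd == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)


# Chain of trust: every stage ships the public key it will use to check the
# next stage, and that key is part of the bytes the stage's signature covers.
MARK = b"||NEXT-PUB:"


def pack(code, next_pub=None):
    if next_pub is None:                         # last link, trusts nothing further
        return code
    return code + MARK + next_pub[0].to_bytes(32, "big") + next_pub[1].to_bytes(4, "big")


def embedded_pubkey(blob):
    i = blob.rfind(MARK)
    if i < 0:
        return None
    t = blob[i + len(MARK):]
    return int.from_bytes(t[:32], "big"), int.from_bytes(t[32:36], "big")


def try_boot(root_pub, stages):
    """stages: [(name, blob, sig), ...] in boot order. Returns (loaded, error).
    Stage i is checked with the key shipped inside stage i-1 (root for i=0)."""
    trusted, loaded = root_pub, []
    for name, blob, sig in stages:
        if trusted is None or not verify(trusted, blob, sig):
            return loaded, f"{name}: signature check failed, boot stopped"
        loaded.append(name)
        trusted = embedded_pubkey(blob)
    return loaded, None


def build_demo(seed=42):
    rng = random.Random(seed)
    root_pub, root_priv = keygen(rng)    # root_pub is burnt into the hardware
    os_pub, os_priv = keygen(rng)        # the OS trusts os_pub for applications
    app_pub, app_priv = keygen(rng)      # the app trusts app_pub for plug-ins
    os_blob = pack(b"kernel image (constructed)", os_pub)
    app_blob = pack(b"application binary (constructed)", app_pub)
    plugin_blob = pack(b"plug-in (constructed)")
    stages = [("os", os_blob, sign(root_priv, os_blob)),
              ("app", app_blob, sign(os_priv, app_blob)),
              ("plugin", plugin_blob, sign(app_priv, plugin_blob))]
    return root_pub, stages, rng


def tampered_variants(root_pub, stages, rng):
    """Three ways to break the chain; each stops the boot at the broken link."""
    (_, _, _), (_, app_blob, app_sig), (_, plugin_blob, _) = stages
    _, attacker_priv = keygen(rng)
    attacker_pub = (attacker_priv[0], 65537)
    modified_app = stages[:1] + [("app", app_blob.replace(b"binary", b"BINARY"), app_sig)] + stages[2:]
    wrong_key_plugin = stages[:2] + [("plugin", plugin_blob, sign(attacker_priv, plugin_blob))]
    swapped_key = stages[:1] + [("app", pack(app_blob.split(MARK)[0], attacker_pub), app_sig)] + stages[2:]
    return {"good": try_boot(root_pub, stages),
            "modified_app": try_boot(root_pub, modified_app),
            "plugin_wrong_key": try_boot(root_pub, wrong_key_plugin),
            "swapped_key": try_boot(root_pub, swapped_key)}


if __name__ == "__main__":
    for case, outcome in tampered_variants(*build_demo()).items():
        print(f"{case:18s} loaded={outcome[0]} error={outcome[1]}")
```

The third scenario is the one that matters most in practice: an attacker who can edit the application but cannot sign it also cannot replace the plug-in key it trusts, because the old signature no longer matches the altered bytes.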
27
Q

Give some examples of Malware “Prevention/detection systems”

A

  • At network level
    o E.g. a temporary filter that blocks a worm exploiting a known bug until the hosts are patched
  • At application level
    o E.g. SMTP servers inspecting mail and attachments
  • Behaviour based
    o E.g. it is unusual for a host to attempt, and fail, many TCP connections in a short time (a scanning worm)
    o E.g. an application that uses more CPU cycles than usual
  • Honeypots
    o Networked and local
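The behaviour-based check from the card above, as an added example (not code from the lecture or from any product): a sliding-window detector that flags a source which fails TCP connections to many distinct hosts within a few seconds, run over constructed connection-log lines. The log format, the addresses, the thresholds and the `detect_scanners` function are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not from any real product):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> result=OK|FAIL
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"dport=(?P<port>\d+) result=(?P<res>OK|FAIL)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_scanners(lines, threshold=8, window_s=10):
    """Flag a source that fails connections to `threshold` distinct destinations
    within any window_s-second window. Returns {src: (first_alert_time, count)}.
    Failures to the same destination (a retry) are not counted twice."""
    recent = defaultdict(deque)          # src -> (ts, dst) of recent failures
    alerts = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["res"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while ev["ts"] - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                  # drop failures older than the window
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (ev["ts"], len(distinct))
    return alerts


def sample_log():
    """Constructed traffic: one scanning host, one normal host, one slow failer."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    stamp = lambda **kw: (t0 + timedelta(**kw)).isoformat()
    lines = [f"{stamp(seconds=i)} src=10.0.0.5 dst=10.0.1.{i + 1} dport=445 result=FAIL"
             for i in range(12)]                         # 12 hosts in 12 seconds
    lines += [
        f"{stamp(seconds=1)} src=10.0.0.9 dst=10.0.1.1 dport=80 result=OK",
        f"{stamp(seconds=2)} src=10.0.0.9 dst=10.0.1.2 dport=22 result=FAIL",
        f"{stamp(seconds=3)} src=10.0.0.9 dst=10.0.1.3 dport=22 result=FAIL",
    ]
    lines += [f"{stamp(minutes=i)} src=10.0.0.7 dst=10.0.1.{i + 20} dport=445 result=FAIL"
              for i in range(10)]                        # one failure a minute: not a scan
    return lines


if __name__ == "__main__":
    for src, (when, count) in detect_scanners(sample_log()).items():
        print(f"ALERT {src}: {count} failed connections to distinct hosts by {when.time()}")
```

The worm-like host is flagged on its eighth failure; the host with two failures and the one that fails once a minute are not, which is the point of counting distinct destinations inside a short window rather than failures in total. Lowering the threshold trades fewer missed scanners for more false alerts on ordinary hosts.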

28
Q

List identifying features for each of the “four generations” of Anti virus

A

  • First – simple scanners that match known virus signatures
  • Second – heuristic scanners (integrity checks, searching for code fragments typical of viruses)
  • Third – activity traps that identify malicious actions at run time
  • Fourth – combination packages that bundle all of the above

29
Q

Explain what “Generic Decryption” is, and how it works

A
  • Run executable files through a GD scanner consisting of:
    o A CPU emulator (the file runs in a sandbox, never on the real CPU)
    o A virus signature scanner that checks the emulated memory for known signatures
    o An emulation control module that decides how long to keep emulating
  • Let the virus decrypt itself inside the emulator
  • Periodically scan the emulated memory for virus signatures
  • Issue: interpreting and scanning take a long time
    o Trade-off: chance of detection vs. time delay per file
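Generic decryption as an added example (not the lecture's code and not any real scanner): a tiny constructed instruction set, just enough to express "decrypt my body byte by byte", an emulator that runs an encrypted sample for a bounded number of steps and scans its memory every few steps, and the resulting trade-off between step budget and detection. The instruction set, the virus body, the key and the `generic_decryption_scan` function are all made up for the illustration.

```python
# Constructed toy instruction set for a GD-style emulator (not x86):
#   01 kk   KEY = kk          02 aa   PTR = aa          03 nn   CNT = nn
#   04      mem[PTR] ^= KEY; PTR += 1; CNT -= 1
#   05 tt   if CNT != 0: PC = tt            (loop back to the 04)
#   FF      halt (a real virus would now jump into the decrypted body)
VIRUS_BODY = b"GD-TEST-VIRUS-BODY: wipe(); spread(); halt()"   # constructed


def build_encrypted_sample(body=VIRUS_BODY, key=0x5c):
    """Bootstrap (10 bytes) followed by the XOR-encrypted body at offset 10."""
    assert 0 < key < 256 and len(body) < 256
    stub = bytes([0x01, key, 0x02, 10, 0x03, len(body), 0x04, 0x05, 6, 0xFF])
    return stub + bytes(b ^ key for b in body)


def generic_decryption_scan(image, signature, max_steps=1000, scan_interval=1):
    """Emulate `image` for at most max_steps instructions, scanning memory for
    `signature` every scan_interval steps and once more when emulation stops.
    Returns (detected, steps_executed)."""
    mem = bytearray(image)
    pc = key = ptr = cnt = steps = 0
    while steps < max_steps and pc < len(mem):
        op = mem[pc]
        steps += 1
        if op == 0x01:
            key, pc = mem[pc + 1], pc + 2
        elif op == 0x02:
            ptr, pc = mem[pc + 1], pc + 2
        elif op == 0x03:
            cnt, pc = mem[pc + 1], pc + 2
        elif op == 0x04:
            mem[ptr] ^= key
            ptr, cnt, pc = ptr + 1, cnt - 1, pc + 1
        elif op == 0x05:
            pc = mem[pc + 1] if cnt else pc + 2
        else:                      # 0xFF or anything unknown: stop emulating
            break
        if steps % scan_interval == 0 and signature in mem:
            return True, steps     # the control module can stop early here
    return signature in mem, steps


def budget_table(sample, signature, budgets=(10, 50, 100)):
    """The trade-off from the card: detection vs. emulation steps spent."""
    return {b: generic_decryption_scan(sample, signature, max_steps=b) for b in budgets}


if __name__ == "__main__":
    sample = build_encrypted_sample()
    print("static signature match:", VIRUS_BODY in sample)          # False
    for budget, (hit, used) in budget_table(sample, VIRUS_BODY).items():
        print(f"budget {budget:4d} steps -> detected={hit} after {used} steps")
```

Statically the body is never visible; in the emulator it appears after two steps per decrypted byte (here 90 steps for a 44-byte body), so a budget of 10 steps misses it while 100 catches it. Scanning less often (a larger `scan_interval`) costs a few extra steps before detection but makes each emulated file cheaper, which is the delay-versus-detection trade-off on the card.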