Lecture 10: Malware Flashcards

1
Q

List some techniques used for propagation of malware

A
  • Virus
  • Trojan horse
  • Worm
  • Backdoor
  • Attack kit
  • Auto-rooter
  • Downloader
2
Q

List some techniques used as payloads in malware

A
  • Adware
  • Flooders
  • Keyloggers, Spyware
  • Zombie, bot
  • Logic bomb
  • Ransomware
  • Rootkit
  • Spammers
3
Q

Explain what a “Worm” is, and how it works

A
  • Self-replicating program that propagates over the network
    o Via e-mail, remote execution/login, or a software flaw; also via removable media (USB sticks)
    o Zero-day exploits
    o Old, unpatched bugs (e.g. the Server Message Block (SMB) flaw used by the leaked NSA exploit tools)
  • Has the same phases as a virus (dormant, propagation, triggering, execution):
    o Does not necessarily damage the system immediately
    o Propagation phase: searches for other systems, connects to them, copies itself over and runs the copy there
4
Q

Explain what a “Virus” is, and how it works

A
  • Piece of software that infects other programs
    o Modifying them to include a copy of the virus
    o So that the virus executes secretly whenever the host program is run
5
Q

List the four phases of a typical “Virus”

A
  • A typical virus goes through the phases:
    o Dormant
    o Propagation
    o Triggering
    o Execution
6
Q

List the four components of a typical “virus”

A

o Infection mechanism – enables replication
o Modification engine – for disguise
o Trigger – event that makes payload activate
o Payload – what it does, malicious or benign

7
Q

List some techniques a virus can use in order to hide itself

A
  • Naïve (simply self replicating)
  • Compress parts of self to hide size
  • Encryption
  • Polymorphism
8
Q

Explain how a “Naïve (simply self replicating) virus” can easily be found by virus protection software

A

A naïve (simply self-replicating) virus adds its own code to the host program, so the size of every infected program changes; virus protection software can detect it by comparing file sizes against the known-good values.

9
Q

Explain how a (partially) compressed “virus” can be found by virus protection software

A
  • Compression hides the change in size, but not the change in content, so detection can be done by inspecting the contents of potentially infected programs,
  • Checking a signature (e.g. a hash) of potentially infected programs against the known-good value, or
  • Examining whether a program contains the fixed virus code V, which is stored in clear even when the host is compressed
10
Q

Explain how “Encrypted viruses” work

A
  • On infection:
    o Generate a (random) key
    o Encrypt the virus body with it
    o Copy into the host
      ♣ The bootstrap (decryption engine plus the key), in clear, and
      ♣ The encrypted virus body
  • When the infected program starts:
    ♣ The bootstrap decrypts the virus body in memory
    ♣ Then executes it
11
Q

Explain how an “Encrypted Virus” can be found by virus protection software

A

The encrypted body has no fixed signature (a fresh key is used on every infection), but the bootstrap (decryption engine) is the same in every copy, so we can look for the signature of that routine; an integrity checker can also detect that the contents of the program have changed.

12
Q

Briefly explain how “Polymorphic viruses” work

A

  • Rebuild the whole virus at every infection into something functionally identical but with a different byte pattern
    ♣ Either add non-functional (junk) instructions, or
    ♣ Re-order or replace instructions with equivalent ones
  • The mutation is applied to the decryption engine as well, so not even the bootstrap has a fixed signature

13
Q

Briefly explain how a “Polymorphic Virus” can be found by virus protection software

A

  • Focus on the decryption engine: whatever form it takes, it must still decrypt the body before the virus can run, so run it in an emulator and scan the result (generic decryption, card 29) rather than looking for a fixed byte pattern

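Worked example (added here, not part of the lecture's flashcards): a toy model in Go of the naïve, encrypted and polymorphic variants from cards 8 and 10 to 13, and of what a first-generation signature scanner sees in each. The virus body, the decryptor "instructions", the junk instructions and the host program are all constructed strings, and XOR with a one-byte key stands in for the real cipher. The naïve copy changes the file size and exposes the body; the encrypted copy hides the body but keeps a constant stub that the scanner can sign on; the polymorphic copy mutates the stub too, so neither signature matches, although every copy still decrypts to the same body.

```go
package main

import (
	"bytes"
	"fmt"
	"math/rand"
	"strings"
)

// Constructed toy virus body, the fixed code "V" of the lecture. A real body
// would be machine code; a recognisable byte string is enough for the idea.
var virusBody = []byte("infect();trigger();payload();")

// Byte pattern a signature scanner has extracted from the plaintext body.
var bodySignature = []byte("trigger();payload()")

// Decryption stub (bootstrap) of the encrypted virus, kept as separate
// "instructions" so that the polymorphic variant can interleave junk.
var stubInstructions = []string{"LOAD-KEY;", "LOOP:", "XOR;", "NEXT;", "JNZ-LOOP;"}

// Byte pattern a signature scanner has extracted from the constant stub.
var stubSignature = []byte("LOOP:XOR;NEXT;JNZ-LOOP;")

// Junk instructions that change nothing when executed.
var junk = []string{"NOP;", "ADD-0;", "PUSH-POP;"}

// Infection is what one infection writes to disk, plus the one thing the
// running bootstrap knows about itself: how long its own stub is.
type Infection struct {
	File    []byte
	StubLen int
}

// xorCrypt is the toy cipher; XOR is its own inverse, so it decrypts too.
func xorCrypt(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// naiveInfect appends the plaintext body: the file grows and V is visible.
func naiveInfect(host []byte) []byte {
	return append(append([]byte{}, host...), virusBody...)
}

// constantStub is the bootstrap of a plain encrypted virus: identical in
// every copy, so it has a stable signature.
func constantStub() []byte {
	return []byte(strings.Join(stubInstructions, ""))
}

// mutatedStub inserts 1..3 random junk instructions before every real one:
// every copy behaves the same, but no two share the stub's byte pattern.
func mutatedStub(r *rand.Rand) []byte {
	var out []byte
	for _, ins := range stubInstructions {
		for n := 1 + r.Intn(3); n > 0; n-- {
			out = append(out, junk[r.Intn(len(junk))]...)
		}
		out = append(out, ins...)
	}
	return out
}

// infectWithStub writes host || stub || key || E_key(body). A fresh key is
// drawn for every infection, so the encrypted body differs in every copy.
func infectWithStub(host, stub []byte, r *rand.Rand) Infection {
	key := byte(1 + r.Intn(255)) // never 0: XOR with 0 would leave V in clear
	file := append([]byte{}, host...)
	file = append(file, stub...)
	file = append(file, key)
	file = append(file, xorCrypt(virusBody, key)...)
	return Infection{File: file, StubLen: len(stub)}
}

// encryptedInfect: encrypted body behind a constant decryption stub.
func encryptedInfect(host []byte, seed int64) Infection {
	return infectWithStub(host, constantStub(), rand.New(rand.NewSource(seed)))
}

// polymorphicInfect: encrypted body behind a freshly mutated stub.
func polymorphicInfect(host []byte, seed int64) Infection {
	r := rand.New(rand.NewSource(seed))
	return infectWithStub(host, mutatedStub(r), r)
}

// Run models the bootstrap executing: read the key stored after the stub
// and decrypt the body in memory, which is why the virus still works.
func (inf Infection) Run(hostLen int) []byte {
	keyPos := hostLen + inf.StubLen
	return xorCrypt(inf.File[keyPos+1:], inf.File[keyPos])
}

// hasSignature is a first-generation scanner: a plain byte-pattern search.
func hasSignature(file, sig []byte) bool { return bytes.Contains(file, sig) }

func main() {
	host := []byte("#!/bin/sh\necho hello\n") // constructed host program
	n := naiveInfect(host)
	fmt.Printf("naive:       size changed=%v body-sig=%v\n", len(n) != len(host), hasSignature(n, bodySignature))
	e := encryptedInfect(host, 1)
	fmt.Printf("encrypted:   body-sig=%v stub-sig=%v\n", hasSignature(e.File, bodySignature), hasSignature(e.File, stubSignature))
	p := polymorphicInfect(host, 1)
	fmt.Printf("polymorphic: body-sig=%v stub-sig=%v\n", hasSignature(p.File, bodySignature), hasSignature(p.File, stubSignature))
	fmt.Printf("both copies still decrypt to V: %v\n",
		bytes.Equal(e.Run(len(host)), virusBody) && bytes.Equal(p.Run(len(host)), virusBody))
}
```

The seeds are fixed only so that a run is reproducible; with a fresh seed per infection no two polymorphic copies share either the key or the stub bytes, which is exactly the situation that forces the scanner away from byte patterns and toward emulating the decryptor (generic decryption, card 29).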
14
Q

Explain what a “Macro Virus” is, how it works, and some of its strengths

A
  • Exploit the macro/scripting capability of applications
    o Visual Basic (for Applications), Elisp, JavaScript, …
  • Strengths (why attackers like them):
    o Platform independent (tied to the application, not the OS)
    o Infect documents rather than executables, which users exchange freely
    o Are easily spread (e.g. as e-mail attachments)
15
Q

Give an example of an “E-mail Virus”, and how it works

A
  • E.g. Melissa (1999)
    o Exploits an MS Word macro in an attached document
    o If the attachment is opened, the macro activates
    o Sends itself by e-mail to addresses in the user's address book, and
    o Does local damage
16
Q

Explain what a “Trojan Horse” is, and how it works

A
  • Based on social engineering
  • It’s a program with two purposes, one obvious and one hidden from the user
  • Today it’s often used to install other software or backdoors
  • Trojan horses can be built
    o From existing programs using a special wrapper
    o Or designed from the start to be one
17
Q

Give some examples of “Integrity-loss”, and some causes for it

A
  • Deletion or modification of files, contacts, etc.
  • Used in ransomware, which:
    o Encrypts the victim's files
    o Deletes the originals
    o Collects ransom money (e.g. in Bitcoin) in exchange for the decryption key
18
Q

Give some examples of “Availability-loss”

A
  • Deletion of files, change of firewall rules (so that services or users are locked out)
  • Loss of physical integrity (damaged hardware)

19
Q

Explain what a “Logic-Bomb” is, and how it works

A
  • A small piece of code that triggers on a specific condition (a date, an event, the absence of a file, …)
  • Typically with malicious results
  • No vector for spreading
  • Installed directly
  • Example: a disgruntled (ex-)employee plants a piece of code that, on a given date, attempts to wipe all company servers
20
Q

Explain what a “Bot” is, and how it works

A
  • Program that secretly takes over another Internet-attached computer
  • Uses it to launch attacks that are hard to trace back to the bot's creator
  • If coordinated as a botnet, characteristics:
    o Remote control facility (command-and-control channel)
    o Multi-layered network of bots
21
Q

Give some examples of possible uses for “Bots”

A
  • DDoS
  • Spamming
  • Manipulating on-line surveys
  • Using the victims' computational resources
    o E.g. Bitcoin mining, password brute forcing
  • Cheating ad-providers (click fraud)
  • Spreading new malware
22
Q

Give some examples of “Confidentiality-loss”

A
  • Keyloggers/PIN loggers
    o Password theft
  • Spyware
    o Camera
    o Documents
  • Phishing
  • Espionage
  • Identity theft
23
Q

Explain what “Backdoors” are, and how they work

A
  • Software that gives access to a system
  • Bypassing the OS's normal login/authentication restrictions
  • Often installed for legitimate reasons (e.g. by programmers for debugging and testing)
  • Only to later be abused
24
Q

Explain what “Rootkits” are, and how they work

A
  • Set of programs installed to maintain covert administrator (root) access
  • Makes malicious and stealthy changes to the OS
  • Hides its own existence
    o By subverting the mechanisms that report on processes, files, registry entries, etc.
  • Runs in user or kernel mode (kernel-mode rootkits are harder to detect)
  • Installed by a Trojan or a worm
25
Q

List some examples of countermeasures against malware

A
  • Code signing
  • Prevention/detection systems
  • Generic decryption
26
Q

Explain how "Code Signing" works

A
  • Used in digital SW distribution
  • Used by HW vendors to prevent execution of arbitrary SW
  • Used by OSes to install binary drivers
  • SW is shipped with a digital signature and the certificate of the signing key
  • Root of trust: a chain of checks
    o HW checks the signature of the OS
    o OS checks the signature of apps
    o App checks the signature of plug-ins
    o …
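Worked example (added here, not from the lecture): the chain of checks above in Go, using the standard library's Ed25519. The certificate format, the names ExampleOS and ExampleApp, the hardware root key and the plug-in bytes are all constructed for the example. The structure is the one on the card: the hardware root vouches for the OS key, the OS key for the app key, and the app key signs the plug-in, so the verifier walks the same chain top-down from the only key it trusts a priori. A modified plug-in fails, and so does a plug-in signed under a chain the attacker built himself, however well-formed that chain is.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate is a deliberately minimal stand-in for an X.509 certificate:
// a subject, its public key, and the issuer's signature over both.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// tbs is the "to be signed" encoding: subject, a separator, the key bytes.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// issueCert: an issuer vouches for a subject's public key.
func issueCert(issuer ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PublicKey: pub, Signature: ed25519.Sign(issuer, tbs(subject, pub))}
}

// signBinary: the leaf key signs the SHA-256 digest of the shipped bytes.
func signBinary(leaf ed25519.PrivateKey, binary []byte) []byte {
	h := sha256.Sum256(binary)
	return ed25519.Sign(leaf, h[:])
}

// verifyChain walks down from the root of trust: every key must be vouched
// for by the key above it, and the last key must have signed the binary.
// root is the only key the verifier trusts a priori (e.g. burned into HW).
func verifyChain(root ed25519.PublicKey, chain []Certificate, binary, sig []byte) error {
	issuer, issuerName := root, "root"
	for _, c := range chain {
		if !ed25519.Verify(issuer, tbs(c.Subject, c.PublicKey), c.Signature) {
			return fmt.Errorf("certificate for %q is not signed by %q", c.Subject, issuerName)
		}
		issuer, issuerName = c.PublicKey, c.Subject
	}
	h := sha256.Sum256(binary)
	if !ed25519.Verify(issuer, h[:], sig) {
		return fmt.Errorf("binary digest is not signed by %q", issuerName)
	}
	return nil
}

// scenario builds a three-level chain (hardware root -> OS -> app) with
// hypothetical names, signs a plug-in with the app key, and returns the
// verification errors for the genuine plug-in, a tampered copy, and a
// plug-in signed by an attacker under a chain of his own making.
func scenario() (genuine, tampered, rogue error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // HW vendor's key
	osPub, osPriv, _ := ed25519.GenerateKey(rand.Reader)
	appPub, appPriv, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Certificate{
		issueCert(rootPriv, "ExampleOS", osPub), // HW vendor signs the OS key
		issueCert(osPriv, "ExampleApp", appPub), // OS vendor signs the app key
	}
	plugin := []byte("plugin v1: do_useful_work()") // constructed plug-in bytes
	sig := signBinary(appPriv, plugin)             // app vendor signs the plug-in
	genuine = verifyChain(rootPub, chain, plugin, sig)

	tamperedPlugin := append([]byte{}, plugin...)
	tamperedPlugin[0] ^= 0xFF // one flipped byte changes the digest
	tampered = verifyChain(rootPub, chain, tamperedPlugin, sig)

	// Attacker: own root and own "ExampleApp" certificate. Structurally
	// valid, but the device's real root never vouched for it.
	_, evilRoot, _ := ed25519.GenerateKey(rand.Reader)
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilChain := []Certificate{issueCert(evilRoot, "ExampleApp", evilPub)}
	rogue = verifyChain(rootPub, evilChain, plugin, signBinary(evilPriv, plugin))
	return genuine, tampered, rogue
}

func main() {
	g, t, r := scenario()
	fmt.Println("genuine plug-in:  ", g)
	fmt.Println("tampered plug-in: ", t)
	fmt.Println("attacker's chain: ", r)
}
```

Everything below the root is only as trustworthy as the verification of the level above it: a verifier that skipped the certificate check and only verified the binary against whatever key came with it would accept the attacker's chain.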
27
Q

Give some examples of Malware "Prevention/detection systems"

A
  • At network level
    o E.g. to temporarily block a worm that exploits a known bug until hosts are patched
  • At application level
    o E.g. SMTP servers inspecting mails
  • Behaviour based
    o E.g. it is unusual for a host to attempt and fail several TCP connections in a short time
    o E.g. an application that uses more CPU cycles than usual
  • Honeypots
    o Networked and local
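Worked example (added here, not from the lecture): the "attempts and fails several TCP connections" rule above as detection logic in Go, run over a constructed connection log. The log format, the host addresses and the thresholds are invented for the example. The rule flags a source that fails to reach at least N distinct destinations inside any sliding time window of the chosen length; that separates a scanning worm (10.0.0.5 here, sweeping port 445) from a host with the occasional failed connection, and widening the window also catches a slow scanner (10.0.0.9).

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed connection log: timestamp, source host, destination host:port,
// outcome (OK = handshake completed, FAIL = timed out or refused).
const sampleLog = `2024-03-01T10:00:01Z 10.0.0.5 10.0.1.20:445 FAIL
2024-03-01T10:00:02Z 10.0.0.5 10.0.1.21:445 FAIL
2024-03-01T10:00:02Z 10.0.0.7 10.0.1.30:80 OK
2024-03-01T10:00:03Z 10.0.0.5 10.0.1.22:445 FAIL
2024-03-01T10:00:04Z 10.0.0.5 10.0.1.23:445 FAIL
2024-03-01T10:00:05Z 10.0.0.7 10.0.1.31:443 FAIL
2024-03-01T10:00:06Z 10.0.0.5 10.0.1.24:445 FAIL
2024-03-01T10:00:07Z 10.0.0.7 10.0.1.30:80 OK
2024-03-01T10:00:08Z 10.0.0.5 10.0.1.25:445 FAIL
2024-03-01T10:00:09Z 10.0.0.9 10.0.1.40:22 FAIL
2024-03-01T10:02:09Z 10.0.0.9 10.0.1.41:22 FAIL
2024-03-01T10:04:09Z 10.0.0.9 10.0.1.42:22 FAIL
2024-03-01T10:06:09Z 10.0.0.9 10.0.1.43:22 FAIL
2024-03-01T10:08:09Z 10.0.0.9 10.0.1.44:22 FAIL
`

type failure struct {
	at  time.Time
	dst string // destination host without the port
}

// parseFailures keeps only the failed attempts, grouped by source host.
// Malformed lines are skipped rather than aborting the whole scan.
func parseFailures(log string) map[string][]failure {
	out := map[string][]failure{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[3] != "FAIL" {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		host := f[2]
		if i := strings.LastIndex(host, ":"); i >= 0 {
			host = host[:i]
		}
		out[f[1]] = append(out[f[1]], failure{ts, host})
	}
	return out
}

// suspectedScanners returns, sorted, every source that failed to connect to
// at least `threshold` distinct destinations inside some span of length
// `window`: a sliding window over each source's time-ordered failures.
func suspectedScanners(log string, window time.Duration, threshold int) []string {
	var flagged []string
	for src, fails := range parseFailures(log) {
		sort.Slice(fails, func(i, j int) bool { return fails[i].at.Before(fails[j].at) })
		for i := range fails {
			seen := map[string]bool{}
			for j := i; j < len(fails) && fails[j].at.Sub(fails[i].at) <= window; j++ {
				seen[fails[j].dst] = true
			}
			if len(seen) >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println("1-minute window, 5 failures: ", suspectedScanners(sampleLog, time.Minute, 5))
	fmt.Println("10-minute window, 5 failures:", suspectedScanners(sampleLog, 10*time.Minute, 5))
}
```

Counting distinct destinations rather than raw failures is what keeps a host that repeatedly retries one dead server from being flagged; the window and threshold are the knobs that trade false positives against missing slow scans.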
28
Q

List identifying features for each of the "four generations" of anti-virus

A
  • First – simple signature scanners
  • Second – heuristic rules (e.g. code fragments typical of viruses, integrity checks)
  • Third – memory-resident programs that identify malware by its actions
  • Fourth – combination packages of all the above techniques
29
Q

Explain what "Generic Decryption" is, and how it works

A
  • Run executable files through a GD scanner that contains:
    o A CPU emulator (the file is interpreted in a sandbox, so it cannot harm the real system)
    o A virus signature scanner for known virus signatures
  • Let the (encrypted/polymorphic) virus decrypt itself inside the interpreter
  • Periodically scan the emulated memory for virus signatures
  • Issue: interpreting and scanning takes time
    o Trade-off: how long to emulate (chance of detection) vs. time delay
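Worked example (added here, not part of the lecture): a generic-decryption scanner in Go. The toy CPU with seven opcodes, the decryptor stub, the virus body and its signature are all constructed for the example; a real GD scanner emulates x86 and knows many signatures, but the mechanism is the same: load the file into a private memory copy, interpret its decryptor for a bounded number of instructions, and scan that memory periodically. With enough budget the stub has decrypted the body and the signature appears; with too small a budget it does not, which is the time-versus-detection trade-off on the card.

```go
package main

import (
	"bytes"
	"fmt"
)

// Toy instruction set for the emulated CPU. A decryptor stub is a small
// program over this ISA that unscrambles the bytes following it.
const (
	opLDK = 0x01 // LDK imm8    key <- imm
	opLDP = 0x02 // LDP imm16   ptr <- imm (little endian)
	opLDC = 0x03 // LDC imm16   cnt <- imm
	opXOR = 0x04 // XOR         mem[ptr] <- mem[ptr] ^ key
	opINC = 0x05 // INC         ptr++, cnt--
	opJNZ = 0x06 // JNZ imm16   if cnt != 0 then pc <- imm
	opHLT = 0x07 // HLT         stop
)

// Constructed signature a scanner knows for the plaintext virus body.
var signature = []byte("payload();")

// buildSample assembles decryptor || E_key(body): the on-disk shape of an
// encrypted virus, in which the body carries no static signature.
func buildSample(body []byte, key byte) []byte {
	const stubLen = 14 // bytes of stub below; the body starts right after it
	n := len(body)
	stub := []byte{
		opLDK, key,
		opLDP, byte(stubLen), byte(stubLen >> 8),
		opLDC, byte(n), byte(n >> 8),
		opXOR,       // offset 8: loop body
		opINC,       // offset 9
		opJNZ, 8, 0, // offset 10: back to the XOR while cnt != 0
		opHLT,       // offset 13
	}
	out := append([]byte{}, stub...)
	for _, b := range body {
		out = append(out, b^key)
	}
	return out
}

// Result of one generic-decryption run.
type Result struct {
	Detected     bool // signature seen in emulated memory
	Instructions int  // emulated instructions spent
	Halted       bool // program reached HLT before the budget ran out
}

// genericDecrypt loads the file into a private sandbox memory, interprets
// it for at most `budget` instructions, and scans that memory for the
// signature every `scanEvery` (>= 1) instructions and once more on HLT.
// Nothing here runs on the real CPU or touches the real file.
func genericDecrypt(file, sig []byte, budget, scanEvery int) Result {
	mem := append([]byte{}, file...)
	var key byte
	var ptr, cnt, pc int
	res := Result{}
	fetch := func(i int) byte { // out-of-range reads yield 0 instead of panicking
		if i >= 0 && i < len(mem) {
			return mem[i]
		}
		return 0
	}
	imm16 := func(i int) int { return int(fetch(i)) | int(fetch(i+1))<<8 }
	for res.Instructions < budget && pc < len(mem) {
		res.Instructions++
		switch mem[pc] {
		case opLDK:
			key, pc = fetch(pc+1), pc+2
		case opLDP:
			ptr, pc = imm16(pc+1), pc+3
		case opLDC:
			cnt, pc = imm16(pc+1), pc+3
		case opXOR:
			if ptr >= 0 && ptr < len(mem) {
				mem[ptr] ^= key
			}
			pc++
		case opINC:
			ptr, cnt, pc = ptr+1, cnt-1, pc+1
		case opJNZ:
			if cnt != 0 {
				pc = imm16(pc + 1)
			} else {
				pc += 3
			}
		case opHLT:
			res.Halted = true
			res.Detected = bytes.Contains(mem, sig)
			return res
		default: // unknown opcode: not code we can emulate, give up
			return res
		}
		if res.Instructions%scanEvery == 0 && bytes.Contains(mem, sig) {
			res.Detected = true
			return res
		}
	}
	return res
}

func main() {
	body := []byte("infect();trigger();payload();") // constructed virus body
	sample := buildSample(body, 0x5A)
	fmt.Println("static signature scan:", bytes.Contains(sample, signature))
	fmt.Printf("generic decryption, budget 1000: %+v\n", genericDecrypt(sample, signature, 1000, 10))
	fmt.Printf("generic decryption, budget 20:   %+v\n", genericDecrypt(sample, signature, 20, 10))
}
```

The static scan misses the sample because every body byte is XORed; the emulated run finds the signature once the loop has reached the bytes it covers, and the second run shows why the budget matters: the decryptor was cut off after six bytes, so the signature never materialised.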