Lecture 10: Malware Flashcards
List some techniques used for propagation of malware
- Virus
- Trojan horse
- Worm
- Backdoor
- Attack kit
- Auto-rooter
- Downloader
List some techniques used as payloads in malware
- Adware
- Flooders
- Keyloggers, Spyware
- Zombie, bomb
- Logic bomb
- Ransomware
- Rootkit
- Spammers
Explain what a “Worm” is, and how it works
- Replicating program that propagates over net
o Using email, remote exec, SW flaw (USB stick)
o Zero-day exploit
o Old bugs (NSA Leakage, Server Message Block (SMB), etc.)
- Has phases:
o Does not damage the system immediately
o Propagation phase: searches for other systems, connects to them, copies itself to them and runs
Explain what a “Virus” is, and how it works
- Piece of software that infects programs
o Modifying them to include a copy of the virus
o So it executes secretly when the host program is run
List the four phases of a typical “Virus”
- A typical virus goes through phases of:
o Dormant
o Propagation
o Triggering
o Execution
List the four components of a typical “virus”
o Infection mechanism – enables replication
o Modification engine – for disguise
o Trigger – event that makes payload activate
o Payload – what it does, malicious or benign
List some techniques a virus can use in order to hide itself
- Naïve (simply self-replicating)
- Compress parts of self to hide size
- Encryption
- Polymorphism
Explain how a “Naïve (simply self-replicating) virus” can easily be found by virus protection software
A Naïve (simply self-replicating) virus can be detected by the change in file size of infected programs
Explain how a (partially) compressed “virus” can be found by virus protection software
- Detection can be done through inspecting contents of potentially infected programs,
- Checking the signature of potentially infected programs, or
- Examining if a program contains the fixed code V of a virus
Explain how “Encrypted viruses” work
o Generate key
o Encrypt virus body
o Copy
♣ The bootstrap (decryption engine with key), and
♣ The encrypted virus body
o When started
♣ Decrypt the virus body
♣ Execute
Explain how an “Encrypted Virus” can be found by virus protection software
We can look for the program signature, and inspect whether the contents of the program have changed
Briefly explain how “Polymorphic viruses” work
o Rebuild the whole virus at every infection to something functionally identical
♣ Either add non-functional code, or
♣ Re-order instructions
Briefly explain how a “Polymorphic Virus” can be found by virus protection software
o Focus on the decryption engine
Explain what a “Macro Virus” is, how it works, and some of its strengths
• Exploit macro/scripting capability of apps
o Basic, Elisp, Javascript, …
• Why:
o Platform independent
o Infects documents
o Is easily spread
Give an example of an “E-mail Virus”, and how it works
• E.g. Melissa
o Exploits MS Word Macro in attached doc
o If attachment opened, macro activates
o Sends email to all users in the address-book, and
o does local damage
Explain what a “Trojan Horse” is, and how it works
- Based on social engineering
- It’s a program with two purposes, one obvious and one hidden from the user
- Today it’s often used to install other software or backdoors
- Trojan horses can be built
o From existing programs using a special wrapper
o Or designed from the start to be one
Give some examples of “Integrity-loss”, and some causes for it
- Deletion of files, contacts, etc.
- Used in ransomware, to:
o Encrypt files
o Delete files
o Collect ransom money (e.g. bitcoin)
Give some examples of “Availability-loss”
- Deletion of files, change of firewall rules
- Physical integrity
Explain what a “Logic-Bomb” is, and how it works
- A small bit of code that triggers on a specific condition
- Typically with malicious results
- No vector for spreading
- Installed directly
- Example: Disgruntled ex-employee plants a piece of code that at a given date will attempt to wipe out all company servers
Explain what a “Bot” is, and how it works
- Program taking over other computers
- To launch hard-to-trace attacks
- If coordinated from a botnet, characteristics:
o Remote control facility
o Multi-layered network of bots
Give some examples of possible uses for “Bots”
o DDoS
o Spamming
o Manipulating on-line surveys
o For using computational resources
♣ E.g. bitcoin mining, password brute-forcing
o Cheating ad-providers
o Spreading new malware
Give some examples of “Confidentiality-loss”
- Key loggers/pin loggers
o Password theft
- Spyware
o Camera
o Documents
- Phishing
- Espionage
- Identity theft
Explain what “Backdoors” are, and how they work
- Software that gives access to a system
- Bypassing OS-login restrictions
- Often installed for legitimate reasons
- Only to later be abused
Explain what “Rootkits” are, and how they work
- Program installed for admin access
- Malicious and stealthy changes to OS
- May hide its existence
o Subverting report mechanisms on processes, files, registry entries etc.
- User or kernel mode
- Installed by Trojan or worm
List some examples of countermeasures against malware
- Code signing
- Prevention/detection systems
- Generic Decryption
Explain how “Code Signing” works
• Used in digital SW distribution
• Used by HW vendors to prevent execution of arbitrary SW
• Used by OSes to install binary drivers
• SW shipped with a digital certificate
• Root of trust
o HW checks signature of OS
o OS checks signature of apps
o App checks signature of plug-ins
o …
Give some examples of Malware “Prevention/detection systems”
• At network level
o E.g. to temporarily prevent a worm infection due to a known bug
• At application level
o E.g. SMTP servers inspecting mails
• Behavioral based
o E.g. it is unusual for a program to attempt and fail several TCP connections
o E.g. An application that uses more CPU cycles than usual
• Honeypots
o Networked and local
List identifying features for each of the “four generations” of Anti-virus
o First – signature scanners
o Second – heuristics
o Third – identify actions
o Fourth – combination packages
Explain what “Generic Decryption” is, and how it works
- Run executable files through GD scanner:
o CPU emulator
o Virus scanner to check known virus signatures
- Let virus decrypt itself in interpreter
- Periodically scan for virus signatures
- Issue: interpreting and scanning takes a long time
o Trade-off: chance of detection vs. time delay