Lesson 10 - Chapter 1: Malware Flashcards
What is malware?
software designed to do something harmful to a system or network
(maldad)
What are 4 of the many types of malware?
v, b, t, r
- Virus
- Boot Sector Virus
- Trojan Horse
- Rootkit
What is a virus?
a program with 2 jobs: to replicate and to activate
What is replication? (Virus)
it makes copies of itself by injecting itself as extra code added to the end of executable programs or hiding out in a drive’s boot sector
What is activation? (Virus)
when a virus does something like corrupt data or steal private information
A virus only replicates to….
other drives (thumb drives, optical media)
Can a virus replicate itself across networks?
No
A virus needs ___ ___ to spread
human action
What is a boot sector virus?
a virus that infects the boot sector of the hard drive (so the virus loads on boot)
(stays in memory, infects other files as they run)
What is a Trojan Horse?
malware that pretends to do one thing but behind the scenes does something evil
(can be a game, fake security program, etc)
Can a Trojan Horse replicate?
No
(viruses do replicate though)
What is a Rootkit?
a program that takes advantage of very low-level operating system functions to hide itself from all but the most aggressive anti-malware tools
A rootkit by definition gains privileged access to a computer, which can strike what 3 things?
- Operating systems
- Hypervisors
- Firmware (hard drives, accessories)
What are 5 bad things malware can potentially do?
S
R
Z, b
C
G
- Harvest private information (spyware)
- Hold files for ransom (ransomware)
- Use the PC to attack other systems (zombie; botnet)
- Cryptomine
- Gain a foothold in the system
What is spyware?
software that spies on the computer user, collecting info about their activities and habits
Keyloggers are what type of software?
spyware
What are keyloggers? are they all malware? (2)
keyloggers log the user's keystrokes and send the data back to the spyware creator (harvesting important info like passwords and credit card numbers)
not all are malware, parental controls use keyloggers
What is ransomware?
encrypts all the data it gains access to on a system and even mapped network drives!
What happens after ransomware locks up all your data?
the ransomware application pops up a message asking for money (often bitcoins) to decrypt your data, often with a timer; if the timer reaches 0, it triggers the deletion of the encryption keys
What’s a zombie?
an infected computer that obeys the commands of the malware creator
(zombie puppet)
What is a botnet?
a network of infected computers under the control of a single person or group
(can easily grow into millions of zombies for large networks)
[zombie horde]
What is a bot herder? What does it activate?
controls the botnet actions, activates scripts installed on the zombies to launch an attack
[Puppet master]
What’s one of the most common ways to send spam?
using botnets (use hacked/stolen bandwidth)
Which method is used to launch Denial of Service (DoS) and Distributed DoS (DDoS) attacks?
botnets
What is crypto mining?
using a computer’s processing power to “mine” for cryptocurrency
What malware method is used for crypto mining?
botnets
(malware creators use bots to take control of zombies and steal processing power as a mining ‘team’)
How does malware help a criminal gain a foothold in the system?
some malware creates a backdoor that cybercriminals use to access the system’s data (can harvest info and sell it)
What’s one tricky thing about how malware presents?
it can appear like normal PC “wonkiness”
(momentary slowdowns, random one-time crashes, etc)
What are 8 symptoms of a PC infected by malware?
- sl
- ap
- cha
- me
- up
- lo
- ov
- se
- Slow PC
- Application crashes
- Changed permissions or missing or renamed files
- Messages you didn’t send
- Update/Protection software stops working
- Loss of Internet connectivity
- Overwritten Hosts file
- Security alerts
A slow PC can mean what 2 things?
- too many applications are open at once
- system hit with malware (like a botnet using up CPU)
How do you tell the difference between a normal application crash and malware?
if it's happening a lot (even when all applications are closed)
(the same goes for frequent lockups)
What does malware try to do to system files?
rename system files, change file permissions, or hide files
How would you know when malware is fighting back?
Windows Update stops working or tools show up as “Access Denied”
What do you do if removing malware broke your Internet connection?
reinstall your NIC and its drivers, reboot router, etc
What is a Hosts file?
a local file that overrules any DNS settings; malware can add entries to it that redirect your browser to whatever site the malware chooses
How would you know if malware has overwritten your hosts file?
you type in one web address and end up at a different site
What is rogue anti-malware?
free anti-malware applications that are actually malware
The only way to permanently protect your PC from malware is to what?
disconnect it from the Internet (unlikely scenario)
What are 4 tools you have for combating malware?
- Anti-malware software
- Training and awareness
- Patch management
- Remediation
What 2 ways does an anti-malware product protect your PC?
- Active seek and destroy mode
- Passive sentry mode
Is antivirus software the same as anti-malware?
malware is the more generic term and refers to all types; antivirus is an older term for software that removes viruses. Today, antivirus software can also target non-virus malware.
How do anti-malware programs detect boot sector viruses?
they compare the drive's boot sector to a standard boot sector, because most boot sectors are the same
___ viruses are harder to find because they can be found on any file in the drive
executable viruses
What does an anti-malware program use to detect executable viruses?
it uses a library of signatures
What are signatures?
a code pattern of known viruses
(virus code patterns, a virus’s signature)
Where is the library of signatures stored?
in a definition file
Anti-malware programs compare each executable file to its library of ____
signatures
The first line of defense shouldn’t be anti-malware but ___ ___
user education
What is patch management?
keeping systems patched
(automatic updating OS, otherwise update it manually)
What are the 7 steps to take to remediate malware?
On the A+ exams
- Identify malware symptoms
- Quarantine infected system
- Disable System Restore (Windows)
- Remediate infected systems (update anti-malware software, use scan and removal)
- Schedule scans and run updates
- Enable System Restore and create a restore point (Windows)
- Educate end users
What are 2 signs a PC might be infected?
- Starts spewing emails
- Was running fast yesterday but today it’s sluggish
What are 2 ways to disconnect and quarantine a system?
- Software employed on a network that automatically monitors and cuts off a machine from the network if it starts to send suspicious packets
- Manually disconnect the network cable
Before making any changes to get rid of the virus/malware, what should you do? Why?
disable System Restore so the virus isn't included in any restore points going forward
How do you turn off System Restore in Windows?
Settings > System > About > System Protection > Select Drive > Configure > Disable system protection
What kinds of events might malware leave traces of in Event Viewer? (3)
- Destabilizing programs
- Disabling protection services
- Triggering warnings about resource use
What do you do after you’ve isolated the infected computer(s)?
get to a safe boot environment and run anti-malware software
(try Windows Recovery Environment first because it only requires a reboot)
How do you boot into the Windows Recovery Environment?
Hold down SHIFT as you click the POWER button on the START menu
What do you do if you suspect a boot sector virus and can’t use Windows Recovery Environment?
use an external bootable source (bootable CD or USB flash drive)
Get into the habit of keeping around a bootable anti-malware flash drive or optical media so you…?
can use the boot media if you suspect a virus or other malware, even if the anti-malware program says it eliminated the problem
(boots you into a clean environment)
How do you boot from an anti-malware disc or drive?
change CMOS settings to boot to optical or USB media
What options do you have for creating a bootable optical disc or flash drive? 3
- Anti-malware software in a bootable version (Avast! Virus Cleaner Tool)
- Download a copy of Linux that offers a live CD/DVD option like Ubuntu so you can boot to the disc and install a complete working copy of the OS into RAM to be Internet-ready and access anti-malware sites for tools
- Download and burn a copy of Ultimate Boot CD (contains several anti-malware programs but out of date)
What do you do after you get into a boot environment?
update your anti-malware software and run its most comprehensive scan; also check all removable media exposed to the system and any system that received data from it
When would you need to turn to an external (anti-malware) boot environment?
When Windows Recovery Environment doesn’t work or it might be a boot sector virus
What does remediation mean?
Fixing files that the malware harmed
What do you do if you can’t start Windows after the malware scan is finished?
boot from Windows setup media and use the Windows Recovery Environment/System Recovery options
What should you remember to do after the system has been repaired?
re-enable System Restore and create a new restore point