M7: Malware - C.7 Flashcards

To cement key concepts about Malware

1
Q

Definition of Malware

M7: Malware - C.7

A

Software purposefully designed to have effects that are not in the user's best interest. P. 184

2
Q

Definition of Harmful software

A

Software that causes some damage, either deliberately (Malware) or inadvertently due to poor design/implementation etc. P. 184

3
Q

Malware vs Harmful software

A

Harmful software includes software that inadvertently causes harm, while Malware only includes software that intentionally causes it. Thus Malware is a subcategory of Harmful software. P. 184

4
Q

What makes Malware hard to detect? Big picture

A

It is often less about what it does and more about what the intent is, such as with a remote desktop connection. It also depends on one's definition of Malware: are ads malicious, or is gathering data? P. 185

5
Q

Definition of Virus

A

A program that can infect other programs or files by modifying them to include a copy of itself. P. 186

6
Q

How does a virus work

A

They inject themselves into other programs or files in such a way that they are executed when the host program is executed. They can coexist with or co-opt the host, depending on design. P. 186

7
Q

Life cycle of a Virus

A

1) Dormant - waiting for host execution
2) Propagation - when host is executed virus attempts to propagate to other hosts (programs, devices etc)
3) Trigger condition - determines if the conditions are right for payload deployment
4) Payload - The malicious payload is executed. P. 187

8
Q

Life cycle of a Worm

A

1) Propagation - automatic and continued propagation
3) Trigger condition - determines if the conditions are right for payload deployment
4) Payload - The malicious payload is executed. P. 187

9
Q

Worm vs Virus

A

Worms propagate automatically - Viruses rely on user interaction
Worms propagate directly over the network - Viruses propagate on and through hosts
Worms exploit software vulnerabilities - Viruses abuse software features or rely on social engineering P. 187

10
Q

Email-Based Malware

A

Spreads through email attachments and email infrastructure. Often referred to as Email Virus, Email Worm or Mass-Mailing Worm-Virus. It spreads rapidly, often using the victim's email and contact lists to find new targets. P. 187

11
Q

Virus infected programs.

A

Viruses either:
1) Prepend virus before code. Retains program. Increases file size
2) Append virus after code. Retains program. Increases file size
3) Overwrite from top. Destroys program. Retains file size
4) Overwrite center. Destroys program. Retains file size
5) Other variants exist
P. 187-188

12
Q

Virus infected Datafiles

A

Modern text files require special processing to display and are thus vulnerable to viruses and/or malware.

13
Q

Can all viruses be detected by a single program?

A

No. A virus could simply not deploy if it detects an antivirus program.

14
Q

Virus detection strategies

A

1) Malware signatures - Deny listing
2) Integrity checking - Allow listing
3) Behavioral Signatures
4) Sandboxing

15
Q

Virus detection - Malware signatures

A

Short byte sequences that identify a program as known malware. Candidates are compared against lists of known Malware signatures.

16
Q

Virus detection - Integrity Checking

A

The program's hash is compared against the known valid hash of the program.

17
Q

Virus detection - Behavioral Signatures

A

Malware is detected by certain sequences of actions such as massive file deletion or use of system calls etc.

18
Q

Virus detection - Sandboxing

A

Emulating a program, usually briefly, to detect suspicious behavior.

19
Q

Virus Anti-Detection - Code hiding/Obfuscation

A

1) Encryption
2) Polymorphism
3) Metamorphism

20
Q

Virus Anti-Detection - Hiding tracks

A

Techniques aim to hide:
1) Changes to filesystem attributes (length, timestamp etc)
2) Location of existing code
3) Processes
4) Resources used

21
Q

Virus Anti-Detection - Encryption

A

Virus source code is encrypted to hide details from manual and automatic inspection. Virus must first decrypt itself before it can be executed.

22
Q

Virus Anti-Detection - Polymorphism

A

Virus is encrypted and each new instance of the virus makes changes to its decryption portion using a mutation engine.

23
Q

Virus Anti-Detection - Metamorphism

A

Virus is unencrypted. Each new instance makes extensive changes to itself using a mutation engine, including the body, the payload and the mutation engine itself.

24
Q

Malware - Auto-Rooters

A

Malicious program that scans networks looking for vulnerable targets on which it can obtain a reverse shell and/or install a rootkit. Many are point-and-click and require no special skills to use.

25
Q

Worms - Context aware spreading

A

Worms spread over networks. If a vulnerable machine exists in one part of a network, then computers topologically close to it are more likely to exhibit the same vulnerabilities.

26
Q

Worms - Optimized spreading

A

1) Hit-list scanning - a list of high-likelihood targets
2) Permutation scanning - methods to avoid contacting servers that other infected servers have already contacted
3) Internet-scale hit-lists - a pre-scan of the internet to detect potentially vulnerable devices

27
Q

What is a keylogger?

A

Malware that logs activity on the keyboard.

28
Q

Types of malware/Virus

A
  • Virus
  • Malware
  • Trojan
  • Backdoor
  • Rootkit Bootkit
  • Keylogger
  • Wiper
  • Ransomware
  • RAT
  • CrimeWare
  • C2 Scripts
29
Q

What is Crimeware?

A

Common description for malware used by cyber criminals. It does not say what the malware does.

30
Q

What layers can Malware be found in?

A
  • OS - application
  • Kernel
  • Assembler
  • Firmware
  • Hardware
31
Q

What are the advantages/disadvantages of malware in lower levels?

A

The lower the level, the more limited the tools, but the easier it is to hide.