Malicious Code Flashcards
In 2010 how many strains of viruses did Symantec claim to exist?
Over 286
What are the two primary functions of a virus?
Propagation and destruction
What does a MBR virus do?
Infects or overwrites the master boot record of a disk or other media.
What is the difference between master boot record and master boot sector?
MBR - determines what media partition to boot from.
Master boot sector - sector of disk with boot data.
What is the sequence of execution extensions in a windows OS?
.com
.exe
.bat
What is a companion virus?
Virus whose executable name has an extension one step higher in the sequence of execution than the intended program.
What is a service injection virus?
Virus that takes over a trusted OS service, e.g., SVCHOST.exe.
What are two forms of AV methodology?
- Signature based
- Heuristic
What actions can an AV platform typically take against a virus?
- Eradicate and clean.
- Quarantine.
- Delete
What is a multipartite virus?
Virus that can infect in multiple methods.
What is a stealth virus?
Virus that will cover itself from inspection.
What is a polymorphic virus?
Virus that changes itself as it moves from system to system.
What is an encrypted virus?
Virus that will encrypt portions of its executable to hide.
What was the code red worm?
Launched in 2001. Did three things:
- Port scanned to find IIS platforms and exploited a weakness.
- Changed webpages with hack message
- Turned server into a bot that would attack WH.gov.
What is spyware?
Watches activities of users on system.
What is adware?
Displays ads on infected system.
What is active content?
Code that is downloaded from server to client for local execution.
Tripwire is what class of software?
Integrity management.
What sort of control mechanisms are in place in Java and ActiveX?
Java - Sandbox
ActiveX - Digital signatures
What is whitelisting?
Practice used by administrators to allow specific applications to be executed.
What issues lead to zero-day vulnerabilities?
- Delays in announcement and fix
- Delays in patching
What is an alternative to the Unix /etc/passwd file?
/etc/shadow
What is a buffer overflow?
When input data exceeds the structure that was built to receive it.
What steps should a developer take when dealing with input data?
- Input cannot exceed data length.
- Input type cannot be changed (e.g., int vs. char).
- Answers must be checked for validity.
What is TOCTTOU?
Time of check to time of use. Validations are constantly checked and immediately effective.
What is a back door?
Undocumented commands that allow specific users to bypass security controls.
What is a cross-site scripting attack?
Attack that embeds a rogue command in a page and sends it back to the client.
What should you do to avoid a SQL injection attack?
- Strip characters such as semicolons and quotes from input fields.
- Use stored procedures.
- Database IDs should only have read-level access.
What are some sample firewall rules to protect against IP spoofing?
- Packets with internal addresses should never originate from outside.
- Packets with external addresses should only originate from outside.
- Private IP ranges don’t move in either direction (in or out).
What is another example of session hijacking?
Man in the middle attack.