Malicious software Flashcards

1
Q

Malware

A

A program inserted into a system, covertly, that compromises the confidentiality, integrity or availability (CIA) of the victim's data, applications or OS, or otherwise annoys or disrupts the victim.

Payloads -> system corruption, bots, phishing, spyware and rootkits.

Classified by propagation technique and payload action.
Blended attacks use multiple methods of infection or propagation to maximize speed.

2
Q

Attack Kits & attack sources

A

Virus-creation toolkits
Toolkits known as crimeware

Attack sources -> shifted from individuals to organized crime groups

3
Q

Advanced Persistent Threat

A

Intrusion technologies and malware applied to selected (often political or business) targets.
Advanced -> carefully selected
Persistent -> determined attacks over an extended period to maximize success

4
Q

Propagation - Infected content - Virus

A

Parasitic software fragments that attach themselves to some existing executable content
Infects programs by modifying them

Components:
Infection mechanism -> means of propagation (infection vector)
Trigger -> logic bomb; the event or condition that activates it
Payload -> damage, or benign but noticeable activity

Lifecycle phases
Dormant -> idle; activated by an event, a date, or the presence of a program/file
Propagation -> copies itself into other programs or into certain system areas
Triggering -> performs its function; can be caused by a variety of system events

Macro viruses -> platform independent; documents are more easily spread and are automatically opened/trusted

Target discovery -> scanning or fingerprinting.
Random (high traffic), hit-list (slow gathering, then attack), topological (moves through hosts and their related hosts), local subnet (bypasses the firewall and finds machines in the subnet)
Spread follows exponential growth

5
Q

Propagation - Infected Content - Virus - Melissa

A

Introduced to the system as a Word document sent by email
Code contained in the Document_Open macro runs automatically
Disables the macro menu and related security features
Checks whether it is running on an already infected machine; if not, copies itself to the global template file
Every time a new document is opened it gets infected
Checks for a key named Melissa to see whether it has run before
On a new computer, it uses Outlook to email itself to the first 50 addresses
Checks the current time and date and generates a Simpsons quote (if the minute of the hour equals the day of the month)

6
Q

Propagation - Infected Content - Virus - Classification

A

By Target

Boot sector infector -> master boot record; spreads when the system is booted
File infector -> executable files
Macro virus -> files with macro or scripting code
Multipartite virus -> multiple types of files

By Concealment strategy

Encrypted virus -> part of the code generates a random key and encrypts the rest of the content with it
Stealth virus -> designed to hide (code mutation, compression, rootkit techniques)
Polymorphic virus -> replicates with the same behavior but different instructions (encryption might be used)
Metamorphic virus -> replicates with different instructions and different behavior

7
Q

Propagation - Infected Content - Worm - Study Cases

A

Morris worm (Robert Morris, 1988)
UNIX systems; used multiple ways to propagate
Found other known trusted hosts
Tried to log on to systems by cracking passwords, assuming the same passwords were used across systems
Exploited the UNIX finger protocol and a trapdoor in the debug option of the process that receives mail
Once executed, downloaded the rest of the worm and executed it

Code Red (2001). Security hole in IIS. Disables the system file checker in Windows, probes other IP hosts, spreads slowly, then starts a DDoS attack against government websites
Code Red II (Aug 2001). Installs a backdoor to remotely execute commands

Nimda (Sep 2001). Propagates through email, Windows shares, web servers/clients and backdoors. Uses backdoors created by previous worms.

SQL Slammer (2003). Buffer overflow in Microsoft SQL Server.
Sobig.F (2003). Infects proxy servers and turns them into spam engines
Mydoom (2004). Mass-mailing email worm; backdoor -> remote access to data.
Warezov family (2006). Creates executables in system directories that run at startup. Can carry trojans and adware.
Conficker (Downadup) (2008). Windows buffer overflow; also spreads via USB drives or network file shares.
Stuxnet (2010). Kept its spread rate low to stay hidden. Attacks industrial control systems to take control of them. First use of cyberwarfare.
Duqu (2011). Cyber-espionage
WannaCry (2017). Aggressively scans and encrypts files, demanding ransom

8
Q

Propagation - Infected Content - Worm - State

A

Multiplatform, multi-exploit (several ways to propagate), polymorphic (evades detection and skips past filters), metamorphic (changes appearance); ideal for DDoS, rootkits, spam generators and spyware

Mobile
Cabir, Lasco and CommWarrior -> spread through Bluetooth wireless or Multimedia Messaging Service (MMS) on Symbian OS
Can disable the phone, delete data, or force the device to send messages. Use trojan apps to install themselves

9
Q

Propagation - Infected Content - Client Vulnerabilities

A

Drive-by-download. When the user visits a page controlled by the attacker, the malware is downloaded by exploiting vulnerabilities in the browser or its plugins.
Watering-hole attacks. Target commonly visited websites on subjects of interest to the intended victims.

Malvertising. The attacker pays for ads that will be shown to the targets.

Attacks through PDF viewers

Clickjacking. An opaque layer in front of a button, or a hidden input, captures clicks or keystrokes.

10
Q

Propagation - Social Engineering

A

Tricking users into assisting in the compromise of their own systems or personal information.

Spam e-mails trick users into propagating malware or trojans by executing scripts and programs. Phishing attacks send scams for products.

Trojans: useful or apparently useful applications containing hidden code, e.g. scanning files for sensitive information. A trojan can keep performing the expected behavior alongside the hidden one, or replace it completely. It sometimes needs no user interaction and does not replicate.
Tech support scams

11
Q

Malware - Payload - System Corruption

A

Chernobyl virus (1998) infects executable files; when the trigger date is reached, it deletes data on the infected system by overwriting the first MB with zeroes, causing massive corruption of the entire file system.
Attempts to rewrite the BIOS code

Klez (2001) emails copies of itself to harvested addresses. On the 13th of several months it deletes all files on the local hard drive. It can stop and delete antivirus software. Other payloads destroy data or hold it for ransom (ransomware, e.g. the Cyborg Trojan, 1989)
WannaCry (2017) ransomware encrypts certain types of files and requests payment in Bitcoin
Logic bombs -> execute when a specified trigger occurs

12
Q

Malware - Payload - Attack - Zombie, bots

A

Subverts the network resources of an infected system, turning it into a zombie controlled by the attacker
Uses: DDoS, spamming, sniffing sensitive information, logging keystrokes, spreading new malware, clickjacking advertisements, flooding IRC chats, manipulating games/polls.
Remote Control Facility -> Command and Control (C&C) server network, distributed to avoid a single point of failure
Countermeasures -> reverse the name generation scheme (fast-flux DNS), take over or shut down the C&C network.

13
Q

Malware - Payload - Information Theft - Keyloggers, phishing, spyware

A

Gathers data to steal from or impersonate the user, or searches target documents and system configuration for espionage. Targets the confidentiality of the information.
Keyloggers capture text, with a filtering mechanism to monitor for sensitive information. General spyware payloads monitor a wide range of activities -> significant compromise.
Deployed by spam e-mails or drive-by-download.

Phishing
Captures sensitive information through social engineering, leveraging the user's trust by masquerading as communications from a trusted source.
Spear-phishing
Carefully crafted e-mail aimed at a specific recipient

Insiders: exploiting their legitimate access rights to release information for ideological reasons.

14
Q

Malware - Payload - Stealthing - Backdoors, rootkits

A

Hides its presence on the system and provides covert access
Attacks the integrity of the system
Backdoor -> allows someone to bypass the authentication procedures
Triggered by a user entering a special sequence of inputs, or by a certain user ID
Or a network service on some non-standard port to which the attacker connects and issues commands

Rootkit
Maintains covert access with admin privileges
Subverts the mechanisms that monitor and report on processes, files and registries
Can be persistent, memory based, user-mode or kernel-mode intercepting, virtual machine based, or external mode.

Kernel mode interception
- attacker modifies certain syscall addresses in the system call table
- overwrites system calls with custom code
- redirects references to the entire system call table to a new table at a new kernel memory location
Defense: the entire boot process must be secured, and the loading of the hypervisor monitored, to ensure legitimacy

15
Q

Malware - Countermeasures

A

Components for prevention
- Policy -> defines appropriate rules to prevent the introduction of malware
- Awareness
- Vulnerability mitigation
- Threat mitigation
Detection -> detect and locate the malware
Identification -> identify the specific malware
Removal -> remove all traces

Requirements -> generality, timeliness (fast), resiliency, minimal denial-of-service costs, transparency, global/local coverage

16
Q

Generations of antivirus

A

1st -> simple scanners
2nd -> heuristic scanners
3rd -> activity traps
4th -> full-featured protection

Sandbox analysis -> code is run in a controlled virtualized environment
Host-based dynamic malware analysis -> continuous monitoring of activities to block potentially damaging actions (some operations might still succeed)
Spyware detection and removal