Malware Flashcards
What is meant by Overt Channels?
The legitimate, intended communication channels a program uses (e.g. a browser issuing HTTP requests).
What is meant by Covert Channels?
Channels that transport data in ways the system was not designed for, typically to hide the transfer from monitoring (e.g. data smuggled inside DNS queries or packet timing).
What is a Malware Wrapper?
Software that binds a malicious executable to an ordinary, harmless-looking file so that both run when the file is opened.
What is a Crypter?
Software that combines encryption, code manipulation and obfuscation to render malware undetectable by security applications.
What is a packer?
Compresses (and often encodes) an executable so its on-disk bytes no longer match the original; the program unpacks itself in memory at run time. This helps evade signature-based detection that scans files on disk.
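The packer and crypter cards above state that transforming the on-disk bytes defeats signature matching; the following added example (not from the original flashcards) shows why, using a constructed stand-in for an executable, a constructed byte signature, and a hypothetical packed format (`PACK1` header, zlib compression plus XOR masking). The signature hits the original and the unpacked-in-memory bytes but not the packed file.

```python
import zlib

# Constructed stand-in for a malicious executable. Real PE bytes are not needed
# to show the effect; a recognisable byte pattern is enough for a signature.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"CreateRemoteThread\x00" + b"A" * 40

# Constructed signature: the byte pattern a scanner would look for on disk.
SIGNATURE = b"CreateRemoteThread"

MAGIC = b"PACK1"  # hypothetical marker for the packed format


def pack(payload: bytes, key: int = 0x5A) -> bytes:
    """Compress the payload, XOR-mask the result and prepend a small header.

    This is the 'packing' step; a real packer would also emit an unpacking stub
    as native code so the output is still a runnable executable.
    """
    compressed = zlib.compress(payload, 9)
    masked = bytes(b ^ key for b in compressed)
    return MAGIC + bytes([key]) + masked


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: recover the original bytes in memory."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed blob")
    key = blob[len(MAGIC)]
    masked = blob[len(MAGIC) + 1:]
    return zlib.decompress(bytes(b ^ key for b in masked))


def signature_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Naive signature scan: substring search for the known pattern."""
    return sig in data


def demo() -> dict:
    """Scan the sample before packing, after packing and after unpacking."""
    packed = pack(ORIGINAL)
    return {
        "original_hit": signature_match(ORIGINAL),          # file on disk, unpacked
        "packed_hit": signature_match(packed),              # packed file on disk
        "unpacked_hit": signature_match(unpack(packed)),    # what a memory scan sees
        "roundtrip_ok": unpack(packed) == ORIGINAL,
        "size_before": len(ORIGINAL),
        "size_after": len(packed),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is that on-disk signature scanning alone is weak against packed samples; scanning after the stub has run (memory scanning or emulation) sees the original bytes again.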
What are the following tools used for?
1. Infinity
2. Bleeding Life
3. Crimepack
4. Blackhole Kit
Exploit kits: frameworks that deliver exploits (typically against browsers and plugins) to visiting hosts and drop a payload on success.
What type of Malware is a Trojan?
Software that appears legitimate but performs malicious activity; unlike a virus or worm it does not self-replicate.
What is the purpose of a Proxy Trojan?
Turns the victim's infected machine into a proxy server, routing the attacker's traffic through it so the activity appears to originate from the victim.
The attacker additionally has full access to the infected host.
What is the purpose of a Defacement Trojan?
Changes the workings or appearance of a website or system; can additionally be used to exfiltrate data.
What is the purpose of a Botnet Trojan?
Gives the attacker remote control of the infected host, which is then used for DDoS attacks or spam. The end goal is to weaponise many infected hosts as a botnet.
Examples:
- Chewbacca
- Skynet
What malware types are listed below:
1. RAT
2. MoSucker
3. Optix Pro
4. Blackhole
Remote Access Trojans: give the attacker the ability to remotely control infected hosts.
What malware type is listed below:
1. Zeus
2. SpyEye
Banking Trojans - To steal banking information
What is a Command Shell Trojan?
Provides backdoor access to the host through a command-line shell.
Example:
- Netcat
What is a Covert Channel Tunnelling Trojan (CCTT)?
A RAT-type trojan that creates covert data-transfer channels inside data streams already authorised by a network access control system, so the traffic looks like permitted communication.
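The overt/covert channel cards and the CCTT card both describe data carried inside traffic that a control already allows. The following added example (not from the original flashcards) builds one such channel: data is base32-encoded into subdomain labels of a hypothetical attacker-controlled zone (`cdn-updates.example`), so the resolver forwards ordinary-looking DNS queries to the attacker's authoritative server, which reassembles them. A crude detector is included to show the kind of check a defender would run. The sample data and zone name are constructed.

```python
import base64
import random

# Hypothetical attacker-controlled DNS zone; recursive resolvers forward any
# query under it to the attacker's authoritative server, which logs the names.
ZONE = "cdn-updates.example"
CHUNK = 30  # base32 characters per label (the DNS label limit is 63)

# Constructed sample of data to smuggle out.
SAMPLE = b"user=alice;pw=hunter2;" * 5


def encode(data: bytes) -> list:
    """Split data into DNS names of the form <seq>.<base32 chunk>.<zone>."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + CHUNK] for i in range(0, len(b32), CHUNK)]
    # The sequence number lets the receiver repair out-of-order arrival.
    return [f"{seq}.{label}.{ZONE}" for seq, label in enumerate(labels)]


def decode(names: list) -> bytes:
    """Reassemble the data from the queried names, tolerating reordering."""
    suffix = "." + ZONE
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue  # ordinary query, not part of the channel
        seq, label = name[:-len(suffix)].split(".", 1)
        parts[int(seq)] = label
    b32 = "".join(parts[i] for i in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore base32 padding
    return base64.b32decode(b32)


def looks_like_tunnel(names: list, min_queries: int = 5, min_label: int = 20) -> bool:
    """Crude detector: many queries carrying unusually long labels."""
    long_labels = sum(
        1 for name in names
        if any(len(label) >= min_label for label in name.split("."))
    )
    return long_labels >= min_queries


def demo() -> dict:
    queries = encode(SAMPLE)
    random.shuffle(queries)  # queries may reach the server out of order
    return {
        "queries": len(queries),
        "recovered": decode(queries) == SAMPLE,
        "flagged": looks_like_tunnel(queries),
        "benign_flagged": looks_like_tunnel(["www.example.com", "mail.example.com"]),
    }


if __name__ == "__main__":
    print(demo())
```

The overt channel here is DNS resolution, which almost every network permits; the covert channel is the data hidden in the labels. Detection relies on properties the channel cannot easily hide (label length, query volume per zone, entropy of labels), which is why the detector above counts long labels rather than inspecting content.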
What does the following command do?
netstat -an
Shows all active connections and listening ports (-a) in numeric form (-n), i.e. without resolving hostnames or service names.
What does the following command do?
netstat -b
(Windows) Displays active connections and listening ports together with the executable that created each one; requires administrator rights.
What is the general purpose of the following tools:
- SysAnalyzer
- Tiny Watcher
- Regshot
Registry Monitoring
Additional tools: Active Registry Monitor
What is the purpose of msconfig?
The Windows System Configuration utility; its Startup and Services tabs show programs and services set to run at boot (in Windows 8 and later the Startup tab moved to Task Manager).
What is meant by HIDS?
Host Intrusion Detection System
What type of tool is Tripwire?
File integrity verifier: records hashes of files in a trusted baseline and later reports any file that was added, removed or modified.
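The registry-monitoring tools above (Regshot and similar) and Tripwire work on the same principle: take a snapshot, let something run, take a second snapshot, and report what was added, deleted or changed. The following added example (not from the original flashcards) implements that snapshot-and-diff for a file tree using SHA-256, in a constructed temporary directory with a simulated infection (a trojaned binary, a dropped file and a removed file).

```python
import hashlib
import os
import tempfile


def _write(root: str, rel: str, content: bytes) -> None:
    """Helper for the constructed scenario: create a file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def hash_tree(root: str) -> dict:
    """Baseline: relative path -> SHA-256 of contents, for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = digest
    return baseline


def diff_snapshots(before: dict, after: dict) -> dict:
    """Report what was added, deleted or modified between two baselines."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline, simulated infection, comparison."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/cron.allow", b"root\n")
        before = hash_tree(root)

        # Simulated changes: a trojaned binary, a dropped file, a removed file.
        _write(root, "bin/ls", b"trojaned ls binary")
        _write(root, "tmp/.x/dropper", b"payload")
        os.remove(os.path.join(root, "etc", "cron.allow"))
        after = hash_tree(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the monitored host cannot alter (Tripwire signs its database for this reason); a baseline kept on the same disk is only as trustworthy as the host it sits on.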
What is SIGVERIF used for in Windows?
The File Signature Verification tool (sigverif.exe): checks that system and driver files carry valid digital signatures and lists any that are unsigned.
Which of the following BEST describes the mechanism of a Boot Sector Virus?
1. Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR
2. Moves the MBR to another location in RAM and copies itself to the original location of the MBR
3. Overwrites the original MBR and only executes the new virus code
4. Modifies directory table entries so that directory entries point to the virus code instead of the actual program
Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR (option 1): the virus code runs first at boot and then chains to the relocated original MBR so the system still starts.
What is meant by Heuristic Analysis?
Examining code or behaviour for suspicious properties (e.g. injection-related API calls, high entropy from packing, self-modification) rather than matching a fixed signature; catches unknown variants at the cost of false positives.
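To make the contrast with signature matching concrete, the following added example (not from the original flashcards) scores constructed byte blobs on properties instead of exact patterns: weighted suspicious strings (process-injection APIs, a UPX section name) and Shannon entropy above a threshold. The indicator list, weights and thresholds are constructed for illustration; a real engine has thousands of rules.

```python
import math
import os

# Constructed indicators: API names common in process injection, plus a packer
# section-name marker. Weights are illustrative.
SUSPICIOUS_STRINGS = {
    b"CreateRemoteThread": 2,
    b"WriteProcessMemory": 2,
    b"VirtualAllocEx": 2,
    b"SetWindowsHookEx": 1,
    b"UPX0": 2,   # section name left behind by the UPX packer
}
ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed/encrypted data sits near 8
ENTROPY_WEIGHT = 3
VERDICT_THRESHOLD = 4


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, random/packed data ~7.9."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes) -> dict:
    """Score a blob by the suspicious properties it exhibits."""
    reasons = []
    score = 0
    for needle, weight in SUSPICIOUS_STRINGS.items():
        if needle in data:
            score += weight
            reasons.append(needle.decode())
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        score += ENTROPY_WEIGHT
        reasons.append(f"entropy={ent:.2f}")
    return {"score": score, "suspicious": score >= VERDICT_THRESHOLD, "reasons": reasons}


# Constructed samples: ordinary text, an injector-like blob, a packed-looking blob.
BENIGN = b"Hello, world. This program prints a greeting and exits.\n" * 20
INJECTOR = (b"MZ" + b"\x00" * 100
            + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00")
PACKED = b"MZ" + b"UPX0\x00UPX1\x00" + os.urandom(4096)


def demo() -> dict:
    return {name: heuristic_score(blob)
            for name, blob in [("benign", BENIGN), ("injector", INJECTOR), ("packed", PACKED)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that the packed sample is flagged without any knowledge of what it unpacks to; that is the strength of heuristics against crypters and packers, and also the source of false positives on legitimately compressed installers.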
What characteristics does a Virus have?
Self-replicating malware that attaches itself to other executables; it needs a host program, and usually user action, to spread.
What is Fake Antivirus malware?
Malware disguised as antivirus software. It tries to convince users that they are infected so that they download and pay for the fake product.
What type of malware is Wannacry?
Ransomware with worm-like spreading: it exploited unpatched SMBv1 servers (the EternalBlue exploit, MS17-010) to move between hosts.
What type of malware is Cryptorbit?
Ransomware
What type of malware is CryptoLocker?
Ransomware
What type of malware is police-themed?
Ransomware
What type of malware is CryptoDefense?
Ransomware
What’s the purpose of a Shell Virus?
Wraps itself around other application codes
What is the purpose of a Cluster Virus?
Modifies directory table entries. Every time a directory or file is opened, cluster virus executes.
What is a Multipartite Virus?
Infects boot sectors and files. Virus with multiple infection methods.
What is a Macro Virus?
Written in a macro language such as VBA; infects Office documents (Word, Excel) and runs when the document is opened with macros enabled.
What is a Polymorphic Code Virus?
Virus that mutates its code on each infection using a polymorphic engine (typically a new encryption key and re-generated decryptor). Evades signature AV because the file bytes keep changing while the underlying payload stays the same.
What is an Encryption Virus?
Encrypts its body to hide from AVs; a small decryptor stub recovers the code at run time.
What is a Metamorphic Virus?
Rewrites its entire code after every infection, including the decryption routine, so no fixed byte sequence remains to sign.
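The encryption, polymorphic and metamorphic cards differ in what stays constant between generations. The following added example (not from the original flashcards) models the polymorphic case with a constructed payload, a random per-copy key and a constant decryptor marker (`DECRYPT_STUB_v1:`, hypothetical): every copy's bytes differ, every copy decrypts to the same payload, a signature on the payload fails, and a signature on the unchanged stub still hits.

```python
import os

# Constructed stand-in for the virus body that must stay functionally identical.
PAYLOAD = b"\xcc" * 8 + b"infect: open host, append body, patch entry\x00" + b"\x90" * 16

# Constant decryptor marker. A polymorphic engine varies the key and the
# encrypted body but leaves the decryptor recognisable. (Constructed.)
STUB = b"DECRYPT_STUB_v1:"
KEY_LEN = 16

# Constructed signatures a scanner might hold.
PAYLOAD_SIG = b"append body"
STUB_SIG = STUB


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(payload: bytes = PAYLOAD) -> bytes:
    """Produce one generation: fresh random key, body encrypted under it."""
    key = os.urandom(KEY_LEN)
    return STUB + key + _xor(payload, key)


def run_copy(copy: bytes) -> bytes:
    """What the stub does at execution time: decrypt the body back to PAYLOAD."""
    if not copy.startswith(STUB):
        raise ValueError("unknown stub")
    key = copy[len(STUB):len(STUB) + KEY_LEN]
    return _xor(copy[len(STUB) + KEY_LEN:], key)


def scan(copy: bytes) -> dict:
    """Two signature checks: on the payload bytes and on the constant stub."""
    return {
        "payload_sig": PAYLOAD_SIG in copy,
        "stub_sig": STUB_SIG in copy,
    }


def demo() -> dict:
    a, b = make_copy(), make_copy()
    return {
        "copies_differ": a != b,
        "both_decrypt_to_payload": run_copy(a) == PAYLOAD == run_copy(b),
        "scan_a": scan(a),
        "scan_b": scan(b),
        "plain_payload_hit": PAYLOAD_SIG in PAYLOAD,
    }


if __name__ == "__main__":
    print(demo())
```

A metamorphic engine would additionally rewrite the stub itself each generation (instruction substitution, register renaming, junk insertion), which is why the stub signature that still works here is not enough against metamorphic code and scanners fall back on emulation or behaviour.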
What is a Stealth/Tunnelling Virus?
Attempts to evade AVs by many means; in particular it intercepts the OS calls the AV makes (e.g. file reads) and returns clean data, so the infection is hidden from the scanner.
What is a Cavity Virus?
Embeds itself within files, replaces data to avoid increasing file size
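The defining property of a cavity virus is that the host's size does not change, because the body is written into unused space (zero-filled padding or alignment regions) rather than appended. The following added example (not from the original flashcards) locates such a cavity in a constructed host buffer, writes a constructed body into it, and shows that a size check misses the change while a hash check catches it.

```python
import hashlib


def find_cavity(data: bytes, size: int) -> int:
    """Offset of the first run of at least `size` zero bytes, or -1 if none."""
    run = 0
    for i, b in enumerate(data):
        run = run + 1 if b == 0 else 0
        if run >= size:
            return i - size + 1
    return -1


def implant(host: bytes, code: bytes) -> tuple:
    """Overwrite a zero-filled region with `code`; the host's size is unchanged."""
    offset = find_cavity(host, len(code))
    if offset < 0:
        raise ValueError("no cavity large enough")
    patched = bytearray(host)
    patched[offset:offset + len(code)] = code
    return bytes(patched), offset


def changed_by_size(before: bytes, after: bytes) -> bool:
    """A size-only integrity check: defeated by cavity infection."""
    return len(before) != len(after)


def changed_by_hash(before: bytes, after: bytes) -> bool:
    """A content hash still detects the modification."""
    return hashlib.sha256(before).digest() != hashlib.sha256(after).digest()


# Constructed host: 64 non-zero header bytes, 256 bytes of zero padding
# (the cavity), then some 'code'.
HOST = b"MZ" + bytes(range(1, 63)) + b"\x00" * 256 + b".text: real program code here" * 4
# Constructed body to implant.
BODY = b"\xeb\xfe" + b"VIRUS" * 10


def demo() -> dict:
    infected, offset = implant(HOST, BODY)
    return {
        "offset": offset,
        "size_unchanged": len(infected) == len(HOST),
        "body_present": infected[offset:offset + len(BODY)] == BODY,
        "size_check_fires": changed_by_size(HOST, infected),
        "hash_check_fires": changed_by_hash(HOST, infected),
    }


if __name__ == "__main__":
    print(demo())
```

This is also the reason integrity checkers (Tripwire and similar) compare hashes rather than sizes or timestamps.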
What is a Sparse Infector Virus?
Only infects occasionally (e.g. every 10th time) to avoid being discovered
What is an Extension Virus?
Changes the file extensions of files (e.g. relying on hidden extensions so a malicious executable appears to be a harmless document).
What is Sonic Bat?
Virus generator (a batch-file virus creation tool).
What characteristics does a Worm have?
- Self-replicating malware that sends itself to other computers without human intervention.
- Mostly resides in Active Memory.
- Used in Botnets
In a VM, which NIC configuration is best used in Malware Analysis?
Host-only mode. Also disable open shares.
What are these tools used for?
- binText
- UPX
Static analysis of malware (examining the file without running it): BinText extracts printable strings, UPX packs and unpacks executables.
What are these tools used for during malware analysis?
- NetResident
- TCPView
- Wireshark
Monitoring network activity and the processes responsible for it during dynamic analysis.
What are these tools used in malware analysis?
- IDA Pro
- VirusTotal
- Anubis
- Threat Analyzer
Malware analysis: IDA Pro is a disassembler/decompiler (static analysis), VirusTotal scans a sample against many AV engines, and Anubis and ThreatAnalyzer are sandboxes that run the sample and report what files, registry keys and network connections it added, changed or deleted.
What is meant by “sheepdip”?
System that is used to analyse malware before it is introduced to other computers or network.
What type of malware is Stuxnet?
Worm.
What type of malware is Lemon Duck?
Botnet.
What type of malware is Mirai?
Botnet.
What type of malware is Prometei?
Botnet.
What is a Logic Bomb malware?
Malware that has been placed in advance and waits for a programmed condition (a date, a user action, a missing account) before executing its payload.
What is a Botnet?
Network of infected zombie hosts, used for distributed attacks.
How can a rootkit bypass Windows 7 operating system’s kernel mode, code signing policy?
By attaching itself to the master boot record and changing the machine's boot sequence/options (a bootkit): it runs before the kernel loads, so the kernel-mode code-signing checks are not yet in place to stop it.
What type of malware is Morris?
Worm
What type of malware is Code Red?
Worm