Malware Flashcards
Malware
Malicious software designed to infiltrate computer systems and potentially damage them without user consent
Threat Vector
method used to infiltrate a victim’s machine
examples:
- USB drive installation
- unpatched software
- phishing campaigns
Attack Vector
Means by which the attacker gains access and infects the system
- combines infiltration method and infection process
Viruses
Malicious code that runs on a machine without the user’s knowledge; the code infects the computer whenever it is run
- attach to clean files, spread and corrupt host files
10 Types of Viruses
- Boot sector
- Macro
- Program
- Multipartite
- Encrypted
- Polymorphic
- Metamorphic
- Stealth
- Armored
- Hoax
Boot Sector Virus
stored in the first sector of a hard drive then loaded into memory whenever the computer boots up
Macro Virus
code that allows a virus to be embedded inside another document so when opened by user, virus is executed
Program Virus
Try to find executables or application files to infect with their malicious code
Multipartite Virus
combo of boot sector and program; place itself in boot sector and can load every time computer boots; can install itself in a program where it can be run at computer startup
Encrypted Virus
Hides itself from antivirus software by encrypting its malicious code or payloads
Polymorphic Virus
Advanced encrypted virus; also changes the virus’s code each time it is executed by altering the decryption module to evade detection
Metamorphic Virus
Able to rewrite itself entirely before it attempts to infect a given file
Stealth Virus
Technique used to prevent the virus from being detected by the anti-virus software
Armored Virus
Have a layer of protection to confuse a program or a person who’s trying to analyze it
Hoax Virus
Form of technical social engineering that attempts to scare our end users into taking some kind of undesirable action on their system
Worms
Standalone programs replicating and spreading to other computers without any user interaction or consent
- Known for spreading far and wide over internet in short time
Danger:
- Infects your workstation and other computing assets
- Cause disruptions to your normal network traffic since they try to replicate across network
Trojans
Disguise as a legitimate software, grant unauthorized access; claims it will perform some needed or desired function for you
commonly used today to exploit:
- a vulnerability in your workstation
- conduct data exfiltration
- create backdoors to maintain persistence on your system
- etc.
Remote Access Trojan (RAT)
Widely used by modern attackers because it provides the attacker with remote control of a victim machine
Ransomware
Encrypts user data, demands ransom for decryption
Prevent
- Always conduct regular backups
- Install software updates regularly
- provide security awareness training to users
- MFA
How to address a ransomware attack?
Never pay the ransom
- disconnect device from network
- notify the authorities
- Restore your data and systems from known good backups
Botnets
network of compromised computers or devices controlled remotely by malicious actors
Used:
- as pivot points
- disguise the real attacker
- host illegal activities
- spam others by sending out phishing campaigns and other malware
- most commonly used for DDoS attacks
- combine processing power to break through encryption schemes
Zombies
Name of a compromised computer or device that is part of a botnet
- used to perform tasks using remote commands from the attacker without the user’s knowledge
- Attackers use about 20-25 percent of any zombie’s power
Command and Control Node (C2 Node)
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
Rootkits
Hide presence and activities on a computer, operate at the OS/root/administrative level
- OS is blind to them
Detect :
- boot from an external device (e.g., a live-boot Linux distribution) and scan the internal HD with a good anti-malware scanning solution to ensure you can detect the rootkits
Administrator/Root
Account with the highest level of permissions; allows that person to install and delete programs, open and shut ports, and do whatever they want
- administrator - Windows
- root - macOS, UNIX, Linux
Rings of Permission
Computer systems have several different rings of permissions throughout the system
Ring 3 (Outermost) - standard:
- where user level permissions are used
Ring 1 - logged in at root/admin
- have root permission
Ring 0 (Innermost) - high permission
- “kernel mode” - most trusted and allows a system to control access to things like device drivers, sound card, video display, etc.
Dynamic Link Library (DLL) Injection
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic link library
Dynamic Link Library
Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development
Shim
Piece of software code that is placed between two components and that intercepts the calls between those components and can be used to redirect them
Backdoors
allow unauthorized access; placed in computer programs to bypass the normal security and authentication functions
- Most often put into systems by designers and programmers
- RATs act like a backdoor in our modern networks
Easter egg
A hidden feature or novelty within a program that is typically inserted by the developer as an inside joke
- code often has significant vulnerabilities
Logic bombs
Execute malicious actions when certain conditions have been met
Keyloggers
Record keystrokes, capture passwords, or sensitive information
Software - malicious program; often bundled with other software or delivered through social engineering/pretexting
Hardware - physical device, resembles a USB drive or embedded in keyboard cable
Protection:
- Perform regular updates and patches
- Rely on quality antivirus and antimalware solutions
- Conduct phishing awareness training for your users
- Implement multi-factor authentication systems
- Encrypt keystrokes being sent to your systems
- Perform physical checks of your desktops, laptops, and servers
Spyware
Monitors and gathers user/system information without their knowledge
Installation
- Bundled with other software
- Installed through a malicious website
- Installed when users click on a deceptive pop-up ad
Protection:
- Only use reputable anti-virus and anti-spyware tools that are regularly updated
Bloatware
Any software that comes pre-installed on a new computer or smartphone that the user did not specifically request/want/need
- also includes unnecessary toolbars/apps
not malicious but:
- waste your storage space
- slow down the performance of your devices
- introduce security vulnerabilities into your systems
Remove:
- manual removal
- use bloatware removal tools to uninstall
- perform clean OS install
Malware Exploitation Technique
Specific method by which malware code penetrates and infects a targeted system
- some malware focuses on infecting the system’s memory to leverage remote procedure calls over the organization’s network
Fileless Malware
Used to create a process in the system memory without relying on the local file system of the infected host
- avoid detection by signature based security software
How does modern malware work?
When a user clicks malicious link or file, the specific type of malware installed is known as a stage one dropper or downloader
*Stage 1: Dropper or Downloader
Piece of malware that is usually created as a lightweight shell code that can be executed on a given system
- primary function:
- retrieve additional portions of the malware code and trick the user into activating it
*Dropper
Specific malware designed to initiate or run other malware forms within a payload on an infected host
*Downloader
Retrieves additional tools after the initial infection facilitated by a dropper
*Shellcode
Broader term that encompasses lightweight code meant to execute an exploit on a given target
*Stage 2: Downloader
Downloads and installs a remote access Trojan to conduct command and control on the victimized system
*“Actions on Objectives” phase
Threat actor will execute primary objectives to meet core objectives like data exfiltration and file encryption
*Concealment
Used to help the threat actor prolong unauthorized access to a system by
- hiding tracks
- erasing log files
- hiding any evidence of malicious activity
“Living off the Land”
- strategy adopted by many APTs and criminal organizations
- the threat actor tries to exploit the system’s standard tools to perform intrusions
9 Common Indicators of Malware Attacks
- Account Lockout - multiple failed login attempts
- Concurrent Session Utilization - single user, multiple sessions open at once
- Blocked Content - Sudden increase in amount of blocked content alerts on your security tools
- Impossible Travel - User account accessed in two or more geo-locations in impossibly short time
- Resource Consumption - Unusual spikes in CPU, memory, network bandwidth not linked to legit task
- Resource Inaccessibility - Ransomware
- Out-of-Cycle Logging - Logs generated outside business hours
- Missing Logs - Log review shows gaps or logs cleared without any authorized reason
- Published/Documented Attacks - a cybersecurity researcher or reporter publishes a report showing that your organization’s network has been infected as part of a botnet or other malware-based attack