Malware Flashcards

1
Q

Malware

A

Malicious software designed to infiltrate computer systems and potentially damage them without user consent

2
Q

Threat Vector

A

Method used to infiltrate a victim's machine (how the malware gets in)

examples:
- USB drive installation (removable media)
- exploiting unpatched software
- phishing campaigns

3
Q

Attack Vector

A

Means by which the attacker gains access and infects the system
- combines infiltration method and infection process

4
Q

Viruses

A

Malicious code that runs on a machine without the user's knowledge and infects the computer each time it is executed; unlike a worm, a virus needs a host file and some user action (opening the file, running the program) to spread
- attaches to clean files, then spreads to and corrupts other host files

5
Q

10 Types of Viruses

A
  1. Boot sector
  2. Macro
  3. Program
  4. Multipartite
  5. Encrypted
  6. Polymorphic
  7. Metamorphic
  8. Stealth
  9. Armored
  10. Hoax
6
Q

Boot Sector Virus

A

Stored in the first sector of a hard drive (the boot sector / master boot record), so it is loaded into memory every time the computer boots, before the operating system itself

7
Q

Macro Virus

A

Code embedded inside another document (e.g., an Office file with macros enabled) so that the virus executes when the user opens the document

8
Q

Program Virus

A

Tries to find executable or application files to infect with its malicious code, so the virus runs whenever the infected program is launched

9
Q

Multipartite Virus

A

Combination of a boot sector virus and a program virus: it installs itself in the boot sector so it loads every time the computer boots, and also infects program files so it runs when those programs start; because it has two footholds, cleaning only one of them leaves the system infected

10
Q

Encrypted Virus

A

Hides itself by encrypting its malicious code or payload so that signature-based antivirus cannot match the bytes stored on disk; a small decryption routine runs first to restore the code in memory

11
Q

Polymorphic Virus

A

Advanced encrypted virus that also changes its own code each time it executes by altering the decryption module (different keys, reordered or padded instructions), so that the decryptor itself cannot be matched by a fixed signature either
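
The following is an added illustration of the encrypted and polymorphic cards above; it is not code from the original flashcards. The virus body, the decryptor stubs and the signatures are constructed byte strings standing in for real code, and single-byte XOR stands in for the real decryption loop. It shows why a signature on the payload fails against an encrypted virus, why a signature on the decryptor stub still catches it, why a polymorphic stub defeats that too, and why scanners fall back to emulating the decryptor and scanning the result.

```python
"""Why encrypted and polymorphic viruses defeat static signatures.

Added illustration, not code from the original flashcards. VIRUS_BODY,
the decryptor stubs and the signatures are constructed byte strings that
stand in for real code; nothing here infects anything.
"""
from typing import Optional

# Constructed plaintext virus body and the signature an AV vendor extracted from it.
VIRUS_BODY = b"INFECT:attach-to-host-file;PAYLOAD:corrupt-host-files"
BODY_SIGNATURE = b"INFECT:attach-to-host-file"

# Constructed fixed decryptor stub of the encrypted virus, and its signature.
DECRYPTOR_STUB = b"\x90\x90STUB:xor-loop-v1\x90\x90"
STUB_SIGNATURE = b"STUB:xor-loop-v1"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def encrypted_variant(key: int) -> bytes:
    """Encrypted virus: the same decryptor stub every generation, one key byte,
    then the XOR-encrypted body. key must be non-zero or the body stays in clear."""
    assert 0 < key < 256
    return DECRYPTOR_STUB + bytes([key]) + xor(VIRUS_BODY, key)


def polymorphic_variant(key: int, generation: int) -> bytes:
    """Polymorphic virus: the decryptor stub is mutated every generation
    (here: varying NOP padding and a per-generation marker, standing in for
    register swaps and junk instructions), so it has no fixed signature either."""
    assert 0 < key < 256
    pad = b"\x90" * (generation % 5)
    stub = pad + b"STUB:gen" + str(generation).encode() + b"-xor" + pad
    return stub + bytes([key]) + xor(VIRUS_BODY, key)


def static_scan(sample: bytes) -> Optional[str]:
    """Signature scanner: byte-pattern match on the file as stored on disk."""
    if BODY_SIGNATURE in sample:
        return "body-signature"
    if STUB_SIGNATURE in sample:
        return "decryptor-signature"
    return None


def emulating_scan(sample: bytes) -> Optional[str]:
    """Stand-in for AV emulation/unpacking: 'run' the decryptor for every
    possible key and scan the decrypted result, so the body signature matches
    no matter how the stub was mutated."""
    for key in range(1, 256):
        if BODY_SIGNATURE in xor(sample, key):
            return f"body-signature after decryption with key {key}"
    return None


if __name__ == "__main__":
    print("plain      :", static_scan(VIRUS_BODY))                      # body-signature
    print("encrypted  :", static_scan(encrypted_variant(0x5A)))         # decryptor-signature
    print("polymorphic:", static_scan(polymorphic_variant(0x5A, 7)))    # None
    print("emulated   :", emulating_scan(polymorphic_variant(0x5A, 7))) # found after decryption
```

The brute-force over 255 keys is only a model of emulation; a real engine executes the decryptor in a sandboxed CPU emulator until the body is in memory, which is also the point at which a metamorphic virus (which rewrites the body too, not just the stub) stops being catchable this way and behavioral detection takes over.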

12
Q

Metamorphic Virus

A

Able to rewrite itself entirely (different instructions, not just a different decryptor) before it attempts to infect a given file, so no two infections share a static signature

13
Q

Stealth Virus

A

Uses techniques to prevent the virus from being detected by anti-virus software, e.g., intercepting the operating system's disk reads and returning a clean copy of an infected file, or hiding the change in file size

14
Q

Armored Virus

A

Has a layer of protection (obfuscation, anti-debugging tricks, misleading code) to confuse a program or a person trying to analyze it

15
Q

Hoax Virus

A

Form of technical social engineering that attempts to scare end users into taking some undesirable action on their system (e.g., a fake "you are infected" warning telling them to delete a legitimate system file or install a "fix")

16
Q

Worms

A

Standalone programs that replicate and spread to other computers without any user interaction or consent, typically by exploiting a vulnerability in a network service
- Known for spreading far and wide over the internet in a short time

Danger:
- Infects your workstation and other computing assets
- Causes disruptions to normal network traffic as it scans and replicates across the network

17
Q

Trojans

A

Disguises itself as legitimate software and grants unauthorized access; it claims to perform some needed or desired function for you while doing something malicious in the background

commonly used today to:
- exploit a vulnerability in your workstation
- conduct data exfiltration
- create backdoors to maintain persistence on your system
- etc.

18
Q

Remote Access Trojan (RAT)

A

Widely used by modern attackers because it gives the attacker remote control of the victim machine (command execution, file access, screen and keystroke capture)

19
Q

Ransomware

A

Encrypts user data and demands a ransom for the decryption key

Prevention:
- Always conduct regular backups, and keep them offline or otherwise unreachable from the network so they cannot be encrypted as well
- Install software updates regularly
- Provide security awareness training to users
- Require multi-factor authentication (MFA)

20
Q

How to address a ransomware attack?

A

Never pay the ransom (payment does not guarantee recovery and funds further attacks)
- Disconnect the device from the network to stop the spread
- Notify the authorities
- Restore data and systems from known-good backups (verify the backups are clean before restoring)

21
Q

Botnets

A

Network of compromised computers or devices controlled remotely by malicious actors

Used:
- as pivot points into other networks
- to disguise the real attacker behind the victims' addresses
- to host illegal activities and content
- to spam others by sending out phishing campaigns and other malware
- most commonly for DDoS attacks
- to pool processing power for distributed brute-force attacks (e.g., password or key cracking)

22
Q

Zombies

A

Name for a compromised computer or device that is part of a botnet
- Performs tasks using remote commands from the attacker without the user's knowledge
- Attackers typically use only about 20-25 percent of a zombie's processing power, so the owner does not notice the slowdown

23
Q

Command and Control Node (C2 Node)

A

Computer responsible for managing and coordinating the activities of the other nodes or devices within a botnet; zombies check in with it for instructions and return results

24
Q

Rootkits

A

Hide their presence and activities on a computer by operating at the kernel/root/administrative level
- Because they hook the OS itself, the OS (and anything that relies on its APIs, such as a host antivirus) is blind to them

Detect:
- Boot from an external device (e.g., a live-boot Linux distribution) and scan the internal hard drive with a good anti-malware scanning solution; a scan run from a clean OS is not subject to the rootkit's hooks

25
Q

Administrator/Root

A

Account with the highest level of permissions; it allows the person to install and delete programs, open and close ports, and do whatever they want on the system
- administrator - Windows
- root - macOS, UNIX, Linux

26
Q

Rings of Permission

A

Modern (x86) CPUs divide execution into protection rings; the lower the ring number, the more privileged the code

Ring 3 (outermost) - user mode:
- where ordinary applications run, including those started by an administrator or root user; the account's privileges are enforced by the OS, not by the CPU ring
Rings 1 and 2 - intended for device drivers and other OS services:
- most modern operating systems do not use them and run only in rings 0 and 3
Ring 0 (innermost) - kernel mode:
- most trusted level; the kernel and kernel-mode drivers run here and control access to hardware such as device drivers, sound card, video display, etc.
- a rootkit that reaches ring 0 sits below every user-mode security tool, which is why it is so hard to detect from inside the running OS

27
Q

Dynamic Link Library (DLL injection)

A

Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic link library (classically: write the DLL path into the target process and start a remote thread at LoadLibrary); the injected code then runs with the target process's privileges and identity
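
As an added example (not from the original flashcards), the check a defender would run for the DLL injection card: Sysmon Event ID 8 records a CreateRemoteThread call with the source image, target image and the module/function the new thread starts in. The records below are constructed to mimic those fields, and the allow-list of images that legitimately create remote threads is an assumption for illustration, not a vetted baseline.

```python
"""Flag likely DLL injection from Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not from the original flashcards. SAMPLE_EVENTS are
constructed records using a subset of Sysmon's Event ID 8 fields;
ALLOWED_SOURCES is an assumed allow-list to tune per environment.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample records (subset of Sysmon Event ID 8 fields).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2024-05-01 09:12:03.100",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\App\app.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"UtcTime": "2024-05-01 09:13:44.512",
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL",
     "StartFunction": "LoadLibraryW"},
    {"UtcTime": "2024-05-01 09:14:10.001",
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": "",
     "StartFunction": ""},
    {"UtcTime": "2024-05-01 09:20:30.250",
     "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]

# Thread entry points that mean "the remote thread's job is to load a DLL".
LOADLIBRARY_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Assumed allow-list: images that create threads in other processes as part of
# normal operation (csrss.exe does for console apps). Tune to your environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious CreateRemoteThread, else None."""
    source = event.get("SourceImage", "").lower()
    # Tolerate both "LoadLibraryW" and "KERNEL32.DLL!LoadLibraryW" spellings.
    func = event.get("StartFunction", "").split("!")[-1].lower()
    module = event.get("StartModule", "")
    if func in LOADLIBRARY_FUNCS:
        return "high", "remote thread started at LoadLibrary: classic DLL injection"
    if not module:
        return "high", "remote thread starts in memory not backed by any module: likely shellcode injection"
    if source not in ALLOWED_SOURCES:
        return "medium", "CreateRemoteThread from a source image outside the allow-list"
    return None


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over the records and collect findings in log order."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"time": ev["UtcTime"], "severity": severity,
                         "source": ev["SourceImage"], "target": ev["TargetImage"],
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} [{f['severity']}] {f['source']} -> {f['target']}: {f['reason']}")
```

The LoadLibrary rule catches the textbook technique; the empty StartModule rule catches the more common modern variant where the attacker writes position-independent code instead of a DLL path. The allow-list rule is noisy on its own (debuggers, some EDR agents and installers all create remote threads), so treat it as context for the first two rather than an alert in itself.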

28
Q

Dynamic Link Library

A

Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software development

29
Q

Shim

A

Piece of software code that is placed between two components and that intercepts the calls between those components and can be used to redirect them

30
Q

Backdoors

A

Allow unauthorized access; placed in computer programs to bypass the normal security and authentication functions
- Most often put into systems by the designers and programmers themselves (e.g., a maintenance login), and then found and abused by attackers
- RATs act like a backdoor in modern networks

31
Q

Easter egg

A

A hidden feature or novelty within a program that is typically inserted by the developer as an inside joke
- because it is hidden, it usually escapes code review and testing, so its code often contains significant vulnerabilities

32
Q

Logic bombs

A

Execute malicious actions when certain conditions are met (a date or time, a specific user logging in, a file or account being removed); often planted by an insider

33
Q

Keyloggers

A

Record keystrokes to capture passwords or other sensitive information

Software - a malicious program, often bundled with other software or delivered through social engineering/pretexting

Hardware - a physical device that resembles a USB drive or is embedded in the keyboard cable, invisible to software on the host

Protection:
■ Perform regular updates and patches
■ Rely on quality antivirus and antimalware solutions
■ Conduct phishing awareness training for your users
■ Implement multi-factor authentication systems (a captured password alone is not enough to log in)
■ Encrypt keystrokes being sent to your systems
■ Perform physical checks of your desktops, laptops, and servers

34
Q

Spyware

A

Monitors and gathers user or system information without the user's knowledge

Installation
- Bundled with other software
- Installed through a malicious website
- Installed when users click on a deceptive pop-up ad

Protection:
- Only use reputable anti-virus and anti-spyware tools that are regularly updated

35
Q

Bloatware

A

Any software that comes pre-installed on a new computer or smartphone that the user did not specifically request/want/need
- also includes unnecessary toolbars/apps

Not malicious by itself, but it can:
- waste your storage space
- slow down the performance of your devices
- introduce security vulnerabilities (extra, often unpatched code with its own attack surface)

Remove:
- manual removal
- use bloatware removal tools to uninstall
- perform clean OS install

36
Q

Malware Exploitation Technique

A

Specific method by which malware code penetrates and infects a targeted system
- some malware focuses on infecting the system's memory only (fileless) and abuses remote procedure calls (RPC) to spread across the organization's network

37
Q

Fileless Malware

A

Creates a process in system memory without relying on the local file system of the infected host, often by abusing built-in interpreters such as PowerShell
- avoids detection by signature-based security software that scans files on disk

38
Q

How does modern malware work?

A

When a user clicks a malicious link or opens a malicious file, the first piece of malware installed is the stage 1 dropper or downloader, a lightweight component whose only job is to fetch and start the later stages

39
Q

*Stage 1: Dropper or Downloader

A

Piece of malware that is usually created as lightweight shellcode that can be executed on a given system

  • primary functions:
  • retrieve additional portions of the malware code from the attacker
  • trick the user (or the system) into activating that code
40
Q

*Dropper

A

Specific malware designed to initiate or run other malware that it carries within its own payload on an infected host

41
Q

*Downloader

A

Retrieves additional tools from the attacker after the initial infection facilitated by a dropper (the code is fetched over the network rather than carried inside)

42
Q

*Shellcode

A

Broader term for the lightweight code used to execute an exploit on a given target; originally named because its job was to spawn a command shell for the attacker

43
Q

*Stage 2: Downloader

A

Downloads and installs a remote access Trojan (RAT) to conduct command and control on the victimized system

44
Q

*“Actions on Objectives” phase

A

Threat actor executes the core objectives of the intrusion, such as data exfiltration and file encryption

45
Q

*Concealment

A

Used to help the threat actor prolong unauthorized access to a system by
- hiding tracks
- erasing log files
- hiding any evidence of malicious activity

"Living off the Land"
- strategy adopted by many APTs and criminal organizations
- the threat actor abuses the legitimate tools already present on the system (e.g., PowerShell, WMI, scheduled tasks) to perform the intrusion, so little or no new malware needs to be dropped

46
Q

9 Common indicators of Malware Attacks

A
  • Account Lockout - multiple failed login attempts trip the lockout policy (malware or an attacker guessing credentials)
  • Concurrent Session Utilization - a single user has multiple sessions open at once, often from different hosts
  • Blocked Content - sudden increase in blocked-content alerts on your security tools (e.g., a proxy or DNS filter blocking C2 or download attempts)
  • Impossible Travel - user account accessed from two or more geo-locations within a time too short to travel between them
  • Resource Consumption - unusual spikes in CPU, memory, or network bandwidth not linked to a legitimate task (crypto-mining, encryption, scanning)
  • Resource Inaccessibility - files or systems suddenly unavailable, the classic sign of ransomware
  • Out-of-Cycle Logging - log entries generated outside business hours or outside the normal schedule for that system
  • Missing Logs - log review shows gaps, or logs cleared without an authorized reason (concealment)
  • Published/Documented Attacks - a security researcher or reporter publishes a report showing that your organization's network is part of a botnet or another malware-based attack
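
As an added example (not from the original flashcards), the detection logic behind four of the indicators above, run over a constructed authentication log. The log lines, the users and the thresholds (5 failures in 10 minutes, 900 km/h, business hours 08:00-18:00 in UTC) are assumptions for illustration and would be tuned per environment.

```python
"""Detect account lockout, impossible travel, concurrent sessions and
out-of-cycle logins from a constructed authentication log.

Added example, not from the original flashcards. SAMPLE_LOG is constructed;
all thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed log: utc-timestamp user event source-ip lat lon session-id
SAMPLE_LOG = """\
2024-05-01T08:55:10Z alice login_ok 203.0.113.5 51.50 -0.12 s1
2024-05-01T09:02:00Z alice login_ok 198.51.100.9 40.71 -74.01 s2
2024-05-01T09:10:00Z bob login_fail 192.0.2.7 48.85 2.35 -
2024-05-01T09:10:05Z bob login_fail 192.0.2.7 48.85 2.35 -
2024-05-01T09:10:09Z bob login_fail 192.0.2.7 48.85 2.35 -
2024-05-01T09:10:14Z bob login_fail 192.0.2.7 48.85 2.35 -
2024-05-01T09:10:20Z bob login_fail 192.0.2.7 48.85 2.35 -
2024-05-01T09:30:00Z alice logout 203.0.113.5 51.50 -0.12 s1
2024-05-01T23:41:00Z carol login_ok 192.0.2.44 48.85 2.35 s3
"""


def parse(log_text: str) -> List[Dict]:
    """Parse the whitespace-separated constructed format into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, kind, ip, lat, lon, session = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "kind": kind, "ip": ip, "lat": float(lat), "lon": float(lon),
                       "session": session})
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events: List[Dict], fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10),
           max_speed_kmh: float = 900.0,
           business_hours: Tuple[int, int] = (8, 18)) -> List[Tuple[str, str, str]]:
    """Return (user, indicator, detail) tuples in chronological order."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)   # sliding window per user
    last_ok: Dict[str, Dict] = {}                              # last successful login per user
    open_sessions: Dict[str, set] = defaultdict(set)           # sessions currently open per user
    for e in sorted(events, key=lambda ev: ev["ts"]):
        u = e["user"]
        if e["kind"] == "login_fail":
            failures[u] = [t for t in failures[u] if e["ts"] - t <= fail_window] + [e["ts"]]
            if len(failures[u]) == fail_threshold:   # alert once, when the threshold is hit
                alerts.append((u, "account_lockout", f"{fail_threshold} failures within {fail_window}"))
        elif e["kind"] == "login_ok":
            if u in last_ok:
                prev = last_ok[u]
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if hours > 0 and km / hours > max_speed_kmh:
                    alerts.append((u, "impossible_travel", f"{km:.0f} km in {hours * 60:.0f} min"))
            last_ok[u] = e
            open_sessions[u].add(e["session"])
            if len(open_sessions[u]) > 1:
                alerts.append((u, "concurrent_sessions", f"{len(open_sessions[u])} sessions open"))
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                alerts.append((u, "out_of_cycle", f"login at {e['ts']:%H:%M} UTC"))
        elif e["kind"] == "logout":
            open_sessions[u].discard(e["session"])
    return alerts


if __name__ == "__main__":
    for user, indicator, detail in detect(parse(SAMPLE_LOG)):
        print(f"{user:6} {indicator:20} {detail}")
```

In the sample, alice logs in from London and seven minutes later from New York (about 5,570 km), which fires both impossible travel and concurrent sessions because the first session was never closed; bob's five failures inside twenty seconds hit the lockout threshold; carol's 23:41 login is out of cycle. Real deployments would pull the geolocation from an IP database and the business-hours window from the user's timezone rather than from the log line itself.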