Malware Flashcards
For malware to infect your system, it needs two things, and they are:
Threat Vector
Attack Vector
The specific method an attacker uses to infiltrate a victim's machine, such as exploiting unpatched software, installing code, or running phishing campaigns (how they can get in), is known as a:
Threat Vector
The actual means by which an attacker gains access to a computer to infect it with malware (how they are going to infect the system) is known as an:
Attack Vector
Popular security patch from 2017:
MS17-010
Malicious software or code that runs, attaches itself to clean files, and spreads through a computer system without the user's knowledge is known as a:
Virus
Stand-alone malware programs that replicate and spread to other systems by exploiting software vulnerabilities:
Worms
Malicious programs that appear to be legitimate software but allow unauthorized access to a victim's system when executed:
Trojans
These are compromised computers that are remotely controlled by attackers and used in coordination to form what is called a botnet:
Zombies
A network of zombies that is often used for DDoS attacks, spam distribution, or cryptocurrency mining is a:
Botnet
Malicious tools that hide their activities and operate at or below the OS level to allow ongoing privileged access are known as:
Rootkits
These are malicious means of bypassing normal authentication processes to gain unauthorized access to a system:
Backdoors
This is embedded code placed in legitimate programs that executes a malicious action when a specific condition or trigger occurs:
Logic Bombs
These record a user's keystrokes and are used to capture passwords or other sensitive information:
Keyloggers
This secretly monitors and gathers user information or activities and sends the data to third parties:
Spyware
This is unnecessary or pre-installed software that consumes system resources and space without offering any value to the user:
Bloatware
There are 10 different types of viruses that you should be aware of:
Boot Sector
Macro
Program
Multipartite
Encrypted
Polymorphic
Metamorphic
Stealth
Armored
Hoax
This type of virus is stored in the first sector of a hard drive and is loaded into memory whenever the computer boots up:
Boot Sector
This type of virus is code embedded inside another document so that when the document is opened by the user, the virus is executed:
Macro virus
This type of virus tries to find executables or application files to infect with its malicious code:
Program virus
This virus hides from detection by encrypting its malicious code or payload so that antivirus software cannot recognize it:
Encrypted Virus
A combination of a boot sector virus and a program virus. A technician may remove the program virus from your machine but miss the one in the boot sector, hence the name:
Multipartite virus
This is an advanced version of an encrypted virus, but instead of just encrypting its contents, it changes the virus's code each time it is executed by altering the decryption module in order to evade detection:
Polymorphic Virus
This virus is able to rewrite itself entirely before it attempts to infect a given file:
Metamorphic Virus
This is not necessarily a specific type of virus so much as a technique used to prevent the virus from being detected by anti-virus software:
Stealth virus
This type of virus has a layer of protection to confuse a program or a person who is trying to analyze it:
Armored Virus
This is technically not a virus but a form of technical social engineering that attempts to scare end users into taking undesirable actions on their system:
Hoax
A piece of malicious software much like a virus, but it can replicate itself without any user interaction. These are best known for spreading far and wide over the Internet in a relatively short amount of time:
Worm
This worm is one of the largest because it was able to infect between 9 and 15 million machines:
Conficker
A _________ can replicate itself without any user interaction
Worm
A ___________ requires the user to take some action
Virus
A piece of malicious software disguised as harmless or desirable software. These are commonly used today by attackers to exploit a vulnerability in a workstation and then conduct data exfiltration:
Trojan
This is a type of Trojan widely used by modern attackers because it provides the attacker with remote control of a victim's machine:
Remote Access Trojan (RAT)
A type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker.
Ransomware
Ways to help prevent Ransomware attacks are:
Conducting Regular Backups
Installing Regular Software updates
Providing Security Awareness Training
Implementing Multi-Factor Authentication for the Systems
If you are a victim of a Ransomware Attack you should:
Never Pay the Ransom
Disconnect the infected System from the Network
Notify the Authorities
Restore the Data from Known Good Backups
A network of hundreds, thousands, or even millions of compromised computers or devices controlled remotely by malicious actors, who use their processing, memory, storage, or networking without your consent:
Botnet
The name of a compromised computer or device that is part of a botnet and is used to perform tasks via remote commands:
Zombie
For hackers, these are responsible for managing and coordinating the activities of other nodes or devices within a network:
command and control node (C2 node)
__________ are used to spam others by sending out phishing campaigns and other malware, and to combine processing power to break through different types of encryption schemes and gain more zombies:
Botnets
The most common uses of botnets are:
Distributed Denial of Service attack (DDoS)
Crypto mining, or breaking your computer's encryption
When you have a lot of machines trying to take control or attack one machine, that is called:
Distributed Denial of Service attack (DDoS)
A type of software designed to gain administrative-level control over a given computer system without being detected, digging deeply into the operating system:
Rootkit
Rootkits, because of their admin access, allow an attacker to:
Install Programs
Delete Programs
Open Ports
Close Ports
A ________ _________ has what is called rings of permissions; most basic users are in the outermost ring, Ring 3. Ring 0 is the innermost and has the most permissions:
computer system
Being in this part or mode (Ring 0) allows a system to control access to things like device drivers, the sound card, and the monitor:
Kernel mode
If you log in as "Administrator" or "Root" you will be operating at:
Ring 1
This is a technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library:
DLL injection
DLL injections work by utilizing software code placed between two components. It intercepts calls between those components and redirects them into malicious code:
Shim
Because a rootkit, once it reaches Ring 1 or Ring 0, is almost impossible to detect, the best way to search for or find one is to do an:
External Scan
This is used to bypass the normal security and authentication functions of your computer:
Backdoor
This can be placed on your system via a backdoor by a threat actor to help maintain persistent access to that system:
Remote Access Trojan (RAT)
This is an insecure coding practice that was initially used by programmers as a joke or gag gift to users:
Easter Egg
A piece of software (normally bundled with other programs) or hardware that records every single keystroke made on a computer or mobile device:
Keylogger
This is any software that comes pre-installed on a new computer or smartphone, like toolbars and Office 365. It wastes storage space, slows down device performance, and introduces new security vulnerabilities into systems:
Bloatware
A type of malicious software that is designed to gather and send information about a user or organization. It can be bundled with other software, installed through a Malicious Website, or installed when users click on a deceptive pop-up advertisement.
Spyware
Describes the specific method by which malware code infects a target host:
Exploit Technique
Some _______ focuses on infecting the system's memory to leverage remote procedure calls over the organization's network:
Malware
Most modern ________ uses fileless techniques to avoid detection by signature-based security software, following a two-stage model:
Malware
This is used to create a process in the system's memory without relying on the local file system of the infected host:
Fileless malware
When a user clicks on a malicious link or opens a malicious file and malware is then installed, this is known as:
Stage 1: Dropper or Downloader
This initiates or runs other malware forms within a payload on an infected host:
Dropper
This retrieves additional tools after the initial infection facilitated by a dropper:
Downloader
This encompasses lightweight code meant to execute an exploit on a given target:
Shellcode
This downloads and installs a remote access Trojan to conduct command and control on the victimized system
Stage 2: Downloader
The phase in which threat actors execute their primary objectives to meet core objectives (data exfiltration or file encryption) is known as the:
"Actions on Objectives" Phase
After a Stage 1 and Stage 2 malware attack has been initiated, this is used to help the threat actor prolong unauthorized access to a system by hiding tracks, erasing log files, and hiding any evidence of malicious activities:
Concealment
Malware can enter your system by any of the following techniques:
Code Injection
DLL sideloading
Masquerading
Process hollowing
DLL injection
This known malware strategy was adopted by many Advanced Persistent Threats and criminal organizations, where the threat actors exploit standard system tools to perform intrusions, such as using PowerShell:
Living off the land
Signs that you may have some form of Malware on your machine:
Account lockouts
Concurrent session utilization
Blocked content
Resource Consumption
Out-of-cycle logging
Published or documented attacks
Impossible travel
Resource inaccessibility
Missing logs