Malware Flashcards
Boot Sector Virus
Stored in the first sector of a hard drive and is then loaded into memory whenever the computer boots up -
Macro
Form of code that allows a virus to be embedded inside another document so that when that document is opened by the user by the user, the virus is executed
Program
Try to find executables or application files to infect with their malicious code
Multipartite
Combination of a boot sector type virus and a program virus
Able to place itself in the boot sector and be loaded every time computer boots
It can install itself in a program where it can be run every time the computer starts up
Encrypted
Designed to hide itself from being detected by encrypting its malicious code or payloads to avoid detection by any antivirus software
Polymorphic
Advanced version of an encrypted virus, but instead of just encrypting the content it will actually change the viruses code each time it is executed by altering the decryption module in order for it to evade detection
Metamorphic
Able to rewrite themselves entirely before it attempts to infect a given file
Stealth
Technique used to prevent the virus from being detected by the anti virus software
Armored
Have a layer of protection to confuse a program or a person who’s trying to analyze it
Hoax
Form of technical social engineering that attempts to scare our end users
Worm
Piece of malicious software, much like a virus, but it can replicate itself without any user interaction
Able to self replicate and spread throughout your network without a user’s consent on their action
What are the two dangerous reason why worm are bad
Infect your workstation and other computing assets
Cause disruptions to your normal network traffic since they are constantly trying to replicate and spread themselves across the network
Trojan
Piece of malicious software that is disguised as a piece of harmless or desirable software
Claims that it will perform some needed or desired functions for your
What is a RAT
Remote access trojan
Widely used by modern attackers because it provided the attacker with remote control of a victim machine
It uses to exploit a vulnerability in your workstation and then conducting data exfiltration to steal your sensitive documents creating backdoors to maintain persistence on your systems , and other malicious activities
Ransomware
Type of malicious software the is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker
GIVE ME THE WAYS TO PROTECT OURSELVES AND OUR ORGANIZATIONS AGAINST RANSOMEWARE
- Always conduct regular backups
- Install software updates regularly
- Provide security awareness training to your users
- Implement MFA
What should you do if you find yourself or your organization as the victim of a ransomware attack?
- Don’t pay the ransom
- Suspect ransomware has infected your machine, you should disconnect it from the network
- Notify the authorities
- Restore your data and systems from known good backups
Botnets
Network of compromised computers or devices controlled remotely by malicious actors
Zombies
Name of a compromised computer or device that is part of a botnet
Used to perform tasks using remote commands from the attackers without the user’s knowledge
Command and Control Node
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
what is the most common use of botnet
DISTRIBUTED denial of service attack it occurs when many machines target a single viciim and attack them at the exact same time
What are Botnets are used
as pivot points
disguise the real attacker
to host illegal activities
to spam others by sending out phishing campaigns and other malware
Botnets are used attackers to combine processing power to break through different types of encryption schemes
botnets
What is the percentage that an attackers use for the zombies power
20-25%
Rootkit
Designed to gain administrative level control over a given computer system without being detected
What can you do administrator account
install programs, delete programs, open ports, shut ports, do whatever it is they want to do on that system
A computer system has several different rings of permissions throughout the system
Ring 3- Where user level permissions are used
Ring 0 - Operating in Ring is called kernel mode
Allows a system to control access to things like device drivers, your sound card, your video displays or monitor, and other similar things
Rootkit what does it do
it tries to move from ring 1 to Ring 0 so that it can hide from other functions of the operating system to avoid detection
One technique used by rootkit to gain this deeper level of access is a
DLL injection - technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic link library
Dynamic Link Library
Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software
Shims
Piece of software code that is placed between two components and that intercepts the calls between those components and can be used redirect them
Rootkits are extremely powerful, and they are very diffcult to detect because the operating system is essentially blinded to them
To detect them, the best way is to boot from an external device and then scan the internal hard drive to ensure that you can detect those rootkits using a good anti malware scanning solution from a live boot linux distribution
Backdoor
Originally placed in compute program to bypass the normal security and authentication functions
Most often put into system by designers and programmers
Does a rat act like a backdoor?
Yes, can be placed by a threat actor on your computer to help them maintain persistent access to that system
Logic bombs
Malicious code that’s insert into a program, and the malicious code will only execute when certain conditions have been met
What is keylogger
Piece of software or hardware that records every single keystroke that is made on a computer or mobile device
Software keyloggers
Malicious programs that get installed on a victim’s computer
Often bundled with other software or delivered through social engineering attacks, like phishing or pretexting attacks
Hardware Keyloggers
Physical devices that need to be plugged into a computer
These will resemble a USB drive or they can be embedded within a keyboard cable itself
Spyware
Malicious software that is designed to gather and send information about a user or organization without their knowledge
Some ways spyware can get installed on a system
Bundled with other software
Installed through malicious website
Installed when users click on a deceptive pop up advertisement
Bloatware
Any software that come pre installed on a new computer that you as the user did not specifically request want or need
Malware Exploitation Techniques
Specific method by which malware code penetrates and infects a targeted system
Some malware focuses on infecting the systems memory to leverage remote procedure calls over the organizations network
Most modern malware uses fileless techniques to avoid detection by signature based security software
Fileless malware is used to create a process in the system memory without relying on the local file system of the infected host
How does this modern malware work
Talk about the two stages
- Dropper or downloaders
Dropper Specific malware type designed to initiate or run other malware forms within a payload on an infect host
Downloader- Retrieve additional tools post the initial infection facilitated by a dropper
Stage 2: Downloads and installs a remote access Trojan to conduct command and control on a the victimized system.
Actions on objectives Phase
Threat actors will execute primary objectives to meet core objectives like data infiltration, file encryption
Concealment
Used to help the threat actor prolong unauthorized access to a system by hiding tracks, erasing log files, hiding an evidence of malicious activity
What does living off the land mean
A strategy adopted by many Advanced Persistent Threats and criminal organizations
the threat actors try to exploit the standard tools to perform intrusions
Describe Account Lockouts
Malware especially those designed for credential thrift or brute force attacks can trigger multiple failed login attempts that would result in a users account being locked out
