Malware Flashcards
Define malware
Malicious software designed to infiltrate computer systems and potentially damage them without user consent
List malware categories
1 Viruses
2 Worms
3 Trojans
4 Ransomware
5 Spyware
6 Rootkits
7 Spam
Threat Vector vs. Attack Vector
Threat Vector
Method used to infiltrate a victim’s machine. Examples:
- Unpatched software
- USB drive installation
- Phishing campaigns
Attack Vector
Means by which the attacker gains access and infects the system
Combines both the infiltration method and the infection process
Types of Malware Attacks
1: Viruses
Attach to clean files, spread, and corrupt host files
2: Worms
Standalone programs that replicate and spread to other computers
3: Trojans
Disguise themselves as legitimate software and grant unauthorized access
4: Ransomware
Encrypts user data, demands ransom for decryption
5: Zombies and Botnets
Compromised computers remotely controlled in a network for malicious purposes
6: Rootkits
Hide their presence and activities on a computer, operating at the OS level
7: Backdoors and Logic Bombs
Backdoors allow unauthorized access; logic bombs execute malicious actions when a condition is met
8: Keyloggers
Record keystrokes to capture passwords or other sensitive information
9: Spyware and Bloatware
Spyware monitors and gathers user/system information; bloatware consumes resources without providing value
Indications of Malware Attack
Account lockouts
Concurrent session utilization
Blocked content
Impossible travel
Resource consumption
Inaccessibility
Out-of-cycle logging
Missing logs
Documented attacks
10 Different Types of Viruses
1: Boot Sector
Virus stored in the first sector of a hard drive, which is loaded into memory whenever the computer boots up
2: Macro
Form of code that allows a virus to be embedded inside another document so that, when the document is opened by the user, the virus is executed
3: Program
Tries to find executables or application files to infect with its malicious code
4: Multipartite
Combination of a boot sector virus and a program virus
Able to place itself in the boot sector so it is loaded every time the computer boots
Can also install itself in a program so it runs every time that program starts
5: Encrypted
Designed to hide itself by encrypting its malicious code or payload to avoid detection by antivirus software
6: Polymorphic
Advanced version of an encrypted virus: instead of just encrypting its contents, it actually changes the virus’s code each time it is executed by altering the decryption module in order to evade detection
7: Metamorphic
Able to rewrite itself entirely before it attempts to infect a given file
8: Stealth
Technique used to prevent the virus from being detected by anti-virus software
9: Armored
Have a layer of protection to confuse a program or a person who is trying to analyze them
10: Hoax
Form of technical social engineering that attempts to scare end users into taking some kind of undesirable action on their system
Define worm
Piece of malicious software, much like a virus, but able to replicate itself without any user interaction
Able to self-replicate and spread throughout your network without a user’s consent or action
Worms are dangerous for two reasons:
1: They infect your workstation and other computing assets, and cause disruptions to your normal network traffic since they are constantly trying to replicate and spread themselves across the network
2: Worms are best known for spreading far and wide over the internet in a relatively short amount of time
Define Trojan
Piece of malicious software that is disguised as a piece of harmless or desirable software
Claims that it will perform some needed or desired function for you
Trojans are commonly used today by attackers to exploit a vulnerability in your workstation and then conduct data exfiltration to steal your sensitive documents, create backdoors to maintain persistence on your systems, and carry out other malicious activities
Remote Access Trojan (RAT)
Widely used by modern attackers because it provides the attacker with remote control of a victim machine
Define Ransomware
Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker
How can we protect ourselves and our organizations against ransomware?
Always conduct regular backups
Install software updates regularly
Provide security awareness training to your users
Implement Multi-Factor Authentication (MFA)
What should you do if you find yourself or your organization as the victim of a ransomware attack?
Never pay the ransom
If you suspect ransomware has infected your machine, you should disconnect it from the network
Notify the authorities
Restore your data and systems from known good backups
Define Botnet
Network of compromised computers or devices controlled remotely by malicious actors
Define Zombie
Name for a compromised computer or device that is part of a botnet
Used to perform tasks using remote commands from the attacker without the user’s knowledge
Command and Control Node
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
Botnets are used:
- as pivot points
- to disguise the real attacker
- to host illegal activities
- to spam others by sending out phishing campaigns and other malware
Most common use for a botnet
Distributed Denial-of-Service (DDoS) Attack
Occurs when many machines target a single victim and attack it at the exact same time
Define ‘rootkit’
Designed to gain administrative level control over a given computer system without being detected
The account with the highest level of permissions is called:
The Administrator account
Allows the person to install programs, delete programs, open ports, shut ports, and do whatever they want to do on that system
On a UNIX, Linux, or macOS computer, this type of administrator account is called the root account
A computer system has several different rings of permissions throughout the system
1: Ring 3 (User Mode): Lowest privilege, where user applications run. These processes cannot directly access hardware and must go through controlled system calls.
2: Ring 1 and Ring 2: Intermediate privilege levels, often used for device drivers and system services (less common in modern systems).
3: Ring 0 (Innermost or Highest Permission Level): Operating in Ring 0 is called “kernel mode”
Kernel mode
Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
Rootkit movements
- When a rootkit is installed on a system, it tries to move from Ring 1 to Ring 0 so that it can hide from other functions of the operating system to avoid detection
- One technique used by rootkits to gain this deeper level of access is DLL injection
Define DLL injection
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library