Malware Flashcards
Define malware
Malicious software designed to infiltrate computer systems and potentially damage them without user consent
List malware categories
1 Viruses
2 Worms
3 Trojans
4 Ransomware
5 Spyware
6 Rootkits
7 Spam
Threat Vector vs. Attack Vector
Threat Vector
Method used to infiltrate a victim’s machine. Examples
- Unpatched software
- USB drive installation
- Phishing campaigns
Attack Vector
Means by which the attacker gains access and infects
the system
Combines both infiltration method and infection
process
Types of Malware Attacks
1: Viruses
Attach to clean files, spread, and corrupt host files
2: Worms
Standalone programs replicating and spreading to
other computers
3: Trojans
Disguise as legitimate software, grant unauthorized
access
4: Ransomware
Encrypts user data, demands ransom for decryption
5: Zombies and Botnets
Compromised computers remotely controlled in a
network for malicious purposes
6: Rootkits
Hide presence and activities on a computer, operate at
the OS level
7: Backdoors and Logic Bombs
Backdoors allow unauthorized access, logic bombs
execute malicious actions
8: Keyloggers
Record keystrokes, capture passwords or sensitive
information
9: Spyware and Bloatware
Spyware monitors and gathers user/system
information, bloatware consumes resources without
value
Indications of Malware Attack
Account lockouts
Concurrent session utilization
Blocked content
Impossible travel
Resource consumption
Inaccessibility
Out-of-cycle logging
Missing logs
Documented attacks
10 Different Types of Viruses
1: Boot Sector
One that is stored in the first sector of a hard drive and
is then loaded into memory whenever the computer
boots up
2: Macro
Form of code that allows a virus to be embedded inside
another document so that when that document is
opened by the user, the virus is executed
3: Program
Try to find executables or application files to infect with their malicious code
4: Multipartite
Combination of a boot sector type virus and a program virus
Able to place itself in the boot sector and be loaded
every time the computer boots
It can install itself in a program where it can be run
every time the computer starts up
5: Encrypted
Designed to hide itself from being detected by
encrypting its malicious code or payloads to avoid
detection by any antivirus software
6: Polymorphic
Advanced version of an encrypted virus, but instead of
just encrypting the contents it will actually change the
viruses code each time it is executed by altering the
decryption module in order for it to evade detection
7: Metamorphic
Able to rewrite themselves entirely before it attempts
to infect a given file
8: Stealth
Technique used to prevent the virus from being
detected by the anti-virus software
9: Armored
Have a layer of protection to confuse a program or a
person who’s trying to analyze it
10: Hoax
Form of technical social engineering that attempts to
scare our end users into taking some kind of
undesirable action on their system
Define worm
Piece of malicious software, much like a virus, but it can
replicate itself without any user interaction
Able to self-replicate and spread throughout your
network without a user’s consent or their action
Worms are dangerous for two reasons
1: Infect your workstation and other computing assets
Cause disruptions to your normal network traffic since
they are constantly trying to replicate and spread
themselves across the network
2: Worms are best known for spreading far and wide over
the internet in a relative short amount of time
Define Trojan
Piece of malicious software that is disguised as a piece
of harmless or desirable software
Claims that it will perform some needed or desired
function for you
Trojans are commonly used today by attackers to
exploit a vulnerability in your workstation and then
conducting data exfiltration to steal your sensitive
documents, creating backdoors to maintain
persistence on your systems, and other malicious
activities
Remote Access Trojan (RAT)
Widely used by modern attackers because it provides the attacker with remote control of a victim machine
Define Ransonware
Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker
How can we protect ourselves and our organizations against ransomware?
Always conduct regular backups
Install software updates regularly
Provide security awareness training to your users
Implement Multi-Factor Authentication (MFA)
What should you do if you find yourself or your organization as the victim of a ransomware attack?
Never pay the ransom
If you suspect ransomware has infected your machine,
you should disconnect it from the network
Notify the authorities
Restore your data and systems from known good
backups
Define Botnet
Network of compromised computers or devices controlled remotely by malicious actors
Define Zombie
Name of a compromised computer or device that is
part of a botnet
Used to perform tasks using remote commands from
the attacker without the user’s knowledge
Command and Control Node
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
Botnets are used:
as pivot points
disguise the real attacker
to host illegal activities
to spam others by sending out phishing campaigns and
other malware
Most common use for a botnet
Distributed Denial-of-Service (DDoS) Attack
Occurs when many machines target a single victim and
attack them at the exact same time
Define ‘rootkit’
Designed to gain administrative level control over a given computer system without being detected
Account with highest level of permissions is called:
The Administrator account:
Allows the person to install programs, delete programs,
open ports, shut ports, and do whatever it is they want
to do on that system
In a UNIX, Linux, or MacOS computer, this type of
administrator account is actually called the root
account
A computer system has several different rings of permissions throughout the system
1: Ring 3 (User Mode): Lowest privilege, where user
applications run. These processes cannot directly access
hardware and must go through controlled system calls.
2: Ring 1 and Ring 2: Intermediate privilege levels, often
used for device drivers and system services (less common
in modern systems).
2: Ring 0 (Innermost or Highest Permission Levels)
Operating in Ring 0 is called “kernel mode”
Kernel mode
Allows a system to control access to things like device drivers, your sound card, your video display or monitor, and other similar things
Rootkit movements
o When a rootkit is installed on a system, it tries to move
from Ring 1 to Ring 0 so that it can hide from other
functions of the operating system to avoid detection
o One technique used by rootkits to gain this deeper level
of access is a DLL injection
Define DLL injections
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library
Define Dynamic Link Library (DLL)
Collection of code and data that can be used by multiple programs simultaneously to allow for code reuse and modularization in software
Define shim development
Piece of software code that is placed between two components and that intercepts the calls between those components and can be used redirect them
How to detect rootkits
To detect them, the best way is to boot from an external device and then scan the internal hard drive to ensure that you can detect those rootkits using a good anti-malware scanning solution from a live boot Linux distribution
Define backdoor
Originally placed in computer programs to bypass the
normal security and authentication functions
Most often put into systems by designers and
programmers
Remote Access Trojan (RAT) acts just like a backdoor in
our modern networks
Can be placed by a threat actor on your computer to
help them maintain persistent access to that system
Define ‘easter egg’
A hidden feature or novelty within a program that is
typically inserted by the software developers as an
inside joke
Code often has significant vulnerabilities
Define logic bomb
Malicious code that’s inserted into a program, and the malicious code will only execute when certain conditions have been met
Define ‘keylogger’
o Piece of software or hardware that records every single
keystroke that is made on a computer or mobile device
o Keyloggers can be either software-based or hardware-
based
Software Keyloggers
Malicious programs that get installed on a victim’s
computer
Often bundled with other software or delivered
through social engineering attacks, like phishing or
pretexting attacks
Hardware Keyloggers
Physical devices that need to be plugged into a
computer
These will resemble a USB drive or they can be
embedded within a keyboard cable itself
To protect your organization from keyloggers, ensure the following:
Perform regular updates and patches
Rely on quality antivirus and antimalware solutions
Conduct phishing awareness training for your users
Implement multi-factor authentication systems
Encrypt keystrokes being sent to your systems
Perform physical checks of your desktops, laptops, and
servers
Define ‘Spyware’
Malicious software that is designed to gather and send information about a user or organization without their knowledge
Spyware can get installed on a system in several different ways
Bundled with other software
Installed through a malicious website
Installed when users click on a deceptive pop-up
advertisement
How to protect against Spyware
To help protect yourself against spyware, you should
only use reputable antivirus and anti-spyware tools that
are regularly updated detect and remove any potential
threats
Bloatware
Any software that comes pre-installed on a new computer or smartphone that you, as the user, did not specifically request, want, or need
Other examples of bloatware are things like unnecessary toolbars or applications that promote certain services
Bloatware isn’t malicious, but it can
- waste your storage space
- slow down the performance of your devices
- introduce security vulnerabilities into your systems
To remove bloatware, you can either do the following
Do a manual removal process
Use bloatware removal tools to uninstall the unwanted
applications
Perform a clean operating system installation
How does this modern malware work?
When a user accidentally clicks on a malicious link or opens a malicious file, the specific type of malware being installed is known as a stage one dropper or downloader
Stage 1 Dropper or Downloader
Piece of malware that is usually created as a lightweight
shellcode that can be executed on a given system
Dropper
Specific malware type designed to initiate or run other
malware forms within a payload on an infected host
Downloader
Retrieve additional tools post the initial infection
facilitated by a dropper
The primary function of a stage one dropper or
downloader is to retrieve additional portions of the
malware code and to trick the user into activating it
Shellcode
Broader term that encompasses lightweight code
meant to execute an exploit on a given target
Stage 2: Downloader
Downloads and installs a remote access Trojan to
conduct command and control on the victimized
system
“Actions on Objectives” Phase
Threat actors will execute primary objectives to meet
core objectives like
data exfiltration
file encryption
Concealment
Used to help the threat actor prolong unauthorized
access to a system by
hiding tracks
erasing log files
hiding any evidence of malicious activity
“Living off the Land”
A strategy adopted by many Advanced Persistent
Threats and criminal organizations
the threat actors try to exploit the standard tools to perform intrusions
9 Common Indicators of Malware Attacks
1: Account Lockouts
Malware, especially those designed for credential theft
or brute force attacks, can trigger multiple failed login
attempts that would result in a user’s account being
locked out
2: Concurrent Session Utilization
If you notice that a single user account has multiple
simultaneous or concurrent sessions open, especially
from various geographic locations
3: Blocked Content
If there is a sudden increase in the amount of blocked
content alerts you are seeing from your security tools
4: Impossible Travel
Refers to a scenario where a user’s account is accessed
from two or more geographically separated locations in
an impossibly short period of time
5: Resource Consumption
If you are observing any unusual spikes in CPU,
memory, or network bandwidth utilization that cannot
be linked back to a legitimate task
Resource Inaccessibility
6: Ransomware
Form of malware that encrypts user files to make them inaccessible to the user
If a large number of files or critical systems suddenly become inaccessible or if users receive messages demanding payment to decrypt their data
7: Out-of-Cycle Logging
If you are noticing that your logs are being generated at odd hours or during times when no legitimate activities should be taking place (such as in the middle of the night when no employees are actively working)
8: Missing Logs
If you are conducting a log review as a cybersecurity
analyst and you see that there are gaps in your logs or
if the logs have been cleared without any authorized
reason
9: Published or Documented Attacks
If a cybersecurity research or reporter published a
report that shows that your organization’s network has
been infected as part of a botnet or other malware-
based attack
