Malware Flashcards
What is a Computer Virus?
Malicious code that runs on a machine without the user’s knowledge and infects the computer whenever it is run.
Computer viruses can lead to data corruption, loss, or unauthorized access to information.
What is a Boot Sector Virus?
Stored in the first sector of a hard drive and loaded into memory whenever the computer boots up.
Boot sector viruses can be particularly damaging as they can prevent the operating system from loading.
What is a Macro Virus?
A form of code that allows a virus to be embedded inside another document so that when that document is opened by the user, the virus is executed.
Commonly found in documents created with applications like Microsoft Word.
What does a Program Virus do?
Tries to find executables or application files to infect with its malicious code.
These viruses often spread through software downloads or installations.
What is a Multipartite Virus?
A combination of a boot sector type virus and a program virus, able to place itself in the boot sector and install itself in a program.
This type of virus can be particularly difficult to remove due to its dual nature.
What is an Encrypted Virus?
Designed to avoid detection by encrypting its malicious code or payloads so that antivirus software cannot recognize it.
Encryption makes it harder for security software to recognize the virus.
What is a Polymorphic Virus?
An advanced version of an encrypted virus that changes its code each time it is executed by altering the decryption module to evade detection.
Polymorphic viruses are more challenging to detect and remove than standard viruses.
What is a Metamorphic Virus?
Able to rewrite itself entirely before attempting to infect a given file.
This capability allows metamorphic viruses to evade detection even more effectively than polymorphic ones.
What is a Stealth Virus?
A technique used to prevent the virus from being detected by antivirus software.
Stealth viruses can manipulate system resources to hide their presence.
What is an Armored Virus?
Has a layer of protection to confuse a program or a person who’s trying to analyze it.
This protection can make it significantly more challenging for security experts to reverse-engineer the virus.
What is a Hoax Virus?
A form of technical social engineering that attempts to scare users into taking undesirable actions on their system.
Hoax viruses often spread through emails or social media, misleading users about threats.
What is a worm in the context of cybersecurity?
A piece of malicious software that can replicate itself without any user interaction
Worms operate autonomously to infect systems.
How do worms replicate and spread?
They self-replicate and spread throughout your network without a user’s consent or action
This ability allows them to propagate rapidly.
What are the two main dangers posed by worms?
- Infecting workstations and other computing assets
- Causing disruptions to normal network traffic
The constant replication attempts can overwhelm network resources.
True or False: Worms require user interaction to spread.
False
Worms can spread without any action from users.
What is a key characteristic of worms compared to viruses?
Worms can replicate themselves without user interaction
Unlike viruses, which often require user action to spread.
Fill in the blank: Worms are best known for spreading far and wide over the internet in a _______.
[short amount of time]
Their rapid propagation can lead to widespread damage.
What is a Trojan?
Piece of malicious software that is disguised as a piece of harmless or desirable software
Trojans are often used to trick users into installing them.
What does RAT stand for?
Remote Access Trojan
RATs provide attackers with remote control of a victim machine.
Why are Trojans commonly used by attackers today?
To exploit a vulnerability in your workstation and conduct data exfiltration, create backdoors, and perform other malicious activities
Attackers use Trojans for various malicious purposes, including stealing sensitive documents.
Fill in the blank: A Remote Access Trojan (RAT) provides the attacker with _______.
remote control of a victim machine
True or False: Trojans can maintain persistence on systems.
True
Trojans can create backdoors to ensure continued access to infected systems.
What is ransomware?
Type of malicious software that is designed to block access to a computer system or its data by encrypting it until a ransom is paid to the attacker.
How can we protect ourselves and our organizations against ransomware? List at least three methods.
- Always conduct regular backups
- Install software updates regularly
- Provide security awareness training to your users
- Implement Multi-Factor Authentication (MFA)
What should you do if you find yourself or your organization as the victim of a ransomware attack? Name one action.
Never pay the ransom.
True or False: Paying the ransom guarantees that you will get your data back.
False.
What is the first step to take if you suspect ransomware has infected your machine?
Disconnect it from the network.
What should you do after disconnecting a machine infected with ransomware?
Notify the authorities.
Fill in the blank: To recover from a ransomware attack, you should restore your data and systems from known good _______.
backups.
What is a Botnet?
Network of compromised computers or devices controlled remotely by malicious actors
Botnets can include a wide range of devices, from personal computers to IoT devices.
What is a Zombie in the context of cybersecurity?
Name of a compromised computer or device that is part of a botnet
Zombies perform tasks using remote commands from the attacker without the user’s knowledge.
What is the role of a Command and Control Node?
Computer responsible for managing and coordinating the activities of other nodes or devices within a network
This node is crucial for the functioning of a botnet.
List some uses of Botnets.
- As pivot points
- Disguise the real attacker
- To host illegal activities
- To spam others by sending out phishing campaigns and other malware
Botnets are often utilized for various malicious purposes, including data theft and distributed denial-of-service (DDoS) attacks.
What is a rootkit?
Designed to gain administrative level control over a given computer system without being detected
What are the different rings of permissions in a computer system?
Several different rings, including Ring 3 (user-level permissions) and Ring 0 (highest permission level)
What is Ring 3 in a computer system?
The outermost ring, where user-level permissions are used
What is Ring 0 in a computer system?
The innermost or highest permission level, also known as kernel mode
What is kernel mode?
Operation in Ring 0, which allows control over access to device drivers and other critical system resources
What does kernel mode allow a system to control?
Access to resources like device drivers, the sound card, the video display or monitor, and similar hardware
What technique do rootkits use to gain deeper access to a system?
DLL injection
What is DLL Injection?
Technique used to run arbitrary code within the address space of another process by forcing it to load a dynamic-link library
Why are rootkits difficult to detect?
The operating system is essentially blinded to them
What is the best way to detect rootkits?
Boot from an external device and scan the internal hard drive
What should be used to scan for rootkits when booting from an external device?
A good anti-malware scanning solution from a live boot Linux distribution
What is a backdoor?
Originally placed in computer programs to bypass the normal security and authentication functions.
Who most often places backdoors into systems?
Designers and programmers.
What is an Easter egg in programming?
A hidden feature or novelty within a program typically inserted by the software developers as an inside joke.
True or False: Easter eggs are always harmful to software.
False
What is a common issue associated with code in software?
Code often has significant vulnerabilities.
What are Logic Bombs?
Malicious code inserted into a program that executes only when certain conditions have been met
Logic bombs can be triggered by specific events, dates, or user actions.
What is a keylogger?
A piece of software or hardware that records every single keystroke made on a computer or mobile device
Keyloggers are often used for monitoring or malicious purposes.
What is spyware?
Malicious software that is designed to gather and send information about a user or organization without their knowledge
What is bloatware?
Any software that comes pre-installed on a new computer or smartphone that you, as the user, did not specifically request, want, or need
Bloatware can often take up valuable storage space and may slow down device performance.
What technique does most modern malware use to avoid detection?
Fileless techniques
Fileless malware operates in system memory instead of relying on the local file system.
What is Fileless Malware?
Malware that creates a process in system memory without using the local file system
This method helps evade detection by traditional security software.
What happens when a user clicks on a malicious link or file?
A stage one dropper or downloader is installed
This initiates the infection process.
Define Stage 1 Dropper or Downloader.
A piece of malware created as lightweight shellcode that can be executed on a system
It is critical in the initial stage of malware deployment.
What is a Dropper?
Specific malware designed to initiate or run other malware forms within a payload
The dropper is responsible for delivering the main malicious payload.
What is a Downloader?
Malware that retrieves additional tools after the initial infection facilitated by a dropper
Downloaders play a crucial role in expanding the malware’s capabilities.
What is Shellcode?
Lightweight code meant to execute an exploit on a given target
Shellcode is often used in various types of cyber attacks.
What occurs in Stage 2 of malware execution?
A downloader installs a remote access Trojan for command and control
This stage allows attackers to maintain control over the compromised system.
What does the ‘Actions on Objectives’ Phase entail?
Executing primary objectives like data exfiltration and file encryption
This phase is where attackers achieve their main goals.
What is Concealment in the context of malware?
Methods used to prolong unauthorized access by hiding tracks, erasing log files, and hiding evidence
Concealment techniques help attackers remain undetected.
What does ‘Living off the Land’ refer to?
A strategy in which threat actors exploit standard tools for intrusions
This tactic is common among Advanced Persistent Threats.