Malware Flashcards

1
Q

What are six motivations for writing malware?

A
  1. Fun
  2. To show something is possible
  3. Vandalism
  4. Steal information
  5. Control machines for DDoS or spam
  6. To make money
2
Q

What’s a payload?

A

What the malware does when triggered by an action, such as Windows starting up, a keylogger starting, or a timed shutdown.

3
Q

What’s another term for crimeware?

A

Toolkits

4
Q

Give three distinguishing features of a virus

A
  1. It reproduces its own code.
  2. It attaches itself to other files (a virus cannot survive by itself).
  3. It gets executed when the infected executable file is executed.
5
Q

What is the structure of a virus, and what does each component do?

A
  1. Infection mechanism: how a virus spreads or propagates, enabling it to replicate. Also known as ‘infection vector’
  2. Trigger: event/condition that determines when payload is activated. Also known as ‘logic bomb’
  3. Payload: what the virus does, besides spreading. May involve damage or benign but noticeable activity.
6
Q

During its lifetime, what four phases does a typical virus go through?

A
  1. Dormant: virus is idle and will eventually be activated by some event.
  2. Propagation: virus places a copy of itself into other programs or into certain system areas on the disk.
  3. Triggering: the virus is activated to perform the function for which it was intended; this can be caused by a variety of system events.
  4. Execution: function is performed.
7
Q

What’s a worm and how does it replicate itself? (Five ways)

A

A worm is a program that actively seeks out more machines to infect. Once activated, it may replicate and propagate again. It replicates through:

  1. Electronic mail / instant messaging
  2. Remote execution capability (reverse shell)
  3. Remote file access / transfer capability
  4. Remote login capability
8
Q

Give three distinguishing features of a bot

A

Easy to control remotely.

Implementation of different commands.

Infected machines are incorporated in large networks (botnets) that are controlled by the bot master.

9
Q

What is one advantage of Host-based Blocking Software over antivirus detection?

And what is one limitation?

A

Advantage: it can block suspicious software in real time.

Limitation: because the malicious code must run on the target machine before all its behaviours can be identified, it can cause harm before it’s been detected and blocked.

10
Q

Out of a bot, Command and Control server, a botnet and the botmaster, which is the weakest link?

A

The Command and Control server. It is a single point of failure, which is why real botnets don’t rely on a single Command and Control server.

11
Q

What’s a Trojan horse, and what are its three distinguishing features?

A

A Trojan is a class of malware that appears to perform a desirable function but also performs undisclosed malicious activities.

  1. Requires user to explicitly run the program.
  2. Unable to make copies of itself or self-replicate.
  3. Can be used to perform any kind of malicious activity.
12
Q

In general, what are the three lines of defence against DDoS attacks?

A
  1. Attack prevention and pre-emption (before the attack)
  2. Attack detection and filtering (during the attack)
  3. Attack source trace back and identification (during and after the attack)