Malware

Question 1

Major Infection Channels

Answer 1

2 biggest:

• spam email
• > send a lot of mails
• > targeted mails to specific person
• software exploration
• > venerability in Web browsers
• > untrusted media
• > files or software

Question 2

Ransomware

Answer 2

• generate local symmetric K_s
• encrypt all files with K_s
• encrypt K_s with public of attacker
• send K’ = asym_enc(K_s, pubkey) to remote server
• delete K_s from victim device

-> victims pays to get privkey - asymm_dec(K’, privkey)

Question 3

Banking Trojan

Answer 3

• steal money
  e. g.
• web site manipulation
• IAT Hooking
• > change jump address in Import Address Table(contains pointer to library)

Question 4

RATs / RAT Trojans

Answer 4

• > Remote Administration Tools

- essentials control computer remotely; search files controls mouse and keyboard, install applications

Question 5

Spambots

Answer 5

• spams, post twitter accounts, sells emails

Question 6

DDoS Bots

Answer 6

• floods a page with request or something like that

- server is overloaded -> not reachable anymore

Question 7

Fake AV (Fake Anti-Virus) / Scareware / Rogueware

Answer 7

• pretends to be fake anti virus or something like that user pay to remove

Question 8

Adware

Answer 8

• runs in background of compute rand clicks on adds

Question 9

Crypto-mining

Answer 9

• use CPU and energy cost of other computer to mine for yourself crypto

Question 10

Dialers

Answer 10

• call over phone premium numbers and make money of that

Question 11

Worms

Answer 11

• self spreading malware
• > infects system and searchs how to infect more systems
• > infections spreads faster then fixing bug

Question 12

Rootkits

Answer 12

• sits in system and hide from anti-virus software
• user mode:
• > inject malicious library
• > inject backdoor into processes
• kernel mode:
• > rewrite sys call tabels to point to malicious code

Question 13

Command & Control: Communication Protocols

Answer 13

• tries to hide communication
  -> blend into HTTPS traffic
  -> abuses DNS for exchanging data
  also possible on top of UDP/TCP
  -> easily detected

Question 14

C&C: Centralized Architectures

Answer 14

• one centralised server
• > bots connect down/upload

=> single point of failure

Question 15

C&C: Domain Generation Algorithms

Answer 15

• generate several domains where bots can communicate over

- if alg. leaked it’s over

Question 16

C&C: Peer-to-Peer (P2P) Botnets

Answer 16

-> bots make up network with
Structured:
- distributed hash table
- commando stored at ID
unstructured:
- no hash table
- command via broadcast