Malware

Question 1

What kinds of malware needs a host program?

Answer 1

Trap Doors
Viruses
Trojan Horses
Logic Bombs
Browser extensions, plugins

Question 2

What kinds of malware do not need a host?

Answer 2

Worms
Botnets
APTs

Question 3

What is a trap door?

Answer 3

Contains a secret entry point that is activated by a special input or a specific user

Question 4

What is a logic bomb?

Answer 4

Malicious code embedded in the program that is set to go off when certain conditions are met

Question 5

What is a Trojan Horse?

Answer 5

Performs malicious activity while the host program is executing

Host program appears normal and doing what it is supposed to. Trojan does work in the background.

Question 6

What is a virus?

Answer 6

Malicious code that is spread by modifying an existing program
It finds and checks for uninfected programs before infecting them and using them to spread
Avoids detection by adjusting the size of itself once it has infected the host program

Question 7

What are the four stages of a virus?

Answer 7

Dormant
Propagation
Triggering
Execution

Question 8

Types of Viruses

Answer 8

• Parasitic (scans/infects programs)
• Memory-resident (disappears on reboot/resides in memory only)
• Boot sector (runs/spreads when system is booted)
• Polymorphic (encrypts part of virus using random key, alters the way it looks)

Question 9

What is a rootkit?

Answer 9

Modifies OS code and data structures
Resides in the OS
Intercepts system calls to hide user-level malware

Question 10

What is an internet worm?

Answer 10

Uses network connections to spread
Causes resource exhaustion due to repeated infections
Exploits security flaws, such as buffer overflow, trap doors, guessing passwords to gain access
Can accept shell commands
Bootstrap loads itself to the host machine and then fetches instructions
Hard to detect: loads in memory, encrypts itself, changes its name and process ID

Question 11

How do we prevent internet worms?

Answer 11

Prevention (limit connections to outside world via firewall)
Detection and identification
Removal

Question 12

What are the types of antivirus?

Answer 12

Simple scanners: checks for signatures
Heuristic scanners
Activity traps: honeypots
Full featured analysis: sandboxes

Question 13

What is a reflected amplification attack?

Answer 13

A bot sends multiple requests to NTP and floods packets to a victim it has spoofed

Question 14

What is a botnet?

Answer 14

Network of bots controlled by an attacker to perform a coordinated malicious activities
Needs a Command and Control to communicate

Question 15

What kind of attacks do botnets do?

Answer 15

Spam
Keylogging
Data/Identity Theft
DDoS attacks
Clickfraud
Phishing and Pharming

Question 16

What is an APT?

Answer 16

Advanced Persistent Threat
Zero day exploit or a specially crafted malware
Operates in a low and slow manner
Multiple deliberate steps over time

Question 17

What are the two types of malware analysis?

Answer 17

Static analysis (what to do if malware executes)
Dynamic analysis (what to do when malware executes)

Question 18

What is packing in malware obfuscation?

Answer 18

When parts of the malware are compressed, encrypted, or transformed

Code to unpack is included in the executable