Malware Flashcards

1
Q

What is Malware?

A

Mal + software: software intentionally designed or deployed to have effects contrary to the best interests of one or more users, including potential damage to resources, devices, or other systems.

2
Q

What are ways malicious payloads cause damage?

A
  1. System disruption
  2. Defacement of a publicly visible service
  3. Destruction of data
  4. Crashing a system
  5. Stealing data (“exfiltration”)
  6. Hidden malicious services to send spam, etc.
  7. Setting up backdoor access to a system
3
Q

What are the 3 main categories of Malware payloads?

A
  • Virus
  • Worm
  • Trojan
4
Q

What is a Virus?

A
  1. Hides in stored code; propagates based on user action
  2. Malicious code or a program written to alter the way a computer operates
  3. Designed to spread from one computer to another
  4. Operates by inserting or attaching itself to a legitimate program or document that supports macros in order to execute its code
5
Q

What is a Worm?

A
  1. Hides in running code; propagates automatically; exploits vulnerabilities
  2. Typically uses the network to send copies of itself without any user intervention
  3. Tries to replicate itself onto other systems (self-replicating)
6
Q

What is a Trojan?

A
  1. Imitates legitimate software; typically propagated by the attacker
  2. Overt functionality -> the program works and appears to be normal
  3. Covert functionality -> the program violates the security policy
7
Q

What are types of Viruses?

A
  1. File infector virus
  2. Boot Sector virus
  3. Web scripting virus
  4. Browser hijacker
  5. Resident virus
  6. Polymorphic virus
  7. Macro virus
8
Q

What are 4 types of other malware?

A
  1. Spyware
  2. Adware
  3. Ransomware
  4. Rootkit
9
Q

What are the 5 types of Rootkit Malware?

A
  1. Hardware or Firmware Rootkit
  2. Boot-loader Rootkit
  3. Kernel Rootkit
  4. Application Rootkit
  5. Memory Rootkit
10
Q

What are the 4 Malware Infection Vectors?

A
  • Security defects in software
  • Insecure design or user error
  • Homogeneity
  • Over-privileged users and code
11
Q

What are the security defects in software?

A
  1. System security procedures
  2. Internal controls
  3. Bugs, errors, and mistakes in programs
  4. Backdoor vulnerabilities (hidden functions)
  5. Zero-day vulnerabilities
  6. CVE – Common Vulnerabilities and Exposures
12
Q

What are the infection vectors related to insecure design or user error?

A
  • Social engineering with a malicious link
13
Q

What are the malware infection vectors related to homogeneity?

A

When all computers in a network run the same operating system (MS Windows, Apple OS X), once one is exploited, a single worm can exploit them all.

14
Q

What are the issues with over-privilege as a malware infection vector?

A
  • Over-privileged user example: a normal user is allowed to install any software and make system changes.
  • Over-privileged code example: code executed by a user is allowed all the rights of that user. Commonly exploited by email-based malware.
15
Q

What was Stuxnet?

A
  • Discovered in 2010
  • Targeted a specific part of Iran’s nuclear infrastructure
  • Designed to circumvent protection mechanisms
  • Complex malware with rootkits, worms, detection, and a command and control module
  • Very high complexity requiring huge investment: 6+ man-years to develop
  • Developed by state actors
  • Zero-day exploits (4 different ones)
  • Windows rootkit
  • Programmable Logic Controller (PLC) rootkit (the first ever)
  • Antivirus evasion
16
Q

Why is malware detection hard?

A
  • Malware actively aims to evade detection
  • It is not clear what triggers malware
17
Q

What are the 2 types of malware analysis?

A
  • Static Analysis: Examine without running the malware
  • Dynamic Analysis: Run the malware and monitor its effect
18
Q

What are the evasion techniques used against malware analysis?

A
  • Packer: coders use packing with multiple layers to make analysis difficult
  • Process Hollowing: injecting malicious code into another process
  • Anti-Debug: if a debugger is detected, the malware changes its behaviour or terminates
  • Anti-VM: adds virtualization detection to the malware
19
Q

How does using a VM protect a malware engineer against possible security risks?

A
  • A VM allows the engineer to debug the malware live without it infecting the host computer.
  • Virtual machines are installed on top of a hypervisor; therefore the virtual machine does not share the host operating system and is isolated from the host kernel.
20
Q

What is a polymorphic virus?

A

A polymorphic virus is a complicated computer virus that affects data types and functions. It is a self-encrypted virus designed to avoid detection by a scanner. Upon infection, the polymorphic virus duplicates itself by creating usable, albeit slightly modified, copies of itself.

21
Q

What is a kernel in an operating system?

A

A kernel is the program (central module) at the core of the operating system that manages all processes and devices.