Malware Flashcards
What are the TWO components that every piece of malware has?
1) Propagation Mechanism
2) Payload
Describe what the “propagation mechanism” component of malware is
How malware spreads from one system to another.
Describe what the “payload” component of malware is.
The malicious action that the malware performs.
What are the defining characteristics of a VIRUS?
It spreads from system to system based on some type of user action.
Examples: Opening e-mail attachments, clicking on a link to a malicious website, inserting infected USB into workstation.
What is the best way to defend against a VIRUS?
User education.
What are the defining characteristics of a WORM?
They spread from system to system without any user interaction. They reach out and exploit system vulnerabilities, infecting systems without the user doing anything. Once a worm has infected a system, it uses that system as a new base for spreading to other parts of the local area network, or the broader intranet.
What is the best way to defend against a WORM?
The best way to defend against worms is keeping systems updated with the most recent operating system and application patches. This is because they require vulnerable systems to spread.
What are the defining characteristics of a TROJAN?
They pretend to be legitimate pieces of software that a user might want to download and install. When the user runs the program, it does perform as expected, however the Trojan horse also carries a malicious hidden payload that performs some unwanted action behind the scenes.
What is the best way to defend against a TROJAN?
Application control.
What are the defining characteristics of REMOTE ACCESS TROJANS (RATs)?
They are a special class of Trojan horse that serve a specific purpose. They provide hackers with the ability to remotely access and control infected systems.
What is application control?
Limiting the software that may run on systems to titles and versions specifically approved by the administrators.
Main characteristics of VIRUSES, WORMS, and TROJANS.
VIRUS - Spreads between systems after a user action.
WORM - Self replicating.
TROJAN - Pose as legitimate software with a hidden malicious effect.
What are the three different types of malware payloads?
Adware, Spyware, and Ransomware
Describe the ADWARE payload.
Malware used for the purpose of displaying advertisements, but instead of generating revenue for the content owner, the revenue goes to the malware author.
What are the mechanisms of ADWARE?
- Changing the default search engine
- Displaying pop-up advertisements
- Replacing legitimate ads on websites with ones that benefit the malware author
Describe the SPYWARE payload.
Malware that gathers user info without their knowledge or consent and then reports it back to the malware author to use.
Examples: Identity theft, access to financial accounts, espionage.
Different techniques of SPYWARE.
- Keystroke loggers
+ Captures every key a user presses - Web browser monitoring
+ Used to target advertising to the user or report on user activity - Search hard drive and/or cloud storage
+ Seeks out sensitive info like social security numbers to be used in identity theft
Describe the RANSOMWARE payload.
Blocks the use of a computer or data until a ransom is paid, most commonly by encrypting files and selling the key for ransom.
What are the top 3 methods for preventing malware on a computer or system?
1) Installing and keeping an up to date anti-malware software
2) Installing security patches as early as possible
3) Educating end users on the dangers of malware
What makes BACKDOORS and LOGIC BOMBS different than other types of malware?
Instead of being independent programs used to deliver a malicious payload, they are pieces of code inserted into other applications with malicious intent.
What is a BACKDOOR?
When a programmer provides a means to grant themselves or others future access to a system, usually with benevolent purposes.
What are some common occurrences that create a BACKDOOR?
- Hard-coded accounts with a specific username and password that will always grant access to the system
- Default passwords a user may not remember to change
- Unknown access channels, where there’s a way to gain access to a system without going through the normal authentication process.
What is a LOGIC BOMB?
Malware that is set to execute a payload when certain conditions are met.
Examples: When a specific time and date occurs, the contents in a file contain certain information, or the results of an API call.
What are 3 examples of advanced malware concepts?
Rootkits, polymorphism, and armored viruses.
What is the root account?
Special superuser account on a system that provides unrestricted access to system resources and is normally reserved for system administrators.
What is the current definition of a ROOTKIT?
A software technique that is designed to hide other software on a system.
What were ROOTKITS originally designed for?
Privilege escalation.
What are the types of payloads that a ROOTKIT can deliver?
Backdoors, botnet agents, adware, or spyware.
What are some non-malicious examples of ROOTKIT usage?
Anti-theft mechanism, user mode rootkits, kernel mode rootkits
Whats the difference between a USER MODE ROOTKIT and a KERNEL MODE ROOTKIT?
User Mode Rootkit - Run with normal user privileges - Easy to write and difficult to detect Kernel Mode Rootkit - Run with system privileges - Difficult to write and easy to detect
What is SIGNATURE DETECTION in reference to anti-malware software?
The software recognizes viruses by maintaining a database of known virus patterns and then comparing suspected files to that database.
What is a POLYMORPHIC VIRUS?
Viruses that change themselves constantly. The virus will not look the same from one system to another due to using encryption and a different encryption key on each system they infect. and since the signature will not match, signature detection will not work.
What technique to antivirus researches use to help detect a POLYMORPHIC VIRUS?
Reverse engineering.
In reference to antivirus detection, describe the technique of REVERSE ENGINEERING.
When the programmers go deep into the virus in order to analyze the machine language or assembly code that make up its DNA.
What is an ARMORED VIRUS?
A virus that uses sophisticated techniques in order to avoid detection and prevent reverse engineering.
What are some techniques that ARMORED VIRUSES use to avoid detection?
Writing the virus in obfuscated assembly language that hides the codes true intent, blocking the use of system debuggers, and preventing the sandboxing technique, which can isolate the virus
In terms of computer security, what is a SANDBOX?
Security mechanism for separating running programs in an effort to mitigate system failures or software vulnerabilities from spreading.
What are the major characteristics of ROOTKITS, POLYMORPHIC VIRUSES, AND ARMORED VIRUSES?
ROOTKITS - Hide other software installed on the system
POLYMORPHIC VIRUS - Change themselves often to avoid detection by antivirus software
ARMORED VIRUS - Use sophisticated techniques to hide themselves from virus detection mechanisms.
What is a BOTNET?
A collection of zombie computers used for malicious purposes, or a network of infected systems.
What is a ZOMBIE computer?
A computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombies do not realize that they are being used in such a way.
How do hackers give orders to all the infected systems on the botnet?
Using indirect and redundant command and control mechanisms
Examples: Internet Relay Chat (IRC), Twitter accounts, peer-to-peer communication with the botnet itself
What are the 6 steps that lead to a system becoming part of a BOTNET?
1) System is infected with malware
2) The infected system becomes part of the botnet
3) The now infected system spreads the infection to other systems, increasing the size of the botnet.
4) The systems check in with the botnet owner through a command and control network in order to receive instructions
5) The infected systems then execute the instructions
6) After execution, the payload is delivered (Ex: delivering spam or conducting a DDoS attack)
What is a ZERO-DAY VULNERABILITY?
When a new vulnerability is discovered, but instead of sharing it with the vendor or the world, the researcher simply holds onto it and preserves the vulnerability as a secret weapon used to gain access to systems.
What is the WINDOW OF VULNERABILITY?
The time between when a new vulnerability is discovered and a patch is released for it.
What type of attacker is known to use attacks involving ZERO-DAY VULNERABILITIES?
Advanced Persistent Threats (APTs)
What is an Advanced Persistent Threat (APT)?
Highly skilled and well funded attackers, usually a military unit, government intelligence agency or other highly organized group carrying out a focused attack.
