Malware

Question 1

What are the TWO components that every piece of malware has?

Answer 1

1) Propagation Mechanism

2) Payload

Question 2

Describe what the “propagation mechanism” component of malware is

Answer 2

How malware spreads from one system to another.

Question 3

Describe what the “payload” component of malware is.

Answer 3

The malicious action that the malware performs.

Question 4

What are the defining characteristics of a VIRUS?

Answer 4

It spreads from system to system based on some type of user action.
Examples: Opening e-mail attachments, clicking on a link to a malicious website, inserting infected USB into workstation.

Question 5

What is the best way to defend against a VIRUS?

Answer 5

User education.

Question 6

What are the defining characteristics of a WORM?

Answer 6

They spread from system to system without any user interaction. They reach out and exploit system vulnerabilities, infecting systems without the user doing anything. Once a worm has infected a system, it uses that system as a new base for spreading to other parts of the local area network, or the broader intranet.

Question 7

What is the best way to defend against a WORM?

Answer 7

The best way to defend against worms is keeping systems updated with the most recent operating system and application patches. This is because they require vulnerable systems to spread.

Question 8

What are the defining characteristics of a TROJAN?

Answer 8

They pretend to be legitimate pieces of software that a user might want to download and install. When the user runs the program, it does perform as expected, however the Trojan horse also carries a malicious hidden payload that performs some unwanted action behind the scenes.

Question 9

What is the best way to defend against a TROJAN?

Answer 9

Application control.

Question 10

What are the defining characteristics of REMOTE ACCESS TROJANS (RATs)?

Answer 10

They are a special class of Trojan horse that serve a specific purpose. They provide hackers with the ability to remotely access and control infected systems.

Question 11

What is application control?

Answer 11

Limiting the software that may run on systems to titles and versions specifically approved by the administrators.

Question 12

Main characteristics of VIRUSES, WORMS, and TROJANS.

Answer 12

VIRUS - Spreads between systems after a user action.
WORM - Self replicating.
TROJAN - Pose as legitimate software with a hidden malicious effect.

Question 13

What are the three different types of malware payloads?

Answer 13

Adware, Spyware, and Ransomware

Question 14

Describe the ADWARE payload.

Answer 14

Malware used for the purpose of displaying advertisements, but instead of generating revenue for the content owner, the revenue goes to the malware author.

Question 15

What are the mechanisms of ADWARE?

Answer 15

• Changing the default search engine
• Displaying pop-up advertisements
• Replacing legitimate ads on websites with ones that benefit the malware author

Question 16

Describe the SPYWARE payload.

Answer 16

Malware that gathers user info without their knowledge or consent and then reports it back to the malware author to use.
Examples: Identity theft, access to financial accounts, espionage.

Question 17

Different techniques of SPYWARE.

Answer 17

• Keystroke loggers
  + Captures every key a user presses
• Web browser monitoring
  + Used to target advertising to the user or report on user activity
• Search hard drive and/or cloud storage
  + Seeks out sensitive info like social security numbers to be used in identity theft

Question 18

Describe the RANSOMWARE payload.

Answer 18

Blocks the use of a computer or data until a ransom is paid, most commonly by encrypting files and selling the key for ransom.

Question 19

What are the top 3 methods for preventing malware on a computer or system?

Answer 19

1) Installing and keeping an up to date anti-malware software
2) Installing security patches as early as possible
3) Educating end users on the dangers of malware

Question 20

What makes BACKDOORS and LOGIC BOMBS different than other types of malware?

Answer 20

Instead of being independent programs used to deliver a malicious payload, they are pieces of code inserted into other applications with malicious intent.

Question 21

What is a BACKDOOR?

Answer 21

When a programmer provides a means to grant themselves or others future access to a system, usually with benevolent purposes.

Question 22

What are some common occurrences that create a BACKDOOR?

Answer 22

• Hard-coded accounts with a specific username and password that will always grant access to the system
• Default passwords a user may not remember to change
• Unknown access channels, where there’s a way to gain access to a system without going through the normal authentication process.

Question 23

What is a LOGIC BOMB?

Answer 23

Malware that is set to execute a payload when certain conditions are met.
Examples: When a specific time and date occurs, the contents in a file contain certain information, or the results of an API call.

Question 24

What are 3 examples of advanced malware concepts?

Answer 24

Rootkits, polymorphism, and armored viruses.

Question 25

What is the root account?

Answer 25

Special superuser account on a system that provides unrestricted access to system resources and is normally reserved for system administrators.

Question 26

What is the current definition of a ROOTKIT?

Answer 26

A software technique that is designed to hide other software on a system.

Question 27

What were ROOTKITS originally designed for?

Answer 27

Privilege escalation.

Question 28

What are the types of payloads that a ROOTKIT can deliver?

Answer 28

Backdoors, botnet agents, adware, or spyware.

Question 29

What are some non-malicious examples of ROOTKIT usage?

Answer 29

Anti-theft mechanism, user mode rootkits, kernel mode rootkits

Question 30

Whats the difference between a USER MODE ROOTKIT and a KERNEL MODE ROOTKIT?

Answer 30

User Mode Rootkit
 - Run with normal user privileges
 - Easy to write and difficult to detect
Kernel Mode Rootkit
 - Run with system privileges
 - Difficult to write and easy to detect

Question 31

What is SIGNATURE DETECTION in reference to anti-malware software?

Answer 31

The software recognizes viruses by maintaining a database of known virus patterns and then comparing suspected files to that database.

Question 32

What is a POLYMORPHIC VIRUS?

Answer 32

Viruses that change themselves constantly. The virus will not look the same from one system to another due to using encryption and a different encryption key on each system they infect. and since the signature will not match, signature detection will not work.

Question 33

What technique to antivirus researches use to help detect a POLYMORPHIC VIRUS?

Answer 33

Reverse engineering.

Question 34

In reference to antivirus detection, describe the technique of REVERSE ENGINEERING.

Answer 34

When the programmers go deep into the virus in order to analyze the machine language or assembly code that make up its DNA.

Question 35

What is an ARMORED VIRUS?

Answer 35

A virus that uses sophisticated techniques in order to avoid detection and prevent reverse engineering.

Question 36

What are some techniques that ARMORED VIRUSES use to avoid detection?

Answer 36

Writing the virus in obfuscated assembly language that hides the codes true intent, blocking the use of system debuggers, and preventing the sandboxing technique, which can isolate the virus

Question 37

In terms of computer security, what is a SANDBOX?

Answer 37

Security mechanism for separating running programs in an effort to mitigate system failures or software vulnerabilities from spreading.

Question 38

What are the major characteristics of ROOTKITS, POLYMORPHIC VIRUSES, AND ARMORED VIRUSES?

Answer 38

ROOTKITS - Hide other software installed on the system
POLYMORPHIC VIRUS - Change themselves often to avoid detection by antivirus software
ARMORED VIRUS - Use sophisticated techniques to hide themselves from virus detection mechanisms.

Question 39

What is a BOTNET?

Answer 39

A collection of zombie computers used for malicious purposes, or a network of infected systems.

Question 40

What is a ZOMBIE computer?

Answer 40

A computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Most owners of zombies do not realize that they are being used in such a way.

Question 41

How do hackers give orders to all the infected systems on the botnet?

Answer 41

Using indirect and redundant command and control mechanisms

Examples: Internet Relay Chat (IRC), Twitter accounts, peer-to-peer communication with the botnet itself

Question 42

What are the 6 steps that lead to a system becoming part of a BOTNET?

Answer 42

1) System is infected with malware
2) The infected system becomes part of the botnet
3) The now infected system spreads the infection to other systems, increasing the size of the botnet.
4) The systems check in with the botnet owner through a command and control network in order to receive instructions
5) The infected systems then execute the instructions
6) After execution, the payload is delivered (Ex: delivering spam or conducting a DDoS attack)

Question 43

What is a ZERO-DAY VULNERABILITY?

Answer 43

When a new vulnerability is discovered, but instead of sharing it with the vendor or the world, the researcher simply holds onto it and preserves the vulnerability as a secret weapon used to gain access to systems.

Question 44

What is the WINDOW OF VULNERABILITY?

Answer 44

The time between when a new vulnerability is discovered and a patch is released for it.

Question 45

What type of attacker is known to use attacks involving ZERO-DAY VULNERABILITIES?

Answer 45

Advanced Persistent Threats (APTs)

Question 46

What is an Advanced Persistent Threat (APT)?

Answer 46

Highly skilled and well funded attackers, usually a military unit, government intelligence agency or other highly organized group carrying out a focused attack.