Malware Infections Flashcards
Threat Vector/Attack Vector
Threat Vector:
Method used by an attacker to access a victim’s machine
Attack Vector:
Method used by an attacker to gain access to a victim’s machine in order to infect it with malware
Watering Holes
Malware is placed on a website that you know your potential victims will access
Ex: DionTraining.com = correct
DionTranings.com = incorrect (potentially malicious)
Active Interception
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them
Privilege Escalation
Occurs when you are able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access
Backdoors & Logic Bombs
Backdoors are used to bypass normal security and authentication functions
Remote Access Trojan (RAT) is placed by an attacker to maintain persistent access
Logic Bomb
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met
Easter Egg
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature
Logic bombs and Easter eggs should not be used according to secure coding standards
Symptoms of Infection
Hard drives, files, or applications are not accessible anymore
Strange noises occur
Unusual error messages
Display looks strange
Jumbled printouts
Double file extensions are being displayed, such as textfile.txt.exe
New files and folders have been created or files and folders are missing/corrupted
System Restore will not function
Malware Removal
o Identify symptoms of a malware infection
o Quarantine the infected systems
o Disable System Restore (if using a Windows machine)
o Remediate the infected system
o Schedule automatic updates and scans
o Enable System Restore and create a new restore point
o Provide end user security awareness training
If a boot sector virus is suspected, reboot the computer from an external device and scan it
Preventing Malware
Viruses, worms, trojans, ransomware, spyware, rootkits, spam, worms, & trojans are best detected with anti-malware solutions
Scanners can detect a file containing a rootkit before it is installed…
Removal of a rootkit is difficult and the best plan is to reimage the machine
Verify your email servers aren’t configured as open mail relays or SMTP open relays
Remove email addresses from website
Use whitelists and blacklists
Train and educate end users
Exploit Technique
Describes the specific method by which malware code infects a target host
Most modern malware uses file-less techniques to avoid detection by signature-based security software
How does an APT use modern malware to operate?
Dropper or downloader
Maintain access
Strengthen access
Actions on objectives
Concealment
Dropper
Malware designed to install or run other types of malware embedded in a payload on an infected host
Downloader
A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper
Shellcode
Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
Code Injection
Exploit technique that runs malicious code with the identification number of a legitimate process:
Masquerading
DLL injection
DLL sideloading
Process hollowing
Droppers are likely to implement anti-forensics techniques to prevent detection and analysis
Living Off the Land
Exploit techniques that use standard system tools and packages to perform intrusions
Detection of an adversary is more difficult when they are executing malware code within standard tools and processes
Vulnerability Scans (Credentialed vs. Non-Credentialed)
Credentialed:
Require logging in with a given set of credentials
Conducted with a trusted user’s eye view of the environment
Uncover many vulnerabilities that non-credentialed scans may overlook
Non-credentialed:
Do not require credentials & do not get trusted access to the systems they are scanning
Tend to miss most vulnerabilities within a target environment