Malware Types Flashcards

From Chapter 1: Indicators of Compromise & Malware Types

1
Q

What is a virus?

A

A program or piece of code that runs on your computer (w/out your knowledge), executed by some type of action (ex. clicking a link). It then attaches to other code and replicates.

2
Q

Classification: How does a Resident Virus live?

A

Resides in memory and stays active after the host program terminates. It loads each time the system starts and can infect other areas based on specific actions.

3
Q

Classification: How does a Nonresident Virus live?

A

Looks for targets locally and across the network once it’s executed. It infects the targets and then exits; it doesn’t stay active.

4
Q

Classification: How does a Boot Sector Virus live?

A

Placed in the 1st sector of the hard drive and loads into memory when the computer boots. Loads before the OS; more prevalent in the floppy disk era.

5
Q

Classification: How does a Macro Virus live?

A

Uses the macro language and executes when the document opens. It’s inserted into an MS Office doc and emailed to unsuspecting users.

6
Q

Characteristic: Program & File Infecting Virus

A

Virus infects executable program files and becomes active in memory. It will then seek out other files to infect (most common viruses are this type). Identified by its binary pattern (signature), similar to a fingerprint.

7
Q

Characteristic: Polymorphic Virus

A

Virus that avoids detection by changing its form or signature each time it’s executed. Each time it infects a new file or system, it changes its code. Difficult to detect by pattern/signature; heuristic-based scanning, which looks for the instructions running within a program, is used instead.

8
Q

Characteristic: Armored Virus

A

Virus that makes it difficult to detect or analyze its functions (metaphorical layer of armor). This type also tries to defeat heuristic countermeasures and uses mechanisms to prevent disassembly & debugging.

9
Q

Characteristic: Stealth Virus

A

This virus type resides in memory and will use various techniques to avoid detection. For example, it can temporarily remove itself from an infected file or mask a file’s size.

10
Q

Characteristic: Multipartite Virus

A

Virus that infects executable files and attacks the master boot record. The boot sector must be cleaned along with the infected files or the files can become infected again.

11
Q

What is a worm?

A

A worm is created to take advantage of a security hole in an application or OS. It finds other systems running the same software, then self-replicates to the new host. If it finds an Internet connection, it will replicate from one system to the next. Common methods of replicating: email, the network, the Internet.

12
Q

How are a virus and a worm different?

A

The main difference is that a worm replicates without a host file/user intervention.

13
Q

What is ransomware?

A

Ransomware involves an attacker that attempts to hold a user ransom, typically for monetary gain (via cryptocurrencies). It’s an evolved and more demanding form of “scareware”.

14
Q

Classification: What is crypto-malware?

A

Type of malware that is designed specifically to find valuable data on a system and encrypt it. Example: CryptoLocker. Encryption keys are generated after the data is encrypted and are stored on a command-and-control server. The user must pay the ransom to receive the key; if not, the ransomware threatens to delete the key. The key is needed to regain access.

15
Q

What is a Trojan horse?

A

Trojans are programs that trick users by disguising themselves as useful applications. Code hidden inside the application can attack and compromise the user’s system without their knowledge or consent. Example: collecting or sending data or causing the computer to malfunction.

16
Q

Classification: What is a backdoor Trojan?

A

AKA Remote Access Trojan (RAT). Backdoor Trojans take advantage of shortcut entry points, or backdoors, that software designers use for code evaluation and testing and then fail to close. RATs allow a remote attacker to take control of the targeted system.

17
Q

Classification: What is an infostealer Trojan?

A

Infostealer Trojans will try to steal information from the infected machine.

18
Q

Classification: What is a keylogger Trojan?

A

Keylogger Trojans monitor and send keystrokes typed from an infected machine.

19
Q

What is a rootkit?

A

A rootkit is a piece of software that can be installed and hidden on a computer. Its intent is to compromise the system and gain escalated privileges, such as admin rights. A rootkit is typically installed on a computer after the attacker first obtains user-level access. It then enables the attacker to gain root/privileged access to the computer and to compromise other machines on the network. Rootkits can be part of software packages, downloaded/installed by users, or installed through an unpatched vulnerability.

20
Q

What is a rootkit?

A

A rootkit is a piece of software that can be installed and hidden on a computer. Its intent is to compromise the system and gain escalated privileges, such as admin rights. They are difficult to detect with an antivirus since they usually run in the background. Check for memory processes, outbound communications, and newly installed programs.

21
Q

How does a rootkit work?

A

A rootkit is typically installed on a computer after the attacker first obtains user-level access. It then enables the attacker to gain root/privileged access to the computer and to compromise other machines on the network. Rootkits can be part of software packages, downloaded/installed by users, or installed through an unpatched vulnerability.

22
Q

What is a kernel rootkit?

A

Kernel rootkits modify the kernel component of an operating system. They can intercept system calls passed to the kernel and filter out queries generated by the rootkit. They can also use encryption on outbound communication and piggyback off commonly used ports without interrupting applications. This makes them invisible to admins and detection tools.

23
Q

How to remove a rootkit?

A

The actual rootkit and the malware used by the rootkit must both be removed. Since rootkits often change the Windows OS and cause it to function improperly, the only definitive way to remove the rootkit is to format the hard drive and reinstall the OS.

24
Q

What is a logic bomb?

A

A logic bomb (AKA slag code) is a virus or Trojan horse designed to launch malicious code when a specific event occurs or after a certain period of time. It’s typically planted by a disgruntled employee.

25
Q

What is a bot?

A

Short for robot, a bot is an automated computer program that does not require user interaction. Bots are controlled by outside sources and provide a spam/virus originator with a platform to propagate.

26
Q

How are bots created?

A

Bots can be created through an open port or unpatched vulnerability. Once in, a small program is left on the machine for future activation. It can be controlled by commands sent from the bot master.

27
Q

What is a botnet?

A

A botnet (sometimes called zombie army) is a large number of computers that forward transmissions to other computers on the Internet. A botnet can be programmed to launch DDoS attacks, distribute spam, or perform other malicious acts. Botnets are securely hidden (users may not know they are part of a botnet), so a botnet master can commit crimes while remaining undetected.

28
Q

What is spyware?

A

It is software that communicates info from a user’s system to another party without user consent. This can include monitoring user activity, such as keystrokes, and logging the data to send to the originator.

29
Q

What are some symptoms of spyware?

A

  • Slow running system, especially with Internet browsing
  • Windows desktop is slow to come up
  • Clicking links redirects to an unexpected site or the link doesn’t do anything
  • Browser home page has changed and doesn’t allow you to reset it
  • Web pages have automatically been added to your favorites without your knowledge

30
Q

What is adware?

A

Adware (advertising-supported software) is a form of spyware that gives advertisers a way to make online sales. Companies offer to place banner ads from advertisers in their products, and a portion of the banner revenue goes to the company. However, tracking software is also installed and reports user data & surfing habits to a remote location. Symptoms include a slow running computer and pop-up ads.