MOD7: Malware Threats Flashcards
What’s the difference between trojans and viruses?
Trojans - infect systems
Viruses - infect files
What is malware?
Malicious software that damages or disables computer systems and gives limited or full control of those systems to the malware creator for the purpose of theft or fraud.
List examples of malware.
Trojans, backdoors, rootkits, ransomware, adware, viruses, worms, spyware, botnets, crypters.
What 3 malware components are meant to make code undetected?
Crypter
Obfuscator
Packer
What is a payload?
A piece of software that allows control over a computer system after it has been exploited.
What are APTs?
Advanced Persistent Threats.
APTs are defined as a type of network attack in which an attacker gains unauthorized access to a target network and remains undetected for a long period of time.
Their main objective is to gain sensitive information rather than sabotaging the organization/network.
What is a Trojan?
A program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that the code can get control and cause damage.
How do hackers use Trojans?
- delete/replace the OS
- generate fake traffic
- download malware/spyware/malicious files
- record screenshots, etc.
- create backdoors to gain access
- disable firewalls/antivirus
- steal personal info
- encrypt data
What port does Emotet use?
20/22/80/443
What port did WannaCry and Petya use?
445
Name types of Trojans.
Remote Access Trojan (RAT), Backdoor Trojan, Botnet Trojan, Rootkit Trojan, E-banking Trojan, Point-of-Sale Trojan, Defacement Trojan, Service Protocol Trojan, Mobile Trojan, IoT Trojan, Security Software Disabler Trojan, Destructive Trojan, DDoS Attack Trojan, Command Shell Trojan.
Attackers use covert channels to deploy and hide malicious trojans in an undetectable protocol.
True/False.
True.
Covert channels operate on a tunneling method and are mostly employed by attackers to evade firewalls that are deployed in the target network.
Port 443 is encrypted.
True/False.
True.
Which one is a Trojan technique for evading antivirus software?
a) break the trojan file into multiple pieces and zip them as a single file.
b) always write your own trojan, and embed it into an application.
c) change the Trojan’s syntax (ex. convert an EXE to VB script, change .EXE extension to a known extension)
d) all of the above
d) all of the above
Note: never use Trojans from the web; antivirus detects them.
What is an exploit kit?
A platform to deliver exploits and payloads such as Trojans, spyware, backdoors, bots, and buffer overflow scripts to the target system.
Exploit kits come with pre-written exploit code and can be easily used by an attacker who is not an IT/security expert.
What is a virus?
A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector, or document. Viruses are generally transmitted through file downloads, infected disk/flash drives, and email attachments.
Characteristics of viruses:
- infect other programs
- transform themselves
- encrypt themselves
- alter data
- corrupt files and programs
- self-replicate
Purpose of creating viruses:
- inflict damage on competitors
- financial benefits
- vandalism
- play pranks
- research projects
- cyber terrorism
- distribute political messages
- damage networks or computers
- gain remote access to a victim’s computer
What is ransomware?
A type of malware that restricts access to the computer system’s files and folders and demands an online ransom payment to the malware creator(s) to remove the restrictions.
Dharma is a type of ransomware.
True/False.
True.
Dharma is ransomware distributed through email campaigns.
A virus can be created in two different ways:
- Writing a virus Program
- Using Virus Maker tools
True/False.
True.
What are computer worms?
Computer worms are malicious programs that independently replicate, execute, and spread across network connections, consuming available computing resources without human interaction.
Examples of worms: Monero, Bondat, Beapy.
How is a worm different than a virus?
A worm replicates on its own (it replicates itself and uses memory but cannot attach itself to other programs).
A worm spreads through the infected network (a worm takes advantage of file or information transport features on computer systems and spreads automatically through the infected network, whereas a virus does not).
What is fileless malware?
Also known as non-malware.
It infects legitimate software, applications, and other protocols existing on the system to perform various malicious activities. It leverages any existing vulnerabilities to infect the system and resides in RAM. It injects malicious code into running processes such as Microsoft Word, Flash, Adobe PDF Reader, JavaScript, and PowerShell.
Reasons for using fileless malware in cyber attacks:
1) Stealthy in nature
2) Living-off-the-land
3) Trustworthy
True/False.
True.
1) Stealthy in nature - exploits legitimate system tools
2) Living-off-the-land - exploits default system tools
3) Trustworthy - uses tools that are frequently used and trusted
What is a sheep dip computer?
Sheep dipping refers to the analysis of suspect files, incoming messages, etc., for malware.
A sheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions.
What is Malware Analysis?
The process of reverse engineering a specific piece of malware to determine the origin, functionality, and potential impact of a given type of malware.
What are the 2 types of malware analysis?
1) Static malware analysis - aka code analysis. It involves going through the executable binary code without executing it to gain a better understanding of the malware and its purpose.
2) Dynamic malware analysis - aka behaviour analysis. It involves executing the malware code to learn how it interacts with the host system and its impact on the system after infection.
- It is recommended to do both static and dynamic analysis to understand the functionality of the malware.
Static malware analysis techniques:
1) File fingerprinting - the process of computing the hash value for a given binary (Mimikatz, HashCalc, MD5sums, etc.)
2) Local and online malware scanning - scan the binary code locally using well-known and up-to-date antivirus software (ex. Cuckoo Sandbox, VirusTotal)
3) Performing string search - strings communicate info from the program to its user. Analyze the embedded strings of readable text within the program's executable file.
4) Identifying packing/obfuscating methods - attackers use packers to compress, encrypt, or modify a malware executable file to avoid detection (the PEiD tool can show details about Windows executable files).
5) Finding portable executable (PE) info - use a tool such as PE Explorer to read the metadata of a PE file and get info like icons, menus, version info, etc.
6) Identifying file dependencies - programs need to work with internal system files to function properly. Check the dynamically linked library (DLL) list in the malware executable file. Programs store the import and export functions in the kernel32.dll file.
7) Malware disassembly - disassemble the binary code and analyze the assembly code instructions. Use tools to reverse the machine code to assembly language (tools - ProcDump, IDA, etc.).
In dynamic malware analysis, a safe environment such as a virtual machine or sandbox is required to prevent the malware from spreading.
True/False.
True.
In dynamic analysis, the malware is executed on a system to understand its behaviour after an infection.
Dynamic analysis consists of 2 stages:
- system baselining
- host integrity monitoring
True / False.
True.
dynamic malware analysis:
What’s system baselining?
- refers to taking a snapshot of the system at the time the malware analysis begins
- the main purpose of system baselining is to identify significant changes from the baseline state
- the system baseline includes details of the file system, registry, open ports, network activity, etc.
dynamic malware analysis:
What is host integrity monitoring?
Host integrity monitoring involves taking a snapshot of the system state using the same tools before and after analysis, to detect changes made to the entities residing on the system.
dynamic malware analysis:
What does Host Integrity monitoring include?
- port monitoring
- process monitoring - shows real-time file system, registry, and process/thread activity (Process Explorer (procexp) can be used; it is like Task Manager on steroids).
- registry monitoring - the Windows registry stores OS and program configuration details such as settings and options.
- windows services monitoring
- startup programs monitoring
- event logs monitoring/analysis (ex. Splunk, SolarWinds Log & Event Manager)
- installation monitoring
- files and folders monitoring - malware programs normally modify system files and folders after infecting a computer.
- device drivers monitoring
- network traffic monitoring / analysis (ex. Wireshark, SolarWinds NetFlow Traffic Analyzer).
- DNS monitoring/resolution
- API calls monitoring
What port monitoring tool is useful for scanning suspicious ports and looking for any connections established to unknown/suspicious IP addresses?
netstat or TCPView
Virus Detection Methods:
1) scanning
2) integrity checking
3) interception
4) code emulation
5) heuristic analysis
6) all of the above
6) all of the above