MOD7: Malware Threats Flashcards

1
Q

What’s the difference between trojans and viruses?

A

Trojans - standalone programs disguised as (or hidden inside) legitimate software; they compromise the system they are run on and do not self-replicate.

Viruses - attach their code to other files, programs or boot sectors and self-replicate when the infected file is executed.

2
Q

What is malware?

A

Malicious software that damages or disables computer systems and gives the malware creator limited or full control over them, typically for the purpose of theft or fraud.

3
Q

List examples of malware.

A
Trojans
backdoors
rootkits
ransomware 
adware
viruses
worms 
spyware
botnets
crypters
4
Q

What 3 malware components are meant to make code undetected?

A

Crypter
Obfuscator
Packer

5
Q

What is a payload?

A

A piece of software that allows control over a computer system after it has been exploited.

6
Q

What are APTs?

A

Advanced Persistent Threats.
APTs are a type of network attack in which an attacker gains unauthorized access to a target network and remains undetected for a long period of time.
Their main objective is to steal sensitive information rather than to sabotage the organization or its network.

7
Q

What is a Trojan?

A

A program in which the malicious or harmful code is contained inside apparently harmless programming or data in such a way that the code can get control and cause damage.

8
Q

How do attackers use Trojans?

A
  • delete or replace critical OS files
  • generate fake traffic (e.g. click fraud, DDoS)
  • download additional malware, spyware or other malicious files
  • record keystrokes, screenshots, webcam or microphone input
  • create backdoors for persistent remote access
  • disable firewalls and antivirus software
  • steal personal information and credentials
  • encrypt data for extortion (ransomware)
9
Q

What ports does Emotet use?

A

20, 22, 80 and 443 (the ports listed in the course material; Emotet C2 has also been observed on other high ports, so port alone is not a reliable indicator).

10
Q

What port did WannaCry and Petya use?

A

TCP 445 (SMB). Both spread through the SMB service; WannaCry and the 2017 Petya/NotPetya variant used the EternalBlue SMBv1 exploit, which is why blocking 445 at the perimeter and disabling SMBv1 were the standard mitigations.

11
Q

Name types of Trojans.

A
Remote Access Trojan (RAT)
Backdoor Trojan
Botnet Trojan
Rootkit Trojan
E-banking Trojan
Point-of-Sale Trojan
Defacement Trojan
Service Protocol Trojan
Mobile Trojan
IoT Trojan
Security Software Disabler Trojan
Destructive Trojan
DDoS Attack Trojan
Command Shell Trojan
12
Q

Attackers use covert channels to deploy Trojans and hide their traffic inside an otherwise legitimate-looking protocol.
True/False.

A

True.
A covert channel tunnels the Trojan's command-and-control traffic inside a protocol the firewall already allows (HTTP/HTTPS, DNS, ICMP), so the traffic passes through without raising alerts. Attackers mostly employ covert channels to evade the firewalls and IDS deployed in the target network.

13
Q

Traffic on port 443 is encrypted.

True/False.

A

True, in the sense the course intends: 443 is the well-known port for HTTPS, so traffic on it is normally protected by TLS.
Strictly speaking a port is not encrypted, the protocol is. Nothing prevents cleartext or custom malware C2 from being sent over 443, which is exactly why Trojans favour it: it is almost always allowed through the firewall and its contents cannot be inspected without TLS interception.

14
Q

Which one is a Trojan technique for evading antivirus software?

a) break the trojan file into multiple pieces and zip them as a single file.
b) always write your own trojan, and embed it into an application.
c) change the Trojan’s syntax (ex. convert an EXE to VB script, change .EXE extension to a known extension)
d) all of the above

A

d) all of the above

Note: the course's advice is never to reuse Trojans downloaded from the web, because antivirus signatures already detect them.

15
Q

What is an exploit kit?

A

A platform for delivering exploits and payloads such as Trojans, spyware, backdoors, bots and buffer-overflow scripts to the target system.
Exploit kits ship with pre-written exploit code and can be used by an attacker who is not an IT or security expert.

16
Q

What is a virus?

A

A virus is a self-replicating program that produces its own copy by attaching itself to another program, a computer boot sector or a document. Viruses are generally transmitted through file downloads, infected disks/flash drives and email attachments.

17
Q

Characteristics of viruses.

A
  • infects other programs
  • transform themselves
  • encrypt themselves
  • alter data
  • corrupt files and programs
  • self-replicate
18
Q

Purpose of creating viruses.

A
  • inflict damage on competitors
  • financial benefits
  • vandalism
  • play pranks
  • research projects
  • cyber terrorism
  • distribute political messages
  • damage networks or computers
  • gain remote access to a victim’s computer
19
Q

What is ransomware?

A

A type of malware that restricts access to the computer system’s files and folders and demands an online ransom payment to the malware creator(s) to remove the restrictions.

20
Q

Dharma is a type of ransomware.

True/False.

A

True.

Dharma is a ransomware family that is typically delivered through email campaigns.

21
Q

A virus can be created in two different ways:

  • Writing a virus Program
  • Using Virus Maker tools

True/False

A

True.

22
Q

What are computer worms?

A

Computer worms are malicious programs that independently replicate, execute and spread across network connections, consuming available computing resources without any human interaction.

Examples of worms: Bondat, Beapy (a cryptojacking worm that mines Monero). Note that Monero itself is a cryptocurrency, not a worm; the course lists it because of the mining worms that abuse it.

23
Q

How is a worm different than a virus?

A

A worm replicates on its own: it copies itself and consumes memory and bandwidth, but does not attach itself to other programs.

A worm spreads through the network by itself: it takes advantage of file or information transport features on the host (network shares, email, vulnerable services) and automatically propagates to other hosts, whereas a virus needs a user to run the infected file.

24
Q

What is fileless malware?

A

Aka non-malware.
It abuses legitimate software, applications and system tools already present on the host to carry out malicious activity, often exploiting an existing vulnerability to get started. It resides in RAM rather than on disk, which defeats file-based scanning, and it injects malicious code into running processes or interpreters such as Microsoft Word, Flash, Adobe PDF Reader, JavaScript engines and PowerShell.

25
Q

Reasons for using fileless malware in cyber attacks:

1) Stealthy in nature
2) Living-off-the-land
3) Trustworthy

True/False.

A

True.

1) Stealthy in nature - exploits legitimate system tools
2) Living-off-the-land - exploits default system tools
3) Trustworthy - uses tools that are frequently used and trusted

26
Q

What is sheep dip computer?

A

Sheep dipping refers to analysing suspect files, incoming messages, removable media, etc. for malware before they are allowed onto the production network.
A sheep dip computer is installed with port monitors, file monitors, network monitors and antivirus software, and connects to a network only under strictly controlled conditions.

27
Q

What is Malware Analysis?

A

Process of reverse engineering a specific piece of malware to determine the origin, functionality, and potential impact of a given type of malware.

28
Q

What are the 2 types of malware analysis?

A

1) Static malware analysis - aka code analysis. It involves examining the executable binary without executing it, to understand the malware and its purpose.
2) Dynamic malware analysis - aka behaviour analysis. It involves executing the malware in a controlled environment to learn how it interacts with the host system and what impact it has after infection.

  • It is recommended to do both static and dynamic analysis: static analysis shows what the code can do, dynamic analysis shows what it actually does.
29
Q

Static malware analysis techniques:

A
  1) File fingerprinting - compute hash values (MD5, SHA-1, SHA-256) for the binary so it can be tracked and looked up in threat-intelligence sources (tools: HashCalc, HashMyFiles, md5sums / sha256sum). Mimikatz is a credential-dumping tool, not a hashing tool.
  2) Local and online malware scanning - scan the binary with up-to-date local antivirus software and submit its hash (or the file) to an online multi-engine scanner such as VirusTotal. Cuckoo Sandbox is a dynamic-analysis sandbox rather than a static scanner.
  3) Performing string search - strings communicate information from the program to its user. Analyze the embedded readable text in the executable (URLs, IP addresses, file paths, registry keys, API names, error messages).
  4) Identifying packing/obfuscating methods - attackers use packers to compress, encrypt or otherwise transform the executable to avoid detection (PEiD identifies the packer or compiler of a Windows executable; unusual section names and very high section entropy are further hints).
  5) Finding portable executable (PE) information - use a tool such as PE Explorer to read the PE headers and resources: icons, menus, version info, compile timestamp, sections and entry point.
  6) Identifying file dependencies - programs need system DLLs to function. Inspect the PE import table, which lists the DLLs and functions the executable loads (kernel32.dll, advapi32.dll, ws2_32.dll, etc.); imports such as CreateRemoteThread or WriteProcessMemory hint at process injection (tool: Dependency Walker).
  7) Malware disassembly - disassemble the binary and analyze the assembly instructions with a disassembler such as IDA or Ghidra. ProcDump captures process memory dumps; it is not a disassembler.
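The first four techniques above (file fingerprinting, string search, packer identification and PE section information) in one script, as an added example that is not from the course or from any tool it names. It parses the PE section table by hand with `struct`, so it runs offline. The sample file, the packer section-name list and the 7.0 entropy threshold are assumptions constructed for the demo; the sample is a header-only PE layout, not a real executable.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Section names commonly left behind by packers/protectors (assumed list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", ".themida", ".vmp0", ".vmp1", ".MPRESS1"}


def file_hashes(data: bytes) -> dict:
    """File fingerprinting: MD5/SHA-1/SHA-256 of the whole binary."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII and UTF-16LE runs, like the 'strings' utility."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and measure each section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "offset": raw_ptr, "size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    return sections


def packing_indicators(sections: list) -> list:
    """Heuristics for identifying packing/obfuscation from the section table."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: section name used by a known packer")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']} > 7.0 (compressed/encrypted)")
    return hits


def analyze(data: bytes) -> dict:
    sections = pe_sections(data)
    return {"hashes": file_hashes(data), "strings": extract_strings(data),
            "sections": sections, "packing": packing_indicators(sections)}


def build_sample_pe() -> bytes:
    """Constructed minimal PE layout for the demo: DOS header, COFF header and
    section table only (no optional header, no code), so it cannot execute."""
    text = (b"http://example.invalid/gate.php\0\0" + b"CreateRemoteThread\0\0"
            + "C:\\Temp\\drop.exe".encode("utf-16le") + b"\0\0").ljust(0x200, b"\0")
    packed = bytes(range(256)) * 4  # uniform byte distribution: entropy exactly 8.0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)

    def section(name: bytes, raw_size: int, raw_ptr: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, raw_size, raw_ptr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = dos + coff + section(b".text", len(text), 0x200) + section(b"UPX1", len(packed), 0x400)
    return headers.ljust(0x200, b"\0") + text + packed


if __name__ == "__main__":
    report = analyze(build_sample_pe())
    for key in ("hashes", "sections", "packing"):
        print(key, report[key])
    print("strings", [s for s in report["strings"] if len(s) < 40])
```

The packed section yields only junk strings (one run of every printable byte), while the C2 URL, the `CreateRemoteThread` import name and the wide-character drop path come out of the unpacked section: a real sample that shows almost no meaningful strings plus a high-entropy section is itself a strong packing indicator, and the next step is to unpack or dump it from memory before disassembly.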
30
Q

In dynamic malware analysis, a safe environment such as a virtual machine or sandbox is required to prevent the malware from spreading.
True/False.

A

True.

In dynamic analysis the malware is executed on an isolated system to observe its behaviour after infection; the VM or sandbox should be snapshotted beforehand and kept off the production network.

31
Q

Dynamic analysis consists of 2 stages:
- system baselining
- host integrity monitoring
True / False.

A

True.

32
Q

dynamic malware analysis:

What’s system baselining?

A
  • refers to taking a snapshot of the system at the time the malware analysis began
  • the main purpose of system baselining is to identify significant changes from the baseline state.
  • the system baseline includes details of the file system, registry, open ports, network activity, etc.
33
Q

dynamic malware analysis:

What is host integrity monitoring?

A

Host integrity monitoring involves taking a snapshot of the system state using the same tools before and after analysis, to detect changes made to the entities residing on the system.

34
Q

dynamic malware analysis:

What does Host Integrity monitoring include?

A
  • port monitoring
  • process monitoring - shows real-time file system, registry and process/thread activity (Process Explorer, procexp, is like Task Manager on steroids; Process Monitor, procmon, records the individual operations).
  • registry monitoring - windows registry stores OS and program configuration details such as settings and options.
  • windows services monitoring
  • startup programs monitoring
  • event logs monitoring/analysis (ex. Splunk, SolarWinds Log & Event Manager)
  • installation monitoring
  • files and folders monitoring - malware programs normally modify sys files and folders after infecting a computer.
  • device drivers monitoring
  • network traffic monitoring / analysis (ex. Wireshark, SolarWinds NetFlow Traffic Analyzer).
  • DNS monitoring /resolution
  • API calls monitoring
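Cards 32 to 34 describe baselining and integrity monitoring as "snapshot, run the sample, snapshot again with the same tools, diff". The added example below (my code, not from the course) does exactly that for a file tree and for a listener table; the directory layout, file names and the port 4444 listener are a constructed scenario inside a temporary directory, not real system paths, and the same `diff_snapshots` works for any key-to-value inventory (registry values, services, startup entries).

```python
import hashlib
import os
import tempfile
from typing import Dict


def snapshot_tree(root: str) -> Dict[str, str]:
    """System baseline of a directory tree: relative path -> SHA-256 of contents."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """Host integrity check: what was added, removed or changed between two
    snapshots. Works for any key->value inventory (hashes, registry, listeners)."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def _write(path: str, content: str, mode: str = "w") -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed scenario (hypothetical paths and ports): baseline a fake
    system root and a listener table, simulate an infection, report the delta."""
    with tempfile.TemporaryDirectory() as root:
        hosts = os.path.join(root, "System32", "drivers", "etc", "hosts")
        _write(hosts, "127.0.0.1 localhost\n")
        _write(os.path.join(root, "notes.txt"), "clean\n")
        files_before = snapshot_tree(root)
        listeners_before = {"0.0.0.0:135": "svchost.exe", "0.0.0.0:445": "System"}

        # Simulated infection: hosts file edited to block AV updates, dropper
        # written into System32, a user file deleted, a new backdoor listener.
        _write(hosts, "0.0.0.0 update.av-vendor.invalid\n", mode="a")
        _write(os.path.join(root, "System32", "svchost32.exe"), "MZ-not-really")
        os.remove(os.path.join(root, "notes.txt"))
        listeners_after = {**listeners_before, "0.0.0.0:4444": "svchost32.exe"}

        return {
            "files": diff_snapshots(files_before, snapshot_tree(root)),
            "listeners": diff_snapshots(listeners_before, listeners_after),
        }


if __name__ == "__main__":
    for category, delta in demo().items():
        print(category, delta)
```

Hashing is what makes the file check trustworthy: a modification time can be reset by the malware, but a changed SHA-256 cannot be hidden without changing the content back. The same idea underlies the "integrity checking" detection method in card 36.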
35
Q

What port monitoring tool is useful for scanning suspicious ports and looks for any connection established to unknown / suspicious IP addresses?

A

netstat or TCPView
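As an added example (not from the course, and not TCPView's code), here is the check a port monitor performs, written against constructed `netstat -ano` output in Windows format: established connections are parsed, internal peers are ignored, and anything else is flagged if it is outside an allowlist or uses a remote port associated with attacker tooling. The sample lines, the internal ranges, the allowlist and the suspicious-port list are all assumptions for the demo.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed `netstat -ano` output for the demo (documentation IP ranges only).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     203.0.113.77:4444      ESTABLISHED     6120
  TCP    192.168.1.20:49822     10.0.0.5:443           ESTABLISHED     2240
  TCP    192.168.1.20:49830     198.51.100.9:443       ESTABLISHED     6120
  TCP    [::1]:49500            [::1]:135              ESTABLISHED     912
  UDP    0.0.0.0:5353           *:*                                    1880
"""

# Explicit internal ranges (RFC 1918 + loopback). Listed by hand rather than
# using ipaddress.is_private, which also treats the documentation ranges used
# in the sample as private and would hide them from the check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# Assumed allowlist: destinations this host is expected to reach (e.g. the proxy).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed list of remote ports that are common defaults for Metasploit/RAT tooling.
SUSPICIOUS_PORTS = {4444, 1337, 31337}


def split_endpoint(ep: str) -> Tuple[Optional[ipaddress._BaseAddress], Optional[int]]:
    """'1.2.3.4:80' or '[::1]:135' -> (address, port); '*:*' -> (None, None)."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]")
    if host in ("*", "") or port == "*":
        return None, None
    return ipaddress.ip_address(host), int(port)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano lines into records; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if proto == "TCP" else ""  # UDP rows have no State column
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(parts[-1])})
    return rows


def suspicious_connections(text: str) -> List[dict]:
    """Established TCP connections to external peers outside the allowlist or
    on a suspicious remote port, with the owning PID for follow-up in procexp."""
    findings = []
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        ip, port = split_endpoint(row["foreign"])
        if ip is None or any(ip in net for net in INTERNAL_NETS):
            continue  # internal peer: out of scope for this check
        reasons = []
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("external IP outside allowlist")
        if port in SUSPICIOUS_PORTS:
            reasons.append(f"remote port {port} is a common RAT/C2 default")
        if reasons:
            findings.append({"pid": row["pid"], "remote": row["foreign"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(SAMPLE_NETSTAT):
        print(f"PID {f['pid']} -> {f['remote']}: {'; '.join(f['reasons'])}")
```

PID 6120 shows up twice, once on 4444 and once on 443 to a different external host: that is the pattern of a Trojan with a fallback C2 channel on a port the firewall allows (card 13), and the PID is what you hand to Process Explorer to find the binary and its parent.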

36
Q

Virus Detection Methods:

1) scanning
2) integrity checking
3) interception
4) code emulation
5) heuristic analysis
6) all of the above

A

6) all of the above