Module 6: Handling Malicious Code Incidents Flashcards
What is a virus
Small pieces of malicious code that attach themselves to files on computers and replicate themselves to spread and infect other files without the user’s knowledge or permission
How do viruses spread
Through email attachments, instant messages, downloads from the Internet, etc.
Viruses are generally characterized as
- File infectors (attached to programs or files)
- System or boot-record infectors (infect executable code)
- Macro viruses (infect the Word application)
What is a worm
A self-replicating computer program
How does a worm spread
Worms spread automatically by infecting one system after the other in a network, and even spreading further to other networks
TRUE or FALSE: A worm relies on a user’s action for execution
FALSE
What is a Trojan
Malicious programs masked as genuine, harmless programs
How does a Trojan work
Installs backdoors on the user’s system and allows the attacker unauthorized access
What is spyware
Software that gathers user information without the user’s knowledge
How does one generally start the preparation for preventing malware
Installing anti-virus software and backing up important data
What are the 10 steps to handling malware incidents
- Establish malicious code security policy
- Install antivirus software
- Check all downloaded files and email attachments for infection
- Check all the removable media such as USB, diskettes, etc.
- Users must be aware of malicious code issues
- Study the antivirus vendor bulletins
- Install host-based IDSs on critical hosts
- Collect malware incident analysis resources
- Acquire malware incident mitigation software
- Establish procedures for reporting malicious code incidents
TRUE or FALSE: A point of contact for reporting malicious code is needed
TRUE
How can spyware be prevented
Disabling a user’s web browser such that it prevents the installation of plug-ins
What is one way to help make sure users handle email attachments properly
Educate the users
.exe, .txt, .vbs, .htm are all examples of files that need to be what
Blocked due to malicious file extensions, especially on the email server and client
How might a user know if they have a virus
- Files are deleting, are corrupted, or inaccessible
- Computer runs slowly or crashes
- Sudden increase in emails and crashes
- Odd messages and graphics
How might a user know if they have a worm
- Increased network bandwidth
- Failed connections
- Programs running slowly or do not start
- System crashes
How might a user know if they have a Trojan
- IDS, firewall, and router alert on suspicious client-server connections
- Unknown processes being executed
- High amount of network traffic
- Programs running slowly or do not start
- System crashes
What are the steps in a malware containment strategy
- Disconnect infected hosts from the network & the network from the Internet
- Register malicious code with antivirus (submit a Sophos sample)
- Block emails & particular hosts
- Shut down email servers
- Solicit user participation
- Disable services
- Disable connectivity
What are the three techniques to identify the infected host
- Forensic Identification
- Active Identification
- Manual Identification
Why is it hard to find the original source of the malicious code
Malware can be transmitted automatically or accidentally by the infected users
Why is forensic identification more advantageous
Data is collected beforehand and the applicable data is simply extracted from the complete data set
What should a user do if the anti-malware software cannot disinfect infected files
The files need to be deleted or removed
What should a user do if the files are deleted by the malware
Restore the files through backups