P2L1: Malicious Software Flashcards
Types of malware: Needs a Host
trap doors, logic bombs, trojan horses, viruses, browser plug-ins, extensions, scripts
Types of malware: Independent
Worms, botnets, APT
Trap doors (or back doors)
Secret entry point to a program or system
Logic bomb
Embedded in some legitimate program
Trojan Horses
Hidden in an apparently useful host program
Virus
Infects a program by modifying it. Can self-copy.
4 Stages of a Virus
–Dormant phase: Program infected, but virus has not been triggered
–Propagation phase: Virus is being spread
–Triggering phase: When the host program is run, the virus is run.
–Execution phase: When the virus runs and performs malicious activities (also looks to spread)
Email attachment that, when opened, is sent to all people in the address book
virus
Keyboard app that logs user input and sends it to the attacker
trojan horse
Part of a program will only run if the computer is at the user's home.
Logic bomb
A login program with an undocumented option
trapdoor
Virus Structure
Virus code has to be physically inserted into the program code. The virus code runs first, then the original program. The virus code may also run last to do any clean-up. The program needs to run cleanly to avoid detection.
Types of viruses
–Parasitic virus: scan/infect programs
–Memory-resident virus: infect running programs
–Boot sector virus: runs when the system is booted
–Macro virus: executable program embedded in a word processing document; triggered when the doc is opened
–Polymorphic virus: encrypt part of the virus program using a randomly generated key
T/F: Any virus can be polymorphic
True
Rootkit
Resides in the OS. Modifies OS code and data structures. Can hide itself by manipulating the functions that list directory contents.
T/F: Linux, iOS, Windows, and Android have all been infected by rootkits
True
Rootkit facts
–All OSes can be affected
–Can modify hidden and read-only files
–Can spread in any form
–Cannot remain in memory after reboot, but since it is a part of the OS, it will return when the OS is restarted
–Rootkits cannot affect HW that does not have FW
–Rootkits are always malevolent
Worms
Use network connections to spread from system to system.
Malware Prevention and Detection
–Prevention: limit contact to the outside world
–Detection/Identification
–Removal
Prevention hampers productivity, so detection is preferred.
4 Generations of anti-virus software
–Simple scanners: use signatures of known viruses. Not effective against polymorphic viruses.
–Heuristic scanners: integrity checking (checksum). Can be defeated by compressing the file to have the same size as the pre-infection file.
–Activity traps: look for specific activities that malware performs. Not effective against newer malware.
–Full-featured analysis: state of the art. Host-based, network-based, and sandbox-based.
Why are signature-based anti-virus solutions still used?
–Efficient
–Effective against known malware
–Good first line of defense