P2L2 Flashcards
what’s the goal of past malware?
fun and fame
what’s the goal of modern malware?
profit and political gain
modern malware is more sophisticated (T/F)
True
bots are also called zombies (T/F)
True
what is a botnet?
- a coordinated network of bots: compromised computers that the botmaster controls via C&C (command and control)
- key platform for most internet-based attacks and frauds
almost all spam is sent by botnets (T/F)
True
are botnets used for profit or for political activism?
Both
most common botnet DDoS attack
the attacker orders the bots to SYN flood the victim
amplified distributed reflective attack
a DDoS in which the attacker orders the bots to send DNS queries for a large TXT record with the source IP spoofed to the victim's address; the DNS servers then reflect their much larger responses onto the victim
an attacker doesn’t have to use his own computer in an attack (T/F)
True
the characteristics of DNS help mitigate the effect of a DDoS attack (T/F)
False. DNS actually amplifies a DDoS: queries go over UDP, so the source address can be spoofed, and a small query can trigger a response many times its size
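The size asymmetry behind the reflective attack, as an added example that is not part of the original flashcards. It builds a DNS TXT query and the matching response in wire format and measures how many bytes the reflector sends per byte the bot sent. The spoofed source address (what turns amplification into reflection) needs raw sockets and is not shown; the domain "example.com", the 4 KB TXT record and the transaction id are constructed placeholders.

```python
import struct

TYPE_TXT = 16   # DNS RR type for TXT
TYPE_OPT = 41   # EDNS0 pseudo-RR: lets a client advertise a UDP buffer larger than 512 bytes
CLASS_IN = 1

def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"

def build_txt_query(name: str, txid: int = 0x1234, edns_udp_size: int = 4096) -> bytes:
    """A TXT query as a bot would send it. The OPT record (edns_udp_size > 0) tells the
    server it may answer with up to edns_udp_size bytes in a single UDP datagram."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    msg = header + question
    if edns_udp_size:
        # OPT RR: root name, type 41, the "class" field carries the UDP payload size, TTL 0, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg

def build_txt_response(query: bytes, name: str, txt_strings: list, ttl: int = 300) -> bytes:
    """The server's answer: the question echoed back plus one TXT RR. TXT rdata is a series
    of <length><bytes> character-strings, each at most 255 bytes."""
    for s in txt_strings:
        if len(s) > 255:
            raise ValueError("TXT character-string longer than 255 bytes")
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; one answer
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = b"".join(bytes([len(s)]) + s for s in txt_strings)
    # 0xC00C is a compression pointer back to the owner name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the victim per byte the bot had to send."""
    return len(response) / len(query)

def demo() -> float:
    # Constructed scenario: the attacker parks a ~4 KB TXT record on a name all the bots query.
    name = "example.com"
    big_txt = [b"A" * 255] * 16
    query = build_txt_query(name)
    response = build_txt_response(query, name, big_txt)
    return amplification_factor(query, response)
```

A 40-byte query draws a 4137-byte reply here, a factor of about 100; without the OPT record the query is 29 bytes but the server would have to truncate the answer at 512 bytes, which is why amplification attacks advertise a large EDNS buffer.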
naive botnet C&C
spread bots and have them communicate directly back to the attacker
problems with naive botnet C&C
- not stealthy: if someone catches a bot, they can trace it back to the attacker
- not robust: only one method of communication, so blocking it cuts off the botnet
botnet C&C design considerations
- efficient and reliable
- stealthy
- resilient
bots require communication before an attack (T/F)
false
bots are less likely to be found if they use a custom communication protocol (T/F)
False. That will make them stand out
many botnets use DNS for C&C (T/F)
True
DNS is good for C&C because?
- DNS is always allowed: DNS is needed whenever a machine on the internet wants to talk to another machine, so it is rarely blocked
- using DNS won't make the bot stand out; its lookups blend in with normal traffic
how does the way bots look up their C&C domain differ from the way machines look up a web server?
- the C&C domain is looked up by far too many machines for a name that is unknown to Google search (nobody browses to it), whereas a popular web server's domain shows up in search results
how to detect a botnet C&C domain?
anomaly detection on DNS lookup patterns (many lookups for a domain no search engine knows). Then have the DynDNS provider map that domain to a sinkhole, so the bots connect to the defenders instead of the botmaster
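The detection and sinkhole steps above in code, as an added example that is not from the original flashcards or the course. The log records, the set of "search-indexed" names, the thresholds (five distinct clients, 80% of lookups inside one minute) and the sinkhole address 192.0.2.1 are all constructed assumptions; a real deployment would take lookup data from passive DNS and check search-engine presence against a real index.

```python
from collections import defaultdict

# Constructed passive-DNS style records: "epoch_seconds client_ip queried_domain".
SAMPLE_LOG = (
    # popular, search-indexed site: many clients, lookups spread across the day
    [f"{1700000000 + i * 1800} 10.0.1.{i} www.example.com" for i in range(1, 9)]
    # a one-off internal lookup from a single client
    + ["1700000900 10.0.1.3 intranet.corp.invalid"]
    # suspected C&C name on a dynamic-DNS host: many clients, one short burst, no search presence
    + [f"{1700003600 + i * 3} 10.0.2.{i} x7q3.ddns-host.invalid" for i in range(1, 9)]
)

# Stand-in for "does a search engine know this domain?" (constructed); real code would query an index.
SEARCH_INDEXED = {"www.example.com"}

SINKHOLE_IP = "192.0.2.1"  # TEST-NET-1 address standing in for the defenders' sinkhole (constructed)

def parse_log(lines):
    records = []
    for line in lines:
        ts, client, domain = line.split()
        records.append((int(ts), client, domain.lower().rstrip(".")))
    return records

def domain_features(records, window=60):
    """Per domain: distinct querying clients, and the largest share of its lookups that fall
    inside any `window`-second interval (bots acting on one command score near 1.0)."""
    by_domain = defaultdict(list)
    for ts, client, domain in records:
        by_domain[domain].append((ts, client))
    feats = {}
    for domain, hits in by_domain.items():
        times = sorted(t for t, _ in hits)
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        feats[domain] = {
            "clients": len({c for _, c in hits}),
            "burst": best / len(times),
            "indexed": domain in SEARCH_INDEXED,
        }
    return feats

def flag_c2_domains(feats, min_clients=5, min_burst=0.8):
    """Anomaly rule: many hosts resolve a name nobody browses to, and they do it in lockstep."""
    return sorted(d for d, f in feats.items()
                  if f["clients"] >= min_clients and f["burst"] >= min_burst and not f["indexed"])

def sinkhole(zone, flagged):
    """What the DynDNS provider does once told: point each flagged name at the sinkhole."""
    return {name: (SINKHOLE_IP if name in flagged else ip) for name, ip in zone.items()}

def demo():
    feats = domain_features(parse_log(SAMPLE_LOG))
    flagged = flag_c2_domains(feats)
    zone = {"x7q3.ddns-host.invalid": "203.0.113.9", "www.example.com": "198.51.100.7"}
    return flagged, sinkhole(zone, flagged)
```

Only the dynamic-DNS name is flagged: the popular site has just as many clients but is indexed and its lookups are spread out, and the internal name has a single client. The sinkhole then receives every bot's next check-in, which is how defenders enumerate the infected hosts.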
APTs are used for run-of-the-mill attacks and phishing (T/F)
False. They are used for high-value operations (like stealing designs)
spear phishing
phishing that targets specific individuals
an APT tries to infect as many machines as possible (T/F)
False. The whole purpose is to keep the footprint as small as possible
boy in the browser
malware that changes the victim's network routing (e.g., the hosts file or proxy settings) so traffic passes through the attacker, then removes itself
clickjacking
a web user unknowingly clicks on something other than what is portrayed (a hidden or overlaid element)
man in the browser
malware inside the browser modifies web pages (and the transactions they submit)
man in the middle
eavesdrops on traffic between two parties (and can alter it)
problem with malware static analysis
behaviors that depend on runtime state or input data cannot be determined by looking at the code alone
problem with malware dynamic analysis
only reveals the behavior of the runs that were observed; paths that were not exercised are missed, so it won't show the complete picture
analysis that looks at execution instruction by instruction
fine-grained (tracing)
a signature-based approach is effective against packed malware (T/F)
False: packing transforms the code bytes, so signatures for the original code no longer match the packed sample
we can use the unpacked code as a signature to detect malware (T/F)
false
the key to fine-grained-tracing-based universal unpacking algorithms
detecting the execution of code that is not in the static code model (memory that was written at runtime and is now being executed). That code is the unpacked part; dump it and apply the signature-based approach to it
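The unpacking idea above on a toy machine, as an added example that is not the course's unpacker or any real tool. It packs a constructed payload with a one-byte XOR key behind a decrypt-and-jump stub, traces the stub one instruction at a time while recording every written byte, and stops when the program counter lands on written memory outside the static code model; the dump taken at that moment is what the signature scanner is run over. The instruction set, the key 0x5A, the payload bytes and the signature are all constructed; a real unpacker does the same on x86 under an emulator or dynamic instrumentation.

```python
KEY = 0x5A
PAYLOAD_ADDR = 0x20
# Cleartext body of the "malicious" payload (constructed): NOP-like instructions, then HALT.
SIGNATURE = bytes([0x30, 0xAA, 0xBB, 0x30, 0xCC, 0xDD])
PAYLOAD = SIGNATURE + bytes([0xFF, 0x00, 0x00])

# Toy instruction set, fixed 3-byte encoding: opcode, operand a, operand b
OP_DEC, OP_JMP, OP_NOP, OP_HALT = 0x10, 0x2A, 0x30, 0xFF

def build_packed_image():
    """Packed sample: an unpacker stub at address 0 XOR-decrypts the payload in place, then
    jumps to it. Returns the image and the static code model: the addresses a disassembler
    reaches from the entry point (the encrypted payload is just data to it)."""
    stub = b"".join(bytes([OP_DEC, PAYLOAD_ADDR + i, KEY]) for i in range(len(PAYLOAD)))
    stub += bytes([OP_JMP, PAYLOAD_ADDR, 0])
    image = bytearray(64)
    image[:len(stub)] = stub
    packed = bytes(b ^ KEY for b in PAYLOAD)
    image[PAYLOAD_ADDR:PAYLOAD_ADDR + len(packed)] = packed
    return image, set(range(len(stub)))

def has_signature(blob) -> bool:
    return SIGNATURE in bytes(blob)

def trace_and_unpack(image, static_model, max_steps=10_000):
    """Fine-grained tracing: execute one instruction at a time, record every byte written,
    and stop the moment the PC lands on a written address that is not in the static model.
    That is code produced at runtime, i.e. the unpacked payload; return a dump of it."""
    mem = bytearray(image)   # trace on a copy so the caller's image is untouched
    written = set()
    pc = 0
    for _ in range(max_steps):
        if pc not in static_model and pc in written:
            end = pc
            while end in written:   # dump the contiguous run of runtime-written bytes
                end += 1
            return bytes(mem[pc:end])
        op, a, b = mem[pc], mem[pc + 1], mem[pc + 2]
        if op == OP_DEC:            # mem[a] ^= b : one byte of the payload decrypted in place
            mem[a] ^= b
            written.add(a)
            pc += 3
        elif op == OP_JMP:
            pc = a
        elif op == OP_NOP:
            pc += 3
        elif op == OP_HALT:
            return None             # finished without ever running runtime-written code
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")
    return None

def scan(image, static_model):
    """(signature found in the raw image, signature found in the dump produced by tracing)."""
    dump = trace_and_unpack(image, static_model)
    return has_signature(image), (dump is not None and has_signature(dump))
```

Scanning the packed image finds nothing, which is the flashcard's point about packed malware; scanning the dump taken when the written bytes start executing finds the signature. Because the trigger is "executing memory that was written at runtime" rather than knowledge of any particular packer, the same trace works whatever transformation the stub applies.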