P2L2: Modern Malware

Question 1

T/F: Modern malware is for fun and games

Answer 1

False. Modern malware is often for profit and political gains. It is technically sophisticated and based on the latest tech. It is designed for efficiency, robustness, and evasiveness.

Question 2

Botnet

Answer 2

Botnets are a network of bots (zombies) controlled by an attacker to carry out coordinated malicious attacks

Question 3

Examples of Attacks/Frauds by botnets

Answer 3

–Spam–DDOS–Click fraud–Phishing and Pharming–Keylogging and data/ID theft–Key/password cracking–Anonymized terrorist and criminal communication–Cheat in online games and polls

Question 4

Amplified Distributed Reflective Attacks

Answer 4

Attacker uses open recursive DNS servers, which are plentiful

Question 5

Why DDoS attack?

Answer 5

–Attacker does not need to use his own computer–So many computers involved in the attack, it is difficult to distinguish legitimate from malicious traffic

Question 6

Botnet Command and Control (C&C)

Answer 6

Botnet master needs C&C to control the bots

Question 7

C&C design

Answer 7

–Must be efficient and reliable–Stealthy–Resilient

Question 8

T/F: The botmasters prefer dynamic DNS servers

Answer 8

True: Because of the frequent change between domain name and IP address.

Question 9

Anomaly detection

Answer 9

The way the bots look up a domain suggest the domain is most likely used for C&C.

Question 10

What can be done when the anomaly is detected?

Answer 10

Map the domain name to a sinkhole

Question 11

What is the advantage of the sinkhole?

Answer 11

Researchers can discover where the bots are in the net.

Question 12

Advanced Persistent Threat (APT)

Answer 12

Advanced: Use special malwarePersistent: Long-term presence, multi-step, low-and-slowThreat: Data targeted is high valueTend to target specific organizations

Question 13

APT Lifecycle

Answer 13

–Define target–Research target infrastructure/employees–Test for detection–deployment–establish outbound connections–exfiltrate data–remain undetected–Repeat

Question 14

Zero-day exploit

Answer 14

Takes advantage of a previously unknown weakness or vulnerability in a system.

Question 15

Social Engineering

Answer 15

APTs are designed to fool even the most sophisticated of users.

Question 16

APT attacks

Answer 16

Boy in the middle–covertly changes a computer’s network routingClickjacking–web users unknowingly click on something that is not as it is portrayed.Man in the Browser–Modifies web pages covertlyMan in the middle–EavesdropsKeyloggers–covertly records keystrokes

Question 17

Malware analysis: Static Analysis

Answer 17

Attempts to understand what a malware instance would do if executed.

Question 18

Malware analysis: Dynamic Analysis

Answer 18

Attempts to understand what a program does when executed.

Question 19

Different granularities of analysis

Answer 19

Fine-grained: Looking at instruction by instructionCoarse-grained: looking at function calls

Question 20

Malware Obfuscation: Packing

Answer 20

A technique whereby parts or all of an executable file are compressed, encrypted or transformed in some fashion.

Question 21

T/F: Can use signatures to detect packing.

Answer 21

False: A number of legitimate programs use packing/unpacking