Questions from readings Flashcards
What is the difference between persistent and transient malware?
Persistent malware is stored somewhere like a file system, so rebooting the computer will not get rid of it. Transient malware is memory-resident and will disappear after rebooting.
What is standalone malware?
A complete program that can run on its own, rather than a sequence of instructions that require a host program to run
What is the opposite of auto-spreading malware?
Malware activated by user action
What is the difference between static and dynamic malware?
Dynamic malware can be continuously updated by the attacker
Polymorphism can be used to bypass what kind of detection technique?
Signature based detection
Definition of botnet malware?
Any malware that is part of a botnet infrastructure providing command-and-control
What is a PUP?
A Potentially Unwanted Program is a piece of code downloaded by the user as part of a useful program; for example, a user downloads a game that comes bundled with adware that collects user data
What are the characteristics of APT?
They are persistent, receive updates from the attacker and are quiet. All of these factors are necessary for the APT to have a long lifespan
What does static analysis of malware involve?
Examining the code of the malware without actually executing it - this is of limited use since behaviour at runtime will differ from what the static code shows
What does dynamic analysis of malware involve?
Examining the behaviour of malware during runtime - might miss behaviour not triggered by input
What is fuzzing?
Method for discovering vulnerabilities by feeding randomised inputs to programs
Given the safety and live-environment requirements of malware analysis, analysis environments are usually constructed using what?
Virtualisation technologies
What is the most common code obfuscation technique?
Packing
What are heuristics?
Heuristic analysis helps identify threats that might evade traditional signature-based detection. It analyses patterns and behaviours.
What is the most reliable way to detect packed malware?
Wait for it to unpack and execute and observe behaviour at runtime
What is an example of a technique used to take down C&C domains?
Sinkholing
What does a DNS fast-flux network do?
It points the C&C domain names to a large pool of compromised machines, used in combination with DGAs (domain generation algorithms)
What are cyber-dependent crimes?
Crimes that can only be committed with the use of computer/technology devices
What is an example of interpersonal cybercrime?
Doxing
What is one of the most common types of cybercrimes perpetrated by organised criminals?
Advance fee fraud: scams such as the "Nigerian prince" inheritance scam, but also romance scams
What is financial malware?
Malware installed on victims' computers to steal financial credentials
What is cryptojacking?
Adding scripts to web pages that make visitors' browsers mine cryptocurrencies
What are the two key differences between attacks by financially motivated groups and state actors?
- Commodity cybercrime needs as many victims as possible and therefore needs to be as general as possible, whereas state-sponsored attacks usually have well-defined victims
- Commodity cybercrime needs to be fast, state-sponsored attacks do not
State-sponsored attacks fall into which three categories?
- Sabotage
- Espionage
- Disinformation
Four examples of infection vectors?
- Malicious attachments
- Black-hat search engine optimisation
- Drive-by download attacks
- Compromising internet-connected devices