Questions from readings

Question 1

What is the difference between persistent and transient malware?

Answer 1

Persistent malware is stored somewhere like a file system, so rebooting the computer will not get rid of it. Transient malware is memory dependent and will disappear after rebooting.

Question 2

What is standalone malware?

Answer 2

A complete program that can run on its own, rather than a sequence of instructions that require a host program to run

Question 3

What is the opposite of auto-spreading malware?

Answer 3

Malware activated by user action

Question 4

What is the difference between static and dynamic malware?

Answer 4

Dynamic malware can be continuously updated by the attacker

Question 5

Polymorphism can be used to bypass what kind of detection technique?

Answer 5

Signature based detection

Question 6

Definition of botnet malware?

Answer 6

Any malware part of a botnet infrastructure that provides command-and-control

Question 7

What is a PUP?

Answer 7

A Potentially Unwanted Program is a piece of code downloaded by the user as part of a useful program, such as a user downloads a game that comes with adware that collects user data

Question 8

What are the characteristics of APT?

Answer 8

The are persistent, receive updates from the attacker and are quiet. All of these factors are necessary for the APT to have a long lifespan

Question 9

What does static analysis of malware involve?

Answer 9

Examining the code of the malware without actually executing it - this is of limited use since behaviour will change during runtime

Question 10

What does dynamic analysis of malware involve?

Answer 10

Examining the behaviour of malware during runtime - might miss behaviour not triggered by input

Question 11

What is fuzzing?

Answer 11

Method for discovering vulnerabilities by feeding randomised inputs to programs

Question 12

Given the safety and live-environment requirements of malware analysis, analysis environments are usually constructed using what?

Answer 12

Virtualisation technologies

Question 13

What is the most common code obfuscation technique?

Answer 13

Packing

Question 14

What are heuristics?

Answer 14

Heuristic analysis helps identify threats that might evade traditional signature-based detection. It analyses patterns and behaviours.

Question 15

What is the most reliable way to detect packed malware?

Answer 15

Wait for it to unpack and execute and observe behaviour at runtime

Question 16

What is an example of a technique used to take down C&C domains?

Answer 16

Sinkholing

Question 17

What does a DNS fast-flux network do?

Answer 17

It points the C&C domain names to a large pool of compromised machines, used in combination with DGAs (Domain-name Generated Algorithms)

Question 18

What are cyber-dependent crimes?

Answer 18

Crimes that can only be committed with the use of computer/technology devices

Question 19

What is an example of interpersonal cybercrime?

Answer 19

Doxing

Question 20

What is one of the most common types of cybercrimes perpetrated by organised criminals?

Answer 20

Advance fee fraud: scams involving Nigerian princes with inheritances but also romance scams

Question 21

What is financial malware?

Answer 21

Installing malware on victims’ computers and steal financial credentials

Question 22

What is cryptojacking?

Answer 22

Adding scripts to webpages and have visitors mine cryptocurrencies

Question 23

What are the two key differences between attacks by financially motivated groups and state actors?

Answer 23

-Commodity cybercrime needs as many victims as possible and therefore needs to be as general as possible, whereas state-sponsored attacks usually have well-defined victims
-Commodity cybercrime needs to be fast, state-sponsored attacks do not

Question 24

State-sponsored attacks fall into which three categories?

Answer 24

-Sabotage
-Espionage
-Disinformation

Question 25

Four examples of infection vectors?

Answer 25

-Malicious attachments
-Black hat search engine optimisation
-Drive by download attacks
-Compromising of internet connected devices