Sec+ Chapter 03: Malicious Code

Question 1

RAT

Answer 1

Remote access Trojan

Attackers use these for remote access and monitoring of systems

Challenging to detect because legit tools can be used as RATs

Antimalware can return false positives, but you can’t turn detection off or you risk RATs

Question 2

Malware

Answer 2

Malicious software intentionally designed to harm systems, devices, networks, users, etc

Question 3

Ransomware

Answer 3

Malware that takes over a computer and demands a ransom

EX: Crypto malware that encrypts all files and only decrypts after you pay

Question 4

Ransomware defense

Answer 4

An effective backup system that stores files in a separate location, ideally one that won’t be impacted if the system, or device it’s backing up is infected and encrypted

Question 5

Trojan

Answer 5

Malware designed as legit software

Attackers rely on users running them to gain access into a system

Question 6

Trojan and RAT defense

Answer 6

Security awareness

Don’t dl untrusted software

Antimalware tools to detect behaviors and known files

Question 7

Worms

Answer 7

Malware that spreads itself without the need for user interaction

EX: Stuxnet

Question 8

Rootkit

Answer 8

Malware that allows attackers access to a system through a backdoor

Question 9

Rootkit defense

Answer 9

Test the suspected system from a trusted device

Integrity checking and data validation

Antirootkit tools

Constant backups, patch often, user secure configs

Once detected, you have to rebuild the system or restore from known good backup

Question 10

Backdoors

Answer 10

Provides access to bypass normal authentication and authorization procedure

Often used in conjunction with Trojans and rootkits

Question 11

Backdoor defese

Answer 11

Routine checks for open ports and services

Question 12

Bots

Answer 12

Remotely controlled systems or devices infected with malware

Question 13

Botnet

Answer 13

Groups of bots

Relies on HTTPS traffic to help hide C2 from monitoring and analysis

Question 14

C2 / C&C

Answer 14

Command and control

Systems that control bots and botnets

Usually client-server mode

Question 15

P2P botnet control

Answer 15

Connects bots directly to each other

Uses encrypted P2P traffic

Exceptionally difficult to identify and take down central server, C2 IPs, or domains

Question 16

Fast Flux DNS

Answer 16

Where botnets use many IPs to answer queries for one or more fully qualified DNS name

Frequent updates (fast flux) means hosts reg and dereg address every few min

Question 17

Bot and botnet detection

Answer 17

Use network traffic analysis systems (IDS, IPS)

ID underlying malware with antimalware

Take down domain name

Question 18

DDoS

Answer 18

Distributed Denial of Service

Attack often made through botnets, many devices to cause service to be unavailable

All bots send queries to overwhelm apps and services

Question 19

Botnet DDoS defense

Answer 19

SIEM systems to monitor for big increases in legit traffic

Monitor network traffic trends constantly

Behavioral analysis tools

Question 20

Keyloggers

Answer 20

Malware that captures keystrokes, mouse movement, touchscreen input, credit card swipes, etc

Question 21

Keylogger defense

Answer 21

Security awareness

Antimalware

Patch management

MFA / 2FA

Question 22

Logic bomb

Answer 22

Functions of code place inside programs that activate when certain conditions are met

Question 23

Fileless virus

Answer 23

Virus that spreads by spam email and malicious sites to exploit flaws in browsers and plugins

Once in, they inject into memory

Don’t require local file storage because they’re memory-resident

Question 24

Fileless virus defense

Answer 24

Update all browser plugins and software

Antimalware

IPS and reputation-based protection systems to avoid malicious sites

Question 25

Spyware

Answer 25

Malware designed to obtain info about an individual, org, or system

Reports findings back to central servers

EX: Browsing habits, installed software, webcam activity, etc

Question 26

Spyware defense

Answer 26

Antimalware

Security awareness

Question 27

PUP

Answer 27

Potentially unwanted program

Not very dangerous, more annoying

EX: Adware, browser toolbars, etc

Question 28

PUP defense

Answer 28

Antimalware

Limit what software can be installed

Security awareness

Question 29

PowerShell

Answer 29

Built in Windows scripting language

Takes normal cmd and extends function to manage almost every aspect of Windows OS

Popular target for attack because of its powerful capabilities

EX: remote and local execution, network access, exe from CLI, etc

Question 30

PowerShell hardening and defense

Answer 30

1) Constrained language mode: Limits sensitive ps1 commands

2) Window’s Defender Application Control or AppLocker: Validates scripts, limits modules and plugins

3) PowerShell logging

Question 31

VBA

Answer 31

Virtual basic for applications

Powerful programming language that interacts with the OS

MS Office macros written in VBA, used to be hit all the time but now disabled

Question 32

Adversarial AI

Answer 32

Growing field where attackers use AI for malicious purpose