Sec+ Chapter 03: Malicious Code Flashcards
RAT
Remote access Trojan
Attackers use these for remote access and monitoring of systems
Challenging to detect because legitimate tools can be used as RATs
Antimalware can return false positives, but you can't turn detection off or you risk missing RATs
Malware
Malicious software intentionally designed to harm systems, devices, networks, users, etc
Ransomware
Malware that takes over a computer and demands a ransom
EX: Crypto malware that encrypts all files and only decrypts after you pay
Ransomware defense
An effective backup system that stores files in a separate location, ideally one that won't be impacted if the system or device it backs up is infected and encrypted
Trojan
Malware disguised as legitimate software
Attackers rely on users running it to gain access to a system
Trojan and RAT defense
Security awareness
Don't download untrusted software
Antimalware tools to detect behaviors and known files
Worms
Malware that spreads itself without the need for user interaction
EX: Stuxnet
Rootkit
Malware that allows attackers access to a system through a backdoor
Rootkit defense
Test the suspected system from a trusted device
Integrity checking and data validation
Antirootkit tools
Constant backups, patch often, use secure configurations
Once detected, you have to rebuild the system or restore from known good backup
Backdoors
Provides access that bypasses normal authentication and authorization procedures
Often used in conjunction with Trojans and rootkits
Backdoor defense
Routine checks for open ports and services
Bots
Remotely controlled systems or devices infected with malware
Botnet
Groups of bots
Relies on HTTPS traffic to help hide C2 from monitoring and analysis
C2 / C&C
Command and control
Systems that control bots and botnets
Usually a client-server model
P2P botnet control
Connects bots directly to each other
Uses encrypted P2P traffic
Exceptionally difficult to identify and take down a central server, C2 IPs, or domains
Fast Flux DNS
Where botnets use many IPs to answer queries for one or more fully qualified DNS names
Frequent updates (fast flux) mean hosts register and deregister addresses every few minutes
Bot and botnet detection
Use network traffic analysis systems (IDS, IPS)
Identify the underlying malware with antimalware
Take down domain name
DDoS
Distributed Denial of Service
Attack often made through botnets, using many devices to make a service unavailable
All bots send queries to overwhelm apps and services
Botnet DDoS defense
SIEM systems to monitor for big increases in legit traffic
Monitor network traffic trends constantly
Behavioral analysis tools
Keyloggers
Malware that captures keystrokes, mouse movement, touchscreen input, credit card swipes, etc
Keylogger defense
Security awareness
Antimalware
Patch management
MFA / 2FA
Logic bomb
Functions or code placed inside programs that activate when certain conditions are met
Fileless virus
Virus that spreads via spam email and malicious sites, exploiting flaws in browsers and plugins
Once in, they inject into memory
Don’t require local file storage because they’re memory-resident
Fileless virus defense
Update all browser plugins and software
Antimalware
IPS and reputation-based protection systems to avoid malicious sites
Spyware
Malware designed to obtain info about an individual, org, or system
Reports findings back to central servers
EX: Browsing habits, installed software, webcam activity, etc
Spyware defense
Antimalware
Security awareness
PUP
Potentially unwanted program
Not very dangerous, more annoying
EX: Adware, browser toolbars, etc
PUP defense
Antimalware
Limit what software can be installed
Security awareness
PowerShell
Built in Windows scripting language
Takes the normal command line and extends its functionality to manage almost every aspect of the Windows OS
Popular target for attack because of its powerful capabilities
EX: remote and local execution, network access, running executables from the CLI, etc
PowerShell hardening and defense
1) Constrained language mode: Limits sensitive ps1 commands
2) Windows Defender Application Control or AppLocker: Validates scripts, limits modules and plugins
3) PowerShell logging
VBA
Visual Basic for Applications
Powerful programming language that interacts with the OS
MS Office macros are written in VBA; they used to be attacked all the time but are now disabled
Adversarial AI
Growing field where attackers use AI for malicious purposes