Section 3 Flashcards

1
Q

There are two ways for malware to infect. What are they called?

A

Threat Vector
Attack Vector

2
Q

What is a threat vector?

A

Method used by an attacker to access a victim’s machine

3
Q

What is an attack vector?

A

Method used by an attacker to gain access to a victim’s machine in order
to infect it with malware

4
Q

Malware infections usually start where?

A

within software, messaging, and media

5
Q

What is a watering hole?

A

Malware is placed on a website that you know your potential victims will
access

6
Q

What is a botnet?

A

A collection of compromised computers under the control of a master node

7
Q

What is active interception?

A

Occurs when a computer is placed between the sender and receiver and
is able to capture or modify the traffic between them

8
Q

What is privilege escalation?

A

Occurs when you are able to exploit a design flaw or bug in a system to
gain access to resources that a normal user isn’t able to access

9
Q

____ are used to bypass normal security and authentication functions

A

Backdoors

10
Q

Backdoors are highly discouraged in the modern technology world; however, a kind of backdoor still in use is…?

A

A Remote Access Trojan (RAT), placed by an attacker to maintain persistent access

11
Q

What is a logic bomb?

A

A type of malicious code embedded in software that remains dormant until specific conditions are met.

12
Q

What is an Easter Egg?

A

Non-malicious code that, when invoked, displays an insider joke, hidden message, or secret feature

13
Q

True or False: Logic bombs and Easter eggs should not be used according to secure coding standards

A

True

14
Q

What are some symptoms of infection?

A

  • Hard drives, files, or applications are not accessible anymore
  • Strange noises occur
  • Unusual error messages
  • Display looks strange
  • Jumbled printouts
  • Double file extensions are being displayed, such as textfile.txt.exe
  • New files and folders have been created, or files and folders are missing/corrupted
  • System Restore will not function

15
Q

What are the ways that you can remove malware?

A

  • Identify symptoms of a malware infection
  • Quarantine the infected systems
  • Disable System Restore (if using a Windows machine)
  • Remediate the infected system
  • Schedule automatic updates and scans
  • Enable System Restore and create a new restore point
  • Provide end user security awareness training
  • If a boot sector virus is suspected, reboot the computer from an external device and scan it

16
Q

What is the best way to prevent a virus?

A

Anti-virus program like Norton or McAfee, or using your computer's Windows Defender from your operating system

Continue to apply service packs and updates from your operating system (patches)

Have a good host-based firewall

When surfing the internet, use encrypted websites

17
Q

The best way to detect worms, trojans and ransomware is…?

A

Using anti-malware solutions. Be sure to keep your anti-malware solution up to date and current, both for its definitions and its scanning engine.

18
Q

What is the best way to prevent spyware?

A

Anti-spyware product. There are third-party products you can buy but Windows Defender already has this capability built into it. Make sure your definitions are up to date when using this so it can scan and detect properly.

Additionally, when browsing the internet, make sure your browser security settings are set to a non-trusted method. This means you won't accept pop-ups or cookies.

19
Q

How do you prevent rootkits?

A

Scanners can detect a rootkit before it is installed

If the rootkit has already been installed, you will need to run a scan by booting from an external device. You most likely will want to reimage your machine.

20
Q

How do you prevent spam?

A

Verify your email servers aren't configured as open mail relays or SMTP open relays

Remove email addresses from your website

Use whitelists and blacklists

Train and educate end users

21
Q

What are the three best practices to remember when it comes to preventing malware?

A

  • Update your anti-malware software automatically and scan your computer
  • Update and patch the operating system and applications regularly
  • Educate and train end users on safe Internet surfing practices

22
Q

What is a malware exploit technique?

A

Describes the specific method by which malware code infects a target host

23
Q

Most modern malware uses ___ techniques to avoid detection by signature-based security software

A

fileless (Being fileless means that the malware is executed directly as a script or a small piece of shellcode that creates a process in system memory without having to use the local file system.)

24
Q

How does an APT use modern malware to operate?

A

Step 1: Dropper or Downloader - Now, a dropper is a specialized type of malware that's designed to install or run other types of malware embedded in a payload on an infected host. Usually, this will be a stage-one dropper; it's the code you first got. And once you get that code and run it, it's then going to go out and get some other code, and it uses a downloader to do that. Now, a downloader is a piece of code that connects to the Internet to retrieve additional tools after the initial infection happens by a dropper.

Step 2: Maintain Access -
Step 3: Strengthen Access -
Step 4: Actions on objectives -
Step 5: Concealment -

25
Q

What is a dropper?

A

Malware designed to install or run other types of malware embedded in a
payload on an infected host

26
Q

What is a downloader?

A

A piece of code that connects to the Internet to retrieve additional tools after the
initial infection by a dropper

27
Q

What is shellcode?

A

Any lightweight code designed to run an exploit on the target, which may include
any type of code format from scripting languages to binary code

28
Q

What is code injection?

A

Exploit technique that runs malicious code with the identification number of
a legitimate process

*** Code injection is an exploit technique that runs malicious code with the identification number of a legitimate process. So, when I go to install this code, you're going to notice that every process has a unique ID number with it. And so, if I have something that is allowed to run, like the Explorer for Windows, and I decide to run malware and make you think I'm running it as the Explorer for Windows, I can hide that malware by injecting the code into that. That's the idea of code injection.

29
Q

What are some code injection techniques?

A

  • Masquerading
  • DLL injection
  • DLL sideloading
  • Process hollowing

30
Q

How does masquerading code injection work?

A

Where your dropper is going to replace a genuine executable with a malicious one.

31
Q

How does DLL code injection work?

A

Where the dropper starts forcing a process to load as part of the DLL. So, it’s going to load the DLL in the executable malicious code.

32
Q

How does DLL sideloading work?

A

This is where the dropper is going to exploit a vulnerability in a legitimate program’s manifest to load a malicious DLL at runtime, and essentially you sideload by making it load this malicious thing.

33
Q

How does process hollowing work?

A

This is when a dropper starts a process in a suspended state, and then rewrites the memory locations containing the process code with the malware code. So, essentially, we’re taking over someplace in memory and putting our malicious code in there.

34
Q

Droppers are likely to implement ____ techniques to prevent detection and analysis

A

anti-forensics

When we talk about anti-forensic techniques, these are things like encrypting their payloads, compressing their payloads, or obfuscating their payloads.

35
Q

Exploit techniques that use standard system tools and packages to perform intrusions

A

Living off the Land

For instance, they might use something like this, which is PowerShell. PowerShell can be used to do all sorts of malicious activities. And so, what we can do is, when we break into a system as a pentester or as an attacker, we can actually use your own PowerShell against you. If I’m on a Linux system, I can’t use PowerShell, but I can use Bash scripting. And so, again, if I use the tools that are native to your operating system, I am now using tools that were already installed for your administrators. And I’m using them in a malicious way. But it’s going to be really hard for you to detect that because I’m living off the land. So, if you fall victim to an attacker who is used to living off the land, the detection of that adversary is going to be much more difficult because they’re executing malware code within those standard tools and processes. And that makes it really hard to detect, and it’s going to allow them to stay on your system a lot longer.

36
Q

What is APT?

A

An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.