Section 3: Malware Infections Flashcards

1
Q

How does malware delivery happen?

A

Through
- software
- messaging & media
- botnet or zombies
- active interception (puts malware into your network, MITM)
- privilege escalation
- back doors
- logic bombs
Easiest delivery
- USB (physical access)

2
Q

What are the two Vectors a malware uses to access a machine?

A
  • Threat Vector
  • Attack Vector
3
Q

What is a Threat Vector?

A

It is the potential method an attacker can use to access a victim's machine.

  • unpatched software
  • installation from USB
  • phishing campaign

Remember house scenario
- no gate
- open window etc

4
Q

What is an Attack Vector?

A

It is the method an attacker uses to gain access to a victim's machine in order to infect it with malware

5
Q

What are the key differences between Threat Vector & Attack Vector?

A

Threat Vector - potential way to get to the machine
Attack Vector - the actual way you got into the machine and how you will infect it

6
Q

Common Delivery Methods of Malware Infections

A

Software, Messaging, Media

Software & Messaging
- email programs
- peer to peer networks (bit torrent)
- ftp servers

Media
- CD/DVD
- USB
- External HDD
- Tape backups
- Floppy Disks

7
Q

What is the Watering Hole concept?

A

When malware is placed on a website that you know your potential victims will access.

Social media - people always come back for more

8
Q

What is Typosquatting?

A

When an attacker purchases a similar domain, pretends that the website is legit by making it look like the real one, and infects it with malware

  • DionTraining.com
  • DionTraining(s).com

One is illegitimate, but if you do not pay attention you will think it's the same

9
Q

What is a Botnet?

A

Collection of compromised computers under the control of a master node

10
Q

What is a Zombie?

A

A single infected computer that is part of a botnet

11
Q

What is a master node in a Botnet?

A

It is the Command and Control (C2) computer that controls hundreds of thousands of infected computers

12
Q

What is a Pivot Point?

A

When an attacker uses your computer to make the attack look like it is coming from you rather than from their own system

  • Command & Control (C2) -> Zombie -> victim
  • can use zombies to host illegal files such as CP
  • can use zombies to spam people and send out phishing campaigns
  • DDoS (most common)
13
Q

What is a DDoS?

A

Distributed Denial of Service

  • sending requests/packets to overload a server and make it slow or crash it making it inaccessible to users/customers
14
Q

What is a common use of Botnets now?

A

To earn money. Bitcoin/crypto mining, which is processor intensive

15
Q

What are Botnets great for?

A

Processor intensive functions & activities

  • crypto mining
  • breaking encryption

16
Q

What is an Active Interception?

A

When a computer is placed in between the sender and receiver, resulting in capturing and/or modifying the traffic between them

17
Q

What is Privilege Escalation?

A

When you use a design flaw exploit or a bug in a system to gain access to resources that a normal user isn't able to access

  • Going from a regular user to an admin
18
Q

What is a Backdoor?

A

It is a piece of software/code that lets you bypass normal security and authentication functions

  • bad security practice
  • breach of good secure coding practices
19
Q

What is something that acts like a backdoor?

A

Remote Access Trojan (RAT)

  • gives persistent access
20
Q

What is an Easter Egg?

A

Non-malicious code that, when invoked, displays an insider joke, hidden message or secret feature

  • harmless
  • additional code which could have additional vulnerabilities
21
Q

What is a Logic Bomb?

A

Malicious code that has been inserted inside a program and will execute only when certain conditions have been met

  • an employee plants this code inside a server's code so that it deletes everything if he is removed from payroll

22
Q

What do the Secure Coding Standards say about Easter Eggs and Logic Bombs?

A

They should not be used!

23
Q

What are some symptoms of an infected system?

A
  • Slow (worms use network & processor resources to spread and replicate)
  • PC locking up/crashing/BSOD
  • restarting/crashing
  • Hard drives & files are not accessible anymore
  • strange noises
  • unusual error messages
  • Display looks strange
  • Jumbled printouts
24
Q

What are double file extensions such as textfile.txt.exe a sign of?

A

Malware infection

25
Q

What is an Antivirus not running a sign of?

A

Malware Infection

26
Q

What are new files and folders appearing, or files and folders missing/corrupted, a sign of?

A

Malware infection

27
Q

What is System Restore not functioning a sign of?

A

Malware infection

28
Q

What to do if your computer acts strangely due to an infection?

A
  1. Boot up in safe mode
  2. boot up from an external hard drive and then scan your computer with an AV (to find boot sector viruses & rootkits)

29
Q

What are the steps to identifying if you are infected?

A
  1. Scan your computer
  2. Have a healthy backup
  3. Steps after you find out you are infected

a. Identify symptoms of malware infection
b. Quarantine infected systems
c. Disable System Restore (if using Windows)
d. Remediate the infected system
e. Schedule automatic updates & scans
f. Enable System Restore and create a new clean restore point
g. Provide end user security awareness training

30
Q

How to quarantine an infected system?

A
  1. Prevent communication with other systems
  2. Turn off network card/unplug network cable

31
Q

Why should you disable System Restore if you are infected?

A

Stop Windows from making snapshots of the infected machine

32
Q

How do you remediate an infected system?

A
  1. Update AV & Anti-malware software so that you can use its scanning capabilities, quarantine capabilities, and removal techniques
  2. Boot up in safe mode and then use AV
    - this makes sure the infected file is not in use

33
Q

Should you schedule automatic updates and scans after you remediate an infected machine?

A

Absolutely

34
Q

Should you re-enable System Restore and create a new restore point after you remediate an infected machine?

A

Yes!

35
Q

What is the final step after remediating an infected machine to prevent this from happening again?

A

Provide end user security awareness training

36
Q

What should you do if a Boot Sector Virus is suspected?

A

Reboot the computer from an external device and scan it

OR

Remove the infected drive and install it onto a clean system as a secondary drive. Then scan it

37
Q

How to prevent malware infections?

A
  • Use of included AV with OS
  • 3rd party AV
  • Patch system and update regularly
  • Host based Firewall to block outside connections
  • Use encrypted websites (SSL certificates)
  • Security settings when browsing should be set to "Non Trusting Method"

38
Q

What are Worms, Trojans, and Ransomware best detected with?

A

Anti-Malware solutions

39
Q

How is Spyware detected?

A

Anti-Spyware solution

40
Q

How can you tell if you are infected with Spyware?

A
  • popups
  • different homepage on browser than usual

41
Q

How can you detect a rootkit?

A

Boot from an external device and scan the infected system

42
Q

How can you remove a rootkit?

A

Reimage the machine

43
Q

Can scanners detect a file containing a rootkit before it is installed?

A

Yes

44
Q

How can you prevent Spam Relay?

A

Verify your email servers are not configured as Open Mail Relays:

  • SMTP open relay is disabled

45
Q

How can you prevent Spam?

A
  • Remove email addresses from websites
  • Use whitelists and blacklists
  • Train and educate end users

46
Q

What are some Malware protection best practices?

A
  1. Update your anti-malware automatically and scan your computer
  2. Update and patch the OS and applications regularly
  3. Educate and train end users on safe internet surfing practices

47
Q

What is an Exploit Technique?

A

Method by which malware code infects a target host

  • modern malware uses fileless techniques to avoid detection by signature-based security software

48
Q

What is a Fileless Malware?

A

Malware executed directly by a script or small piece of shellcode that creates a process in system memory without having to use the local file system

  • APTs use these

49
Q

What are the 5 steps of an attack?

A
  1. Dropper or Downloader
  2. Maintain Access
  3. Strengthen Access
  4. Actions on Objectives
  5. Concealment

50
Q

How can an attacker maintain access?

A
  1. Install a second-stage downloader
  2. the downloader can then download a RAT
  3. gain C2 (Command & Control) over the machine

51
Q

How can an attacker strengthen their access?

A

By identifying and infecting other systems of higher value

  • servers & domain controllers
  • lateral movement to gain additional privileges and additional footprint

52
Q

What are some Actions on Objectives?

A
  • copying & stealing files
  • encrypting

53
Q

How can an attacker use Concealment to their advantage?

A

By maintaining their tool access but covering their tracks

  • deleting log files

54
Q

What is a Dropper?

A

Malware designed to install or run other types of malware embedded in a payload on an infected host.

A bundled dropper installs the malicious downloader or malware and then runs the legit utility.

  • stage one code: once it runs, it gets a downloader to fetch the rest of the malware

55
Q

What is a Downloader?

A

A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper

56
Q

What is a shellcode? (in Security+ exam)

A

Lightweight (small) code designed to run an exploit on the target, which may include any type of code format, from scripting languages to binary code

  • small piece of code used as the payload in the exploitation of a software vulnerability

57
Q

What is a Code Injection?

A

Exploit technique that runs malicious code with the identification number (UID) of a legitimate process

58
Q

What are some other Code Injection techniques?

A

Masquerading - dropper replaces a genuine exe with a malicious one

DLL Injection - dropper forces a process to load a DLL containing malicious code, which then executes

DLL Sideloading - dropper exploits a vulnerability in a legitimate program's manifest to load a malicious DLL at runtime

Process hollowing - dropper starts a process in a suspended state and then rewrites the memory locations containing the process code with the malware code

59
Q

What are some anti-forensic techniques droppers can implement to prevent detection and analysis?

A
  • Encrypting payload
  • Compressing payload
  • Obfuscating payload

60
Q

What does Living Off the Land mean?

A

Exploit technique that uses standard system tools and packages to perform intrusions

  • pen tester uses PowerShell
  • bash scripting in Linux

These can be used in a malicious way, but it is difficult to detect.

61
Q

Why is Living Off the Land more difficult to detect?

A

Because you are using the machine's own tools to attack it. No foreign tools. (using standard tools and processes)

  • executing malware code within standard tools and processes