Threats, Vulnerabilities, Attacks Flashcards

1
Q

Worm

A
  • Malicious software, like a virus, but able to replicate itself without user
    interaction
    -> Worms self-replicate and spread without a user’s consent or action
    -> Worms can cause disruption to normal network traffic and computing
    activities
    -> Example
    • 2009: 9-15 million computers infected with Conficker
2
Q

Virus

A

*Malicious code that runs on a machine without the user’s knowledge and
infects the computer when executed

*Viruses require a user action in order to reproduce and spread

3
Q

Trojan Horse

A
  • Malicious software that is disguised as a piece of harmless or desirable software.
  • Trojans perform desired functions and malicious functions.
4
Q

RAT

A

Remote Access Trojan:

  • Provides the attacker with remote control of a victim computer and is the most commonly used type of Trojan.
5
Q

Ransomware

A
  • Malware that restricts access to a victim’s computer system until a ransom is received
  • Ransomware uses a vulnerability in your SW to gain access and then encrypts your files.

(Example: $17 million: SamSam cost the City of Atlanta)

6
Q

Spyware

A

Spyware is malware that secretly gathers information about the user without their consent.

*It captures keystrokes made by the victim and takes screenshots that are sent to the attacker

7
Q

Adware

A

Displays advertisements based upon its spying on you

8
Q

Grayware

A

Software that is neither benign nor malicious and tends to behave improperly without serious consequences

9
Q

Rootkits

A

A rootkit is SW designed to gain administrative-level control over a system without detection.

DLL injection is commonly used by rootkits to maintain their persistent control.

Rootkits are activated before the operating system boots and are difficult to detect.

10
Q

DLL

A

A type of Rootkit where malicious code is inserted into a running process on a Windows machine by taking advantage of Dynamic Link Libraries that are loaded at runtime.

11
Q

Driver Manipulation

A

A type of Rootkit attack that relies on compromising the kernel-mode device drivers that operate at a privileged or system level

*A shim is placed between two components to intercept calls and redirect them.

12
Q

Spam

A

Spam is activity that abuses electronic messaging systems, most commonly through email.

**Spammers often exploit a company’s open mail relays to send their messages.

***CAN-SPAM Act of 2003

13
Q

Summary of Malware (name some)

A
  • Virus
  • Worm
  • Trojan
  • Ransomware
  • Spyware
  • Rootkit
  • Spam
14
Q

Where does Malware usually start?

A

Typically, Malware infections start within SW, messaging, and media

15
Q

Watering Holes

A

A watering hole is a method of malware attack:

Malware is placed on a website that you know your potential victims will access.

16
Q

Botnet

A

A collection of compromised computers under the control of a master node

Note: Botnets can be utilized in other processor-intensive functions and activities

17
Q

Active Interception

A

Occurs when a computer is placed between the sender and receiver and is able to capture or modify the traffic between them.

18
Q

Privilege Escalation

A

Occurs when you’re able to exploit a design flaw or bug in a system to gain access to resources that a normal user isn’t able to access

19
Q

Backdoor

A

Backdoors are used to bypass normal security and authentication functions.

Remote Access Trojan (RAT) is placed by an attacker to maintain persistent
access

20
Q

Logic Bomb

A

Malicious code that has been inserted inside a program and will execute
only when certain conditions have been met

21
Q

Easter Egg

A

Non-malicious code that when invoked, displays an insider joke, hidden
message, or secret feature

22
Q

IAW secure coding standards, should Logic Bombs and Easter Eggs be used?

A

No.

23
Q

Symptoms of Infection

A
  • Hard drives, files, or applications are not accessible anymore
  • Strange noises occur
  • Unusual error messages
  • Display looks strange
  • Jumbled printouts
  • Double file extensions are being displayed, such as textfile.txt.exe
  • New files and folders have been created or files and folders are missing/corrupted
  • System Restore will not function
24
Q

Removing Malware

A

Removing Malware:

o Identify symptoms of a malware infection
o Quarantine the infected systems
o Disable System Restore (if using a Windows machine)
o Remediate the infected system
o Schedule automatic updates and scans
o Enable System Restore and create a new restore point
o Provide end user security awareness training
o If a boot sector virus is suspected, reboot the computer from an external
device and scan it

25
Q

Preventing Malware

A

o Worms, Trojans, and Ransomware are best detected with anti-malware
solutions

o Scanners can detect a file containing a rootkit before it is installed…

o …removal of a rootkit is difficult and the best plan is to reimage the machine

o Verify your email servers aren’t configured as open mail relays or SMTP open
relays

o Remove email addresses from website

o Use whitelists and blacklists

o Train and educate end users

o Update your anti-malware software automatically and scan your
computer

o Update and patch the operating system and applications regularly

o Educate and train end users on safe Internet surfing practices