Trojans and other Attacks Flashcards

1
Q

Malware

A

Software designed to harm or secretly access a computer system without the owner’s informed consent. Also called a computer contaminant.

2
Q

Malvertising

A

Embedding malware into ad networks

3
Q

Malware Delivery

A

Downloaded from the Internet
Drive-by downloading
Hijacking of peer-to-peer applications
Email attachment

4
Q

Overt Channels

A

Legitimate communication channels

5
Q

Covert Channels

A

Used to transport data in unintended ways

6
Q

Wrappers

A

Programs that allow you to bind a trojan to an innocent file

7
Q

Crypters

A

Software tools that use a combination of encryption and code manipulation to render malware undetectable to AV and other security-monitoring products. FUD - fully undetectable.

8
Q

Packers

A

Use compression to make the malware executable harder to detect for antivirus engines. Extraction occurs in memory and not on disk.

9
Q

Trojan Exploit Kits

A

Infinity
Bleeding Life
Crimepack
Blackhole Exploit Kit

10
Q

Trojan

A

Embedded malicious code in an otherwise normal application

11
Q

Types of Trojans

A

Defacement trojan
Proxy server trojan
Botnet trojan (Tor-based Chewbacca and Skynet)
Remote Access trojan (RAT, MoSucker, Optix Pro, Blackhole)
E-banking trojan (Zeus, SpyEye)

12
Q

Covert Channel Tunneling Trojan (CCTT)

A

A form of remote access trojan that uses a variety of exploitation techniques to create data transfer channels in previously authorized data streams. Designed to provide an external shell from within the internal environment.

13
Q

Command shell trojan

A

Provides a backdoor to the system that you connect to via command-line access. Netcat, example: nc -e IPaddress port#
The -t option will provide telnet
Example: nc -l -p 5555 opens a port in a listening state, and nc IPaddress -p 5555 connects to the target machine with a telnet-like connection
Netcat can be used for outbound or inbound connections over TCP or UDP, to or from any port on the machine. It offers DNS forwarding, port mapping and forwarding, and proxying. It can also be used as a port scanner.

14
Q

Trojan Ports

A

Death 2
Senna Spy 20
Hackers Paradise 31, 456
TCP Wrappers 421
Doom, Satanz Backdoor 666
Silencer, WebEx 1001
RAT 1095-98
SubSeven 1243
Shivka-Burka 1600
Trojan Cow 2001
Deep Throat 6670-71
Tini 7777
NetBus 12345, 12346
Whack a Mole 12361-12363
Back Orifice 31337, 313338
Use netstat -an to monitor listening ports
netstat -b - displays all active connections and the processes using them
15
Q

Neverquest Trojan

A

Targets banking websites. Designed to steal credentials and sensitive information and to set up VNC remote access on targets

16
Q

Port monitoring tools

A

Fport - shows the same info as netstat -an but also maps connections to running processes and PIDs
What's Running
TCPView
IceSword
CurrPorts
Process Explorer
17
Q

Registry monitoring tools

A

SysAnalyzer
Tiny Watcher
Active Registry Monitor
Regshot
Malwarebytes
18
Q

Service monitoring

A

Windows Service Manager
Service Manager Plus
Smart Utility

19
Q

Verifying the integrity of system files - can act as a HIDS for trojans

A

Tripwire

Sigverif - creates c:\windows\system32\sigverif.txt

20
Q

Virus

A

Self-replicating program that reproduces its code by attaching copies of itself to other executable code
Can be distributed through virus hoaxes and fake antivirus programs

21
Q

Ransomware

A

Malicious software designed to deny access to a computer until a ransom is paid

22
Q

Wannacry

A

Ransomware that took advantage of an unpatched SMBv1 vulnerability using the exploit known as EternalBlue

23
Q

Ransomware programs

A

Cryptorbit
Cryptolocker
CryptoDefense

24
Q

Boot sector virus

A

Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first
Petya ransomware overwrote the master boot record

25
Q

Shell virus

A

Wraps itself around an application’s code, inserting its own code before the application’s

26
Q

Cluster virus

A

Modifies directory table entries so that user or system processes are pointed to the virus code itself instead of the application

27
Q

Multipartite virus

A

Attempts to infect both files and the boot sector at the same time; the term refers to a virus with multiple infection vectors.

28
Q

Macro virus

A

Usually written in Visual Basic for Applications (VBA); infects template files created by Microsoft Office apps. The Melissa virus was a macro virus.

29
Q

Polymorphic code virus

A

Mutates its code using a built-in polymorphic engine. Difficult to find and remove because its signature constantly changes.

30
Q

Encryption virus

A

Uses encryption to hide the code from antivirus scanners

31
Q

Metamorphic virus

A

Rewrites itself every time it infects a new file

32
Q

Stealth virus

A

Also known as a tunneling virus; evades AV by intercepting the AV’s requests to the operating system and altering the response so that the AV sees the file as uninfected

33
Q

Cavity virus

A

Overwrites portions of host files using the null-content sections so as not to increase the actual size of the file

34
Q

Sparse infector virus

A

Infects only occasionally, for example only every tenth time an application is run

35
Q

File extension virus

A

Changes file extensions to take advantage of the fact that file extensions are hidden by default. readme.txt.vbs looks like readme.txt when file extensions are not being shown

36
Q

Create your own virus

A

Sonic Bat,
PoisonVirus Maker,
Sam’s Virus Generator,
JPS Virus Maker

37
Q

Worm

A

Self-replicating malware program that uses a network to send copies of itself to other systems. Normally it doesn’t alter files, but it resides in memory and duplicates itself, eating up resources.

38
Q

Conficker worm

A

Disabled services, denied access to administrator shared drives, locked users out of directories, and restricted access to security-related sites.

39
Q

Ghost eye worm

A

Hacking tool that uses random messaging on Facebook and other sites to perform a host of malicious activities

40
Q

Code Red worm

A

Exploited indexing software on IIS servers in 2001. Used a buffer overflow and defaced thousands of servers

41
Q

Darlloz

A

Worm for IoT. Linux-based worm that targets devices running ARM, MIPS and PowerPC architectures, normally routers, set-top boxes and security cameras

42
Q

Nimda

A

Modified and touched nearly all web content on a machine. Was the most widespread worm in history. Nimda spread through email, open network shares, and websites and took advantage of backdoors left on machines infected by the Code Red worms.

43
Q

Slammer

A

SQL Slammer was a denial-of-service worm attacking buffer overflow weaknesses in Microsoft SQL. Also called Sapphire, SQL_HEL, and Helkern; it spread quickly using UDP and its small size (fit inside a single packet)

44
Q

Bug Bear

A

Propagated over open network shares and email. Terminated AV applications and set up a backdoor for later use. Also included a keylogger

45
Q

Pretty Park

A

Spread via email and took advantage of IRC to propagate stolen passwords. Often displayed a 3D Pipe screensaver.

46
Q

Analyzing malware

A

Use a virtual machine with the NIC in host-only mode and open shares. Analyze the malware statically using tools like BinText and UPX to examine the binary itself as well as its compression and packing techniques. Then execute the malware and check the processes in place (with Process Monitor and Process Explorer). Review network traffic using NetResident, TCPView, or Wireshark. Tools for malware analysis include IDA Pro, VirusTotal, Anubis, and ThreatAnalyzer.

47
Q

Sheepdip System

A

A standalone computer that is set up to check physical media, device drivers, and other files for malware before it is introduced to a network. Normally configured with a couple of different AV programs, port monitors, registry monitors, and file integrity verifiers.

48
Q

Netizen

A

Cybercitizen, a person actively involved in online communities

49
Q

Technorati

A

Blog search engine

50
Q

Distributed Denial of Service (DDoS) attack

A

DoS from many systems, normally part of a botnet

51
Q

Botnet

A

A network of zombie computers the hacker can use to launch a distributed denial of service attack

52
Q

Botnet software

A

Shark, Poison Ivy. The preferred communication channel used to signal the bots is Internet Relay Chat (IRC) or Internet Chat Query (ICQ); it could also be HTTP or HTTPS

53
Q

Categories of DOS/DDOS

A
  1. Fragmentation attacks - take advantage of the system’s ability to reconstruct fragmented packets
  2. Volumetric attacks - also known as bandwidth attacks, these consume all available bandwidth for the system or service
  3. Application attacks - consume the resources necessary for the application to run

54
Q

TCP state exhaustion attacks

A

Goes after load balancers, firewalls, and application servers by attempting to consume their connection state tables

55
Q

SYN attack

A

Sending thousands of SYN packets to the victim with a false source IP address. Eventually all the resources are consumed

56
Q

SYN flood

A

Sending thousands of SYN packets to the victim but not responding to the SYN/ACK. Also consumes all resources on the victim, which has to leave the connection open waiting for a response that never arrives.

57
Q

ICMP flood

A

Sending thousands of ICMP echo packets to the target with a false source IP address.

58
Q

Smurf

A

Sending thousands of ping requests to a subnet broadcast address with the source IP of the target. The Fraggle attack is similar but uses UDP.

59
Q

Ping of Death

A

The attacker fragments an ICMP message to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.

60
Q

Teardrop

A

A large number of garbled IP fragments with overlapping, oversized payloads are sent to the target machine. On older Microsoft OS this would cause a crash.

61
Q

Peer to peer

A

Clients of a peer-to-peer hub are disconnected and directed to connect to a target system

62
Q

Permanent

A

Phlashing causes permanent damage to a system, normally by overwriting firmware. Also known as bricking a system.

63
Q

LAND attack

A

Sends a SYN packet to the target with the source IP spoofed to the same IP as the target. The target will loop endlessly and crash the OS.

64
Q

DOS/DDOS tools

A

Low Orbit Ion Cannon (LOIC) - can flood a target with TCP, UDP, or HTTP requests
Trinity - Linux-based
Tribe Flood Network - uses a botnet
R-U-Dead-Yet (RUDY) - performs DoS with HTTP POST via a long form field
Slowloris - TCP DoS tool that ties up open sockets and causes services to hang. Useful against web servers

65
Q

DOS/DDOS countermeasures

A

Disabling unnecessary services
Good firewall policy
Patching
Use a good NIDS
Skydance - can detect a DoS
Network ingress filtering and auditing

66
Q

Session Hijacking

A

Refers to stealing an active TCP session from a client. The server is not aware, and the client reconnects using a different session.

  1. Sniff the traffic between the client and the server
  2. Monitor the traffic and predict the sequence numbering
  3. Desynchronize the session with the client by sending a TCP RST, or FIN.
  4. Predict the session token
  5. Take over the session by pretending to be the client to the server. Inject packets to the target server

Session hijacking can be done via brute force, calculation or stealing.

Sequence numbers increment on acknowledgment. An acknowledgment of 105 with a window size of 200 means you could expect sequence numbering from 105 through 305

67
Q

Session hijacking tools

A

Ettercap
Hunt - can sniff, hijack and reset connections
T-sight
Zaproxy
Paros - also a proxy
Burp Suite
Juggernaut
Hamster
Ferret

68
Q

Man in the browser

A

When an attacker sends a trojan to intercept browser calls, sitting between the browser and the libraries, allowing a hacker to watch and interact within a browser session.

69
Q

Session hijacking countermeasures

A

Use unpredictable session IDs
Limit incoming connections
Minimize remote access
Regenerate the session key after authentication is complete
Use encryption to protect the channel (IPSEC is an option)

70
Q

IPSEC

A

Secures traffic by providing encryption and authentication services to each packet. Works in one of two modes:

  1. Transport mode - the payload and ESP trailer are encrypted but the original IP header is not. Can be used in a NAT network
  2. Tunnel mode - the whole packet, including the original IP header, is encrypted, making it incompatible with NAT

71
Q

IPSEC Authentication Header (AH)

A

Guarantees the integrity and authentication of the IP packet sender

72
Q

IPSEC Encapsulating Security Payload (ESP)

A

Provides origin authenticity and integrity and can also encrypt. ESP does not provide integrity and authentication for the entire IP packet in transport mode, but in tunnel mode protection is provided to the entire IP packet

73
Q

Internet Key Exchange (IKE)

A

IKE produces the encryption keys

74
Q

Oakley

A

Uses Diffie-Hellman to create master and session keys

75
Q

Internet Security Association Key Management Protocol (ISAKMP)

A

Facilitates encryption between two endpoints

76
Q

Spectre and Meltdown

A

Attacks that took advantage of speculative processing