Viruses and Worms Flashcards
Virus
Malware that can reproduce itself.
Needs end user to execute a program that starts the replication process.
Needs a human to start the process.
Uses existing file system or network to replicate.
- Can delete files
- Encrypt files
- Put advertising on the system
- Gather info from your PC
Worm
Malware that needs no human interaction.
Can jump from machine to machine.
Takes advantage of existing vulnerabilities and connectivity between local systems.
Can infect 100,000,000s or millions of systems in a short period.
Anti-virus
Software purposely installed on PC.
Recognizes virus.
Stops it from starting and executing.
Updated “signatures” allow anti-virus to recognize new viruses and stop them.
Program Virus
One category of virus.
Part of an application that is running.
Clicking / launching app causes it to execute.
Boot Sector Virus
A rare type of virus.
Exists in the boot sector of a storage device.
Starting up or booting PC launches virus.
Once OS starts, virus is started.
Script Viruses
Can operate in the OS or in the browser.
Macro Virus
Usually runs in another application.
Commonly involves MS Office apps.
A Stealth Attack
Fileless: never installs itself or saves itself as a file on the PC's file system.
New style of virus.
Can sometimes evade anti-virus detection if the anti-virus only inspects what gets written to the storage drive, because the virus never saves itself there.
Operates in memory of PC.
Once started all operations happen in RAM.
Never writes to storage drive on PC.
Executed by clicking links on websites or emails.
Typically runs as a Flash or Java file.
Can take advantage of Windows vulnerabilities to execute.
Can then run a script in another app, such as PowerShell, which downloads a script from a third-party website and executes it.
What can a stealth attack do?
- Run scripts
- Run executables in memory
- Exfiltrate data
- Damage files
- Add auto-start entries to the registry
How to stop a worm.
Identify the worm.
Create a signature.
Set up a firewall or IDS/IPS between systems to block the worm's traffic.
Not helpful if the worm is already on the system.
WannaCry Worm
Occurred Friday, May 12, 2017
Propagated automatically.
Installed crypto malware to begin encrypting personal files.
Took advantage of a vulnerability in Microsoft Server Message Block v1 (SMB v1).
Used the EternalBlue exploit to find other systems on the network and infect them.
Once a new PC was exploited, a backdoor called DoublePulsar was installed, which downloaded WannaCry and then encrypted files on the new PC.
The process then began again from the new PC.