1 - Threats, Attacks, & Vulnerabilities Flashcards

1
Q

Name the 12 types of Malware.

A

Adware, Spyware, Virus, Worm, Trojan, Rootkit, Ransomware (crypto-malware), Keylogger, Backdoor, Logic Bomb, Botnet, RAT

(RAT means Remote Access Trojan here; in another context it means Remote Access Tool.)

2
Q

Definition of malware?

A

Software designed to infiltrate or damage a computer system without the owner’s informed consent.

3
Q

Name the three types of mutating malware.

A

Oligomorphic, Polymorphic, Metamorphic

Signature-based scanners detect malware by looking for a byte pattern that is specific to a known sample. To defeat pattern matching, attackers use these three kinds of mutating malware, each of which changes the code from one copy to the next.
(21)

4
Q

Oligomorphic malware

A

Oligomorphic malware carries a small, fixed set of alternative forms (typically a handful of different decryptors) and switches to one of them each time it runs. Because the set is limited, it eventually cycles back to a form the scanner has already seen, so once every variant has been catalogued it gets caught.

(21)

5
Q

Polymorphic malware

A

Polymorphic malware changes its appearance with every copy while keeping the function of the code the same. This is usually done by encrypting the body with a different key each time and generating a new decryption routine for each copy; the decryptor runs first and restores the original code in memory, so a scanner has to emulate or run the decryptor rather than match the bytes stored on disk.

(21)

6
Q

Metamorphic malware

A

Metamorphic malware completely rewrites its own code, so it appears different every time it is executed, without relying on encryption. It rewrites its machine code with semantics-preserving changes (inserting junk instructions, substituting equivalent instructions, reordering code) so that no constant byte pattern exists for a scanner to match; detection has to look at behaviour rather than bytes.

(21)

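To make the difference between the three concrete, here is an added toy example in Python; it is not from the original flashcards and does not model any real malware. A harmless marker string stands in for the malware body, a naive signature scanner looks for that byte pattern, and three stand-in mutation engines show why each form defeats or survives it. The decryptor stub layout ("DEC" tag, key byte, body), the key set and the toy instruction language are all invented for the example.

```python
import random

# Constructed stand-in for a malware body: a harmless marker string, nothing executes.
PAYLOAD = b"TOY_PAYLOAD: overwrite boot sector"
SIGNATURES = {"toy-static": PAYLOAD}   # what a signature scanner knows


def scan(sample, signatures=SIGNATURES):
    """Naive signature scanner: names of every known byte pattern found in the sample."""
    return [name for name, sig in signatures.items() if sig in sample]


def xor(data, key):
    return bytes(b ^ key for b in data)


# --- Oligomorphic: a small fixed set of decryptors (here: keys), rotated each generation.
OLIGO_KEYS = (0x11, 0x22, 0x33)


def oligomorphic_variant(generation):
    key = OLIGO_KEYS[generation % len(OLIGO_KEYS)]
    return b"DEC" + bytes([key]) + xor(PAYLOAD, key)   # invented stub: tag, key, body


# --- Polymorphic: a fresh key for every copy, so the stored bytes never repeat.
def polymorphic_variant(seed=None):
    key = random.Random(seed).randrange(1, 256)        # never key 0 (body would stay in clear)
    return b"DEC" + bytes([key]) + xor(PAYLOAD, key)


def emulate_and_scan(sample, signatures=SIGNATURES):
    """What a scanner must do against encrypted variants: run (here: parse) the
    decryptor stub and scan the plaintext body it produces."""
    if sample.startswith(b"DEC"):
        return scan(xor(sample[4:], sample[3]), signatures)
    return scan(sample, signatures)


# --- Metamorphic: no encryption at all; the program itself is rewritten each time with
# semantics-preserving changes. Toy instruction set: SET/ADD/SUB/NOP/WRITE.
META_PROGRAM = [("SET", "a", 7), ("ADD", "a", 3), ("WRITE", "a")]


def metamorphic_variant(program, seed=None):
    rng = random.Random(seed)
    out = []
    for op in program:
        if rng.random() < 0.5:
            out.append(("NOP",))                        # junk insertion
        if op[0] == "ADD" and rng.random() < 0.5:
            out.append(("SUB", op[1], -op[2]))          # instruction substitution
        else:
            out.append(op)
    return out


def run(program):
    """Execute a toy program; return what it writes (its observable behaviour)."""
    regs, written = {}, []
    for op in program:
        if op[0] == "SET":
            regs[op[1]] = op[2]
        elif op[0] == "ADD":
            regs[op[1]] += op[2]
        elif op[0] == "SUB":
            regs[op[1]] -= op[2]
        elif op[0] == "WRITE":
            written.append(regs[op[1]])
    return written


def behaviour_matches(program, reference=META_PROGRAM):
    """Behavioural detection: compare what the code does, not what it looks like."""
    return run(program) == run(reference)


if __name__ == "__main__":
    print("static body:   ", scan(PAYLOAD))                                # caught
    print("oligomorphic:  ", scan(oligomorphic_variant(0)),
          "-> after emulation", emulate_and_scan(oligomorphic_variant(0)))
    print("gen 0 == gen 3:", oligomorphic_variant(0) == oligomorphic_variant(3))   # cycles back
    print("polymorphic:   ", scan(polymorphic_variant()),
          "-> after emulation", emulate_and_scan(polymorphic_variant()))
    v = metamorphic_variant(META_PROGRAM, seed=1)
    print("metamorphic:   ", v != META_PROGRAM, "behaviour matches:", behaviour_matches(v))
```

The oligomorphic case shows why a finite set of forms is a weak defence: once a signature exists for each of the three stubs, generation 5 is caught because it is byte-identical to generation 2. The polymorphic case is never caught by the static scan but always by the emulating one. The metamorphic case has no encrypted body to recover, so only the behavioural comparison works.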
7
Q

Name the primary traits of malware.

A

Circulation, Infection, Concealment, Payload Capabilities

Circulation - malware spreads to other systems, infecting as many as possible, through network connections, email attachments, USB flash drives and the like.

Infection - once malware reaches a system through circulation, it must embed itself in that system. It might run only once and live in memory, or persist on disk and run every time the system starts. Some malware attaches itself to legitimate programs, while other malware is a standalone program.

Concealment - the ability to avoid detection by scanners. Some malware morphs into something else, some injects itself into an existing process, and some modifies the underlying host OS.

Payload Capabilities - the action the malware performs once in place. Some steals passwords or files, some changes system settings, and some deletes programs and files.

(22)

8
Q

Virus

A

A computer program that can copy itself (replicate) and infect a computer without the permission or knowledge of the owner. It spreads through user action, such as opening an infected file or running an infected program.

Once a virus is launched, it performs two actions:
— Delivers its payload: some malicious action such as crashing the computer, erasing files from the hard drive, changing security settings or reformatting the hard drive.
— Replicates itself: the virus copies itself into other files on the same computer, so those files now carry the virus too.

9
Q

Name and describe the three forms of viruses.

A

Program virus, Macro virus, Armored virus (2 techniques)

Program virus - infects executable programs.

Macro virus - a macro is a series of instructions grouped into a single command, used in documents to automate complex tasks and run when the document is opened. A macro virus is written in the macro language and infects the document when the macro runs.

Armored virus - built to resist detection and analysis by scanners. Two techniques:
— Swiss cheese infection - the virus encrypts its code, then divides the engine used to decrypt it into pieces and scatters those pieces throughout the infected program's code, making it harder to find where the virus is located within the file.
— Split infection - the virus code itself is split into several parts, which are inserted at several places in the infected program's code.

(23)

10
Q

Ransomware

A

Encrypts user files and demands a ransom before releasing the key, or otherwise prevents use of the computer system or its files unless a fee is paid.
a.k.a. crypto-malware, crypto ransomware
Examples that made the news are Reveton (a lock-screen variant) and CryptoLocker (a file-encrypting variant).

11
Q

Worm

A

A worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes, and it can do so without any user intervention by exploiting vulnerabilities in an application or the host operating system.

Like a virus, it can cause damage by leaving a payload behind.

Once a worm infects a computer, it scans the network for other computers with the same vulnerabilities to infect.

12
Q

Trojan Horse

A

A Trojan is malicious code disguised as a legitimate program; once the user runs it, it performs hidden malicious actions such as stealing sensitive data.

It masquerades as desirable software to trick users into installing it.

Sometimes simply referred to as a Trojan.

13
Q

What is the difference between a Virus, Worm, and a Trojan horse?

A

Virus
— infects files on one system; it reaches another system only when an infected file is carried there.
— Inserts malicious code into a program or data file.
— Requires user interaction to spread to other systems, via removable media or email.
— Runs without user consent.

Worm
— propagates between systems by exploiting vulnerabilities on the affected hosts.
— Does not require user interaction to spread; only a network connection.
— Does not infect files but can leave a destructive payload.
— Runs without user consent.

Trojan
— appears to be a legitimate program but performs malicious actions.
— Runs with user consent (the user installs it believing it is something else).
— Like a virus, it cannot spread without user interaction.

14
Q

Rootkit

A

A rootkit is malware designed to hide or obscure the fact that the system has been compromised. It modifies the operating system itself so that the OS ignores or does not report the malicious activity, and it can remove traces of itself by altering log files.
— Requires admin access to install.
— Installation of a rootkit is usually preceded by privilege escalation.
— Incredibly hard to detect and even harder to remove.
— Once a rootkit has infected a system, the system cannot be trusted and usually needs to be wiped and the operating system reinstalled.

15
Q

Adware

A

Adware (advertising-supported software) is any software package that automatically plays, displays or downloads advertisements to a computer after the software is installed or while the application is being used. It typically:

— Displays objectionable content such as pornography or gambling sites.
— Causes frequent pop-up windows that use computer resources and slow down the computer.
— Shows unwanted ads.
— Tracks a user's online activities and sends a log to the attacker without the user's knowledge or consent; this is used to tailor ads to the sites the user visits.

16
Q

Spyware

A

Spyware is malware that is installed on computers to collect information about users without their knowledge. The presence of spyware is typically hidden from the user.

— Keylogger is a type of spyware.

(31)

17
Q

Keylogger

A

Keylogger is a type of spyware that captures keystrokes from a user’s keyboard and sends this information to the attacker. The attacker then uses it to obtain passwords, credit card numbers, and other personal information.

Two types:
— Hardware keylogger - a device inserted between the keyboard and the USB port on the computer. It is designed to look like part of the keyboard cable and is plugged into the back of the computer, so it can go unnoticed for a long time. The attacker must return later and retrieve the device to get the data.

— Software keylogger - a program installed on the computer to silently capture keystrokes. Usually concealed with rootkit techniques to avoid detection by the user. Software keyloggers are typically installed by a Trojan horse or virus and send the captured data to the attacker over the computer's Internet connection.

18
Q

Botnet

A

A bot is an infected computer (a "zombie") under the control of an attacker (the "bot herder").

When an attacker controls thousands or tens of thousands of such computers, the collection is known as a botnet.

Infected computers wait for instructions over a command-and-control (C2) channel, which the bot herder uses to tell the zombies what to attack and how.

Types of Botnet attacks:
— Spamming

— Spreading malware

— Manipulating online polls - since each zombie has a unique IP address, each counts as a legitimate vote.

— Denying services

19
Q

Remote Access Trojan/Tools

A

Remote Access Trojan is a Trojan horse that allows an attacker to gain remote access to a system.

Remote Access Tool is a piece of software used to remotely access or control a computer. This tool can be used legitimately by a system admin for accessing client computers.

Remote Access Tools used for malicious purposes are known as Remote Access Trojans.

The tools can steal passwords, collect keystrokes, and record audio by using an infected device’s microphone.

20
Q

Logic Bomb

A

A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function, such as deleting data, when specified conditions are met.

Logic bombs are typically an insider threat: the code is planted by someone who already has legitimate access to the software.

Logic bombs are triggered by a specific event, date or time.

Logic bombs are difficult to detect because they are usually buried in large bodies of code, inserted as a few lines by trusted employees without anyone else noticing.

Logic bombs are usually not detectable by a scanner, since until the trigger fires they look like ordinary application logic.

21
Q

Backdoor

A

A backdoor gives access to a computer system by circumventing the normal security protections.

Attackers install backdoors on compromised computers so they can get back in at a later date.

Programmers sometimes put a backdoor into their software during development for easy access to it. If it is not removed before release, an attacker who discovers it can use it to access the program.
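What a leftover development backdoor looks like in practice, as an added Python example (not from the flashcards or any real product): a login routine with a shipped debug password beside the hardened version, plus the kind of cheap source check that would have caught it before release. The user store, the salt, the debug password and the sample source snippet are all constructed for the example.

```python
import hashlib
import hmac
import re

ITERATIONS = 50_000
SALT = b"constructed-static-salt"   # per-user random salts in real code; fixed here for brevity


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user store: one account with a known password.
USERS = {"alice": _hash("correct horse battery staple")}

# Vulnerable: a development shortcut that shipped. Any username gets in with this string.
DEBUG_PASSWORD = "letmein-dev"           # constructed; the kind of literal that must not exist


def authenticate_with_backdoor(username, password):
    if password == DEBUG_PASSWORD:       # the backdoor: bypasses the user store entirely
        return True
    digest = USERS.get(username)
    return digest is not None and hmac.compare_digest(digest, _hash(password))


# Hardened: a single code path; unknown user and wrong password fail the same way.
def authenticate(username, password):
    digest = USERS.get(username)
    if digest is None:
        _hash(password)                  # do the same work so timing does not leak usernames
        return False
    return hmac.compare_digest(digest, _hash(password))


# Cheap pre-release check: grep the source for a password compared against a string literal.
LITERAL_PASSWORD_CHECK = re.compile(r"""\b(password|passwd|secret|token)\b\s*==\s*['"]""", re.I)


def find_literal_password_checks(source):
    """Line numbers where a password-like variable is compared to a hard-coded string."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if LITERAL_PASSWORD_CHECK.search(line)]


# Constructed snippet standing in for a source file under review.
SAMPLE_SOURCE = '''def login(user, password):
    if password == "letmein-dev":
        return True
    return check_store(user, password)
'''

if __name__ == "__main__":
    print("backdoor build, unknown user:", authenticate_with_backdoor("nobody", DEBUG_PASSWORD))
    print("hardened build, unknown user:", authenticate("nobody", DEBUG_PASSWORD))
    print("hardened build, alice:       ", authenticate("alice", "correct horse battery staple"))
    print("literal password checks at lines:", find_literal_password_checks(SAMPLE_SOURCE))
```

The regex check is deliberately crude; its value is that it runs in CI on every commit, so a "temporary" shortcut cannot survive to release unnoticed. A unit test asserting that a non-existent user can never authenticate is the complementary behavioural check.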

22
Q

Name 14 types of social engineering attacks.

A

Psychological Approaches, Impersonation, Phishing, Pharming, Spear Phishing, Whaling, Vishing, Spam, Virus Hoax, Typo Squatting, Waterhole Attack, Dumpster Diving, Tailgating, Shoulder Surfing

23
Q

Social Engineering

A

Social engineering attacks manipulate individuals into granting unauthorized access or giving out information.

Social engineering relies on the psychology or emotions of the victim: the attacker manipulates the victim into taking some action or revealing information in a way that seems innocent.

24
Q

Psychological Approaches to Social Engineering

A

Psychological approaches to social engineering:

— Authority - the attacker impersonates an authority figure or falsely cites one.
— Intimidation - the victim is frightened or coerced by a threat.
— Consensus/Social proof - the victim is influenced by what others appear to be doing.
— Scarcity - something is presented as being in short supply.
— Urgency - immediate action is said to be needed.
— Familiarity/Liking - the attacker appears to be someone the victim knows, or makes themself likeable.
— Trust - the attacker builds a relationship so the victim has confidence in them.

25
Q

Impersonation

A

Impersonation is when an attacker masquerades as a real or fictitious character and plays that role to a victim to take advantage of them.

An attacker will usually take the approach of an authoritative figure since most people find it hard to say no to them.

Some of the most popular roles for impersonation are:
— IT support
— Repairman
— Manager
— Fellow employee
— Trusted third-party

26
Q

Phishing

A

Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

Attackers look for:
— Password/login info
— Social Security numbers
— Bank account numbers

Phishing is usually successful because the email looks like it was sent from a legitimate company.

Attackers will use the following techniques:

— deceptive web links - variations on legitimate addresses, such as www.ebay_secure.com

— Logos - The logo of the vendor is usually included in the email to make it look genuine.

— urgent request - The email is written with instructions to act immediately or something bad will happen.

27
Q

Spear Phishing

A

Spear Phishing is a form of Phishing that targets a specific organization or group of individuals, seeking unauthorized access to confidential data.

Spear Phishing emails are customized to the victims including their names and personal information to make the emails seem legitimate.

(41)

28
Q

Whaling

A

Whaling is a type of Spear Phishing that targets wealthy individuals and senior executives of companies. The attacker is after a bigger payday since these individuals usually have a large amount of money in bank accounts or investments.

An attacker gathers a lot of information about the individual and targets the attacks specifically towards the victim. By focusing on one individual, an attacker has more time to gather this information and achieve a higher success rate.

29
Q

Vishing

A

Vishing (voice phishing) is phishing carried out by telephone call instead of email.

Attackers use VoIP features such as caller ID spoofing and automated interactive voice response (IVR) systems to run their schemes.

30
Q

Pharming

A

Pharming is an attack that redirects a website's traffic to another, bogus website, without the victim mistyping or clicking anything.

Pharming is carried out either by changing the hosts file on the victim's computer or by exploiting a vulnerability in DNS server software to insert a false record (DNS poisoning), so that the legitimate hostname resolves to the attacker's address.
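Because a hosts-file entry overrides DNS for the whole machine, a local check for the hosts-file form of pharming is cheap and worth having. The following is an added example in Python, not from the flashcards or any product; the sample hosts contents, the list of protected domains and the 203.0.113.45 address are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file. The last two lines are the kind of entry a pharming
# infection adds: a bank's hostname pinned to an attacker-controlled address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example   # legitimate internal entry
203.0.113.45    www.examplebank.com
203.0.113.45    examplebank.com
"""

# Hostnames that should only ever be resolved through DNS (assumed list for the example).
PROTECTED_DOMAINS = ("examplebank.com", "login.microsoftonline.com", "paypal.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are
    skipped, and one line may list several hostnames for the same address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def is_protected(hostname, protected=PROTECTED_DOMAINS):
    """True if hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in protected)


def suspicious_entries(text, protected=PROTECTED_DOMAINS):
    """Flag entries a pharming attack would add. Returns (ip, hostname, reason) tuples.
    Any entry for a protected domain is flagged, even one pointing at loopback: a bank
    name pinned anywhere in the hosts file is tampering."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if is_protected(name, protected):
            findings.append((ip, name, "protected domain pinned in hosts file"))
        elif name == "localhost" and not addr.is_loopback:
            findings.append((ip, name, "localhost redirected"))
    return findings


if __name__ == "__main__":
    # On a real system read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {name:28} {reason}")
```

The DNS-poisoning form of pharming cannot be seen in the hosts file; for that, compare what the local resolver returns for a protected name against a known-good resolver, or validate with DNSSEC where the zone supports it.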

31
Q

SPAM

A

Spam is the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately.

Spam filters cut down on the amount of spam by blocking emails based on certain keywords, such as Viagra or investments.

Spammers have turned to image spam, which puts an image of the text in the email; a keyword filter cannot read text inside an image.

Most spam is now sent from botnets.

32
Q

SPIM

A

SPIM (spam over instant messaging) is perpetrated by bots that harvest IM screen names off the Internet and, simulating a human user, send spam to those screen names via instant message.

The SPIM typically contains a link to a website that the Spimmer is trying to market.

Also referred to as Instant Spam or the less intrusive sounding IM marketing.

33
Q

Virus Hoax

A

A virus hoax is a false email message warning the recipient about a virus that is going around. The message usually works as a chain letter, telling the recipient to forward it to everyone they know.

The emails are made to look as if they come from IT support and tell users to delete files or change settings on their computer, then forward the email to everyone they know.

Some detrimental effects of a virus hoax are:

— users are tricked into changing their system configuration, opening their system up to attack.

— users are tricked into deleting system files, which can stop the computer from working at all.

— email gateways fill up with all the copies being forwarded, slowing down email.

— technical support resources are consumed by the increase in user calls.

34
Q

Typo Squatting

A

Typo squatting (URL hijacking) means setting up websites on URLs that are close to legitimate URLs, so that a person who mistypes the address ends up on the attacker's website.

— Once a victim lands on one of these fake sites, they can be bombarded with ads.

— The site might have a fake survey that asks for the victim's email address, which is then sold to spammers.

Along with URL hijacking, victims can accidentally send private emails to a mistyped domain that an attacker has registered; the attacker collects the misdirected mail in the hope of obtaining private information to exploit.
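The deceptive links of card 26 (www.ebay_secure.com) and the mistyped domains of this card are two sides of the same check: is the registrable domain in a URL the real one, a typo of it, or a string that merely contains the brand? Below is an added Python example, not from the flashcards or any product, that generates the common typosquat candidates for a domain and classifies URLs against them. The transformation set, the small TLD list and the "last two labels" rule for the registrable domain are simplifying assumptions for the example; real monitoring uses a public-suffix list and far more permutations.

```python
from urllib.parse import urlsplit

TLD_SWAPS = ("com", "net", "org", "co")   # assumed small list; real tools use many more


def typo_variants(domain):
    """Candidate typosquat domains for a registrable domain such as 'ebay.com'."""
    name, tld = domain.rsplit(".", 1)
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                       # omission:      eby
        names.add(name[:i] + ch + name[i:])                      # repetition:    ebbay
        if i < len(name) - 1:                                    # transposition: ebya
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if ch in "aeiou":                                        # vowel swap:    ebey
            names.update(name[:i] + v + name[i + 1:] for v in "aeiou" if v != ch)
        if i:                                                    # hyphenation:   e-bay
            names.add(name[:i] + "-" + name[i:])
    variants = {f"{n}.{tld}" for n in names if n}
    variants.update(f"{name}.{t}" for t in TLD_SWAPS if t != tld)   # wrong TLD: ebay.co
    variants.discard(domain)
    return variants


def registrable(hostname):
    """Last two labels. Assumption: no public-suffix list, so 'example.co.uk' is mis-cut;
    use a public-suffix library for real traffic."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, legit_domain="ebay.com"):
    """legitimate / typosquat / lookalike / unrelated, judged on the registrable domain only.
    Everything left of it (www., login., ebay.com.evil...) is attacker-controlled noise."""
    host = urlsplit(url).hostname or ""
    reg = registrable(host)
    if reg == legit_domain:
        return "legitimate"
    if reg in typo_variants(legit_domain):
        return "typosquat"
    if legit_domain.split(".")[0] in host:      # brand embedded elsewhere: ebay_secure.com
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.ebay.com/signin", "http://www.ebay_secure.com/login",
              "http://ebya.com/", "http://ebay.co/", "http://ebay.com.evil.example/",
              "http://example.org/"):
        print(f"{u:40} {classify_url(u)}")
```

Defensively, the output of typo_variants is the list a brand owner checks against WHOIS and passive DNS to find squatted registrations before they are used in phishing; classify_url is the kind of rule a mail gateway applies to links in inbound mail.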

35
Q

Watering Hole Attack

A

A watering hole attack is directed at a small group of specific individuals, such as the executives of a company.

Since most of the group visit the same websites, the attacker works out which site that is and compromises it to serve malware, so that the targets' computers are infected when they visit.

36
Q

Dumpster Diving

A

Dumpster diving is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to an attacker.

Some items an attacker searches for:

— calendars - reveal when employees are out of town.

— Flash drives or portable hard drives - can contain valuable private information if improperly disposed of.

— memos - give an attacker who is preparing a social engineering attack pieces of information to work with.

— Organization charts - identify the individuals who are in authority.

— phone directories - give the names and phone numbers of individuals in the company.

— policy manuals - can reveal the true security posture of the company.

— System manuals - tell an attacker what kind of computer and networking equipment the company uses, so an attack can be tailored to it.

37
Q

Tailgating

A

Tailgating is when an unauthorized person follows an authorized person through a door into a restricted area without that person's knowledge or consent.

Piggybacking is when an authorized employee knowingly lets an unauthorized person walk in with them through the open door.

38
Q

Shoulder Surfing

A

Shoulder surfing refers to using direct observation, such as looking over someone's shoulder, to obtain information such as a password or PIN.

Password-protected screen savers, password masking and privacy screens are used to mitigate shoulder surfing.

Using proximity cards instead of keypad doors also helps, since there is no code to observe.