1.1 Given a scenario, analyze indicators of compromise and determine the type of malware Flashcards
Viruses (Chapter 6)
A virus is malicious code that attaches itself to a host application. The host application must be executed to run, and the malicious code executes when the host application is executed. The virus tries to replicate by finding other host applications to infect with the malicious code.
Crypto-malware (Chapter 6)
Ransomware that encrypts the user’s data is
sometimes called crypto-malware.
Ransomware (Chapter 6)
A specific type of Trojan is ransomware. Attackers encrypt the user’s
data or take control of the computer and lock out the user. Then, they
demand that the user pay a ransom to regain access to the data or computer.
Criminals often deliver ransomware via drive-by downloads or embedded in
other software delivered via email. Attackers originally targeted individuals
with ransomware. However, they have increasingly been targeting
organizations demanding larger and larger ransoms.
Worm (Chapter 6)
A worm is self-replicating malware that travels throughout a network
without the assistance of a host application or user interaction. A worm resides in memory and can use different transport protocols to travel over the
network. One of the significant problems caused by worms is that they consume network bandwidth. Worms can replicate themselves hundreds of times and
spread to all the systems in the network. Each infected system tries to locate and infect other systems on the network, and network performance can slow to a crawl
Trojan (Chapter 6)
A Trojan, also called a Trojan horse, looks like something beneficial, but it’s actually something malicious.
Rootkit (Chapter 6)
A rootkit is a group of programs (or, in rare instances, a single program) that hides the fact that the system has been infected or compromised by malicious code. A user might suspect something is wrong, but antivirus scans and other checks indicate everything is fine because the rootkit hides its running processes to avoid detection.
Rootkits have system-level access to systems. This is sometimes called root-level access, or kernel-level access, indicating that they have the same
level of access as the operating system. Rootkits use hooked processes, or hooking techniques, to intercept calls to the operating system. In this context, hooking refers to intercepting system-level function calls, events, or messages. The rootkit installs the hooks into memory and uses them to control the system’s behavior.
Keylogger (Chapter 6)
A keylogger attempts to capture a user’s keystrokes. The keystrokes are stored in a file, and are either sent to an attacker automatically, or the attacker may manually retrieve the file. While a keylogger is typically software, it can also be hardware. For example, you can purchase a USB keylogger, plug it into the computer, and plug the keyboard into the USB keylogger. This hardware keylogger will
record all keystrokes and store them within memory on the USBdevice.
Adware (Chapter 6)
When adware first emerged, its intent was primarily to learn a user’s habits for the purpose of targeted advertising. As the practice of gathering
information on users became more malicious, more people began to call it spyware. However, some traditional adware still exists.
The term adware also applies to software that is free but includes advertisements. The user understands that the software will show advertisements and has the option to purchase a version of the software that
does not include the ads. All of this is aboveboard without any intention of misleading the user.
spyware (Chapter 6)
Spyware is software installed on users’systems without their awareness or consent. Its purpose is often to monitor the user’s computer and the user’s activity. Spyware takes some level of control over the user’s computer to learn information and sends this information to a third party. If spyware can
access a user’s private data, it results in a loss of confidentiality. Some examples of spyware activity are changing a user’s home page,
redirecting web browsers, and installing additional software within the
browser. In some situations, these changes can slow a system down, resulting
in poorer performance. These examples are rather harmless compared with
what more maliciousspyware (called privacy-invasive software) might do.
Privacy-invasive software tries to separate users from their money
using data-harvesting techniques. It attempts to gather information to
impersonate users, empty bank accounts, and steal identities. For example,
some spyware includes keyloggers. The spyware periodically reads the data
stored by the keylogger, and sends it to the attacker. In some instances, the
spyware allows the attacker to take control of the user’s system remotely.
Spyware is often included with other software like a Trojan. The user
installs one application but unknowingly gets some extras. Spyware can also
infect a system in a drive-by download. The user simply visits a malicious web
site that includes code to automatically download and install the spyware onto
the user’ssystem.
Bots and botnet (Chapter 6)
A botnet combines the words robot and network. It includes multiple computers that act as software robots (bots) and function together in a network (such as the
Internet), often for malicious purposes. The bots in a botnet are often called zombies and they will do the bidding of whoever controls the botnet.
RAT (Chapter 6)
A remote access Trojan (RAT) is a type of malware that allows attackers to take control of systems from remote locations. It is often delivered via drive-by downloads. Once installed on a system, attackers can
then access the infected computer at any time, and install additional malware if desired.
Logic bomb (Chapter 6)
A logic bomb is a string of code embedded into an application or script that will execute in response to an event. The event might be a specific date or time, or a user action such as when a user launches a specific program.
Backdoor (Chapter 6)
A backdoor provides another way of accessing a system, similar to
how a backdoor in a house provides another method of entry. Malware often
installs backdoors on systemsto bypass normal authentication methods.
While application developers often code backdoors into applications,
this practice is not recommended. For example, an application developer
might create a backdoor within an application intended for maintenance
purposes. However, if attackers discover the backdoor, they can use it to
access the application.
malware
is a malicious software.
