1.2 Given a scenario, analyze potential indicators to determine the type of attack Flashcards
What is a PUP and a PUA?
Potentially unwanted programs (PUPs)/Potentially unwanted applications (PUAs)—software installed alongside a package selected by the user or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent or consent from a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.
What are the different types of viruses?
1.) Non-resident/file infector
2.) Memory resident
3.) Boot
4.) Script and macro viruses
What is a multipartite and a polymorphic virus?
The term multipartite is used for viruses that use multiple vectors and polymorphic for viruses that can dynamically change or obfuscate their code to evade detection.
What is the difference between a worm and a virus?
A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. A virus is executed only when the user performs an action such as downloading and running an infected executable process, attaching an infected USB stick, or opening an infected Word document with macros enabled. By contrast, a worm can execute by exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share.
What is fileless malware?
1.) Fileless malware does not write its code to disk. The malware uses memory resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.
2.) Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the actor’s actions and/or objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.
3.) Fileless malware may use “live off the land” techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.
What is adware?
Adware—this is a class of PUP/grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor’s pages at startup, adding bookmarks, and so on. Adware may be installed as a program or as a browser extension/plug-in.
What is spyware?
Spyware—this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform Domain Name Service (DNS) redirection to pharming sites.
What is a keylogger?
A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.
What is a RAT?
A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs, but is designed specifically to operate covertly. Once the RAT is installed, it allows the threat actor to access the host, upload files, and install software or use “live off the land” techniques to effect further compromises.
What is a backdoor?
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control can be referred to as a backdoor.
What is a bot and a botnet?
A compromised host can be installed with one or more bots. A bot is an automated script or tool that performs some malicious activity. A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purposes, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.
What is command and control?
Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network.
A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
What is a rootkit?
Malware running with this level of privilege is referred to as a rootkit. The term derives from UNIX/Linux where any process running as root has unrestricted access to everything from the root of the file system down.
A rootkit is a program or a collection of malicious software tools that give a threat actor remote access to and control over a computer or other system.
What is ransomware?
Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism.
What is crypto-malware?
The crypto-malware class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files.
What is a logic bomb?
A logic bomb isn’t necessarily malicious code in itself; it is a trap that lies dormant until a triggering event sets off an undesirable action. A typical example is a disgruntled system administrator who leaves a scripted trap that runs in the event his or her account is deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program. This type of trap is also referred to as a mine.
What is Cuckoo?
If suspect code is not detected by endpoint protection, you may want to analyze it in a sandboxed environment. A sandbox is a system configured to be completely isolated from its host so that the malware cannot “break out.” The sandbox will be designed to record file system and registry changes plus network activity. Cuckoo is packaged software that aims to provide a turnkey sandbox solution (cuckoosandbox.org).
What is SHA?
Secure Hash Algorithm (SHA)—considered the strongest hashing algorithm. There are variants that produce different-sized outputs, with longer digests considered more secure. The most popular variant is SHA-256, which produces a 256-bit digest.
What is MD5?
Message Digest Algorithm #5 (MD5)—produces a 128-bit digest. MD5 is not considered to be quite as safe for use as SHA-256, but it might be required for compatibility between security products.
What is hashing?
Hashing is the simplest type of cryptographic operation. A cryptographic hashing algorithm produces a fixed length string from an input plaintext that can be of any length. The output can be referred to as a checksum, message digest, or hash. The function is designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (a collision).
What is symmetric encryption?
A symmetric cipher is one in which encryption and decryption are both performed by the same secret key. The secret key is so-called because it must be kept secret. If the key is lost or stolen, the security is breached. Symmetric encryption is used for confidentiality.
What are two types of symmetric encryption?
Stream cipher and block ciphers.
What is a stream cipher?
In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate, randomly generated stream (the keystream), calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender, and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.
What is a block cipher?
In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into 10 x 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used.
The Advanced Encryption Standard (AES) is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.