SB 15: Malware Flashcards

1
Q

What is a trapdoor?

A

Also called a “backdoor”: a means of subverting the normal access control and even the authentication of a system. It can be malicious and intentional, or introduced accidentally and unintentionally by a programmer. It can also be used for testing purposes.

2
Q

What is a covert channel?

A

Any communication that violates the security policy. It can be used to move information in a way that is not intended (or allowed).

It creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate. Also known as “hidden channels”.

3
Q

What is a trojan horse?

A

A program with an overt (documented or known) purpose and a covert (undocumented or unexpected) purpose. They generally do not try to inject themselves into other files or propagate themselves.

A propagating trojan horse, however, creates copies of itself and can insert itself into specific programs.

4
Q

What is a rootkit?

A

A pernicious trojan horse. It hides itself on a system to carry out its actions without being detected.

The earliest forms of rootkits installed backdoors and traps, and then changed the system programs that reported on the system status.

Installation can be automated, or an attacker can install it after having gained root access to the system. Once installed it hides itself; the attacker can then gain full access to the system, giving them the power to change anything.

Detection methods include: booting an alternative OS, behavioural analysis, signature scanning. Rootkits are very difficult to remove depending on where they are located: they can be in the kernel or in firmware, which requires re-installation of the OS or replacement of hardware components.

Examples:
Sony BMG DRM rootkit
Greek wiretapping

5
Q

What is a computer virus?

A

A program that inserts (a possibly transformed version of) itself into one or more files and then performs some (possibly null) action.

1st phase: insertion.
2nd phase: execution; in the execution phase there may be some form of spread condition.

Generally requires a host program.
Uses complex anti-detection/stealth mechanisms to prevent anti-virus software from detecting it.

Uses social engineering and exploits vulnerabilities to infect systems.

6
Q

What is a computer worm?

A

A program that copies itself from one computer to another.

There are generally three phases:
1. Target selection: determining what systems to attempt to spread to.
2. Propagation: an attempt to infect the chosen target.
3. Execution: runs once it has successfully infected the target system. The payload can be empty, in which case the worm is simply spreading.

7
Q

What are bots and botnets?

A

Bot: malware that carries out some action in coordination with other bots.

Bot-master: controls the bots.

Command & Control server: where the bots are controlled from.

C&C channels: communication paths.

Botnet: a collection of bots.

There are four stages in a bot's lifecycle:
1. Infect: via worms, trojans or exploiting vulnerabilities, etc.
2. Connect: check for network connections to communicate.
3. Command: given commands to execute and download any extra components needed.
4. Execute: execute the commands, if appropriate it may send results to other sites.

3 and 4 are repeated as needed.

8
Q

What is adware?

A

A trojan horse that gathers information for marketing purposes and displays ads.

9
Q

What is spyware?

A

A trojan horse that records information about the use of a computer, usually resulting in confidential information being discovered.

10
Q

What parts in a system can a computer virus infect?

A

Boot sector: the part of a disk used to bootstrap the system or mount a disk.

Executable: infects programs and can either append or prepend itself to the program.

Data: data is interpreted as a set of instructions, and
the computer virus causes the interpreter to spread the virus.

Multipartite: can infect both the boot sector and applications. Typically consists of two parts, one for each type.

Macro: composed of a set of instructions that are interpreted rather than executed directly. Can infect executables or data. Not bound by machine architecture; a macro virus targeted at Word, for example, will only work on systems running Word.

11
Q

Is a computer virus a form of trojan horse?

A

Yes: the insertion and execution are the covert purpose of the virus, the purpose of the infected program is overt.

No: a virus has no covert purpose; its overt purpose is to infect and execute.

Either way defenses against trojan horses also defend against viruses.

12
Q

What is concealment for computer viruses?

A

One of the goals of a computer virus is to remain undiscovered until executed and possibly even after that.

Concealment techniques have evolved over time, making it even more difficult to find a virus on a system.

13
Q

How can a botnet be organized?

A

1. Centralized: each bot communicates directly with the bot-master. Usually organized in a hierarchical structure. Allows control of large botnets.
2. Peer-to-peer: uses a C&C structure where there is no single C&C server. Bots act as peers. If some part of the botnet is deleted the remainder can still continue to function.
3. Random: to communicate, addresses are scanned at random to find another bot. Minimizes the damage if a bot is discovered.
14
Q

What is a problem inherent with botnets?

A

The C&C addresses must be available to the bots. Discovery of any node places key servers at risk. By using knowledge of how content delivery networks work, this information can be hidden.
