Malware Flashcards
trojan horse
A type of software that performs unwanted and harmful actions in disguise of a legitimate and useful program is known as a Trojan horse. This type of malware may act like a legitimate program and have all the expected functionalities, but apart from that it will also contain a portion of malicious code that the user is unaware of.
Worm
A standalone malicious computer program that propagates itself over a computer network to adversely affect system resources and network bandwidth is indeed called a “worm.” Unlike viruses, worms don’t need a host file or user interaction to spread; they can independently replicate and spread across networks, often causing significant damage by consuming system resources, slowing down network performance, or even causing system crashes.
PUP
“PUP” stands for Potentially Unwanted Program. It refers to software that is usually installed alongside other software with the user’s explicit consent or knowledge. While PUPs may not be inherently malicious, they often exhibit behaviors that users may find undesirable or unwanted, such as displaying intrusive advertisements, tracking user activities, or altering browser settings.
Examples of PUPs include browser toolbars, adware, and certain types of software bundling. While PUPs may not be harmful in the same way as malware, they can still impact system performance and user experience, leading to frustration and privacy concerns.
fileless virus
The type of malware that resides only in RAM.
Fileless viruses operate by running directly in a computer’s memory (RAM) without leaving a trace on the system’s hard drive. This characteristic makes them particularly difficult to detect and remove using traditional antivirus or antimalware tools, as they don’t rely on traditional executable files or leave behind identifiable signatures.
Fileless viruses typically exploit vulnerabilities in legitimate system processes or applications to execute malicious code directly in memory. Because they don’t require the creation of files on disk, they can evade detection by traditional antivirus software that primarily scans files for signs of malicious activity.
C2 Server
A “C2 server” (Command and Control server) is a centralized server used by attackers to control compromised computers or devices, often referred to as “bots” or “zombies,” within a botnet. In a cyberattack, the C2 server serves as the main communication hub between the attacker and the infected devices.
The C2 server issues commands to the infected devices, instructing them to carry out various malicious activities, such as launching DDoS (Distributed Denial of Service) attacks, sending spam emails, stealing sensitive information, or spreading malware to other systems.
The C2 server also collects data and information from the infected devices, such as system information, network status, or stolen data, allowing the attacker to monitor and manage the botnet effectively.
Detecting and taking down C2 servers is a crucial aspect of cybersecurity defense strategies, as disrupting communication between the attacker and the infected devices can help mitigate the impact of cyberattacks and prevent further damage.
authentication, authorization, accounting (AAA)
Authentication, authorization, and accounting (AAA) are three fundamental components of access control and security mechanisms in computer systems and networks:
Authentication: Authentication is the process of verifying the identity of a user or entity attempting to access a system or resource. It ensures that users are who they claim to be before granting them access. Authentication mechanisms typically involve the use of credentials, such as usernames and passwords, biometric data, digital certificates, or multi-factor authentication methods. By authenticating users, organizations can prevent unauthorized access to sensitive information and resources.
Authorization: Authorization is the process of determining the permissions and privileges that authenticated users have within a system or network. It specifies what actions or resources a user is allowed to access based on their identity and assigned permissions. Authorization mechanisms enforce access control policies and ensure that users only have access to the resources necessary for their roles or responsibilities. This helps organizations maintain the principle of least privilege and prevent unauthorized access to sensitive data or critical systems.
Accounting: Accounting, also known as auditing or logging, involves tracking and recording the actions and activities of users within a system or network. It includes collecting information about user logins, resource access, changes to system configurations, and other security-relevant events. Accounting data is used for various purposes, such as monitoring system activity, detecting security incidents, investigating breaches, and ensuring compliance with regulatory requirements. By maintaining comprehensive accounting records, organizations can track user behavior, identify security threats, and maintain accountability for system activities.
A malware-infected network host under remote control of a hacker is commonly referred to as:
a “bot” or a “botnet.” Botnets consist of a large number of compromised computers or devices, known as “bots,” that are under the control of a central command and control (C2) server operated by the attacker. These infected hosts can be used to carry out various malicious activities, such as launching DDoS attacks, sending spam emails, stealing sensitive information, or spreading malware to other systems.
cryptomalware
Cryptomalware, a type of ransomware, encrypts the victim’s files or data, rendering them unusable until the ransom is paid.
logic bomb
A logic bomb is a type of malicious code or software that is intentionally inserted into a computer system or network with the purpose of lying dormant until triggered by a specific event or condition. When triggered, the logic bomb executes its malicious payload, which could be anything from deleting files or corrupting data to causing system crashes or launching other forms of cyberattacks.
Unlike other types of malware that actively spread or replicate themselves, logic bombs are typically installed by insiders or individuals with authorized access to the system, making them difficult to detect and prevent. They are often used as a form of sabotage or revenge, allowing attackers to cause significant damage to the targeted organization or individuals.
root kit
A rootkit is a type of malicious software designed to gain unauthorized access to a computer system and remain undetected by antivirus or antimalware programs, as well as by the operating system itself. Rootkits are typically installed by attackers after they have gained initial access to a system, often through exploiting vulnerabilities or through social engineering tactics.
Once installed, rootkits are capable of hiding their presence and activities from users and system administrators by modifying system files, processes, and configurations. They can provide attackers with privileged access to the system, allowing them to execute malicious commands, steal sensitive information, or carry out other nefarious activities without being detected.
Rootkits come in various forms, including user-mode rootkits and kernel-mode rootkits. User-mode rootkits operate at the application level, while kernel-mode rootkits operate at a deeper level within the operating system’s kernel, providing even greater control and stealth capabilities.
Detecting and removing rootkits can be challenging due to their ability to hide from traditional security tools and techniques. Specialized rootkit detection and removal tools are often required to effectively identify and eliminate rootkit infections. Additionally, maintaining good security practices, such as keeping systems and software updated, using strong authentication methods, and practicing safe browsing habits, can help prevent rootkit infections.
spyware
Spyware is a type of malicious software (malware) that is designed to secretly monitor and gather information about a user’s activities on their computer or device. It can capture various types of data, including keystrokes, browsing history, passwords, personal information, and more, without the user’s consent or knowledge.
Spyware typically operates stealthily in the background, making it difficult for users to detect its presence. It can be installed on a computer or device through various methods, such as malicious email attachments, software downloads, or by exploiting vulnerabilities in software or operating systems.
packet sniffer
A packet sniffer, also known as a network sniffer or packet analyzer, is a tool used to capture and analyze data packets transmitted over a network. Packet sniffers are commonly used for network troubleshooting, monitoring network performance, and analyzing network traffic for security purposes.
When deployed on a network, a packet sniffer intercepts and captures data packets as they travel between devices on the network. It can capture packets from various network protocols, such as TCP/IP, UDP, HTTP, FTP, and more.
pcap vs packet sniffer
While packet sniffers capture and analyze network traffic, PCAP files are often used to store and share captured packet data for offline analysis or archival purposes.
PCAP (Packet Capture): PCAP stands for Packet Capture, and it refers to a file format commonly used to store captured network traffic data. When network traffic is captured by a network monitoring tool or a packet sniffer, it is often saved in a PCAP file format. PCAP files contain raw data packets captured from the network, along with additional metadata such as timestamps, packet headers, and other information. These files can be analyzed using various network analysis tools to troubleshoot network issues, monitor network performance, or investigate security incidents.
Packet Sniffer: A packet sniffer, also known as a network sniffer or packet analyzer, is a software tool or hardware device used to capture and analyze network traffic in real-time. Packet sniffers intercept and capture data packets as they travel across a network, allowing network administrators, security professionals, or analysts to inspect the contents of the packets, analyze network behavior, and identify potential security threats or performance issues.
RAT
A Remote Access Trojan (RAT) is a type of malware that allows an attacker to remotely control a compromised computer or device. RATs typically provide attackers with a range of capabilities, such as remote desktop control, file transfer, keylogging, and more, enabling them to carry out various malicious activities on the infected system.
MaaS
MaaS stands for Malware-as-a-Service. It refers to a model where cybercriminals offer malware-related services and tools for sale or rent to other malicious actors. MaaS providers may offer a wide range of malware, including ransomware, banking Trojans, exploit kits, and more, along with support services such as distribution, updates, and technical assistance. MaaS allows even less technically skilled individuals to conduct sophisticated cyberattacks, contributing to the proliferation of cybercrime.
