Chapter 3 - Malicious Code

Question 1

Malware

Answer 1

Malware describes a wide range of software that is intentionally designed to cause harm to systems and devices, networks, or users.

Question 2

Ransomware

Answer 2

Ransomware is malware that takes over a computer and then demands a ransom. Some Indicators of Compromise for Ransomware include:

1. Encryption of files
2. Data exfiltration behaviors (large file transfers)
3. Notices to end users of the encryption with demands for ransom
4. Command and control traffic and/or contact to known malicious IP addresses

Question 3

Trojans

Answer 3

Trojan Horses are a type of malware that are typically disguised as legitimate software. They rely on unsuspecting individuals running them, thus providing attackers with a path into a system. Some Indicators of Compromise for Trojans include:

1. Signatures for the specific malware applications or downloadable files
2. Command and control system hostnames and IP addresses
3. Folders or files created on target devices

Question 4

Worms

Answer 4

Worms spread themselves. Worms can spread via email attachments, network file shares, vulnerable IoT devices and more. Worms self-install, rather than requiring users to click on them. Some Indicators of Compromise for Worms include:

1. Known malicious files.
2. Downloads of additional components from remote systems.
3. Command and control contact to remote systems.
4. Malicious behaviors using system commands (cmd.exe, msiexec.exe) for injection and other activities.

Question 5

Spyware

Answer 5

Spyware is malware that is designed to obtain information about an individual, organization or system. Spyware is associated with identity theft and fraud, advertising and redirection of traffic, digital rights management (DRM) monitoring, and with stalkerware (spyware specifically used to monitor partners in relationships). Some Indicators of Compromise for Spyware include:

1. Remote-access and remote-control-related indicators.
2. Known software file fingerprints.
3. Malicious processes, often disguised as system processes.
4. Injection attacks against browsers

To properly classify malware as Spyware, understanding of the attackers motivations is often necessary.

Question 6

Bloatware

Answer 6

Bloatware describes unwanted preinstalled applications on a device. Bloatware can be programs the manufacturer provides or can be due to commercial relationships the manufacturer has with other vendors.

Question 7

Viruses

Answer 7

Viruses are malicious programs that self-copy and self-replicate once they are activated. Viruses come in many varieties, including:

1. Memory-resident viruses, which remain in memory while the system of the device is running.
2. Non-memory-resident viruses, which execute, spread, and then shut down.
3. Boot sector viruses, which reside inside the boot sector of a drive or storage media.
4. Macro viruses, which use macros or code inside word processing software or other tools to spread.
5. Email viruses that spread via email either as email attachments or as part of the email itself using flaws inside email clients.

Question 8

Keyloggers

Answer 8

Keyloggers are programs that capture keystrokes from a board (although keylogger applications may also capture other input such as mouse movement, touchscreen input, or credit card swipes from attached devices). Some common IoCs for keyloggers include:

1. File hashes and signatures
2. Exfiltration activity to command and control systems
3. Process names
4. Known reference URLs

Question 9

Logic Bombs

Answer 9

Logic Bombs are not independent malicious programs. Instead, they are functions or code placed inside other programs that will activate when set conditions are met. Logic Bombs often require code analysis for the relevant application to discover and mitigate the attackers desired outcome.

Question 10

Rootkits

Answer 10

Rootkits are malware that is specifically designed to allow attackers to access a system through a backdoor. Some common IoCs for Rootkits include:

1. Opening ports or creation of reverse proxy tunnels.
2. Behavior-based identification like the creation of services, executables, configuration changes, file access, and command invocation.
3. Command and control domains, IP addresses, and systems.