Once you've compromised a system, what does the malicious software do?
What is a virus? What do viruses require to activate?
What are a virus writer's goals?
What are the kinds of viruses?
What are the things that boot sector viruses affect?
How do boot sector viruses work?
Why attack the bootstrap?
How does a virus attach to host code?
What are entry-point obscuring viruses?
What are polymorphic viruses?
What are metamorphic viruses?
Where else can viruses reside?
What are macros and how prevalent are they?
How was the Melissa macro virus implemented and what was its strategy?
What was the behavior of the Melissa macro virus?
What does the source code of the Melissa virus look like?
What were the transmission rate, damage, and remedy for the Melissa macro virus?
How do you detect viruses?
What are virus signatures? How are they used?
What are the issues involved with scanning for virus signatures?
What are the steps of a simple virus?
1. User runs an infected program.
2. Program transfers control to the virus.
3. Virus locates a new program.
4. Virus appends its logic to the end of the new file.
5. Virus updates the new program so the virus gets control when the program is launched.
What are head/tail scanners?
With knowledge of head/tail scanners, what did the bad guys do?
What is scalpel scanning?
What are encrypted viruses and how do they work?
What are encrypted viruses?
What makes encrypted viruses easy to detect?
How do polymorphic viruses work?
What are the steps of the polymorphic virus?
1. User executes the program.
2. Virus decrypts itself.
3. Virus finds a new program.
4. Mutation engine creates a new decryptor.
5. Virus makes a new copy of itself and encrypts this copy.
6. Virus appends the new decryptor and encrypted virus body to the new file.
7. End: we have a new infection.
What does the decryption loop from the polymorphic virus look like?
- Main point: a new decryption loop is generated for each infection, making polymorphic viruses more difficult to detect.
How do you detect the polymorphic virus?
What is the x-ray technique?
- A way to detect polymorphic viruses
- A known-plaintext attack on the encrypted virus body
What is "Generic" decryption? What are the assumptions? What is the key idea?
What are the steps for how Generic Decryption works?
1. Load the suspected program into a VM.
2. Allow the program to execute normally.
3. "Tag" all modified memory as the program executes:
3.1 Fetch byte
3.2 Decrypt byte
3.3 Store byte
3.4 Loop to 1
3.5 ... and so on
4. Scan all modified areas of virtual memory for virus signatures.
5. Kill the virus.
What are the challenges with Generic Decryption (GD)?
What is profile-based emulation?
What does having profiles specific to each polymorphic virus do in profile-based emulation?
What are problems with profile-based emulation and Generic Decryption in general?
How do entry-point obscuring viruses work?
What to do against entry-point obscuring viruses?
What is a metamorphic virus? What are the problems they cause?
What is an integrated infection and what are the problems they cause?
What are Modern AV programs?
What are the advantages and disadvantages to virus scanning?
What is inoculation? What are its drawbacks?
What are integrity checks & whitelists?
What are the advantages and disadvantages of integrity checks?
How does behavior-based detection work?
What are the advantages and disadvantages of behavior-based detection?
What are reputation systems?
What is the difference between standard disinfection and generic disinfection?