Module 3 - Threats & Attacks on Endpoints Flashcards
What word is currently accepted when referring to network-connected hardware devices?
endpoint
this term reflects the fact that devices that are connected to a network today are far more than a computing device with a keyboard and monitor
What are the five groupings used to characterize malware?
imprison - ex: ransomware, cryptomalware
launch - ex: virus, worm, bot
snoop - ex: spyware, keylogger
deceive - ex: PUPs, trojan, RAT
evade - ex: backdoor, logic bomb, rootkit
Gabriel’s sister called him about a message that suddenly appeared on her screen that says her software license has expired and she must immediately pay $500 to have it renewed before control of her computer is returned to her. What type of malware has infected her computer?
blocking ransomware
this is one of the earliest forms of malware
Marius’s team leader has just texted him that an employee has just reported that her computer is suddenly locked up with cryptomalware. Why would Marius consider this a dangerous situation?
cryptomalware can encrypt all files on any network that is connected to the employee’s computer
basically any other endpoint that is connected to the network that the infected computer is connected to is vulnerable
Which type of malware relies on LOLBins?
file-less virus
a file-less virus does not attach itself to a file like a file virus would; a file-less virus takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks; the native services used in a file-less virus are called living-off-the-land binaries
Which type of malware is known as a network virus?
a worm
a worm is a malicious program that uses a computer network to replicate; it is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an OS on the host computer; once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability
What are some examples of different attacks generated through a botnet?
spamming, spreading malware, ad fraud, mining cryptocurrencies, DDoS, DoS
What are some ways a bot communicates with a C & C device?
1) by signing into a bot-herding website where information has been placed that the bot knows how to interpret
2) by signing in to a 3rd party website
3) commands sent via blog posts, specially coded attack commands through twitter posts or notes posted on Facebook
4) by creating an email account and then drafting an email that is never sent but contains commands the bot receives when it logs into the email account and reads the draft
Randall’s roommate is complaining to him about all of the software that came pre-installed on his new computer. What type of software is this?
PUP (Potentially Unwanted Programs)
What is the difference between a Trojan and Remote Access Trojan (RAT)?
a RAT gives the attacker unauthorized remote access to the victim’s computer
a computer Trojan is an executable program that masquerades as performing a benign activity but also does something malicious; ex) a user might download what is advertised as a calendar program yet in addition to installing the calendar, it also installs malware that scans the system for credit card numbers and passwords, connects through the network to a remote system and then transmits that information to the attacker
a remote access Trojan has the basic functionality of a Trojan but also gives the threat actor unauthorized remote access to the victim’s computer by using specially configured communication protocols
Which of these would NOT be considered the result of a logic bomb?
a) send an email to Rowan’s inbox each Monday morning with the agenda of that week’s department meeting
b) if the company’s stock price drops below $50, then credit Oscar’s retirement account with one additional year of retirement credit
c) erase the hard drives of all the servers 90 days after Alfredo’s name is removed from the list of current employees
d) delete all human resource records regarding Augustine one month after he leaves the company
A) send an email to Rowan’s inbox each Monday morning with the agenda of that week’s department meeting
Which of the following attacks is based on a website accepting user input without sanitizing it?
a) RSS
b) XSS
c) SQLS
d) SSXRS
B) XSS - cross site scripting attack
Which of the following attacks is based on the principle that when a user is currently authenticated on a website and then loads another webpage, the new page inherits the identity and privileges of the first website?
a) SSFR
b) DLLS
c) CSRF
d) DRCR
C) CSRF - cross-site request forgery attack
Which of the following manipulates the trusting relationship between web servers?
a) SSRF
b) CSRF
c) EXMAL
d) SCSI
A) SSRF - server-side request forgery attack
Which type of memory vulnerability attack manipulates the “return address” of the memory location of a software program?
a) shim overflow attack
b) factor overflow attack
c) integer overflow attack
d) buffer overflow attack
D) buffer overflow attack
What race condition can result in a NULL pointer/object dereference?
a) conflict race condition
b) value-based race condition
c) threat race condition
d) time of check/time of use race condition
D) time of check/time of use race condition
Which of the following attacks targets the external software component that is a repository of both code and data?
a) application program interface (API) attack
b) device driver manipulation attack
c) dynamic-link library (DLL) injection attack
d) OS REG attack
C) dynamic-link library (DLL) injection attack
What term refers to changing the design of existing code?
a) library manipulation
b) shimming
c) refactoring
d) design driver manipulation
C) refactoring
Which of the following is technology that imitates human abilities?
a) AI
b) ML
c) RC
d) XLS
A) artificial intelligence (AI)
Which statement regarding keylogger is NOT true?
a) software keyloggers can be designed to send captured information automatically back to the attacker through the internet
b) hardware keyloggers are installed between the keyboard and computer keyboard USB port
c) software keyloggers are generally easy to detect
d) keyloggers can be used to capture passwords, credit card numbers, or personal information
C) software keyloggers are generally easy to detect
What are some examples of malware used to “imprison” a user/system?
1) ransomware - is one of the fastest growing types of malware; ransomware prevents a user’s endpoint device from properly and fully functioning until a fee is paid; that is, it takes away a user’s freedom to freely use their computer until the ransom is transacted
2) cryptomalware - a more recent form of malware that, instead of blocking users from accessing the computer, encrypts all the files on the device so that none of them can be opened; new variants of cryptomalware can encrypt all files on any network or attached device connected to the infected computer
What are some examples of malware used to “launch” attacks on other computers/systems?
File-based virus - it is malicious computer code that attaches itself to a file; a file-based virus reproduces itself on the same computer without any human intervention; each time the infected program is launched or the data file is opened - either by the user or the computer’s operating system (OS) - the virus first unloads a payload to perform a malicious action, then the virus reproduces itself by inserting its code into another file, but only on the same computer; a file-based virus can only be transmitted when a user transfers the infected file to other devices
File-less virus - does not attach itself to a file on a computer, instead takes advantage of native services and processes that are part of the OS to avoid detection and carry out its attacks; these native services used in a file-less virus are called living-off-the-land binaries (LOLBins); unlike a file-based virus, a file-less virus does not infect a file and wait for that file to be launched; instead, the malicious code of a file-less virus is loaded directly into the computer’s random access memory (RAM) through the LOLBins and then executed; the advantages of a file-less virus over a file-based virus are:
1) easy to infect - does not require certain file types stored on a hard drive in order to infect a computer; instead a common delivery method is through malicious webpages that the user visits; these pages silently send a script to the victim’s web browser which invokes a scripting language such as JavaScript; the browser passes instructions to a LOLBin such as PowerShell, which reads and executes the commands
2) extensive control - several LOLBins have extensive control and authority on a computer; ex) PowerShell has full access to the core OS of a Windows computer, so it can undermine existing security features; PowerShell can also manipulate user accounts and password protection
3) persistent - a program that is loaded into RAM for execution will terminate once the computer is shut down or rebooted, however, file-less viruses often write their script into the Windows Registry, which is a database that stores settings for the Windows OS and application programs; each time the computer is restarted or on a set schedule, the script of the file-less virus is again launched
4) difficult to detect - because no file is infected and the virus loads directly into RAM, there is no telltale file that can be scanned
5) difficult to defend against - to fully defend against a file-less virus, it would be necessary to turn off all the potential LOLBins, which would cripple the OS and cause it to not properly function
Worm
a worm is a malicious program that uses a computer network to replicate; a worm is designed to enter a computer through the network and then take advantage of a vulnerability in an application or an OS on the host computer; once the worm has exploited the vulnerability on one system, it immediately searches for another computer on the network that has the same vulnerability; also known as a network virus
Bot
software that allows the infected computer to be placed under the remote control of an attacker for the purpose of launching attacks; this infected robot computer is known as a bot or zombie; infected bot computers receive instructions through a command and control (C&C) structure from the bot herder(s) regarding which computers to attack and how
What are some examples of malware used to “snoop” on a user/system?
Spyware - spyware is tracking software that is deployed without the consent or control of the user; spyware can secretly monitor users by collecting information without their approval through the computer’s resources, including programs already installed on the computer, to collect and distribute personal or sensitive information
Keylogger - can be a software program or hardware device that silently captures and stores each keystroke that a user types on the computer’s keyboard; software keyloggers can go beyond just capturing keystrokes, they can also capture everything on the user’s screen and silently turn on the computer’s web camera to record images of the user; the advantage of software keyloggers over hardware keyloggers is that the threat actor does not have to physically access the user’s computer because they can be installed remotely and then routinely send captured information back to the threat actor through the victim’s own internet connection
What are some examples of malware used to “deceive” a user/system?
Potentially Unwanted Programs (PUPs) - are software that the user does not want on their computer; PUPs often become installed along with other programs and are the result of the user overlooking the default installation options on software downloads; PUPs may include software that comes preloaded on a new computer or smartphone and cannot be easily removed (if at all); other forms of PUPs are: pop-up windows, pop-under windows, search engine hijacking, home page hijacking, toolbars with no value for the user, and settings that redirect to competitors’ websites, alter search results, and replace ads on webpages
Trojan - a computer Trojan is an executable program that masquerades as performing a benign activity but also does something malicious
Remote Access Trojan (RAT) - is a special type of Trojan that has the same basic functionality of a Trojan but also gives the threat actor unauthorized access to the victim’s computer by using specially configured communication protocols; this creates an opening into the victim’s computer, allowing the threat agent unrestricted access