Threats, Attacks & Vulnerabilities Flashcards

1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.

1
Q

Why is Security Important?

A

Assets
Tangible assets - physical items: buildings, furniture, computer equipment
Intangible assets - information, resources, intellectual property
Employees - the organization's staff, its human capital

2
Q

Computer Viruses - Designed to replicate and spread from computer to computer, usually by infecting executable applications or program code

A

Boot sector viruses - attack the disk boot sector information, partition table or sometimes the file system
Program viruses - sequences of code that insert themselves into another executable program
Script viruses - Written in scripting languages used to automate OS functions and add interactivity to web pages; executed by an interpreter rather than self-executing
Macro viruses - Use programming features offered by the host program (e.g. MS Word). Current versions restrict macros by default; users can disable these restrictions.
Multipartite viruses - Use both boot sector and executable file infection methods of propagation.

3
Q

Worms - Memory resident viruses that replicate over network resources; do not attach to another executable file.

A

Target a vulnerability in an application
Primary effect - rapidly consume network bandwidth as they replicate.
Can perform a Denial of Service (DoS)
Can carry a payload that performs another malicious action (e.g. installing a backdoor).

4
Q

Logic Bomb - Waits for a pre-determined user event to execute

A

Triggered by a date or time - time bomb
Need not be viruses - can be a script
Anti-virus applications can detect these
Also known as mines

5
Q

Trojans and RATs -
Trojans - pretend to be something else
RATs - Remote Access Trojans

A

Trojans - programs that pretend to be something else; also act as backdoor apps.
Rogueware or Scareware - fake anti-virus; a web pop-up claims to have detected viruses and prompts the user to initiate a full scan, which installs the attacker's Trojan.
Attacker can use a botnet to launch attacks such as Distributed Denial of Service (DDoS) or mass-mail spam
A RAT must establish a covert channel back to the attacker, i.e. a connection to Command and Control (C2 or C&C).
This network connection is the best way to identify the presence of a RAT.

6
Q

Backdoors - Remote access method installed without user’s knowledge

A

Mostly created by programmers for testing and development
Not removed when the software is deployed to production
Also created by misconfiguration of software that allows unauthorized access
Examples: leaving a router configured with the default admin password; a Remote Desktop connection configured with an unsecured password; leaving a modem open to receive dial-up connections.

7
Q

Spyware, Adware and Keyloggers

A

Spyware - monitors user activity and sends information to someone else. Installed without the user's knowledge. May also take screenshots or activate recording devices such as a microphone or webcam. Cannot be uninstalled by the user by normal means.
Keyloggers - actively attempt to steal confidential information by recording the user's keystrokes, such as those entered into a web form
Spyware may also spawn browser pop-up windows or modify DNS queries to direct users to other websites.
Adware - software that displays commercial offers and details.
Some adware acts like spyware, tracking the user's site visits and displaying targeted ads. If the user accepts the commercial installation and the software behaves as advertised, it is adware.
Spyware and adware can have a negative impact on computer performance.

8
Q

Ransomware and Crypto-malware

A

Ransomware attempts to extort money from the user with threatening messages, e.g. that Windows will be deactivated or that the computer has been locked by the police for child pornography or terrorism activity
This type of attack is relatively trivial to fix
Crypto-malware - attempts to encrypt data files on fixed drives. Users cannot access the files without the private encryption key, which is held by the attacker.
This attack is extremely difficult to mitigate unless current backups of the encrypted files are available.
Ransomware uses online payment methods such as wire transfer, Bitcoin or premium rate phone lines so that the attacker can extort money without revealing his or her identity or being traced by local law enforcement.

9
Q

Rootkits - class of backdoor that is hard to detect and remove

A

Rootkits work by changing core system files and programming interfaces so that local shell processes such as taskmgr or tasklist on Windows, ps or top on Linux, or port scanning tools such as netstat no longer reveal their presence on the infected machine. Might include tools for cleaning system logs, further concealing the Trojan.
The most powerful rootkits operate in kernel mode; the least powerful operate in user mode, replacing key utilities or less privileged drivers.
Software processing rings:
Ring 0 - most privileged (direct access to hardware)
Ring 1 - I/O processes
Ring 2 - Drivers
Ring 3 - user mode, where application processes run
