Week 4 - Malware and botnets Flashcards
(10 cards)
Compare and contrast viruses, worms, and trojans as types of malware. Provide examples for each (6 marks)
- Viruses - attach to programs/files and replicate when executed (e.g., Brain virus, 1986)
- Worms - self-replicating, exploit vulnerabilities to spread (e.g., CodeRed, 2001)
- Trojans - disguised as useful software to trick users into installing them (e.g., Remote Access Trojan)
Viruses require user action, worms do not, and trojans rely on deception.
Explain the structure and lifecycle of a traditional IRC botnet (7 marks)
1) Infection through vulnerabilities or social engineering.
2) Installation and connection to C&C server.
3) Bots join an IRC channel and await commands.
4) Bots perform actions like spam, DDoS, or theft.
These were easy to detect and infiltrate due to known protocols and open channels.
What are the key differences between Type I, II, and III botnets? (5 marks)
Type I: Worm-like bots that scan continuously
Type II: Bots scan on instruction, more efficient
Type III: Do not self-spread; centrally deployed
Later types are usually easier to control and commercialise, with less risk of uncontrolled spread.
Describe at least three ways malware hides or evades detection
- Polymorphism - encrypts itself differently with each infection
- Metamorphism - rewrites its own code while keeping the same behaviour
- Rootkits - hide files and processes from system tools
- Anti-sandboxing - avoids execution in analysis environments
- Bootkits - load before the OS, altering system behaviour
Outline the methods used by Abu Rajab et al. (2006) to track and study botnets. What were their key findings? (8 marks)
Methods = honeypots, darknets, IRC trackers, DNS cache probing
Findings = 192 botnets observed over 3 months; 27% of traffic linked to botnets; 11% of DNS servers showed infection signs
Botnets varied in growth patterns (linear, staircase, exponential). Highlighted botnet evolution and scale.
Describe how drive-by download attacks work and what vulnerabilities they typically exploit (6 marks)
Attackers exploit browser or plugin flaws to automatically install malware without user input.
Targets include: web browsers, Flash, ActiveX
Delivery methods: compromised sites and malvertising (malicious ads)
Explain the Fast Flux technique and the use of Domain Generation Algorithms (DGA) in botnet communication (7 marks)
Fast flux: rapid rotation of IP addresses tied to a domain to evade takedowns
DGA: Bots use algorithms to generate domain names at different times. Researchers can reverse DGAs to pre-block botnet domains. These increase botnet resilience and hinder detection.
What role do peer-to-peer (P2P) architectures play in modern botnet design? (5 marks)
- Removes reliance on central servers
- Bots act as both clients and proxies
- Enhances resilience and uptime
- But allows researchers to infiltrate as bots and monitor communications.
Discuss how malware authors use social engineering to infect users. Provide examples (6 marks)
Malware relies on tricking users through the following methods:
1) email attachments - masquerade as invoices or job offers
2) fake updates - pose as media plugins or system patches
3) scareware - falsely claims malware is detected and offers fake antivirus that exploits fear, urgency and curiosity
People then fall into the trap because of these influence techniques.
What is the Mirai botnet, and what made it significant in the evolution of botnet attacks? (6 marks)
- Exploited default credentials in IoT devices
- Used in 2016 DDoS attacks on Dyn, disrupting Twitter, Netflix, and Reddit.
- The code was later leaked, inspiring copycats
- This is significant because it highlighted the vulnerability of IoT systems and expanded botnet targets beyond PCs.