Malware
What is PHISHING
- a social engineering attack usually communicated through e-mail - the attacker tries to get the user to click a malicious link in the e-mail, usually through some false story or context, to trick the user into handing over sensitive information, such as usernames, passwords, financial information, and so forth
What is a Botnet?
- a distributed type of malware attack that uses a remotely controlled piece of malware that has infected several different computers. - to create a large robot-like network used to wage large-scale attacks on systems and networks. - Once the malware is installed on the host, the attacker is able to control hosts remotely and send malicious commands to them to be carried out. The hosts are called bots, or zombies, - form of distributed denial-of-service (DDoS) attacks. - Among the different attack methods that botnets can use is sending massive amounts of malware to different computers, sending large volumes of network traffic, and performing other methods designed to slow down or completely disable hosts and networks.
What is SPAM?
- a large volume of e-mail that is sent to a recipient. - Most of the time this e-mail is from advertisers that use mass e-mail programs to send spam to huge lists of people. - For the most part, spam is fairly harmless, although it can clog your inbox and be generally annoying. - Some types of low-level attacks send huge amounts of spam to one particular e-mail gateway, for example, causing denial-of-service (DoS) attacks on the gateway - large variety of phishing e-mail attacks that can come in the form of spam
What is a virus?
- a piece of malicious software that must be propagated through a definite user action --> cannot spread by itself, as other types of malware can - requires a user to initiate, in some way, the execution of the virus Examples: - download from malicious Internet sites, through removable storage media (USB sticks, for example) passed along from person to person, - through the transmission of infected files from computer to computer via e-mail or file sharing
What is a rootkit?
- a piece of malware that attempts to infect critical operating system files on the host. - antivirus software cannot easily detect rootkits, so they can reside on the system for quite a while before detection. - can thwart antivirus software because they can send false system information to it, preventing it from detecting and eradicating not only itself but other viruses as well
What is Spyware?
- a type of malware with a specific purpose. - can actually be a virus or trojan in form - used for the specific purpose of surreptitiously observing a user's actions and recording them, as well as stealing sensitive data, such as passwords, credit card information, and so forth. - ability to send data back to the attacker - can dump data into a file so an attacker can later retrieve it directly from the system if she has physical access.
what is brute-force attack?
- a type of password attack - repeatedly attempt to guess the user's password - go through every single combination, this method would be guaranteed to be 100-percent effective in cracking a password—if you could live long enough to wait for it to finish - Cain and Abel, a popular password-cracking tool, performing a brute-force password attack
what is a rainbow attack
- a variation on a dictionary attack. - It simply eliminates the step of having to hash each word in the list before comparing it to the hashes obtained from the credentials file. - Rainbow tables are simply precomputed hashes, built by software that can go through massive word lists and hash each of the words, adding them to the rainbow tables file
What is a trojan?
- a very specialized piece of malware. - a piece of software that seems to be of value to the user. - It could be in the form of a game, utility, or other piece of useful software. - In reality, however, it is malware and serves a specific function. - Usually a trojan has the goal of collecting personal information from a user, including user credentials, financial information, and so on. - It can also be used as a generic container used to spread viruses and worms.
what is Pharming?
- an attack in which the user is redirected to an attacker's web site, regardless of the URL the user types into the browser or link he clicks in an e-mail - similar to a phishing attack --> Once the user has been redirected to the web site, the attack pretty much functions as a normal phishing attack, getting information from the user who thinks he is on a legitimate web site, when in fact that is not the case. - requires configuration changes on a host or on another system that redirects the user to a different web site, typically a malicious site set up by the attacker.
What is a Backdoor?
- an entry method into a piece of software (application or operating system) that wasn't intended to be used by normal users. - Most backdoors are created as a maintenance entry point during software development - These maintenance backdoors should be closed prior to software release, but often they are either forgotten about or left open intentionally as a way to bypass security mechanisms later after the software is released, either by the programmer or a malicious entity. - usually bypass security mechanisms that normally require identification and authorization, so this is a serious security issue. Vulnerability testing can often detect these unauthorized entry points into a system, but sometimes more in-depth testing methods, such as penetration testing or application fuzzing, may be required to find them.
What is VISHING
- another form of phishing attack occurs over the phone, or Voice-over-IP (VoIP) phone systems - primarily a social engineering attack, such as the use of auto-dialers to send unsolicited messages from fake phone numbers and VoIP IP addresses, voicemail, and other tools. - The goal is to get the user to go visit a fake web site or call a fake number or call center to provide sensitive personal information over the phone.
what is WHALING?
- another phishing attack technique --> type of SPEAR PHISHING - involves targeting senior executives in an organization
What is Spear Phishing
- another phishing attack technique. - involves targeting particular users, who include those in key positions, such as security officers, network or system administrators, or even managers and executives - the attacker has usually done some background work to craft the phishing e-mail to lure a specific victim. For example, the attacker may use social engineering or do some research on the victim to discover personal details, including likes, hobbies, associates, and so on, so that these details can be included in the phishing e-mail to make it appear more legitimate. - user education is probably the most effective deterrent against this type of attack
whAt is Watering Hole Attack
- attack has both social engineering and technical components to it. - the attacker compromises a secondary system, such as a popular web site. She compromises the system, knowing that eventually users will come to it for information or data, and then she can strike. - attacker may use social engineering techniques to determine that the user frequents that particular web site or system, or even to get the user to visit that particular site. Example, the attacker may compromise a web site that a business frequently uses to order supplies. Then the attacker simply waits for the business users to visit the site, before attempting to send malware down to the user's hosts. - To prevent this type of attack, user education on social engineering attacks is valuable, but also, on a more technical level, the use of the newer techniques of DNS firewalling and reputation-based protection may be used.
what is dictionary attack?
- attacker would use specially crafted dictionaries, or word lists, which include not only common words, but also very specific words used in areas such as medicine, religion, sports, and so on. - work simply by going through the entire word list, hashing each word in the list, comparing that hash to the one the attacker has from the credentials database, and seeing if they match. If the hashes match, the attacker knows he found the correct password. If not, he simply goes to the next word in the list and repeat the process. - very fast and efficient, and as long as the password is one of the words in the list, the attack will be successful
What is metamorphic malware?
- changes itself upon different generations and versions, rather than upon each infection from host to host. - It can also change different aspects of its construction and code so that it not only changes its signature, but its actions and its symptoms on the host
what is XMAS Attack
- conducted by using specific flags in a TCP communications session. - When this particular combination of flags is turned on in a TCP segment by the attacker, the network traffic is sent to a host. - Most modern firewalls and network IDSs can be configured to detect and stop this attack
9. The URL http://www.microsoftsucks.com is an example of A. Phishing B. Cybersquatting C. Watering hole attack D. Vishing
B. The URL http://www.microsoftsucks.com is an example of cybersquatting on a domain name that attempts to disparage a legitimate domain.
what is ARP Poisoning
- involves sending false updates to a host, which it caches in its memory, resolving IP addresses to hardware, or media access control (MAC), addresses - Within their own subnetwork, hosts communicate using MAC addresses rather than IP addresses. Because ARP is a broadcast-based protocol, a host will broadcast out to the network, requesting resolution from its target for its MAC address --> saves this information in a cache in its memory - A malicious user can send false updates to the host's ARP cache, which may cause it to communicate with the malicious host instead of the legitimate one.
What is Ransomeware?
- locks the user out of the computer, preventing her from accessing anything on it or escaping from a restricted user interface. - a message that warns the user that her data has been completely encrypted. - user must pay a fee within a certain time period to get a copy of the decryption key, or the data will remain encrypted (and useless to the user) forever. - Obviously, this motivates most users, who are scared of losing their data, to pay the fee to get their data back.
what is Malicious Insider Threat?
- motivated by different things: sometimes revenge against the organization, sometimes for profit or financial gain, and sometimes they have even purposefully gotten a job or position within the organization with the intention of carrying out an attack. - normal user privileges --> do only a small amount of damage --> no ability to perform sensitive functions. - Malicious insiders with administrative privileges --> the worst -->the ability to do a lot of damage and affect a lot of different systems and data within the organization. - mitigations --> user education, security clearances and background checks to ensure trustworthiness, allowing only the least privilege necessary for users to do their jobs, and limited access to systems and data. Auditing is also the key to detecting malicious insider attacks, since user actions can be audited and they can be held accountable for those actions.
What is a Logic Bomb?
- not necessarily a form of malware—not easily detected by anti-malware software - a script set to execute at a particular time or if certain events or circumstances take place on the system. - designed to take malicious actions when it executes. - usually the result of a malicious insider or a disgruntled administrator EX: a script that has been written to begin erasing file shares or disk storage at a certain time or date - Detecting a logic bomb can be troublesome; it usually requires examining any files, utilities, and scheduled jobs the malicious user had access to, as well as auditing the user's actions and reviewing the access logs that recorded any use of his privileges.
what is DNS Poisoning?
- one of those attacks that has both network and host components to it - DNS table are compromised, substituting known good entries for a web site with bad ones. This has the effect of redirecting users to a malicious site, instead of the legitimate one - mitigation --> DNS servers are patched with the latest security updates, and configure them to accept updates only from servers with which they have authenticated.
what is Transitive Access
- refers to passing on higher access privileges or permissions to a user. - This might happen if you inadvertently configure access rules to be too broad or to have excessive privileges in them. - Attackers often look for this transitive type of access to gain a foothold in the system, and then they either elevate privileges or jump to another system where a transitive trust exists between those systems or users.
What is SPIM
- spam and instant messaging (IM), combined to describe a new form of spam that occurs over chat and IM services - comes over the IM services that many of us use on mobile devices to communicate with someone
what is Client-side Attacks
- target vulnerabilities that exist on hosts, including their configurations and applications. - normally are conducted remotely against the host, via the network, instead of by having physical access to the host. - Most client-side attacks take place through active web content, such as scripts, applets, Active Server Pages (ASP), and so forth. Examples: - web browsers or connections between the client and server, looking for vulnerabilities --> to make the network connection and transfer data between the two hosts. - cross-site scripting (XSS) attacks
What is adware?
- the name given to malicious, and more often than not, annoying advertisements that come in the form of pop-up messages in a user's browser or even on a user's screen outside of a browser session. - These messages usually want the user to visit a site, buy a product, or click the ad itself. - can often disguise software with a more malicious intent. Adware can sometimes carry malware, such as trojans or viruses that appear as simply annoying advertisements.
what is Typo Squatting/URL Hijacking
- type of attack that can affect an organization makes use of incorrectly spelled or similar sounding URLs that the organization may use to promote its business. - Typo squatting is a variant on an attack (called cybersquatting or URL hijacking) in which the attacker buys out domain names in different top-level domains, knowing the company will eventually want to own them, and then charging an outrageous fee for them. - Attackers may purchase similarly spelled web site names that users may be tricked into visiting, not noticing that the URL is spelled slightly different from the organization's official web site.
What are Armored viruses?
- use advanced techniques to avoid detection and analysis. These techniques include changing its tactics and characteristics, such as the different types of files and locations it hides in; the use of encryption to avoid detection and analysis; and others. - change their code by adding confusing and complex pieces to it. - very difficult to detect and analyze, simply because of these intelligent changes to their code. - Because of all of this complexity, the size of the virus executable is considerably larger than a normal virus. This may raise flags in other ways, because larger files sometimes can alert anti-malware to check a file more carefully.
what are Password Attacks
- very common - used to attempt to gain access to a system by discovering the username and password combination for a valid user on the host - including brute-force, dictionary attacks, rainbow tables, and hybrid attacks. - target the password hashes themselves, since most passwords are not stored in plaintext form
What is a worm?
- very similar to a virus, in that it can cause disruptions to the host, slow down systems, and cause other problems. - able to self-replicate and spread all over a network, usually through methods such as instant messaging, e-mail, and other types of network-based connections
what is Privilege Escalation?
-a general type of attack, usually perpetrated on hosts after the attacker has gained some sort of low-level access to the system - attacker may gain privileged access to the system by using an ordinary user or guest account --> to gain a higher level of privileges on the system, allowing her to control the system, broaden her attack, and gain access to sensitive data. - exploiting the configuration settings on the host, taking advantage of weak encryption or authentication methods, or even exploiting software or operating system vulnerabilities, such as buffer overflow or input injection attacks. These types of attacks may allow the attacker to run arbitrary code on the system, resulting in privilege escalation. - prevention --> comprehensive system hardening program --> involves keeping security patches current, locking down configuration settings, allowing only the least privileges required on the system
3. Which of the following types of malware infects critical operating system files, often replacing them with malicious ones? A. Rootkit B. Trojan C. Boot sector virus D. Ransomware
A. A rootkit infects critical operating system files, often replacing them with malicious ones.
7. All of the following statements about password attacks are true, except: A. Brute-force attacks use word lists to attempt password guessing. B. Dictionary attacks are generally faster than brute-force attacks. C. Rainbow tables are word lists consisting of precomputed hashes. D. Online attacks are usually mitigated by account lockout controls.
A. Brute-force attacks do not use word lists, but dictionary attacks do.
2. Which of the following types of malware appears to be a useful piece of software, but in fact is malicious in nature? A. Worm B. Trojan C. Adware D. Logic bomb
B. A trojan appears to be a useful piece of software but is malicious in nature.
1. Which of the following characteristics best describes a virus? A. Script that executes at a certain time B. Displays annoying pop-up advertisements C. Unable to propagate itself D. Is specifically used to capture a user's personal information and send it back to the attacker
C. A virus, unlike a worm, is unable to self-replicate or propagate itself; it relies on user action to do so.
4. One of your users calls you in a panic because he has just seen a pop-up message on his computer screen that states that all of the files on the system are encrypted, and that he must pay to have them decrypted or lose them forever. You back up the user's files on a daily basis and update the antivirus signatures every other day. What is the best course of action to take in this case? A. Pay the fee the ransomware is asking for. B. Notify the authorities at once and attempt to update the antivirus signature with the latest release. C. Wipe the computer's hard drives and restore the user's files from backup. D. Reboot the computer.
C. Because the user's files are backed up daily, the best course of action is to wipe the computer's hard drive and restore the user's files from backup.
8. Which of the following best describes a birthday paradox attack? A. A password attack that uses precomputed hashes in its word list. B. Two unique pieces of plaintext can have the same hash value under certain circumstances. C. In a room with 23 people, the odds of any 2 having the same birthdate is 50 percent. D. A password attack that attempts every single possible combination of characters and password lengths to discover a password.
C. In a room with 23 people, the odds of any 2 having the same birthdate is 50 percent.
6. Which of the following attacks involves sending false IP-to-MAC address mappings to a host, causing it to communicate with the attacker's machine instead of the legitimate one? A. XMAS attack B. Pharming C. DNS poisoning D. ARP poisoning
D. ARP poisoning involves sending false IP-to-MAC address mappings to a host, causing it to communicate with the attacker's machine instead of the legitimate one.
10. In a watering hole type of attack, which web site is an attacker most likely to compromise? A. An organization's official web site B. A site with a name very similar to the victim's web site C. A user's social media site D. A site frequented by the users of a victim organization
D. In a watering hole attack, an attacker is most likely to compromise a site frequented by the users of a victim organization, in order to download malware to their computers.
5. Which of the following methods of phishing attacks uses chat to target its victims? A. Whaling B. Vishing C. Spam D. Spim
D. Spim is a form of phishing attack that uses instant messaging and chat to target its victims.
_____________________ is really the best way to mitigate against the multitude of vulnerabilities that can affect each host, as well as protect against various threats that exist, including malware, unauthorized access, and so on.
Hardening a host
What is the biggest difference between a virus and a worm?
The big difference between a virus and a worm is that a virus can't spread itself; in other words, a virus requires a user action to replicate and spread. A worm doesn't have this problem and can automatically replicate over an entire network with very little user intervention.
What is Polymorphic Malware?
a type of malware that is actually able to change itself every time it infects a new host. It does this is to avoid detection by anti-malware software. - Because most malware has a particular signature, antivirus and other anti-malware solutions typically look for these unique signatures to identify a particular type of malware infection --> NOT easily detected
A ______________ is automatically executed in the computer's memory when the host boots up; at that moment there is no OS-based antivirus software loaded to detect or eradicate it, so it has already done its damage by the time the OS loads.
boot-sector virus Usually, the only way to get rid of a boot-sector virus is to boot the host off of a known good (meaning clean and free of malware) media, such as a new hard drive, bootable CD/DVD disc, or a USB stick.
what is a collision?
hashes are unique in that it is mathematically difficult to find two different pieces of plaintext that, when subjected to the same hashing algorithm, produce the same identical hash. When this actually does occur (although extremely rare, it is theoretically possible), this is called a collision - birthday paradox
MyDoom, Blaster, and the Win32Conficker are examples of a virus or a worm?
worm